Over at VOIPSA, Dustin Trammell offers a bleak assessment of VOIP Security in real-world products, basing his judgment on a recent Cisco advisory concerning a number of vulnerabilities.
Over at VOIPSA, Dustin Trammell offers a bleak assessment of VOIP Security in real-world products, basing his judgment on a recent Cisco advisory concerning a number of vulnerabilities.The attacks described in the Cisco advisory mainly deal with Denial of Service and Overflow attacks, and some can be addressed by what's emerging as an unofficial (and by no means complete or codified) set of best practices for VOIP security. For example, Cisco details a possible HTTP Server DoS vulnerability, and most security experts have already been telling enterprises to disable the Web servers on IP phones, as this advisory also recommends (and as Jonathan Roseberg of Cisco discussed at Interop New York last year).
I'm sure, as Dustin suggests, that the problems cited aren't limited to Cisco products. And the whole thing suggests that VOIP security isn't proven, but rather is untested--in other words, if you haven't encountered a major security breach, it's more likely because nobody has tried one yet.
At this juncture, I have to put a plug in for our VOIP Security tutorials and sessions at VoiceCon; I know it's our show and all, but these are really the smartest people we know when it comes to VOIP Security (that's why we invited them). I'm hoping to learn a lot from them again this year.