[ISN] REVIEW: "Practical VoIP Security", Thomas Porter et al

From: InfoSec News (isn@private)
Date: Tue Jul 04 2006 - 22:11:35 PDT


Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@private>

BKPVOIPS.RVW   2060602

"Practical VoIP Security", Thomas Porter et al, 2006, 1-59749-060-1,
U$49.95/C$69.95
%A   Thomas Porter
%C   800 Hingham Street, Rockland, MA   02370
%D   2006
%G   1-59749-060-1
%I   Syngress Media, Inc.
%O   U$49.95/C$69.95 781-681-5151 fax: 781-681-3585 amy@private
%O  http://www.amazon.com/exec/obidos/ASIN/1597490601/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/1597490601/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597490601/robsladesin03-20
%O   Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   563 p.
%T   "Practical VoIP Security"

VoIP (Voice over Internet Protocol) is something of the new kid on the
technology block, and computer folks may have limited experience with
telephony.  It therefore seems a bit strange that chapter one, as an
introduction to VoIP security, starts out by talking about computer
security and attacks.  However, the structure of the book is rather
odd in any case.  The basics of telephony, and the Public Switched
Telephone Network (PSTN), are not covered until chapter four.  Even
then, while there is some useful trivia, most of the content is a list
of telephony protocols.  Chapter three covers some of the basic
hardware and element information, discussing PBX (Private Branch
eXchange) systems, VoIP components, and even power supplies.  That
material, in turn, would be helpful to those who try to understand
chapter two, which is supposed to be about the Asterisk PBX software
package.  Although the text purports to deal with configuration and
features of Asterisk, most of the section's content covers PBX
operations and functions, dial plans, telephony numbering plans, and
even a terse piece on the vital aspect of circuit versus packet
switching.

With chapter five, the book moves into some of the specifics of VoIP,
discussing H.323, a protocol to specify data formats that is used
extensively in commercial IP telephony products.  SIP, the Session
Initiation Protocol (used to negotiate interactive sessions over the
net), gets a more detailed treatment (along with examination of
related protocols) in chapter six.  Other IP telephony architectures
are briefly listed in chapter seven: the very popular Skype, H.248,
IAX (Inter Asterisk eXchange), and Microsoft's Live Communications
Server 2005 (MLCS).  Diverse protocols used in support of VoIP are
discussed in chapter eight.  Most of these are commonly used in other
Internet applications: some; such as RSVP (Resource reSerVation
Protocol), SDP (Session Description Protocol), and Skinny; are more
specialized.  All the listed protocols have some review of security
implications, which marks the first time in the book that security
seems to be a major issue.

Chapter nine examines specific threats and attacks, mostly related to
denial of service and hijacking.  Securing the infrastructure used for
VoIP is important, although the material in chapter ten is fairly
standard information security.  Chapter eleven reviews a number of
ordinary authentication tools that are frequently used in VoIP. 
"Active Security Monitoring," in chapter twelve, is the traditional
intrusion detection and penetration testing, and has nothing specific
to IP telephony applications.  Similarly, chapter thirteen examines
normal traffic management and LAN segregation issues: the only
telephony related content is in regard to VoIP aware firewalls.  The
IETF (Internet Engineering Task Force) has recommended certain
existing security protocols in regard to IP telephony, and one
addition (SRTP, Secure Real-time Transfer Protocol): these are
outlined in chapter fourteen.  Chapter fifteen lists various (United
States) data security related regulations and the European Union
privacy directive.  The IP Multimedia Subsystem (IMS) structure is
reviewed in chapter sixteen.  Chapter seventeen repeats the
recommendations made in chapters ten through fourteen.

It is handy to have a number of the issues related to VoIP addressed
in one work.  There is some depth to the content of the text as well,
and those dealing with system internals may find that useful. 
However, for those who need to manage or make policy or purchasing
decisions in regard to VoIP, this book may not have the forcefulness
of complete analysis, or a structure that would assist in learning the
background.  While there is a considerable amount of helpful
information, it reads more like an accumulation of miscellaneous facts
than a directed study.

copyright Robert M. Slade, 2006   BKPVOIPS.RVW   2060602


======================  (quote inserted randomly by Pegasus Mailer)
rslade@private     slade@private     rslade@private
An Englishman, even if he is alone, forms an orderly queue of one
                                                      - George Mikes
Dictionary Information Security     www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm



_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com



This archive was generated by hypermail 2.1.3 : Tue Jul 04 2006 - 22:43:49 PDT