RE: PBX Security

From: Brennen Reynolds (brennen-ml@off-pisteconsulting.com)
Date: Mon Feb 10 2003 - 00:19:27 PST


    Razvan et al.,
    
    While not about PBX security directly, I have been doing research on the
    security of IP telephony in enterprise networks for the past year. I have
    several publications on the subject including my Master's Thesis
    (http://www.off-pisteconsulting.com/research/pubs/reynolds-ms_thesis.pdf),
    NDSS 03 conference paper
    (http://www.off-pisteconsulting.com/research/pubs/ndss03-reynolds.pdf) and
    slides (http://www.off-pisteconsulting.com/research/pubs/ndss03-slides.ppt)
    and IEEE Communication Magazine article
    (http://www.off-pisteconsulting.com/research/pubs/ieee_comm.pdf). If you
    have any questions about any of the material feel free to drop me an email.
    
    Brennen
    
    --
    Brennen Reynolds - Chief Consultant/Owner - Off-Piste Consulting, LLC
    
    Email: brennen at off-pisteconsulting dot com  Voice:  (209) 258-4584
    WWW:   http://www.off-pisteconsulting.com      Fax:    (209) 258-4584
    
    PGP Fingerprint:
    E868 8B0D 175D 7394 E7AE  9E71 38CC 2B63 A1EB 9D9F
    
    
    > -----Original Message-----
    > From: Martin Walker [mailto:Martin.Walkerat_private]
    > Sent: Saturday, February 08, 2003 10:08 AM
    > To: Rob Shein; Razvan; pen-testat_private
    > Subject: RE: PBX Security
    >
    >
    > Making matters worse is that the telephony vendors don't have a clue
    > about anything other than the telephony side of things, and if you
    > harden the box yourself you'll void most vendor paper regarding support
    > etc.
    >
    > Several steps need to be taken to effectively combat the situation.
    > First is that IT should own telephony, not facilities.  Second IT needs
    > to recognise these devices are general purpose computing platforms and
    > design the secured architecture appropriately.  This would include
    > implementing firewalled "zones of protection" between the data access
    > layer (in this case the IVRS/call center), application layer (agent
    > applications) and the data storage back end.  Third the boxes need to be
    > hardened and the IT department's standard security self-certification
    > program applied just like any other platform.  A certification program
    > would include recurring certification requirements.  (I know everybody
    > is using some sort of internal certification program to implement and
    > manage security across the organization.....right?).
    >
    >
    > > From: Razvan [mailto:bugtraqat_private]
    > > Sent: Wednesday, February 05, 2003 2:51 AM
    > > To: pen-testat_private
    > > Subject: PBX Security
    > >
    > >
    > > As promised, I return with the reasons I freaked when I saw
    > > what a PBX can become if used unwisely.
    > >
    > > Also, I feel unable to come up with any sort of relevant
    > > advice on this matter. What's actually scary is the fact a
    > > PBX owner has practically no control over such an issue. He
    > > can have the most secure configuration, a relevant and
    > > enforced security policy, security conscious users, etc and
    > > he's still vulnerable. Or is he?
    > >
    > > Waiting your thoughts on this.
    > >
    > > Razvan Teslaru
    > > Romanian IT Security Company
    > >
    
    
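    The "zones of protection" Martin describes (IVR/call-center front end, agent
    applications, data storage) amount to a default-deny allowlist of inter-zone
    flows. As an added illustration that is not part of this thread, the Python
    below models that policy and audits constructed flow records against it; the
    zone address ranges, port numbers and flow lines are all assumptions made for
    the example.

```python
import ipaddress

# Constructed zone addressing for the three tiers (assumed, not from the thread).
ZONES = {
    "ivr": ipaddress.ip_network("10.10.1.0/24"),  # data access layer: IVR / call center
    "app": ipaddress.ip_network("10.10.2.0/24"),  # application layer: agent applications
    "db":  ipaddress.ip_network("10.10.3.0/24"),  # data storage back end
}

# Allowed initiator-direction flows as (src_zone, dst_zone, dst_port).
# Ports are assumed for the example; return traffic is left to a stateful firewall.
ALLOWED = {
    ("ivr", "app", 8080),  # IVR hands call data to the agent application
    ("app", "db", 1521),   # agent application queries the back-end database
}

def zone_of(ip):
    """Return the zone name an address belongs to, or None if it is outside all zones."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def check_flow(src_ip, dst_ip, dst_port):
    """Evaluate one flow: intra-zone traffic is allowed, cross-zone traffic
    only when it is on the allowlist, anything unzoned is denied."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny"
    if src == dst:
        return "allow"
    return "allow" if (src, dst, dst_port) in ALLOWED else "deny"

def audit(flow_lines):
    """Parse constructed 'src dst dst_port' records and return those the policy denies."""
    violations = []
    for line in flow_lines:
        src, dst, port = line.split()
        if check_flow(src, dst, int(port)) == "deny":
            violations.append(line)
    return violations

# Constructed flow records: the IVR talking straight to the database and an
# unzoned host reaching the agent tier are the two policy violations.
SAMPLE_FLOWS = [
    "10.10.1.5 10.10.2.7 8080",
    "10.10.2.7 10.10.3.9 1521",
    "10.10.1.5 10.10.3.9 1521",
    "192.168.9.4 10.10.2.7 8080",
    "10.10.2.7 10.10.2.8 445",
]
```

    Running `audit(SAMPLE_FLOWS)` returns the two offending records, which is the
    check one would apply to firewall or flow logs to confirm the zoning holds.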
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Mon Feb 10 2003 - 07:18:57 PST