<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>

<channel>
	<title>Nortel Voice Security &#187; Security Testing</title>
	<atom:link href="http://blogs.nortel.com/voicesecurity/category/security-testing/feed/" rel="self" type="application/rss+xml" />
	<link>http://blogs.nortel.com/voicesecurity</link>
	<description></description>
	<pubDate>Wed, 12 Nov 2008 15:32:50 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.5</generator>
	<language>en</language>
			<item>
		<title>In Situ Security Testing for VoIP</title>
		<link>http://blogs.nortel.com/voicesecurity/2008/08/27/in-situ-security-testing-for-voip/</link>
		<comments>http://blogs.nortel.com/voicesecurity/2008/08/27/in-situ-security-testing-for-voip/#comments</comments>
		<pubDate>Wed, 27 Aug 2008 21:10:01 +0000</pubDate>
		<dc:creator>Lawrence Dobranski</dc:creator>
		
		<category><![CDATA[SCAP]]></category>

		<category><![CDATA[Security Testing]]></category>

		<category><![CDATA[Uncategorized]]></category>

		<category><![CDATA[VoIP Security]]></category>

		<category><![CDATA[Vulnerabilities]]></category>

		<category><![CDATA[Vulnerability Assessments]]></category>

		<category><![CDATA[ISAlliance]]></category>

		<category><![CDATA[NIST]]></category>

		<category><![CDATA[NVD]]></category>

		<category><![CDATA[VoIP]]></category>

		<guid isPermaLink="false">http://blogs.nortel.com/voicesecurity/?p=30</guid>
		<description><![CDATA[Like many other professions, security has its demons. One of them is how to ensure that the products we use are trustworthy, or have “assurance.” An emerging method of validating the assurance present in a solution made up of many different products is the concept of In Situ Security [...]]]></description>
			<content:encoded><![CDATA[<p>Like many other professions, security has its demons. One of them is how to ensure that the products we use are trustworthy, or have “<em>assurance</em>.” An emerging method of validating the assurance present in a solution made up of many different products is the concept of <a href="http://en.wikipedia.org/wiki/In-situ#Computer_science">In Situ</a> Security Testing. This testing is done periodically on the running solution without interrupting its normal operation. This approach is ideally suited to the high-availability, real-time environment of VoIP and Multimedia solutions, specifically solutions made up of many individual products and components.</p>
<p><a href="http://www.nist.gov/">The National Institute of Standards and Technology (NIST)</a> is overseeing the <a href="http://nvd.nist.gov/scap.cfm">Information Security Automation Program and the Security Content Automation Protocol</a> (SCAP). SCAP-compliant tools with appropriate checklists allow for in situ security testing.</p>
<p>The <a href="http://www.isalliance.org">Internet Security Alliance</a> (ISAlliance), working with the Department of Homeland Security and NIST, has been designated to lead an industry-based program to develop SCAP checklists for VoIP, Real Time Converged Networks, Multimedia, Unified Communications, and VoIP-based converged data and voice solutions.</p>
<p>At the upcoming 4th annual <a href="http://nvd.nist.gov/scapconf2008.cfm">IT Security Automation Conference</a> (Sept 23rd and 24th, 2008), the applicability of SCAP to these VoIP-based systems and solutions will be explored. On Tuesday, September 23rd, the ISAlliance will present a panel to discuss the applicability of security automation in VoIP, Multimedia, and Unified Communications environments, including VoIP-based converged data and voice solutions.</p>
<p>In particular, the value of performing in situ security testing will be covered, along with how it can be applied to bring a level of security assurance to a high-availability, high-reliability network. This discussion should also set the stage for broader participation in the ISA-sponsored workshop.</p>
<p>The workshop will be held on Thursday, September 25 and will focus on developing broad answers to the following four questions:</p>
<ol>
<li>How can SCAP-based testing be productively used to create a level of assurance in high-availability/high-reliability networks, and what might some limitations of that approach be?</li>
<li>What SCAP protocols/approaches/components are best for voice and real-time networks?</li>
<li>Is there a baseline of best practices/standards on which to base the development of SCAP checklists to achieve a level of assurance in voice and real-time networks?</li>
<li>What are the next steps?</li>
</ol>
<p>Details on the ISAlliance Project are <a href="http://www.isalliance.org/index.php?option=com_content&#038;task=view&#038;id=166&#038;Itemid=328">here</a>.</p>
<p>I will be participating in both the panel and the workshop, as well as reporting on the event here on the Nortel Voice Security Blog.  In future posts we will explore the technology of In Situ Security testing and the use of SCAP in more detail.</p>
<p>Lawrence</p>
<p>Disclosure: Nortel is a founding member of the Internet Security Alliance, and a member of its Board of Directors.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.nortel.com/voicesecurity/2008/08/27/in-situ-security-testing-for-voip/feed/</wfw:commentRss>
		</item>
	</channel>
</rss>
