Nortel Voice Security

Brian Wilson, a Senior Security Architect with my team, specializes in the area of Risk Management and Compliance. With this post he begins a series of articles related to identifying and documenting a baseline security architecture for voice systems using a risk management approach. Lawrence

Part 1 – Establishing Security Requirements
The objective of this series of blog posts is to take the reader through the process of designing a baseline security architecture for voice solutions base on a generic Implementation. Part 1 of this series will focus on how and where security requirements fit in to the Risk Management process.

The process of risk management (RM) is continuous and is based on defining and establishing an acceptable level of risk. Once …

Read the rest of this entry »

Tom DeSot from Digital Defense joins us again….Lawrence

The Argument Begins

In my last post I talked primarily about how many organizations are looking to utilize vulnerability assessments to learn what issues are being introduced into their enterprise by newer IP based voice systems. Before I went any further in the discussion, I wanted to cover off on a topic many organizations neglect to consider before assessing their networks, whether voice or data. The topic is risk evaluation and system prioritization.

While I do not think any reader would dispute the need to conduct vulnerability assessments and subsequently patch any systems where issues are discovered, many would debate what systems take priority in the grand scheme of things. …

Read the rest of this entry »

Like many other professions, security has its demons. One of which is how do we ensure that the products that we use are trustworthy, or have “assurance.” An emerging method of validating the assurance that is present in a solution made up of many different products is the concept of In Situ Security Testing. This testing is periodically done on the running solution without interrupting the normal state of operation. This approach is ideally suited to the high availability, real-time environment of VoIP and Multimedia solutions, specifically solutions made up of many individual products and components.

The National Institute of Standards and Technology (NIST) is overseeing the Information Security Automation Program and The …

Read the rest of this entry »

Jeff Lewis on my team joins us again with an interesting comparison…Lawrence

I often read in the blogosphere about how Voice over IP is so much less secure than traditional TDM based technologies. There certainly seems to be enough compelling reasons for such thinking, but I frequently wonder how much truth there really is to it. Is it really that dangerous? Is it really that different from the old way of doing things? Keeping the scope to the telephone lines and sets themselves, I think the answer is probably yes – but it certainly doesn’t have to be.

I recently joined a tech trial at the office to help test out a new VoIP call server. Installation was easy enough …

Read the rest of this entry »

I am becoming very amazed at the number of people (Analysis: Hacking VoIP, As Easy As 1-2-3) that are equating the presence of vulnerabilities in voice systems to the voice system being compromised (AKA hacked). It is true that a vulnerability increases the possibility of a system being compromised but it does not equate to it. This is a very important distinction.

Let’s look at what has to happen before a vulnerability can be successfully exploited. I am reminded of the consecutive steps in the Three-mile Island Accident of 1978 that all had to happen for the accident to occur – breaking any of the steps would have mitigated the accident. Despite diligent efforts to discover and …

Read the rest of this entry »

Today’s guest post is by Eric Winsborrow, the Chief Marketing Officer of Sipera Systems. Eric has more than 20 years experience in both security and unified communications. He has a broad depth of VoIP and Security experience having senior positions for companies such as McAfee as VP of Product Marketing, Symantec, Sygate, Nortel, Lucent and Cisco. Lawrence

Enterprises are increasingly deploying real-time, unified communications such as VoIP, IM, video and others to increase productivity, reduce costs and improve collaboration. Enterprises can fully experience unified communications when IP PBXs and real-time communications applications are extended beyond the enterprise to soft phones on PCs, hard phones at remote sites, and WiFi/dual-mode phones.

It is critical for enterprises to understand the …

Read the rest of this entry »

Today’s post is from Jeff Lewis. Jeff is a Security Architect on my team, and has more than 10 years experience in voice communications technology, including technical support of global voice networks, product verification, software integration, and most predominantly, carrier grade voice application software development. He was involved in some of the very first ground breaking voice over IP calls performed in Nortel’s laboratories in Germany. Lawrence

The discussion over the usefulness and applicability of taking a Risk Management (RM) based approach to voice security is an interesting one to say the least. Welcome to the front line.

Let’s begin by considering why a company might decide that RM is the wrong way to go. Perhaps the process is seen …

Read the rest of this entry »

Besides posters from Nortel’s Voice Security Eco System, I will be having members of Nortel’s technical community post as well. Today, Stephan Varty of my Advanced Security Solutions R&D Team joins us. Stephan has been at Nortel for more than 10 years in various security related roles. He holds the CISSP certification. Lawrence

Many people assume a certain level of confidentiality is assured when they use their phone. Concerns have been raised about the increased risk of someone eavesdropping on a VoIP call compared to a traditional PSTN call. Although the concern applies similarly to other VoIP protocols such as UNIStim, H.323, or SCCP as well, what follows is an opinion on the …

Read the rest of this entry »

The Nortel Voice Security Blog will regularly feature posts by members of Nortel’s Voice Security Ecosystem. Today Mark Collier, the CTO and VP of Engineering of SecureLogix will be our featured contributor. Mark is well known in the Voice Security Industry, having co-authored with David Endler Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions (Hacking Exposed). He also writes about VoIP security on his own VoIP Security Blog.

Over the past 10 years, SecureLogix has conducted many voice security assessments for enterprise customers. A proper voice security assessment will include two parts. First the TDM or VoIP trunks connecting one or more enterprise sites to the public network must be instrumented. All the voice …

Read the rest of this entry »

You may have seen that some Nortel products, as well as others, have recently been identified with a few voice system vulnerabilities. This is timely because one of next week’s Voice Security Blog postings will be about responsible disclosure for Voice Security….but let’s start the discussion about the proper process for vulnerability reporting now.

The reporting process followed by some commercial firms involved in this type of research is raising some concerns. Most firms involved with vulnerability reporting will agree that the accepted protocols for disclosure have been well established – and they have been worked out to the satisfaction of vulnerability researchers, manufactures, and users. However the debate over full disclosure versus non-disclosure versus responsible …

Read the rest of this entry »