VoIP books and white papers

Opinion
Jul 14, 20054 mins

* VoIP security resources

In my last column, I introduced a major document reviewing VoIP security published by the National Institute of Standards and Technology. In this column, I am presenting additional resources for those of you interested in deepening your knowledge of VoIP or in finding resources for teaching others about VoIP security.

Textbooks

* In _Voice over IP Fundamentals_ Jonathan Davidson, James Peters and Brian Gracely provide an overview of VoIP in a single short text dating back a few years.

https://www.amazon.com/exec/obidos/ASIN/1578701686/fusion0e/

Similar overviews:

* Scott Keagy’s _Integrating Voice and Data Networks: Practical solutions for the world of packetized voice over data networks_

https://www.amazon.com/exec/obidos/ASIN/1578701961/fusion0e/

* Mark A. Miller’s _Voice over IP Technologies: Building the Converged Network_

https://www.amazon.com/exec/obidos/ASIN/0764549073/fusion0e/

* Gonzalo Camarillo’s _SIP Demystified_ is a short text about Session Initiation Protocol (SIP), one of the major techniques used in VoIP. Chapters 4 (fundamentals of the protocol), 5 (examples of how SIP works), and 6 (security) are the core of the book.

https://www.amazon.com/exec/obidos/ASIN/0071373403/fusion0e/

White Papers

* “Vulnerabilities and Security Limitations of current IP Telephony Systems” is a 2001 paper by Ralf Ackermann, Markus Schumacher, Utz Roedig and Ralf Steinmetz that discussed “the theoretical background of certain vulnerabilities, testing and attacking tools” and found significant vulnerabilities in many VoIP technologies.

https://tinyurl.com/8pxya

* A white paper by Jason Halpern of Cisco discusses security of VoIP in the context of Cisco’s SAFE framework. The author begins, “This paper provides best-practice information to interested parties for designing and implementing secure IP telephony networks utilizing elements of the SAFE blueprints. All SAFE white papers are available at the SAFE Web site: https://www.cisco.com/go/safe These documents were written to provide best-practice information on network security and VPN designs.”

https://tinyurl.com/dtf2h

* Another Cisco white paper extends this framework to what the company calls “Integrated Network Security for Cisco IP Communications” and which “will provide comprehensive security with system-level protection, integrity, and privacy through tighter integration with the security capabilities of the data network.”

https://tinyurl.com/cwgqm

* A 10-page white paper from Vitel Software offers some practical advice on protocols, hardware, and monitoring as useful tools in securing VoIP.

https://tinyurl.com/dgf9n

* Tom Long and Brian Boyter wrote very nice descriptions of sniffing attacks on VoIP and several countermeasures as part of their work for the GIAC Security Essentials Certification (GSEC) and GIAC Certified Incident Handler (GCIH) certification, respectively.

Long’s “Eavesdropping an IP Telephony Call”:

https://tinyurl.com/86yo5

Boyter’s “Voice-over-IP Sniffing Attack”:

https://tinyurl.com/bm9bn

* Mark Collier’s “The Value of VoIP Security” has excellent recommendations for securing VoIP which are worth quoting directly here:

– Use some form of host-based intrusion detection to detect attacks.

– Deploy a voice-optimized firewall to protect the IP PBX from attackers on the LAN and Internet.

– Build a switched network. This not only improves performance, but also makes it more difficult for an attacker to access end points.

– Make use of VLANs to help segregate traffic.

– Secure all networking components, including switches, routers, etc.

– For campus VoIP, configure Internet firewalls and other security systems to prevent VoIP from entering or leaving the internal network.

– Limit the number of calls traveling over the WAN to the media gateway or any shared resource that could be overloaded by a DoS attack.

– Consider additional firewalls and security products to control or monitor traffic on the network.

https://tinyurl.com/dbmak

* Frank Echezabal wrote a nine-page paper for the GIAC Security Essentials Certification (GSEC) on VoIP Security that provides a succinct summary of the issues:

https://tinyurl.com/dxo7w

* Andrew Molitor of Aravox Technologies wrote a couple of short white papers with helpful information about firewalls for VoIP systems:

“Deploying a Dynamic Voice over IP Firewall with IP Telephony Applications”:

https://tinyurl.com/8tp2c

“Securing VoIP Networks with Specific Techniques, Comprehensive Policies and VoIP-Capable Firewalls”:

https://tinyurl.com/86vr4

In my next column, I will examine in more detail an excellent exposition of threats to VoIP from an Austrian student’s master’s thesis. For a sneak peek see:

https://tinyurl.com/bfzez