Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon
& Hannah" <rmslade shaw.ca>
BKPVOIPS.RVW 2060602
"Practical VoIP Security", Thomas Porter et al,
2006, 1-59749-060-1,
U$49.95/C$69.95
%A Thomas Porter
%C 800 Hingham Street, Rockland, MA 02370
%D 2006
%G 1-59749-060-1
%I Syngress Media, Inc.
%O U$49.95/C$69.95 781-681-5151 fax: 781-681-3585 amysyngress.com
%O http://www.amazon.com/exec/obidos/ASIN/1597490
601/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/159
7490601/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/159749060
1/robsladesin03-20
%O Audience i- Tech 2 Writing 1 (see revfaq.htm for
explanation)
%P 563 p.
%T "Practical VoIP Security"
VoIP (Voice over Internet Protocol) is something of the new
kid on the
technology block, and computer folks may have limited
experience with
telephony. It therefore seems a bit strange that chapter
one, as an
introduction to VoIP security, starts out by talking about
computer
security and attacks. However, the structure of the book is
rather
odd in any case. The basics of telephony, and the Public
Switched
Telephone Network (PSTN), are not covered until chapter
four. Even
then, while there is some useful trivia, most of the content
is a list
of telephony protocols. Chapter three covers some of the
basic
hardware and element information, discussing PBX (Private
Branch
eXchange) systems, VoIP components, and even power supplies.
That
material, in turn, would be helpful to those who try to
understand
chapter two, which is supposed to be about the Asterisk PBX
software
package. Although the text purports to deal with
configuration and
features of Asterisk, most of the section's content covers
PBX
operations and functions, dial plans, telephony numbering
plans, and
even a terse piece on the vital aspect of circuit versus
packet
switching.
With chapter five, the book moves into some of the specifics
of VoIP,
discussing H.323, a protocol to specify data formats that is
used
extensively in commercial IP telephony products. SIP, the
Session
Initiation Protocol (used to negotiate interactive sessions
over the
net), gets a more detailed treatment (along with examination
of
related protocols) in chapter six. Other IP telephony
architectures
are briefly listed in chapter seven: the very popular Skype,
H.248,
IAX (Inter Asterisk eXchange), and Microsoft's Live
Communications
Server 2005 (MLCS). Diverse protocols used in support of
VoIP are
discussed in chapter eight. Most of these are commonly used
in other
Internet applications: some; such as RSVP (Resource
reSerVation
Protocol), SDP (Session Description Protocol), and Skinny;
are more
specialized. All the listed protocols have some review of
security
implications, which marks the first time in the book that
security
seems to be a major issue.
Chapter nine examines specific threats and attacks, mostly
related to
denial of service and hijacking. Securing the
infrastructure used for
VoIP is important, although the material in chapter ten is
fairly
standard information security. Chapter eleven reviews a
number of
ordinary authentication tools that are frequently used in
VoIP.
"Active Security Monitoring," in chapter twelve,
is the traditional
intrusion detection and penetration testing, and has nothing
specific
to IP telephony applications. Similarly, chapter thirteen
examines
normal traffic management and LAN segregation issues: the
only
telephony related content is in regard to VoIP aware
firewalls. The
IETF (Internet Engineering Task Force) has recommended
certain
existing security protocols in regard to IP telephony, and
one
addition (SRTP, Secure Real-time Transfer Protocol): these
are
outlined in chapter fourteen. Chapter fifteen lists various
(United
States) data security related regulations and the European
Union
privacy directive. The IP Multimedia Subsystem (IMS)
structure is
reviewed in chapter sixteen. Chapter seventeen repeats the
recommendations made in chapters ten through fourteen.
It is handy to have a number of the issues related to VoIP
addressed
in one work. There is some depth to the content of the text
as well,
and those dealing with system internals may find that
useful.
However, for those who need to manage or make policy or
purchasing
decisions in regard to VoIP, this book may not have the
forcefulness
of complete analysis, or a structure that would assist in
learning the
background. While there is a considerable amount of helpful
information, it reads more like an accumulation of
miscellaneous facts
than a directed study.
copyright Robert M. Slade, 2006 BKPVOIPS.RVW 2060602
====================== (quote inserted randomly by Pegasus
Mailer)
rsladevcn.bc.ca sladevictoria.tc.ca
rsladecomputercrime.org
An Englishman, even if he is alone, forms an orderly queue
of one
-
George Mikes
Dictionary Information Security
www.syngress.com/catalog/?pid=4150
http://victoria
.tc.ca/techrev/rms.htm
_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com
|