Re: [fw-wiz] VOIP versus PBX
At 11:25 AM 7/21/2005, Marcus J. Ranum wrote:[color=blue]
>Yehuda Goldenberg wrote:[color=green]
> >What else do I have to worry about with VOIP?[/color]
>We don't know much about the security of VOIP PBXes but since they were
>largely developed by "phone guys" I'm comfortable assuming that
>there is little
>or none. So you have the issue of accidental or deliberate denial-of-service
>against desktop phones, but also the potential that the PBX can be attacked
>over the in-band network that's used to manage it. Because you *KNOW*
>that whoever manages the PBX will want to access it from their desktop
>workstation not a workstation on a separate VLAN.[/color]
>> Historically, most telecommunication folks who managed PBX prior[/color][/color]
to IP enabled PBX would hide in the telco/phone room a majority of
the day to do moves, adds, changes and deletes, always standing by
with their 66/110 punchdown tool, butt-set with appropriate gator
clips to validate whether a traditional analog pair is
working. This even goes for 911 or alarm lines.
As the migration towards VOIP PBXes is occurring, the
telecommunications folks are a bit skiddish of moving towards a
desktop workstation environment and would rather rely on their SAT
Terminal connected via Serial Connection to the back end of the
PBX. Most telecommunications folks get all befuddled when H.323/SIP
speak is talked about and usually see through the B.S of the VoIP vendors
Most crusty old or experienced PBX admins are a bit more crusty at
moving to the newer solutions especially when it involves screwing
with dial tone for their users. Cutovers to VoIP PBXes are much more
tricky, especially when migrating a call center environment or a
financial trading firm. Disruption in phone service could impact
their business greater than network disruption.
Much different POV then "ripping out old Gauntlet firewalls for the
latest and greatest cobbled together "neat color scheme" all-in one
appliance. :) Old motto: if ain't broke, don't fix it.
Ensuring a VOIP solution works in default mode is not easy,
especially when considering large enterprise type entities are used
to just coming into their office picking up their analog phone and
retrieving their daily voicemail with little to no complexity.
Migration to a VOIP PBX solution can be a very complex and daunting,
especially when dealing with QOS, MOS, jitter even if implementing a
default configuration without turning on all the security features.
The scariest issue is did the VoIP PBX vendor implement the various
VoIP protocols correctly and ensure their solution plays well with
the various firewall, VPN, Intrusion Detection and Intrusion
Prevention vendors out there. Most are still in the process of
working out all the features to ensure users are not impacted to much.
P.S. I disavow any hands-on knowledge of VoIP PBX or traditional PBX
>The protocols used for VOIP are "problematic" let us say. "Designed by
>people who ignored security" might be a less tactful way to say it.
>"Moronic" also comes to mind. That said, there appear to be so many of
>them that it's hard to nail down whether you'll have a problem or not; it
>depends on what you wind up using and where/how. The situation is
>comparable to wireless - getting it all working in default mode is easy.
>Getting it all working safely is hard and may be impossible.
>Lastly, inevitably, someone will want to do VOIP with the outside world.
>For cost saving reasons, or whatever (but really so they can talk to their
>kid in college for "free") so there will be a move to let the VOIP through
>your firewall. Then you will discover VOIP-spam. Of course the guys
>who designed VOIP systems didn't take that into account, either.
>Like every other "new widget technology" VOIP will eventually mature
>just around the time that it's being replaced by some cool new new
>widget technology that didn't take into account any lessons learned
>from the last new widget technology. But there will be loads of vendors
>with a $15,000 1-U rack-mount appliance that offers a complete solution
>that fixes all those problems.
>firewall-wizards mailing list
firewall-wizards mailing list