RE: Converged Network Assessment

From: Joseph Seanor (joseph@cibir.net)
Date: Fri Feb 10 2006 - 21:23:19 EST


Ken,

        Thank you for the email, however, I did not post that original email. My email address was forged by an ex-employee of mine who has been doing this around the internet.

> I think one of the additional implications here is the realization
> that VoIP and multi-media will introduce new issues to the security
> community and should be factored into risk assessments. Pen tests
> should be adjusted accordingly.
>
> Several simple observations on the convergence impact:
>
> 1) first, convergence is going to have a lot to do with integrating
> VoIP - here we should note that general managers are traditionally
> more concerned about voice privacy than email privacy (while most
> data folks know there's a lot of critical information in email,
> mgmt cares more about confidentiality on their voice
> communications) - this is likely to lead to wide-spread encryption
> of voice traffic which means it's an ideal convert channel since
> filters can't inspect encrypted data flows so look for malicious
> use of encrypted UDP packets
> 2) VoIP requires two ports (each is unidirectional) for
> conversations - some firewalls or perimeter defenses talk about pin
> holes being opened for voice; don't you love it - a hole in the
> perimeter but it's only a pin prick 2) acceptable, or functional
> latency is very different for voice and live video than for email
> or browsing; this means that many exploits that might cause a delay
> can actually produce an outage in the converged network 3) power
> dependency is an important issue since the phone grid traditionally
> carried it's own power and that's not easy to do with VoIP 4)
> location awareness is an issue as we see in the FCC battle over
> E911 for VoIP 5) spoofing of caller ID is made quite trivial in VoIP
> 6) Convergence also commonly includes wireless and new client form
> factors like cell phones and hybrid PDAs
>
> These are not all direct issues for a pen test but risk assessment
> and planning should address these and far more.
>
> Each new technology we deploy opens up new vulnerabilities and it's
> our jobs to be in front of these.
>
> Convergence is far more than market hype - it's going to bring lots
> of new vulnerabilities and will require new, enhanced defenses.
>
> And, as I've said to vendors for 30 years "it's got to be taught
> before it will be bought" so it's got to start with education.
>
>
> -----Original Message-----
> From: Bob Radvanovsky [mailto:rsradvan@unixworks.net]
> Sent: Sunday, February 05, 2006 3:12 PM
> To: joseph@cibir.net; pen-test@securityfocus.com
> Subject: Re: Converged Network Assessment
>
> Actually, it could go either way. The latest thing within the IT
> and security industries is "standardization". For the security
> industries, this means converging physical, cyber and policy
> management security together. For the IT industries, this means
> converging telephone (VoIP), video, and networking together.
>
> This makes sense that what they're offering is a complete suite of
> networking assessments for telephony, video and network (data).
> They're taking advantage of the "convergence movement" lately, and
> utilizing it as a method of a one-stop-shopping for assessing ALL
> technologies under ONE quote.
>
> Makes sense, doesn't it?
>
> Bob Radvanovsky, CISM, CIFI, REM, CIPS
> "knowledge squared is information shared"
> rsradvan (at) unixworks.net | infracritical.com | ehealthgrid.com
> (630) 673-7740 | (412) 774-0373 (fax)
>
> *** DISCLAIMER NOTICE ***
> This electronic mail ("e-mail") message, including any and/or all
> attachments, is for the sole use of the intended recipient(s), and
> may contain confidential and/or privileged information, pertaining
> to business conducted under the direction and supervision of Bob
> Radvanovsky and/or his affiliates, as well as is the property of
> Bob Radvanovsky and/or his affiliates, or otherwise protected from
> disclosure. All electronic mail messages, which may have been
> established as expressed views and/or opinions (stated either
> within the electronic mail message or any of its attachments), are
> left at the sole discretion and responsibility of that of the
> sender, and are not necessarily attributed to Bob Radvanovsky.
> Unauthorized interception, review, use, disclosure or distribution
> of any such information contained within this electronic mail
> message and/or its attachment(s), is(are) strictly prohibited. As
> this e-mail may be legally privileged and/or confidential and is
> intended only for the use of the addressee(s), no addressee should
> forward, print, copy, or otherwise reproduce this message in any
> manner that would allow it to be viewed by any individual not
> originally listed as a recipient. If the reader of this message is
> not the intended recipient, you are hereby notified that any
> unauthorized disclosure, dissemination, distribution, copying or
> the taking of any action in reliance upon the information herein is
> strictly prohibited. If you have received this communication in
> error, please notify the sender immediately, followed by the
> deletion of this or any related message.
>
>
> ----- Original Message -----
> From: joseph@cibir.net
> To: pen-test@securityfocus.com
> Subject: Converged Network Assessment
>
>
>> I am newbie in the field of security, and stumbled across a
>> security
>>
> company
>> advertising that they conduct Converged Network Assessments. As
>> they describe the assessment focuses on both the voice and the
>> data network, in order to expose any new security holes created
>> by a converged network.
>>
>> .The assessment covers:
>> - External Security Assessment
>> - Internal Security Assessment
>> - PBX Assessment
>> - Adjunct Assessment
>> - Wireless Assessment
>> - Bluetooth Assessment
>> - Rogue Modem Assessment
>> - IDS Assessment
>> - SAN's Assessment
>> - VoIP Assessment
>> - Penetration testing
>>
>> So can someone provide me a honest answer to what a Converged
>> Network Assessment is, it sounds like a lot of marketing speak.
>>
>> thx

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:30 EDT