RE: VOIP: RTP vs SRTP

From: Bob Bell (rtbell) (rtbell@cisco.com)
Date: Fri Mar 10 2006 - 16:35:39 EST


Franck, Chris, et al -

First off, there are a number of manufacturers (e.g. Cisco, Avaya,
Nortel, etc.) that provide systems for enterprises that support SRTP.
They support other security components with varying degrees of
completeness in that same space. One of the issues to be considered,
however, is that just because you support TLS or SRTP or whatever as a
protocol protection, that does not necessarily mean that the system is
secure or has appropriate security characteristics.

Cisco's IPT solution for enterprises (CCM 4.x+) does support a very
complete set of security features and functionality. And it is improving
with time. Cisco has been engaged in securing their IPT offering since
1999. The first release containing a security component was CCM 3.3
which contained digitally signed images for the phones. Each release
since that time has increased the security features. Other vendors are
also improving their offerings.

While it is true that other environments may have more limited security
implementations, to say that there is absolutely no security in place
for any VoIP is not very accurate. It is possible to provide appropriate
protection to commercial grade IPT commensurate with the threat
environments currently present. And it is getting better.

It is important to understand that SRTP or any encryption of user
information is probably the last and least important security feature.
It matters little, for instance, if the media stream between two
endpoints is encrypted if those endpoints cannot guarantee that they are
directly communicating with the intended destination rather than a MITM.
Schemes that provide SRTP support without strong, positive
authentication of the remote endpoint basically do nothing other than to
give their customers a very false sense of security.

As to how much is actually realized at customers' sites, that is widely
variable. In many respects, it reflects the security stances of the
specific customers. SRTP, as a protection mechanism for voice streams, is
only implemented in certain environments today. Usually this is due to
the presence of specific legal requirements. However, as it, and the
other more critical security features, become both more pervasive and
easier to manage, it will increase in its usage. Many businesses may not
implement SRTP simply because, like email, they want to be able to
listen to their customers' conversations if needed. In the US that is an
option. In other countries, an employer may not be legally able to
listen to such communications. In that environment, SRTP will probably
be more widely implemented.

Guess I need to get down off the soap box. Summary: SRTP and other
security features are available to IPT customers within enterprise
deployments. In the USA, deployments that activate these features are
growing but are still in the minority. Non-USA deployments are actively
pursuing this.

Bob Bell
Chief Security Architect - IPCBU
Cisco Systems, Inc.

> -----Original Message-----
> From: Chris Serafin [mailto:chris@chrisserafin.com]
> Sent: Friday, March 10, 2006 09:55
> To: defragz@hotmail.com; pen-test@securityfocus.com
> Subject: RE: VOIP: RTP vs SRTP
>
> I have been thinking of writing a paper about VoIP security
> also. In my experience [solely Cisco voip] there is
> absolutely no security in place for any VoIP.
>
> Chris Serafin
> IT Security / VoIP Engineer
> chris@chrisserafin.com
>
> -----Original Message-----
> From: defragz@hotmail.com [mailto:defragz@hotmail.com]
> Sent: Friday, March 10, 2006 2:23 AM
> To: pen-test@securityfocus.com
> Subject: VOIP: RTP vs SRTP
>
> Hello list,
>
> Planning some internal presentations on VoIP, I was wondering
> if SRTP (Secure Real Time Protocol) is now really in use, as
> a secure replacement of RTP.
>
> More generally, from your experience, and from what you have
> seen in "real life", do you think that VoIP security is
> getting better? Do people use crypto to protect both data and
> signalling?
> I would love to hear your feedback...
> -Franck

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
As attacks through web applications continue to rise, you need to proactively
protect your applications from hackers. Cenzic has the most comprehensive
solutions to meet your application security penetration testing and
vulnerability management needs. You have an option to go with a managed
service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm).
Download FREE whitepaper on how a managed service can help you:
http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com
------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:40 EDT