RE: VOIP: RTP vs SRTP

From: Ken Kousky (kkousky@ip3inc.com)
Date: Sun Mar 12 2006 - 12:14:31 EST


There's no question that VoIP Security is a BIG issue. Most management
surveys say that it's the first or second reason given for why companies are
delaying on VoIP.

VoIPSA is certainly a resource, as is NIST. They publish a free report (it's
really a 100-page book) on Securing VoIP and it's probably the best guide in
the industry. It's also a great VoIP primer and best of all, you've already
paid for it in your tax dollars so you can download it at no cost. (The
administration has not reclassified it as top secret yet)

It's at:
http://www.csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf

The most important lesson here is that the recommendations to avoid soft phones
and to segment VoIP on a VLAN will prevent many of the desired VoIP benefits,
so the security frameworks don't map to reality.

If you'd like to present your work in this field or just learn more about
VoIP security, join us at the Second Annual VoIP Security Conference hosted
by IP3 and Illinois Institute of Technology:

Call for Speakers and Sponsors
The 2nd Annual
Managing VoIP Security Conference
(MVSC 2006)
May 17-18, 2006

IIT- Illinois Institute of Technology
Herman Union Building- Conference Center
Chicago, Illinois, USA
www.voip-wifi.net
 or visit:
www.ip3seminars.com/conf.htm

 

-----Original Message-----
From: Chris Serafin [mailto:chris@chrisserafin.com]
Sent: Friday, March 10, 2006 11:55 AM
To: defragz@hotmail.com; pen-test@securityfocus.com
Subject: RE: VOIP: RTP vs SRTP

I have been thinking of writing a paper about VoIP security also. In my
experience [solely Cisco VoIP] there is absolutely no security in place for
any VoIP.

Chris Serafin
IT Security / VoIP Engineer
chris@chrisserafin.com

-----Original Message-----
From: defragz@hotmail.com [mailto:defragz@hotmail.com]
Sent: Friday, March 10, 2006 2:23 AM
To: pen-test@securityfocus.com
Subject: VOIP: RTP vs SRTP

Hello list,

Planning some internal presentations on VoIP, I was wondering if SRTP
(Secure Real Time Protocol) is now really in use, as a secure replacement of
RTP.

More generally, from your experience, and from what you have seen in "real
life", do you think that VoIP security is getting better? Do people use
crypto to protect both data and signalling?
I would love to hear your feedback...
-Franck

------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
As attacks through web applications continue to rise, you need to proactively
protect your applications from hackers. Cenzic has the most comprehensive
solutions to meet your application security penetration testing and
vulnerability management needs. You have an option to go with a managed
service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm).
Download FREE whitepaper on how a managed service can help you:
http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com
------------------------------------------------------------------------------

