I was rather surprised but pleased to see that my “Black Bag Security Review” was on the list of the “Top Ten IT Conversations Shows for March 2008”. My “surprise” was mostly because that particular talk is over a year old and was given at the ETel 2007 show back at the end of February 2007.
To be honest, I was not actually aware (or didn’t remember, anyway) that the IT Conversations Network had distributed my talk but I’m guessing they did so with a number of the ETel sessions.
Unfortunately, they don’t include the slides, which I put up in the Blue Box posting and also just generally made available on SlideShare. Without the slides, I suppose it works perfectly fine; I’ve just never listened to it that way. It was still one of the most fun presentations I’ve ever given, and it also took a ton of time to prepare: 243 slides in 14 minutes… 🙂 (I did write up some notes about the presentation, the style, etc.)
Anyway, it’s cool to see people discovering that session again. Nice surprise!
Technorati Tags: voip, voip security, dan york, etel
That was a great presentation. Thanks for posting/sharing it. I don’t get to travel as much as you… (how many airlines do you have premier type status with)?
Anyway, the topic was VoIP security, but you seem to use “VoIP” interchangeably (at least in this presentation) with “SIP”. In this presentation you identified risks with SIP. My impression is SIP is not that secure, but most of the vendor proprietary implementations of VoIP (Cisco, Mitel, etc.) are reasonably secure. The Mitel Teleworker has some form of encryption built into it. The very nature that you need a proprietary phone just to get dial tone would suggest some level of security.
I am sure Mitel was very concerned about security (all the way up to the day they let you go) as well as the other non-SIP VoIP boys. Of course they are all embracing SIP now cautiously – but I doubt a SIP trunk on a PBX really compromises a non-SIP VoIP to PSTN conversation on the same switch? (Why is the Mitel URL included on the more info slide?)
I am sure it is difficult in a 15 minute presentation, but I assume in your non-abridged presentations (links please) you differentiate more about security risks in the proprietary H.323 world.
Quick question – Does the other open source system (Nortel posting) rely on SIP as much as Asterisk?
Hi, thanks for the comments. Glad you liked the presentation. You know, the irony is that because I’m always flying “whatever is cheapest” I wind up NOT getting premier status on *any* airlines! I fly a week or two a month, which is certainly enough for me, but not enough to wind up in premier programs.
To your questions – yes, in this presentation I was talking about SIP. I was at ETel talking to a crowd focused on open standards (and often open source), so that was my focus. As I mentioned in my notes ( /2007/03/01/etel_black_bag_/ ) SysAdmin Steve could have certainly been safer with proprietary protocols and IP-PBXs.
The Mitel Teleworker phone *does* have extremely good encryption built in and on by default. (full disclosure: I was the product manager when the product was released in Jan 2003.)
A SIP trunk to a PBX would NOT compromise a non-SIP-to-PSTN conversation *assuming the conversion happens in the PBX*, i.e. it goes from non-SIP handset to a PSTN trunk line connected directly to the PBX via some direct interface. If the call from the non-SIP handset goes to the PBX and then across the SIP trunk to the PSTN, it certainly *is* at risk.
The Mitel URL is on the more info slide because at the time I gave this presentation I was employed by Mitel. That slide listed VOIPSA, my various blogs and my employer.
One of these days I need to get around to having a better list of all the presentations I’ve given. I have a “list” here: http://www.danyork.com/presos.html but it’s not complete and doesn’t have links to the slides. I’m trying to use SlideShare more: http://www.slideshare.net/danyork . Any presentations I can record about VoIP security are generally run on http://www.blueboxpodcast.com/ as “Special Editions”.
BTW, I’ve never done a presentation around proprietary H.323. Haven’t worked with it. (Avaya’s the only one I know using it for VoIP.)
Re: your quick question – the open source sipXecs product now used by Nortel for their SCS 500 relies on SIP *more* than Asterisk as SIP is the only protocol supported.
Thanks for your comments,
Dan
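The distinction Dan draws above (the non-SIP handset is protected only until the call crosses the SIP trunk) comes down to what the PBX actually puts on that trunk: is the SIP signaling carried over TLS, and does the SDP it offers negotiate SRTP or plain RTP? The following is an added example, not code from the original post, from Mitel, or from any PBX: it builds a constructed INVITE of the kind a PBX would send to a trunk provider (hosts, numbers and keys are placeholders) and reports whether the signaling and the audio of that leg would cross the trunk in the clear.

```python
"""Added example (not from the original post or any vendor's code).

Given the INVITE a PBX emits on a SIP trunk, decide whether the signaling and
the media it negotiates cross the trunk unprotected. All messages here are
constructed sample data; addresses, numbers and the SDES key are placeholders.
"""
import re

CRLF = "\r\n"


def build_invite(transport: str, media_proto: str, crypto: bool) -> str:
    """Construct a minimal INVITE + SDP like a PBX would send to a trunk provider.

    transport:   'UDP' or 'TLS' (the Via transport of the signaling leg)
    media_proto: 'RTP/AVP' (plain RTP) or 'RTP/SAVP' (SRTP)
    crypto:      whether to include an SDES a=crypto line carrying the SRTP key
    """
    sdp_lines = [
        "v=0",
        "o=pbx 2890844526 2890844526 IN IP4 192.0.2.10",
        "s=-",
        "c=IN IP4 192.0.2.10",
        "t=0 0",
        f"m=audio 49170 {media_proto} 0 8",
    ]
    if crypto:
        # SDES (RFC 4568): the SRTP key rides inside the SDP, so it is only as
        # secret as the signaling leg that carries it.
        sdp_lines.append("a=crypto:1 AES_CM_128_HMAC_SHA1_80 "
                         "inline:PS1uQCVeeCFCanVmcjkpPywjNWhcYD0mXXtxaVBR")
    body = CRLF.join(sdp_lines) + CRLF
    port = "5061" if transport.upper() == "TLS" else "5060"
    headers = [
        "INVITE sip:+15555551212@trunk.example.net SIP/2.0",
        f"Via: SIP/2.0/{transport} 192.0.2.10:{port};branch=z9hG4bK776asdhds",
        "From: <sip:2001@pbx.example.com>;tag=1928301774",
        "To: <sip:+15555551212@trunk.example.net>",
        "Call-ID: a84b4c76e66710@pbx.example.com",
        "CSeq: 314159 INVITE",
        "Content-Type: application/sdp",
        f"Content-Length: {len(body.encode())}",
    ]
    return CRLF.join(headers) + CRLF + CRLF + body


def split_sip(raw: str):
    """Split a SIP message into request line, header dict (lower-cased names) and body."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def sdp_media(body: str):
    """Return one dict per m= line, honouring session- and media-level c= and a=crypto."""
    session_conn = None
    streams = []
    for line in body.split(CRLF):
        if len(line) < 2 or line[1] != "=":
            continue
        kind, value = line[0], line[2:]
        if kind == "c":
            addr = value.split()[-1]
            if streams:
                streams[-1]["dest"] = addr      # media-level c= overrides session-level
            else:
                session_conn = addr
        elif kind == "m":
            media, port, proto = value.split()[:3]
            streams.append({"media": media, "port": int(port), "proto": proto,
                            "dest": session_conn, "keyed": False})
        elif kind == "a" and streams and value.startswith("crypto:"):
            streams[-1]["keyed"] = True
    return streams


def assess_trunk_call(raw: str) -> dict:
    """Report what an eavesdropper on the trunk could see for this call leg."""
    _, headers, body = split_sip(raw)
    via = headers.get("via", [""])[0]
    m = re.match(r"SIP/2\.0/(\w+)", via)
    transport = m.group(1).upper() if m else "UNKNOWN"
    signaling_encrypted = transport in ("TLS", "WSS")
    streams = sdp_media(body)
    # RTP/SAVP or RTP/SAVPF means SRTP; RTP/AVP means cleartext audio on the trunk.
    media_encrypted = bool(streams) and all(s["proto"].startswith("RTP/SAVP") for s in streams)
    # SRTP keyed by SDES over unencrypted signaling hands the key to the same eavesdropper.
    keys_exposed = any(s["keyed"] for s in streams) and not signaling_encrypted
    return {
        "transport": transport,
        "signaling_encrypted": signaling_encrypted,
        "media_encrypted": media_encrypted,
        "srtp_keys_exposed": keys_exposed,
        "at_risk": not (signaling_encrypted and media_encrypted),
        "streams": streams,
    }


if __name__ == "__main__":
    for label, args in [("plain UDP + RTP", ("UDP", "RTP/AVP", False)),
                        ("TLS + SRTP/SDES", ("TLS", "RTP/SAVP", True)),
                        ("UDP + SRTP/SDES", ("UDP", "RTP/SAVP", True))]:
        print(label, assess_trunk_call(build_invite(*args)))
```

The third case in the usage block is the one practitioners most often get wrong: SRTP is negotiated, but the SDES key sits in an SDP that crossed the trunk over UDP, so the media encryption buys nothing against whoever can already read the signaling. Running this against a real trunk capture would also need a proper SIP parser (folded headers, compact header names, multipart bodies), which the constructed sample deliberately avoids.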