Unified Communications: Click to talk:

Sipera Systems

Oct 22 2009   4:33AM GMT

Free Unified Communications Security Webinar



Posted by: Tony Bradley
Unified Communications, UC, Sipera Systems, Aberdeen Research, smart phones, Wireless, wi-fi, Security, Compliance, webinar

If you’re free next Wednesday, October 28, you should mark your calendar and plan on attending The Final Frontier: Secure Unified Communications to Any Device in Any Place at 12pm Eastern time (9am Pacific).

Unified communications, like just about any useful technology, can be a double-edged sword. Often, for every benefit or convenience there is a tradeoff of increased risk and exposure. As organizations work to extend unified communications to smart phones and wireless devices, they face even more security and compliance challenges.

The webinar is being presented by Sipera Systems and Aberdeen Research and will include the latest research and industry trends, real-world scenarios from actual deployments, and best practices for deploying unified communications securely.

Aug 27 2009   1:29PM GMT

SIP Trunks Gain Appeal in a Down Economy



Posted by: Tony Bradley
SIP trunking, Sipera Systems, Adam Boone, JaJah, Microsoft, OCS 2007 R2, Unified Communications, UC, OCS

SIP trunking has been a very hot technology in 2009, thanks in no small part to Office Communications Server 2007 R2. In fact, Microsoft shook up the SIP trunking world again recently with its announcement of a partnership with JaJah, which will enable customers to place calls from almost any device to almost any device using VoIP and let OCS 2007 R2 customers begin making calls almost immediately when deploying the server.

SIP trunking offers savings by eliminating some hardware components and, more importantly, by cutting costs and increasing efficiency. In a recent interview, Adam Boone, vice president of marketing at Sipera Systems, said, “The economic crisis has underscored for us that any technology that enables greater enterprise process efficiencies actually is relatively recession proof.”

The rest of the interview with Boone is interesting and worth a read. SIP trunking is a step in the evolution from traditional voice to a completely software-based, IP-voice implementation. Be sure to keep security on your to-do list though. Part of the reason that Sipera Systems is gung ho on SIP trunking is that they offer appliances and services that let customers deploy it securely and extend it to remote and branch workers. Take a look at what they have to offer and how it can enhance your SIP trunking VoIP infrastructure.


Aug 19 2009   2:12AM GMT

IP Video Vulnerable to Attack



Posted by: Tony Bradley
ip video, DEFCON, VIPER Lab, Sipera Systems, man-in-the-middle, eavesdrop, redirect

IP video conference calls can be easily hijacked or eavesdropped using simple tools that are available for free. Of the organizations that use IP video for surveillance or conferencing, only about 5% employ any sort of encryption or security measures to protect it.

It’s a common trick in action movies for the bad guys to cut the wires to the video surveillance cameras and insert their own looped video clip of business as usual so that security guards monitoring the area can’t tell a breach is occurring. The Hollywood bad guys always make it look so easy, and now it is. Using simple techniques, attackers could insert video into an IP video surveillance stream or listen to or watch an IP video conference undetected.

Sipera Systems’ VIPER (Voice Over IP Exploit Research) Lab team demonstrated an attack on IP video conferencing at the recent DEFCON security conference. Jason Ostrom, director of VIPER Lab, said “These attacks are based on ARP poisoning/man-in-the-middle. You can do this with email and VoIP — we’re just doing a new twist on an old attack to show people that these vulnerabilities are out there for IP video.”

IP video and other aspects of unified communications can be game-changing tools to streamline business processes and improve efficiency. However, they also have to be protected and secured or they can easily become game-changing weaknesses that allow attackers access to sensitive information and network resources. Make sure you take advantage of the inherent security of the products you are using by enabling encryption and other security controls, and also take a look at third-party products like Sipera’s UC-Sec appliances.


Apr 3 2009   12:57PM GMT

Test and Verify OCS Security with OAT



Posted by: Tony Bradley
OAT, VIPER Lab, Sipera Systems, OCS Assessment Tool, Office Communications Server, unified communications security, VoIP security

At Voicecon 2009 in Orlando this week, Sipera Systems announced a new free tool for assessing unified communications and VoIP security. The OCS Assessment Tool, dubbed OAT, is available as a free download from SourceForge.

According to the OAT download site, Sipera’s “VIPER Lab created OAT because OCS and other Microsoft products are frequently being used as part of a unified communications infrastructure in many enterprises. Our mission is to help IT managers and security practitioners evaluate the security architecture of their deployments and ensure that their mission-critical communications and systems are protected.”

OAT starts off with a dictionary attack against a known user. Once the password is determined, OAT can run a variety of UC / VoIP attacks against the OCS environment. OAT can be run internally, as if an authorized user is performing malicious or unauthorized activities, or as an external attack against OCS. OAT can perform the following functions:

  • Online Dictionary Attack
  • Presence Stealing
  • Contact List Stealing
  • Single User Flood Mode (Internal)
  • Domain Flood Mode (Internal)
  • Call Walk (Internal/External)
  • Play Spam Audio
  • Detailed Report Generation



Nov 30 2008   5:05AM GMT

Security Concerns of UC Networks



Posted by: Tony Bradley
Nortel, SIP, Unified Communications, VLAN, VoIP security, UC, Sipera Systems

When voice was just voice, it did not pose a security risk to the data network…at least not directly. It could be argued that there is still potential to exploit the voice network for social engineering purposes that result in a compromised data network, but that is a semi-convoluted argument and not really the point of this post.

With VoIP alone, standard best practices suggest keeping the voice VLAN and the data VLAN separate so that a compromise of the voice network would not have any effect on the data network. However, we live in a converged world. Unified communications merges voice and data and requires that they all play nice on the same network. Where does that leave us? That leaves us with some new security concerns to be aware of and guard against.

This post from Nortel’s Voice Security Blog, in conjunction with Sipera Systems Chief Marketing Officer, Eric Winsborrow, provides some additional detail and illustrates some potential scenarios that could exploit a vulnerable VoIP system and lead to a compromise of the UC or data network.