Razvan, et al.,
While not about PBX security directly, I have been doing research on the
security of IP telephony in enterprise networks for the past year. I have
several publications on the subject including my Master's Thesis
(http://www.off-pisteconsulting.com/research/pubs/reynolds-ms_thesis.pdf),
NDSS 03 conference paper
(http://www.off-pisteconsulting.com/research/pubs/ndss03-reynolds.pdf) and
slides (http://www.off-pisteconsulting.com/research/pubs/ndss03-slides.ppt)
and IEEE Communication Magazine article
(http://www.off-pisteconsulting.com/research/pubs/ieee_comm.pdf). If you
have any questions about any of the material feel free to drop me an email.
Brennen
--
Brennen Reynolds - Chief Consultant/Owner - Off-Piste Consulting, LLC
Email: brennen at off-pisteconsulting dot com Voice: (209) 258-4584
WWW: http://www.off-pisteconsulting.com Fax: (209) 258-4584
PGP Fingerprint:
E868 8B0D 175D 7394 E7AE 9E71 38CC 2B63 A1EB 9D9F
> -----Original Message-----
> From: Martin Walker [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, February 08, 2003 10:08 AM
> To: Rob Shein; Razvan; [EMAIL PROTECTED]
> Subject: RE: PBX Security
>
>
> Making matters worse is that the telephony vendors don't have a clue
> about anything other than the telephony side of things, and if you
> harden the box yourself you'll void most vendor paper regarding support
> etc.
>
> Several steps need to be taken to effectively combat the situation.
> First is that IT should own telephony, not facilities. Second IT needs
> to recognise these devices are general purpose computing platforms and
> design the secured architecture appropriately. This would include
> implementing firewalled "zones of protection" between the data access
> layer (in this case the IVRS/call center), application layer (agent
> applications) and the data storage back end. Third the boxes need to be
> hardened and the IT department's standard security self-certification
> program applied just like any other platform. A certification program
> would include recurring certification requirements. (I know everybody
> is using some sort of internal certification program to implement and
> manage security across the organization.....right?).
>
>
> > From: Razvan [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, February 05, 2003 2:51 AM
> > To: [EMAIL PROTECTED]
> > Subject: PBX Security
> >
> > As promised, I return with the reasons I freaked when I saw
> > what a PBX can become if used unwisely.
> >
> > Also, I feel unable to come up with any sort of relevant
> > advice on this matter. What's actually scary is the fact a
> > PBX owner has practically no control over such an issue. He
> > can have the most secure configuration, a relevant and
> > enforced security policy, security-conscious users, etc., and
> > he's still vulnerable. Or is he?
> >
> > Awaiting your thoughts on this.
> >
> > Razvan Teslaru
> > Romanian IT Security Company
> >
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/