I want to echo Jonn's comments about the need for better VoIP
security and 802.11r is still at least 18 months away. It is worth
noting that there are some proprietary solutions from Cisco and
others if you need something in the meantime. The standard
disclaimers about proprietary solutions apply, but they are available
if they fit your environment.
David
David Morton
Director, ITI Security Solutions
University of Washington
On Nov 29, 2005, at 2:02 PM, Jonn Martell wrote:
Agreed. There are a couple of important components.
The first is 802.1x but as important is fast roaming (secure
handoffs between APs). IEEE 802.11r is still a work in progress.
PMK-caching is the way to facilitate secure fast roaming in
current generation products but it's likely not going to appear for
WPA devices (not sure exactly why?)
It appears the handset vendors will have to support WPA2. We're
seeing a number of interesting handsets which are starting to just
now support WPA but not WPA2. In many cases WPA2 will require brand
new handsets which have yet to see the light of day. Needless to
say, we aren't buying a lot of expensive VOIP wireless handsets
right now but we are testing several... :-)
Our VOIP over Wireless pilot uses WPA-PSK and we won't release
devices that expose the PSK. I think that's the best way to deploy
secure VOIP over wireless in the short term. Not ideal, as Frank
says, vendors aren't very far along.
My prediction is that secure VOIP (at the application layer) will
open the floodgates on all VOIP (including VOIP over wireless)...
We're already starting to see this with Skype... The days for
insecure VOIP are numbered IMHO.
... Jonn Martell, Manager UBC Wireless (Wireless and VOIP Project
Manager)
on 11/29/2005 1:41 PM Frank Bulk said the following:
Hear-hear, but the Wi-Fi handset vendors are by far and large not
that far along in the thought process....
Frank
-----Original Message-----
From: Michael Griego [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 29, 2005 2:33 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [SCFN] <offtopic> VoIP eavesdropping (fwd)
This highlights the exact reasons that VoFi systems *should* use
802.1x authentication with per-station keys. That way, each handset
has its own key to encrypt its traffic over the air with, stopping
the easy sniffing of traffic passing through the air. This, of
course, does nothing for beyond-the-AP sniffing, but it is presumed
that is handled by other security measures in the environment.
--Mike
-----------------------------------
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
Lee Barken wrote:
Any comments? (Originally sent to socalfreenet.org)
---------- Forwarded message ----------
Date: Tue, 29 Nov 2005 09:20:11 -0800 (PST)
From: Lee Barken <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [SCFN] <offtopic> VoIP eavesdropping
This is somewhat offtopic for a wireless list-- but kinda
relevant considering our plans to implement VoIP in our wireless
clouds....
VoIP, in essence, uses CLEARTEXT protocols... making passive
capture trivial in a wireless environment..... (?) What is the
risk that somebody will capture unauthorized recordings of voice
communication? Is there a legal precedent for prohibiting
wiretapping in a digital environment?
http://oreka.sourceforge.net/
"The open source, cross-platform audio stream recording and
retrieval system Oreka is a modular and cross-platform system for
recording and retrieval of audio streams. The project currently
supports VoIP and sound device based capture. Recordings metadata
can be stored in any mainstream database. Retrieval of captured
sessions is web based."
"Record VoIP RTP sessions by passively listening to network
packets. Both sides of a conversation are mixed together and each
call is logged as a separate audio file. When SIP or Cisco Skinny
(SCCP) signalling is detected, the associated metadata is also
extracted."
Take it easy,
-Lee
_______________________________________________
SoCalFreeNet.org General Discussion List
To unsubscribe, please visit:
http://socalfreenet.org/mailman/listinfo/discuss_socalfreenet.org
**********
Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/.
**********