RE VOIP RTP vs SRTP by liuhongmei


RE: VOIP: RTP vs SRTP

Source: http://www.derkeiler.com/Mailing-Lists/securityfocus/pen-test/2006-03/msg00152.html

      • From: "Bob Bell (rtbell)" <rtbell@xxxxxxxxx>
      • Date: Fri, 10 Mar 2006 13:35:39 -0800

Franck, Chris, et al -

First off, there are a number of manufacturers (e.g. Cisco, Avaya,
Nortel, etc.) that provide systems for enterprises that support SRTP.
They support other security components with varying degrees of
completeness in that same space. One of the issues to be considered,
however, is that just because you support TLS or SRTP or whatever as a
protocol protection, that does not necessarily mean that the system is
secure or has appropriate security characteristics.

Cisco's IPT solution for enterprises (CCM 4.x+) does support a very
complete set of security features and functionality. And it is improving
with time. Cisco has been engaged in securing their IPT offering since
1999. The first release containing a security component was CCM 3.3
which contained digitally signed images for the phones. Each release
since that time has increased the security features. Other vendors are
also improving their offerings.

While it is true that other environments may have more limited security
implementations, to say that there is absolutely no security in place
for any VoIP is not very accurate. It is possible to provide appropriate
protection to commercial grade IPT commensurate with the threat
environments currently present. And it is getting better.

It is important to understand that SRTP or any encryption of user
information is probably the last and least important security feature.
It matters little, for instance, if the media stream between two
endpoints is encrypted if those endpoints cannot guarantee that they are
directly communicating with the intended destination rather than a MITM.
Schemes that provide SRTP support without strong, positive
authentication of the remote endpoint basically do nothing other than to
give their customers a very false sense of security.

As to how much is actually realized at customers' sites, that is widely
variable. In many respects, it reflects the security stances of the
specific customers. SRTP as a protection mechanism for voice streams is
only implemented in certain environments today. Usually this is due to
the presence of specific legal requirements. However, as it, and the
other more critical security features, become both more pervasive and
easier to manage, it will increase in its usage. Many businesses may not
implement SRTP simply because, like email, they want to be able to
listen to their customers' conversations if needed. In the US that is an
option. In other countries, an employer may not be legally able to
listen to such communications. In that environment, SRTP will probably
be more widely implemented.

Guess I need to get down off the soap box. Summary, SRTP and other
security features are available to IPT customers within enterprise
deployments. In the USA, deployments that activate these features are
growing but are still in the minority. Non-USA deployments are actively
pursuing this.

Bob Bell
Chief Security Architect - IPCBU
Cisco Systems, Inc.


        -----Original Message-----
        From: Chris Serafin [mailto:chris@xxxxxxxxxxxxxxxx]
        Sent: Friday, March 10, 2006 09:55
        To: defragz@xxxxxxxxxxx; pen-test@xxxxxxxxxxxxxxxxx
        Subject: RE: VOIP: RTP vs SRTP

        I have been thinking of writing a paper about VoIP security
        also. In my experience [solely Cisco VoIP] there is
        absolutely no security in place for any VoIP.

        Chris Serafin
        IT Security / VoIP Engineer
        chris@xxxxxxxxxxxxxxxx

        -----Original Message-----
        From: defragz@xxxxxxxxxxx [mailto:defragz@xxxxxxxxxxx]
        Sent: Friday, March 10, 2006 2:23 AM
        To: pen-test@xxxxxxxxxxxxxxxxx
        Subject: VOIP: RTP vs SRTP

        Hello list,

        Planning some internal presentations on VoIP, I was wondering
        if SRTP (Secure Real Time Protocol) is now really in use, as
        a secure replacement of RTP.

        More generally, from your experience, and from what you have
        seen in "real life", do you think that VoIP security is
        getting better? Do people use crypto to protect both data and
        signalling?
        I would love to hear your feedback...
        -Franck




      ------------------------------------------------------------------------------
      This List Sponsored by: Cenzic

      Concerned about Web Application Security?
      As attacks through web applications continue to rise, you
      need to proactively protect your applications from hackers.
      Cenzic has the most comprehensive solutions to meet your
      application security penetration testing and vulnerability
      management needs. You have an option to go with a managed
      service (Cenzic ClickToSecure) or an enterprise software
      (Cenzic Hailstorm).

      Download FREE whitepaper on how a managed service can help you:
      http://www.cenzic.com/news_events/wpappsec.php
      And, now for a limited time we can do a FREE audit for you to
      confirm your results from other product. Contact us at
      request@xxxxxxxxxx
      ------------------------------------------------------------------------------



