These ground rules were adopted as a means of setting a level playing field for consistent testing practices for all vendors whose products were tested.
1. The vendor has complete control over the IP telephony environment and underlying network infrastructure -- which products to include and how everything would be configured.
2. A midsize, local-only VoIP environment (campus or building) would be simulated. No VoIP traffic would be carried via WAN between remote, distributed locations.
3. After setup, IP telephony and Layer 2/Layer 3 data networking could not be functionally limited because of security settings, including normal IP phone calling out to or from the PSTN.
4. After setup, vendors could not actively manipulate or reconfigure their network. They could, however, continue to passively monitor security alert/alarm logs.
5. Assaults would all be attempted via these specific attack points:
- a. Via an "office-cube" data-LAN port, which the assailant can legitimately access (for example a valid MAC address).
- b. Via an "office-cube" IP phone, which the assailant is authorized to use, including the "data switch port" on the back of the phone, for a desktop or laptop. These scenarios represent typical insider-attack scenarios.
6. All assaults would employ or be based on tools and attacks that are publicly available via the Internet. No new programming or other unique or custom attacks could be applied.
7. Assailants could not procure or disassemble and dissect a vendor IP hard phone.
VoIP Goes Mainstream
Stories in this report:
- VoIP Goes Mainstream
- VoIP: Ready for Prime Time
- Snapshot: The Seattle Times Co.
- VoIP Case Study: Small Project Works Out the Kinks
- VoIP Case Study: Wireless Joins Hospital's VoIP Mix
- VoIP Case Study: Call Centers Put on Speed Dial
- VoIP Case Study: Fashion Designer Gets Hip to IP
- VoIP Is Scary
- The Hidden Costs, and Savings, of VoIP
- The VoIP Management Challenge
- Breaking Through IP Telephony
- VoIP Security Rating Scale
- Ground Rules for VoIP Security Testing
- Laying the Groundwork for IP Telephony
- Bridging the IP Migration Gap
- The VoIP security checklist
- VoIP Security a Moving Target
- A VoIP Security Plan of Attack
- Avoiding Potholes on the VoIP Path
- Computerworld VoIP Data Points
This story, "Ground Rules for VoIP Security Testing" was originally published by Network World.