Ground Rules for VoIP Security Testing

These ground rules were adopted as a means of setting a level playing field for consistent testing practices for all vendors whose products were tested.

1. The vendor has complete control over the IP telephony environment and underlying network infrastructure -- which products to include and how everything would be configured.

2. A midsize, local-only VoIP environment (campus or building) would be simulated. No VoIP traffic would be carried via WAN between remote, distributed locations.

3. After setup, IP telephony and Layer 2/Layer 3 data networking could not be functionally limited because of security settings, including normal IP phone calling out to or from the PSTN.

4. After setup, vendors could not actively manipulate or reconfigure their network. They could, however, continue to passively monitor security alert/alarm logs.

5. Assaults would all be attempted via these specific attack points:

  • a. Via an "office-cube" data-LAN port, which the assailant can legitimately access (for example a valid MAC address).
  • b. Via an "office-cube" IP phone, which the assailant is authorized to use, including the "data switch port" on the back of the phone, for a desktop or laptop. These scenarios represent typical insider-attack scenarios.

6. All assaults would employ or be based on tools and attacks that are publicly available via the Internet. No new programming or other unique or custom attacks could be applied.

7. Assailants could not procure or disassemble and dissect a vendor IP hard phone.

Special Report

VoIP Goes Mainstream

Stories in this report:

This story, "Ground Rules for VoIP Security Testing" was originally published by Network World.


Copyright © 2005 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon