- Войти через:
- vk.com
- ok.ru
- google.com
- mail.ru
- yandex.ru
Johnston A.B., Piscitello D.M. Understanding Voice over IP Security
- Файл формата pdf
- размером 2,75 МБ
- Добавлен пользователем Shushimora
- Описание отредактировано
Издательство Artech House, 2006. - 272 p.VoIP is poised to take over from the century-old public switched telephone network (PSTN). But VoIP telephony does not enjoy the same privacy as the old PSTN. This is because PSTN phone calls were based on establishing a closed circuit between the two parties, while VoIP phone calls send packets through the Internet, which everyone knows can be easily intercepted by anyone along the way. This naturally reduces the security of VoIP phone calls. While most PSTN phone users saw no justification for encrypting their calls, relying on the natural security of circuit-switched phone calls, even the less security-aware users are more likely to see a need to encrypt calls sent over the Internet.
The threat model for wiretapping VoIP is much more expansive than the one for wiretapping the PSTN. With the PSTN, the opportunities for wiretapping were in three main scenarios. First, someone could attach alligator clips to the phone wires near your home or office. Second, they could tap in at the switch at the phone company. This would likely be done by your own domestic government law enforcement agency, with the phone company’s cooperation. Third, international long-distance lines could be intercepted by intelligence agencies of either your country, the other party’s country, or a third country. It generally means a reasonably resourceful opponent.
That sounds like a lot of exposure to wiretapping, but it pales in comparison to the opportunities for interception that VoIP offers your opponents. Imagine that one of the PCs in your corporate offices becomes infected with spyware that can intercept all the IP packets it sees on the network, including VoIP packets. It could record these conversations on the hard disk as WAV files, or in a compressed audio format. It could organize them by caller or callee, allowing someone to conveniently browse through them like a TiVo player, but remotely. They might want to only listen to the CEO talking to his counterpart in another company about a merger or acquisition. Or maybe the in-house corporate counsel talking to an outside law firm. Point-and-click wiretapping, from the other side of the world. This could be done by a foreign government such as China. Or the Russian mob, some other criminal organization, or a freelance hacker. The attacker need not have the resources of a major government. He need not have the legal access that domestic law enforcement has. He can be anyone in the world, with global reach, without a military budget. In fact, sophisticated wiretapping software could even be used by countless unskilled script kiddies to wiretap their victims remotely. Wiretapping could go retail.
Think of all the criminal exploitation of the Internet going on today. Identity theft. Nigerian e-mail scams. Phishing. Millions of zombies taking over PCs everywhere, to be used as platforms to blackmail businesses with threats of distributed denial-of-service attacks. Criminal enterprises are now making more money from these activities than from selling drugs. Up to this point (January 2006), VoIP has been spared from the unwanted attentions of organized crime, because it isn’t big enough to be attractive yet. Just like the Internet as a whole was some years back. When VoIP grows big enough to present lucrative opportunities for criminal exploitation, the bad guys will be all over it, like they are today with the rest of the Internet. Just think of the insider trading opportunities for someone who can wiretap anywhere in a corporate target with a mouse click. This could be more lucrative and harder to detect than identity theft.
As our economies become more globalized, even small- and medium-sized companies are opening offices in countries with cheap labor markets. VoIP becomes an enabling technology for businesses to become globalized, cheaply tying overseas offices together with the home office. Now intracompany phone calls are crossing national borders. These cheap labor markets are sometimes in countries where governments have poor track records in wiretapping their people, and too often have their law enforcement agencies influenced by organized crime. This exposes globalized businesses more and more to wiretapping by criminal enterprises and foreign governments.
While my interests tend to gravitate first to protection against eavesdropping, many other forms of attack are possible in the VoIP world, and this book attempts to address a wide range of them. So many of these attacks have never been an issue in the PSTN world, but we face them in the VoIP world. If you want to work in the VoIP industry, you’d better become familiar with them, and this book will help you understand how they work and what can be done about them. It’s the first book to present both the present and future of VoIP security.
Cryptography plays an important role in protecting VoIP against many of these threats. The question of whether strong cryptography should be restricted by the government was debated all through the 1990s. This debate had the active participation of the White House, the NSA, the FBI, the courts, the Congress, the computer industry, civilian academia, and the press. This debate fully took into account the question of terrorists using strong crypto, and in fact, that was one of the core issues of the debate. Nonetheless, society’s collective decision (over the FBI’s objections) was that on the whole, we would be better off with strong crypto, unencumbered with government back doors. The export controls were lifted and no domestic controls were imposed. This was a well-thought-out decision, because we took the time and had such broad expert participation. If we are to move our phone calls from the well-manicured neighborhood of the PSTN to the lawless frontier of the Internet, we’d be irresponsible not to protect them with strong encryption. We have no choice but to act. Of course, some in law enforcement might view that as an encumbrance to legitimate wiretapping. But I see it as our duty as security professionals to protect our nation’s critical infrastructure and to protect our economy, and it ought to be considered as another facet of national security.Basic Security Concepts: Cryptography
VoIP Systems
Internet Threats and Attacks
Internet Security Architectures
Security Protocols
General Client and Server Security Principles
Authentication
Signaling Security
Media Security
Identity
PSTN Gateway Security
Spam and Spit
Conclusions
The threat model for wiretapping VoIP is much more expansive than the one for wiretapping the PSTN. With the PSTN, the opportunities for wiretapping were in three main scenarios. First, someone could attach alligator clips to the phone wires near your home or office. Second, they could tap in at the switch at the phone company. This would likely be done by your own domestic government law enforcement agency, with the phone company’s cooperation. Third, international long-distance lines could be intercepted by intelligence agencies of either your country, the other party’s country, or a third country. It generally means a reasonably resourceful opponent.
That sounds like a lot of exposure to wiretapping, but it pales in comparison to the opportunities for interception that VoIP offers your opponents. Imagine that one of the PCs in your corporate offices becomes infected with spyware that can intercept all the IP packets it sees on the network, including VoIP packets. It could record these conversations on the hard disk as WAV files, or in a compressed audio format. It could organize them by caller or callee, allowing someone to conveniently browse through them like a TiVo player, but remotely. They might want to only listen to the CEO talking to his counterpart in another company about a merger or acquisition. Or maybe the in-house corporate counsel talking to an outside law firm. Point-and-click wiretapping, from the other side of the world. This could be done by a foreign government such as China. Or the Russian mob, some other criminal organization, or a freelance hacker. The attacker need not have the resources of a major government. He need not have the legal access that domestic law enforcement has. He can be anyone in the world, with global reach, without a military budget. In fact, sophisticated wiretapping software could even be used by countless unskilled script kiddies to wiretap their victims remotely. Wiretapping could go retail.
Think of all the criminal exploitation of the Internet going on today. Identity theft. Nigerian e-mail scams. Phishing. Millions of zombies taking over PCs everywhere, to be used as platforms to blackmail businesses with threats of distributed denial-of-service attacks. Criminal enterprises are now making more money from these activities than from selling drugs. Up to this point (January 2006), VoIP has been spared from the unwanted attentions of organized crime, because it isn’t big enough to be attractive yet. Just like the Internet as a whole was some years back. When VoIP grows big enough to present lucrative opportunities for criminal exploitation, the bad guys will be all over it, like they are today with the rest of the Internet. Just think of the insider trading opportunities for someone who can wiretap anywhere in a corporate target with a mouse click. This could be more lucrative and harder to detect than identity theft.
As our economies become more globalized, even small- and medium-sized companies are opening offices in countries with cheap labor markets. VoIP becomes an enabling technology for businesses to become globalized, cheaply tying overseas offices together with the home office. Now intracompany phone calls are crossing national borders. These cheap labor markets are sometimes in countries where governments have poor track records in wiretapping their people, and too often have their law enforcement agencies influenced by organized crime. This exposes globalized businesses more and more to wiretapping by criminal enterprises and foreign governments.
While my interests tend to gravitate first to protection against eavesdropping, many other forms of attack are possible in the VoIP world, and this book attempts to address a wide range of them. So many of these attacks have never been an issue in the PSTN world, but we face them in the VoIP world. If you want to work in the VoIP industry, you’d better become familiar with them, and this book will help you understand how they work and what can be done about them. It’s the first book to present both the present and future of VoIP security.
Cryptography plays an important role in protecting VoIP against many of these threats. The question of whether strong cryptography should be restricted by the government was debated all through the 1990s. This debate had the active participation of the White House, the NSA, the FBI, the courts, the Congress, the computer industry, civilian academia, and the press. This debate fully took into account the question of terrorists using strong crypto, and in fact, that was one of the core issues of the debate. Nonetheless, society’s collective decision (over the FBI’s objections) was that on the whole, we would be better off with strong crypto, unencumbered with government back doors. The export controls were lifted and no domestic controls were imposed. This was a well-thought-out decision, because we took the time and had such broad expert participation. If we are to move our phone calls from the well-manicured neighborhood of the PSTN to the lawless frontier of the Internet, we’d be irresponsible not to protect them with strong encryption. We have no choice but to act. Of course, some in law enforcement might view that as an encumbrance to legitimate wiretapping. But I see it as our duty as security professionals to protect our nation’s critical infrastructure and to protect our economy, and it ought to be considered as another facet of national security.Basic Security Concepts: Cryptography
VoIP Systems
Internet Threats and Attacks
Internet Security Architectures
Security Protocols
General Client and Server Security Principles
Authentication
Signaling Security
Media Security
Identity
PSTN Gateway Security
Spam and Spit
Conclusions
- Чтобы скачать этот файл зарегистрируйтесь и/или войдите на сайт используя форму сверху.
- Узнайте сколько стоит уникальная работа конкретно по Вашей теме:
- Сколько стоит заказать работу?