BKPVOIPS.RVW 2060602
"Practical VoIP Security", Thomas Porter et al, 2006, 1-59749-060-1,
U$49.95/C$69.95
%A Thomas Porter
%C 800 Hingham Street, Rockland, MA 02370
%D 2006
%G 1-59749-060-1
%I Syngress Media, Inc.
%O U$49.95/C$69.95 781-681-5151 fax: 781-681-3585 amy@syngress.com
%O http://www.amazon.com/exec/obidos/ASIN/1597490601/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1597490601/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1597490601/robsladesin03-20
%O Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 563 p.
%T "Practical VoIP Security"
VoIP (Voice over Internet Protocol) is something of the new kid on the
technology block, and computer folks may have limited experience with
telephony. It therefore seems a bit strange that chapter one, as an
introduction to VoIP security, starts out by talking about computer
security and attacks. However, the structure of the book is rather
odd in any case. The basics of telephony, and the Public Switched
Telephone Network (PSTN), are not covered until chapter four. Even
then, while there is some useful trivia, most of the content is a list
of telephony protocols. Chapter three covers some of the basic
hardware and element information, discussing PBX (Private Branch
eXchange) systems, VoIP components, and even power supplies. That
material, in turn, would be helpful to those who try to understand
chapter two, which is supposed to be about the Asterisk PBX software
package.
Although the text purports to deal with configuration and features of
Asterisk, most of the section's content covers PBX operations and
functions, dial plans, telephony numbering plans, and even a terse
piece on the vital aspect of circuit versus packet switching.
With chapter five, the book moves into some of the specifics of VoIP,
discussing H.323, a protocol to specify data formats that is used
extensively in commercial IP telephony products. SIP, the Session
Initiation Protocol (used to negotiate interactive sessions over the
net), gets a more detailed treatment (along with examination of
related protocols) in chapter six. Other IP telephony architectures
are briefly listed in chapter seven: the very popular Skype, H.248,
IAX (Inter Asterisk eXchange), and Microsoft's Live Communications
Server 2005 (MLCS). Diverse protocols used in support of VoIP are
discussed in chapter eight. Most of these are commonly used in other
Internet applications: some; such as RSVP (Resource reSerVation
Protocol), SDP (Session Description Protocol), and Skinny; are more
specialized. All the listed protocols have some review of security
implications, which marks the first time in the book that security
seems to be a major issue.
Chapter nine examines specific threats and attacks, mostly related to
denial of service and hijacking. Securing the infrastructure used for
VoIP is important, although the material in chapter ten is fairly
standard information security. Chapter eleven reviews a number of
ordinary authentication tools that are frequently used in VoIP.
"Active Security Monitoring," in chapter twelve, is the traditional
intrusion detection and penetration testing, and has nothing specific
to IP telephony applications.
Similarly, chapter thirteen examines normal traffic management and LAN
segregation issues: the only telephony related content is in regard to
VoIP aware firewalls. The IETF (Internet Engineering Task Force) has
recommended certain existing security protocols in regard to IP
telephony, and one addition (SRTP, Secure Real-time Transfer
Protocol): these are outlined in chapter fourteen. Chapter fifteen
lists various (United States) data security related regulations and
the European Union privacy directive. The IP Multimedia Subsystem
(IMS) structure is reviewed in chapter sixteen. Chapter seventeen
repeats the recommendations made in chapters ten through fourteen.
It is handy to have a number of the issues related to VoIP addressed
in one work. There is some depth to the content of the text as well,
and those dealing with system internals may find that useful.
However, for those who need to manage or make policy or purchasing
decisions in regard to VoIP, this book may not have the forcefulness
of complete analysis, or a structure that would assist in learning the
background. While there is a considerable amount of helpful
information, it reads more like an accumulation of miscellaneous facts
than a directed study.
copyright Robert M. Slade, 2006 BKPVOIPS.RVW 2060602
====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
An Englishman, even if he is alone, forms an orderly queue of one
- George Mikes
Dictionary Information Security www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm
Rob Slade (rmslade@shaw.ca)