Book Review: Practical VoIP Security, Thomas Porter et al


"Practical VoIP Security", Thomas Porter et al, 2006, 1-59749-060-1, U$49.95/C$69.95 %A Thomas Porter %C 800 Hingham Street, Rockland, MA 02370 %D 2006 %G 1-59749-060-1 %I Syngress Media, Inc. %O U$49.95/C$69.95 781-681-5151 fax: 781-681-3585 %O

formatting link
formatting link
formatting link
Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation) %P 563 p. %T "Practical VoIP Security"

VoIP (Voice over Internet Protocol) is something of the new kid on the technology block, and computer folks may have limited experience with telephony. It therefore seems a bit strange that chapter one, as an introduction to VoIP security, starts out by talking about computer security and attacks. However, the structure of the book is rather odd in any case. The basics of telephony, and the Public Switched Telephone Network (PSTN), are not covered until chapter four. Even then, while there is some useful trivia, most of the content is a list of telephony protocols. Chapter three covers some of the basic hardware and element information, discussing PBX (Private Branch eXchange) systems, VoIP components, and even power supplies. That material, in turn, would be helpful to those who try to understand chapter two, which is supposed to be about the Asterisk PBX software package.

Although the text purports to deal with configuration and features of Asterisk, most of the section's content covers PBX operations and functions, dial plans, telephony numbering plans, and even a terse piece on the vital aspect of circuit versus packet switching.

With chapter five, the book moves into some of the specifics of VoIP, discussing H.323, a protocol to specify data formats that is used extensively in commercial IP telephony products. SIP, the Session Initiation Protocol (used to negotiate interactive sessions over the net), gets a more detailed treatment (along with examination of related protocols) in chapter six. Other IP telephony architectures are briefly listed in chapter seven: the very popular Skype, H.248, IAX (Inter Asterisk eXchange), and Microsoft's Live Communications Server 2005 (MLCS). Diverse protocols used in support of VoIP are discussed in chapter eight. Most of these are commonly used in other Internet applications: some; such as RSVP (Resource reSerVation Protocol), SDP (Session Description Protocol), and Skinny; are more specialized. All the listed protocols have some review of security implications, which marks the first time in the book that security seems to be a major issue.

Chapter nine examines specific threats and attacks, mostly related to denial of service and hijacking. Securing the infrastructure used for VoIP is important, although the material in chapter ten is fairly standard information security. Chapter eleven reviews a number of ordinary authentication tools that are frequently used in VoIP. "Active Security Monitoring," in chapter twelve, is the traditional intrusion detection and penetration testing, and has nothing specific to IP telephony applications.

Similarly, chapter thirteen examines normal traffic management and LAN segregation issues: the only telephony related content is in regard to VoIP aware firewalls. The IETF (Internet Engineering Task Force) has recommended certain existing security protocols in regard to IP telephony, and one addition (SRTP, Secure Real-time Transfer Protocol): these are outlined in chapter fourteen. Chapter fifteen lists various (United States) data security related regulations and the European Union privacy directive. The IP Multimedia Subsystem (IMS) structure is reviewed in chapter sixteen. Chapter seventeen repeats the recommendations made in chapters ten through fourteen.

It is handy to have a number of the issues related to VoIP addressed in one work. There is some depth to the content of the text as well, and those dealing with system internals may find that useful. However, for those who need to manage or make policy or purchasing decisions in regard to VoIP, this book may not have the forcefulness of complete analysis, or a structure that would assist in learning the background. While there is a considerable amount of helpful information, it reads more like an accumulation of miscellaneous facts than a directed study.

copyright Robert M. Slade, 2006 BKPVOIPS.RVW 2060602

====================== (quote inserted randomly by Pegasus Mailer) An Englishman, even if he is alone, forms an orderly queue of one - George Mikes Dictionary Information Security

formatting link
formatting link

Reply to
Rob Slade
Loading thread data ... Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.