Most Helpful Customer Reviews
21 of 23 people found the following review helpful:
1.0 out of 5 stars
I am IP_Geek, July 15, 2005
[note: I am the same reviewer IP_Geek, but Amazon only lets you review once, so this is a follow-up]
Despite what Dr. Michael G. Mathews may believe, I really wanted to use my real name, and I have never worked for Exodus (although they may have been a customer of one of the companies I worked for, unknown to me). I have worked at 4 networking vendor/manufacturer companies, of which 2 were data vendors (routers/switches) and 2 VoIP companies. I currently work at a vendor who makes VoIP security products, and thus I felt it a bit unfair/dangerous to my employer to critique any book in a public forum. (because you can google my name and find out where I work)
I still feel that way, so I will try to convince you I have no agenda as easily as I can as follows:
1) My argument was simply that you should VERY carefully read the table of contents, including the page numbers. Dr. Mathews is quite right that this type of book will appeal to some people, just that in my humble opinion I hope those people are not put in charge of securing VoIP, because this book doesn't do it. (see below why)
2) I did not slam the authors in person or capabilities - I slammed the book they wrote. This book was published fairly recently (6 months ago), and this book is written from a VoIP perspective of several years ago, in my opinion. It is missing tons, and contains lots of frankly irrelevant content to the subject. If the title of the book "VoIP Security" is not meant to actually mean this is a book about VoIP Security, then I guess I don't understand what book titles are for. The back cover even says "This book will teach you how to plan for and implement VoIP security solutions...". I am taking issue with that statement, not the authors personally.
3) I think some people may like the book, because they are not already experts in VoIP security and thus don't know what they're missing. I believe I am pretty close to an expert. I was looking for a book I could recommend to my customers and colleagues who are not.
4) Dr. Mathews says "It addresses the protocol specifics, the technical issues, and the security options surrounding the protocol." I think that it addresses them if you don't know what they really are. I will tell you what I know is missing from this book:
a) TLS. Much of the VoIP industry believes TLS to be the future panacea for VoIP service security. (it's not used much today, but many are moving that way) That belief is true for eavesdropping protection/privacy, and server-side authentication. It is not true for DoS/DDoS attack protection, or user-side authentication. It is also not true for fraud prevention, and it adds many scalability/performance issues. The reasons for that, how SIP over TLS works at a protocol level, and more interestingly the security issues around it are not addressed in this book. That should be a whole chapter. As a side note, they say TLS requires TCP, which was true until the draft for DTLS came out for TLS over UDP, which has received much publicity in the VoIP security world. It came out in 2003 - long before this book was finished.
b) IPSec. The 3GPP/IMS world and some inter-carrier VoIP peering uses IPSec to secure VoIP, which like TLS only provides some security features/benefits but not others. Used by enterprises it also adds latency to RTP (because they use it in tunnel mode over TCP). I give the authors some credit - they did spend 10 pages on the VPN issues with IPsec (but it's not exactly how 3GPP uses it). I still think this topic should be a whole chapter.
c) SRTP. How SRTP is performed, from a protocol level and hardware/software level, leaves much to be desired. There is in fact much debate in the industry if it is needed at all, how it can be managed, how CALEA can be supported with it, etc. SRTP also does not protect the gateways/phones, and the implementation of it is the critical piece as to whether it's any good at all. The authors spend a couple pages on it - I would probably spend at least half a chapter on it - perhaps by removing the big section on how codecs work (which has virtually no relevance to VoIP security compared to this list). The fact there are different codecs is important, but not the formulas for the plot curves of A-law and u-law!
d) S/MIME. Some VoIP products do it, but most don't, and it breaks some things. Again, the protocol and security issues with S/MIME are not covered in much detail in this book. (although it's covered over at least a few pages, just not enough I think)
e) VoIP Firewalls. One simply cannot lump that into one group. The differences in feature/architecture/functionality between categories of firewalls (not to mention models/brands), and how you use VoIP with them, is so critical I'm literally shocked there isn't a ton more detail on this. Look at other security books for data. There are entire books about just a particular firewall brand. (not that this book should get to that level of detail)
f) STUN/TURN/ICE. They are mentioned briefly, but really these technologies/protocols are another Pandora's box of security issues, and should be addressed if crossing NATs is at all useful for you. Likewise, Session Border Controllers are mentioned briefly in this book, but they are considered by most to be one of the fundamental pieces in VoIP security.
OK, enough time spent. I'm sorry for the length of this reply. Again, this book may appeal to you (to each his own), I just caution you that there is a lot more under the VoIP security hood than is mentioned in this book.
I'm sure the authors are good guys - perhaps they wrote this book a long time ago and printing/publishing books is just too much delay to keep up with technology.
(although I'm still struggling to understand how 30 pages of codec waveform detail helps any VoIP security person)
22 of 25 people found the following review helpful:
3.0 out of 5 stars
Did not live up to expectations, April 30, 2005
I decided to read 'VoIP Security' because I thought it would describe VoIP protocols and ways to secure them. The table of contents looked very strong and the preface seemed to meet my goals: "For one to truly understand Internet telephony, the reader must have a solid understanding of digital voice, telephony, networking, Internet protocols, and, most important of all, how all of these technologies are put together." Unfortunately, the book is confusing at times and is not an improvement over earlier VoIP security books. So-called 'reviewers' who write that this book 'goes heavily into explaining the low level mechanics of VoIP' reveal they don't read the books they purport to review.
Chapters 1, 2, and 3 discuss reasons to use VoIP, how voice is encoded into digital form, and telephony history. I found the wire pair discussions in ch 3 confusing; additional diagrams might have helped. Some text in the existing figures is so small as to be nearly illegible. Ch 4, on 'packet technologies,' is the worst in the book. Many of the 'functional activities by layer' in figure 4.1 are wrong (e.g., routing at layer 2). Page 89 says 'the IP identification number is mainly useful for identifying anomalous signatures.' While IP fragmentation is mentioned, that correct function of the IP ID seems played down.
The most frustrating part of ch 4 is the sudden discussion of the H.235 protocol, with absolutely no introduction to its purpose or what it is. This is especially unfortunate as the preceding 20 pages were wasted describing basic IP networking. H.235 is not explained until ch 8. Similarly, p. 102 and elsewhere compares SIP to H.323, without explaining H.323 or SIP! H.323 is tangentially covered in ch 8, and SIP makes an appearance in ch 5. A chapter that should have been the core of the book -- explaining VoIP protocols -- is its weakest. At the very best, this shows the book is poorly organized.
After presenting generic VoIP deployment issues in ch 6, ch 7 catalogs various VoIP security risks and ch 8 offers VoIP security best practices. I was surprised to realize that chs 7 and 8 are the only sections that really mention security at all, in a book called 'VoIP Security.' I did not find this material compelling, as much of it delivered generic security guidance -- some of it wrong. On p. 192 we read that 'Linux can be crashed with one pair' of fragmented IP datagrams (wrong). On p. 193 we read 'each broadcast address can support up to 255 hosts' (wrong, only true for /24 netblocks). On p. 263 we read 'rather than looking at one frame at a time, as with firewalls, NIDS usually don't add delay because they look across a broad collection of frames flowing in either direction' (what?). I got the impression this book suffered due to lack of digital security experience on the part of the authors and editors; they seemed much more like telecom practitioners.
Ch 9 presents legal issues in security (not really related to VoIP), and ch 10 concludes with a short 'future of VoIP.' I finished this book not much more informed about VoIP security than when I started. In fact, I turned to the older 2001 SAMS book 'Voice and Data Security' by Archer, et al, and found it covered protocols and security issues much better than 'VoIP Security.'
If Elsevier decides to print a new edition of this book, they should encourage the authors to take a hard look at what they discuss and where they discuss it. They should also consider what they omit. I think a real VoIP security book should explain how to configure and deploy the open source PBX Asterisk and a VoIP proxy like siproxd for SIP. The new edition should do more than mention tools like 'voice over misconfigured internet telephones'; show them and others in action. Avoid the generic network and security discussions and concentrate on the topic at hand.
3 of 4 people found the following review helpful:
1.0 out of 5 stars
Worst tech book I have ever read., April 16, 2006
This will end up being the worst tech book I have ever read. The book starts off with lofty goals and ends up achieving none. None of the topics are presented properly. As pointed out in various reviews, chapter 4 is where the nightmare begins. That is not to say that the first three chapters are good, because there's really nothing worth reading in those first few pages.
The authors do NOT do justice to VoIP, to security, and to VoIP security.
Don't waste your money on this book.