Book review: Voice over IP Security
Based on the title, I would assume that the Cisco Press book Voice over IP Security: Security best practices derived from deep analysis of the latest VoIP network threats attracts primarily senior voice engineers who know that they have to secure their production networks. The author of the book strongly disagrees with my opinion, however, spending more than a third of the book on baseline explanations of VoIP, SIP, H.323, firewalls, NAT, DES, IPSec…. I enjoyed the overview chapters, as I last configured VoIP before SIP was invented, but an experienced VoIP engineer would be disappointed.
Part II of the book, “VoIP Security Best Practices,” looked more promising. Unfortunately, the author apparently was worried about those readers who would skip the introductory chapters, as he repeats most of the useful information from them in Chapter 6, “Analysis and Simulation of Current Threats,” adding perhaps 50% new content in each case. Chapter 7, “Protection with VoIP Protocol,” looked like another interesting topic, but again was very fundamental. It listed sample technology solutions, but never mentioned a single case in which the described solution would be applied in an operational network. Chapter 8, “Protection with Session Border Controller,” was even worse. It’s obvious that Cisco did not have a good SBC solution at the time the book was written, so the whole chapter reads like a Request for Proposal (RFP) put together by a security engineer wanting all the features mentioned in marketing materials from various vendors. I would much prefer having a few working case studies or even a list of desirable SBC features and a neutral comparison of available solutions.
The first chapter that could justify the book’s subtitle is Chapter 9 (out of 11), “Protection with Enterprise Network Devices,” which describes various voice-related security features offered by network devices manufactured by Cisco Systems. It covers PIX/ASA and FWSM firewalls, Unified Communications (UC) Manager and UC Manager Express (UCME), the phones and the switches. I can’t understand why the routers (apart from the UCME function) are not covered, as they could offer significant security benefits (including VoIP encryption). The omission of IDS/IPS systems throughout the book is also a mystery to me. Last but not least, I noticed the lack of coverage of any service provider VoIP products in Chapter 9. This is in stark contrast to the coverage of lawful interception in Chapter 10, “Lawful Interception Fundamentals,” and Chapter 11, “Lawful Interception Implementation,” which are applicable primarily to the service provider markets. One thus has to wonder which market (enterprise or service provider) the author is trying to target.
If you’re new to voice and security, this book will give you a great baseline introduction to various voice and security aspects as well as an overview of the VoIP security threats and potential solutions. It’s also an eye opener, describing various security threats that you probably haven’t considered yet. However, if you already know about voice and security, and you want to secure your VoIP network, you might be disappointed by the book’s lack of in-depth details related to actual network implementation.