Source: www.voip-news.com

WatchGuard Technologies has unveiled WatchGuard Fireware XTM, a new operating system for WatchGuard security appliances, which work on a variety of technologies including VoIP.

“WatchGuard’s vision of extensible threat management means giving customers the ability to extend or add on to or augment their security foundation,” said Eric Aarrestad, Vice President, Marketing at WatchGuard Technologies. “With Fireware XTM, businesses gain a new and formidable tool that keeps their networks, resources and sensitive data safe and highly secure.”

According to the company:

The new WatchGuard operating system, Fireware XTM, defends networks by adding innovative security features, including full HTTPS inspection, VoIP security, and IM and Peer-to-Peer (P2P) application blocking. Furthermore, Fireware XTM integrates new networking capabilities, including clustering, load-balancing and other networking features. Additionally, the new operating system also extends management capabilities by adding role-based access control (RBAC), centralized multi-box management and enhanced reporting functions. The combination of this makes Fireware XTM the most powerful operating system developed by WatchGuard needed for today’s ever-growing threats and dynamic business environments.

Source: www.voip-news.com

Radware is using NetLogic Microsystem’s NETL7 Layer 7 processors for its new DefensePro network security Solutions. The NetLogic processors are designed to enhance the performance and functionality of next-gen networks for high-definition video delivery over the Internet (IPTV), media-rich content over advanced mobile wireless services, voice transmission over the Internet (VoIP) and network security applications.

“We have been impressed with the superior performance, quality and ease-of-integration of NetLogic Microsystems’ NETL7 processors and SDK which have enabled us to get to market much sooner and with a more robust product,” said Avi Chesla, vice president of security, Radware. “By offering our comprehensive, high-performance network security product line that integrates NetLogic Microsystems’ industry-leading hardware accelerators, our new line of DefensePro IPS products provide customers with unparalleled performance and scalability for data center security protection.”

According to the companies:

Radware has collaborated with NetLogic Microsystems to use NetLogic Microsystems’ industry-leading NETL7 knowledge-based processors to accelerate deep-packet inspection (DPI) and enhance the wire-speed performance of Radware’s DefensePro systems. The NETL7 processor family comprises highly scalable solutions that provide real-time, uncompromised inspection performance from 250Mbps to 20Gbps with a common set of APIs and software development kit (SDK). By inspecting every bit in every packet against every security threat signature at wire-speed, the NETL7 processors enable comprehensive, best-in-class security solutions for next-generation data center, enterprise, service provider and small/midsize business networks.

“We are excited to have been selected by Radware for their new line of DefensePro network security products,” said Mike Ichiriu, senior director of Layer 7 products at NetLogic Microsystems. “DefensePro solutions are driving advanced security performance, functionality and services to new levels in next-generation data centers, and we’re glad to be delivering innovative processors into these advanced security systems.”

Source: www.voip-news.com

SIPvicious has the scoop on an add-on for Immunity CANVAS that provides security for VoIP applications.

There’s a risk to VoIP PBX, says Fortify. VoIP News of the UK has all the details.

Skype has some new hires and VoIP Watch has some opinions on them.

Source: www.voip-news.com

NetMotion Wireless is boosting mobile security with expanded support for new end-user authentication protocols. NetMotion’s Mobile VPN, Mobility XE makes it easier for companies to meet set standards.

According to the company:

The new functionality, available at no cost to most customers with existing maintenance agreements, allows IT administrators to flexibly deploy a host of strong user-authentication methods, including public key infrastructure (PKI), smart cards and biometric systems. The expanded authentication options also enable industries with strict regulations over data security, such as law enforcement, to become compliant with state and federal security guidelines, such as the Criminal Justice Information Systems (CJIS) Security Policy.

“At a time when revenues and budgets are shrinking, public safety agencies across the country are faced with meeting strict security standards for data delivery and user access to regional and federal information databases,” said Major Steven Williams, chief technology officer, Florida Department of Highway Safety & Motor Vehicles. “Support for these authentication methods helps our agencies meet these standards quickly and inexpensively so that our officers and employees can have mobile access to the information critical to their duties.”

Source: www.voip-news.com

Nortel is using Certicom’s security technology to improve cryptographic performance and simply application creation for its UC platform for U.S. Federal Government agencies.

According to Nortel:

Nortel plans to integrate Certicom ECC algorithms into its Application Server 5300, bringing this open, Session Initiation Protocol (SIP)-based software platform into conformance with U.S. National Security Agency (NSA) recommendations for cryptographic implementation.

Nortel has also licensed Certicom’s Security Builder(R) GSE(TM), which provides a pre-approved FIPS 140-2 cryptographic module for application development, saving both development time and cost of certification.

“We’re experts at developing solutions that meet or exceed the most rigorous security requirements,” said Chuck Saffell, chief executive officer, Nortel Government Solutions, which provides networking solutions and IT services for a number of U.S. Federal agencies.

Source: www.voip-news.com

Teltronics, Inc. is going to provide StarCall iPLUS, an IP-based, SIP-compliant multimedia platform to GE Security, Inc.

“This relationship not only provides an extra level of comfort in support of on-site safety for educational institutions but increases productivity and efficiency — saving time and money. We believe that Teltronics’ four decades of communications industry experience and the strength and reliability found in our Cerato voice communications solutions provide GE Security’s StarCall iPLUS a new level of sophistication and convenience to accommodate the required needs in a school setting,” said Teltronics’ Ewen Cameron.

“Collaboration with Teltronics has resulted in our StarCall iPLUS offering — the best-in-class solution for improving communications within educational facilities,” said Steve Hein, general manager, fire and life safety products, GE Security. “Teltronics’ industry knowledge and commitment to working with us has resulted in a solid, non-proprietary application that is fully integrated with our StarCall product.”

Source: www.voip-news.com

Sipera System’s Sipera IPCS security appliances  now have advance security for SIP trunking. Sipera VIPER Engine also has upgraded security as well.

“Many enterprises today are embracing Unified Communications because they see it playing a key role in increasing the productivity of their organization. What some overlook, however, are the security issues that arise any time an enterprise application is connected to the Internet,” said Matthias Machowinski, Infonetics Research Directing Analyst, Enterprise Voice & Data. “In order to realize the benefits of UC without increasing security risks, enterprises need to add security to their infrastructure that protects against threats in real-time.”

Sipera execs agree.

“As companies extend Unified Communications beyond the enterprise perimeter to allow SIP trunking and mobility solutions, they require sophisticated and comprehensive security from a dedicated UC security provider,” said Eric Winsborrow, Chief Marketing Officer for Sipera Systems. “Sipera’s comprehensive UC security provides threat protection, policy enforcement, access control, and privacy measures, along with the ability to simplify the deployment of SIP trunks and mobile workspaces. Sipera IPCS threat protection is backed by the expertise of and ongoing signature updates from Sipera VIPER Lab to ensure complete protection in real-time.”

Source: asteriskblog.com

Here is something for all Asterisk users out there.  Though we may all be very enthusiastic about Asterisk and the service it provides, we have to be practical and keep our eyes open for vulnerabilities.  Even the people over at Digium do not act like ostriches and keep their head buried in the sand – I guess most other service providers act the same way.  They are always on the look out for weaknesses that other unscrupulous individuals may take advantage of.

Recently, Joel R. Voss aka. Javantea reported a vulnerability in Asterisk systems that may result in denial of service.  Many other sites and blogs have subsequently spread the word about the possible problems that may arise from the vulnerability.  People over at Digium themselves have released an advisory about the issue.  They have also released work arounds that could help solve the issue and avoid potential problems that may arise from it.

Below is the description of the vulnerability as well as other important details that you may need to resolve the issue.  This was taken from Secunia:

Description:
A vulnerability has been reported in Asterisk, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to improper verification of ACK responses during IAX2 handshakes, which can be exploited to spoof an IAX2 handshake and cause a DoS via high bandwidth usage.

The vulnerability is reported in the following versions:
* Asterisk Open Source 1.0.x (all versions)
* Asterisk Open Source 1.2.x (all versions prior to 1.2.28)
* Asterisk Open Source 1.4.x (all versions prior to 1.4.19.1)
* Asterisk Business Edition A.x.x (all versions)
* Asterisk Business Edition B.x.x (all versions prior to B.2.5.2)
* Asterisk Business Edition C.x.x (all versions prior to C.1.8.1)
* AsteriskNOW 1.0.x (all versions prior to 1.0.3)
* Asterisk Appliance Developer Kit 0.x.x (all versions)
* s800i (Asterisk Appliance) 1.0.x (all versions prior to 1.1.0.3)

Solution:
Asterisk Open Source 1.2.x:
Fixed in 1.2.28.

Asterisk Open Source 1.4.x:
Fixed in 1.4.19.1.

Asterisk Business Edition B.x.x:
Fixed in B.2.5.2

Asterisk Business Edition C.x.x:
Fixed in C.1.8.1.

AsteriskNOW:
Fixed in 1.0.3.

s800i (Asterisk Appliance):
Fixed in 1.1.0.3.

Provided and/or discovered by:
Joel R. Voss a.k.a. Javantea

Original Advisory:
Asterisk:
http://downloads.digium.com/pub/security/AST-2008-006.html

AltSci:
https://www.altsci.com/concepts/page.php?s=asteri&p=2

Here’s to hoping that you will be able to take care of the vulnerability before anything adverse happens!

Source: www.voip-news.com

Ahhh, finally. I knew it had to happen sometime: the New York Times talking about VoIP (or more specifically, VoIP security).

So, what do they have to say about VoIP? Well, for starters, it is just as vulnerable to attacks as computers. (Duh.) And there is an unprecedented number of vulnerability.

Here’s a snippet:

“Nobody takes VoIP security seriously enough,” contends Rick Dalmazzi, chief executive of Ottawa-based VoIPshield Systems, Inc., a VoIP security firm. Consumers who use telephone systems from companies like Vonage are using VoIP technology.

Mr. Dalmazzi’s contention that the VoIP industry is at serious risk may start to get more attention Tuesday, when the company releases a report that details a total of more than 100 security issues spread across the VoIP networks of three large VoIP business providers: Avaya, Cisco and Nortel. Hackers who know about these vulnerabilities can institute denial-of-service attacks, harvest customer data, record conversations and break into voice mailboxes.

Need help with your VoIP security? Click here to check out VoIP News’s Essential Guide to VoIP Security.

Source: www.voip-news.com

Sipera Systems is hoping their recent appointment of John Lochow as president and CEO is going to do for that company what it did for his previous company, Syndesis Limited. Under Lochow’s leadership, Syndesis revenues grew tenfold from $6 million to $60 million. Lochow has experience in both small and large enterprise  and service provider technology solutions companies.

Sipera is growing and expanding its VoIP/UC security solutions business, which is crucial to the security of enterprise VoIP.

“With the growing awareness in the marketplace of the need for comprehensive VoIP/UC security, now is the time for Sipera to bring its VoIP security leadership to a new level.  John is the person to help Sipera accelerate its momentum,” said Ben Scott, chairman of the board for Sipera Systems.

Lochow said he’s excited to join the organization.

“Sipera is at an inflection point with the demand for comprehensive VoIP/UC security solutions expanding as enterprises and service providers seek to protect and control real-time unified communications,” said Lochow.

Source: snapvoip.blogspot.com

VOIP security is not a subject we read or write much about because we are busy with getting products to the market. But VOIPSA, which I wrote about a year ago "VoIP Security Threat Taxonomy" has come to our aid again, this time with a new project, VOIPSA Best Practices project.
The media is awash with VOIP security concerns. I consider this is to be an excellent track as VOIP IP Telephony is picking up steam as never before. But most of the articles I read last week was by/about scanit.net research. Facts are good and applies to all of us, but the main reason I did not publish any article on it was because, Sacnit research was mainly based on it’s clients in a few middle eastern countires, an area where VOIP is banned in some places.
The new project by VOIPSA will start this week and here is the project description, From VOIPSA;
"This project aims to define a common set of industry-wide ‘best practices’ for securing VoIP systems against the threats outlined in the Threat Taxonomy. While specific practices will vary according to vendor and architecture, the document created by this group will provide an overall view of how best to secure VoIP systems.

These best practices will aim to mitigate security threats across the VoIP ecosystem including individual VoIP building blocks, supporting security technology components (SBCs, Firewalls, etc.), architecture and network design (NAT, VPN, port security, etc.), network management, and end point Access and Authentication to name a few.

The end objective of this project is to create a document that can be used as a companion to the Threat Taxonomy. This document will by its nature evolve over time and we expect to periodically issue new versions.

Right now, though, we are just getting started and we welcome the participation of anyone who would like to be involved. To participate, please sign up to the Best Practices working group mailing list."

So get your gears ready and join. It will be good for all of us.

Links;
VOIPSA Blog Article
VOIPSA Best Practices working group mailing list
And of course VOIPSA

Source: snapvoip.blogspot.com

VOIP security is not a subject we read or write much about because we are busy with getting products to the market. But VOIPSA, which I wrote about a year ago "VoIP Security Threat Taxonomy" has come to our aid again, this time with a new project, VOIPSA Best Practices project.
The media is awash with VOIP security concerns. I consider this is to be an excellent track as VOIP IP Telephony is picking up steam as never before. But most of the articles I read last week was by/about scanit.net research. Facts are good and applies to all of us, but the main reason I did not publish any article on it was because, Sacnit research was mainly based on it’s clients in a few middle eastern countires, an area where VOIP is banned in some places.
The new project by VOIPSA will start this week and here is the project description, From VOIPSA;
"This project aims to define a common set of industry-wide ‘best practices’ for securing VoIP systems against the threats outlined in the Threat Taxonomy. While specific practices will vary according to vendor and architecture, the document created by this group will provide an overall view of how best to secure VoIP systems.

These best practices will aim to mitigate security threats across the VoIP ecosystem including individual VoIP building blocks, supporting security technology components (SBCs, Firewalls, etc.), architecture and network design (NAT, VPN, port security, etc.), network management, and end point Access and Authentication to name a few.

The end objective of this project is to create a document that can be used as a companion to the Threat Taxonomy. This document will by its nature evolve over time and we expect to periodically issue new versions.

Right now, though, we are just getting started and we welcome the participation of anyone who would like to be involved. To participate, please sign up to the Best Practices working group mailing list."

So get your gears ready and join. It will be good for all of us.

Links;
VOIPSA Blog Article
VOIPSA Best Practices working group mailing list
And of course VOIPSA