Voice over Internet Protocol (VoIP) Security Review

[Note: I am the same reviewer IP_Geek, but Amazon only lets you review once, so this is a follow-up.]

Despite what Dr. Michael G. Mathews may believe, I really wanted to use my real name, and I have never worked for Exodus (although they may have been a customer of one of the companies I worked for, unknown to me). I have worked at 4 networking vendor/manufacturer companies, of which 2 were data vendors (routers/switches) and 2 VoIP companies. I currently work at a vendor who makes VoIP security products, and thus I felt it a bit unfair/dangerous to my employer to critique any book in a public forum (because you can google my name and find out where I work).
I still feel that way, so I will try to convince you I have no agenda as easily as I can as follows:
1) My argument was simply that you should VERY carefully read the table of contents, including the page numbers. Dr. Mathews is quite right that this type of book will appeal to some people, just that in my humble opinion I hope those people are not put in charge of securing VoIP, because this book doesn't do it. (see below why)
2) I did not slam the authors in person or capabilities - I slammed the book they wrote. This book was published fairly recently (6 months ago), and this book is written from a VoIP perspective of several years ago, in my opinion. It is missing tons, and contains lots of frankly irrelevant content to the subject. If the title of the book "VoIP Security" is not meant to actually mean this is a book about VoIP Security, then I guess I don't understand what book titles are for. The back cover even says "This book will teach you how to plan for and implement VoIP security solutions...". I am taking issue with that statement, not the authors personally.
3) I think some people may like the book, because they are not already experts in VoIP security and thus don't know what they're missing. I believe I am pretty close to an expert. I was looking for a book I could recommend to my customers and colleagues who are not.
4) Dr. Mathews says "It addresses the protocol specifics, the technical issues, and the security options surrounding the protocol." I think that it addresses them if you don't know what they really are. I will tell you what I know is missing from this book:
a) TLS. Much of the VoIP industry believes TLS to be the future panacea for VoIP service security. (it's not used much today, but many are moving that way) That belief is true for eavesdropping protection/privacy, and server-side authentication. It is not true for DoS/DDoS attack protection, or user-side authentication. It is also not true for fraud prevention, and it adds many scalability/performance issues. The reasons for that, how SIP over TLS works at a protocol level, and more interestingly the security issues around it are not addressed in this book. That should be a whole chapter. As a side note, they say TLS requires TCP, which was true until the draft for DTLS came out for TLS over UDP, which has received much publicity in the VoIP security world. It came out in 2003 - long before this book was finished.
b) IPsec. The 3GPP/IMS world and some inter-carrier VoIP peering use IPsec to secure VoIP, which like TLS only provides some security features/benefits but not others. Used by enterprises it also adds latency to RTP (because they use it in tunnel mode over TCP). I give the authors some credit - they did spend 10 pages on the VPN issues with IPsec (but it's not exactly how 3GPP uses it). I still think this topic should be a whole chapter.
c) SRTP. How SRTP is performed, from a protocol level and hardware/software level, leaves much to be desired. There is in fact much debate in the industry if it is needed at all, how it can be managed, how CALEA can be supported with it, etc. SRTP also does not protect the gateways/phones, and the implementation of it is the critical piece as to whether it's any good at all. The authors spend a couple pages on it - I would probably spend at least half a chapter on it - perhaps by removing the big section on how codecs work (which has virtually no relevance to VoIP security compared to this list). The fact there are different codecs is important, but not the formulas for the plot curves of A-law and u-law!
d) S/MIME. Some VoIP products do it, but most don't, and it breaks some things. Again, the protocol and security issues with S/MIME are not covered in much detail in this book. (although it's covered over at least a few pages, just not enough I think)
e) VoIP Firewalls. One simply cannot lump that into one group. The differences in feature/architecture/functionality between categories of firewalls (not to mention models/brands), and how you use VoIP with them, is so critical I'm literally shocked there isn't a ton more detail on this. Look at other security books for data. There are entire books about just a particular firewall brand. (not that this book should get to that level of detail)
f) STUN/TURN/ICE. They are mentioned briefly, but really these technologies/protocols are another Pandora's box of security issues, and should be addressed if crossing NATs is at all useful for you. Likewise, Session Border Controllers are mentioned briefly in this book, but they are considered by most to be one of the fundamental pieces in VoIP security.
OK, enough time spent. I'm sorry for the length of this reply. Again, this book may appeal to you (to each his own), I just caution you that there is a lot more under the VoIP security hood than is mentioned in this book.
I'm sure the authors are good guys - perhaps they wrote this book a long time ago and printing/publishing books is just too much delay to keep up with technology.
(although I'm still struggling to understand how 30 pages of codec waveform detail helps any VoIP security person)