Peter Thermos and Ari Takanen
Addison-Wesley
Upper Saddle River, NJ • Boston • Indianapolis • San Francisco
New York • Toronto • Montreal • London • Munich • Paris • Madrid
Cape Town • Sydney • Tokyo • Singapore • Mexico City
Praise for Securing VoIP Networks
“VoIP is part of the critical infrastructure. This excellent book highlights risks and
describes mitigations. It could not have come more timely.”
—Christian Wieser, OUSPG
“At a time when organizations are increasingly embracing VoIP as a major part of their
communications infrastructure, the threat landscape is looking increasingly bleak. This
book will enable its reader to look objectively at the real considerations surrounding
securely deploying VoIP today. The authors are recognized experts in this field yet wear
their learning lightly. The book is both authoritative yet easy to read. No mean feat!”
—Robert Temple, Chief Security Architect, BT Group
“The book provides a wealth of information on VoIP components and specific threats and
vulnerabilities. Instead of a generic discussion, it presents a comprehensive set of security
techniques and architectures to address VoIP risks.”
—John Kimmins, Telcordia Fellow
“Recent massive Denial of Service attacks against Estonia (starting April 27, 2007) and
YLE, Finland’s national public service broadcasting company, (starting May 15, 2007)
have made it clear it is better to act proactively. Read this book and prepare before it is too late.”
—Prof. Juha Röning, University of Oulu,
Principal Investigator of Oulu University Secure Programming Group (OUSPG),
Head of Department of Electrical Engineering
Peter Thermos is CTO at Palindrome Technologies, which acts as a trusted
advisor for commercial and government organizations and provides
consultation in security policy, architecture, and risk management.
Previously Peter acted as Telcordia’s lead technical expert on key information
security and assurance tasks, including risk assessments, standards and
requirements development, network security architecture, and organizational
security strategy. He speaks frequently at events and forums including
the IEEE, MIS, Internet Security Conference, SANS, ISSWorld, IEC,
the 21st Century Communications World Forum, VON, and others. Peter
is also known for his contributions to the security community through discovery
of product vulnerabilities, the release of SiVuS (The First VoIP
Vulnerability Scanner), and the vopsecurity.org forum. Peter holds a master’s
degree in computer science from Columbia University, where he is
currently furthering his graduate studies.
Ari Takanen is founder and CTO of Codenomicon. Since 1998, Ari
has focused on information security issues in next-generation networks and
security critical environments. He began at Oulu University Secure
Programming Group (OUSPG) as a contributing member to PROTOS
research that studied information security and reliability errors in WAP,
SNMP, LDAP, and VoIP implementations. Ari and his company,
Codenomicon Ltd., provide and commercialize automated tools using a
systematic approach to test a multitude of interfaces on mission-critical
software, VoIP platforms, Internet-routing infrastructure, and 3G devices.
Codenomicon and the University of Oulu aim to ensure new technologies
are accepted by the general public by providing means of measuring and
ensuring quality in networked software. Ari has been speaking at numerous
security and testing conferences on four continents and has been invited
to speak at leading universities and international corporations.
ACKNOWLEDGMENTS
First, we both would like to acknowledge IETF and everyone participating
in the work of IETF for their great work for VoIP and all communication
standards. A portion of the proceeds is donated to IETF to support their
efforts in standardizing the Internet. Keep up the good work!
Additional Acknowledgments from Ari Takanen
There have been several people who have paved the way toward the writing
of this book. Great thanks to Marko Laakso and Prof. Juha Röning from
University of Oulu for showing me how everything is broken in communication
technologies. Everything. And showing that there is no silver bullet
to fix that. My years as a researcher in the PROTOS project in the OUSPG
enabled me to learn everything there was to learn about communications
security. Out of all those communication technologies we were studying,
one family of protocols stood out like a shining supernova: VoIP. Thank you
to all Oulu University Secure Programming Group members for all the bits
and pieces around VoIP security. I know we did not cover all of them in the
book, but let’s leave something for the future researchers also! And a special
thanks to Christian Wieser who did not get bored of VoIP after learning
it, like many others did, but kept on focusing on VoIP security among
all those hundreds of other interesting communication technologies being
studied in the research team. Thank you Christian for all the help in putting
this book together!
Enormous thanks to all my colleagues at Codenomicon, for taking the
OUSPG work even further through commercializing the research results,
and for making it possible for me to write this book although it took time
from my CTO tasks. Thank you to everyone who has used either the
Codenomicon robustness testing tools or the PROTOS test-suites, and
especially to everyone who came back to us and told us of their experiences
with our tools and performing VoIP security testing with them. Although
you might not want to say it out loud, you certainly know how broken
everything is.
Special thanks to Jeff Pulver and Carl Ford out of Pulver.com for your
significant work in making VoIP what it is today, and for inviting me to
speak in more than ten different conferences that you have arranged.
Through meetings with all key people in VoIP (a list too long to fit on one
page), these conferences were probably the best learning experience for
me in the VoIP area. I am terribly sorry for the time it took for me to
understand that pointing out the problems was not the correct way of
preaching but rather pointing out the solutions. I hope we contributed to
the latter in this book!
I would like to thank everyone involved at Addison-Wesley and
Pearson Education, and all the other people who patiently helped with all
the editing and reviewing, and impatiently reminded me about all the
missed deadlines during the process.
Finally, thanks Peter for inviting me into this project, although it was
slow and painful at times, it certainly was more fun than anything else, and
I will definitely do it again!
Introduction
The convergence of land-line, wireless, and Internet communications has
stimulated the development of new applications and services which have
revolutionized communications. The interconnection between PSTN
(Public Switched Telephone Network) and IP (Internet Protocol) networks is
referred to as the Next Generation Network (NGN). And the interconnection
of Internet and wireless is referred to as IP Multimedia Subsystem
(IMS). Both architectures play an important role in our evolution from
traditional telecommunications to multimedia communications. You might
also have heard of the term triple play, which refers to a service provider’s
ability to offer voice, video, and data to subscribers as a bundled service.
Similarly, the term quad play refers to providing voice, video, data, and
mobile communications.
Whatever marketing term one decides to use, the underlying protocols
that define the NGN or IMS architecture remain the same. Voice over IP
(VoIP) is implemented using a subset of the same protocols, and thus it is
considered a real-time multimedia application that “runs” on NGN and
IMS. Additional real-time multimedia applications include video and
gaming.
Although the title of the book is Securing VoIP Networks, many of the
concepts on attacks, vulnerabilities, and protection mechanisms are applicable
to any multimedia application that is implemented using IP and the
associated signaling and media protocols.
Because telecommunications is part of the national critical infrastructure,
the security weaknesses of new technologies and protocols that
support telecommunications are of great concern. In addition, the security
and reliability of VoIP communications are an important requirement for
commercial organizations in many sectors, including financial, pharmaceutical,
insurance, and energy. Therefore, organizations that provide or use
VoIP communications need to maintain the proper controls to support
security and reliability.
VoIP communications can be a complex topic to understand at first,
but ignorance can be your biggest threat—confusion is even worse.
Therefore, to implement VoIP security effectively, you need to define and
properly articulate security objectives and requirements that pertain to
your environment. For example, some organizations require that calls
between customers and clients remain confidential, other organizations
may monitor calls for quality assurance, and some organizations can’t
afford to have any communications compromised. For those who are
considering deploying VoIP, security objectives and requirements must be
defined during the design phase, before the VoIP network is deployed.
Those who have already deployed VoIP should identify their security
objectives and requirements and evaluate their current posture against
them to find any gaps. This book will help you understand the threats
and attacks associated with VoIP and, most importantly, the protection
mechanisms that you can use to defend against them.
Deploying security in VoIP networks can be a challenging task, and it
requires interacting with subject matter experts from several areas, including
network security, engineering, operations, management, and product
vendors. The level of interaction is proportional to the size of the organization
and the size of the VoIP implementation. A Fortune-100 company
with thousands of employees requires more coordination and planning
compared to a small enterprise network that supports 250 employees. As
with any IP application, it is important to know what you want to achieve
with the deployment of VoIP and enforce appropriate security controls
accordingly. Many organizations erroneously perceive security as an add-on
device or technology that can be bolted on when needed. Security is a
process, not a product. As such, it is important to understand its role and
how it needs to be applied through the network life cycle, from the inception
and design phase to the retirement phase. This is also applicable to a
VoIP network, service, or product. Defining security requirements early in
the process will eliminate the perceived “added” cost of security if it is
added at later phases. In addition, it will help in building a proper foundation
to support mechanisms to mitigate current and emerging threats.
Some consider the primary drivers for implementing security to be
regulations1 and FUD (Fear, Uncertainty, and Doubt). Both can provoke a
reckless response and hinder the development of a real understanding of the
strengths and limitations of the deployed technology, and so lead to
reactive security rather than effective security. Understanding “what” we
need to secure and “why” helps us develop applicable security requirements
and controls without sacrificing functionality for the sake of security,
or vice versa. The security of a network is only as strong as its weakest link.
Therefore, identifying and analyzing the weakest link in the security of a
network, service, or product is critical. The topics discussed in this book
will help build a good understanding of the attacks and vulnerabilities associated
with VoIP, but most importantly it discusses in detail the protection
mechanisms that can be used to alleviate and manage the associated risks.
Although this book covers basic concepts of VoIP protocols and technologies,
it purposefully avoids detailed discussions on introductory
concepts since they are covered extensively in other books. Chapter 1
starts with a brief introduction on telephony, and Chapter 2, “VoIP
Architectures and Protocols,” provides a high-level discussion of the basic
components and protocols that support VoIP to help you quickly assimilate
the associated concepts. These discussions will provide a foundation in
understanding the chapters that follow. Each subsequent chapter focuses
on a specific area of VoIP security. Chapter 3, “Threats and Attacks,”
discusses threats associated with VoIP and provides examples of attacks
related to eavesdropping, unauthorized access, denial of service, and fraud.
Specific attacks can be performed in a number of ways, so we demonstrate
some variations to help you understand the importance of protection
mechanisms and their relation to the attacks. Chapter 4, “VoIP
Vulnerabilities,” focuses on vulnerabilities and provides a detailed discussion
and categorization of vulnerabilities associated with signaling and
media protocols. Chapter 5, “Signaling Protection Mechanisms”; Chapter
6, “Media Protection Mechanisms”; and Chapter 7, “Key Management
Mechanisms,” focus on analyzing protection mechanisms associated with
VoIP protocols along with their strengths and weaknesses. Chapter 8,
“VoIP and Network Security Controls,” discusses some of the components
that are currently used to support security in VoIP networks and also
presents related architectural considerations. Chapter 9, “A Security
Framework for Enterprise VoIP Networks,” presents a security framework,
aligned with the ISO 17799/27001 standard,2 for enterprise VoIP
networks. Finally, Chapter 10, “Provider Architectures and Security,” and
Chapter 11, “Enterprise Architectures and Security,” discuss service
provider and enterprise network architectures and security considerations.
Although this book purposefully does not discuss all the intricacies of
the functionality and operation of the associated VoIP protocols and
network elements, it provides enough information to help you understand
the issues related to VoIP security. We also provide links to additional
material for those who want to study the operation of VoIP protocols and
components in more detail.
VoIP and Telecommunications
To understand the security issues related to VoIP, you need to understand
some of the fundamental principles associated with circuit-switched
networks. An example of a circuit-switched network is the Public Switched
Telephone Network (PSTN). The PSTN is composed of interconnected
circuit-switched networks that are built, owned, and operated by private or
governmental organizations. The end devices are typically easy-to-use
dumb terminals that are connected to a smart and complex network, the
AIN (Advanced Intelligent Network). AIN was introduced in 1991 by
Bellcore (Bell Communications Research) as a replacement to the existing
network to provide more flexible and sophisticated telecommunication
services (for example, call forwarding, call waiting, 800-toll free) for residential,
business, cellular, and satellite customers. Other intelligent end
devices are ISDN phones and PBX stations (Private Branch Exchange).
One fundamental property of circuit-switched networks is the physical
separation of signaling messages and circuit data (voice), whereas in VoIP
signaling and media traffic are transmitted over the same physical medium.
Another fundamental property is access to the network. In circuit-switched
networks, access is limited to government or commercial organizations that
have financial and operational resources to connect and maintain their
infrastructure. To launch an attack against a circuit-switched network, the
attacker has to have access to a core network element such as a Signal
Transfer Point (STP).3 The cost of owning an STP or Service Switching
Point (SSP) and interconnecting to a circuit-switched network runs into
hundreds of thousands of dollars, whereas access to a VoIP network comes
at a fraction of the cost, or is even unrestricted. For example, in an enterprise
environment, access to the VoIP network is established simply by plugging the
user’s device (for example, a laptop or VoIP phone) into an Ethernet
port. In the PSTN, terminals are dumb and cheap and are always physically
connected, which makes locating the device easy. The exception is
mobile telephone networks, where roaming is enabled by agreements
between service providers. Still, in mobile telephony the device is
authenticated using a SIM card and other tamper-resistant hardware.4 The
user, however, cannot be authenticated to the network unless a
mechanism is implemented in which the phone passes the user’s credentials
to the network for authentication and authorization (for example, biometric
authentication or voice recognition). This is difficult to implement in a
service provider environment, since subscribers would have to provide identifying
attributes to the provider upon subscription. Currently, therefore, users
can at most enable PIN authentication to prevent access to their phones and call
initiation. Also, the location of each cellular phone can be traced by law
enforcement agencies, whereas in VoIP the actual phone (hard phone or
soft phone) may be located anywhere on the Internet.
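The practical consequence of signaling and media sharing one medium is that whoever can read the signaling also learns where the media will go. The following example, added here and not code from the book, makes that concrete: it parses a SIP INVITE and its SDP offer and reports the caller, callee and the RTP destination of every offered stream. The INVITE and SDP are constructed for the example (RFC 3261 and RFC 4566 syntax, example addresses), not a real capture.

```python
# Recover a call's media endpoints from its SIP signaling (added example).
# Signaling (SIP) and media (RTP) share the same IP network, so the INVITE
# alone discloses where the RTP streams will flow. The sample messages
# below are constructed, not captured from a real network.
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed SDP offer: session-level c= line, an audio stream, and a
# video stream that overrides the address with a media-level c= line.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "a=rtpmap:8 PCMA/8000\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
    "c=IN IP4 192.0.2.11\r\n"
    "a=rtpmap:31 H261/90000\r\n"
)

# Constructed SIP INVITE carrying the offer above.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@192.0.2.10:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SAMPLE_SDP)}\r\n"
    "\r\n" + SAMPLE_SDP
)


@dataclass
class MediaStream:
    kind: str                # "audio", "video", ...
    addr: Optional[str]      # RTP destination address
    port: int                # RTP port; RTCP is conventionally port + 1
    payloads: tuple          # payload types offered


@dataclass
class CallSummary:
    caller: str
    callee: str
    call_id: str
    signaling_host: str      # host:port taken from the top Via header
    streams: list = field(default_factory=list)


def _uri(header_value: str) -> str:
    """Return the bare URI from a From/To header value."""
    m = re.search(r"<([^>]+)>", header_value)
    return m.group(1) if m else header_value.split(";")[0].strip()


def parse_invite(raw: str) -> CallSummary:
    """Parse a SIP INVITE with an SDP body; raise ValueError if malformed."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines[0].startswith("INVITE "):
        raise ValueError("not an INVITE request")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # A Content-Length that disagrees with the body is a classic way to
    # desynchronize a parser; refuse the message rather than guess.
    declared = int(headers.get("content-length", len(body)))
    if declared != len(body):
        raise ValueError(f"Content-Length {declared} != body length {len(body)}")
    summary = CallSummary(
        caller=_uri(headers["from"]),
        callee=_uri(headers["to"]),
        call_id=headers["call-id"],
        signaling_host=headers["via"].split()[1].split(";")[0],
    )
    session_addr = None
    current = None
    for line in body.split("\r\n"):
        if line.startswith("c="):
            addr = line.split()[2]
            if current is None:
                session_addr = addr      # session-level c= applies to all m=
            else:
                current.addr = addr      # media-level c= overrides it
        elif line.startswith("m="):
            kind, port, _proto, *payloads = line[2:].split()
            current = MediaStream(kind, session_addr, int(port),
                                  tuple(int(p) for p in payloads))
            summary.streams.append(current)
    return summary


if __name__ == "__main__":
    call = parse_invite(SAMPLE_INVITE)
    print(f"{call.caller} -> {call.callee} (signaling via {call.signaling_host})")
    for s in call.streams:
        print(f"  {s.kind}: RTP to {s.addr}:{s.port}, RTCP to {s.addr}:{s.port + 1}")
```

Run stand-alone, the script prints the two RTP destinations offered in the INVITE. An observer on the same Ethernet segment as the caller needs nothing more than this to know which UDP flows carry the conversation; on the PSTN the equivalent information lives in the SS7 signaling network, which is reachable only through an STP or SSP.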
A common business model for traditional fixed-line telephony
networks or the PSTN is time-based interconnection charging. Subscribers are
charged by usage: more calls, higher bill. Lately, both fixed-line
and mobile telecommunication providers have introduced monthly plans
with unlimited calls for a fixed fee, but these plans typically cover
only local calls or calls within a coalition of service
providers; long-distance and international calls still carry a high
charge per minute. With the introduction of VoIP, this charge for long-distance
calls diminishes. The international service may be provided at
lower cost by a VoIP service provider or by an incumbent carrier that offers
VoIP. In traditional telecommunications there is a clear separation
between service providers and carriers, although some companies act
as both. Carriers provide the core network connectivity between service
providers (the cabling and call termination or hand-off to the PSTN), and service
providers build the last interconnection to the PSTN, ensuring that
consumers and enterprise customers have the required telephony services
available.
Telecommunication networks are part of the critical national infrastructure
and need to maintain requirements for high availability, security,
and quality of service. These requirements were emphasized by New
York’s State Office of Communications after reviewing the effects of 9/11.
Telecommunications network reliability, increasingly viewed through
a prism of national security and public safety considerations, is a
political and economic mandate.5
This need is also recognized in other countries around the world. For
example, the Australian Communications Authority (ACA) is carefully
monitoring the performance and reliability of the telecommunications
networks of any universal service provider that operates in Australia.6 The
Australian Network Reliability Framework (NRF) provides a good
example of how government agencies can set and enforce regulations or
recommendations that promote equal service and better quality of service
nationwide. In the U.S. the National Security Telecommunications
Advisory Committee (NSTAC) “provides industry-based advice and
expertise to the President on issues and problems related to implementing
national security and emergency preparedness (NS/EP) communications
policy.”7 Besides reliability, the various national regulations typically impose
other requirements on some services and functionalities, including
limitations on who may provide Internet and telecommunications services.8
In extreme cases, a named operator has exclusive rights to either national
or international telephony, or both.9 Special regulations exist for the lawful
intercept of communications and for emergency services, including
locating the emergency caller. In addition, as with the postal service,
telephony carries privacy requirements, but regulations on the privacy of telephone
conversations vary internationally.
Table of Contents
Foreword
Preface
Acknowledgments
About the Authors
Chapter 1: Introduction
  VoIP and Telecommunications
  VoIP and IP Communications
  VoIP Deployments
  Challenges in VoIP Security
  Risk Analysis for VoIP
  VoIP as Part of IT and the Security Organization
  Security Certifications
  Summary
Chapter 2: VoIP Architectures and Protocols
  Architectures
  VoIP Network Components
  Signaling Protocols
  Media Transport Protocols
  Other IP Protocols Used in VoIP
  Summary
Chapter 3: Threats and Attacks
  Definitions of Threats and Attacks
  Threats in VoIP
  Service Disruption
  Attacks Related to Telephony Services
  Denial of Service
  Annoyance (That Is, SPIT)
  Unauthorized Access
  Eavesdropping
  Masquerading
  Fraud
  Summary
Chapter 4: VoIP Vulnerabilities
  Categories of Vulnerabilities
  Configuration Management Vulnerabilities in VoIP
  Approaches to Vulnerability Analysis
  Human Behavior Vulnerabilities
  Summary
Chapter 5: Signaling Protection Mechanisms
  SIP Protection Mechanisms
  Transport Layer Security
  Datagram Transport Layer Security
  S/MIME
  IPSec
  H.323 Protection Mechanisms
  MGCP Protection Mechanisms
  Summary
Chapter 6: Media Protection Mechanisms
  SRTP
  SRTCP
  Summary
Chapter 7: Key Management Mechanisms
  MIKEY
  SRTP Security Descriptions
  ZRTP
  Summary
Chapter 8: VoIP and Network Security Controls
  Architectural Considerations
  Authentication, Authorization, and Auditing: Diameter
  User-Authorization-Request Command
  VoIP Firewalls and NAT
  Session Border Controllers
  Intrusion Detection and VoIP
  Summary
Chapter 9: A Security Framework for Enterprise VoIP Networks
  VoIP Security Policy
  External Parties
  Asset Management
  Physical and Environmental Security
  Equipment Security
  Operations Management
  Access Control
  Information Systems Acquisition, Development, and Maintenance
  Security Incident Management
  Business Continuity Management
  Compliance
  Summary
Chapter 10: Provider Architectures and Security
  Components
  Network Topologies
  Security in Provider Implementations
  Summary
Chapter 11: Enterprise Architectures and Security
  Components
  Network Topologies
  Security Considerations
  Summary
Index