
VAST: The Unified Communications Security Testing Suite
VoIP security assessments have become much easier with the release of VAST 2.77 from Viper Labs (the research division of Sipera). VAST stands for Viper Assessment Security Tools and is a collection of some of the best Unified Communications security test tools around. It is prepackaged for download as a live DVD and VMware image. UCSniff, VideoJak, and Videosnarf were developed by the Viper Lab folks and are part of the distribution, as are Metasploit, Nmap, and other mainstream penetration testing tools. The current release of VAST even includes Artemisa, a SIP honeypot designed to look and smell like a SIP endpoint on the network, providing early warnings of attack attempts that may be targeting an organization.
One of the most useful tools in the VAST distribution for testing Unified Communications security is UCSniff. UCSniff includes a wide array of features that can be used to test voice VLAN segmentation, foundational network security features, and whether or not phones are susceptible to eavesdropping. UCSniff will spoof a Cisco or Avaya IP phone and can automatically connect to the voice VLAN if the switch is not configured to block unauthenticated devices through 802.1X. Once on the voice VLAN, UCSniff will attempt to learn about other phones and their extensions, allowing the auditor to target specific phones for eavesdropping of voice, video, and dialed digits. This tool could not be simpler to use and provides strong evidence of weak security controls protecting the voice endpoints.
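The 802.1X condition described above can be checked from the switch side before an assessment. The following is an added example, not part of VAST or the original post: it flags ports that carry a voice VLAN but do not enforce port-based authentication. It assumes Cisco IOS-style configuration syntax, and the sample config and function names are constructed for illustration.

```python
import re

# Constructed sample of an IOS-style running config (not from the article).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport voice vlan 100
!
interface GigabitEthernet1/0/2
 switchport voice vlan 100
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport access vlan 20
!
interface GigabitEthernet1/0/4
 switchport voice vlan 100
 authentication port-control force-authorized
!
"""

VOICE_RE = re.compile(r"^switchport voice vlan (\S+)$")
# Newer and legacy IOS forms; "force-authorized" does not enforce 802.1X.
DOT1X_RE = re.compile(r"^(authentication|dot1x) port-control auto$")


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for each stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith((" ", "\t")) and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return stanzas


def unauthenticated_voice_ports(config):
    """List (interface, voice_vlan) for voice ports that lack 802.1X."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        voice = [m.group(1) for m in map(VOICE_RE.match, lines) if m]
        if voice and not any(DOT1X_RE.match(line) for line in lines):
            findings.append((name, voice[0]))
    return findings
```

On the sample config this reports ports 1/0/1 and 1/0/4: the first has no authentication configured at all, and the second is set to `force-authorized`, which admits any device without an 802.1X exchange.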
The ability to eavesdrop on video calls is becoming more of a concern for organizations as they actively look for ways to reduce travel budgets through videoconferencing and telepresence. IP video cameras are rapidly replacing analog cameras for physical security as well. These technologies can be vulnerable if controls are not put in place to protect the video stream from interception. VideoJak is another tool found on VAST, which will capture live video streams and allow an auditor to alter the stream on the fly. This tool shows how someone with access to the video data path could manipulate what a security guard views on his or her screen. Remember, unified communications isn't just about voice. Video is an essential part of unified communications that should be secured as well.
These two applications are a small sampling of how VAST can help you with auditing your Unified Communications environment. Head over to the SourceForge project and take it for a spin. I bet you will find it very useful!
