Category: Resources

Updated List of IPv6 Resources for Application Developers

Recently I noticed that my list of IPv6 resources for application developers had not been updated since the second version of Migrating Applications to IPv6 was published in June 2012.  I’ve now gone ahead and updated the list to have all the links that I added to the second release of the book.

Now, granted, some of the links may not make much sense without the context of what is in the book, but they are all there so that you can easily visit them.  (And hey, if you want the context, why not buy the book? 😉)

If you have suggestions for additional resources I should add, please do contact me as I’m always open to considering new content to add to the book.  From the beginning this has always been conceived as a collection of guidance for application developers looking to move their applications over to IPv6, so please do pass along any thoughts you think I should consider adding to the book. (Thanks!)

NSA Develops Secure Android Phones For Top Secret Calls

An interesting piece in the Australian edition of SC Magazine covers a recent presentation at RSA 2012 by Margaret Salter, head of the US National Security Agency (NSA) Information Assurance Directorate. She spoke about the NSA's "Mobility Program" that aims to provide secure communication for government agencies using commercial "off the shelf" equipment.

The SC article focuses on the "Fishbowl" phones designed by the NSA and includes a number of interesting comments on the state of security implementations provided by vendors. It mentions that the NSA was looking to use SSL VPNs but due to a lack of interoperability wound up using IPSEC instead. Similarly they were looking to use DTLS-SRTP, but didn't find the implementations and so instead used "descriptions". The article has this excellent statement by Salter (my emphasis added):

Salter said the security specifications, such as those sought for the voice application, would be useful to everyone.

She urged colleagues to demand vendors improve unified communications interoperability.

“We need to send a message [about] standards, interoperability and plug and play,” she said.

This need for interoperability and standards support was certainly one of the themes I tried to bring out in the book. It is indeed critical for the long term success of securing unified communications systems.

I also found it interesting that the NSA encrypts the voice twice:

Voice calls are encrypted twice in accordance with NSA policy, using IPSEC and SRTP, meaning a failure requires “two independent bad things to happen,” Salter said.

While there certainly is value in having multiple layers of security, I do wonder what this means in terms of computational overhead and/or latency. As our mobile phones have become more powerful, perhaps this is no longer a major concern.

Separate from the article, I was intrigued to read over on the NSA Mobility Program page that the first document they are releasing is the "Enterprise Mobility Architecture for Secure Voice over Internet Protocol (SVoIP)". From the page:

The first Mobility Capability document to be released is the initial draft release of the Enterprise Mobility Architecture for Secure Voice over Internet Protocol (SVoIP). It is intended to be a living reference that will be updated to keep pace with technology and policies as they change over time, as additional security products and services are developed, and as lessons learned from early adopters of this architecture are applied. As a first step, this version contains guidance on the required procedures necessary to build and implement a SVoIP capability using commercial grade cellular mobile devices. Future releases will build on this architecture and will include mobile device management and data applications; and ultimately integrate the WIFI service with an expanded list of end devices.

The 100+ page PDF file looks to be a fairly comprehensive view into what is involved with rolling out a secure mobile communications solution. It's great to see this from the NSA and it is a great contribution to the ongoing efforts to secure VoIP communications.


European Union Security Agency Releases Report Analyzing HTML5 Security

ComputerWorld today reports that the European Network and Information Security Agency (ENISA) has released a detailed report analyzing the security of HTML5 and related web protocols.

While not directly related to Unified Communications, the reality is that many UC web interfaces, particularly for mobile devices, may turn to HTML5 as a way to create a web interface that provides an excellent user interface and works across all mobile devices.

Perhaps more importantly, the work of the RTCWEB/WebRTC working groups within the IETF and W3C, which I've written about over on Voxeo's blogs, is aimed at bringing the "real-time communications" functionality directly into the web browser. In other words, you wouldn't need a browser plugin or additional program on your computer to make voice, video or chat connections… it could happen entirely within the browser.

At that point every browser potentially can become a UC endpoint… and therefore a concern for communications security.

It's a lengthy document from ENISA, but worth a read as it dives into both analysis and recommendations for greater HTML5 security.

SecureLogix Releases Report: Voice And Unified Communications State of Security 2011

By way of the Voice of VOIPSA blog, I learned that SecureLogix had formally released their "Voice & Unified Communications: State of Security Report 2011". I saw a preview of this report in one of the final sessions at the Enterprise Connect event at the beginning of March and the data seemed quite compelling.

To put this in perspective, SecureLogix sells solutions that monitor your network and protect your VoIP/UC systems. While that creates a fairly obvious bias for a report like this, it also means that they do have great data from literally hundreds of networks where their tools have been deployed.

They've done a nice job packaging up the data, providing very readable charts, including solution diagrams and listing all sorts of resources at the end. The report is available now from the site:

You need to log in to the site to download it today, but the folks I know at SecureLogix say that they will also be making it available from their own site in a few months.

Sure, you have to read the report understanding that it is written from the viewpoint of a vendor with an interest in selling security solutions... but regardless it is definitely a worthwhile document to read through. Kudos to SecureLogix for creating this report - and I look forward to seeing how it changes and evolves in the years ahead.

P.S. I found it interesting that the report talked about modems, which is something I actually didn't even touch on in the book and don't really think of as "VoIP" or "UC"... However, they certainly are components of the larger network security area of concern.