Understanding Voice-Over IP Security

This is a really good, but theoretical, in depth book on the fairly new subject of VoIP security. It is in places deep technical - not the kind of how-to-approach-the-problem type of book, but really describing in detail how things work. The reason why I picked this book was twofold. One, it really focuses on VoIP *security* - as opposed to many books on the subject that handle security or VoIP, with only one or two chapters on VoIP + security. Two, it is in-depth and detailed. Concerning the `in-depth' part, clearly it is. The style is dense, compact, almost academic. No pages of listings or screenshots - just a factual approach: I personally hate those 800 odd pages manuals full of listings, too large font, giving the impression the author is getting paid by the page... The objective of the book is to give a clear insight in `how it works'. It is clear that Mr. Johnston is a protocol oriented person, and quite a few things are explained and approached from that perspective. It will clearly help you in designing and architecturing a VoIP deployment, but remains theoretical. Do not expect being able to actually configure an Asterisk or other vendor product. But do expect to have a clear view on what matters and what does not, from a technical perspective. In my view, it targets solution designers, VoIP architects, to some extent the technically oriented CSO, but not so much the engineer. Chapters 9 and 10, Signaling and Media security are really tough reading: I had to go about 2 to 3 times through them! It's not that they are not well written, but the subject is really complex, and, given the style of the book, these chapters go in quite some detail. They are followed by two interesting chapters on PSTN Gateways and Identity handling. One thing I'm missing is a chapter on Session Border Controllers - possibly these are really too new, and the authors didn't want to venture into something so new it may change and obsolete the book too quickly. Overall, the book is well edited, with no irritating typos - as we see in too many books today. It is compact and easy to handle. Each chapter contains plenty of references to related publications: what you'd expect from any serious college textbook. The good: - Dense, concise, precise, detailed, complete - Product independent - a theoretical book - Good, no-frills publishing with no pointless screenshots and the like The not so good - Some parts are really hard to follow - Nothing on Session Border Controllers, but that seems to be the only missing point.

Now, VOIP security has been talked about for a few years; it started even before organizations started to deploy VOIP in greater numbers. Many folks like to say that "VOIP security is a disaster," but usually they don't explain how or why. Dave Piscitello does. In his excellent book ""Understanding Voice over IP Security" he provides excellent coverage of both VOIP technology basics as well as internet security fundamentals (which are admittedly more useful to the security beginners) Then he fuses the above information into a comprehensive coverage of VOIP security issues, from protocols to call fraud. VOIP and NAT? Security analysis of SIP protocol? VOIP and honeypots? PSTN gateway security? Public VOIP vs private VOIP? Is VOIP spam inevitable? Yes, all those and much much more are covered in the book. On the negative side, I had to skip through some of the security basics (yes, even a castle metaphor is there ...), but I am conscious of the fact that such content is indeed useful to people with networking background. At the same time, some of the esoterica of phone networks was completely new to me and thus exciting to read. I enjoyed the book; I liked that it is written to be useful to both security folks - who need to learn about VOIP - and network folks - who often need to acquire better security education. Dr Anton Chuvakin, GCIA, GCIH, GCFA [...] is a recognized security expert and book author. His current role is a Director of Product Management with LogLogic, a log management and intelligence company. A frequent conference speaker, he also represents the company at various security meetings and standards organizations. He is an author of a book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook", "Hacker's Challenge 3" and the upcoming book on PCI. In his spare time he maintains his security portal [...] and several blogs.

As a CTO of a software technology company in the middle of a VOIP project, I found this book invaluable in our research. There are very few books/guides/articles that talk about VOIP security and I believe this is huge thing to consider as you launch a VOIP network in your facilities or work with the protocols. The other book I read was not nearly as technical or complete and some issues defied standard communications standards which I believe were inaccurate. I can see from the writing that the authors bring complementary knowledge to the table. One being a data/internet security expert who considers voice "yet another stream of data to protect" and this agnosticism is IMO a good thing because it brings voice into the IT security realm in many enterprises. The other author is a voice and VOIP standards expert so he is able to call attention to the voice and voice protocol specific issues. The book utilizes many easy to read real world scenarios that lighten the material and distinguish it from being just a reference book on protocols and standards. These scenarios often incorporate well laid out diagrams and pictures that really help you understand what's happening. If you are investigating or implementing VOIP networks, I definitely recommend you get this book and read it cover to cover.

VOIP - the next big thing in network communication? Or a security disaster in progress? My money's on the latter, so I was happy to be able to read through this book. It has a lot of useful background material on security and security technology, and then ties it into VOIP and the current implementations of the VOIP suite. The authors don't exactly come out and say it but the situation for VOIP looks a bit grim - security kludged on as an afterthought largely by layering atop TLS and the non-existent non-functioning public key infrastructure. I found the book to be interesting an informative, and will recommend it as a reference to any of my friends who are so unfortunate as to have to deal with securing VOIP. mjr.

I picked up this book because I needed to know a few specific things about the security of VoIP systems, and discovered that it's not only a good source of information about VoIP security - it's a good source of information about IP network security in general. We're moving all these applications to IP/Internet, and we need to know what that means for security at the IP/Internet level, not just for voice but for all of the other applications. Putting Alan Johnston, with his expertise in SIP and VoIP, with Dave Piscitello, who is an expert in security, has produced a major win. "VoIP folks" and "security folks" will both want to read this book.