Penetration Testing mailing list archives

Re: [PEN-TEST] PBX Security


From: David Spinks <david.spinks () dspinks41 freeserve co uk>
Date: Wed, 4 Oct 2000 17:01:43 +0100

Dear Joe

Please excuse my direct post as I've yet to have any message
approved by the moderator.

We (AEA Technology plc in the UK) have undertaken a number of PABX
security reviews. Many of the most business-sensitive voice
systems are those supporting the 999 (911) services in the UK.

Reliability is a key requirement here; we use a methodology
developed out of the safety sector called FMEA (failure modes and
effects analysis), which gives the analyst a chance of identifying
common mode and common cause failure modes in complex networks.

In terms of intrusion detection and monitoring, most vendors will
have advanced tools which allow the network manager to monitor and
record in logs vast amounts of information on incoming and
outgoing calls. Tools to analyse the logs are also available.

Physical security of the switch and the management console is as
critical as found in IT networks.

I could go on ....

David Spinks




----- Original Message -----
From: Joe Traietta <JTraietta () ASAHIBANKNY COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: 04 October 2000 15:07
Subject: [PEN-TEST] PBX Security


I have been asked to perform a security review on the PBX system
(NEC NEAX 2000 IVS) at my company.  I have virtually no PBX
experience, so I was hoping somebody could point me to a good
resource, or pass along some personal experience about reviewing /
auditing a PBX system.

Thank you.

Joseph Traietta
Data Security Officer
Asahi Bank, New York Branch


