Nickname: Jim

Review: SIP is not VoIP. It is a signalling protocol used in conjunction with other protocols to establish VoIP calls. As originally created, SIP was a "nice" protocol since it could be easily traced (it is text after all). Some vendors have pushed SIP. As an Avaya VAR, I have been responsible for architecting VoIP systems for thousands of endpoints. So far, I have yet to deploy a single SIP system in a production environment. Why? The answer is security, functionality, interoperability, etc.. Until the IETF working groups can develop a security standard and it is adopted by most of the major vendors, I will continue to treat SIP as a toy to play with. Proper design and deployment of a VoIP system can mitigate most threats. Some manufactures do a better job then others at providing an inherently secure product. Network architecture is another sore point. Many data networks only look to protect for threats at the edge. Proper segmentation of the internal LAN is just as important.

Date reviewed: Aug 4, 2006 9:15 PM

Nickname: Rusty Bayonet

Review: Good grief - the information in this article is so simplistic and out of date that Cisco et al should sue you for misrepresentation. SIP has been around for 8 years, do you think that Endler and Collier are the only ones with the insight to define these "attacks" or that there aren't mechanisms to avert them? You can't register on a SIP network without passing an authentication challenge. Admittedly, some vendors' authentication is stronger than others, but it isn't as simple as they make out. SIP elements can also (optionally) establish encrypted links between each other. Therefore, you could send a billion "invites" to a SIP server, but they would all get ignored if they didn't have the correct encryption certificate.

Date reviewed: Aug 2, 2006 8:37 PM