YOUR SOLUTIONS MEMBERSHIP

HOW TO CHEAT AT

Michael Gough

The Perfect Reference for the Multitasked SysAdmin

• Discover Why “Measure Twice, Cut Once” Applies to Securing a VoIP Infrastructure
• Learn How to Secure an Entire VoIP Infrastructure and Defend Against Denial-of-Service and Hijacking Attacks
• The Perfect Guide if VoIP Engineering is NOT Your Specialty

Thomas Porter

Page 1 of 14

Facebook's Exhibit No. 1032
Page 1

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

How to Cheat at VoIP Security
Copyright © 2007 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1234567890

ISBN 10: 1-59749-169-1
ISBN 13: 978-1-59749-169-3

Publisher: Amorette Pedersen
Acquisitions Editor: Gary Byrne
Technical Editor: Thomas Porter
Cover Designer: Michael Kavish
Page Layout and Art: Patricia Lupien
Copy Editors: Adrienne Rebello, Mike McGee
Indexer: Nara Wood

Distributed by O'Reilly Media, Inc. in the United States and Canada.
For information on rights, translations, and bulk sales, contact Matt Pedersen, Director of Sales and Rights, at Syngress Publishing; email matt@syngress.com or fax to 781-681-3585.

Contents

Chapter 1 Introduction to VoIP Security
Introduction
The Switch Leaves the Basement
What Is VoIP?
VoIP Benefits
VoIP Protocols
VoIP Isn’t Just Another Data Protocol
Security Issues in Converged Networks
VoIP Threats
A New Security Model
Summary

Chapter 2 The Hardware Infrastructure
Introduction
Traditional PBX Systems
PBX Lines
PBX Trunks
PBX Features
PBX Adjunct Servers
Voice Messaging
Interactive Voice Response Servers
Wireless PBX Solutions
Other PBX Solutions
PBX Alternatives
VoIP Telephony and Infrastructure
Media Servers
Interactive Media Service: Media Servers
Call or Resource Control: Media Servers
Media Gateway
Firewalls and Application-Layer Gateways
Application Proxies
Endpoints (User Agents)
IP Switches and Routers
Wireless Infrastructure
Wireless Encryption: WEP
Wireless Encryption: WPA2
Authentication: 802.1x
Power-Supply Infrastructure
Power-over-Ethernet (IEEE 802.3af)
UPS
Energy and Heat Budget Considerations
Summary

Chapter 3 Architectures
Introduction
PSTN: What Is It, and How Does It Work?
PSTN: Outside Plant
PSTN: Signal Transmission
T1 Transmission: Digital Time Division Multiplexing
PSTN: Switching and Signaling
The Intelligent Network (IN), Private Integrated Services, ISDN, and QSIG
ITU-T Signaling System Number 7 (SS7)
PSTN: Operational and Regulatory Issues
PSTN Call Flow
PSTN Protocol Security
SS7 and Other ITU-T Signaling Security
ISUP and QSIG Security
The H.323 Protocol Specification
The Primary H.323 VoIP-Related Protocols
H.225/Q.931 Call Signaling
H.245 Call Control Messages
Real-Time Transport Protocol
H.235 Security Mechanisms
Understanding SIP
Overview of SIP
RFC 2543 / RFC 3261
SIP and Mbone
SIP Functions and Features
User Location
User Availability
User Capabilities
Session Setup
Session Management
SIP URIs
SIP Architecture
SIP Components
User Agents
SIP Server
Stateful versus Stateless
Location Service
Client/Server versus Peer-to-Peer Architecture
Client/Server
Peer to Peer
SIP Requests and Responses
Protocols Used with SIP
UDP
Transport Layer Security
Other Protocols Used by SIP
Understanding SIP’s Architecture
SIP Registration
Requests through Proxy Servers
Requests through Redirect Servers
Peer to Peer
Instant Messaging and SIMPLE
Instant Messaging
SIMPLE
Summary

Chapter 4 Support Protocols
Introduction
DNS
DNS Architecture
Fully Qualified Domain Name
DNS Client Operation
DNS Server Operation
Security Implications for DNS
TFTP
TFTP Security Concerns
TFTP File Transfer Operation
Security Implications for TFTP
HTTP
HTTP Protocol
HTTP Client Request
HTTP Server Response
Security Implications for HTTP
SNMP
SNMP Architecture
SNMP Operation
SNMP Architecture
DHCP
DHCP Protocol
DHCP Operation
Security Implications for DHCP
RSVP
RSVP Protocol
RSVP Operation
Security Implications for RSVP
SDP
SDP Specifications
SDP Operation
Security Implications for SDP
Skinny
Skinny Specifications
Skinny Operation
Security Implications for Skinny
Summary

Chapter 5 Threats to VoIP Communications Systems
Introduction
Denial-of-Service or VoIP Service Disruption
Call Hijacking and Interception
ARP Spoofing
H.323-Specific Attacks
SIP-Specific Attacks
Summary

Chapter 6 Confirm User Identity
Introduction
802.1x and 802.11i (WPA2)
802.1x/EAP Authentication
Supplicant (Peer)
Authenticator
Authentication Server
EAP Authentication Types
EAP-TLS
EAP-PEAP
EAP-TTLS
PEAPv1/EAP-GTC
EAP-FAST
LEAP
EAP-MD-5
Inner Authentication Types
Public Key Infrastructure
Public Key Cryptography Concepts
Architectural Model and PKI Entities
Basic Certificate Fields
Certificate Revocation List
Certification Path
Minor Authentication Methods
MAC Tools
MAC Authentication
ARP Spoofing
Port Security
Summary

Chapter 7 Active Security Monitoring
Introduction
Network Intrusion Detection Systems
NIDS Defined
Components
Types
Placement
Important NIDS Features
Maintenance
Alerting
Logging
Extensibility
Response
Limitations
Honeypots and Honeynets
Host-Based Intrusion Detection Systems
Logging
Syslog
SNMP
What Is a Penetration/Vulnerability Test?
Methodology
Discovery
Scanning
Vulnerability Assessment
Exploitation
Reporting
Summary

Chapter 8 Logically Segregate Network Traffic
Introduction
VLANs
VLAN Security
VLANs and Softphones
QoS and Traffic Shaping
NAT and IP Addressing
How Does NAT Work?
NAT Has Three Common Modes of Operation
NAT and Encryption
NAT as a Topology Shield
Firewalls
A Bit of Firewall History
Shallow Packet Inspection
Stateful Inspection
Medium-Depth Packet Inspection
Deep Packet Inspection
VoIP-Aware Firewalls
H.323 Firewall Issues
SIP Firewall Issues
Bypassing Firewalls and NAT
Access Control Lists
Summary

Chapter 9 IETF Encryption Solutions for VoIP
Introduction
Suites from the IETF
S/MIME: Message Authentication
S/MIME Messages
Sender Agent
Receiver Agent
E-mail Address
TLS: Key Exchange and Signaling Packet Security
Certificate and Key Exchange
SRTP: Voice/Video Packet Security
Multimedia Internet Keying
Session Description Protocol Security Descriptions
Providing Confidentiality
Message Authentications
Replay Protection
Summary

Chapter 10 Skype Security
Security
Blocking Skype
Firewalls
Downloads
Software Inventory and Administration
Firewalls
Proxy Servers
Embedded Skype
A Word about Security

Chapter 11 Skype Firewall and Network Setup
A Word about Network Address Translation and Firewalls
Home Users
Small to Medium-Sized Businesses
Large Corporations
What You Need to Know About Configuring Your Network Devices
Home Users or Businesses Using a DSL/Cable Router and No Firewall
Small to Large Company Firewall Users
TCP and UDP Primer
NAT vs. a Firewall
Ports Required for Skype
Home Users or Businesses Using a DSL/Cable Router and No Firewall
Small to Large Company Firewall Users
Skype’s Shared.xml file
Microsoft Windows Active Directory
Using Proxy Servers and Skype
Wireless Communications
Display Technical Call Information
Small to Large Companies
How to Block Skype in the Enterprise
Endnote

Appendix A Validate Existing Security Infrastructure
Introduction
Security Policies and Processes
Physical Security
Perimeter Protection
Closed-Circuit Video Cameras
Token System
Wire Closets
Server Hardening
Eliminate Unnecessary Services
Logging
Permission Tightening
Additional Linux Security Tweaks
Activation of Internal Security Controls
Security Patching and Service Packs
Supporting Services
DNS and DHCP Servers
LDAP and RADIUS Servers
NTP
SNMP
SSH and Telnet
Unified Network Management
Sample VoIP Security Policy
Purpose
Policy
Physical Security
VLANs
Softphones
Encryption
Layer 2 Access Controls
Summary

Appendix B The IP Multimedia Subsystem: True Converged Communications
Introduction
IMS Security Architecture
IMS Security Issues
SIP Security Vulnerabilities
Registration Hijacking
IP Spoofing/Call Fraud
Weakness of Digest Authentication
INVITE Flooding
BYE Denial of Service
RTP Flooding
Spam over Internet Telephony (SPIT)
Early IMS Security Issues
Full IMS Security Issues
Summary
Related Resources

Appendix C Regulatory Compliance
Introduction
SOX: Sarbanes-Oxley Act
SOX Regulatory Basics
Direct from the Regulations
What a SOX Consultant Will Tell You
SOX Compliance and Enforcement
Certification
Enforcement Process and Penalties
GLBA: Gramm-Leach-Bliley Act
GLBA Regulatory Basics
Direct from the Regulations
What a Financial Regulator or GLBA Consultant Will Tell You
GLBA Compliance and Enforcement
No Certification
Enforcement Process and Penalties
HIPAA: Health Insurance Portability and Accountability Act
HIPAA Regulatory Basics
Direct from the Regulations
What a HIPAA Consultant Will Tell You
HIPAA Compliance and Enforcement
No Certification
Enforcement Process and Penalties
CALEA: Communications Assistance for Law Enforcement Act
CALEA Regulatory Basics
Direct from the Regulations
What a CALEA Consultant Will Tell You
CALEA Compliance and Enforcement
Certification
Enforcement Process and Penalties
E911: Enhanced 911 and Related Regulations
E911 Regulatory Basics
Direct from the Regulations
What an E911 Consultant Will Tell You
E911 Compliance and Enforcement
Self-Certification
Enforcement Process and Penalties
EU and EU Member States’ eCommunications Regulations
EU Regulatory Basics
Direct from the Regulations
What an EU Data Privacy Consultant Will Tell You
EU Compliance and Enforcement
No Certification
Enforcement Process and Penalties
Summary

Chapter 2 • The Hardware Infrastructure

IM Clients

Instant messaging is perhaps the dominant means of real-time communication on the Internet today. IM’s roots can be traced back to the Internet Relay Chat (IRC) networks, which introduced the chat room concept but did not track online presence and never reached the popularity of IM. Just as IM is the next logical step from IRC, voice chat is the next leap from text-based chat. Most of today’s most popular IM clients have included voice functionality, including AOL's Instant Messenger, Yahoo! Messenger, and MSN Messenger. Skype took the opposite approach and created a chat client that focuses on voice as the star and text chat as an afterthought. Even Google jumped aboard the IM bandwagon, releasing Google Talk. Let's take a look at these clients to see what makes them similar, and what makes them different.

AIM, AOL’s IM service, surely wasn’t the first on the scene, but it has the largest base of users. Initially AIM was limited to users of the AOL Internet service, but eventually it was opened up to the Internet as a whole. With the addition of a proprietary voice capability in late 1999, AOL was a VoIP pioneer of sorts (although voice chat was first available through Mirabilis’s ICQ). Yahoo! Chat jumped aboard the voice bandwagon soon after, and Google’s more recent client has included voice from the beginning. In 2005, Yahoo announced interoperability with Google and MSN (who also has a voice chat plug-in for messenger that is also used with its Live Communication Server product). In addition, Microsoft’s popular Outlook e-mail client (and entire Office suite in the case of LCS) can be linked to Microsoft Messenger. Also worth mentioning is the Lotus Domino IM client that competes with Microsoft LCS in the enterprise instant messaging (and presence) space, as well as Jabber, which can be used to tie together both public and private IM services using the XMPP protocol.

Google Talk is the newest comer to the IM game. Though Google Talk is still in its infancy, it stands to succeed due largely to a philosophical standpoint, embracing open standards over proprietary voice chat. Google Talk aims to connect many different voice networks over a series of peering arrangements, allowing users to minimize their need to run several IM clients. Like Skype, Google seeks to bridge traditional phone calls with Internet telephony, promising to federate with SIP networks that provide access to an ordinary telephone dial tone. Google recently released a library called libjingle to programmers, allowing them to hack new functionality into Google Talk. It will be interesting to see where Google takes Google Talk in the future.

Video Clients

Most of us can probably think back and recall seeing episodes of The Jetsons when we were younger. Or pictures of the AT&T PicturePhone from the 1964 World’s Fair. Movies have all but promised these devices to be a staple of everyday life in the future. And for decades, the video conference has been pushed by enterprises seeking to save money on travel (though investments in video conferencing equipment tend to sit around gathering dust). Live video on the Internet has its adherents, and today we see yet another wave of marketing aimed at the business use of video. So, will video finally take off around VoIP just like audio, or is there something different going on here?

The video phone has been tomorrow’s next big technology for 50 years but the issue has been more sociological than technological. Certainly, popular instant messaging clients have included video chat capabilities for some time now, although each client typically supports only video between other users of the same client or messaging network. And although it always gives me a kick to see someone else announcing that they've solved the gap with technology, the point is well taken that video is here to stay in VoIP systems, even if it doesn’t get as much use as VoIP.

The latest on the video bandwagon is the Skype 2.0 release. At only 15 frames per second and 40 to 75 kbps upload and download, Skype Video works well on a standard home DSL line or better. Other popular IM clients with video include Microsoft's Messenger and Yahoo Instant Messenger. AIM now offers video as well.

H.323-based IP videoconferencing systems have been available in hardware and software from many sources for almost a decade at this point, so there’s no shortage of vendors in this space. And SIP video phones are available from many of these same vendors and from startup companies in the SIP space.