[VoiceOps] Voice Security in MPLS networks -- When is it necessary?

Lee Riemer lriemer at bestline.net
Wed Oct 14 12:58:11 EDT 2009


It is a lot easier to tap a network than to tap a T1.  Most switches are 
already SPAN capable, but you could buy a hub, build a passive tap, do 
some ARP magic, or spoof a REINVITE to redirect the media.  By messing 
with ARP or a REINVITE, you effectively have a "key" to the closet.  
There are "tools" to do this.  However, it is much more of a pain, more 
expensive, and more obvious to buy a T1 set so you can listen in.  As for 
analog lines, any schmuck can tap those, but it's also somewhat obvious.

Just because your MPLS network is "private" doesn't mean the underlying 
provider can't see everything.  What if they misconfigure something and 
another customer is now the happy receiver of your data? How critical is 
your data and how paranoid are you?

My vote is for encryption.  If you have issues, then fix them or justify 
disabling it.

Guy.Ram at t-systems.com wrote:
>
> Hello,
>
> Like your kind response to this question:
>
> Would folks agree that SIP traffic in a private MPLS network 
> should not necessarily require encryption? What is your advice for the 
> normal Enterprise? I'm trying to understand where it makes prudent 
> sense to enable encryption and where it's redundant.
>
> I'm trying to counter this statement:
>
> "that encryption of the media stream should be encouraged. Although 
> the MPLS network is private, it is easy to set up a traffic sniffer on 
> computers and to tap and record calls. This is unlike the ISDN world 
> where telecoms equipment is usually locked up and inaccessible to most 
> employees. Companies do accept encryption as normal overhead"
>
> What I've been told is that most enterprise networks are switched, so 
> the connection from the desk goes to a switch and then right to the VoIP 
> system, so it's basically non-trivial to tap a phone line that way. 
> VoWiFi is different, but there are more issues than security with 
> that. Legacy environment equivalent for wired VoIP.
>
> Also that Encryption will increase delay, reduce quality, and increase 
> BW consumption. I don't see a lot of need for encryption except across 
> a peering point for example.
>
> Thanks,
>
> -guy