[VoiceOps] PCI Compliance and VoIP

Alex Balashov abalashov at evaristesys.com
Thu Oct 20 04:55:13 EDT 2011 

The technological logic of PCI and other compliance in relation to 
VoIP has always been elusive to me.

We had a customer a while back whose equipment was colocated in a 
well-known carrier hotel.  They bought DIA from Tier 1 vendor A, and 
they were buying SIP origination from another Tier 1 vendor B.  Both A 
and B had POPs in the building.

Now, sure, technically, this was going over the "public Internet", I 
guess, but, they were 50 ft from an extremely dense BGP peering mesh. 
  The realities of routing, both EGP and IGP-wise, in a place like 
that pretty much ensure that the traffic physically hops inside the 
building core network only.  Yeah, it's crossing a peering link 
between vendor A and B, but so what?

But no, that didn't fly for their major customer in turn -- a payment 
processor of some description or another.  No, they had to buy a 
dedicated IP circuit (well, mostly cross-connect) to vendor B and run 
their origination over that.  Because that's so much more difficult to 
tap than an customer->A->B flow.  Right.

And why is TDM or analog LEC infrastructure inherently secure?  In 
terms of interception, the process for tapping exterior analog plant 
and even deeply substrated DS0s is much better understood and widely 
implemented.  After all, that stuff has only been around for what, a 
few decades?  And while CALEA switch features and stuff like that is 
definitely accompanied by process and audit trail, the mechanical 
aspect of tapping is much easier than identifying, finding, extracting 
and playing back an RTP stream.

"But building employees can be made to provide assistance with tapping 
IP traffic flowing over the peering point!"  Yeah, because nobody's 
bribed ILEC personnel to assist with tapping wireline conversations 
before.

The point being, if I had something to hide from an organised criminal 
organisation or even a government, I'd take a so-called "unsecured" 
VoIP call over the public Internet any day over a TDM or analog line. 
  This crap is ridiculously arbitrary.

And that "dedicated", "point-to-point" cross-connect from customer 
"directly" to vendor B?  Yeah, that traffic physically flows through 
intermediate (and highly tappable) network elements on their side, 
too, like switches and routers, or maybe even an oversubscription bus 
provided by some MPLS or ONS-type optical aggregation box.  It's 
almost like a ... network!  Like the building network that facilitates 
the IX itself!

If somebody wants to mandate end-to-end encryption or >= network and 
transport-level security across the board, fine.  But to pretend that 
one type of circuit design through intermediate Layer 1-3 boxes is 
more secure than another is just infantile thumb-sucking that passes 
for financial security discourse.

Where do they come up with this crap?

</rant>

-- 
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/

More information about the VoiceOps mailing list