[VoiceOps] PCI Compliance and VoIP
Alex Balashov
abalashov at evaristesys.com
Thu Oct 20 04:55:13 EDT 2011
The technological logic of PCI and other compliance in relation to
VoIP has always been elusive to me.
We had a customer a while back whose equipment was colocated in a
well-known carrier hotel. They bought DIA from Tier 1 vendor A, and
they were buying SIP origination from another Tier 1 vendor B. Both A
and B had POPs in the building.
Now, sure, technically, this was going over the "public Internet", I
guess, but, they were 50 ft from an extremely dense BGP peering mesh.
The realities of routing, both EGP and IGP-wise, in a place like
that pretty much ensure that the traffic physically hops inside the
building core network only. Yeah, it's crossing a peering link
between vendor A and B, but so what?
But no, that didn't fly for their major customer in turn -- a payment
processor of some description or another. No, they had to buy a
dedicated IP circuit (well, mostly cross-connect) to vendor B and run
their origination over that. Because that's so much more difficult to
tap than a customer->A->B flow. Right.
And why is TDM or analog LEC infrastructure inherently secure? In
terms of interception, the process for tapping exterior analog plant
and even deeply substrated DS0s is much better understood and widely
implemented. After all, that stuff has only been around for what, a
few decades? And while CALEA switch features and stuff like that are
definitely accompanied by process and audit trail, the mechanical
aspect of tapping is much easier than identifying, finding, extracting
and playing back an RTP stream.
"But building employees can be made to provide assistance with tapping
IP traffic flowing over the peering point!" Yeah, because nobody's
bribed ILEC personnel to assist with tapping wireline conversations
before.
The point being, if I had something to hide from an organised criminal
organisation or even a government, I'd take a so-called "unsecured"
VoIP call over the public Internet any day over a TDM or analog line.
This crap is ridiculously arbitrary.
And that "dedicated", "point-to-point" cross-connect from customer
"directly" to vendor B? Yeah, that traffic physically flows through
intermediate (and highly tappable) network elements on their side,
too, like switches and routers, or maybe even an oversubscription bus
provided by some MPLS or ONS-type optical aggregation box. It's
almost like a ... network! Like the building network that facilitates
the IX itself!
If somebody wants to mandate end-to-end encryption or >= network and
transport-level security across the board, fine. But to pretend that
one type of circuit design through intermediate Layer 1-3 boxes is
more secure than another is just infantile thumb-sucking that passes
for financial security discourse.
Where do they come up with this crap?
</rant>
--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
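The post compares TDM tapping with "identifying, finding, extracting and playing back an RTP stream". The following is an added example, not code from the original post or from Evariste Systems, showing what that step looks like for plain (unencrypted) RTP: parse the RFC 3550 fixed header, reject non-RTP traffic such as SIP signalling and RTCP, group packets into streams by (source, destination, SSRC), and put them back in sequence order across a 16-bit wrap so the media bytes can be handed to a codec. The packets, addresses and SSRC value are all constructed inline; nothing here reads a real capture. With SRTP the same header parse would still succeed, but the concatenated media would be ciphertext, which is what an end-to-end or transport-level encryption mandate would actually change.

```python
"""Added example (not part of the original post or Evariste Systems' code):
identify and reassemble plain RTP streams from a bag of UDP payloads.
All packets below are constructed inline; no capture file or network is used."""
import random
import struct
from collections import defaultdict

RTP_VERSION = 2


def parse_rtp(payload):
    """Parse an RTP fixed header (RFC 3550 section 5.1).

    Returns a dict of header fields plus the media payload, or None when the
    bytes do not look like RTP (wrong version, RTCP packet-type range,
    truncated CSRC list / extension / padding)."""
    if len(payload) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != RTP_VERSION:
        return None
    padding, extension, cc = bool(b0 & 0x20), bool(b0 & 0x10), b0 & 0x0F
    marker, pt = bool(b1 & 0x80), b1 & 0x7F
    # RTCP packet types 200-204 parse as PT 72-76 with the marker bit set;
    # treat those as RTCP rather than RTP (RFC 5761 section 4).
    if 72 <= pt <= 76:
        return None
    offset = 12 + 4 * cc                      # skip the CSRC list
    if extension:
        if len(payload) < offset + 4:
            return None
        _, ext_words = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4 + 4 * ext_words
    if len(payload) < offset:
        return None
    data = payload[offset:]
    if padding:
        if not data or data[-1] == 0 or data[-1] > len(data):
            return None
        data = data[:-data[-1]]
    return {"pt": pt, "seq": seq, "ts": ts, "ssrc": ssrc,
            "marker": marker, "payload": data}


def extract_streams(packets):
    """Group (src, dst, udp_payload) tuples into RTP streams.

    A stream is keyed by (src, dst, ssrc). Packets are restored to sequence
    order, handling one 16-bit sequence wrap for captures shorter than 32768
    packets, and the media bytes are concatenated for decoding/playback."""
    buckets = defaultdict(list)
    for src, dst, payload in packets:
        hdr = parse_rtp(payload)
        if hdr is not None:
            buckets[(src, dst, hdr["ssrc"])].append(hdr)
    streams = {}
    for key, hdrs in buckets.items():
        seqs = [h["seq"] for h in hdrs]
        wrapped = max(seqs) - min(seqs) > 0x8000   # stream crosses 65535 -> 0

        def order(h):
            return h["seq"] + 0x10000 if wrapped and h["seq"] < 0x8000 else h["seq"]

        hdrs.sort(key=order)
        streams[key] = {"pt": hdrs[0]["pt"],
                        "seqs": [h["seq"] for h in hdrs],
                        "media": b"".join(h["payload"] for h in hdrs)}
    return streams


def build_rtp(seq, ts, ssrc, payload, pt=0, marker=False):
    """Build a minimal RTP packet (no CSRC, no extension, no padding)."""
    return struct.pack("!BBHII", RTP_VERSION << 6, (0x80 if marker else 0) | pt,
                       seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


# Constructed sample "capture" (hypothetical addresses and SSRC): one G.711
# (PT 0) stream whose sequence numbers wrap 65534 -> 2, delivered out of
# order, plus a SIP message and an RTCP Sender Report that must be ignored.
SSRC = 0xDEADBEEF
SAMPLE = [("10.0.0.5:20000", "203.0.113.7:30000",
           build_rtp(seq, 1000 + 160 * i, SSRC, bytes([0x80 + i]) * 4))
          for i, seq in enumerate([65534, 65535, 0, 1, 2])]
SAMPLE.append(("10.0.0.5:5060", "203.0.113.7:5060",
               b"INVITE sip:bob@example.net SIP/2.0\r\n"))
SAMPLE.append(("10.0.0.5:20001", "203.0.113.7:30001",
               bytes([0x80, 0xC8]) + struct.pack("!HI", 6, SSRC) + b"\x00" * 24))
random.Random(7).shuffle(SAMPLE)

if __name__ == "__main__":
    for key, s in extract_streams(SAMPLE).items():
        print(key, "PT", s["pt"], "seqs", s["seqs"], "media bytes", len(s["media"]))
```

The SSRC plus 5-tuple is the same key Wireshark's RTP analysis uses; in a real capture you would feed `extract_streams` the UDP payloads from a pcap and hand each stream's `media` to the decoder for its payload type.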