Why are the Major Telcos Afraid of encrypted voip?

A significant disconnect exists between the reality of today’s IP communications and the security concerns and needs of the customer (read encrypted voip).

Trefor.net welcomes VoIP Week guest contributor Peter Cox, UM Labs Ltd. Founder and CEO.

One of UM Labs’ long-standing customers is using our product to provide encrypted VoIP connections from remote users (mostly home workers) and to encrypt calls they make and receive on their SIP trunk. Their motivation is simple: They are in the USA and their business makes it necessary for them to work closely with the federal government, a connection that subjects them to security and compliance requirements. This customer’s view is that applying encryption to all VoIP calls — including those made and received on their SIP trunk — is an essential step towards meeting these requirements. Even if some SIP trunk calls are then relayed in clear text, as is the case for PSTN calls, the encryption applied on the connection to their trunk provider protects their network and ensures the confidentiality of SIP trunk calls on the connection between the service provider and their office. This effort demonstrates that they are taking all reasonable steps to secure the network connections under their own control and is thus a significant step towards meeting the compliance requirements.

Recently, our customer’s existing service provider announced that they were considering discontinuing encrypted SIP trunk connections. Unable to find an alternative, the customer asked me to recommend other service providers. I posted the question to the SIP Trunking & Enterprise VoIP LinkedIn group and received a number of helpful replies. My question also sparked some interesting discussion. A number of the participants gave spurious reasons why encryption was too difficult or not needed on a SIP trunk. What surprised me most was that representatives of two very large and well known telcos weighed in against encryption. One claimed that providing an encrypted SIP trunk connection was incompatible with legal intercept requirements, while the other tried to claim that, since enterprises trust their data on “private” networks, they should trust their voice as well.

Addressing the claim that encrypted SIP trunk connections are not compatible with legal intercept requirements, I submit that, when properly implemented and with the appropriate systems, encrypted VoIP does not prevent legal intercept or call recording for compliance purposes. What it does stop is unauthorised call monitoring. The risk of unauthorised call monitoring is not confined to VoIP, as there is a significant risk to calls on cellular networks (see my recent blog at http://tinyurl.com/k38suu3). Encryption also has a role to play in controlling other threats, including call fraud.

Regarding the comment about enterprises trusting their data on private network connections to service providers, this I found even more surprising. I have spent many years in network security and this is the first time I have heard a connection to a 3rd party service provider classified as sufficiently private to trust for data transmission without some form of additional security. While connections to service providers may be more controlled than the open Internet, they are not private. Most enterprises will naturally want to protect their data with a VPN, so it makes sense to do the same for voice.

Part of the problem is that part of the telecoms industry is stuck in the past, back in the days when the phone companies owned and operated the networks. Things have moved on, and a significant proportion of all communications now runs on IP networks, much of it on the Internet. The move to IP has spawned new applications such as presence and IM and is the driving force behind convergence. The use of IP networks, and specifically the Internet, for voice and UC is a big step forward, but we must recognise that a different set of security rules applies. We have the knowledge and technology to address the security issues. Rather than finding reasons to avoid implementing VoIP and UC security technologies, the industry needs to embrace them and promote their implementation.

I won’t name the two telcos, but if you are interested in seeing them incriminate themselves you can follow the full LinkedIn discussion at http://tinyurl.com/ofdqgjy.

This is a VoIP week post on trefor.net. Check out other VoIP themed posts this week:

Why are major telcos afraid of encrypted VoIP? by Peter Cox
Emergency calls and VoIP by Peter Farmer
VoIP, the Bible and own brand chips by Simon Woodhead
Why the desktop VoIP telephone isn’t going away by Jeff Rodman
Small business VoIP setup by Trefor Davies
VoIP fraud-technological-conventionality-achieved by Colin Duffy

Novation, novation, novation

I have recently novated three companies’ ADSL networks to Timico, including health charity “Stroke Association”.

Novation is the process whereby a company hands over its assets to another; in this case we are talking about Wide Area Networks. There are a few reasons why companies do this:

  1. Increasing levels of internet usage drive the need for larger BT Central pipes. Disproportionately large steps in costs are incurred when increased capacity is required.
  2. BT Central pipes of 34Mbps or less do not support L2TP, which is the technology basis for the modern MPLS Private Wide Area Networks. PWANs are far more efficient than traditional PPP/IPsec based Virtual Private Networks (VPNs). The Timico network is fully L2TP compliant.
  3. Increased availability is driving users towards faster 21CN-based ADSL2+ connections, which require totally separate connectivity infrastructure. Timico provides an upgrade path, so that customers’ users can be automatically upgraded to ADSL2+ as soon as availability to 21CN is rolled out in their area.

To the uninitiated this might all sound a bit boring, but in actual fact, in these recessionary days, it seems that more and more companies that traditionally ran their own networks are seeing that it makes sense to outsource.

The same cost pressures are starting to be seen in the Internet Service Provider (ISP) business, with more and more ISPs putting up “for sale” signs. Small ISPs are struggling to come up with the cash to upgrade their networks. It is important to have cash in the bank these days, and looking forwards to the end of the recession I can see the industry in a different shape to today.

Multi-Site Broadband VPN Deployments

If your company is deploying multi-site broadband VPNs you need to consider using an L2TP Private Wide Area Network. A PWAN employs Virtual Routing and Forwarding (VRF) to offer complete security over a shared MPLS backbone.

The beauty of this approach is that you don’t need expensive MPLS connections – an ADSL line will do, which can be a very cost effective way of providing security to remote sites.

Moreover, there is a choice of PWAN with or without internet access. A company that needs only an inward facing network, for example for streaming music or messaging to stores, completely removes the need for firewall support at each remote site.

For a slightly more sophisticated network with internet access and, say, broadband VPN connectivity for mobile workers, only one centrally located firewall is needed (or two for resiliency).

This means that corporate resources such as billing platforms and CRM packages that would normally be located at the corporate HQ can now be located at a centrally positioned data-centre. These are then accessible to every site on the corporate network without the need to provide an expensive beefed up IP connection to the HQ, which also removes the HQ as a single point of failure.

Typically not every ISP offers this kind of PWAN. It relies on BT Central pipes that support L2TP, which the smaller pipes do not. Larger consumer oriented ISPs that may well have the technology are potentially not interested in supporting what is essentially a unique circuit design for every customer.