Now, you're probably thinking several things about my little paranoid theory:
- "My government would never do something like that!" and/or "They're forbidden to listen without a warrant."
- "It's voice traffic, and they can't possibly have enough people to listen to all those calls."
- "I already encrypt my VoIP over the Internet." and/or "I'm not sending any secrets over the Internet. They're only going over my private WAN."
First, it's worth noting that although your government may not be spying on domestic traffic, many of you may work for multinational companies that do business globally. Thus, much of your traffic may route
Requires Free Membership to View
through several jurisdictions, each of which may be discouraged from spying on its domestic traffic but left free to spy on anything coming into or going out of the country. This was the theory behind Echelon.
Second, many people have pointed out that recording all the traffic that traverses the Internet would be quite a feat. Most have dismissed it as impossible. But text-to-speech and speech-to-text conversion software is pretty mature these days, and recording only those conversations with certain key words or with certain sources or destinations is a much simpler task. This possibility is one reason that encrypting voice traffic with SRTP (RFC 3711) is considered a best practice on the Internet, even though it isn't supported by most residential providers (such as Vonage).
 |
||||
|
|
|||
|
||||
Also, your private WAN traffic shares the same physical circuits with lots of other customers. This is true whether you use MPLS or a virtual circuit or point-to-multipoint technology such as ATM or Frame Relay. It's even true if your WAN is built from leased-lines such as T1s, which are circuit switched but still provisioned as small circuits over much larger physical connections in the backbone. Even as an innocent bystander, your company's data may still be at risk if an investigator obtains a warrant to sniff another company's data that happens to be serviced from the same POP. There are several ways to restrict the sniffing to a specific target, but no guarantee that they'll use one, or accountability if they don't.
Of course, each organization has to balance the cost of protecting its data with the risk of exposure, and most will conclude that additional security measures on their private WAN are not justified. But if you are concerned because you deal with sensitive data (e.g., medical records or technology research), then you should consider using SRTP on the WAN, just as you would on the Internet. And you might also consider encrypting each entire WAN circuit, if your topology permits.
About the author:
Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years experience in the networking industry. He has co-authored several books on networking -- most recently,CCSP: Secure PIX and Secure VPN Study Guide published by Sybex.
This was first published in June 2006