With all the recent talk about AT&T and the NSA and secret rooms and wiretapping, many readers may be wondering not just about their privacy but about how to protect their companies. Whether or not this activity in particular is a threat will be the subject of much debate, but what is certain is that the situation is complex and easily abused. Not only is it possible to "sniff" individual circuits that comprise the Internet backbone, but the apparent lack of oversight and security controls (according to various news sources) means that if you're sending something interesting, there's little to prevent whoever is listening from selling your corporate secrets to your competitors, be the listeners government spies, "law enforcement," or your WAN provider's technicians and help desk.
Now, you're probably thinking several things about my little paranoid theory:
- "My government would never do something like that!" and/or "They're forbidden to listen without a warrant."
- "It's voice traffic, and they can't possibly have enough people to listen to all those calls."
- "I already encrypt my VoIP over the Internet." and/or "I'm not sending any secrets over the Internet. They're only going over my private WAN."
First, it's worth noting that although your government may not be spying on domestic traffic, many of you may work for multinational companies that do business globally. Thus, much of your traffic may route through several jurisdictions, each of which may be discouraged from spying on its domestic traffic but left free to spy on anything coming into or going out of the country. This was the theory behind Echelon.
Second, many people have pointed out that recording all the traffic that traverses the Internet would be quite a feat. Most have dismissed it as impossible. But text-to-speech and speech-to-text conversion software is pretty mature these days, and recording only those conversations with certain key words or with certain sources or destinations is a much simpler task. This possibility is one reason that encrypting voice traffic with SRTP (RFC 3711) is considered a best practice on the Internet, even though it isn't supported by most residential providers (such as Vonage).
This last thought is the most important point of this tip: You should realize that -- fundamentally -- the technology is the same for Internet and private WAN circuits. In fact, in many places, these circuits are probably logical provisions on the same physical fibers. From a practical standpoint, therefore, there's little difference between the public and private networks as far as privacy from sniffing is concerned.
Also, your private WAN traffic shares the same physical circuits with lots of other customers. This is true whether you use MPLS or a virtual circuit or point-to-multipoint technology such as ATM or Frame Relay. It's even true if your WAN is built from leased-lines such as T1s, which are circuit switched but still provisioned as small circuits over much larger physical connections in the backbone. Even as an innocent bystander, your company's data may still be at risk if an investigator obtains a warrant to sniff another company's data that happens to be serviced from the same POP. There are several ways to restrict the sniffing to a specific target, but no guarantee that they'll use one, or accountability if they don't.
Of course, each organization has to balance the cost of protecting its data with the risk of exposure, and most will conclude that additional security measures on their private WAN are not justified. But if you are concerned because you deal with sensitive data (e.g., medical records or technology research), then you should consider using SRTP on the WAN, just as you would on the Internet. And you might also consider encrypting each entire WAN circuit, if your topology permits.
About the author:
Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years experience in the networking industry. He has co-authored several books on networking -- most recently,CCSP: Secure PIX and Secure VPN Study Guide published by Sybex.