
It is a lot easier to tap a network than to tap a T1. Most switches are already SPAN capable, but you could buy a hub, build a passive tap, do some ARP magic, or spoof a REINVITE to redirect the media. By messing with ARP or a REINVITE, you effectively have a "key" to the closet. There are "tools" to do this. However, it is much more of a pain, expense, and obvious, to buy a T1 set so you can listen in. As for analog lines, any schmuck can tap those, but it's also somewhat obvious.

Just because your MPLS network is "private" doesn't mean the underlying provider can't see everything. What if they misconfigure something and another customer is now the happy receiver of your data? How critical is your data and how paranoid are you?

My vote is for encryption. If you have issues, then fix them or justify disabling it.

Guy.Ram at t-systems.com wrote:
Hello,
I would like your kind response to this question:
Would folks agree that SIP traffic in a private MPLS network should not necessarily require encryption? What is your advice for the normal Enterprise? I'm trying to understand where it makes prudent sense to enable encryption and where it's redundant.
I'm trying to counter this statement:
"that encryption of the media stream should be encouraged. Although the MPLS network is private, it is easy to set up a traffic sniffer on computers and to tap and record calls. This is unlike the ISDN world where telecoms equipment is usually locked up and inaccessible to most employees. Companies do accept encryption as normal overhead"
What I've been told is that most enterprise networks are switched, so the connection from the desk goes to a switch and then right to the VoIP system, so it's basically non-trivial to tap a phone line that way. VoWiFi is different, but there are more issues than security with that. Legacy environment equivalent for wired VoIP.
Also that encryption will increase delay, reduce quality, and increase BW consumption. I don't see a lot of need for encryption except across a peering point for example.
Thanks,
-guy
------------------------------------------------------------------------
_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops