As discussed earlier, VLANs, ACLs, and firewall policies are extremely important components of any converged network security architecture. However, what these methods do not secure is the content within each call or conversation.
The industry is moving towards securing each media path used for voice, video, and data communication. Even internally, there are many threats that may potentially compromise the content within the packets transmitted over an IP network.
So, if this problem is known and widespread, then why isn't there an industry-standard encryption algorithm or method for securing voice/video media? It isn't so much a question of "what" can be done or "when", but of "who" (which vendors) will accept it. This is simply turning into a business-case problem.
Especially in the telecom world, the vendors and developers of hardware and software dictate new development and feature releases. Except for open-source platforms such as Asterisk, which utilizes a "pluggable module" architecture, the users of proprietary platforms are locked into what is provided to them.
Given this, and especially in reference to heterogeneous architectures where multiple platforms and vendors are involved, it is best to use VPNs as a way to encrypt media passing from one location to another. Since the encryption method isn't switch- or platform-centric, proprietary methods can fall by the wayside.
Otherwise, TLS and IPsec (natively, without VPNs) and SRTP are excellent ways of securing media across a LAN. Of course, the platform, endpoints (clients), and any proxies or gateways in between must support the same methods, or you're left with an unsecured media path, or a multi-vendor, multi-implementation nightmare.
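One way to verify that every element really negotiated the same method is to inspect the session descriptions exchanged at call setup and flag any stream that fell back to plain RTP. The following is an added example, not code from the original post; it assumes SIP/SDP signaling, and the function names and sample SDP are constructed for illustration.

```python
# Added example (not from the original post): classify each media stream in an
# SDP body by how its RTP is protected. All sample values are constructed.
PLAIN = {"RTP/AVP", "RTP/AVPF"}
SDES = {"RTP/SAVP", "RTP/SAVPF"}
DTLS = {"UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_sdp(sdp):
    """Return a (media, proto, verdict) tuple for every m= line."""
    session_fp = False   # a=fingerprint before the first m= covers all streams
    streams = []
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            parts = line[2:].split()
            if len(parts) < 3:
                continue  # malformed media line, nothing to classify
            streams.append({"media": parts[0], "port": parts[1].split("/")[0],
                            "proto": parts[2].upper(), "crypto": False,
                            "fp": session_fp})
        elif line.startswith("a=crypto:") and streams:
            streams[-1]["crypto"] = True   # SDES key carried in the SDP itself
        elif line.startswith("a=fingerprint:"):
            if streams:
                streams[-1]["fp"] = True
            else:
                session_fp = True
    return [(s["media"], s["proto"], _verdict(s)) for s in streams]

def _verdict(s):
    if s["port"] == "0":
        return "rejected"                  # stream declined, no media flows
    if s["proto"] in PLAIN:
        return "plaintext"                 # RTP in the clear
    if s["proto"] in SDES:
        # SDES keys are only as safe as the signaling: require SIP over TLS.
        return "srtp-sdes" if s["crypto"] else "srtp-no-key-in-sdp"
    if s["proto"] in DTLS:
        return "dtls-srtp" if s["fp"] else "dtls-srtp-no-fingerprint"
    return "unknown"

SAMPLE_SDP = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_KEY
m=video 51372 RTP/AVP 96
"""
```

Running audit_sdp over the SDP bodies captured at a proxy or gateway shows which streams would cross the LAN unencrypted, here the video stream of an otherwise SRTP-protected call.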
What are you doing to internally and externally protect and encrypt voice media paths?
Nickasch has been very involved in IT since he was just 13. His current and previous consulting experience includes systems architecture, virtualization, and converged networks for the financial, education, and healthcare industries. Matthew currently attends the University of Wisconsin-Platteville, where he also works as a network management assistant. While his interests include directory services and routing protocols, Nickasch's focus is on converged networks and voice over IP.
The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.