Security
Sneak Preview
SecureLogix Encore

  September 4, 2003
  By Joe Hernick and Dean Ellerton



SecureLogix has delivered the next version of its Enterprise Telephony Management system, Network Computing's Well-Connected Product of the Year (see "Dial 1-800 Plug Holes"). ETM 4.1 provides functional upgrades to the suite, better SS7 (Signaling System 7) integration and real-time call encryption on a per-call basis over the PSTN. It offers voice-firewall functionality and real-time monitoring, too.

Targeted at business, medical and government enterprises that require secure site-to-site communications, ETM 4.1 allows for all extensions at a location to be secured. The bottom line is savings: You can encrypt all calls without purchasing encrypted phones. You also can safeguard faxes and make confidential calls in compliance with HIPAA and Gramm-Leach-Bliley Act guidelines.


ETM sites can be complemented with circuit-switched VPN via an add-in PCI Mezzanine Card (PMC). Any "digital" call (voice, STU, fax or data) between ETM locations carried over an ISDN PRI, T1 or E1 trunk can be 168-bit 3DES-encrypted, thanks to a DSP coprocessor on the PMC and some well-thought-out coding.

Call Setup



[Figure: Enterprise Telephony Management 4.1]

We installed an ETM system between a single voice PRI (24 channels) and the production PBX in our labs at a private boarding school in New England. Installation is not for the faint of heart--we were happy to have one of SecureLogix's engineers on-site to help us integrate and configure the system.

Each PMC board can encrypt four spans, or up to 96 simultaneously encrypted channels per PMC when using ISDN PRIs. And though the full ETM system should be installed by a SecureLogix engineer, the PMC is designed to be installed by site administrators. After the initial setup of the ETM system, you must power down to install the new PMC board, then reboot and reconfigure the system to enable TeleVPN.

For our tests, we used an ETM Model 3200 Communication Appliance to support our ISDN-PRI span. The 3200 used three 1-GHz Dell Windows 2000 servers running the ETM client and management packages and Oracle 9i database.

White Noise

We tested a preproduction version of the code, and the TeleVPN Call Shield functioned as advertised, securing calls between our labs and an ETM-equipped SecureLogix development site in Texas. The product lets a call connect and pass standard signaling information. The bearer/media portion of the call is encrypted in real time with a maximum 80-ms latency.

The ETM let us repeatedly sync up and conduct encrypted calls without a hitch via a 64-Kbps channel for voice, fax and modem calls. For testing purposes, we used a Telecommunications Techniques T-Berd 107A (a handheld tool for installing and monitoring T-carrier service) to listen in on our PRI channel by channel. We were able to eavesdrop on speech, fax tones and modem energy during unencrypted communications. During encrypted calls, all we got was an earful of hissing white noise from the scrambled signal.

Security keys are wrapped using 3DES and a chip-specific Key Encrypting Key programmed during chip production that cannot be retrieved from the crypto processor. There is no practical way to hack the system; you'd need physical access to the encryption chip.

RSA key exchange occurs during handshake, and two security associations are used for each call. Session keys are destroyed after every call.

ETM-to-ETM Calling

Any phone extension on a span covered by the PMC is enabled for TeleVPN. Just place a normal call to another ETM-equipped site, and as soon as the receiving end answers, the two ETMs sync up and the call is encrypted. We discerned a short negotiation tone during "handshake" (SecureLogix says the handshake takes 16 ms), but it was not disruptive to the call.

The TeleVPN function complements the firewall functionality of the core ETM suite. The TeleVPN Call Shield rules are managed in parallel with the standard telephony-firewall capabilities of the ETM. VPN Call Shield rules based on source numbers, destination numbers and HA (high assurance) determine if a call should be permitted, terminated and/or logged. HA is used to guarantee confidentiality--ensuring a 56- or 64-Kbps encrypted channel can be created, maintaining acceptable call quality.

For example, to protect a confidential medical report faxed between offices, you would combine the TeleVPN rules with the suite's standard TeleWall rules, setting them on calling number, destination number, type of call and a "quality" 64-Kbps line connection for encryption. Unless all the specified criteria were met, the call would not be allowed. If something happened midstream to jeopardize the call--say, line quality dropped below 64 Kbps--the connection would be dropped.
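The fax scenario above can be modeled as a first-match rule set that is checked at call setup and again on every change in channel state. This is an added illustration, not SecureLogix's rule syntax or code; the `Call` and `Rule` types, the rule names and the phone numbers are all constructed for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass(frozen=True)
class Call:
    src: str         # calling number
    dst: str         # destination number
    kind: str        # "voice", "fax" or "modem"
    encrypted: bool  # bearer channel currently encrypted?
    kbps: int        # current rate of the bearer channel

@dataclass(frozen=True)
class Rule:
    name: str
    src: str           # glob pattern over digits
    dst: str
    kind: str
    action: str        # "allow" or "terminate"
    min_kbps: int = 0  # > 0: require an encrypted channel at this rate

# Constructed policy: only office A's fax may reach office B's fax line,
# and only over a 64-Kbps encrypted channel. Numbers are fictitious.
RULES = [
    Rule("medical-fax", "2105550101", "6035550142", "fax", "allow", 64),
    Rule("protect-fax-line", "*", "6035550142", "*", "terminate"),
    Rule("default", "*", "*", "*", "allow"),
]

def evaluate(call, rules=RULES):
    """Return (action, rule_name); the first matching rule decides."""
    for r in rules:
        if not (fnmatch(call.src, r.src) and fnmatch(call.dst, r.dst)
                and fnmatch(call.kind, r.kind)):
            continue
        # Assurance requirement not met: fail closed instead of
        # falling through to a more permissive rule.
        if r.min_kbps and not (call.encrypted and call.kbps >= r.min_kbps):
            return "terminate", r.name
        return r.action, r.name
    return "terminate", "implicit-deny"

def monitor(states, rules=RULES):
    """Re-evaluate each observed call state; stop at the first terminate."""
    history = []
    for state in states:
        verdict = evaluate(state, rules)
        history.append(verdict)
        if verdict[0] == "terminate":
            break
    return history
```

The fail-closed branch is the point of the model: a call that matches the protected rule but loses its encrypted 64-Kbps channel is dropped rather than matched against the permissive default.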

Management Updates

Good
• Secure voice communication without STUs
• Improved directory, reporting tools and GUI
• Improved SS7 support

Bad
• Priced too high for most small shops
• You need (at least) two to tango for encryption functionality

Enterprise Telephony Management 4.1, TeleVPN Call Shield, licenses start at $5,995 per voice span. Available: November. SecureLogix, (800) 817-4837, (210) 402-9669. www.securelogix.com


ETM 4.1's revised TeleView Explorer-type interface lets administrators manage multiple ETM installations from a single tree structure. In previous versions, administrators had to open a new window for each site they wanted to view.

The product's new directory tool lets you map phone extensions with first name, last name, extension type, site, department, location, e-mail address, mail code and comment fields. External address books (from LDAP or flat file imports) can be integrated into the ETM environment, and the directory can support up to 1 million listings.

Reporting tools also have been improved. Admins can sample subsets of data rather than running queries against the full database. The TeleAudit module provides detailed call records, billing estimation and CO/PBX diagnostic reports based on admin-definable criteria.

The Bottom Line

Existing SecureLogix ETM customers under support can upgrade to 4.1 free of charge. For those wanting to upgrade and take advantage of TeleVPN functionality, the DSP-equipped PMC starts at around $6,000 for the first span. For a base configuration (assuming two small sites), plan to spend about $12,000 on top of the basic ETM costs (minimally $40,000 or so total for two 400-user sites) for a yield of 24 encrypted channels per location. Remember that you need a properly equipped ETM at each site to take advantage of the TeleVPN technology. Any call made to a location without a TeleVPN installed will be a clear-channel call.

Joe Hernick is an IT director for a Fortune 100 firm; he has 12 years of consulting and project-management experience in data and telecom environments. Dean Ellerton is director of technology for a New England boarding school. Write to them at jhernick@nwc.com.
