[VOIPSEC] An issue of trust?

[Ron_Cramer at cargill.com]

It appears I should clarify my question in regards to a Telecom Service Provider
vs an Internet Service Provider.

Based on my experience, many enterprises would choose to trust telecom service providers
to keep data traffic private on a traditional layer 2 service such as frame relay or voice
services on POTS.  And, would choose not to trust Internet based communication, but to 
mitigate the Internet based risk with firewalls, encryption tunnels, etc.

Part of the logic used to differentiate between these two choices was that the traditional layer 2
services provided separation between the virtual private networks of the many customers serviced
by the Telecom Provider.  Since the packets are being forwarded at layer 2 the Telecom Provider
had no awareness of anything related to the Internet Protocol.  This also meant that the
Telecom Service Providers customers could not use IP based attacks against the carrier infrastructure.

As Telecom Service Providers move to offer IP-ware services - MPLS, VoIP or whatever
the Telecom Service Providers are vulnerable to IP based attacks.  I know there 
are many papers that state MPLS *can* be deployed with the same level of security
as a layer 2 service, but how can I *trust* the Telecom Service Provider will invest
the effort to operate a secure MPLS network.  Or, VoIP, or whatever?

Thanks and regards,

Ron



-----Original Message-----
From: Cramer, Ron - Ron_Cramer at cargill.com 
Sent: Thursday, June 15, 2006 1:19 PM
To: 'Voipsec at voipsa.org'
Subject: An issue of trust?


The issue of trust for your Telecom service provider, 
either traditional or VoIP based seems to be a fundamental
component for secure communications.

Can anyone identify an industry standard that an 
Enterprise can use to establish trust with a Telecom
vendor?  Something with well established decision
criteria, not just a high level guide to performing a
risk assessment.

Thanks in advance,

Ron