Secure IP Fax – Now Standard

Last fall, I blogged about a pending standard for securing facsimile communications over IP networks here and I spoke about this progress at the SIPNOC conference. Since that time, the standard, known as RFC 7345 has been approved by the Internet Engineering Task Force. The availability of a standard is very good news. There’s a common perception that fax isn’t used anymore, but there are a number of business to business (B2B) and consumer applications where fax still is common, including real estate, insurance, health care and legal applications. There are also a number of companies which provide fax by selling equipment, fax enabling technology, software or a hosted service.

So why should people or companies care about securing IP fax? Increasingly, most of our real time communications, whether by voice, fax, text or video, are transported over IP networks. Very often, they will travel over the Internet for a portion of their journey. The Internet is ubiquitous, but fundamentally unsecure unless the application or the transport layers provide security. Security can mean many different things, but is often referring to solutions for needs which include privacy, authentication and data integrity. The new RFC 7345 is designed to support these types of requirements by applying a standard known as Datagram Transport Layer Security (DTLS). One of the key reasons that the Fax over IP RFC uses DTLS is because the T.38 IP fax protocol most typically formats its signals and data using the User Datagram Protocol Transport Layer (UDPTL), unlike most real time media, which use the Real Time Transport protocol (RTP).  DTLS was designed to provide security services with datagram protocols, so it’s a good fit for T.38 IP fax.  The current version of DTLS is 1.2, which is defined in RFC 6347.

Getting a standard approved is really only the beginning. In order to get traction in the marketplace, there needs to be implementations. For example, T.38 was originally approved in 1998 by the International Telecommunications Union, but implementations did not become common until many years later, starting around 2005. In the time since, T.38 has become the most common way to send fax over IP networks and its been adopted by most of the fax eco-system.  On the plus side, a key advocate for the new standard is the Third Generation Partnership Program (3GPP), which is the standards group that drives standardization of services which will run over mobile networks, such as the emerging Long Term Evolution (LTE) network.  The SIP Forum is also continuing work on its SIP Connect interworking agreements and there is potential for including the new standard in a future version of SIPconnect.

I’ll continue to track what’s happening with respect to implementation of the standard.   As I noted in some of my previous posts, the current work on standardizing WebRTC is helping implementors to gain experience in important new standards for security, codecs and Network Address Translation (NAT) traversal. This WebRTC “toolkit” is also available in open source form.  The inclusion of DTLS in RFC 7345 joins the pending RTCWeb standards in providing new applications and use cases for these emerging standards. This will be good news for the user community, as features which were previously available only in proprietary get implemented in variety of products and services.  If you know of any plans in motion or want to learn more, please feel free to comment or get in touch with me.  You can also learn more by checking out my presentation on Securing IP Fax.

Advertisements

On the Road Again – SIPNOC 2014

I’ll be speaking next week at the SIPNOC conference in Herndon, Virginia.  SIPNOC is sponsored by the SIP Forum and covers a wide variety of topics related to SIP — the Session Initiation Protocol — with a particular focus on the needs of service providers.   It runs from June 9 – 12.

WebRTC continues to be a hot topic in the telecom industry and I’ll be on a panel with several other participants to discuss the relationship between SIP and WebRTC.   SIP has been the primary protocol for Voice over IP and is widely deployed.  WebRTC is much newer, but offers an interesting mix of audio, video and data capabilities and it can be accessed via popular browsers from Google and Mozilla.  WebRTC also has a rapidly growing eco-system.  Are SIP and WebRTC complementary standards which work well together or going in totally different directions?  Come to the panel and find out!

I am also delivering a presentation on a very exciting development in IP fax communications over SIP.  The presentation is entitled: Securing IP Fax – A New Standard Approach.  It’s been a long time coming, but there will soon be a new security standard for implementors of IP Fax over SIP networks.  In particular, the Internet Engineering Task Force is working on using an existing security standard known as DTLS and adding this as a security layer for T.38 fax.    I’ll be talking about the pending standard, why it’s needed and what kind of benefits can be expected for the many users of T.38 IP fax once the new standard is deployed.

I’ve attended SIPNOC as a speaker since its beginning four years ago.  It’s an excellent conference and offers an in-depth perspective on the latest news in SIP as delivered by an all star cast of speakers.  I hope you’ll be able to join us.

Securing Fax over IP for Business Communications

The recent controversy regarding NSA tracking of phone conversations has elevated concerns about security and privacy for business communications. Enterprises generally want to keep their communications private. Use of techniques such as private networks, firewalls and secured tunnels can help to protect internal communication from eavesdroppers, but there are also many exchanges which entail communication with third parties over public networks.

Facsimile is best known as a method of communicating images of printed pages over the Public Switched Telephone Network (PSTN) and many fax companies touted the PSTN as being much more secure than the public Internet, hence reducing the need for formal security approaches. But the circuit-switched network is rapidly being replaced by hybrid and all-IP networks, and a portion of business fax traffic is now sent over the Internet.

During the Nineties, the fax standards experts in the International Telecommunications Union (ITU-T) added annexes to the Group 3 fax T.30 protocol to protect against a variety of security threats. However, there was lack of consensus on how to proceed, so two different approaches were standardized. As attention turned to standardizing fax over higher speed V.34 links and over IP networks, the initial efforts to implement fax security using the new standard approaches fizzled out and never got traction in the marketplace.

Fast forward to 2013. Security and privacy now have a much higher profile. The NSA exposé and other security glitches like the Wikileaks exposures of government and corporate documents have increased awareness of the down side of unsecured documents and communication. In the meantime, as the phone network is being replaced by IP technology, most new sales of fax to the enterprise are for Fax over IP and the T.38 standard from the ITU is frequently used. Most applications of T.38 use a transport protocol called UDPTL (User Datagram Protocol Transport Layer) which is currently an unsecured protocol.

The conventional wisdom might have a “who cares?” attitude, since there’s a common perception that nobody uses fax anymore. However, fax still is used a great deal for a wide variety of business applications which include healthcare, financial and legal organizations, plus fax is integrated into a variety of business processes. Fax is also used for transmission of many normally confidential documents such as insurance claims, real estate transactions and legal notices, plus there are regulations such a HIPAA in the health care domain which require protection of documents from third parties.

For all of these reasons, the need for better security solutions for IP-based facsimile is becoming clear. In another realm of standardization, WebRTC is attracting a lot of attention as a next generation method for performing a wide variety of real time communications such as video and voice over web protocols. The original applications of the Session Initiation Protocol (SIP) were often implemented with little attention paid to security, so the WebRTC standards activities have examined the best approaches for addressing matters such as security and are recommending use of a relatively new security protocol known as Datagram Transport Layer Security (DTLS) to secure real time communications of media within WebRTC.

One advantage of DTLS is that it is relatively protocol agnostic and can be applied as a security layer for various different protocols. So this is a good time to consider how protocols planned for use in WebRTC might also have other applications. The Third Generation Partnership Program (3GPP) has recognized that IP fax is still an important application and wants to have a standard approach to secure faxes which are being transported over IP networks. As a result, there is now an Internet Draft being circulated for comments within the MMUSIC (Multiparty Multimedia Session Control) working group of the Internet Engineering Task Force (IETF) which proposes that DTLS be established as a transport layer that can be used to secure sessions of T.38 IP fax when running over the SIP protocol.

I’m personally enthusiastic about this direction and have made comments on the current draft. I find it ironic that the IETF is looking at adding security layer support to an ITU protocol, but in the world of standards, it’s useful for the work to be done by the experts who have the right domain expertise. In this case, the IETF created DTLS and there is interest in the combination of UDPTL and T.38 from the Fax over IP task group of the SIP Forum, so there is probably enough participation by the Internet and fax communities to produce a useful standard. At this writing, MMUSIC is considering adoption of this draft as an official working group item.

Stay tuned on this one. WebRTC is training a generation of engineers to use a new toolkit of various protocols, so the potential adoption of DTLS by the IP fax community may be a harbinger of a trend to re-purpose various components of the WebRTC initiative in innovative and surprising ways.

Security – A Teachable Moment?

The recent headlines about the NSA capturing data related to phone calls brings up a familiar topic – security. I’ve been managing a session border controller product for the past year and I’ve often been asked if the product supports security. This can be a frustrating question for a product manager, since security is a blanket term that can cover so many areas and this kind of naive question means that the discussion needs to start at a pretty basic level. However, the question can be turned around. One logical response is to ask what kind of security the person wants to know about. An even better response is to get back to basics and ask what are they — typically a customer — trying to protect. In other words, what are the threats?

In the world of international telecom standards, the definition of security starts with the analysis of threats. The National Standards Institute (NIST) wrote a fine paper on security for Voice over IP networks which can be found here. The authors analyzed potential threats to such networks and then proposed solutions. This is preferable to the approach that is often taken of prescribing a security solution before understanding what the goals of the security solution are.

Returning to the topic of the NSA, the President offered a response to critics saying that NSA was not recording phone calls, as if that was the only issue in play here. But if we look at this from a threats perspective, if you are an individual subscriber of phone services, you might want assurances from the service provider of privacy protecting both the content of your communications and the records of who you are talking to. We’ve all seen television shows where the police get a warrant to dump the cell phone records of a potential suspect and just by analyzing the call patterns, are able to figure out who they were calling, when and for how long. This kind of information is often called “traffic analysis” and it can be very revealing. If your company is discussing a merger deal with another company, getting access to these kinds of phone records might reveal the potential merger participants in advance of any public announcement. So is there an incentive for businesses and individuals to protect against people who want to do traffic analysis on their voice (or other) communications? You bet.

I’ve been hearing that argument that if people participate on Facebook and Twitter their public activities are an open book for anybody with Internet access. Sure, that’s true to an extent, though there are battles going on between Facebook and their members about where the privacy lines get drawn. However, I think most phone subscribers, be they individuals or businesses, expect that their private communications will remain so.

On the technical side, this story boils down to a question of where to draw the lines between security and privacy. If this story and the resulting publicity causes individuals and businesses to consider what information they’d like to remain private and which data is considered “fair use” by the government and under what guidelines, then maybe we can have a useful public debate on these matters and not “leave it to the experts.”