By the rule-book, you should be turning on encryption. If everything is internal, it won’t make much of a difference, but it is a checkbox on the compliance forms.
That being said – if you are on a modern Avaya CM system, turning on encryption is not a big deal. It used to be that we had to do troubleshooting by doing Wireshark traces everywhere to see what was happening on the phones, etc. That is significantly less the case now that we have tools like TraceSBC on Session Manager/SBCE. Even CM’s List Trace functionality gives some of this data – and the nice part is these tools work the same regardless if the traffic is encrypted or not.
Wireshark traces used to be the way that you were able to determine one-way audio, echoes, etc. as well. Again, tools like Avaya Diagnostic Server and other VoIP tools have usurped those methods and they work regardless if the traffic is encrypted or not.
So, pretty much what I’m saying is that past the initial setup (which can take some wrangling with certificates, etc.), there really isn’t any difference between the encrypted traffic and not as far as day-to-day operations go. There is really little reason not to do it these days.
From: Owen Smith [mailto:firstname.lastname@example.org]
Sent: Tuesday, December 08, 2015 2:31 PM
Subject: [IAUG Forums] - SBC encryption for internal calls. PCI DSS compliance
Hi All, I am trying to determine if my organization needs to turn encryption on for our SBCs. We are VoIP internally and have a contact centre within our location as well. Our calls come into the SBC from the carrier via PRIs etc. I am trying to determine if turning it on will help with PCI compliance or if it will only create an administrative burden. My concern is sniffing on the internal physical network primarily. Is there anything else I should look at?
-----End Original Message-----