In the days when fax servers were fax boards and software physically in servers, the telephony connections went straight from physical ports into the PBX or phone network. However, these days, it is common for fax servers to exist as virtual machines with no fax boards, which connect through an IP connection to a telephony router in another location. SIP is used as the means to establish the connection.
Customers in healthcare and government have been asking us how to enhance the security over such an IP connection. SIP and T.38 do not encrypt data. One way is for the fax server to open a VPN connection as a client to the router or carrier. The overall data transfer is protected through the VPN protocol.
The second way is to encrypt SIP itself, which can be done through an additional layer of security provided by the virtual fax devices and the router, specifically with TLS. However, because T.38 does not support encryption of the data stream, G.711 must be used instead. G.711 is pure digital audio and can be encrypted, however it lacks the fax flow control of T.38. For G.711 to work for fax, therefore, a consistently high level of Quality of Service must be present end-to-end. Fortunately, most carriers and routers have been getting better at providing high-performance and reliable G.711.
Adding this level of TLS security between the fax server and router or carrier can be done with an enhanced security option, which is sold separately per port. If this is something you may need, set-up a consultation with your Biscom account executive or call our main number 978-250-1800.