Making a Federal Case
Secure communications tend to have a longer than usual life span
- By Bill Hartwell
- Oct 04, 2016
Communication has changed a lot in the last 10 years. With
the landscape shifting every day, it is inevitable that more
changes are on the way. Yet communication technologies
tend to have a longer lifespan than desktops or data servers.
Where the average lifespan of a server is three to five years, an
enterprise may have legacy voice equipment such as private branch
exchanges (PBXs) or media gateways that are at least twice that old.
In the public and government sectors, equipment can last even longer
as budgetary constraints force them to extend the life of their legacy
investments. Thus, while most enterprises (and nearly all communications
service providers) have already begun to migrate to IP-based
technologies, many government agencies are still using circuit-based
2G and 3G equipment in their communications networks.
Cost containment is part of the reason for government’s delayed
migration to IP communications, but it’s not the only reason, nor is
it the main reason. Circuit-based communications are inherently secure
because they use a “closed” network. Voice over IP (VoIP), on
the other hand, often uses the most open network imaginable: the
Internet. As a result, VoIP communications expose government organizations
to security risks in their communications, from IP-based
denial-of-service (DoS) attacks to caller ID spoofing. Just this July,
the U.S. Library of Congress website was hit with a sophisticated DoS attack that shut their website down over a three-day period.
What’s Driving the IP Migration?
Circuit-based communications operate using a protocol called Time-division
Multiplexing (TDM). For years, TDM has delivered high-quality
communications with limited security risks. But it has always existed as
a separate network. As the world moves toward IP-based communications
for everything (data, voice, video and messaging), maintaining a
separate network for voice communications is impractical.
In fact, the Federal Communications Commission (FCC) is actively
working to set an official end date for TDM communications.
In the meantime, IP and TDM communications must interoperate
in order to complete voice calls or send texts. This interoperability
often rests on the shoulders of a media gateway or, increasingly, on a
device known as a session border controller (SBC) that supports secure
voice over SIP, TDM and SATCOM links.
The migration to IP isn’t being driven simply by industry trends.
IP communications are the future. They allow enterprises, organizations
and government agencies to consolidate data and communications
traffic onto a single network, versus running separate data and
communications networks in parallel. More importantly, they allow
data and communications applications to work together. This union
can take the form of a simple feature, such as a click-to-call button on
a mobile website, or in a complete mobile application with embedded
communications such as Skype or WhatsApp. As mobile devices replace
traditional desk phones, IP will become the underlying protocol
for all communications.
The Cost of IP Communications
IP communications require extra security. In return, organizations
get more communications features, lower costs in capex and opex
and more flexibility to embrace new technologies including mobile
applications and cloud services. In the data world, network security is
relatively straightforward: you protect the network entry points with
a firewall, encrypt sensitive data, use multi-factor authentication for
applications, encrypt certain transactions as well and you’re more or
less secure. All of these steps and procedures can impact network
performance slightly, but it’s rarely noticeable to the user. A web page
may load a half-second slower, or an application may hang for a moment
during the authentication process, but these are well within the
acceptable range as a user experience.
Voice and video are what are known as real-time communications.
These forms of communication need to be able to transfer
information from one end of a network to the other in a seamless and
instantaneous manner.
If a data packet gets dropped in a web page download, the server
can simply re-request the packet and the page element loads a millisecond
later. If a voice packet gets dropped, however, it can’t always
be re-inserted into the conversation later. Too many dropped packets,
and a conversation becomes unintelligible. For this reason, a firewall
cannot be used to secure voice communications because it can’t stand
up to the rigors of real-time communications. An SBC, however, is
designed to do just that.
Choosing the Right SBC Is Critical
Session border controllers serve two important functions in an IP
communications network: they protect the network border from
DoS and other attacks, and they provide the interoperability needed
to connect different devices and protocols within the same communications
session. SBCs have been around for years, and today they
come in all shapes and sizes, from small SBCs with minimal features
designed to secure a single office network, to larger SBCs with a full
class of advanced features that are used by telecommunications carriers
and global enterprises. With the advent of virtualization, there are
even SBCs that can run as virtual instances on commercial-off-the-shelf
(COTS) hardware or in the cloud.
Many SBCs have been designed to support extreme environments,
from global carrier networks that handle millions of concurrent calls
to enterprises in strictly regulated environments such as financial services
and healthcare. Government agencies themselves have created
stringent guidelines for voice security through their FIPS and JITC
certification programs. These certifications ensure that SBCs can
handle DoS attacks, manage high call overload volumes and operate
smoothly during registration floods.
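The registration-flood handling described above is the kind of border check an SBC applies per source address. The following is an added example, not code from the article or from any SBC vendor: a sliding-window detector run over constructed SIP signaling log lines (the log format is an assumption), flagging a source whose REGISTER rate exceeds a configured threshold.

```python
# Added example: sliding-window SIP REGISTER flood detection at the network border.
# Not from the article; the log format and sample values are constructed.
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple

# Constructed sample signaling log: "<epoch_seconds> <source_ip> <SIP method> <user>"
SAMPLE_LOG = """\
1000 10.0.0.5 REGISTER alice
1000 10.0.0.5 REGISTER alice
1001 10.0.0.9 INVITE bob
1001 10.0.0.5 REGISTER alice
1002 10.0.0.5 REGISTER alice
1002 10.0.0.5 REGISTER alice
1003 10.0.0.5 REGISTER alice
1004 10.0.0.7 REGISTER carol
1070 10.0.0.5 REGISTER alice
"""


def parse_line(line: str) -> Tuple[int, str, str, str]:
    """Split one constructed log line into (timestamp, source_ip, method, user)."""
    ts, ip, method, user = line.split()
    return int(ts), ip, method, user


def registration_flood_sources(log: str, window_s: int = 60,
                               max_registers: int = 5) -> Dict[str, int]:
    """Return {source_ip: timestamp_first_flagged} for every source whose REGISTER
    count inside any window_s-second sliding window exceeds max_registers.
    INVITE and other methods are ignored; only registration traffic is counted."""
    recent: Dict[str, Deque[int]] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for line in log.splitlines():
        ts, ip, method, _user = parse_line(line)
        if method != "REGISTER":
            continue
        q = recent[ip]
        q.append(ts)
        # Evict timestamps that have aged out of the window for this source.
        while q and ts - q[0] >= window_s:
            q.popleft()
        if len(q) > max_registers and ip not in flagged:
            flagged[ip] = ts  # first moment this source crossed the threshold
    return flagged


if __name__ == "__main__":
    print(registration_flood_sources(SAMPLE_LOG))  # {'10.0.0.5': 1003}
```

An SBC would act on such a verdict by rate-limiting or temporarily blocking the offending source while continuing to admit legitimate registrations from other addresses.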
Beyond security, government organizations often face unique
challenges around interoperability. In the U.S., roughly half of all government
communications networks still use TDM-based technology.
In addition, their networks are often a mix of different vendor solutions,
including multiple versions from the same vendor, resulting in
a variety of signaling and media protocols that need to be supported
in the same call.
Key Requirements of an SBC
Government agencies should heavily weigh three criteria when considering
an SBC platform: encryption, interoperability (both for signaling
and media) and virtualization. Nearly every SBC offers media
encryption (such as Secure RTP) and signaling encryption (such as
IPsec) at some level. The key differentiation between SBCs occurs
when the level of encryption increases. Many communications environments
require encryption only some of the time; for example, a
network session initiated from a non-trusted wireless gateway in an
airport. But government organizations require encryption nearly all
of the time.
Why does this matter? Because encryption consumes processing power, and SBCs
have a finite amount of processing capacity. An SBC may claim to
handle 60,000 concurrent calls, but that number can drop to 8,000
calls when encryption is turned on. It’s vital, therefore, that government
organizations understand how an SBC performs with full-time
encryption loads, or they may quickly find themselves with an underperforming
network or buying twice as many SBCs as they originally
planned to do the same job.
Media transcoding and signaling interworking also consume
processing capacity and, in some cases, may even be handled by a
separate device that adds latency and cost to the network. Embedded
transcoding is a useful feature for this reason, especially as mobile
devices and video streaming increase in the network, since they drive single SBC is even more important when mixed TDM/IP environments
come into play.
In our own customer deployments, we’ve noted keen interest in
network elements that combine TDM gateway capabilities and SBC
functionality in a single device that allows TDM and IP networks to
communicate seamlessly. Given the fact that many government organizations
are just beginning to replace circuits with SIP trunks, signaling
interworking is a top-of-mind consideration for a lot of CIOs.
Virtualization is an increasingly important feature as well, particularly
in geographically diverse deployments. The trend in data centers
is toward virtualized environments, and the ability to deploy virtual
SBCs on shared servers is not only a great way to contain costs,
but is a physical necessity in environments such as naval ships where
data center space is extremely limited.
In the End
For government organizations, security isn’t a value-add or a nice-to-have.
It’s an absolute requirement. Fortunately for CIOs in this space,
they’re the beneficiaries of a mature SBC market that has already solved
some highly complex security and performance challenges for the
world’s carriers and enterprises.
That’s one of the advantages of not being an early adopter. These
CIOs also have their own set of unique challenges to face, from limited
budgets to an almost unlimited number of different network devices
inherited from past administrations. Selecting an SBC platform
that does what you need it to do today and supports what you want
to do tomorrow will ensure that your network evolves in a seamless,
efficient and secure manner.
This article originally appeared in the October 2016 issue of Security Today.