Making a Federal Case

Making a Federal Case

Secure communications tend to have a longer than usual life span

Communication has changed a lot in the last 10 years. With the landscape shifting every day, it is inevitable that more changes are on the way. Yet communication technologies tend to have a longer lifespan than desktops or data servers. Where the average lifespan of a server is three to five years, an enterprise may have legacy voice equipment such as private branch exchanges (PBXs) or media gateways that are at least twice that old. In the public and government sectors, equipment can last even longer as budgetary constraints force them to extend the life of their legacy investments. Thus, while most enterprises (and nearly all communications service providers) have already begun to migrate to IP-based technologies, many government agencies are still using circuit-based 2G and 3G equipment in their communications networks.

Cost containment is part of the reason for government’s delayed migration to IP communications, but it’s not the only reason, nor is it the main reason. Circuit-based communications are inherently secure because they use a “closed” network. Voice over IP (VoIP), on the other hand, often uses the most open network imaginable: the Internet. As a result, VoIP communications expose government organizations to security risks in their communications, from IP-based denial-of-service (DoS) attacks to caller ID spoofing. Just this July, the U.S. Library of Congress website was hit with a sophisticated DoS attack that shut their website down over a three-day period.

What’s Driving the IP Migration?

Circuit-based communications operate using a protocol called Time-division Multiplexing (TDM). For years, TDM has delivered high-quality communications with limited security risks. But it has always existed as a separate network. As the world moves toward IP-based communications for everything, (data, voice, video and messaging) maintaining a separate network for voice communications is impractical. In fact, the Federal Communications Commission (FCC) is actively working to set an official end date for TDM communications. In the meantime, IP and TDM communications must interoperate in order to complete voice calls or send texts. This interoperability often rests on the shoulders of a media gateway or, increasingly, on a device known as a (SBC) that supports secure voice over SIP, TDM and SATCOM links.

The migration to IP isn’t being driven simply by industry trends. IP communications are the future. They allow enterprises, organizations and government agencies to consolidate data and communications traffic onto a single network, versus running separate data and communications networks in parallel. More importantly, they allow data and communications applications to work together. This union can take the form of a simple feature, such as a click-to-call button on a mobile website, or in a complete mobile application with embedded communications such as Skype or WhatsApp. As mobile devices replace traditional desk phones, IP will become the underlying protocol for all communications.

The Cost of IP Communications

IP communications require extra security. In return, organizations get more communications features, lower costs in capex and opex and more flexibility to embrace new technologies including mobile applications and cloud services. In the data world, network security is relatively straightforward: you protect the network entry points with a firewall, encrypt sensitive data, use multi-factor authentication for applications, encrypt certain transactions as well and you’re more or less secure. All of these steps and procedures can impact network performance slightly, but it’s rarely noticeable to the user. A web page may load a half-second slower, or an application may hang for a moment during the authentication process, but these are well within the acceptable range as a user experience.

Voice and video are what are known as real-time communications. These forms of communication need to be able to transfer information from one end of a network the other in a seamless and instantaneous matter.

If a data packet gets dropped in a web page download, the server can simply re-request the packet and the page element loads a millisecond later. If a voice packet gets dropped, however, it can’t always be re-inserted into the conversation later. Too many dropped packets, and a conversation becomes unintelligible. For this reason, a firewall cannot be used to secure voice communications because it can’t stand up to the rigors of real-time communications. An SBC, however, is designed to do just that.

Choosing the Right SBC Is Critical

Session border controllers serve two important functions in an IP communications network: they protect the network border from DoS and other attacks, and they provide the interoperability needed to connect different devices and protocols within the same communications session. SBCs have been around for years, and today they come in all shapes and sizes, from small SBCs with minimal features designed to secure a single office network, to larger SBCs with a full class of advanced features that are used by telecommunications carriers and global enterprises. With the advent of virtualization, there are even SBCs that can run as virtual instances on commercial-of-theshelf (COTS) hardware or in the cloud.

Many SBCs have been designed to support extreme environments, from global carrier networks that handle millions of concurrent calls to enterprises in strictly regulated environments such as financial services and healthcare. Government agencies themselves have created stringent guidelines for voice security through their FIPS and JITC certification programs. These certifications ensure that SBCs can handle DoS attacks, manage high call overload volumes and operate smoothly during registration floods. Beyond security, government organizations often face unique challenges around interoperability. In the U.S., roughly half of all government communications networks still use TDM-based technology. In addition, their networks are often a mix of different vendor solutions, including multiple versions from the same vendor, resulting in a variety of signaling and media protocols that need to be supported in the same call.

Key Requirements of an SBC

Government agencies should heavily weigh three criteria when considering an SBC platform: encryption, interoperability (both for signaling and media) and virtualization. Nearly every SBC offers media encryption, such as Secure RTP; and signaling encryption, such as IPsec on some level. The key differentiation between SBCs occurs when the level of encryption increases. Many communications environments require encryption only some of the time; for example, a network session initiated from a non-trusted wireless gateway in an airport. But government organizations require encryption nearly all of the time.

Why does this matter? Because encryption is a process and SBCs have a finite amount of processing capacity. An SBC may claim to handle 60,000 concurrent calls, but that number can drop to 8,000 calls when encryption is turned on. It’s vital, therefore, that government organizations understand how an SBC performs with full-time encryption loads, or they may quickly find themselves with an underperforming network or buying twice as many SBCs as they originally planned to do the same job.

Media transcoding and signaling interworking also consume processing capacity and, in some cases, may even be handled by a separate device that adds latency and cost to the network. Embedded transcoding is a useful feature for this reason, especially as mobile devices and video streaming increase in the network, since they drive single SBC is even more important when mixed TDM/IP environments come into play.

In our own customer deployments, we’ve noted keen interest in network elements that combine TDM gateway capabilities and SBC functionality in a single device that allows TDM and IP networks to communicate seamlessly. Given the fact that many government organizations are just beginning to replace circuits with SIP trunks, signaling interworking is a top-of-mind consideration for a lot of CIOs. Virtualization is an increasingly important feature as well, particularly in geographically diverse deployments. The trend in data centers is toward virtualized environments, and the ability to deploy virtual SBCs on shared servers is not only a great way to contain costs, but is a physical necessity in environments such as naval ships where data center space is extremely limited.

In the End

For government organizations, security isn’t a value-add or a nice-tohave. It’s an absolute requirement. Fortunately for CIOs in this space, they’re the beneficiaries of a mature SBC market that has already solved some highly complex security and performance challenges for the world’s carriers and enterprises.

That’s one of the advantages of not being an early adopter. These CIOs also have their own set of unique challenges to face, from limited budgets to an almost unlimited number of different network devices inherited from past administrations. Selecting an SBC platform that does what you need it to do today and supports what you want to do tomorrow will ensure that your network evolves in a seamless, efficient and secure manner.

This article originally appeared in the October 2016 issue of Security Today.

Featured

Featured Cybersecurity

Webinars

New Products

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file. 3

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation. 3

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises. 3