Making a Federal Case

Making a Federal Case

Secure communications tend to have a longer than usual life span

Communication has changed a lot in the last 10 years. With the landscape shifting every day, it is inevitable that more changes are on the way. Yet communication technologies tend to have a longer lifespan than desktops or data servers. Where the average lifespan of a server is three to five years, an enterprise may have legacy voice equipment such as private branch exchanges (PBXs) or media gateways that are at least twice that old. In the public and government sectors, equipment can last even longer as budgetary constraints force them to extend the life of their legacy investments. Thus, while most enterprises (and nearly all communications service providers) have already begun to migrate to IP-based technologies, many government agencies are still using circuit-based 2G and 3G equipment in their communications networks.

Cost containment is part of the reason for government’s delayed migration to IP communications, but it’s not the only reason, nor is it the main reason. Circuit-based communications are inherently secure because they use a “closed” network. Voice over IP (VoIP), on the other hand, often uses the most open network imaginable: the Internet. As a result, VoIP communications expose government organizations to security risks in their communications, from IP-based denial-of-service (DoS) attacks to caller ID spoofing. Just this July, the U.S. Library of Congress website was hit with a sophisticated DoS attack that shut their website down over a three-day period.

What’s Driving the IP Migration?

Circuit-based communications operate using a protocol called Time-division Multiplexing (TDM). For years, TDM has delivered high-quality communications with limited security risks. But it has always existed as a separate network. As the world moves toward IP-based communications for everything, (data, voice, video and messaging) maintaining a separate network for voice communications is impractical. In fact, the Federal Communications Commission (FCC) is actively working to set an official end date for TDM communications. In the meantime, IP and TDM communications must interoperate in order to complete voice calls or send texts. This interoperability often rests on the shoulders of a media gateway or, increasingly, on a device known as a (SBC) that supports secure voice over SIP, TDM and SATCOM links.

The migration to IP isn’t being driven simply by industry trends. IP communications are the future. They allow enterprises, organizations and government agencies to consolidate data and communications traffic onto a single network, versus running separate data and communications networks in parallel. More importantly, they allow data and communications applications to work together. This union can take the form of a simple feature, such as a click-to-call button on a mobile website, or in a complete mobile application with embedded communications such as Skype or WhatsApp. As mobile devices replace traditional desk phones, IP will become the underlying protocol for all communications.

The Cost of IP Communications

IP communications require extra security. In return, organizations get more communications features, lower costs in capex and opex and more flexibility to embrace new technologies including mobile applications and cloud services. In the data world, network security is relatively straightforward: you protect the network entry points with a firewall, encrypt sensitive data, use multi-factor authentication for applications, encrypt certain transactions as well and you’re more or less secure. All of these steps and procedures can impact network performance slightly, but it’s rarely noticeable to the user. A web page may load a half-second slower, or an application may hang for a moment during the authentication process, but these are well within the acceptable range as a user experience.

Voice and video are what are known as real-time communications. These forms of communication need to be able to transfer information from one end of a network the other in a seamless and instantaneous matter.

If a data packet gets dropped in a web page download, the server can simply re-request the packet and the page element loads a millisecond later. If a voice packet gets dropped, however, it can’t always be re-inserted into the conversation later. Too many dropped packets, and a conversation becomes unintelligible. For this reason, a firewall cannot be used to secure voice communications because it can’t stand up to the rigors of real-time communications. An SBC, however, is designed to do just that.

Choosing the Right SBC Is Critical

Session border controllers serve two important functions in an IP communications network: they protect the network border from DoS and other attacks, and they provide the interoperability needed to connect different devices and protocols within the same communications session. SBCs have been around for years, and today they come in all shapes and sizes, from small SBCs with minimal features designed to secure a single office network, to larger SBCs with a full class of advanced features that are used by telecommunications carriers and global enterprises. With the advent of virtualization, there are even SBCs that can run as virtual instances on commercial-of-theshelf (COTS) hardware or in the cloud.

Many SBCs have been designed to support extreme environments, from global carrier networks that handle millions of concurrent calls to enterprises in strictly regulated environments such as financial services and healthcare. Government agencies themselves have created stringent guidelines for voice security through their FIPS and JITC certification programs. These certifications ensure that SBCs can handle DoS attacks, manage high call overload volumes and operate smoothly during registration floods. Beyond security, government organizations often face unique challenges around interoperability. In the U.S., roughly half of all government communications networks still use TDM-based technology. In addition, their networks are often a mix of different vendor solutions, including multiple versions from the same vendor, resulting in a variety of signaling and media protocols that need to be supported in the same call.

Key Requirements of an SBC

Government agencies should heavily weigh three criteria when considering an SBC platform: encryption, interoperability (both for signaling and media) and virtualization. Nearly every SBC offers media encryption, such as Secure RTP; and signaling encryption, such as IPsec on some level. The key differentiation between SBCs occurs when the level of encryption increases. Many communications environments require encryption only some of the time; for example, a network session initiated from a non-trusted wireless gateway in an airport. But government organizations require encryption nearly all of the time.

Why does this matter? Because encryption is a process and SBCs have a finite amount of processing capacity. An SBC may claim to handle 60,000 concurrent calls, but that number can drop to 8,000 calls when encryption is turned on. It’s vital, therefore, that government organizations understand how an SBC performs with full-time encryption loads, or they may quickly find themselves with an underperforming network or buying twice as many SBCs as they originally planned to do the same job.

Media transcoding and signaling interworking also consume processing capacity and, in some cases, may even be handled by a separate device that adds latency and cost to the network. Embedded transcoding is a useful feature for this reason, especially as mobile devices and video streaming increase in the network, since they drive single SBC is even more important when mixed TDM/IP environments come into play.

In our own customer deployments, we’ve noted keen interest in network elements that combine TDM gateway capabilities and SBC functionality in a single device that allows TDM and IP networks to communicate seamlessly. Given the fact that many government organizations are just beginning to replace circuits with SIP trunks, signaling interworking is a top-of-mind consideration for a lot of CIOs. Virtualization is an increasingly important feature as well, particularly in geographically diverse deployments. The trend in data centers is toward virtualized environments, and the ability to deploy virtual SBCs on shared servers is not only a great way to contain costs, but is a physical necessity in environments such as naval ships where data center space is extremely limited.

In the End

For government organizations, security isn’t a value-add or a nice-tohave. It’s an absolute requirement. Fortunately for CIOs in this space, they’re the beneficiaries of a mature SBC market that has already solved some highly complex security and performance challenges for the world’s carriers and enterprises.

That’s one of the advantages of not being an early adopter. These CIOs also have their own set of unique challenges to face, from limited budgets to an almost unlimited number of different network devices inherited from past administrations. Selecting an SBC platform that does what you need it to do today and supports what you want to do tomorrow will ensure that your network evolves in a seamless, efficient and secure manner.

This article originally appeared in the October 2016 issue of Security Today.

Featured

  • Security Today Announces The Govies Government Security Award Winners for 2025

    Security Today is pleased to announce the 2025 winners in The Govies Government Security Awards. The awards honor outstanding government security products in a variety of categories. Read Now

  • Survey: 60 Percent of Organizations Using AI in IT Infrastructure

    Netwrix, a cybersecurity provider focused on data and identity threats, today announced the release of its annual global 2025 Cybersecurity Trends Report based on a global survey of 2,150 IT and security professionals from 121 countries. It reveals that 60% of organizations are already using artificial intelligence (AI) in their IT infrastructure and 30% are considering implementing AI. Read Now

  • New Research Reveals Global Video Surveillance Industry Perspectives on AI

    Axis Communications, the global industry leader in video surveillance, has released its latest research report, ‘The State of AI in Video Surveillance,’ which explores global industry perspectives on the use of AI in the security industry and beyond. The report reveals current attitudes on AI technologies thanks to in-depth interviews with AI experts from Axis’ global network and a comprehensive survey of more than 5,800 respondents, including distributors, channel partners, and end customers across 68 countries. The resulting insights cover AI integration and the opportunities and challenges that exist with regard to security, safety, business intelligence, and operational efficiency. Read Now

  • SIA Urges Tariff Relief for Security Industry Products

    Today, the Security Industry Association has sent a letter to U.S. Trade Representative Jamieson Greer and U.S. Secretary of Commerce Howard Lutnick requesting relief from tariffs for security industry products and asking that the Trump administration formulate a process that allows companies to apply for product-specific exemptions. The security industry is an important segment of the U.S. economy, contributing over $430 billion in total economic impact and supporting over 2.1 million jobs. Read Now

  • Report Shows Cybercriminals Continue Pivot to Stealthier Tactics

    IBM recently released the 2025 X-Force Threat Intelligence Index highlighting that cybercriminals continued to pivot to stealthier tactics, with lower-profile credential theft spiking, while ransomware attacks on enterprises declined. IBM X-Force observed an 84% increase in emails delivering infostealers in 2024 compared to the prior year, a method threat actors relied heavily on to scale identity attacks. Read Now

New Products

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.