Making a Federal Case

Making a Federal Case

Secure communications tend to have a longer than usual life span

Communication has changed a lot in the last 10 years. With the landscape shifting every day, it is inevitable that more changes are on the way. Yet communication technologies tend to have a longer lifespan than desktops or data servers. Where the average lifespan of a server is three to five years, an enterprise may have legacy voice equipment such as private branch exchanges (PBXs) or media gateways that are at least twice that old. In the public and government sectors, equipment can last even longer as budgetary constraints force them to extend the life of their legacy investments. Thus, while most enterprises (and nearly all communications service providers) have already begun to migrate to IP-based technologies, many government agencies are still using circuit-based 2G and 3G equipment in their communications networks.

Cost containment is part of the reason for government’s delayed migration to IP communications, but it’s not the only reason, nor is it the main reason. Circuit-based communications are inherently secure because they use a “closed” network. Voice over IP (VoIP), on the other hand, often uses the most open network imaginable: the Internet. As a result, VoIP communications expose government organizations to security risks in their communications, from IP-based denial-of-service (DoS) attacks to caller ID spoofing. Just this July, the U.S. Library of Congress website was hit with a sophisticated DoS attack that shut their website down over a three-day period.

What’s Driving the IP Migration?

Circuit-based communications operate using a protocol called Time-division Multiplexing (TDM). For years, TDM has delivered high-quality communications with limited security risks. But it has always existed as a separate network. As the world moves toward IP-based communications for everything, (data, voice, video and messaging) maintaining a separate network for voice communications is impractical. In fact, the Federal Communications Commission (FCC) is actively working to set an official end date for TDM communications. In the meantime, IP and TDM communications must interoperate in order to complete voice calls or send texts. This interoperability often rests on the shoulders of a media gateway or, increasingly, on a device known as a (SBC) that supports secure voice over SIP, TDM and SATCOM links.

The migration to IP isn’t being driven simply by industry trends. IP communications are the future. They allow enterprises, organizations and government agencies to consolidate data and communications traffic onto a single network, versus running separate data and communications networks in parallel. More importantly, they allow data and communications applications to work together. This union can take the form of a simple feature, such as a click-to-call button on a mobile website, or in a complete mobile application with embedded communications such as Skype or WhatsApp. As mobile devices replace traditional desk phones, IP will become the underlying protocol for all communications.

The Cost of IP Communications

IP communications require extra security. In return, organizations get more communications features, lower costs in capex and opex and more flexibility to embrace new technologies including mobile applications and cloud services. In the data world, network security is relatively straightforward: you protect the network entry points with a firewall, encrypt sensitive data, use multi-factor authentication for applications, encrypt certain transactions as well and you’re more or less secure. All of these steps and procedures can impact network performance slightly, but it’s rarely noticeable to the user. A web page may load a half-second slower, or an application may hang for a moment during the authentication process, but these are well within the acceptable range as a user experience.

Voice and video are what are known as real-time communications. These forms of communication need to be able to transfer information from one end of a network the other in a seamless and instantaneous matter.

If a data packet gets dropped in a web page download, the server can simply re-request the packet and the page element loads a millisecond later. If a voice packet gets dropped, however, it can’t always be re-inserted into the conversation later. Too many dropped packets, and a conversation becomes unintelligible. For this reason, a firewall cannot be used to secure voice communications because it can’t stand up to the rigors of real-time communications. An SBC, however, is designed to do just that.

Choosing the Right SBC Is Critical

Session border controllers serve two important functions in an IP communications network: they protect the network border from DoS and other attacks, and they provide the interoperability needed to connect different devices and protocols within the same communications session. SBCs have been around for years, and today they come in all shapes and sizes, from small SBCs with minimal features designed to secure a single office network, to larger SBCs with a full class of advanced features that are used by telecommunications carriers and global enterprises. With the advent of virtualization, there are even SBCs that can run as virtual instances on commercial-of-theshelf (COTS) hardware or in the cloud.

Many SBCs have been designed to support extreme environments, from global carrier networks that handle millions of concurrent calls to enterprises in strictly regulated environments such as financial services and healthcare. Government agencies themselves have created stringent guidelines for voice security through their FIPS and JITC certification programs. These certifications ensure that SBCs can handle DoS attacks, manage high call overload volumes and operate smoothly during registration floods. Beyond security, government organizations often face unique challenges around interoperability. In the U.S., roughly half of all government communications networks still use TDM-based technology. In addition, their networks are often a mix of different vendor solutions, including multiple versions from the same vendor, resulting in a variety of signaling and media protocols that need to be supported in the same call.

Key Requirements of an SBC

Government agencies should heavily weigh three criteria when considering an SBC platform: encryption, interoperability (both for signaling and media) and virtualization. Nearly every SBC offers media encryption, such as Secure RTP; and signaling encryption, such as IPsec on some level. The key differentiation between SBCs occurs when the level of encryption increases. Many communications environments require encryption only some of the time; for example, a network session initiated from a non-trusted wireless gateway in an airport. But government organizations require encryption nearly all of the time.

Why does this matter? Because encryption is a process and SBCs have a finite amount of processing capacity. An SBC may claim to handle 60,000 concurrent calls, but that number can drop to 8,000 calls when encryption is turned on. It’s vital, therefore, that government organizations understand how an SBC performs with full-time encryption loads, or they may quickly find themselves with an underperforming network or buying twice as many SBCs as they originally planned to do the same job.

Media transcoding and signaling interworking also consume processing capacity and, in some cases, may even be handled by a separate device that adds latency and cost to the network. Embedded transcoding is a useful feature for this reason, especially as mobile devices and video streaming increase in the network, since they drive single SBC is even more important when mixed TDM/IP environments come into play.

In our own customer deployments, we’ve noted keen interest in network elements that combine TDM gateway capabilities and SBC functionality in a single device that allows TDM and IP networks to communicate seamlessly. Given the fact that many government organizations are just beginning to replace circuits with SIP trunks, signaling interworking is a top-of-mind consideration for a lot of CIOs. Virtualization is an increasingly important feature as well, particularly in geographically diverse deployments. The trend in data centers is toward virtualized environments, and the ability to deploy virtual SBCs on shared servers is not only a great way to contain costs, but is a physical necessity in environments such as naval ships where data center space is extremely limited.

In the End

For government organizations, security isn’t a value-add or a nice-tohave. It’s an absolute requirement. Fortunately for CIOs in this space, they’re the beneficiaries of a mature SBC market that has already solved some highly complex security and performance challenges for the world’s carriers and enterprises.

That’s one of the advantages of not being an early adopter. These CIOs also have their own set of unique challenges to face, from limited budgets to an almost unlimited number of different network devices inherited from past administrations. Selecting an SBC platform that does what you need it to do today and supports what you want to do tomorrow will ensure that your network evolves in a seamless, efficient and secure manner.

This article originally appeared in the October 2016 issue of Security Today.

Featured

  • It's Show Time

    I am one of those people that likes to see things get bigger and better. As advertised, ISC West is going to be bigger (more exhibitors) and better (more attendees). It’s show time in Las Vegas. Read Now

    • Industry Events
    • ISC West
  • SIA Releases New Report on Operational Security Technology

    The Security Industry Association (SIA) has released an impactful new resource – Operational Security Technology: Principles, Challenges and Achieving Mission-Critical Outcomes Leveraging OST. Read Now

  • Cyber Overconfidence Is Leaving Your Organization Vulnerable

    The increased sophistication of cyber threats pumped by the relentless use of AI and machine learning brings forth record-breaking statistics. Cyberattacks grew 44% YoY in 2024, with a weekly average of 1,673 cyberattacks per organization. While organizations up their security game to help thwart these attacks, a critical question remains: Can employees identify a threat when they come across one? A Confidence Gap survey reveals that 86% of employees feel confident in their ability to identify phishing attempts. But things are not as rosy as they appear; the more significant part of the report finds this confidence misplaced. Read Now

  • Mission 500 Debuts Refreshed Identity Ahead of Security 5K/2K at ISC West

    Mission 500, the security industry’s nonprofit charity dedicated to supporting children in need across the US, Canada, and Puerto Rico, has unveiled a refreshed brand identity ahead of ISC West. The charity’s new look includes a modernized logo with refined messaging to reinforce Mission 500’s nearly decade-long commitment to serving the needs of children and families in crisis. Read Now

    • Industry Events

New Products

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction.

  • ComNet CNGE6FX2TX4PoE

    The ComNet cost-efficient CNGE6FX2TX4PoE is a six-port switch that offers four Gbps TX ports that support the IEEE802.3at standard and provide up to 30 watts of PoE to PDs. It also has a dedicated FX/TX combination port as well as a single FX SFP to act as an additional port or an uplink port, giving the user additional options in managing network traffic. The CNGE6FX2TX4PoE is designed for use in unconditioned environments and typically used in perimeter surveillance.

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge.