The VoIP Peering Puzzle, Part 45: SBC Architectures: BorderWare
BorderWare Technologies, Inc. is headquartered in Toronto, Ontario, and has eleven sales and support offices and 140 employees throughout North America and Europe.
The company has focused on messaging security solutions for enterprise and government customers since 1984, winning some blue-ribbon accounts during that time. These include TELUS, one of Canada's largest telecommunications companies, where BorderWare protects the organization's network from inbound threats and secures 5 million customers; BAWAG, the largest bank in Austria, where the products control outbound content, protecting the privacy and personal information of the customers; and NATO, where they manage the messaging infrastructure and secure the e-mail network from threats.
The BorderWare products are considered application-specific firewalls, designed for specific network security requirements. Conventional firewalls are designed to protect internetworks from intrusive traffic; however, application-specific servers inside the network must remain open to external connections in order to function. This openness brings a certain degree of vulnerability: once information has passed through the firewall, the entire messaging infrastructure is more exposed to attack from hackers, malicious code, viruses, and other threats.
The BorderWare Security Platform is an architecture that powers these application-specific firewalls that are designed to support e-mail, instant messaging, web, VPN, and outbound applications: a system that the company claims to have deployed for 8,000 customers worldwide. One of these applications, SIPassure, is designated as a VoIP Security Gateway. BorderWare designates this as a new class of product that combines the best features of an enterprise firewall, an application-layer gateway, and a session border controller.
SIPassure is designed to secure all of an organization's SIP-based applications, including VoIP service, video conferencing, and other messaging applications, as it incorporates functions that go far beyond the capabilities of traditional perimeter firewalls, which are not designed to manage and secure real-time communications. Further, newer threats, including denial of service, call hijacking, and service theft, can lead to service disruptions if left unchecked. All have the potential to compromise the security of both voice and data applications, and certainly make the deployment of SIP applications more challenging.
The SIPassure app includes six distinct functions that are designed to reduce these potential threats and optimize VoIP network operation: SIP traffic management, service continuity, encryption and privacy, SIP security, abuse and spam prevention, and session border control.
With SIPassure deployed at either the network edge or in the DMZ, the SIP Traffic Management function manages all inbound and outbound SIP sessions, applying NAT access rules and other policy decisions. The associated Quality of Service (QoS) process applies a configurable Type of Service (ToS) tag to each packet, which allows the rest of the network infrastructure to apply the appropriate prioritization required to maintain voice quality.
The Service Continuity function is designed to provide voice service with a minimum of disruptions, and protects the core infrastructure from vulnerabilities at the network level, the protocol level, and the application level, blocking unwanted traffic before it reaches the VoIP or SIP application servers. This function adds protection against vulnerabilities such as flooding attacks, call termination attacks, and unauthorized call transfers.
The Encryption and Privacy function reduces the risk of unauthorized call monitoring on the VoIP network by encrypting both the call setup traffic and the audio information streams. For calls between two locations, a SIPassure gateway can be deployed at each end of the connection, thus removing the need to deploy encryption at every end station.
The SIP Security function secures the critical VoIP and SIP applications by providing a multi-layered security architecture. This includes stateful inspection and packet filtering at the network level, to ensure that only legitimate traffic is allowed to reach the destination device while hiding the details of the network from hackers; inspection of SIP and RTP packets at the protocol level, to assure that they conform to protocol specifications; plus application-level policy filters and controls to protect against directory harvesting and spam over Internet Telephony (SPIT).
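To illustrate the protocol-level inspection described above, here is an added example (not BorderWare code) of the kind of conformance check a SIP gateway can apply to an inbound request before it reaches the application server: it verifies the request line and the header fields RFC 3261 requires in every request (Via, From, To, Call-ID, CSeq, Max-Forwards), and that the CSeq method matches the request method. The SIP messages are constructed samples.

```python
"""Protocol-level SIP request conformance check, as a SIP security gateway
might apply before forwarding to a SIP application server.  Added example,
not BorderWare code; the sample messages below are constructed."""
import re

# Header fields RFC 3261 (section 8.1.1) requires in every request.
REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq", "max-forwards")
# Compact header names some endpoints send (RFC 3261 section 7.3.3).
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "m": "contact"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")

def inspect_sip_request(raw: str) -> list[str]:
    """Return the list of conformance violations; empty means the request passes."""
    problems = []
    head, _, _body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return ["malformed request line"]
    method = m.group(1)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            problems.append(f"header without colon: {line!r}")
            continue
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    for h in REQUIRED_HEADERS:
        if h not in headers:
            problems.append(f"missing {h}")
    if "cseq" in headers:
        parts = headers["cseq"][0].split()
        if len(parts) != 2 or not parts[0].isdigit() or parts[1] != method:
            problems.append("cseq does not match request method")
    if "max-forwards" in headers and not headers["max-forwards"][0].isdigit():
        problems.append("max-forwards is not numeric")
    if len(headers.get("call-id", [])) > 1:
        problems.append("duplicate call-id")
    return problems

# Constructed samples: a well-formed INVITE and one that a gateway should drop.
GOOD_INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\n"
               "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
               "Max-Forwards: 70\r\nFrom: <sip:alice@example.com>;tag=1928\r\n"
               "To: <sip:bob@example.com>\r\nCall-ID: a84b4c76e66710@192.0.2.10\r\n"
               "CSeq: 314159 INVITE\r\nContent-Length: 0\r\n\r\n")
BAD_INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\n"
              "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
              "Max-Forwards: seventy\r\nFrom: <sip:alice@example.com>;tag=1928\r\n"
              "To: <sip:bob@example.com>\r\nCSeq: 314159 REGISTER\r\n"
              "Content-Length: 0\r\n\r\n")
```

A real gateway would also validate the SDP body and the RTP streams it announces; this block covers only the SIP header layer.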
The Abuse and SIP Spam Prevention function provides comprehensive protection against a wide variety of network, protocol, and application level attacks, including identity theft and impersonation, session hijacking and redirection, session eavesdropping, v-mail bombing and SIP Spam.
Finally, the Session Border Control function provides both near-end and far-end NAT traversal for SIP and RTP, QoS support, and integration with third-party load-balancing technologies.
SIPassure is a software-based solution, allowing these functions to be embedded into existing applications, such as IP PBXs, softswitches, and SIP application servers, and therefore operating over a wider range of hardware platforms.
Further details on BorderWare's products and the SIPassure architecture can be found at www.borderware.com/sipassure. Our next tutorial will continue our examination of vendors' SBC architectures.
Copyright Acknowledgement: © 2007 DigiNet Corporation ®, All Rights Reserved
Mark A. Miller, P.E., is President of DigiNet Corporation®, a Denver-based consulting engineering firm. He is the author of many books on networking technologies, including Voice over IP Technologies, and Internet Technologies Handbook, both published by John Wiley & Sons.