The VoIP Peering Puzzle - Part 48: SBC Architectures - Sipera Systems
Founded in 2003, Sipera Systems, Inc. provides comprehensive VoIP security solutions to enterprises and service providers that protect, control, and enable real-time unified communications. The firm is headquartered in Richardson, Texas, with a development center in Hyderabad, India and currently employs approximately 70 individuals. Sipera is backed by three well-established venture capital firms: Sequoia Capital, Austin Ventures, and STAR Ventures.
Sipera is also home to the VIPER (Voice over IP Exploitation Research) Lab. While VoIP technology is becoming increasingly popular because of the new applications it can support, it also exposes networking infrastructures to a whole new set of signaling and media vulnerabilities and other security issues. These include fuzzing, reconnaissance, floods, and distributed floods that can affect the network as a whole, plus misuse and spoofing, stealth attacks, and spam that can target end users. The VIPER Lab has identified thousands of potential security threats and vulnerabilities that can be launched against VoIP networks and systems, and documents its work as VoIP Threat Advisories (see http://www.sipera.com/index.php?action=resources,threat_advisory) and Recent Attacks (see http://www.sipera.com/index.php?action=resources,vulnerabilities).
This research has led to the development of two key Sipera product lines. The first is the LAVA (Load Analysis and Vulnerability Assessment) tool, which tests a network's readiness to resist a VoIP-related attack, including floods, distributed floods, stealth attacks, and spam. The second is the IP Communications Security (IPCS) line of products, which combines VPN, Firewall/SBC, Intrusion Prevention, Anti-Spam, Compliance, and Troubleshooting functionality for VoIP in a single device, securely enabling IP PBXs, VoIP remote users, SIP trunks, hosted VoIP services, and IP Multimedia Subsystem (IMS) or Unlicensed Mobile Access (UMA)-based networks.
The Sipera IPCS product family targets both enterprises and service providers, positioned as a VoIP security appliance that offers session border controller functionality, such as firewall and NAT traversal, as well as media and signaling encryption. This is Sipera's flagship product line, and the company partners with IP telephony vendors such as Avaya, Cisco, Nortel, and others to ensure that its security appliance can be seamlessly integrated into customer networks.
The IPCS product goes above and beyond the capabilities of a traditional SBC by offering enterprise policy enforcement, which allows control of who talks to whom based on network, user, device, and time of day.
Perhaps more importantly, the IPCS offers VoIP intrusion prevention and threat mitigation based on specialized VoIP security techniques such as behavior learning, fingerprint verification, and sophisticated deep packet inspection for media and signaling anomalies, instead of just the protocol scrubbing offered by many SBCs.
As mentioned, the IPCS line is designed for both enterprise and carrier applications.
The enterprise-class appliances (the IPCS 210, 310, 410 and 510) are deployed in front of the IP PBX to protect it from attack and to enforce policies, or in the enterprise DMZ to securely enable applications such as VoIP remote users and SIP trunks.
The carrier-class IPCS 520 product is deployed inline for intrusion prevention or in 'tap' mode for intrusion detection/troubleshooting. These products combine threat prevention, policy compliance, and secure access in a single device that supports many converged networking applications, including IP PBX deployments, SIP trunks, voice and data Virtual LANs (VLANs), VoIP remote users, instant messaging systems, and hosted VoIP service.
To protect against malicious attacks, the products incorporate a variety of VoIP-specific security techniques that include anomaly detection, protocol scrubbing, rogue media blocking, and behavior learning, and in turn protect against VoIP-specific denial of service, reconnaissance, spoofing, stealth, and spam attacks.
To control system deployments, the products include a centralized policy management system, which identifies each call flow, and either allows, denies, or applies routing and security functionality to each session, based upon granular signaling, media, and security rules. This framework enables enterprises to enforce policies based upon the network, user, device, and time of day. The systems also enable secure access, by including next-generation border control functionality, including local and remote firewall and NAT, a security proxy for authentication of endpoints, and confidentiality of signaling and media traffic.
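The two controls described above, per-session policy decisions keyed on network, user, device and time of day, and flood detection by source, can be illustrated with a small Python model. This is an added example, not Sipera code; the rule names, address ranges, User-Agent prefixes and the 20-INVITE threshold are constructed for illustration.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Set, Tuple

@dataclass
class Session:
    src_ip: str       # signalling source address of the INVITE
    from_user: str    # user part of the SIP From: header
    user_agent: str   # SIP User-Agent header, used as the device fingerprint
    at: str           # local arrival time as zero-padded "HH:MM"

@dataclass
class Rule:
    name: str
    network: str                 # CIDR the source must belong to
    users: Optional[Set[str]]    # None means any user
    devices: Tuple[str, ...]     # accepted User-Agent prefixes
    window: Tuple[str, str]      # permitted time-of-day range, inclusive
    action: str                  # "allow" or "deny"

# Constructed rule set: hypothetical names, networks and device prefixes.
RULES = [
    Rule("pbx-internal", "10.0.0.0/8", None, ("Avaya", "Cisco"), ("00:00", "23:59"), "allow"),
    Rule("remote-users-business-hours", "203.0.113.0/24", {"alice", "bob"},
         ("Avaya",), ("08:00", "18:00"), "allow"),
]

def matches(s: Session, r: Rule) -> bool:
    """A rule applies only when network, user, device and time all match."""
    in_net = ipaddress.ip_address(s.src_ip) in ipaddress.ip_network(r.network)
    user_ok = r.users is None or s.from_user in r.users
    device_ok = s.user_agent.startswith(r.devices)
    time_ok = r.window[0] <= s.at <= r.window[1]   # "HH:MM" strings sort chronologically
    return in_net and user_ok and device_ok and time_ok

def decide(s: Session, rules=RULES) -> Tuple[str, str]:
    """First matching rule wins; a session no rule covers is denied by default."""
    for r in rules:
        if matches(s, r):
            return r.action, r.name
    return "deny", "default"

def flood_sources(sessions, threshold: int = 20):
    """Sources whose INVITE count in the sampled window exceeds the threshold."""
    counts = Counter(s.src_ip for s in sessions)
    return sorted(ip for ip, n in counts.items() if n > threshold)
```

A real appliance would evaluate these rules on every INVITE and feed flood verdicts back into the policy as a temporary deny for the offending source.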
Capacities by model:
IPCS 210 (enterprise): 200 users, 50 simultaneous sessions, 10 Mbps throughput, 2 links
IPCS 310 (enterprise): 1,000 users, 250 simultaneous sessions, 200 Mbps throughput, 2 links
IPCS 410 (enterprise): 10,000 users, 2,000 simultaneous sessions, 1 Gbps throughput, 4 links
IPCS 510 (enterprise) and IPCS 520 (carrier): 100,000 users, 10,000 simultaneous sessions, 2 Gbps throughput, 4 links
Further details on the Sipera Systems architecture and products can be found at www.sipera.com. Our next tutorial will continue our examination of vendors' SBC architectures.
Copyright Acknowledgement: © 2007 DigiNet Corporation ®, All Rights Reserved
Mark A. Miller, P.E., is President of DigiNet Corporation®, a Denver-based consulting engineering firm. He is the author of many books on networking technologies, including Voice over IP Technologies, and Internet Technologies Handbook, both published by John Wiley & Sons.