
Session Controllers Enable Secure Interconnection for End-to-End VoIP

Micaela Giuhat
03/01/2004

Tier 1 service providers need the utmost in security and performance to securely interconnect their VoIP networks with other carriers and offer high-quality service. Unfortunately, existing network equipment, such as media gateways, routers and softswitches, is not equipped to satisfy these demands. Fortunately, the latest advanced session controllers have been specifically designed to protect network boundaries, so carriers can provide cost-effective end-to-end VoIP with confidence. As the number of connections and the complexity of networks continue to grow, carrier-class session controllers have also strived to meet the security, scalability and operations needs of carriers. This makes it possible for carriers to deliver the same quality their customers are used to from the PSTN, but without accessing the PSTN, which inserts latency and cost.


Defining Carrier-Class Performance

Session controllers are quickly proving to be a critical network element. They are dedicated systems with the processing power to securely handle, evaluate, monitor and terminate thousands of simultaneous calls with no latency. Simply adding security features to existing network components, such as routers or media gateways, does not provide the high level of performance required to adequately evaluate and monitor signaling and media streams in VoIP networks in real time. In fact, carriers who might consider using media gateways for VoIP interconnection cannot interconnect with carriers using private address spaces because media gateways lack demarcation, address normalization functionality and the ability to scale cost-effectively -- three features necessary for Tier 1 deployments.

Because carrier-class session controllers are equipped with substantial processing power, they have moved beyond simple firewall traversal mechanisms to provide deep, packet-by-packet inspection, monitoring tools that protect against potential security threats, and the ability to act on those threats.

Carrier-class session controllers also generate critical network and usage data on the media and signaling information that can be imported by a carrier's billing system to capture origination and termination revenue.


Security

Of course, implementing carrier peering configurations could immediately raise critical security concerns. However, networks utilizing carrier-class session controllers are protected from security threats because the equipment proactively detects patterns and monitors every packet. In fact, the latest carrier-class session controllers have been engineered to detect denial of service attacks and rogue RTP streams, providing carriers with a source and level of protection that was not previously available.

In IP, voice is a complex communication form consisting of signaling packets as well as voice packets. Both offer opportunities to attack a network, so it is imperative that the session controllers authenticate, authorize, validate, evaluate, continuously monitor, and take action on all packets; no other equipment in the network can perform these functions, especially at high performance levels.

For example, the session controller detects if an incoming signaling message is a real invite or a mock invite. Or, if there are a large number of invites from an accepted source, it determines their validity. If they are not from an accepted source, there could be a problem with an end device or a denial of service attack in progress and the session controller must stop the call immediately. If the large number of invites is valid, the session controller restricts the number of simultaneous invites so as not to overload the softswitch. The session controller also examines the packets to see if they are correctly structured. If not, it denies the call. If it detects that the packets are out of sequence, it inspects them.
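The signaling checks described above, as an added sketch that is not code from the article or from any vendor. It assumes SIP as the signaling protocol; the peer list, the per-peer cap, the class and function names and all addresses are constructed for illustration.

```python
from collections import defaultdict
# Assumed policy values, constructed for illustration (not from the article).
ACCEPTED_PEERS = {"198.51.100.10"}      # peering carriers allowed to signal
MAX_PENDING = 2                          # per-peer cap shielding the softswitch
REQUIRED = ("via", "from", "to", "call-id", "cseq")

def make_invite(call_id):
    """Build a constructed sample INVITE (header section only)."""
    return ("INVITE sip:+15550100@carrier-b.example SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 198.51.100.10:5060;branch=z9hG4bK" + call_id + "\r\n"
            "From: <sip:+15550199@carrier-a.example>;tag=1\r\n"
            "To: <sip:+15550100@carrier-b.example>\r\n"
            "Call-ID: " + call_id + "\r\n"
            "CSeq: 1 INVITE\r\n\r\n")

def parse_invite(raw):
    """Return lower-cased headers if raw is a well-formed INVITE, else None."""
    lines = raw.split("\r\n")
    start = lines[0].split(" ")
    if len(start) != 3 or start[0] != "INVITE" or start[2] != "SIP/2.0":
        return None
    headers = {}
    for line in lines[1:]:
        if not line:
            break                        # blank line ends the headers
        name, sep, value = line.partition(":")
        if not sep:
            return None                  # header line without a colon
        headers[name.strip().lower()] = value.strip()
    if any(h not in headers for h in REQUIRED):
        return None
    return headers if headers["cseq"].endswith("INVITE") else None

class InviteAdmission:
    def __init__(self):
        self.pending = defaultdict(set)  # peer IP -> Call-IDs still in setup
    def admit(self, src_ip, raw):
        if src_ip not in ACCEPTED_PEERS:
            return "reject-unknown-source"
        headers = parse_invite(raw)
        if headers is None:
            return "reject-malformed"    # incorrectly structured: deny the call
        calls = self.pending[src_ip]
        if headers["call-id"] not in calls and len(calls) >= MAX_PENDING:
            return "throttle"            # valid, but too many at once
        calls.add(headers["call-id"])
        return "forward"
    def setup_done(self, src_ip, call_id):
        self.pending[src_ip].discard(call_id)   # answered or failed: free a slot
```

A retransmitted INVITE with a Call-ID already in setup is forwarded without consuming another slot, so the cap counts simultaneous call attempts rather than packets.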

Once the signaling stream is authorized, the session controller continues to monitor the packets to confirm that the voice is coming from an authorized source. If the source changes, the session controller must determine if this is an authorized change (a gateway failover recovery, for instance) or if someone is trying to attack the network using rogue RTP.
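One way to express the media-source check described above, as an added example that is not from the article or any product. The pre-authorized failover list, the extra SSRC consistency check, the one-way failover policy and all names and addresses are assumptions of this sketch.

```python
import struct

def rtp_packet(ssrc, seq):
    """Build a constructed RTP packet: 12-byte header plus dummy payload."""
    return struct.pack("!BBHII", 0x80, 0, seq, seq * 160, ssrc) + b"\x00" * 20

class MediaPin:
    """Pins one call's media to the source negotiated in signaling."""

    def __init__(self, negotiated, failover=()):
        self.active = negotiated          # (ip, port) learned from signaling
        self.failover = set(failover)     # assumed: standby gateways known ahead
        self.ssrc = None                  # learned from the first valid packet
        self.events = []                  # what an operator alarm would carry

    def check(self, src, packet):
        if len(packet) < 12 or packet[0] >> 6 != 2:
            return "drop-malformed"       # too short, or not RTP version 2
        ssrc = struct.unpack("!I", packet[8:12])[0]
        if src != self.active:
            if src not in self.failover:
                self.events.append(("rogue-rtp", src))
                return "drop-rogue"       # unauthorized source change
            # Authorized change: switch to the standby gateway. One-way policy:
            # the old source needs fresh signaling to become valid again.
            self.events.append(("failover", self.active, src))
            self.failover.discard(src)
            self.active, self.ssrc = src, None
        if self.ssrc is None:
            self.ssrc = ssrc
        elif ssrc != self.ssrc:
            # Same address but a different stream identifier (assumed check).
            self.events.append(("ssrc-change", src))
            return "drop-rogue"
        return "forward"
```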

The session controller is also responsible for protecting each network's privacy and topology when interconnecting with other carriers. It does this by hiding IP addresses and removing proprietary information from the headers and payload. It also translates and reinserts information when a call re-enters a network.


Reliability

VoIP service reliability is expected to be as high as the reliability offered by the PSTN, so no single point of failure can exist in the network. A second session controller must be on active standby or in a load-sharing configuration, ready to take over in the event of failure. (It does not have to be colocated with the primary controller.)

In VoIP, any switchover to redundant equipment must not be perceivable by the caller. With data IP, multi-second failover rates are acceptable. However, in voice they must be sub-second, or callers will think they have been disconnected. The ideal way to achieve sub-second rates with carrier-class session controllers is by using proprietary mechanisms supported by robust microprocessors. This same processing power allows these units to support up to 42,000 simultaneous two-way calls in a single box, thus enabling the ultimate in scalability for VoIP service.


Delivery

In the past, carriers had no mechanisms to collect and monitor VoIP services in real time, so they were unable to detect, work around or anticipate roadblocks to delivering reliable high-quality service. Equipped with significant monitoring and management systems that can link to existing back office systems, today's advanced session controllers offer capabilities comparable to the active network management available with TDM Class 5 switches. These are benefits that other network equipment cannot offer.

For instance, operators can easily provision new users and intuitively create a customer profile using a GUI. Well-designed session controllers make it easy to perform real-time troubleshooting, to collect statistics related to calls and global session controller functionality, to determine precisely which network is having a problem, to receive and evaluate alarm conditions, and to view real-time call handling and error detail information across the network. Typically, users can control these features and send such information to a central location for further monitoring or evaluation.

The improved security and performance features available in the latest carrier-class session controllers significantly reduce the complexity involved in end-to-end VoIP. As a result, carriers can confidently and securely deploy high-quality, reliable end-to-end VoIP services.


Micaela Giuhat is AVP of product management at Netrake Corp. She can be reached at micaela@netrake.com.

