SIP Security and Session Controllers - White Paper
Security between Networks
Securing the customer connection is not the only precaution that a Service Provider must take. Connections at VoIP peering points must also be secured. A recent Yankee Group report cited 'Network topology hiding' as one of the key drivers behind deploying Session Controllers. We refer to a Session Controller sited at a peering point as a Core Session Controller. A Core Session Controller performs several duties:
- It hides the real addresses of your customers from peer networks
- It hides the details of your internal network from peer networks
- It polices the connection to other Service Providers
- It can remark QoS settings between Service Providers
- It provides detailed call information
Protect your customers
A Core Session Controller acts as a proxy for all users in a network. The home network's DNS ensures that all off-network calls are routed to the Core Session Controller. It does this by giving the address of the Core Session Controller as the address of any remote Call Agent. The session controller creates new signalling and media addresses that are sent to the remote network. The called party in the remote network sees the session controller as the source of the call. All signalling and media will be returned via the Session Controller. In this way, the called party has no visibility of the user's real address.
Incoming calls are also routed via the home network's Core Session Controller. The remote network's DNS supplies the address of the Core Session Controller as the home network's Call Agent. Therefore, the Core Session Controller receives all calls coming into the home network. It presents its own addresses in the reply for both signalling and media.
This architecture prevents visibility of the user's real network address in the remote network. The Core Session Controller can prevent scanning and DoS attacks at the peering point. At Newport Networks, we believe that the carrier-class 1460 session controller is ideal for deployment in these demanding locations. Designed for high availability, it offers service providers a reliable method of securely interconnecting multimedia networks.

Figure 4 - Core Session Controller at a VoIP Network Peering Point
Protect your network
VoIP peering - In addition to hiding the address of the user, the Core Session Controller performs peering between networks and hides the internal network details. The Core Session Controller acts as an end-point for the two legs of the SIP call: one to the home network and one to the remote network. This means that details of routing in one leg are not passed to the other. There is a clean separation between the networks. Therefore, the only information visible in the remote network is that of its own network.
Police the border
A Core Session Border Controller provides peering for all inter-network multimedia traffic. The Newport Networks 1460 session border controller polices traffic flow-by-flow as it enters and leaves the network. Calls established using SIP carry an identifier of the media type. The 1460 measures the actual flow against expected flow for the requested media type. This can prevent service theft, i.e. requesting a low bandwidth connection and using high bandwidth media. If excessive data rates are seen, corrective action is taken. For example, it can dump excess traffic, it can generate an alarm or it can create punitive charging records.
The 1460 session controller can check and, if necessary, remark QoS bits. This can be done generically for each network, or specifically for each session. This prevents users from manipulating the quality settings of their call to get a better service than they are paying for. This also enables carriers to enforce IP-IP interconnect agreements to deliver 'end-to-end' SLAs.
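The flow-by-flow check described above, as an added illustration that is not Newport Networks' code: it reads the codec and packetisation time that the SIP call's SDP offer negotiated, derives the bandwidth a policer should expect for that media type, and compares it with the rate actually measured on the RTP flow. The codec table, header overhead, tolerance and the sample SDP and packet sizes are all constructed assumptions.

```python
import re

# Constructed table of payload bit rates (kbit/s) for common audio codecs;
# static payload types 0, 8 and 18 are assumed when no a=rtpmap names them.
CODEC_KBPS = {"PCMU": 64, "PCMA": 64, "G722": 64, "G729": 8}
STATIC_PT = {"0": "PCMU", "8": "PCMA", "18": "G729"}
HEADER_BYTES = 40  # assumed IPv4 (20) + UDP (8) + RTP (12) per packet

# Constructed SDP offer: the caller asks for G.729 (8 kbit/s) at 20 ms ptime.
SDP_OFFER = (
    "v=0\r\nm=audio 49170 RTP/AVP 18 0\r\n"
    "a=rtpmap:18 G729/8000\r\na=rtpmap:0 PCMU/8000\r\na=ptime:20\r\n"
)

def expected_kbps(sdp: str) -> float:
    """Bandwidth to expect for the first (preferred) codec in the audio
    m= line, including per-packet IP/UDP/RTP header overhead."""
    sdp = sdp.replace("\r", "")
    m = re.search(r"^m=audio \d+ RTP/AVP ([\d ]+)", sdp, re.M)
    if not m:
        raise ValueError("no audio m= line in SDP")
    first_pt = m.group(1).split()[0]
    rtpmap = dict(re.findall(r"^a=rtpmap:(\d+) ([^/]+)/", sdp, re.M))
    codec = rtpmap.get(first_pt, STATIC_PT.get(first_pt))
    if codec not in CODEC_KBPS:
        raise ValueError(f"unknown codec for payload type {first_pt}")
    pt = re.search(r"^a=ptime:(\d+)", sdp, re.M)
    ptime_ms = int(pt.group(1)) if pt else 20  # assume 20 ms if absent
    packets_per_second = 1000 / ptime_ms
    return CODEC_KBPS[codec] + HEADER_BYTES * 8 * packets_per_second / 1000

def measured_kbps(packet_sizes: list, window_s: float) -> float:
    """Rate actually seen on the flow: bytes of every packet (headers
    included) observed inside the measurement window."""
    return sum(packet_sizes) * 8 / window_s / 1000

def police(sdp: str, packet_sizes: list, window_s: float,
           tolerance: float = 0.10) -> dict:
    """Compare actual with expected; 'excess' is where the paper's
    corrective actions (dump excess, alarm, punitive charging) apply."""
    expected, actual = expected_kbps(sdp), measured_kbps(packet_sizes, window_s)
    verdict = "ok" if actual <= expected * (1 + tolerance) else "excess"
    return {"expected_kbps": expected, "measured_kbps": actual, "verdict": verdict}

if __name__ == "__main__":
    # 50 packets/s of 60 bytes is honest G.729; 200-byte packets are PCMU-sized.
    print(police(SDP_OFFER, [60] * 50, 1.0))   # verdict: ok
    print(police(SDP_OFFER, [200] * 50, 1.0))  # verdict: excess
```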
Conclusion
Session controllers enhance the security of multimedia networks both in the access network and in the core. In the access network, they hide a user's real address and provide a managed public address. This public address can be policed, minimising the opportunities for scanning and DoS attacks. Session controllers permit access to clients behind Firewalls whilst maintaining the Firewalls' effectiveness. In the core, session controllers protect both the users and the network. They hide network topology and the users' real addresses. They can also police bandwidth and QoS abuse.
The Newport Networks 1460 session controller is a carrier-class solution suitable for these applications. Built to provide 'five 9s' availability, it is designed for demanding deployments at both network peering points and in the access network. Service Providers who plan to roll out voice and multimedia services over IP must consider security as an integral part of the service. Deploying the right infrastructure lays the foundation stones upon which all successful future services will be built.