Security For Multi-Tier, Multi-Owner Converged Networks

Table of Contents
An Accelerating Trend Toward Outsourcing... 1
The Attendant Security Threat... 2
Security Concerns with Hybrid Networks... 2
Security for Cascading Network Architecture... 3
Action Items For Communications Vendors Seeking To Help Customers Operate Multi-Owner Networks... 4
Example Use Cases... 4
It Takes A Next-Generation SBC... 5
Learn More... 6

Session Border Controllers (SBCs) have long been thought of as devices only useful for securing SIP trunking into the enterprise. But the definition of "border" has become blurred, and SBCs have morphed over the past few years into de facto devices for securing all SIP communications, including SIP trunking and access by remote workers in and out of the enterprise. SBCs are now security devices to be deployed at the intersection or edge of each communication hub linking communications to the enterprise core network. The primary driver of this is the rise in the use of outsourcing, and the resultant multi-tier, multi-owner converged networks. Any communications vendor interested in helping its customers deploy mobile collaboration solutions in the age of these converged networks should be aware of this trend, and of the implications it has for network security.

An Accelerating Trend Toward Outsourcing

According to ResearchMOZ, outsourcing is on the rise. In a February 2013 report [1], the market research firm said:

A trend that began about a decade ago for telecommunications network operators has accelerated in recent years. This trend, to outsource infrastructure as well as certain operational support to third-party managed communications providers, is reaching its next stage in evolution. Historically, telecom operators have looked to service bureau providers for intermediation services, database services, and various OSS/BSS support.
The more recent trend has been to outsource infrastructure as a service in order to reduce Capital Expenditure (CapEx) and to use as negotiation leverage for improved pricing on next-generation networks such as IP Multimedia Subsystem (IMS) and LTE infrastructure such as Voice over LTE (VoLTE).

The demand for managed services is high across every industry vertical because it gives organizations flexibility and technical advantages. According to a study [2] published by MarketsandMarkets, enterprises having their services outsourced look forward to risk sharing and to reducing their IT costs and IT commitments, so that they are able to concentrate on their core competencies. The study, which includes managed data centers, networks, mobility, infrastructure, communications, security, and other areas, predicts a jump in the managed-services market from $142.75 billion this year to $256.05 billion in 2018. Organizations implementing managed services have reported a 50 to 60 percent increase in the operational efficiency of their outsourced processes. The implementation of managed services reduces IT costs by 30 to 40 percent in these enterprises.

[1] Telecom Managed Services Market 2013-2018, ResearchMOZ, 18 February 2013.
[2] Managed Services Market Global Advancements, Market Forecasts and Analysis, MarketsandMarkets, August 2013.

avaya.com 1
The Attendant Security Threat

Evolving telephony networks such as TDM, SS7, and IP are creating opportunities for service providers and outsourcing companies to offer different types of services such as MPLS, managed and private MPLS, WAN, and managed WAN. Third-party companies are enabling large, focused organizations to meet needs outside of their core competency. They act as integral parts of these organizations, but are providing the same services for multiple companies. Examples include outsourced customer service, infrastructure services such as cloud, and outsourced IT.

Rather than providing risk sharing, as the large organizations at the center of these converged networks had hoped, the increased use of hosted networks has led to the threat of insider attacks by outsiders, that is, by malicious players in the outsourced service organizations.

Security Concerns with Hybrid Networks

Moving to a hosted, or cloud-based, network solution can offer advantages in terms of operating expenses and management, but the extension of the private, protected domain by integrating off-site, outside-controlled architectures can also lead to significant security concerns. Businesses that are considering hosted architectures as a method to extend their private network applications are actually opening up their private network domains to security issues. Not only is the integration of networking capabilities between two different organizations complicated technically; it is also hard to accomplish securely, especially from a communications perspective. Each network connection needs protection from entities on the other network, and yet communication has to flow freely.
The first step in preventing this kind of occurrence is to secure each domain in such a way that workers can only access the communications network through a private connection, and to make sure that third-party workers on the WAN or MPLS don't have access. Within networks, there are multiple zones requiring multiple layers of access, thus the need for more levels of security. Financial institutions and call centers are good examples of enterprises requiring additional layers of security within their private networks. And the distinction may not be geographic: within each remote center it may be necessary to offer secure, protected access domains depending on the user profiles and work applications required.

With more remote participants and even added network structures included in the enterprise communications hierarchy, it becomes easy to understand the value of adding a Session Border Controller, not only to protect the network from external interference but also to maintain protection from threats that might originate from extensions of the primary network domain itself.
Security for Cascading Network Architecture

SBCs can play a key role in meeting this converged network challenge. Instead of having one SBC where the network connects to the trunk, enterprise networks now need SBCs at both ends of every connection to a zone. Mobile collaboration is a focus of many organizations today and is a key part of their BYOD strategies. As enterprises evolve and adopt a more mobile collaboration strategy, maintaining network security is again of paramount interest. Avaya offers products to help enable that strategy and support the enterprise need for better security regardless of the overall network architecture.

Figure 1: A representative large enterprise, multi-site network incorporating remote workers

Figure 1 depicts a managed multiprotocol label-switching (MPLS) network in which third parties can connect to a campus that is linked by a private WAN with multiple networked buildings. Higher education and healthcare networks are often configured this way. Within this core telecommunications network, each intersect point highlights the need for security to protect the remote-office workers from others on the MPLS or WAN. Without a security device, one person on a network such as this might be able to snoop on another person on the same network or the WAN. Each location needs to be protected from each of the other locations:

Core from campus
Core from remote
Remote from campus
Remote from core
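The zone isolation described above, as an added example that is not Avaya's or the page's own code: a Python model of the admission decision an SBC makes at each zone boundary in a cascaded (back-to-back) topology. It accepts a hop only from the registered SBC of the neighbouring zone, only over TLS with SRTP media, and refuses a remote-to-campus path that does not cascade through the core. The zone names, SBC hostnames and trust graph are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed topology modelled on the page's zones: core, campus, remote.
# Adjacent zones are joined by an SBC at each end; remote and campus have no
# direct link, so remote<->campus traffic must cascade through core.
SBC_OF = {"core": "sbc-core.example", "campus": "sbc-campus.example",
          "remote": "sbc-remote.example"}
ADJACENT = {frozenset({"core", "campus"}), frozenset({"core", "remote"})}


@dataclass(frozen=True)
class Hop:
    src: str        # zone the INVITE arrives from
    dst: str        # zone it is heading into
    peer_sbc: str   # SBC that forwarded it (must be src zone's registered SBC)
    transport: str  # SIP signalling transport
    media: str      # negotiated media profile


def check_hop(h: Hop) -> tuple[bool, str]:
    """Admission decision an SBC makes for one zone boundary."""
    if h.src not in SBC_OF or h.dst not in SBC_OF:
        return False, "unknown zone"
    if frozenset({h.src, h.dst}) not in ADJACENT:
        return False, f"no SBC link between {h.src} and {h.dst}"
    if h.peer_sbc != SBC_OF[h.src]:
        return False, "peer is not the registered SBC for " + h.src
    if h.transport != "TLS":
        return False, "signalling must be TLS"
    if h.media != "SRTP":
        return False, "media must be SRTP"
    return True, "ok"


def check_path(hops: list[Hop]) -> tuple[bool, str]:
    """A cascaded (B2B / B2B2B) session is admitted only if every hop is."""
    for i, h in enumerate(hops):
        if i and hops[i - 1].dst != h.src:
            return False, f"hop {i} does not continue from {hops[i - 1].dst}"
        ok, why = check_hop(h)
        if not ok:
            return False, f"hop {i} ({h.src}->{h.dst}): {why}"
    return True, "ok"


if __name__ == "__main__":
    good = [Hop("remote", "core", "sbc-remote.example", "TLS", "SRTP"),
            Hop("core", "campus", "sbc-core.example", "TLS", "SRTP")]
    direct = [Hop("remote", "campus", "sbc-remote.example", "TLS", "SRTP")]
    for path in (good, direct):
        print(check_path(path))
```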
Communications need to be secure and confidential, using TLS for signaling and SRTP for voice and video. There should be redundancy and failover at each intersecting point of the networks. And the SBCs need to be aware of the other SBCs (security zones) and devices so that only those locations and devices are permitted to communicate with the core network. The SBCs can be implemented to allow redundancy at each security zone, registration point, and communication hub.

Action Items For Communications Vendors Seeking To Help Customers Operate Multi-Owner Networks

Any communications vendor seeking to help its customers deploy mobile communications and operate multi-owner converged networks needs to prepare itself to address these issues. The following list of action items can serve as a checklist for providing secure network connectivity:

Understand the customer's network and pain points.
Know about their specific privacy concerns, such as HIPAA, FERPA, and so forth.
Find out whether communications from remote offices can be expected to contain sensitive information.
Determine whether information at any of the locations should not be shared with one or more of the others.
Know the level of trust between locations: Partner agreements? Contracts? Legal-disclosure agreements?

Collecting this information will help mobile communications providers develop an architecture that can maintain efficient communication with adequate security. A deep understanding of the security posture on the customer's network is helpful, but keep in mind that attempting to approach the problem by bolstering that infrastructure can complicate the issue and make it harder to manage. The goal is to achieve a layer of network security that encompasses all users while simplifying the effort on any user's part.

Example Use Cases

The extension of the network beyond the traditional private domains is affecting many industries and many IT professionals.
For example:

Healthcare: A centralized medical location wants its network domain to connect multiple outside medical offices, branch diagnostic centers, and consulting physicians.

Call Center: A business needs to incorporate work-at-home or remote call center facilities, some at international sites, yet all supported within a common network fabric to assure reliable collection of business analytics and premium customer responsiveness.
Outsourced manufacturing: A primary manufacturer needs to provide off-site material information, pricing information, and detailed plans to multiple sub-contractors. A single network configuration will improve time-to-market but can also lead to significant security lapses in network design.

It Takes A Next-Generation SBC

The SBC is no longer just an external enterprise border. With the addition of outside providers extending services beyond the normal controlled enterprise boundaries, session border control can now be considered a necessary security layer even within what was previously called the private enterprise network. And with this increased urgency around edge security, selecting SBCs becomes a more important task.

Figure 2: Avaya SBCE 6.2 deployed to provide both session border control and internal network SIP VoIP security

The diagram in Figure 2 shows two typical implementations for extended protection of a call center. The first (1) demonstrates connectivity to a remote agent. In this situation, the enterprise can install a back-to-back solution. The core network environment is protected as remote workers connect to the core via a separate Avaya Session Border Controller for Enterprise (SBCE). The Avaya SBCE maintains security and NAT bindings as well as end-to-end encryption in this back-to-back (B2B) scenario. The second situation (2) depicts the addition of a remote agent work group where a third Avaya SBCE is added at the remote site's edge, creating a back-to-back-to-back (B2B2B) scenario. This allows the work group to be treated as Remote, isolated from both the main network and the core, and supports encryption of signaling and media from the clients to the Avaya Session Border Controller for Enterprise, and then to the core if desired.
Avaya Aura platform users with complex networks can now deploy the Avaya Session Border Controller for Enterprise to secure communications and protect multi-tiered networks that incorporate remote workgroups, cloud providers, and outsourced service groups. The Avaya SBCE design protects against eavesdropping, unauthorized access to sensitive data, and DoS and DDoS attacks that may be launched from within the network. The Avaya SBCE can be utilized in a back-to-back device configuration (as in Figure 2) for extending security to external domains, or for a cascaded network architecture. And for additional protection, multiple Avaya SBCEs can be deployed for survivability in high-availability system layouts.

Avaya SBCE 6.2 is a SIP-based unified communications (UC) security appliance. It can support security requirements at the edge for session border control and can also solve internal network SIP VoIP security needs. The Avaya SBCE is designed to provide extra protection, permitting outsourced entities access to services delivered via an Avaya Aura UC applications infrastructure. The Avaya Session Border Controller for Enterprise is designed to offer enhanced remote worker security, and to support secure network-to-network integration while maintaining end-to-end visibility of the network and complete quality of service monitoring.

Learn More

For more information about how Avaya SBCEs can enhance the security of the solutions you provide to your customers, please contact your Avaya Account Manager or Authorized Partner, or visit us at www.avaya.com.

About Avaya

Avaya is a global provider of business collaboration and communications solutions, providing unified communications, contact centers, networking and related services to companies of all sizes around the world. For more information please visit www.avaya.com.

2014 Avaya Inc. All Rights Reserved. All trademarks identified by ®, ™, or SM are registered marks, trademarks, and service marks, respectively, of Avaya Inc.
02/13 UC7446