Safeguard Converging Networks with a Purpose-Built Multiservice Security Gateway
Current Scenario: The drive to provide rich, multimedia service offerings and simplify networks compels service providers to combine fixed and mobile networks to create a converged IP infrastructure. Fixed-Mobile Convergence (FMC) enables operators to provide services to users regardless of their access technology – but opens the provider infrastructure to the full gamut of Internet security attacks. Customers will not adopt these new converged services if security vulnerabilities threaten service availability, privacy, data integrity or quality. To safeguard these next-generation services, operators need a next-generation solution that can concurrently deploy every major security function without compromising carrier-class performance, scalability and quality of service.
Tomorrow's Technology Today: To protect promising new carrier FMC revenue streams, Reef Point, in 2006, introduced the IMS Security Gateway -- a new class of security solution that:
- Adheres to the 3GPP IMS (IP Multimedia Subsystem) standard for carrier-class network architectures
- Provides all major security functions
- Concurrently runs all major security functions on every packet entering the carrier network while ensuring predictable performance and QoS even as users are added.
This new class of system is based on a revolutionary transparent packet processing architecture and custom-built processors to ensure comprehensive security function processing without sacrificing performance, scalability or QoS.
Security products designed for enterprise networks offer limited scalability. Originally designed to terminate hundreds—maybe thousands—of users into an enterprise for remote access, these products cannot scale to terminate the hundreds of thousands of connections required to serve the UMA and IMS markets. They also do not have the carrier-class operations support required to effectively integrate into the mobile provider’s existing back-end Operational Support System (OSS). Nor can they meet the reliability requirements for carrier-class deployments.
Routers that have been re-engineered to incorporate single-purpose security-specific blades scale poorly when tasked with the multiservice security and scalability requirements of wireless and converged infrastructures. Although these routers may be able to increase scalability by adding multiple security blades, they quickly become operationally complicated and lose effectiveness. This solution architecture actually compromises redundancy and scale requirements. It jeopardizes operational efficiency by requiring that the system operate at less than full capacity to allow for the failure of one or more individual security blades. Blade-based solutions are much more complex to operate—particularly when operators are trying to determine which blade terminates a particular end user connection and to maintain an effective distribution of user terminations when load-balancing traffic.
Some have proposed using session border controllers to secure UMA and IMS deployments. Since session border controllers were originally designed to function as Session Initiation Protocol (SIP) proxy devices—not as purpose-built, highly scalable security solutions—the architecture needed for secure termination was not part of their original product design. Because session border controllers were not purpose-built to provide security, instead focusing on call processing and proxy services as a means to solving the Firewall/NAT complications introduced by SIP, they can offer only limited performance and scalability when confronted with multiservice security requirements. Their manufacturers also often lack the intense focus on security that a security vendor would maintain—and that is required for safeguarding converged networks. Finally, session border controllers have limited virtual routing support, generally limited to static routing within each virtual router in the platform. This translates into requirements for an additional edge router to be deployed with the session border controller for the VPN market, adding cost and complexity to the solution.
Reef Point’s Security Gateway moves security to the edge of the IMS network and separates the media and signaling plane security functionality, dramatically increasing the performance and scale of the solution and enabling mass market deployments of IMS. The Gateway protects both the IMS subscriber's link into the IMS network as well as the IMS core elements, including the Call and Session Control Function (CSCF) Servers, Application Servers and the Home Subscriber Server. The gateway combines a comprehensive set of security services into a single solution that includes secure termination, authentication, data confidentiality, VOIP and media flow security, Denial of Service (DOS) attack protection, Network Address Translation (NAT) traversal, and Quality of Service (QOS). Deployed as such, the Gateway provides end-to-end security, encompassing the user device, access network, core network and applications.
The Reef Point IMS Security Gateway features include:
- Massive Scalability - The solution supports up to 150,000 simultaneous registered users, with support for up to 1 million simultaneous media flow connections (sessions), significantly reducing capital and operating costs when compared to other approaches such as session border controllers that support only one tenth the capacity.
- Comprehensive Multiservice Security - The solution is the only IMS security device that provides robust threat defense including IPsec VPNs, stateful firewalls, denial of service attack prevention, intrusion detection, custom firewall filtering, dynamic virtual routing with NAT Traversal, session limiting and bandwidth theft prevention.
- Rich SIP Security Features - By separating security for the control and media flows in an IMS network, the solution provides the industry's highest performance and scalability for IMS networks available today. Reef Point supports multiple authentication and encryption methods for securing SIP sessions, a carrier-scale SIP Application Layer Gateway for high-performance, transparent SIP firewall, rich SIP denial of service protection, per-flow traffic mirroring to ensure compliance with lawful intercept, and per-flow QoS to ensure prioritization of real-time media and prevention against toll fraud.
- Purpose-built, Carrier-class Design - The solution’s unique Transparent Architecture, based on custom processors, enables concurrent application of every major security function to every packet that enters and traverses the network without compromising performance or QoS. This is achieved by assigning a fixed processing budget to every major security function so network performance and QoS are maintained even at high user and session scalability. No other solutions have this capability.
Conclusion: The security gateway enables service providers to safeguard both subscriber connections and the mobile packet core against service-disrupting attacks to ensure the availability and security of new multimedia services while increasing customer loyalty.
- Increase availability
- Provide extensible authentication across multiple access technologies
- Reduce effect of global security threats
- Expedite service adoption rates
Reef Point Corporate Headquarters 8 New England Executive Park Burlington, MA 01803 USA Tel: 1-781-505-8300 Fax: 1-781-505-8316
Copyright © 2006 Silicon Valley Communications - All rights reserved.