SIP components

| Component | Role |
|---|---|
| UAC (user agent client) | Caller application that initiates and sends SIP requests. |
| UAS (user agent server) | Receives and responds to SIP requests on behalf of clients; accepts, redirects or refuses calls. |
| SIP terminal | Supports real-time, two-way communication with another SIP entity. Supports both signalling and media, similar to an H.323 terminal. Contains UAC. |
| Proxy server | Contacts one or more clients or next-hop servers and passes the call requests further. Contains UAC and UAS. |
| Location server | Provides information about a caller's possible locations to redirect and proxy servers. May be co-located with a SIP server. |
| Redirect server | Accepts SIP requests, maps the address into zero or more new addresses and returns those addresses to the client. Does not initiate SIP requests or accept calls. |
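As an added example (not from the original slides), the following Python models the redirect server row of the table: it maps the Request-URI to zero or more new addresses and hands them back to the client in a 302 response (404 when there are none), echoing the headers the client needs to match the response to its transaction, and never forwarding the call itself. The address book, the sample INVITE and the `;tag=redir1` value are constructed sample data.

```python
CRLF = "\r\n"

# Constructed address book for the redirect server: Request-URI -> new addresses.
REDIRECT_MAP = {
    "sip:alice@example.com": ["sip:alice@pc1.example.com", "sip:alice@mobile.example.com"],
    "sip:bob@example.com": [],  # known user, currently no location at all
}

# Constructed sample INVITE as a user agent client would send it.
SAMPLE_INVITE = CRLF.join([
    "INVITE sip:alice@example.com SIP/2.0",
    "Via: SIP/2.0/UDP client.example.org;branch=z9hG4bK776",
    "From: <sip:carol@example.org>;tag=1928",
    "To: <sip:alice@example.com>",
    "Call-ID: a84b4c76e66710",
    "CSeq: 1 INVITE",
    "Content-Length: 0", "", ""])

def parse_request(raw):
    """Split a SIP request into (method, request_uri, {header name: [values]})."""
    lines = raw.split(CRLF + CRLF, 1)[0].split(CRLF)
    method, request_uri, version = lines[0].split(" ", 2)
    if version != "SIP/2.0":
        raise ValueError("not a SIP/2.0 request")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, request_uri, headers

def redirect(raw_request):
    """Answer as a redirect server: 302 listing Contact addresses, or 404 if none.
    Via, From, To, Call-ID and CSeq are echoed so the client can match the
    response to its pending transaction; the INVITE is never forwarded."""
    _method, uri, headers = parse_request(raw_request)
    targets = REDIRECT_MAP.get(uri, [])
    out = ["SIP/2.0 " + ("302 Moved Temporarily" if targets else "404 Not Found")]
    out += ["Via: " + v for v in headers.get("via", [])]
    out.append("From: " + headers["from"][0])
    out.append("To: " + headers["to"][0] + ";tag=redir1")  # constructed tag value
    out.append("Call-ID: " + headers["call-id"][0])
    out.append("CSeq: " + headers["cseq"][0])
    out += ["Contact: <" + t + ">" for t in targets]  # zero or more new addresses
    out.append("Content-Length: 0")
    return CRLF.join(out) + CRLF + CRLF

def status_and_contacts(response):
    """Client-side view of a response: (status code, list of Contact URIs)."""
    lines = response.split(CRLF)
    contacts = [l[len("Contact: <"):-1] for l in lines if l.startswith("Contact: <")]
    return int(lines[0].split(" ")[1]), contacts
```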
Comparison of H.323 and SIP

| Item | H.323 | SIP |
|---|---|---|
| Designed by | ITU | IETF |
| Compatibility with PSTN | Yes | Largely |
| Compatibility with Internet | No | Yes |
| Architecture | Monolithic | Modular |
| Completeness | Full protocol stack | SIP just handles set-up |
| Parameter negotiation | Yes | Yes |
| Call signaling | Q.931 over TCP | SIP over TCP or UDP |
| Message format | Binary | ASCII |
| Media transport | RTP/RTCP | RTP/RTCP |
| Status | Widely deployed | Up and coming |
| Implementation | Large and complex | Moderate |
| Size of standards | 1400 pages | 250 pages |
| Encryption | Yes | Yes |
| Instant messaging | No | Yes |
| Call termination | Explicit or TCP release | Explicit or timeout |
| Addressing | Host or tel number | URL |
| Multimedia conferences | Yes | No |
| Multiparty calls | Yes | Yes |
“The challenge of VoIP security is not new. History has shown that advances and trends in information technology typically outpace the corresponding realistic security requirements. Such requirements are often tackled only after these technologies have been widely adopted and deployed.” – Cable Datacom News
An Internet VPN is configured on the customer's own equipment, e.g. a router. A tunnel is created between two customer sites, normally using IPsec (IP Security) on the customer router, and the traffic is routed over the Internet. It is a very low-cost way of establishing a VPN between two locations. However, there is no commitment with regard to the speed of delivery of the data, and at times when the Internet is busy it may not be possible to establish a connection at all, or to transmit data at any reasonable speed. Many corporate customers will not use this type of VPN, as it can be routed over many different service providers' networks and is subject to the same security risks as any other traffic on the public Internet.
Sole traders and companies that only need to exchange email and perhaps a small amount of data are the major users of Internet VPNs. If a customer is comparing the price of an Internet VPN with that of an IPVPN, it is important not to focus too much on the price of the IPVPN, as two totally different services are being compared.
GRE (Generic Routing Encapsulation) is another method of creating a tunnel, which can then form a VPN between two sites. The most common use of GRE tunnels is to transport legacy protocols (i.e. protocols other than IP) across MPLS networks. For example, a customer with a fully meshed IPVPN over an MPLS core network could connect two sites using a GRE tunnel and send SNA traffic (i.e. non-IP traffic) between the two sites without having to convert the SNA to IP before it entered the IPVPN.
GRE can also be used as an unsecured Internet VPN for non-sensitive traffic.
IPsec (IP Security) based VPNs use authentication mechanisms to ensure that only valid clients can connect across the tunnel. In addition, different encryption algorithms can be applied to IPsec tunnels to ensure that the data passing through the VPN is not compromised. An IPsec VPN is a point-to-point tunnel that can also be established between two sites that are connected into a multi-site IPVPN over MPLS. This would be used, for example, to connect two bank computer sites where the security of data transfer between the mainframes is vital: the two sites would send email over the normal fully meshed MPLS IPVPN and use the IPsec tunnel only for the special data between the two computers.
IPsec key features: authentication, data concealment (encryption), mobility, global open-standards basis, manageability.
[Figure: IPsec VPN example. Headquarters with a VPN gateway, a CA, directory services and a management zone, and the corporate infrastructure (mail, data, internal web site, Ethernet); a branch office behind a second VPN gateway; a business partner, a mobile user and a remote user, all connected over the Internet.]
[Figure: The big picture: convergence of Internet and digital telecom networks. An IP backbone network links a mobile network (operator sphere) with mobile terminals, PCs and TV sets to a community server, a service provider server (e.g. GIS), a CA server and an e-commerce server.]
When the wireless terminals in the above big picture are capable of supporting seamless communication, authentication and authorisation of users, various kinds of content (including text, voice and video streams, geocoded content, etc.) and practically any conceivable application or service, one can begin to talk about a Personal Trusted Device (PTD).
A device from which M-commerce transactions can be launched, on which credit card information is stored and through which access to corporate resources is allowed: all of this is possible through PTDs now.
Evidently, if there is no risk of losing the device and its data, then it makes sense to keep as much data as possible, including critical data, on the device.
However, if the risk of losing the device to a thief, or of losing the data because of a device crash or some other technical problem, is high, it is advisable to minimise the amount of critical data kept on the device.
Self-destruction of the data if a misuse attempt is detected by the device
Privacy-related data, and algorithms that monitor which combinations of data handed out from the device while using various external services could lead to privacy violations or threats
Refraining from accessing networked services
Providing full security for communications over the air interface (end-to-end message encryption, end-to-end authentication, authorisation)
Technical support for the countermeasures at the PTD
Reliable access control and authorisation
This is a prerequisite for any security and privacy scheme: if a malicious person gains access to the data on the device simply by getting hold of it physically, not much can be done any more. Physical security of the PTD is thus a key ingredient in the security field.
The second security sphere is proper authentication (PIN, biometric authentication, etc.).
The third sphere is proper authorisation of access to the data stored on the device.
The fourth sphere is protecting the device against malicious programs that are run on it.
The idea here is to store only one half-granule of a particular piece of data at the PTD and the other half-granule at a network component or another device, so that both granules are useless alone, i.e. cannot be used unless first combined; thus grabbing the device, or the other half-granule at the network, would not yet grant access to the other half-granule.
The problem with the scheme is that if there is no network connection, the legitimate user cannot use the data either, because the half-granules cannot be recombined.
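As an added example (not from the original slides), the following Python realises the half-granule idea of the two paragraphs above with XOR secret splitting, which is one assumed way to implement it: the device keeps a random mask, the network component keeps the data XOR mask, and an HMAC keyed by the mask lets the device reject a wrong or tampered network half. The missing-network case is handled by failing closed, which is exactly the drawback the text describes. The card string in the comments and test is constructed sample data.

```python
import hashlib
import hmac
import os

def split_granule(data: bytes):
    """Split data into (device_share, network_bundle) using XOR secret splitting.

    The device keeps only a random mask; the network component keeps
    data XOR mask together with an HMAC over it keyed by the mask. Either
    half alone reveals nothing about the data to whoever holds it, and the
    HMAC lets the device detect a wrong or tampered network half before
    trusting the recombined result.
    """
    mask = os.urandom(len(data))
    share = bytes(d ^ m for d, m in zip(data, mask))
    tag = hmac.new(mask, share, hashlib.sha256).digest()
    return mask, {"share": share, "tag": tag}

def combine_granules(mask: bytes, network_bundle):
    """Recombine the halves on the device; fails closed if the network half is
    missing (no connection, the scheme's drawback) or fails its integrity check."""
    if network_bundle is None:
        raise ConnectionError("network half-granule unavailable; cannot recombine")
    share, tag = network_bundle["share"], network_bundle["tag"]
    expected = hmac.new(mask, share, hashlib.sha256).digest()
    if len(share) != len(mask) or not hmac.compare_digest(tag, expected):
        raise ValueError("network half-granule failed integrity check")
    return bytes(a ^ b for a, b in zip(mask, share))
```

Because the mask never leaves the device and the share never reaches it until needed, a thief with the device alone holds only random bytes, while a network-side attacker cannot recover the data or forge a valid share without the mask.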