An emerging trend among Unified Communications vendors these days is support for federation between UC systems in different organizations. Perhaps the first to market was Microsoft OCS Federation which allows two enterprises with Office Communications Servers to share presence, instant messaging, voice, and video. Google Wave launched last June with support for Wave Federation Protocol which allows wavelets in a wave to be hosted across different organizations. In November, Cisco launched their Intercompany Media Exchange product which uses a protocol called VIPR (Verification Involving PSTN Reachability) for opportunistic federation between participating organizations. Avaya, Cisco/Jabber, Reuters Messaging, Google, and others also support XMPP federation which enables presence and instant messaging to be directly shared between organizations.
What VoIP/ UC Security issues come into play with UC Federation schemes like these? For starters, trust needs to be established between federation partners – this is typically done via digital certificates. But from there we have many policy and identity questions to address, such as:
- Who in my federation partner organization gets to know about my CEO’s presence and availability?
- What thresholds can be set to prevent a federation from becoming the conduit for a Denial of Service attack?
- How does a given E.164 (telephone) number get mapped to the right user@domain handle?
- Is there any way for a federation partner to use my VoIP system for their toll calls (toll fraud)?
During the next few weeks, I’m going to be exploring some of these UC Federation security questions here on the VOIPSA blog along with others raised by you, our loyal readers. Has your organization implemented any UC federation yet? What are the security issues around federation that concern you the most?
Hi Andy,
Please checkout NextPlane (www.nextplane.net) we have solved the federation issues between dissimilar UCs that you pointed out on your recent blog.
NextPlane’s Federation Server and Federation cloud services are being used by global 1000 companies.
Please let me know if you need to see it in action.
Regards,
–Farzin
farzin@nextplane.net
IBM Lotus Sametime has been connecting to public and other IM networks for quite sometime via the Sametime Gateway (now part of the Sametime Standard package). One of Sametime technical team gave me the following additional information I wanted to share:
For connecting to AOL and Yahoo, Lotus Sametime uses the SIP secure protocol to make secure client and server connections using client/server certificates purchased from one of the support CA’s –> http://publib.boulder.ibm.com/infocenter/sametime/v8r5/index.jsp?topic=/com.ibm.help.sametime.v85.doc/config/config_gw_ssl_supported_ca.html
For XMPP-based networks, it requires creating a public DNS record to verify trust, with a level of dial back authentication that assures the host/IP connection info matches what the public DNS server has stored in its database.
Happy to connect you with additional experts if that would help your follow-on postings.
Farzin: I’m aware of NextPlane and would be happy to interview you for UCfederate.info to discuss the NextPlane product and solutions in more detail. While the NextPlane product does help customers address a subset of the UC federation problem, it’s a stretch to suggest you’ve solved the UC federation problem in general, partly because it’s like saying someone’s solved “cloud computing” (i.e. the terminology for both “unified communications” and “federation” isn’t universally well-defined) and partly because the universe of communications and collaboration apps is much bigger than what can be covered with XMPP or SIP.
Jacques: Yes, XMPP federation is fairly well defined at this point. I touch on this a bit more in my latest VOIPSA blog post, but thanks for sharing the Sametime links – I’m sure this will be useful for some of our readers. If you think one or more of your expert contacts would be interested in doing an interview for UCfederate.info, drop me a note directly. Thanks!
Pingback: EnThinnai Blog » Blog Archive » Presence: Better You Pull, For I ain’t Pushing it