UC Federation and VoIP/UC Security

An emerging trend among Unified Communications vendors these days is support for federation between UC systems in different organizations. Perhaps the first to market was Microsoft OCS Federation, which allows two enterprises with Office Communications Servers to share presence, instant messaging, voice, and video. Google Wave launched last June with support for the Wave Federation Protocol, which allows wavelets in a wave to be hosted across different organizations. In November, Cisco launched its Intercompany Media Exchange product, which uses a protocol called VIPR (Verification Involving PSTN Reachability) for opportunistic federation between participating organizations. Avaya, Cisco/Jabber, Reuters Messaging, Google, and others also support XMPP federation, which enables presence and instant messaging to be shared directly between organizations.

What VoIP/UC security issues come into play with UC federation schemes like these? For starters, trust needs to be established between federation partners – this is typically done via digital certificates. But from there we have many policy and identity questions to address, such as:

  • Who in my federation partner organization gets to know about my CEO’s presence and availability?
  • What thresholds can be set to prevent a federation from becoming the conduit for a Denial of Service attack?
  • How does a given E.164 (telephone) number get mapped to the right user@domain handle?
  • Is there any way for a federation partner to use my VoIP system for their toll calls (toll fraud)?

During the next few weeks, I’m going to be exploring some of these UC Federation security questions here on the VOIPSA blog along with others raised by you, our loyal readers. Has your organization implemented any UC federation yet? What are the security issues around federation that concern you the most?


About Andy Zmolek

Andy has been involved with product development and network security for over a decade, and is a co-author and technical editor for the book, “Practical VoIP Security,” published in April 2006 by Syngress. Andy was most recently a senior manager in Avaya’s Unified Communications Division, driving security and identity planning and strategy across the Avaya product line, focusing primarily on applications and next-generation platforms. Previously at Avaya, he led teams within Information Technology, Services, and Strategy & Technology Business Units. Andy was an early advocate for Avaya initiatives in Security, SIP, Presence, and VoiceXML; he has two patents granted and at least nine others pending from his work in Unified Communications.

Prior to joining Avaya, Andy directed network architecture and operations at New Era of Networks (now Sybase), a pioneer of enterprise application integration (EAI) technology. Andy got his start in the industry building real-time simulation networks for missile and satellite programs at Raytheon, most notably Sidewinder and Tomahawk. Andy holds a degree in Mathematics from Brigham Young University and lives in Highlands Ranch, Colorado.

4 thoughts on “UC Federation and VoIP/UC Security”

  1. Farzin Shahidi

    Hi Andy,

    Please check out NextPlane (www.nextplane.net); we have solved the federation issues between dissimilar UCs that you pointed out on your recent blog.

    NextPlane’s Federation Server and Federation cloud services are being used by global 1000 companies.

    Please let me know if you need to see it in action.

    Regards,

    –Farzin
    farzin@nextplane.net

  2. Jacques Pavlenyi

    IBM Lotus Sametime has been connecting to public and other IM networks for quite some time via the Sametime Gateway (now part of the Sametime Standard package). One of the Sametime technical team gave me the following additional information I wanted to share:

    For connecting to AOL and Yahoo, Lotus Sametime uses the SIP secure protocol to make secure client and server connections using client/server certificates purchased from one of the supported CAs: http://publib.boulder.ibm.com/infocenter/sametime/v8r5/index.jsp?topic=/com.ibm.help.sametime.v85.doc/config/config_gw_ssl_supported_ca.html

    For XMPP-based networks, it requires creating a public DNS record to verify trust, with a level of dialback authentication that assures the host/IP connection info matches what the public DNS server has stored in its database.

    Happy to connect you with additional experts if that would help your follow-on postings.

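The DNS-plus-dialback check described in the comment above, sketched as an added example that is not part of the original post or of any vendor's code. It assumes the comment refers to XMPP Server Dialback (XEP-0220) with keys generated as recommended in XEP-0185; the `DNS` table, host names, secrets and stream ID are constructed, and the network dial-back is simulated by a dictionary lookup.

```python
import hashlib
import hmac

# Constructed stand-in for public DNS: domain -> host of its authoritative XMPP server.
DNS = {"example.org": "xmpp1.example.org", "partner.example": "im.partner.example"}
HOSTS = {}  # host name -> Server reachable at that host (simulated network)


class Server:
    def __init__(self, host, domain, secret):
        self.host, self.domain = host, domain
        # XEP-0185: the HMAC key is the SHA-256 hash of a server-private secret.
        self._key = hashlib.sha256(secret).digest()

    def dialback_key(self, receiving, originating, stream_id):
        # The key binds both domains and the stream ID to the server's secret.
        msg = f"{receiving} {originating} {stream_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def verify(self, receiving, originating, stream_id, key):
        # Authoritative server recomputes the key; no per-stream state is needed.
        expected = self.dialback_key(receiving, originating, stream_id)
        return hmac.compare_digest(expected, key)


def accept_inbound(receiving_domain, claimed_domain, stream_id, key):
    """Receiving side: resolve the claimed domain in DNS, dial back to that
    host, and accept the stream only if it confirms the presented key."""
    authoritative = HOSTS.get(DNS.get(claimed_domain))
    if authoritative is None:
        return False  # no DNS record, or nothing answering at that host
    return authoritative.verify(receiving_domain, claimed_domain, stream_id, key)


def demo():
    legit = Server("xmpp1.example.org", "example.org", b"constructed-secret-A")
    rogue = Server("rogue.invalid", "example.org", b"constructed-secret-B")
    HOSTS[legit.host] = legit  # only the DNS-listed host is dialed back
    sid = "stream-0001"  # constructed stream ID
    good = legit.dialback_key("partner.example", "example.org", sid)
    forged = rogue.dialback_key("partner.example", "example.org", sid)
    return (accept_inbound("partner.example", "example.org", sid, good),
            accept_inbound("partner.example", "example.org", sid, forged),
            accept_inbound("partner.example", "unlisted.example", sid, good))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The check is only as trustworthy as the DNS answer the receiving server gets, which is why dialback is regarded as weak identity verification compared with certificate-based trust between federation partners.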
  3. Andy Zmolek Post author

    Farzin: I’m aware of NextPlane and would be happy to interview you for UCfederate.info to discuss the NextPlane product and solutions in more detail. While the NextPlane product does help customers address a subset of the UC federation problem, it’s a stretch to suggest you’ve solved the UC federation problem in general, partly because it’s like saying someone’s solved “cloud computing” (i.e. the terminology for both “unified communications” and “federation” isn’t universally well-defined) and partly because the universe of communications and collaboration apps is much bigger than what can be covered with XMPP or SIP.

    Jacques: Yes, XMPP federation is fairly well defined at this point. I touch on this a bit more in my latest VOIPSA blog post, but thanks for sharing the Sametime links – I’m sure this will be useful for some of our readers. If you think one or more of your expert contacts would be interested in doing an interview for UCfederate.info, drop me a note directly. Thanks!

  4. Pingback: EnThinnai Blog » Blog Archive » Presence: Better You Pull, For I ain’t Pushing it
