European Communications

Features

European Communications discusses the latest telecom trends with telco executives, analysts and topic experts via insightful analysis, Q&As and opinion pieces.

Service layer transformation

The service layer must be seen as the key focus area for any service provider keen to make a major impact in the delivery of next generation services, says Sanjay Mewada

As Communications Service Providers prepare the ground for their move into next-generation IP/IMS-based services, they should spare an urgent thought for the back office: the operational and business ‘support’ systems that oil the network machinery and choreograph the connection of customers. These systems define and assign customers’ services, activate and provision their phones and connections, generate their bills, track the rectification of their reported faults and much more. In fact, acting in concert, it’s the business and operational support systems that define, deliver and manage the service experienced by the customer.

Strange then that this critical 'service layer' is still not getting the attention it deserves from telecom operators. Instead of seeing it as the centrepiece of their transformation efforts, and the real key to the agility, cost reductions and increasing automation that operators know they must develop to compete in the 21st century, it is still too often seen as an afterthought: a collection of systems reluctantly purchased and plugged in once the network is up and running and the urgency of the real requirements becomes apparent. The industry can no longer afford this approach. The service layer must be seen as the key focus area for any service provider keen to make a major impact in the delivery of next generation services.
There are some unique characteristics of the service layer (where the back office and Operations Support Systems (OSS) reside) that make it deserving of the attention. New services get created, delivered and managed at the service layer, which orchestrates resources from layers 1 through 7 across both network and IT domains. Its ability to manage these resources across the layers of the OSI stack is critical when CSPs are attempting to deliver content-rich services from a multitude of sources.
The service layer also has the most complex interplay of processes, applications and data, so the cost of integrating and customising software and systems is considerable. On top of this it tends to comprise a high number of 'legacy' systems and processes, making interoperability a challenge. The service layer is also considered the 'back office' and therefore suffers from the perception of not being strategic to the CSP's success.
All that is about to change. Currently, CSPs are facing an interesting paradox. They have deployed their next generation networks to deliver cutting edge services, but their service layer is a legacy environment originally built to deliver voice to black mechanical rotary phones that today exist only in museums.
Transforming the service layer is therefore as important as transforming the network, and probably more so. For one thing the network alone can no longer (if it ever could) provide the basis of a sustained competitive advantage. True, achieving acceptable network performance will be critical given the non-deterministic nature of IP, but a high-quality network will only be the foundation for differentiation, not a differentiating quality in its own right.
Real differentiation based on unique services and service bundles can only be engineered at the service layer, so it's vital that CSPs move on from the idea of developing the 'best network' to embrace, instead, the concept of developing the 'best services', not from a network-centric point of view, but from a customer-centric point of view. That means focusing on the 'customer experience', which can be defined as the aggregate view a customer will form of a provider as he or she is 'touched' (or not) by the quality and relevance of the services it offers.
The 'Service Experience' is a subset of the Customer Experience and is formed by day-to-day service quality and reliability. The Service experience is optimised through the CSP's use of Network and Service Assurance systems and processes. To really manage and improve the overall service experience, a CSP must understand how well it is delivering specific services to customers against the commitments it's made to them, and it must try to understand – and maximise – the subjective experience of the service.
In the long run, transforming the service layer has value as an end in itself. Over the short term however, this transformation has to assist a CSP in achieving its key business goals and objectives.

Key business goals
There are three key business goals that a CSP must seek to achieve in today's environment. First, to increase revenues by quickly introducing content-rich converged services. Second, to squeeze costs out of operations and to build operational excellence. Last but not least, to build closer and more profitable customer relationships by understanding and managing the service experience and delivering personalised service bundles.
NetCracker's core value proposition of Service Layer Transformation is closely aligned to these business needs.
Revenue-driven Service Layer Transformation allows service providers to quickly introduce new technologies and services and generate additional revenue streams. CSPs can use pre-configured technology and service templates for IPTV, triple-play services, FTTx, IPVPNs, MPLS, VoIP, xDSL and IMS/SDP deployment. They can do this without wholesale replacement of existing OSS, which can be time-consuming and expensive. The revenue-driven approach focuses on fast introduction of new services and then replacing the legacy OSS at a time and in a manner that is appropriate for each CSP's circumstances.
For those CSPs that are focused on building operational excellence and squeezing costs out of their operations, NetCracker recommends using the cost-optimised approach to Service Layer Transformation. This approach is designed to maximise the utilisation of the network and IT assets.
This approach provides key information and analytics to understand the cost of delivering a service. It aligns network and IT resources to deliver the most optimised service mix. This maximisation of network and IT  infrastructure assets significantly reduces the cost of operations and contributes towards higher efficiency.
This approach also provides the capability to maximise the design and planning function to reduce deployment cycles and increase asset utilisation by discovering stranded assets, and results in higher levels of capacity utilisation.
Finally, the customer centric approach is tailored for CSPs that want to build closer customer relationships and deliver a higher level of service. It implements systems which can help CSPs understand customer impacts from service outages; enables them to create personalised services bundles on-the-fly; and generally increases provisioning speed and accuracy, all helping to reduce customer churn.

Foundation
So the service layer is important, not just because it can monetise the network investment and create and deliver new services, but because it is the foundation on which the customer-facing interfaces and interactions are built. In the emerging hyper-competitive market, winners will be those that are able to understand and manage the service experience.
But the service layer is also of fundamental importance to the very business of being a CSP.  Without the ability to deliver services ever more reliably and at ever-lowering real cost, traditional CSPs are in danger of being edged out of their own markets by new entrants who aren't encumbered with legacy support systems.
As the underlying cost of voice minutes and bandwidth continues to plummet, the other costs of delivering services assume a higher proportion of the whole  – especially those costs related to human intervention, such as the cost of telephone 'help' when services don't work first time, every time. Service providers who find ways of automating customer acquisition (say through web self-service) and minimising human support are therefore in a strong position to thrive in a world of razor-thin margins. Those who can't are in danger of being trapped in a death spiral of frantic cost-cutting leading to lower service levels, leading to loss of market share and lowering revenues, leading to more cost cutting.
To compound this problem, the sheer range and complexity of services is set to rocket as CSPs move into IP and IMS alongside a growing customer demand for various sorts of service customisation. As the average CSP currently finds that close to 60 per cent of its customer orders need 'special treatment' – in other words can't be processed without some form of intervention – the projected rise in service types coupled to the multiplier effect of customisation looks ominous. Without a real transformation of the service layer, service providers encumbered by legacy support systems are going to struggle.
So why is there such a lack of recognition of this problem? Partly this is due to the old perception that the back office is about 'support' systems – 'nice-to-have' components that just help people get on with their jobs. With telecom industry 'thought leaders' always focused on the network, the IT domain in telecom has yet to be elevated to its rightful position. 
Vendors are also to blame for not stepping up and pushing for a systematic approach to solve the service layer problem. Instead, vendors are still too often providing solutions to isolated 'point' problems.
Most of all though, there must be a recognition that real competitive differentiation in telecoms must involve an agile, transparent and optimised service layer that creates, delivers and manages services, and that maximises  network investments and delivers on customer needs.
CSPs have to ensure that their service layer doesn't become a bottleneck to the delivery of next generation services. A successful service layer transformation needs a deep understanding of the strategic nature of the back office and CSPs must work with vendors such as NetCracker who can address the systemic requirements of Service Layer Transformation.   

• Sanjay Mewada is vice president of strategy at NetCracker Technology  www.netcracker.com

Open standard interfaces-OSS/J

Standard interfaces can put the purpose of an OSS application into crystal-clear focus, even before you develop or purchase a solution, says Doug Strombom

Let’s say you are a telecommunication service provider and want to offer a new service – a package of downloadable music, for example. To provide even this relatively simple service, providers must implement new service platforms and then integrate the service into their Operations Support Systems (OSS), the backbone IT infrastructure of all telcos.

The fact is, service providers have relatively few options: either build customised applications or implement commercial off the shelf (COTS) applications.  Although some IT groups still create homegrown applications, COTS solutions have become more widely accepted in recent years. 
Although integration costs are often hidden within other budget items, integration is one of the highest technology expenses that telecoms companies pay.
According to Mick Reeve, Group Technology Officer at BT: “OSS configuration costs are usually three to ten times as high as the systems' original purchase price. And integration is one of the hardest parts. It requires difficult mapping of data and functionality between applications, so project timelines often suffer long delays. As a result, the whole industry pays a very high 'integration tax' and a high 'configuration tax' that slows down service innovation and hurts the ROI of almost every OSS project.”
Over the last few years, a large number of leading telecoms companies have banded together to address this problem. They want to turn the traditional 'buy now and integrate later' IT approach on its head. The solution they propose is to mandate that OSS vendors support open standards for Applications Programming Interfaces (APIs). It doesn't sound too exciting – until you consider the costly alternative of continuing to do business as usual. 
One obvious example of this phenomenon is the closely aligned work of the TeleManagement Forum (TMF) and the OSS through Java Initiative (OSS/J). TMF – the dominant standards body in the telecommunications OSS area – offers a blueprint called 'New Generation OSS' or 'NGOSS'. OSS/J offers a suite of downloadable APIs for gluing OSS applications together.  The combination of these two efforts adds up to a powerful, implementable OSS standard. Together TMF and OSS/J have pushed hard for the widespread adoption of open-standard APIs by telecommunication service providers and vendors alike.
“The combined example of TMF and OSS/J, and the business value of what those standards do, is just becoming widely recognised by service providers,” says Doug Strombom, CEO of Tigerstripe and an OSS/J Steering Committee member. “As more and more service providers become aware of this business value, and urge their peers and suppliers to use the standard, it's inevitable that adoption rates will accelerate.”
Another benefit is that open interface standards help clarify why we purchase OSS in the first place. We call them 'information systems,' but how many times have we implemented one without ever getting any information back at all? Standard interfaces can put the purpose of an application into crystal-clear focus, even before you develop or purchase a solution. 
Strombom refers to this as a 'contract first' approach to OSS management. “With contract-first integration, finally we have a way to explicitly state what a system does. Service providers know the value that each system will provide – or won't provide – and can make wiser investment and end-of-life decisions. Using clearly-defined, open interfaces eases the pain of integration – less time, lower costs, and better quality – and it allows the service provider to have more control over the development process,” he says. “It's the difference between merely administrating your OSS and managing your OSS.”
Although service providers tend to define value in multiple ways, a growing body of business experience indicates that open, industry standards deliver real value. Some service providers are motivated by business agility and time to market. IT has been a laggard when it comes to delivering support for the new services that marketing demands.
Incumbent service providers are under threat from agile new entrants – including Internet-based companies who are able to offer compelling services very quickly almost anywhere. This highly competitive environment demands that all players figure out flexible system architectures.
Still other service providers are focusing on reducing lifecycle IT costs. Wisely so, since IT directly affects overall profitability. IT budgets are decreasing or flat, but OSS departments must address the ever-increasing complexity associated with new network service offerings like 'quadruple play.' The management of these services is daunting, since enterprise applications need to handle all aspects including order handling, service activation, quality management, inventory, and billing.

Vodafone implements standards
Standards are clearly the answer – if they are implementable. And that's the catch, according to Joerg Frankenberger, head of Network Management Engineering for Vodafone Germany. He clearly recalls the day he discovered OSS/J interface standards at an industry trade show.
For Vodafone, the big issue was not simply to launch new services, but rather to find better ways to manage the way those services are delivered and supported.
“Of course we can offer new services, but can we ensure quality?” says Frankenberger. “The complexity of network OSS architecture is increasing at a phenomenal rate. It's incredible how many networks and applications are involved in the support of new services... we face a huge number of technologies to manage. Linking each system point to point is just not supportable because it's so expensive and time consuming.
“It was at TeleManagement World a few years ago that I first saw a catalyst project using NGOSS,” he says. “It made a very academic impression on me. NGOSS would be the ideal OSS solution, but it seemed to be more theoretical than something I could actually use. I thought: good thing, but in reality hard to achieve.”
Once he discovered OSS/J, in many ways the fulfillment of NGOSS, Frankenberger realised that “someone had anticipated what we needed”.
“When I became aware of OSS/J, I had a good feeling that it could be the way to iterate towards an NGOSS enterprise architecture,” he says. “From my point of view, OSS/J is the USB plug for OSS.”
The Vodafone OSS/J initiative began with a feasibility study, then quickly became a proof of concept project.   “The business driver for adopting OSS/J was our need to connect more and more OSS at reasonable costs, enabling us to spend our budget for application development instead of on integration,” Frankenberger said.
For Vodafone's proof of concept trial, they integrated service management systems used by Vodafone's Network Management Centre via OSS/J's Trouble Ticket (TT) API. From concept to completion, the proof of concept took approximately eight months; a period that he says was lengthened by Vodafone's decision to open the implementation to multiple parties. “We wanted to test it in a business environment involving software vendors, consultants – a lot of participants in a professional way.”
Frankenberger says: “We wanted to compare OSS/J versus an alternative based on a proprietary EAI implementation using Vodafone proprietary interfaces. Part of our feasibility study was to compare OSS/J and other middleware integration concepts against our business scenarios.” The result of the feasibility stage, he says, was that “OSS/J offered already-defined APIs and seemed to be more efficient.”
Vodafone's first OSS/J implementation was comparable in terms of time, money and manpower to an ordinary interface implementation. However, Frankenberger insists, the implementation represented a great deal more.
“Considering that this was our first contact with a new technology, and that we were also writing an integration cookbook for future OSS/J solutions, this was not a lot of time,” he says. “It brought much more value than just an interface and showed us the clear potential to save money using OSS/J. For the next project, we had estimated savings of about 20 percent. It turned out to be better than that.”
Those savings help to explain why OSS/J adoption is spreading from Vodafone Germany throughout Vodafone's other operating companies (OpCo).
“We use OSS/J for what we call cross-border business interfacing,” Frankenberger says. “This means we can effectively communicate between different OpCos within the Vodafone Group. The first step was implementing the Trouble Ticketing API, which connects the different trouble ticketing systems at the different OpCos to each other by means of OSS/J.”
In addition to the TT API, Vodafone is implementing other OSS/J APIs like Quality of Service (QoS) for Fault Management purposes. Frankenberger adds: “We have found that the benefits of OSS/J are cumulative. The more you do, the more you are able to reuse capabilities and achieve greater benefits. It's kind of a self accelerating improvement that you get.”

Start small
As the Vodafone case study shows, the best approach to implementing a new enterprise-wide architecture is to start small and add new functional areas in incremental stages. Many service providers begin by focusing on specific high-value areas that will get the attention of top management. Early success can help gain crucial executive buy-in and additional programme funding and support.
Often service providers turn to a middleware platform as a panacea for integration challenges. Middleware such as an Enterprise Services Bus (ESB) facilitates easy message transfer between all the enterprise applications. But middleware is a “blank slate” that can be used in many ways. The result often is a lot of unplanned expense, trying to figure out how to configure the middleware for specific business needs.
“The problem with proprietary middleware is that it's much more expensive and there aren't open standards behind it. So you either need to fund your own interface R&D or try to re-use proprietary integrations that have been done by others in the past,” Frankenberger says. “Either way it's proprietary and there's no cost sharing – there's no plug-and-play at all.” 
So how is standards-based integration different?  Standards like OSS/J provide a technical framework for integration. The standard APIs define an application-independent, or 'canonical,' form of the information that passes across the interfaces. The API also defines the behaviour of the interface, such as the notifications, queries, and other events. These standard transactions can be mapped to the proprietary databases and functions of each application. In short, the standards provide a cheaper, faster, re-usable and reliable way to do integration. 
One of the critical success factors for adopting open standards is whether the organisation establishes appropriate policies and governance. Someone with authority must insist on using open standards.  Otherwise, there may be too much resistance. OSS project managers often focus mainly on project costs and deadlines, and may consider open interfaces to be a luxury they cannot afford. OSS engineers often are most comfortable with their familiar, non-standard techniques. Project oversight by leaders who insist upon using open standards is needed to overcome this natural resistance.
It is imperative that the service provider take a very active role here – proactive management is really the only option. The productivity increase from better interface management can be impressive over time. This takes a commitment to acquiring the knowledge, processes, and tools that make open standards really perform.

A critical mass of adoption
Service providers and vendors are increasingly adopting open interface standards such as OSS/J. “A tipping point of adoption will occur when a critical mass of purchasers and vendors support open standards,” says Tigerstripe's Strombom. To encourage this to happen sooner, better collaboration mechanisms are needed. An ecosystem of tools, training, and consulting services is growing up around OSS/J to address this need. “The OSS/J ecosystem includes software like Tigerstripe's, which greatly reduces the learning curve about standards and increases the productivity of interface developers,” says Strombom. “We are encouraging adoption by taking the pain out of open standards support.”
Vodafone is convinced that the more service providers and suppliers support OSS/J, the more the industry as a whole will benefit. “We are encouraging service providers and vendors to support OSS/J,” Frankenberger says. “Some vendors resist the move to standards because they make money by providing integration services. The flip side of the coin is that their profit margins suffer because of the high cost of providing integration services. Looked at from the right perspective, open standards make sense for everyone.”
“I'm certain at this point that OSS/J is not stoppable,” Frankenberger says. “It's not a question of whether or not the industry will adopt OSS/J. It's more a question of when. And we are doing what we can to make industry adoption happen faster.”                               

– Since this article was submitted, OSS/J has become part of the TeleManagement Forum.

• Doug Strombom is CEO of Tigerstripe and an OSS/J Steering Committee member.

• William F. Wilbert is communications director for the OSS through Java Initiative.

KPIs

Barry Dowd looks at why companies are moving away from traditional Key Performance Indicators, such as average call handling time, towards measures that can streamline the business and really communicate something about the customer experience

The call centre has long been acknowledged as a vital source of KPIs to inform marketing and the boardroom of precisely what customers are asking for. As a result, there is a trend in the billing and CRM industry towards sharing of customer preference data with in-house marketing departments so that more personalised services can be provided. This empowers frontline customer service agents (CSA) to harness cross sell and upsell opportunities when they are on the phone.

In fact, some companies have gone as far as providing their customer service centres with sales targets, tightening the integration between customer feedback and the services they are offering. But an unhappy customer is not going to be receptive to offers to purchase further services, so getting the basics right in the call centre is critical.
By the same token, an effective fraudster can look like your best customer if you are simply looking at usage levels and not checking credit history and other customer information. So an integrated system that provides the business with a complete view of the customer is equally important.

What to look for
When choosing a call centre solution it is important to always keep an eye on the future requirements of your business. Therefore you need to ensure that the solution will scale with your business. You need to ensure that it will integrate with existing systems, rather than needing reinvestment, and you need to make certain that there is a clear and simple upgrade path.
Your agents are on the frontline of your business, so once you've ticked all the boxes for the business and system requirements, you need to remember it is vital that your customer service staff can quickly get to grips with the technology. Training on new systems can impact on service and sales, as CSAs come up to speed. So a clear, intuitive interface can deliver real cost-benefits. Having a graphical user interface (GUI) is a major benefit because it not only reduces training time but also provides call centre staff with quick access to real time customer information – vital in making informed decisions on matters such as customer retention and marketing new offerings.
Vodafone found that deploying a single billing and CRM platform with a user-friendly GUI significantly reduced training time. Each Vodafone customer service agent takes only a week to get comprehensively trained on the system – considerably less than with the previous combination of systems. The familiar interface was widely embraced, with CSAs exploiting their new tool quickly and enthusiastically.
To be most effective, CSAs need rapid access to complete customer histories when they are dealing with queries on the phone. Having a single, real time view of customer activity is a real asset, providing your staff with the latest information at their fingertips when they are speaking to your customers. Ideally, the single platform approach presents one source of data to be maintained by call centre staff and so reporting to other parts of the business is made much easier.
A single customer service/billing platform, that links and unites data from all parts of the business, also helps early detection of potential fraud. For example, usage thresholds can be applied to customers' accounts, which enable the operator to set a bar if there is excessive call spend on inappropriate tariffs, and therefore limit losses. 
Operators that deploy a billing platform with an integral CRM element enable call centre staff to have immediate access to customer histories for same day callers, or call backs, so customers don't suffer the frustration of repeating information to different agents. If the customer has already called that day the service agent can see the details on the system and deliver a speedier resolution. Workflow features enable customer service staff to 'pass' workflow events on, with the associated history for that customer, safeguarding the resolution of customer queries and ensuring quality control.

The new KPIs
In the case of Martin Dawes Systems' telecoms clients, KPIs enable the marketing departments to put together bundles and offers which are tailored to that customer and encourage further usage of services such as SMS, mobile email or content. The uptake of these targeted offers will help maintain or increase the average revenue per user.
Broadly speaking, KPIs are broken down into:  Financial, Customer and Operational Performance.
Within these broad categories detailed measures can be applied to analyse revenue/profit generation, operating costs, efficiency ratios, as well as customer behaviour – satisfaction, retention, churn, bad debt, and softer measures such as employee morale, absenteeism and staff attrition.
Analysis and review followed by the appropriate action will improve business performance.
The revenue generation areas deliver KPIs in terms of customer value and ARPU as well as providing information on uptake of new offers, services and tariffs. This information helps guide the business on the market acceptance of new services.
Churn figures from the call centre not only provide the business with an insight into the network popularity, but also give an indication into the long term value of customers, lost or gained, against predefined targets.
Operating costs are a key indicator of efficiency that the call centre can provide to the business. Particularly in the current climate of new service roll outs, balancing the cost of acquisition of customers against the cost of serving them is essential. Operators are increasingly under pressure to demonstrate where new services have been embraced by subscribers. Once again the call centre figures can provide crucial insight into return on operator investment.
Clearly, customer contact is the CSA's stock in trade. Here the business can measure the levels of customer satisfaction and personalised service delivered to key clients, track levels of first time resolution, and monitor the interaction method preferred by customers, whether this be phone, fax, e-mail or online account management.
Again, the monitoring of interactions gives an indication of the efficiency ratios of the business by providing cost comparisons of the CSA-to-customer ratio and the percentage of calls handled and issues resolved or escalated. You cannot sell to an angry customer, so getting this interaction right is crucial and having a window on success rates is vital to informing business strategy.

The integration challenge
A major factor in being able to see and respond to KPIs is to move away from the traditional 'silo' approach to customer management. This facilitates measurement of KPIs by holding the data in a single database and providing reporting capabilities across its functional areas. 
Getting all of the touch points from your customers collated into one single data source does entail a carefully planned and executed integration process. During one system implementation, 11 legacy solutions had to be consolidated onto a single CRM billing platform.
Rather than applying traditional KPIs, the operator looks across its business and measures indicators such as the call centre solution's impact on churn and debt, as well as the impact on average revenue per user.  These are all bottom line influencing factors.
An effective system for tracking KPIs also feeds into revenue assurance within the business. Having an end-to-end system linking the call centre to the banks, credit checking and fulfilment agencies facilitates effective processes, enables fraud to be highlighted early and provides a clearer real-time record of calls.
This trend towards using call centre KPIs to inform marketing also means that the call centre moves away from being a cost centre to becoming a profit centre for the business. While there has been a clear progression towards providing online self-care to enable maximum access for your customers, for more complex queries people love to talk. A call centre system that provides a single view of your customer information is the best way of ensuring their satisfaction and retention – the most important KPIs of any business.

• Barry Dowd is the Customer Service Director at Martin Dawes Systems.

IMS-OSS/BSS

IMS is missing centralised OSS service management systems that will provide IMS elements with needed service oriented rules and business policies, says Paul Scarff

As the telecommunications industry continues to try to get its arms around the complexity of delivery architectures and operational management of IP multimedia subsystem (IMS), service providers and equipment manufacturers are focusing their attention on the IMS business case and on getting a better understanding of the technology from a deployment and operational support systems perspective. In addition, many players are also trying to determine whether IMS’ initial purpose should be to facilitate fixed mobile convergence, support next-generation services, or do both.

While concentration on these issues continues, it would be to the advantage of everyone involved in IMS to add one more important requirement to the mix: the need to close a critical gap that threatens to deflate the promise of IMS and turn it into just another silo in carriers’ networks.
The gap is created by the fact that while the IMS architecture itself is meant to handle the complexities of creating, authorising and delivering disaggregated services across multiple networks and access media, it does not provide the associated OSS service management functionality that is necessary to turn the whole process into a billable service.

Missing link
Simply put, the IMS landscape is missing centralised OSS service management systems that will provide IMS elements with needed service oriented rules and business policies, as well as links to OSS/BSSs in both the legacy and IMS domains. Centralised management will enable customers to use old and new services and enable operators to create, configure, provision, assure and bill for those services. From an operations perspective, centralised service management orchestration will provide the necessary ‘marching orders’ to IMS elements for each session, of which many will be highly individualised and tailored to the consumer’s preferences and usage history.
The IMS business case for most service providers requires that they introduce the new domain in phases. As they migrate to IMS, service providers will not be scrapping their legacy platforms in the foreseeable future. With the proper OSS integration framework between the two domains, provided by centralised service management, IMS will enable service providers to add new services to their legacy infrastructures with greater ease. And, it will allow them to make legacy services such as voice mail or caller ring-back tone available to IMS sessions.
The addition of an overarching centralised service management system in a pre-IMS environment will enable service providers to accomplish three key tasks that will smooth their migration to IMS:
1. Support existing silos (legacy services and functions) in legacy networks as service providers phase in their IMS architectures.
2. Manage new services supported by their IMS architectures.
3. Enable necessary service to network technology abstraction between legacy and IMS domains as services are turned up in the IMS domain.

Legacy support
While IMS is very, very new, service providers have embraced the fact that there is a need for IMS, or something very much like it, in the future. At the moment, however, no one knows just how long it will take for IMS to blossom or how much of a role it will play during its initial phases. As a result, service providers are looking for a means of evolving into IMS as it matures. They are willing to cap their existing silos and grow their networks in the direction of IMS, but they lack the flexibility and the OSS tools that enable them to create a strategy and proceed accordingly.
When plotting their migration to IMS, service providers want the flexibility to do what they want to do when they want to do it. Phased introduction means that service providers must rely on their legacy systems to provide revenue-generating services for as long as necessary. Because it ties their existing silos to IMS, the centralised service management system helps service providers continue to provide legacy services and features to customers during the migration process. And it also keeps IMS from becoming a silo that requires its own management system(s). Furthermore, it is a safe bet that some legacy services may never migrate to IMS, so the ability to tie their legacy domains to the IMS domain for the foreseeable future is important to service providers.
 
IMS support
As IMS services are rolled out, a centralised service management system will provide the necessary capability to manage the horizontal network technology layers (eg DSL, DOCSIS, PacketCable, WiFi, WiMax, GSM, CDMA, etc.) within the IMS architecture. While IMS service delivery elements (i.e. HSS, CSCF, SDPs, Application Servers, etc.) are capable of setting up and tearing down sessions on the fly, they cannot manage themselves.
Because services are specific to each individual, each and every time a session is established, the IMS elements need to be told what limits, preferences and features are available to the end user who will be billed for their event and on-demand service requests. The centralised service management system provides the necessary interfaces between the IMS elements and the resources (eg presence and location servers, entitlement servers, etc.) that contain information relating to that end user.
As sophisticated services that rely on flexible, yet specific, billing capabilities are introduced by service providers, their IMS elements will need access to new levels and layers of billing information as it pertains to each end user. It will be advantageous to have the ability to update individual end user information on a per session basis. For example, an end user may wish to pay for extra bandwidth for a specific session. Or they may want to update their feature sets, profile or buddy list going forward.
The IMS elements must have a means of accessing this information in order for service providers to squeeze the most profit out of their new services. A centralised service management system provides their IMS elements with the ability to access static and dynamic information.

Migration support
As there are very few greenfield IMS deployments, most service providers plan to implement a phased migration to IMS. For this reason, service providers are in need of a means of abstracting the network elements, features and functionality that are being replaced as new IMS elements are added to take their place. Abstraction will also be of use when adding an element (eg SDP, application server, etc.) to support a new service, feature, or OSS/BSS capability.
It is highly unlikely that service providers will dismantle legacy OSS/BSSs. So service providers that do not want to recreate their customer information databases in the IMS domain will benefit a great deal if the information these systems hold can be accessed by elements or OSS/BSSs created in the IMS domain and vice versa. Because it wraps around legacy silos and the IMS silo, the centralised service management system is critical to providing an open, federated information model so that an integrated view of the subscriber’s profile is managed for all services.
By providing this kind of support, a centralised service management system facilitates a better quality of experience (QoE) for service providers’ customers. Excellent QoE is essential for IMS to succeed. In no way can the end user be weighed down by kludgy features and functionality or inaccurate billing. End users do not want to have to reintroduce themselves to the IMS network, or even be aware of it for that matter.
The complexity of the network, especially during migration to IMS, must remain hidden from end users. This is tricky for service providers because the particulars related to each end user will be in play during each session and generally be of more importance than ever before. Centralised service management helps keep confusion and complexity hidden because it provides a common subscriber view, an integrated view of the service delivery network and interfaces to existing information that service providers would otherwise have to completely recreate in order to begin serving their existing customer base in the IMS domain while they continue offering services in the legacy domain.

• Paul Scarff is Director of Wireless OSS Solutions, Sigma Systems. www.sigma-systems.com

IMS and the enterprise

Session border controllers (SBCs) play an important role delivering the necessary features for serving the enterprise with IMS and TISPAN networks, says Seamus Hourihan

Tier one service providers and network equipment vendors around the world have generally embraced IMS as the architecture for building next-generation wireless, wireline and converged service networks. Yet, that general embrace doesn’t necessarily equate to capital invested and massive deployments today. In fact, in a recent Heavy Reading report, ‘Session Management, IMS, and the Future of Session Border Controllers’, of the service providers surveyed, 41 per cent of respondents did not know when they’d implement IMS. Encouragingly, 37 per cent of respondents had deployments underway or would by the end of 2007. This gap between enthusiasm and deployment is due, in part, to the work that remains with the architectural frameworks.

Immersed in the dogma and excitement of IMS is a hidden danger: the enterprise is missing. By blindly implementing this next generation architecture according to current specs, service providers could leave behind their most profitable customer segment: the enterprise. IMS, the architecture defined by 3GPP for the delivery of real-time voice, video and multimedia services using SIP over packet networks, is exclusively focused on mobile wireless networks. This architecture is being extended by ETSI TISPAN to more completely satisfy the service delivery requirements in fixed wireline networks. However, even the TISPAN architecture has yet to satisfy all the requirements associated with delivering services to enterprises. Bridging this gap, session border controllers (SBCs) play an important role delivering the necessary features for serving the enterprise with IMS and TISPAN networks.

SBCs in IMS/TISPAN architectures
IMS, as defined by 3GPP and extended by ETSI TISPAN for wireline networks, is an architecture defined in terms of functional elements, not products. While there is not an element specifically called ‘session border controller’, the defined functions exactly point to the features on SBC platforms. Within the extended IMS architecture there are two different types of SBCs: the access SBC and the interconnect SBC.
The access SBC satisfies the requirements at the border where subscribers access the IMS core. It incorporates two functional elements from the IMS and TISPAN architectures: the Proxy-Call Session Control Function (P-CSCF) and the Access Border Gateway Function (A-BGF).
• P-CSCF – is the SIP signaling contact point, the outbound/inbound ‘proxy’ for subscribers within IMS and TISPAN networks. The P-CSCF is responsible for forwarding SIP registration messages from the subscriber’s endpoint, the User Element (UE), in a visited network to the Interrogating-CSCF (I-CSCF) and subsequent call set-up requests and responses to the Serving-CSCF (S-CSCF). The P-CSCF maintains the mapping between logical subscriber SIP URI address and physical UE IP address and a security association, for both authentication and confidentiality. It supports emergency call (E911) local routing within the visited network, accounting, session timers and admission control. Admission control is implemented with an interface to an external IMS Policy Decision Function (PDF) or ETSI TISPAN Resource and Admission Control Subsystem (RACS). The P-CSCF interacts with A-BGF for control of the boundary at the transport layers including pinhole firewall, Network Address and Port Translations (NAPT) and numerous other features.
• A-BGF – controls the transport boundary at layers 3 and 4 between subscribers and the service provider’s network. It performs all of the functions and features of the I-BGF. In addition, in wireline networks, it provides network-based NAT traversal for the media flows.
The interconnect SBC addresses the requirements at the boundary where different service provider networks interconnect or ‘peer.’ It incorporates three functional elements from the IMS and TISPAN architectures: the Interconnect Border Control Function (I-BCF), Inter-working Function (IWF) and Interconnect Border Gateway Function (I-BGF).
• I-BCF – provides overall control of the boundary between different service provider networks. It provides security for the IMS core in terms of signaling information by implementing a Topology-Hiding Inter-network Gateway (THIG) sub-function. This sub-function performs signaling-based topology hiding, IPv4-IPv6 inter-working and session screening based upon source and destination signaling addresses. The I-BCF also invokes the Inter-Working Function when connecting non-SIP or non-IPv6 networks, and performs admission control and bandwidth allocation using local policies or via interface to ETSI TISPAN Resource and Admission Control Subsystem (RACS). Lastly, the I-BCF interacts with I-BGF for control of the boundary at the transport layers including pinhole firewall, NAPT and numerous other features.
• IWF – provides signaling protocol inter-working between the SIP-based IMS network and other service provider networks using H.323 or non-IMS SIP implementations.
• I-BGF – controls the transport boundary at layers 3 and 4 between service provider networks. This function acts as a pinhole firewall and NAT device protecting the service provider’s IMS core. It controls access by packet filtering on IP address/port and opening/closing gates (pinholes) into the network. It uses NAPT to hide the IP addresses/ports of the service elements in the IMS core. QoS packet marking, bandwidth & signaling rate policing, usage metering and QoS measurements for the media flows are additional features supported by the I-BGF.
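The pinhole and NAPT behaviour described for the I-BGF, as an added Python example (not code from the article or from any SBC product). The class and method names are hypothetical, the addresses are constructed from documentation and private ranges, and the model covers inbound media packets only.

```python
"""Added example: media pinholes with NAPT at a border gateway (toy model)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, UDP port)


@dataclass
class Gate:
    session_id: str
    peer: Endpoint     # only this remote address/port may send through the gate
    core: Endpoint     # real address of the core-side element, never advertised
    packets: int = 0   # per-gate usage metering


class BorderGateway:
    def __init__(self, public_ip: str, first_port: int, last_port: int) -> None:
        self.public_ip = public_ip
        self._free: List[int] = list(range(first_port, last_port + 1))
        self._gates: Dict[int, Gate] = {}  # public port -> open gate
        self.dropped = 0

    def open_gate(self, session_id: str, peer: Endpoint, core: Endpoint) -> Endpoint:
        """Open a pinhole once signaling has negotiated a media flow.
        Returns the public address advertised to the peer in place of `core`."""
        if not self._free:
            raise RuntimeError("media port pool exhausted")
        port = self._free.pop(0)
        self._gates[port] = Gate(session_id, peer, core)
        return (self.public_ip, port)

    def close_session(self, session_id: str) -> int:
        """Close every gate of a finished session; returns how many were closed."""
        ports = [p for p, g in self._gates.items() if g.session_id == session_id]
        for p in ports:
            del self._gates[p]
            # Freed ports go to the back of the pool so that late packets of the
            # old session are unlikely to land on a newly opened gate.
            self._free.append(p)
        return len(ports)

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Filter one packet arriving from the peer network. Returns the
        translated core-side destination, or None when the packet is dropped."""
        gate = self._gates.get(dst[1]) if dst[0] == self.public_ip else None
        if gate is None or gate.peer != src:
            self.dropped += 1  # closed port, or a source the session never negotiated
            return None
        gate.packets += 1
        return gate.core


def demo() -> List[Optional[Endpoint]]:
    bgf = BorderGateway("203.0.113.10", 40000, 40003)
    peer = ("198.51.100.7", 5004)   # constructed peer-network media endpoint
    core = ("10.20.0.5", 16384)     # constructed core-side media endpoint
    pub = bgf.open_gate("call-1", peer, core)
    results = [
        bgf.inbound(peer, pub),                      # negotiated peer: forwarded
        bgf.inbound(("198.51.100.99", 5004), pub),   # different source: dropped
        bgf.inbound(peer, (pub[0], pub[1] + 1)),     # no gate on that port: dropped
    ]
    bgf.close_session("call-1")
    results.append(bgf.inbound(peer, pub))           # after teardown: dropped
    return results


if __name__ == "__main__":
    print(demo())
```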

Serving the enterprise with IMS cores
Seven enterprise-specific requirements are currently lacking from today’s next generation architecture definitions. These functions are best implemented at the border of the IMS core, in session border controllers, to maximize service reach, assure SLAs and protect the IMS service infrastructure. The specific features defined below enable service providers to use their IMS and TISPAN cores to connect to and service their business customers with next generation services.
Surrogate registration of IP PBX & IAD phones – IMS assumes that each SIP endpoint (e.g., wireline phone, wireless phone, softclient) is capable of registering itself with its Serving Call Session Control Function (S-CSCF). However, many enterprise phones connect to SIP IADs or SIP/H.323 IP PBXs and cannot register with the IMS core. The phones register with the aggregation device (IAD or IP PBX) and that aggregation device will not forward the endpoint registrations to the IMS core. SIP registration on behalf of each individual phone located behind an aggregation device is a mandatory requirement for serving those endpoints with IMS services.
H.323 IP PBX - SIP IMS interworking – The vast majority of installed enterprise IP PBXs from vendors such as Avaya, Cisco, Siemens use H.323 as the trunking signaling protocol to connect with the outside world. Even as vendors add SIP support to their IP PBXs, deployed IP PBXs likely will remain H.323. The enterprise H.323 IP PBXs cannot be served by the SIP-based IMS core. H.323-SIP IMS interworking enables service providers to interwork these IP PBXs with their IMS network. This must include support for H.323 supplementary services, number normalization and translation to support overlapping private dial plans (i.e., 3- or 4-digit dialing).
VPN bridging – Many large enterprises use private IP address spaces that often overlap with other enterprises or use service provider supplied MPLS VPNs defined by IETF RFC 2547 to securely interconnect many office locations. The ability to bridge multiple security and IP address domains is required, enabling SIP and H.323 devices to connect to an IMS core for hosted IP Centrex services or IP PBX trunking while maintaining tight enterprise security.
Adaptive NAT/firewall traversal – IMS assumes NAT/firewall devices are not present between subscriber mobile phones and the IMS core. Enterprises, however, use NAT/firewalls to secure their networks, thus blocking all incoming calls. In order to allow the IMS core to deliver calls to enterprises, a NAT traversal function is required to enable trusted sessions to traverse enterprise-based NAT/firewalls. For the enterprise, the access SBC, represented by a single well-known IP address in a trusted service provider’s network, is more secure than alternative methods such as multiple STUN and TURN servers.
DoS/DDoS protection for IMS edge and IMS core elements – Denial-of-service (DoS) and distributed DoS (DDoS) protection from both malicious attacks and non-malicious overloads is a functional requirement absent from both 3GPP and ETSI TISPAN architectures. Without this protection, even a flood of registration messages after a city-block power failure could adversely disrupt all services. A border element that can protect itself and the IMS core elements from signaling and media attacks is critical to reliable service delivery.
Overload protection for IMS core elements – Mechanisms for preventing overloads on S- and I-CSCF functions are also missing from IMS. Service providers will require a border element to perform call rate limiting or code gapping for each CSCF based upon the number of sessions or session establishment rate. Selective admission control based upon destination or source telephone numbers to ensure valuable enterprise calls are always accommodated even in the presence of high volume, low value consumer televoting is also crucial.
Transcoding – The G.711 and G.729 codecs defined by the ITU are the de facto standards used by IP phones and PCs in enterprises today. The SBC needs to support transcoding to enable these enterprise endpoints to communicate with wireless and wireline endpoints that use different codecs such as AMR, EVRC, SMV and QCELP in mobile networks and other wireline codecs such as iLBC, G.723.1, G.726 and G.728.
Enterprises generate the most profits for service providers today, yet IMS and derivative next generation architectures are functionally deficient in delivering services to their most valuable customers. Session border controllers fulfill functional requirements as defined by 3GPP and ETSI and go beyond those requirements to allow service providers to wisely invest in IMS and sell services based on their IMS core to their business customers.
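The overload protection requirement listed above (rate limiting and code gapping per CSCF, with selective admission by telephone number), as an added Python example that is not from the article or from any SBC product. The class names, thresholds and telephone numbers are constructed assumptions, and time is passed in as integer milliseconds so the run is repeatable.

```python
"""Added example: SBC overload protection in front of one CSCF (toy model)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable

TOKEN = 1000  # one session attempt in milli-tokens, so all arithmetic stays integer


@dataclass
class CscfLimiter:
    """Caps session establishment rate and concurrent sessions toward one CSCF."""
    rate_per_s: int         # sustained session attempts per second
    burst: int              # bucket depth, in attempts
    max_sessions: int       # ceiling on concurrent sessions
    reserved_attempts: int  # part of the bucket only priority calls may drain
    reserved_sessions: int  # session slots only priority calls may take
    active: int = field(init=False, default=0)
    _level: int = field(init=False, default=0)
    _last_ms: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self._level = self.burst * TOKEN  # start with a full bucket

    def admit(self, now_ms: int, priority: bool) -> bool:
        # Refill: rate_per_s tokens per second equals rate_per_s milli-tokens per ms.
        elapsed = now_ms - self._last_ms
        self._level = min(self.burst * TOKEN, self._level + elapsed * self.rate_per_s)
        self._last_ms = now_ms
        floor = 0 if priority else self.reserved_attempts * TOKEN
        cap = self.max_sessions - (0 if priority else self.reserved_sessions)
        if self._level - TOKEN < floor or self.active >= cap:
            return False
        self._level -= TOKEN
        self.active += 1
        return True

    def release(self) -> None:
        """Call when a session ends (BYE or timeout)."""
        self.active = max(0, self.active - 1)


class SbcAdmission:
    """Border admission: code gapping per destination, then the CSCF limiter."""

    def __init__(self, limiters: Dict[str, CscfLimiter],
                 priority_prefixes: Iterable[str],
                 gapped_destinations: Dict[str, int]) -> None:
        self.limiters = limiters
        self.priority_prefixes = tuple(priority_prefixes)
        self.gap_ms = dict(gapped_destinations)  # number -> min ms between admits
        self._next_ok_ms: Dict[str, int] = {}

    def invite(self, now_ms: int, cscf: str, src: str, dst: str) -> str:
        # Selective admission: a priority source or destination number bypasses
        # gapping and may use the reserved share of the limiter.
        priority = (src.startswith(self.priority_prefixes)
                    or dst.startswith(self.priority_prefixes))
        gap = None if priority else self.gap_ms.get(dst)
        if gap is not None and now_ms < self._next_ok_ms.get(dst, 0):
            return "reject:gapped"
        if not self.limiters[cscf].admit(now_ms, priority):
            return "reject:overload"  # a SIP element would typically answer 503
        if gap is not None:
            self._next_ok_ms[dst] = now_ms + gap
        return "admit"


def simulate() -> Dict[str, Dict[str, int]]:
    """One second of constructed traffic: an INVITE every 5 ms, of which every
    20th is an enterprise call and the rest a televoting flood."""
    sbc = SbcAdmission(
        limiters={"s-cscf-1": CscfLimiter(rate_per_s=20, burst=10, max_sessions=100,
                                          reserved_attempts=3, reserved_sessions=10)},
        priority_prefixes=["+442079460"],           # constructed enterprise block
        gapped_destinations={"+449098790000": 50},  # constructed televote number
    )
    stats: Dict[str, Dict[str, int]] = {"enterprise": {}, "televote": {}}
    for i in range(200):
        if i % 20 == 0:
            kind, src, dst = "enterprise", "+442079460%03d" % i, "+441632960123"
        else:
            kind, src, dst = "televote", "+447700900%03d" % i, "+449098790000"
        verdict = sbc.invite(i * 5, "s-cscf-1", src, dst)
        stats[kind][verdict] = stats[kind].get(verdict, 0) + 1
    return stats


if __name__ == "__main__":
    print(simulate())
```

In this constructed flood all 10 enterprise calls are admitted, while 174 of the 190 televoting attempts are refused: 138 by the gap and 36 by the rate limit.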

• Seamus Hourihan is Vice President of Marketing and Product Management, Acme Packet.

IMS benefits

John Marinho looks at the ways in which IMS technology can provide both improved services for end-users and increased revenue opportunities for service providers

Service providers, whether wireline or wireless operators, want to break away from or avoid commodity-priced voice and data services. Despite several proposed mergers that may reduce the number of service providers, this objective will remain. Thus providers are turning to converged services to generate not just sustainable revenues from new and current customers, but brand loyalty and new services revenue as well.

As part of this effort, service providers are exploring blended lifestyle services that can be offered seamlessly across devices regardless of access technology. The most common applications being targeted as a new revenue source are multimedia and interactive services, such as video and mobile video gaming.
To deliver blended lifestyle services, network operators must introduce a new network architecture that facilitates rapid service introduction and makes blending cost-effective through disintegration of applications from the device and the access method. The IP Multimedia Subsystem (IMS) architecture enables next generation converged communications services. Already some carriers have announced their IMS plans. Moving to IMS now offers both wireless and wireline service providers significant long-term benefits:
• Creates customer loyalty by providing lifestyle communications environment
• Opens a unique opportunity to be first to market with new revenue-generating services
• Minimises capex and opex while evolving to next-generation communications network
• Drives continuous increase in demand for network capacity and bandwidth
IMS creates customer loyalty
The discussion to date about customer loyalty has focused on churn. Service bundles have helped carriers reduce churn and therefore improve operating efficiency. With IMS-based networks and services, the conversation can shift to customer loyalty that results from a lifestyle communications environment. IMS-based services are ‘brought’ directly to the user, on the device and method of access of their choice, in a manner that is simple, seamless, personal, portable and secure. The user accesses all the services and applications with a single sign-on and these services and applications find the user whenever and wherever they are needed. It is clear that the first provider to deliver this environment will gain the loyalty of the customer who is unlikely to seek any other experience anywhere else.
Deploying the IMS architecture gives a service provider the opportunity to be first-to-market with a range of services that are customisable to specific localised market requirements. In a market where multiple players compete for the same customer, early market entry and service flexibility can produce market share and profitability.
Early market entrants have the advantage of capturing the early adopters and technology savvy high-end customer segments, where they can maximise their profits. Service providers who are late to deploy the services face greater competition, will have higher acquisition costs, and increased price pressure resulting in lower profitability.
With IMS, a service provider can substantially reduce the time required for deployment, standardisation, integration and testing of every new service before it can be launched, thereby allowing an operator to introduce services more rapidly.
IMS can enable new converged and existing services for subscribers using wireline or wireless access. This increases value to end-users. Wireless usage has grown because customers see greater value in mobile access to features and applications. An IMS-based network adds further value through blending of services that may be available currently as separate services. For example, a subscriber could simultaneously have web portal-based management of personal call features and policies, presence capability to detect the availability of individuals on the subscriber’s contact list, and the ability to share a video clip with the contacts while discussing it with them, regardless of their type of access – wireline or wireless – or device.
The ability to blend services and applications benefits all carriers and also can lead to beneficial business relationships between carriers. A wireline carrier, for example, can partner with a Mobile Virtual Network Operator (MVNO) to produce blended services that are available to customers under each partner’s separate brand. In another example, a wireless carrier may partner with a broadband access provider to develop and brand blended services.
Customers are likely to find the features, applications, and blending of applications enabled by IMS actually to be superior, and be willing to pay a premium. These applications can be targeted, for example, at ‘prosumers’ – end users whose professional and personal lives overlap – or youth and families who are willing to pay for additional lifestyle services such as multimedia content and messaging, video telephony, and interactive gaming.
Lucent Technologies’ primary market research found that users in the youth, family and prosumer segments are interested in services that allow them to share information, via their preferred delivery method, with multiple individuals across multiple carriers’ networks at the time of their choosing. The three segments cited specific applications that are evidence of an interest in blended lifestyle services. The youths wanted universal messaging, presence capabilities to know when a contact is reachable, and the ability to instantly share video and data files with multiple contacts. Family respondents valued the ability to share contact information and schedule information that is updated by automatic alerts for schedule changes. They also were interested in video and data file sharing. Prosumers placed a priority on the ability to instantly establish a conference call and share data files, supported by automatic alerts for data changes.
The findings were determined without consideration as to the type of network or access – wireline, wireless etc. – indicating that users are ready for anytime, anywhere services that would be available via an IMS-based network. The research conclusions were consistent with earlier Lucent research focusing on mobile data services that found that the concept of ‘always on/always available’ services resonates with users. The mobile data research also revealed the users’ willingness to pay a fee each month for services in specific segments. The attractive services ranged from services with broad appeal, such as location-based services to those with niche appeal, ie gambling.
In a separate study that involved business modelling for IMS-based blended lifestyle services, Lucent Bell Labs researchers evaluated a specific set of applications and determined that the overall average revenue per user (ARPU) for a ‘generic’ operator is likely to increase 40 per cent annually over the next five years due to blended ‘lifestyle’ services based on these applications.
The applications included:
• One voice mailbox for both wireless and wireline
• Same inbound and outbound call logs on your wireless and wired calls
• Instant messaging between wireless and wired
• Corporate dial plan that is the same on wireless and wired
• Interactive push to talk
• Active Phonebook.
IMS is an open standards architecture that provides the network framework for converged communications services. This approach can offer a more cost-effective network that can support any type of multimedia services. The applications can be more easily developed and introduced in the network. Also, the modular network design lets carriers reuse components for cost savings.
Expense reductions also result from less churn, due to increased loyalty to new revenue generating services, and more efficient network access.
When customers buy multiple services from one carrier, they are much less likely to switch carriers. Single-service churn rates typically are in the range of 1.7 per cent to 2.5 per cent. Churn rates for multiple-service bundles may drop to 1 per cent to 1.5 per cent. Lower turnover means lower marketing and sales costs as the incremental cost of selling another service to an existing customer is much smaller than the average cost of making the initial sale. The incremental cost of billing, handling customer inquiries, and collection for adding more services to the same customer is also smaller than the average cost.
The IMS architecture also allows service providers to benefit from the fact that the communications sessions are transported in the most efficient method for the particular session. For example, as more and more subscribers are making wireless calls from a fixed location, the IMS architecture optimises routing through delivering voice or data services via a variety of network options, including access available in the location, such as WiFi access points, thereby lowering the cost of transport and off-loading macro-wireless system capacity for other calls.
Service providers also can save through the elimination of redundant systems as they deploy ubiquitous services across access devices. In addition, the common standards-based architecture makes deploying new services easier and cheaper than individual point solutions using existing systems. In its study Bell Labs analysed the value of IMS for a traditional set of voice and data services. Over the 5-year period, total operating expenses decrease about 10 per cent, from $805M using a point solution to $723M with an IMS solution.

The next step in profitability
As service providers consider their next steps to win in their markets, they have an opportunity to move now toward IMS and take advantage of the benefits outlined above. The modular structure of IMS architecture creates a unique opportunity to evolve toward this new IMS-based network in a step-by-step, evolutionary way. The initial capital expenditure will be more than offset by the long-term value of introducing converged services as quickly as possible. By blending service features, operators can create intelligent ‘lifestyle’ services, which generate greater end-user demand and higher average revenue per user than traditional services, and differentiate operators from their competitors. A service provider that converges all types of multimedia services in a seamless way by moving to IMS can lower costs, create customer loyalty and unleash greater opportunity for new revenues, market share and increased profitability.                                                       

• John Marinho is vice president of strategic marketing for Lucent Technologies  www.lucent.com

Compliance

Security and compliance are – in theory at least – intrinsically linked. And, the sooner both are treated on equal terms, the better, says Nigel Kilpatrick

Corporations today face unprecedented pressure to ensure compliance. Every day they feel the increasing weight of legal requirements such as FSA regulation, Sarbanes-Oxley (SOX) and most recently the Markets in Financial Instruments Directive (MiFID). Dealing with strict requirements from shareholders, unions and even employees to improve corporate governance practice is now a standard part of daily business life.

Companies have also spent a vast amount of money meeting the enormous compliance challenge. However, the real business challenge has only just begun. Has the massive investment in compliance been matched by a forensic-level focus on the security of those firms who now hold a badge of honour? When personal information is stored electronically, does the consumer feel more confident about the security of their personal data just because their financial advisor is striving to meet MiFID compliance?
Security and compliance are intrinsically linked, in theory, if not in practice.
For example, how could a global retailer who has just been through the pain of a rigorous SOX audit allow users of laptop computers to use their home wireless connection to access corporate resources?
Is it conceivable that a pharmaceutical business, whose very existence is regulated by the weighty mandate of the FDA, could miss staff using unrestricted web mail to send themselves research data to be worked on at home?
Unfortunately, the answer has to be yes to both scenarios. Why? Compliance and regulation are actually relatively simple things to approach. Yes, they can be expensive to work through as we have seen with SOX – a regulation which has already accounted for billions of pounds of lost profits for those touched by it. However, with compliance, someone writes down a list of dos and don’ts and firms just have to pay the price of ticking the endless list of boxes.
Security, however, is a different beast. It has been the poor relation to compliance over the last few years because – apart from operational security standards such as BS7799 – nobody has written a ‘pharmaceutical’ guide to best practice e-mail use to protect trial results, or the ‘financial services’ guide to inappropriate use of mobile devices.
Compliance and governance are absolute things; you will do this and you won’t do that. Security is a relative science; it might be better to do this one day, and due to a change in our global business operations, it might be better to do that the next.
Both businesses and the public sector have to judge their relative security based on general risks, but also on the specific risks that only their business can assess and respond to. A financial services firm whose head office is in London will have slightly different challenges to one who is based in Moscow. A retailer who does 99 per cent of his business in stores will face different challenges to one that does 99 per cent online.
Compliance and regulation are based on one rule for all, whereas security is as much a judgmental strategy as it is a best practice one. Since I looked last, there is only one BS7799 standard, but there are at least 20 firewalls on the market that I could name as reasonable solutions. When the European Union put MiFID together they didn’t consider that there are thousands of CIOs of financial firms around Europe, all with their own personal view of how their e-mail gateway should be built and operated, as well as the raft of possible technologies and designs that could be pieced together.
Perhaps the ‘security’ community needs to take a few lessons from the compliance and governance market in making its discipline part of the organisational culture, in the same sense that MiFID, SOX and FSA have become. We must recognise that these regulatory issues are more important to those firms that have to comply because without them they cease to be businesses. They are very rarely optional, but could we not argue that best-practice security is also not truly something firms can decide to opt in or out of? 
So, exactly how do we get good practice security back on the time and investment agenda?
In regulated environments, companies that cannot demonstrate high levels of information security controls cannot be truly compliant. Even in non-regulated environments, being unable to demonstrate information security controls at best leaves the business open to attack or to adverse reputation risks.
For those companies that are listed on stock exchanges the day is fast approaching, if not already here, when the ability to show high levels of compliance and security becomes a key investment criterion to the general investing public.
Compliance that includes security is a process of governance, just as is risk management, information asset management and auditing. Companies that are ignoring improvements such as monitoring internal security breaches due to budget issues need to consider cost cuts in other areas to fund improved security.
It is widely understood by many security professionals that a secure perimeter is only half the battle. Strong internal security controls need to be in place to have an effective overall security strategy. Good security strategies come not only from the ability to catch rogue employees, but also to prevent legitimate human errors. This can only come from good security awareness programmes.
Converting from traditional methods of security awareness such as paper-based information leaflets, posters, classes and passive intranet sites, to electronic delivery of policies and procedures to employees by their specific job function will negate any discrepancy of funding one area of compliance versus another.
And, this is exactly what has been at the forefront of the compliance and governance regimes.
MiFID is seen as something that employees must follow and comply with because it is fundamental to the business. Businesses may not like it, but because it is clearly something that they and their fellow businesses must follow, then they take it seriously and invest in education and training for staff.
As information security still tries to live as a technocracy, where users just follow orders and there is no real education as to why they should, it will always sit lower in the pecking order.
It is the inclusion of mandatory educational awareness by bodies such as the Financial Services Authority that has driven escalation of knowledge within businesses. The Chairman of a FTSE Financial Firm can probably quote you chapter and verse about the pain her business is going through to achieve MiFID. However, she probably isn’t aware that her company is using Checkpoint or McAfee, for example, and doesn’t know why her business is spending millions of pounds every year on making it a safer place to be.
In the animal world, parents neglect their offspring because they are too busy building nests and defending their territory. Unless security decides that it is not a discussion around IPS versus IDS or PIX versus Checkpoint, and views itself as a true business survival discipline, then it will continue to be the runt of the litter.

• Nigel Kilpatrick is Sales and Marketing Director, Iconium Limited, and can be contacted via tel: +44 1403 754300

Billing converged services

On the battlefield, it is important to understand one’s opponent, just as in our everyday roles it’s our customers that we have to comprehend, says Bhaskar Gorti

One of the hottest topics under debate in telecoms these days is the emergence of what have become known as ‘triple’ or ‘quad’ play service providers. Using a single core network infrastructure and associated OSS/BSS IT systems, service providers who traditionally focused only on one service domain – such as cellular, fixed or cable entertainment – are now moving into adjacent fields on the game board. What were once fixed boundaries between different technologies and industry sub-sectors are becoming highly permeable and service providers are having to move out of their comfort zones to compete in new areas for access to the customers’ pockets and purses.

The late ‘90s may have seen a stirring of some of the technological and commercial forces now being unleashed – such as early versions of VoIP, content services and the emergence of many small service providers – but these largely fizzled out during the financial downturn. Now, however, these are back with a vengeance, along with some newer and largely unexpected entrants such as community networking services from MySpace, and the tentacle-like reach of Web-based entities like Google.
As each service provider gears up for this seismic shift in the telecoms terrain, assembling armouries of new technologies, services and partnerships, long term commercial success is only going to come by coordinating an increasingly diverse and complex set of activities and focusing these more directly on the customer. What has historically been a relatively two-dimensional service world is fast becoming multi-dimensional, challenging traditional business models. The issue now is how to make money through all these new customer delivery channels in a world where revenues from voice calls continue to fall.
The forces driving this change are already becoming clear. Wireless communications, in both cellular and WiFi/WiMax/WLL incarnations, are rapidly becoming ubiquitous in both developed and developing countries with VoIP-based services already starting to challenge and indeed bypass the cellular incumbents. Location services, long reliant on over-complex technologies and dubious business cases, look set to enjoy a resurgence of interest, building on open platforms like GoogleEarth and Web 2.0 concepts. On top of this, the growing confidence in the MVNO model will continue to increase service and application diversity in both the enterprise and personal communications spheres.
In the fixed domain, telecom incumbents, cable operators and start-ups are all looking to bundle IP connectivity with content and entertainment packages, reaching further in many cases into the home or office environments than before. While many regulatory and technical issues remain to be resolved with IPTV and broadband content rights, the continuing falls in voice revenues are forcing operators here to aggressively enter new and previously unexplored domains.
For the business readers of Sun Tzu’s The Art of War – a favourite of the airport book shop business section – or any of the other books interlinking military and commercial strategies, history is once again at hand to cast a light on some of these issues. It’s arguable that what our industry is currently facing is similar to that faced by armies, air forces and navies during the last century when it came to conducting synchronised combined operations. Just as three very different cultures, technologies and mindsets had to be brought together with a reasonable degree of co-ordination – which frequently involved the banging together of the large egos amongst the commanders of the different forces – so too must telecommunications companies integrate their operations.
In this context, however, the objective is not to bring overwhelming force down on one fixed point on the map, but instead to manage an increasingly long and multi-dimensional logistics and distribution chain, target the customer and, ultimately, extract the maximum profits from them. The really tricky part involves opening up the customer to get them to pay for all the new services now on offer, making them feel valued – but at the same time protect that relationship from all the new competitive forces out there and still enable them to become part of a revenue-generating community themselves by sharing their content or participating in social networking groups.
While a lot of these new service concepts are essentially still at the beta stage, this doesn’t mean that operators can rest on their laurels. As voice tariffs continue to plummet and basic broadband connectivity over fixed radio or ground links becomes an ever-cheaper commodity, service providers have to find a way of crossing the revenue chasm that’s currently in front of them.

Billing as a key enabler
While telecoms begins to play out its own version of combined operations across land and the airwaves, there’s one dictum of Sun Tzu’s that remains highly relevant – at least after a tweak or two. While his writings always emphasised the importance of understanding one’s combatant, in our everyday roles it’s our customers that we have to understand.
To be sure, the triple and quad-play models are increasing the complexity of the delivery chain from our ends, but from the customer’s perspective, for the most part they don’t care how services are delivered – they just want them where and when they need them and at the right price. While newer IP-based technologies are cutting capital investment costs for service providers, coexistence with legacy systems is going to be a fact of our industry for some years yet and ‘big bang’ switchovers will be necessarily limited.
In this context, it starts to become obvious that it’s from the customer-facing elements of the infrastructure that the most immediate – and yet strategic – returns can come. Just as with the combined operations analogy, the technological equivalents of new weapons systems might be continually appearing out of the laboratories and off the production lines, but unless they can be delivered successfully to the most appropriate targets then the supporting innovation will count for little.

Facets to consider
There are a number of different facets to consider here when it comes to designing the back office systems needed to manage the incredible complexity that we now face. For a start there are the issues of rating for services and bundles of services. If customers already complain about the difficulty of understanding the many tariffs on offer from their mobile service providers, how are they going to respond when fixed-mobile, content, entertainment and broadband access offerings get added to the pot? Irrespective of the complexity of the signalling, authorisation and charging functions going on behind the scenes, the customer demands simplicity and transparency across all aspects of the supplier-user relationship.
This rallying cry of simplicity and transparency also applies to the internal operations of a service provider as well as to their relationships with the increasing number of third parties that will be involved in creating services. In some cases these may be TV or radio programmes, in others it will be VNOs set up to specifically target market niches based on ethnicity or special interests. The addition of content and broadcast services also changes the regulatory ground rules that service providers will have to adhere to, both in the areas of financial reporting as well as social responsibility around such issues as advertising, gambling or adult services.
Internally, the unrelenting drive to roll more and more services out to market in shorter and shorter timescales also places increasing pressure on the back office, especially in the field of revenue management and product life cycle management. With service and application development moving towards ‘Internet time’, where product lifecycles may be measured in weeks or even days – such as around major music, sporting or charity events – service providers will effectively be flying blind unless they have ready access to the relevant data on the success or failure of a particular offering.
If the industry sometimes took a relatively cavalier approach to the problems of fraud and revenue leakage in the past, this laxness cannot continue. Imagine the state of the world today if armies, air forces and navies could not have worked together to synchronise combined operations during the last century. As Sun Tzu proposes, military and commercial strategy share a great many of the same principles.
As the industry moves to a truly triple-play world, the strategic enabler for the ‘Combined Operations’ battlefield of the 21st Century will be one that unites different technologies, working practices and mindsets.
As the customers themselves become truly mobile – accessing services through a variety of different devices and access technologies – and the value of service and content transactions starts to rise, any vulnerabilities will hit both the bottom line and the confidence levels of customers and business partners. 

• Bhaskar Gorti is SVP, Worldwide Sales, Services, Marketing and Alliances, Portal.  www.portal.com

WLANs

Possessing the ability to perform in-depth monitoring of a wireless environment is one of the key elements of maintaining a secure, workable WLAN, says Chris Bell

There probably hasn’t been an announcement in your corporate newsletter, and the subject isn’t likely to have come up in discussions of political intrigue at your water-coolers, but there is about to be a significant promotion within your organisation. Chances are that the Wireless LAN (WLAN) that has been diligently operating in your warehouses and factory floors for years is about to take its first significant steps into your office spaces.

The WLAN is being promoted from blue-collar workhorse to white-collar enabler. That it has taken so long for the WLAN to get its office job has been largely due to problems of perception. WLANs have been seen as hard to manage (a real career killer), difficult to scale up to enterprise demands, and lacking in certain requirements such as bandwidth, security and quality of service (QoS).
Recent improvements in underlying security schemes have gone a long way to bring about this promotion. Add to this the on-going developments of QoS techniques and proposals to increase bandwidth to wire-speed equivalents, and suddenly WLANs can truly be described as enterprise-ready.
However, risks are inherent in any wireless technology and these risks haven’t gone away. Some of these risks are similar to those of wired networks, some are exacerbated by wireless connectivity and some are new. Without doubt, the most significant source of risks in wireless networks is that the technology’s underlying communications medium, the air, is accessible to intruders and is at the mercy of interference from a variety of sources. 
Risks typically associated with wireless communications include loss of confidentiality and integrity, and the threat of denial of service (DoS) attacks.  Unauthorised users, it is feared, may gain access to systems and information, corrupt data, consume network bandwidth, degrade network performance, launch attacks that prevent authorised users from accessing the network, or use resources to launch attacks on other networks. 
So, today’s corporate network managers need to understand how to embrace this newly promoted co-worker. They need to know not only how the wireless revolution is taking place, but also how wireless technology will affect the day to day monitoring and management of network data.
Maintaining the security, reliability and overall performance of a wireless LAN requires the same kind of ability to look ‘under the hood’ as the maintenance of a wired network. However, wireless networking presents some unique challenges for the network administrator and requires some new approaches to familiar problems. 

Meeting previous shortcomings
Communications security is often described in terms of authentication, confidentiality and integrity. In its first incarnation published in 1997, the 802.11 WLAN standard failed to adequately address these points. The ensuing debate about how to fix these basic flaws went on for seven years, finally coming to a conclusion with the publication of a new amendment, 802.11i, in July 2004. 
The 802.11i standard takes a modular approach to securing wireless communications, allowing systems architects and designers to select the protocols and mechanisms that best suit their environment. Confidentiality and integrity are provided by any one of three protocols: WEP, TKIP or AES. Although WEP (Wired Equivalent Privacy) is still retained as part of the standard to provide backwards compatibility with legacy hardware and operating systems, it is deprecated in favour of either TKIP or AES, as there are many tools available to quickly compromise systems secured with WEP. TKIP (Temporal Key Integrity Protocol) is based on the same encryption algorithm as WEP, but uses key management algorithms to generate a new key for every packet that is transmitted through the air. AES (Advanced Encryption Standard) represents a complete move away from the WEP protocol and is a logical choice for providing confidentiality and integrity services for new WLAN installations. Both TKIP and AES inherently protect a WLAN from attack by devices with spoofed or cloned Ethernet (MAC) addresses.
Authentication services are provided either by using a pre-shared key or by using the 802.1x framework (another IEEE standard) to hook into higher level authentication services, such as EAP or Kerberos. Pre-shared key authentication relies on a well-known secret remaining secret. It is possible, using freely available tools, to capture traffic sent by a device connecting to a WLAN Access Point (AP) and then run an off-line dictionary attack to determine the shared secret. The pre-shared key should therefore be treated as though it is a password and should contain upper and lower case characters, numbers and extended ASCII characters as a minimum.
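An added example, not part of the original article: a Python audit of a candidate pre-shared key before it is deployed. It shows the standard WPA pre-shared key derivation (PBKDF2-HMAC-SHA1 salted with the SSID), which is why the passphrase is the only secret an off-line guess has to find, and then checks length, character mix and a deny-list; the deny-list contents and function names are assumptions.

```python
import hashlib

# Constructed deny-list for the example; a real audit would load a large wordlist.
COMMON_PASSPHRASES = {"password", "letmein123", "welcome2024", "changeme!"}


def derive_pmk(passphrase, ssid):
    """Derive the 256-bit master key used in WPA pre-shared key mode.

    The only inputs are the passphrase and the SSID, and the SSID is broadcast,
    so the passphrase is the sole secret protecting the network.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32
    )


def audit_passphrase(passphrase, deny_list=COMMON_PASSPHRASES):
    """Return a list of policy findings; an empty list means the passphrase passed."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("length is outside the 8-63 characters WPA allows")
    required = {
        "lower-case letter": str.islower,
        "upper-case letter": str.isupper,
        "digit": str.isdigit,
        "non-alphanumeric character": lambda c: not c.isalnum(),
    }
    for name, predicate in required.items():
        if not any(predicate(c) for c in passphrase):
            findings.append("no " + name)
    # Case-fold before the lookup: capitalising a dictionary word adds little.
    if passphrase.lower() in deny_list:
        findings.append("found in the deny-list of common passphrases")
    return findings


if __name__ == "__main__":
    for candidate in ("Password", "c0rrect-Horse-battery-7taple"):
        print(candidate, "->", audit_passphrase(candidate) or "no findings")
    # Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
```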
The WLAN industry’s marketing arm, the Wi-Fi Alliance, has taken steps to popularise the extremely technical nature of 802.11i with the introduction of compatibility testing for security services known as Wi-Fi Protected Access (WPA). All products tested at Wi-Fi labs around the world must support these security services to receive even basic approval and display the coveted Wi-Fi logo on products. One in four devices sent for testing fails to get over even this quite low hurdle.

Striking a balance
Of course, defending corporate resources must begin with a statement of policy. Without a policy there can be no enforcement, and without enforcement there is no security. Analysts have been recommending the development of specific WLAN policies for many years, but still large numbers of organisations remain fundamentally unprepared.
Once the policy has been developed, steps need to be taken to ensure that it is adhered to. This requires the implementation of technologies to monitor WLAN traffic backed up with the resources and the plans to act on the information that is received.
The right defence is the one that is balanced and that matches the expected range of attacks. As the proliferation of Intrusion Protection Systems (IPS) for WLANs demonstrates, the passive elements of authentication, encryption, and integrity check must be backed up by active elements such as monitoring and pursuing attempted breaches, maintaining security discipline, and so forth. The right defence is one in which a breach requires just slightly more time and effort from attackers than they are willing to invest. Security measures impose costs and constraints on the defender. Like any other business decision, these trade-offs must be made with eyes open.
Simply enabling the features in 802.11i or WPA will not provide a truly secure wireless environment. Threats can come from a wide variety of sources and can be either malicious or unintentional. One must be able to determine quickly whether an unknown wireless device actually represents a threat to corporate resources or whether a sales rep has simply turned on his laptop while waiting to go into a meeting.

Analysing the problems
Having the ability to perform in-depth monitoring of your environment is the key to maintaining a secure, workable WLAN. A wireless analyser can provide an accurate picture of the devices in your network, showing which users are connected to which APs (Access Points). It can also display statistics about the utilisation of the WLAN, showing signal and noise measurements on every channel on which traffic is detected.
A good wireless analyser can be used to monitor compliance with security policies, and to identify, intercept, log, and analyse unauthorised attempts to access the network. Modern network analysers can automatically respond to security threats in a variety of ways, making them ideal tools both for monitoring and for more focused analysis. Expert, real-time analysers scan traffic on a network, looking for anomalies and sub-optimal performance. They provide a set of expert troubleshooting and diagnostic capabilities and problem detection heuristics based on the network problems found.
Many systems will detect rogue APs and unknown clients, which is only really useful if you are then able to see the traffic that is passing across these connections. Having the ability to capture traffic on the WLAN and to track this traffic as it passes through the wired network can provide invaluable information about the overall security and integrity of your systems.             
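As an added example (not from the article or from any analyser product), the following Python classifies each observed access point against a written WLAN policy, separating a probable rogue from a neighbour's network or a visitor's laptop. The policy fields, record layout and all addresses are assumptions constructed for the illustration.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "bssid ssid verdict severity detail")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}

# Policy values are assumptions made for this example.
POLICY = {
    "corporate_ssids": {"CORP-WLAN"},
    "authorised_bssids": {"02:00:00:aa:bb:01", "02:00:00:aa:bb:02"},
    "allowed_ciphers": {"TKIP", "AES"},  # WEP is deprecated, so it is not listed
    "known_clients": {"02:00:00:cc:dd:01", "02:00:00:cc:dd:02"},
}

# Constructed observations in the shape an analyser export might take.
OBSERVATIONS = [
    {"bssid": "02:00:00:AA:BB:01", "ssid": "CORP-WLAN", "cipher": "AES",
     "clients": ["02:00:00:cc:dd:01", "02:00:00:EE:EE:09"]},
    {"bssid": "02-00-00-AA-BB-02", "ssid": "CORP-WLAN", "cipher": "WEP",
     "clients": ["02:00:00:cc:dd:02"]},
    {"bssid": "02:00:00:10:20:30", "ssid": "CORP-WLAN", "cipher": "OPEN",
     "clients": []},
    {"bssid": "02:00:00:44:55:66", "ssid": "CoffeeShop", "cipher": "OPEN",
     "clients": ["02:00:00:CC:DD:01"]},
    {"bssid": "02:00:00:77:88:99", "ssid": "NeighbourNet", "cipher": "TKIP",
     "clients": ["02:00:00:0f:0f:0f"]},
]


def norm_mac(mac):
    """Normalise separator and case so allow-list lookups do not miss."""
    return mac.replace("-", ":").lower()


def triage(obs, policy):
    """Classify one observed AP against the WLAN policy."""
    bssid = norm_mac(obs["bssid"])
    clients = {norm_mac(c) for c in obs["clients"]}
    ours = clients & policy["known_clients"]

    def finding(verdict, severity, detail):
        return Finding(bssid, obs["ssid"], verdict, severity, detail)

    if bssid in policy["authorised_bssids"]:
        if obs["cipher"] not in policy["allowed_ciphers"]:
            return finding("policy-violation", "high",
                           "authorised AP is using " + obs["cipher"])
        strangers = clients - policy["known_clients"]
        if strangers:
            return finding("unknown-client", "medium",
                           "unlisted clients: " + ", ".join(sorted(strangers)))
        return finding("authorised", "info", "matches policy")
    if obs["ssid"] in policy["corporate_ssids"]:
        return finding("rogue-suspect", "high",
                       "unlisted AP is advertising a corporate SSID")
    if ours:
        return finding("client-misassociation", "medium",
                       "corporate clients attached: " + ", ".join(sorted(ours)))
    return finding("neighbour", "low", "unlisted AP with no corporate clients")


def triage_all(observations, policy):
    """Triage every observation and return findings, most severe first."""
    findings = [triage(o, policy) for o in observations]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


if __name__ == "__main__":
    for f in triage_all(OBSERVATIONS, POLICY):
        print(f"{f.severity:6} {f.verdict:22} {f.bssid} {f.ssid:13} {f.detail}")
```

A BSSID match is only as strong as the address itself, so an "authorised" verdict is a starting point for the traffic capture described above, not a substitute for it.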

• Chris Bell is European Sales Engineer, WildPackets www.wildpackets.com