Security at the access edge requires fully authenticated, validated and encrypted connections to protect subscribers, plus comprehensive application-level perimeter security to defend service provider and enterprise infrastructures.
However, this level of “deep” or “strong” security requires more processing time for each function, which adds delay to the transmission. While non-interactive applications such as email (SMTP) and web (HTTP) are not sensitive to latency, jitter and loss, real-time applications are, and even minor performance degradations can result in an unacceptable quality of service.
For this reason, Covergence Session Manager (CSM) was specifically architected and optimized to execute security functions on real-time traffic without degrading performance or compromising quality of service. You can read more about CSM's architecture here.
Purpose-built CSM delivers the coordinated, comprehensive protection required to make SIP secure:
Authentication and authorization – Recognizing that most service providers have an authentication and authorization infrastructure in place, CSM provides comprehensive support for standard and vendor-specific authentication techniques such as SIP Digest and TLS. This allows administrators to implement fine-grained, identity-based access control policies that ensure the authenticity of all subscriber communications.
Signaling encryption – Using the Transport Layer Security (TLS) protocol, CSM encrypts and decrypts SIP messages at the network edge, preventing call hijacking and other threats based on the visibility and mutability of signaling. Encryption is critical for ensuring the authenticity, confidentiality and integrity of SIP signaling streams.
Media encryption – Using the Secure Real-time Transport Protocol (SRTP), CSM encrypts and decrypts media streams, preventing eavesdropping, media injections and other attacks based on the visibility and mutability of media. Media encryption is critical for ensuring the authenticity, confidentiality and integrity of real-time communication, since network tools can easily capture and replay unencrypted media streams.
Signaling and media validation – Many exploits and attacks are based on the presentation of invalid signaling or media. For example, the injection of invalid signaling information is the basis for most buffer overflow attacks. CSM terminates, validates and regenerates all SIP signaling and SIP-associated media streams. A combination of semantic (stateful) and syntactic (stateless) validation prevents attacks, even by authenticated subscribers, and ensures that the media sessions set up by SIP user agents match those that were negotiated during associated signaling dialogs.
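The two validation layers described above can be illustrated with a small toy implementation. The following is an added example, not Covergence code: the stateless (syntactic) pass checks the request line, header shape, mandatory headers and that Content-Length agrees with the actual body, so a truncated or malformed message is rejected before it reaches any parser that trusts it; the stateful (semantic) pass records the media endpoint negotiated in the INVITE's SDP and permits media only toward endpoints that signaling actually opened. The SIP messages, Call-ID, addresses and ports are constructed sample values.

```python
import re
from typing import Optional

# Added example, not Covergence code: a minimal stateless/stateful SIP validator.
MANDATORY_HEADERS = ("via", "from", "to", "call-id", "cseq", "max-forwards")
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>sips?:\S+) SIP/2\.0$")
SDP_CONN = re.compile(r"^c=IN IP4 (\d{1,3}(?:\.\d{1,3}){3})$")
SDP_MEDIA = re.compile(r"^m=audio (\d{1,5}) RTP/S?AVP ")


class ValidationError(ValueError):
    """Raised when a message fails syntactic validation."""


def parse_sip(raw: bytes) -> dict:
    """Stateless pass: request line, header shape, mandatory headers,
    and a Content-Length that agrees with the body actually received."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValidationError("missing CRLFCRLF between headers and body")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise ValidationError("non-ASCII bytes in header section")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValidationError(f"malformed request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValidationError(f"malformed header: {line!r}")
        headers[name.strip().lower()] = value.strip()
    missing = [h for h in MANDATORY_HEADERS if h not in headers]
    if missing:
        raise ValidationError(f"missing mandatory headers: {missing}")
    if "content-length" in headers:
        if not headers["content-length"].isdigit():
            raise ValidationError("non-numeric Content-Length")
        if int(headers["content-length"]) != len(body):
            raise ValidationError("Content-Length does not match body length")
    return {"method": m["method"], "uri": m["uri"], "headers": headers, "body": body}


def check(raw: bytes) -> Optional[str]:
    """None if the message passes the syntactic pass, else the rejection reason."""
    try:
        parse_sip(raw)
        return None
    except ValidationError as exc:
        return str(exc)


def negotiated_audio_endpoint(body: bytes):
    """(ip, port) from the SDP c= line and first audio m= line, or an error."""
    ip = port = None
    for line in body.decode("ascii", errors="replace").split("\r\n"):
        if (c := SDP_CONN.match(line)):
            ip = c.group(1)
        elif (mm := SDP_MEDIA.match(line)):
            port = int(mm.group(1))
    if ip is None or port is None or not 0 < port < 65536:
        raise ValidationError("SDP lacks a usable c=/m=audio pair")
    return ip, port


class MediaPinholes:
    """Stateful pass: media is permitted only toward endpoints that a
    validated INVITE actually negotiated, keyed by Call-ID."""

    def __init__(self):
        self.by_call = {}   # Call-ID -> (ip, port)
        self.open = set()   # (ip, port) pairs currently permitted

    def learn(self, msg: dict) -> None:
        if msg["method"] == "INVITE" and msg["headers"].get("content-type") == "application/sdp":
            endpoint = negotiated_audio_endpoint(msg["body"])
            self.by_call[msg["headers"]["call-id"]] = endpoint
            self.open.add(endpoint)

    def close(self, call_id: str) -> None:
        endpoint = self.by_call.pop(call_id, None)
        if endpoint:
            self.open.discard(endpoint)

    def permit_media(self, dst_ip: str, dst_port: int) -> bool:
        return (dst_ip, dst_port) in self.open


def _build_invite(body: bytes, drop_header: Optional[str] = None) -> bytes:
    """Construct a sample INVITE; optionally omit one header to simulate a defect."""
    headers = [
        "INVITE sip:bob@example.com SIP/2.0",
        "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bKexample",
        "Max-Forwards: 70",
        "From: <sip:alice@example.com>;tag=1928301774",
        "To: <sip:bob@example.com>",
        "Call-ID: constructed-call-1@192.0.2.10",
        "CSeq: 1 INVITE",
        "Content-Type: application/sdp",
        f"Content-Length: {len(body)}",
    ]
    if drop_header:
        headers = [h for h in headers if not h.lower().startswith(drop_header.lower() + ":")]
    return ("\r\n".join(headers) + "\r\n\r\n").encode() + body


# Constructed sample SDP and messages (documentation addresses, not real hosts).
SDP_BODY = (b"v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\n"
            b"c=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
GOOD_INVITE = _build_invite(SDP_BODY)
NO_CALL_ID = _build_invite(SDP_BODY, drop_header="Call-ID")
TRUNCATED = GOOD_INVITE[:-10]   # body cut short, so Content-Length no longer matches

if __name__ == "__main__":
    pins = MediaPinholes()
    pins.learn(parse_sip(GOOD_INVITE))
    print(check(GOOD_INVITE), check(NO_CALL_ID), check(TRUNCATED))
    print(pins.permit_media("192.0.2.10", 49170), pins.permit_media("192.0.2.10", 49171))
```

The point of the stateful half is that a media packet toward a port nobody negotiated is dropped even if it is well formed, which is what the page means by matching media sessions to their signaling dialogs; closing the dialog removes the pinhole again.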
Attack prevention – CSM constantly monitors for abnormal activity and denies resources to sessions that match an attack profile. The CSM denial of service (DoS) and distributed DoS detection and mitigation shield both service provider and enterprise infrastructures from disabling brute-force attacks.
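One concrete form of "matching an attack profile" is a rate profile: a source that opens far more sessions within a short window than any legitimate user agent would. The following is an added example, not Covergence code, showing a sliding-window detector that counts INVITEs per source, blocks a source for a cooling-off period once it crosses the threshold, and denies all of its requests while blocked. The log format, thresholds and source addresses are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Added example, not Covergence code: a sliding-window INVITE-rate detector
# that denies resources to a source matching a flood profile.


class SipFloodDetector:
    def __init__(self, max_requests: int, window_seconds: float, block_seconds: float):
        self.max_requests = max_requests   # INVITEs tolerated per window
        self.window = window_seconds
        self.block = block_seconds
        self.history = defaultdict(deque)  # src -> timestamps inside the window
        self.blocked_until = {}            # src -> epoch seconds when the block lifts

    def observe(self, ts: float, src: str, method: str) -> str:
        """Return 'allow', 'block' (threshold just crossed) or 'deny' (still blocked)."""
        if self.blocked_until.get(src, 0) > ts:
            return "deny"
        if method != "INVITE":            # only session setup counts toward the profile
            return "allow"
        q = self.history[src]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop timestamps that slid out of the window
            q.popleft()
        if len(q) > self.max_requests:
            self.blocked_until[src] = ts + self.block
            q.clear()
            return "block"
        return "allow"


def parse_log_line(line: str):
    """Constructed format: '<ISO-8601 UTC> <METHOD> <source-ip>'."""
    ts_str, method, src = line.split()
    ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00")).timestamp()
    return ts, method, src


def _line(sec: float, method: str, src: str) -> str:
    return f"2024-05-01T12:00:{sec:06.3f}Z {method} {src}"


# Constructed sample log: a normal caller, then a burst of 25 INVITEs in 0.25 s
# from a second source, followed by a REGISTER from that source.
CONSTRUCTED_LOG = (
    [_line(t, "INVITE", "198.51.100.7") for t in (0, 2, 4, 6)]
    + [_line(10 + 0.01 * i, "INVITE", "203.0.113.9") for i in range(25)]
    + [_line(12, "REGISTER", "203.0.113.9")]
)


def run(lines, detector=None) -> dict:
    """Feed log lines through the detector; return verdicts per source."""
    det = detector or SipFloodDetector(max_requests=20, window_seconds=5, block_seconds=60)
    verdicts = defaultdict(list)
    for line in lines:
        ts, method, src = parse_log_line(line)
        verdicts[src].append(det.observe(ts, src, method))
    return dict(verdicts)


if __name__ == "__main__":
    for src, v in run(CONSTRUCTED_LOG).items():
        print(src, {k: v.count(k) for k in ("allow", "block", "deny")})
```

In a real deployment the profile would be tuned per trunk or subscriber class and combined with the authentication state, so that an authenticated user with a genuine burst is treated differently from an anonymous source; the structure of the check stays the same.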
Virus scanning – CSM scans SIP-enabled file transfers using integrated anti-virus technology from industry-leading anti-virus vendors. Application-aware scanning prevents the propagation of viruses via IM and other SIP applications.
CSM appliances sit at key control points in the network, in line with all SIP signaling and media traffic. From this vantage point, they provide a complete, synchronized, stateful view of all SIP signaling and associated media flows, a fundamental requirement for application-level security.
CSM's management interfaces allow administrators to assign security policies to SIP sessions with specific layer 1 – 7 attributes—source network, destination network, user, group, department, role, etc.—enabling total control over all SIP-based activity.
Click here for a CSM security feature list.
Click here for a complete list of TLS/SRTP endpoints supported by CSM.