Interview with Tim Leisman, CEO, Borderware

 

 

You come from an Internet background. Do you think you have the right background to address voice as an application? Most companies with an Internet background have not been able to make a mark in the VoIP market. It is mostly the ones with a telecom background.

 

It is a fair comment. It is mostly the ones with a telecom background. We come from the Internet security world and we do have an obvious advantage in Internet communications and firewalls. SBC vendors initially made a nice impact in the telco marketplace. The difficulty of the telco marketplace is that it is a lot smaller than the enterprise marketplace, and in fact telcos are realizing that they are becoming service providers for voice as an application to consumers. Those telcos that are starting to get interested in VoIP security are basically the Internet groups inside both telcos and enterprises.

 

Do you mean that VoIP security issues come into the realm of Internet-type applications?

 

Yes. As an example, IM over SIP using SIMPLE is a typical source of threat. It is actually the Internet side of it that has called for attention to security issues. So what you are going to see over the next 6 to 9 months is more and more Internet-focused companies performing better in the market.

 

Could that be because the underlying protocol is SIP, which is very Internet-type in orientation?

 

That is another way of looking at it. SIP as a protocol is very similar to SMTP. The security issues that you have with email, you are going to have the same kind of issues with the SIP protocol because it has too many similarities. For the last couple of years companies have identified plenty of security loopholes within the SIP environment. So as the market moves along and we work on such issues, we also bring some of the firewall capabilities together, like NATing.

 

Tell us a bit about your SIP firewall product.

 

When we named this product SIP firewall, the market was rather difficult. People did not really understand, did not know what they needed to do, and the concept of a firewall was based all on bits, bytes and packets. Now, going beyond that in the voice world, you have got to start looking at not just the packets themselves; you have got to be looking a lot more at what is happening within the SIP protocol.

 

If all you do is pure security, then you are not going to sell much these days because the perceived threat is not big enough. We do a lot of things that SBCs do, but SBCs are typically $100,000 to start with and then you move up from there. We are trying to build a security appliance for SIP that has a lot of the capabilities of SBCs at a price point between 10K, 20K to about 110K.

 

General-purpose firewalls do not generally do the deep packet inspection needed to protect corporations using VoIP. How capable is your SIP Firewall of doing deep packet inspection in VoIP networks?

 

If I am talking to you on a VoIP line, how many packets do you think would be used in 5 seconds? It is actually in tens of thousands of packets. So if I look at one individual packet within that stream and do the deep packet inspection on that one packet, how useful do you think that really is? The whole concept of deep packet inspection is a very interesting marketing theory and marketing ploy. How capable are we of doing deep packet inspection? Well, we are as capable as everybody else. At a packet level we do identical to what all of these other perimeter solutions do.

 

Do you have a SIP firewall version that caters to the carrier environment?

 

We have large telco customers like Telus and Swisscom. Most of the deals we have in this area are with carriers who are provisioning VoIP services to SMBs. I do not know what you call carrier-level capability, but we can scale well. If you are talking a couple of million subscribers, we can do that with no problem. Actually the bigger issue here is that you offer a lower price point and what the adoption is and how fast the carriers are moving. But if you just try to sell a pure security device, that is a tough call right now because we have not had the kind of mass attacks and stuff that will drive the panic buying that you saw in the email market 5 years ago. If that happens, it will be good for our business.

 

What do you think about the prospects of an SBC Software Development Kit such as the one offered by Data Connection? Do you think SBCs can be OEMed like a SIP stack?

 

If things like NATing are the features and functionality that you are looking for in an SBC, then a software solution makes sense. However, the concept of having just the pure software solution of security has failed in the marketplace in the past and will fail in the future. People want security to be on a secure appliance that is capable of withstanding different types of attacks and not just the ones that are purely within that system.

 

What VoIP security standards are available to vendors and developers at present?

 

At the moment we all have to admit that the standards are very sketchy around VoIP. There are very few standards that are being adhered to by the vendors. For example, in the case of encryption, SOTP is the one standard. However, none of the vendors are implementing SOTP yet. Since this is still a very early technology, we are still not finding a huge amount of compliance by vendors, and that is an issue for any kind of early-stage market. Standards are something that we are going to deal with for probably the next 9 to 18 months.