The global Verification Involving Public Switched Telephone Network (PSTN) Reachability (ViPR) Network (ViPRNet) brings together Session Initiation Protocol (SIP), the PSTN, and peer-to-peer (P2P) technology to enable companies to collaborate with partners, suppliers, and customers - the kind of collaboration that gives you a competitive edge.
Today, competing successfully depends on collaborating successfully, which means collaborating with unified communications across enterprise boundaries. Participation in a global ViPRNet, based on the Cisco® Intercompany Media Engine (Cisco IME), enables companies to use high-resolution video and wideband audio, document sharing, presence recognition, voice and email, and all their other communications tools and applications to make meetings with partners, suppliers, and customers as effective as success demands. It even enables enterprises to share internal directories and other information with their communication partners. Cisco IME uniquely combines SIP, PSTN, and P2P technology to unfetter communications and save significant costs, with extremely high security and reliability.
The Cisco IME network is remarkably uncomplicated: Users just dial phone numbers. It also requires remarkably little administration. Cisco IME is appropriate for financial services, education, manufacturing, healthcare, and just about any other industry. If communications federation is what you need, this is your system.
Cisco IME: Competing Successfully Means Collaborating Successfully
Meetings used to look like this: perhaps five people in a room seeing each other face to face, hearing everybody easily, passing charts and drawings back and forth, reading body language, and building trust. In a well-planned meeting, your team had all the information you needed to make decisions on the spot.
But the word "team" has a new meaning now. Economic stresses and globalization are forcing you to collaborate with co-workers around the world. Moreover, in addition to propelling operating efficiencies, economic stresses have caused many companies to cut back to core competencies and outsource noncore functions, including important ones such as design, engineering, and even sales.
Today, a team is likely to be a dispersed group of people, not just at your company but also at other companies: suppliers, partners, customers, and perhaps even competitors. When you and the other four people "in the room" meet, you are likely to be in different locations. When you meet, each of you is sequestered on your own enterprise island, without the communications bridges you need to collaborate productively with the others.
Meetings are inhibited by lowest-common-denominator communications imposed by time-division multiplexing (TDM) links: You cannot hear everybody easily, and you cannot share documents as if you were passing them around the table. You are also inhibited by enterprise firewalls and the vagaries of divergent software.
So the word "collaboration" also has a new meaning. The operative concept is boundaryless, rich, unified communications conveying all the information you have available within that one room. You need access to everything from Caller ID information and detailed business cards to an unfettered combination of high-resolution video and audio, document sharing, presence recognition, integrated voice and email, instant messaging, and other interchanges.
When you collaborate beyond boundaries fully, you will make better decisions faster. You will have more of those "Aha!" moments that come from in-depth interactions among people with different experiences and perspectives. You will get to know each other and build trust. You will collaborate as if you were face to face.
Competing successfully depends on collaborating successfully.
Getting Off Your Island
Cisco IME builds secure bridges from your enterprise island to others with practically no administration on your part. Users do not even have to type email addresses or URLs. To reach anyone anywhere in the world who is part of the ViPRNet and then freely use the whole range of rich, unified communications capabilities, the user just dials a phone number.
Here are two examples: You, based in Dallas, can meet with team members in Sydney and London with high-quality video and audio as well as document sharing, even though your companies use different meeting software. If you have a question for someone at a supplier company, you can reach into that company's directory to find the right individual or group.
With its existing and potential capabilities, Cisco IME revolutionizes communications, as befits a technology based on the Internet itself. This unique technology brings together SIP, P2P, and the PSTN to enable people in different enterprises around the world to meet securely and productively.
Federation for Real Collaboration
Alert on Availability
Cisco IME networking enables people to go far beyond Internet basics such as email, simple document sharing, and conferencing. Meeting participants can see colleagues virtually face to face, pick up on visual cues such as body language not perceptible without high-definition video and audio, establish personal relationships, meld into a team, and brainstorm - and that is just the beginning (Figure 1).
Figure 1. Cisco IME Routes Calls over SIP Trunks and Enables Full Unified Communications and Numerous Other Benefits
Why Were Islands Built?
Why did companies isolate themselves on islands? In one word, security. It was not supposed to be this way. SIP was intended to link users freely across the Internet in peer-to-peer sessions. Spammers, hackers, and other malefactors changed that, however, and companies found it necessary to raise barricades.
The Open Pinhole
The primary security problem is the open pinhole. For unrestricted communications, each company or domain must run a SIP server with a port open to the Internet.
That open port is reachable from anywhere on the Internet and is not guarded by firewalls and other network security provisions. A workable concept in the early days of email, this port has become an opening for deluges of spam and denial-of-service (DoS) attacks. Administrators have understandably become reluctant to leave a wide open SIP port facing the Internet.
The Ease-of-Use Problem
Cisco IME solves the open pinhole problem. It also solves the other primary problem with SIP: While SIP is widely deployed within companies and other domains, using it as designed requires Internet identifiers between domains. The sending domain must find the receiving domain's Domain Name System (DNS) identifier: a domain name (such as cisco.com) and one or more IP addresses that will reach that domain, or, if SIP is being used, an email-style SIP Uniform Resource Identifier (URI).
But most SIP deployments use phone numbers, not URIs. Huge numbers of users do not have the latter. Moreover, many endpoints in SIP deployments do not use Internet protocol but, like non-IP phones, are circuit-based devices linked to the SIP network through a gateway. Because the universal identifier still tends to be the PSTN phone number, intercompany federation over the Internet requires mapping a phone number to a domain.
There is also the human factor: Phone numbers are most people's method of choice for making contact. Phone numbers have uniform formats within countries, making them easier to use than email addresses, they tend to be shorter, and almost everyone can be reached through one.
Required: A New Federation Model
Fixing the open-pinhole problem requires a fundamentally new model for federation, one in which problems are addressed as part of the design from the beginning, not as an afterthought. The new model must also be built around use of phone numbers.
The global ViPRNet is a single P2P ring composed of Cisco IME instances installed by each participating enterprise along with one or more gatekeeper bootstrap servers maintained by Cisco.
After your company is on the network, you can freely communicate with people at any company on the network, subject only to the companies' own policies.
As it takes its place on the ring, each enterprise system becomes part of a distributed database that holds all phone numbers participating in the ViPRNet and the specific node servers where they are stored. For redundancy, each piece of data is stored twice: on its own domain server and on another.
Scalability and Fault Tolerance
The distributed database is actually a huge distributed hash table (DHT). All ViPRNet phone numbers are hashed for security before they enter it; alongside each hashed number, the DHT holds the identifier of the node that stores that phone number. When a user dials a call, the company's Cisco IME queries the DHT to find the ID of the node that holds the called party's hashed phone number and SIP identifier.
The called company's privacy is protected. The calling company's server sees the receiving company's node ID, not its SIP identifier, so the first server is prevented from learning that the phone number maps to the second server's domain.
Each node holds its share of the DHT within an overlay network formed through the Resource Location and Discovery Base Protocol (RELOAD). When a given number makes or receives a call, the overlay network employs the Chord peer-to-peer lookup algorithm to locate the particular node that holds the desired (hashed) phone number. The Chord algorithm helps ensure that the lookup will take no more than log2(N) hops, where N is the number of nodes on the ring. Chord is economical: For a ring of 1024 nodes, the worst case would be 10 hops.
The use of this ring configuration makes the global ViPRNet both scalable and fault tolerant. There is no central authority or provider. Companies of whatever size just join and register with the bootstrap server, and if they are approved, they are on the network.
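The following is an added illustration of the DHT lookup described in this section, not Cisco's code: a small Chord ring in which each enterprise node keeps a finger table, a number is published as hash(number) -> owning node id on two nodes, and a lookup reports how many hops it took so the log2(N) bound can be checked empirically. The 16-bit ring width, the SHA-256 hash, the node names and the phone number are assumptions made for the example.

```python
"""Chord-style DHT lookup over hashed phone numbers, added here as an
illustration; this is not Cisco's implementation. Each enterprise node keeps a
finger table, a lookup walks the ring toward the hashed number and reports its
hop count (so the log2(N) claim above can be checked), and a published number
maps only to the owning node's id, never to its SIP URI. The ring width, hash,
node names and phone number are assumptions made for this example."""
import hashlib
from bisect import bisect_left

M = 16                 # assumption: 16-bit identifier ring (real DHTs use 128+ bits)
RING = 1 << M

def chord_id(value: str) -> int:
    """Map a node name or an E.164 number onto the ring with SHA-256."""
    return int.from_bytes(hashlib.sha256(value.encode()).digest()[:4], "big") % RING

def in_half_open(x, a, b):
    """True if x lies in (a, b] walking clockwise around the ring."""
    return a < x <= b if a < b else (x > a or x <= b)

def in_open(x, a, b):
    """True if x lies strictly in (a, b) walking clockwise."""
    return a < x < b if a < b else (x > a or x < b)

def successor(ids, k):
    """First live node id at or after k (ids sorted, wrapping at the top)."""
    pos = bisect_left(ids, k % RING)
    return ids[pos] if pos < len(ids) else ids[0]

class Node:
    def __init__(self, node_id):
        self.id = node_id
        self.finger = []   # finger[i] = successor(id + 2**i); finger[0] is the successor
        self.store = {}    # hashed number -> owning node id

def build_ring(names):
    """Create one node per enterprise name and fill every finger table."""
    ids = sorted({chord_id(n) for n in names})
    nodes = {i: Node(i) for i in ids}
    for n in nodes.values():
        n.finger = [successor(ids, n.id + (1 << i)) for i in range(M)]
    return nodes

def lookup(nodes, start_id, key):
    """Route from start_id toward key; return (responsible node id, hops taken)."""
    n, hops = nodes[start_id], 0
    while not in_half_open(key, n.id, n.finger[0]):
        nxt = n.id
        for f in reversed(n.finger):     # closest preceding finger
            if in_open(f, n.id, key):
                nxt = f
                break
        n, hops = nodes[nxt], hops + 1
    return n.finger[0], hops

def publish(nodes, owner_id, number):
    """Store hash(number) -> owner id on the responsible node and on its successor."""
    key = chord_id(number)
    primary, _ = lookup(nodes, owner_id, key)
    for holder in (primary, nodes[primary].finger[0]):   # two copies for redundancy
        nodes[holder].store[key] = owner_id

def resolve(nodes, caller_id, number):
    """All a calling enterprise learns: the owner's node id, plus the hop count."""
    key = chord_id(number)
    holder, hops = lookup(nodes, caller_id, key)
    return nodes[holder].store.get(key), hops

def demo(n_nodes=64):
    """Constructed ring: b.example publishes a number, a.example resolves it."""
    names = ["a.example", "b.example"] + [f"ent{i}.example" for i in range(n_nodes)]
    nodes = build_ring(names)
    a_id, b_id = chord_id("a.example"), chord_id("b.example")
    publish(nodes, b_id, "+14085550100")                 # constructed sample number
    owner, hops = resolve(nodes, a_id, "+14085550100")
    worst = max(lookup(nodes, s, k)[1] for s in nodes for k in nodes)
    return {"owner_ok": owner == b_id, "hops": hops, "worst_hops": worst, "nodes": len(nodes)}
```

Because every hop uses a strictly smaller finger index than the one before, no lookup takes more than M hops, and on a ring of 66 nodes the measured worst case stays close to log2(N).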
ViPR Ease of Use
The P2P ring and the DHT comprise the infrastructure of the ViPRNet. Operating over that infrastructure is Cisco's patented Verification Involving PSTN Reachability (ViPR) technology, which underlies the ViPRNet federation model. The ViPR protocol, which has been submitted to the IETF for consideration as a standard, is a fundamentally new technology in which security and ease of use are the starting points of design, not afterthoughts.
ViPR-based software makes the Cisco IME network easy to use because all you do to make calls employing rich unified communications is dial phone numbers. It also makes the network secure because all access is governed by call details known only to the Cisco IME for the calling and called phones.
PSTN and SIP
Setting up a link between two people at different companies is where the PSTN meets SIP. You in Company A establish a connection to Bob in Company B by calling him over the PSTN. If both companies are members of the global ViPRNet, the next time you dial Bob, your call agent places the call on the ViPRNet using SIP. Since this call and subsequent calls go over the network in SIP form, all the rich communications capabilities of a.com and b.com work cohesively and securely.
Here is how the PSTN call creates the secure link: After your call, your call agent "wakes up" and realizes that you have called an outside number. It checks whether this number belongs to a domain on the ViPRNet. If it does, the agent then ascertains that Bob's company, b.com, is willing to receive calls from you individually. It sends your domain name, a.com, to the b.com agent. Your initial PSTN call to Bob has created a record of four call details that the b.com call agent asks the a.com agent to confirm: the calling and called numbers and the start and stop times of the call.
The only way b.com's call agent can know the details of your call to Bob is if it received the PSTN call, and the only way it could have received the call is if it owns the phone number. Of course, the only way the a.com agent could know these details is if your number placed the call.
If both call agents have the correct call data, the b.com Cisco IME server sends Bob's SIP URI to the a.com Cisco IME server along with a ticket - an encrypted object - for your call agent to use when routing a call from you to Bob over the ViPRNet.
The a.com call agent stores this ticket to place it in the header of subsequent calls from you to Bob; only the b.com call agent can decode the ticket and approve the call. By storing Bob's SIP URI and the ticket, the a.com call agent "learns" and caches the route from you to Bob. (Because a.com must approve any calls to you, Bob must call you over the PSTN to set up parallel call details and a return ticket.)
The next time you call Bob, the a.com call agent sends the SIP URI it learned for Bob over a TCP/TLS connection. If the agent cannot complete the call using Bob's SIP URI, it routes the call over the PSTN, so all calls are delivered.
Nobody but you and Bob can use this particular Cisco IME link. Even Alice at a.com will have different PSTN call details from her initial call to Bob or Barbara at b.com and, of course, a different ticket. In addition, nobody can get onto the ViPRNet except other pairs who have gone through the same validation process.
Still More Security
The fact that a domain can call a specific number in another domain over SIP only if it has called the same number over the PSTN is crucial to fending off Internet-based spam and DoS attacks.
Calling numbers on the PSTN, especially internationally, costs money, so the ViPR system creates a financial disincentive. Even if a spammer manages to acquire a domain on the ViPRNet, ringing every phone in another domain would require having previously called each number on the PSTN (breaking some countries' laws). In addition, if the malefactor has already spammed the PSTN number, there probably would not be much incentive to spam a second time.
As an additional security measure, the ticket is valid only for a certain period of time, such as a few weeks or months or a year, as set by b.com company policy, after which Alice must call Bob over the PSTN again to have a new ticket created.
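The exchange described in the "PSTN and SIP" section and the ticket expiry described just above, as an added example that is not Cisco's code: the called domain compares the calling domain's claimed PSTN call details (calling and called numbers, start and stop times) against its own call log, issues a ticket bound to that pair with an expiry, and later accepts a SIP call only if the ticket verifies. Assumptions: an HMAC-authenticated token stands in for the encrypted ticket the text describes, and the clock tolerance, validity period, numbers and URIs are made up.

```python
"""ViPR-style ticket validation, added as an illustration; not Cisco's code.
The called domain checks claimed PSTN call details against its own log, issues a
ticket bound to the (calling, called) pair with an expiry, and accepts SIP calls
only when the ticket verifies. Assumptions: an HMAC token replaces the encrypted
ticket in the text; tolerance, validity period, numbers and URIs are made up."""
import base64, hashlib, hmac, json, secrets
from dataclasses import dataclass

TIME_TOLERANCE_S = 5   # assumption: permitted clock skew between the two call agents

@dataclass(frozen=True)
class CallRecord:
    calling: str       # E.164 calling number
    called: str        # E.164 called number
    start: int         # epoch seconds
    stop: int

class CalledDomainAgent:
    """The called domain's call agent: owns the PSTN call log and the ticket key."""
    def __init__(self, ticket_ttl_s: int):
        self.ttl = ticket_ttl_s
        self.key = secrets.token_bytes(32)   # never leaves this domain
        self.pstn_log = []                   # CallRecords the PSTN actually delivered here
        self.sip_uri = {}                    # called number -> SIP URI

    def _mac(self, body: bytes) -> bytes:
        return hmac.new(self.key, body, hashlib.sha256).digest()

    def details_match(self, claimed: CallRecord) -> bool:
        """Numbers must match exactly and start/stop times within tolerance."""
        return any(r.calling == claimed.calling and r.called == claimed.called
                   and abs(r.start - claimed.start) <= TIME_TOLERANCE_S
                   and abs(r.stop - claimed.stop) <= TIME_TOLERANCE_S
                   for r in self.pstn_log)

    def issue_ticket(self, claimed: CallRecord, now: int):
        """Return (sip_uri, ticket) for the calling domain, or None if the claim fails."""
        if not self.details_match(claimed) or claimed.called not in self.sip_uri:
            return None
        body = json.dumps({"calling": claimed.calling, "called": claimed.called,
                           "exp": now + self.ttl}).encode()
        return self.sip_uri[claimed.called], base64.urlsafe_b64encode(body + self._mac(body)).decode()

    def accept_sip_call(self, ticket: str, calling: str, called: str, now: int) -> bool:
        """Check the ticket carried in an inbound SIP call before routing it."""
        try:
            raw = base64.urlsafe_b64decode(ticket.encode())
            body, tag = raw[:-32], raw[-32:]
            if not hmac.compare_digest(tag, self._mac(body)):
                return False                  # forged or tampered ticket
            claim = json.loads(body)
            return (claim["calling"] == calling and claim["called"] == called
                    and now < claim["exp"])   # right pair, not yet expired
        except (ValueError, KeyError, TypeError):
            return False

def scenario() -> dict:
    """Constructed run: a.example's user calls Bob at b.example on the PSTN, then over SIP."""
    alice, bob = "+12145550100", "+14085550200"
    b = CalledDomainAgent(ticket_ttl_s=30 * 24 * 3600)
    b.sip_uri[bob] = "sip:bob@b.example"
    b.pstn_log.append(CallRecord(alice, bob, 1_700_000_000, 1_700_000_120))
    now = 1_700_000_200
    # a.example's own record of that call; its clock runs 2 s ahead of b.example's
    issued = b.issue_ticket(CallRecord(alice, bob, 1_700_000_002, 1_700_000_121), now)
    guessed = b.issue_ticket(CallRecord(alice, bob, 1_700_000_900, 1_700_001_000), now)
    uri, ticket = issued
    tampered = ticket[:10] + ("B" if ticket[10] != "B" else "C") + ticket[11:]
    return {
        "uri": uri,
        "guessed_details_rejected": guessed is None,
        "sip_call_ok": b.accept_sip_call(ticket, alice, bob, now + 60),
        "other_caller_rejected": not b.accept_sip_call(ticket, "+12145550199", bob, now + 60),
        "other_callee_rejected": not b.accept_sip_call(ticket, alice, "+14085550201", now + 60),
        "expired_rejected": not b.accept_sip_call(ticket, alice, bob, now + b.ttl + 1),
        "tampered_rejected": not b.accept_sip_call(tampered, alice, bob, now + 60),
    }
```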
The Enterprise's Role: Deploying Cisco IME
The enterprise installs Cisco IME, which comes in two versions, on a Cisco Media Convergence Server (MCS) or a server with similar capabilities. The Cisco 7825 MCS can serve up to 10,000 users, and the Cisco 7845 MCS can serve up to 40,000 users.
The enterprise also needs Cisco Unified Communications Manager (UCM) Version 8.0, which acts as the call agent, and Cisco ASA 5500 Series Adaptive Security Appliances Version 8.3, which handles perimeter security and monitors quality of service (QoS).
There are three deployment models, including one for third-party private branch exchanges (PBXs):
• Native Cisco Unified CM 8.0 integration
• Integration with Cisco Unified CM 6.0 and 7.0
• Third-party PBX integration
Figures 2 and 3 show the integration models.
Figure 2. Cisco IME Is Linked to Cisco Unified CM 8.0 or Cisco Unified CM Session Management Edition 8.0, Which Is Linked to the Cisco ASA Device, the PSTN, and the Company's Phones
Figure 3. Cisco IME Is Linked to Cisco Unified CM Session Management Edition 8.0, Which Is Linked to the PSTN and the Cisco ASA Device and, Through SIP, to Cisco Unified CM 6.0, Which Is Linked to the Company's Phones (This Is Also the Model for Connecting to Third-Party or Older PBXs and Their Phones)
The enterprise Cisco IME stores its domain's phone numbers, the SIP URIs for them, and the company's policy choices about who is permitted to call whom. It can maintain a black list of prohibited numbers and domains. It can also maintain a white list of the domains in a closed user group. Alternatively, it can permit access from and to anyone on the global ViPRNet.
Both domain- and prefix-level data are stored in the Cisco IME server, so the system can, according to policy, block certain departments or locations from reaching specific departments or locations at another company. It can also block all its phone numbers from being generally readable over the ViPRNet.
In addition, since it acts as a part of the DHT, the server will store - but will not be able to access - redundant hashed information from other companies, and another domain will store its data.
After Cisco IME, Cisco Unified CM 8.0, and Cisco ASA 5500 Series are set up and policies installed, ViPRNet communications take very little administrative time. The three components operate in the background, needing attention primarily only when the company adds capacity or changes policy.
The Bootstrap Server
The bootstrap server, which is replicated in several Cisco data centers, checks the credentials of and authenticates any new Cisco IME trying to join the network. In doing so, the bootstrap server weeds out the domains of known malefactors. Other ongoing tasks are helping ensure that the Cisco IMEs are configured properly to use the network, distributing information about routing to the various nodes, sending out tokens periodically to check network health, and monitoring traffic to see how many SIP messages are sent and validated each second and similar metrics.
ViPRNet at Work
Any company in any industry anywhere can benefit from joining the ViPRNet. A few examples from various industries indicate the abundant possibilities.
• Claims processing: Claims specialists at insurers or government payers can collaborate in real time with administrators at hospitals and doctors' offices to clarify issues and get more documentation.
• Access to specialists: Physicians and specialists within hospital networks can consult more effectively through video meetings and sharing of medical images and records.
• Research collaboration: Unified communications can stimulate and speed up research shared by groups at research organizations across the country or on other continents, and this access can be far more frequent and effective than traveling to meet or simply talking over the phone or sending documents.
• Troubleshooting: Maintenance personnel can share live streaming video of problems from the factory floor with a remote equipment vendor to solve breakdowns and other problems faster and reduce downtime.
• Design collaboration: Original equipment manufacturer (OEM) engineers can collaborate with product manufacturers, even in multiple locations, seeing and discussing designs, mockups, and prototypes as well as sharing data in real time through a mix of video conferencing, audio conferencing, and file sharing. They can also use presence to locate and link in other engineers or product managers for impromptu conversations.
• Access to remote interviewing: Candidates can be interviewed remotely using the ViPRNet, which brings in video using the normal telephone numbers, providing a richer and more personal experience while saving costs.
• Delivery of real-time lectures for remote classrooms: Areas where location would normally limit teaching options and availability can now offer classes with complete subject parity, regardless of the venue.
• Research coordination among universities: Use of the ViPRNet in conjunction with your existing telephone network enables more frequent, productive, and richer collaboration among colleagues, expediting research projects.
• Access to vendor subject-matter experts: A salesperson or even a customer can call and meet with an expert from a vendor's company to talk about product features or troubleshoot problems. Imagine how this can improve technical support for complex products. Call center representatives can have similar access to subject-matter experts.
• Global sourcing: As in design collaboration, personnel from various companies in the supply chain can meet from all over the world to discuss deadlines, shipping schedules, the needs of various members of the chain, and other matters to improve just-in-time delivery of components and time-to-market for new products.
• Making loans: A loan officer can meet with a client to discuss documentation with both being able to view questions on various forms and statements, hastening the loan-approval process and decreasing the need to rework documents.
• New channels: In most financial institutions, compliance officers do not allow personnel to discuss data with other staff members or customers through web sharing, email, or Internet chat. The security built into Cisco IME could make this sharing acceptable policy, avoiding slow faxing and mailing of documents and reducing the need for in-person visits.
By routing calls over the Internet rather than the PSTN, Cisco IME can save companies substantial sums on local and long-distance calling. Cisco estimates that the solution can reduce charges for a large enterprise by 30 to 50 percent and total cost of ownership (TCO) by up to 10 percent.
Cisco also estimates that Cisco IME can often pay for itself within about 18 months (Figure 4).
Figure 4. As This Example Developed for One Company Shows, Cisco IME Produces Substantial Savings in a Number of Areas, and Those Savings Add Up over Time
Removing the Communication Barriers
The global ViPRNet is a graceful and inventive path to rich, unified communications across company boundaries. It requires no changes in user behavior and little administration, and it provides secure transport and interoperability with equipment from other vendors.
Interoperability - eliminating the barriers to collaboration - is one of Cisco's main goals. Cisco recognizes that people within enterprises and their partners, suppliers, and customers operate in different workspaces, with different applications, on different devices and operating systems. Interoperability among all these is absolutely crucial for enterprises doing business today.
In overcoming differences between individual devices and applications, networks, and companies, enterprises remove barriers among people working for common goals.
Cisco's collaboration architecture, consisting of infrastructure, collaboration services, and communication and collaboration applications, is uniquely designed to enable boundaryless collaboration and to give people choices in how they collaborate.
Cisco IME takes its place in this architecture, giving people not only secure, reliable intercompany collaboration, but also honoring their preferences. With its peer-to-peer SIP connections, the system enables you and other users to use any devices and applications you choose. You can also use as much or as little unified communications as you need, from a simple phone call to document sharing to full-fledged Cisco TelePresence™ conferencing, even escalating on the same call.
With Cisco's collaboration architecture, communications freely follow the form and the flow of the work. Smoothness yields success.
Benefits for Service Providers
Although Cisco IME is installed on customer premises and calls are routed over the Internet, large opportunities are available for telecom companies, including wireless and cable service providers, as well.
Many service providers already offer rich, unified communications, so helping their business customers join the global ViPRNet is a natural evolution for them. By offering Cisco IME to their customers, service providers can:
• Offer hosted Cisco IME, firewall, and extranet services
• Differentiate their offerings by providing premium QoS
• Give their customers greater value with innovations such as connectivity groupings at reduced rates over the secure ViPRNet
Wireless service providers gain their own benefits. They can:
• Deliver enterprise-class services on IP endpoints: for example, enabling unified communications such as secure videoconferencing or visual caller ID between enterprise and mobile phones
• Reduce customer costs because their mobile interconnect costs are less
• Increase customer recruitment and retention through the "network effect," as more companies join the ViPRNet
Cable service providers can offer all their business customers enterprise-class unified communications that:
• Increase customer satisfaction and retention
• Help the customers improve productivity
• Provide cost savings that increase as the ViPRNet grows to include more companies
For More Information
For more information about Cisco Intercompany Media Engine, please visit http://www.cisco.com/go/b2buc or contact your local Cisco account representative.