An integral part of the IMS is the ability to move freely between various IMS domains. To ensure that this movement is secure, the security gateway (SEG) provides a secure crossover point between security domains. From the IMS perspective, a security domain is basically a network managed by a single network authority (e.g., the Verizon Wireless, Cingular Wireless, Sprint/Nextel, and T-Mobile networks are all unique security domains). The security gateways are found at the borders between the network operators.
From an operational perspective, the SEG processes all control-plane traffic that passes between the security domains. Its job is to enforce the security procedures of its security domain (i.e., if you know the password to the security domain, you can come in). Since it is a bidirectional process, the SEG can also determine whether a control-plane message is allowed to leave the security domain. The span of interaction of the SEG can include all or some of the other SEGs it can reach. To avoid a single point of failure, network operators might have more than one SEG in a security domain.