Vocalcom High Availability Voice: Mediant 4000 SBC Configuration

Version 1.0 by Simon Harrison, June 14th 2013. VIRTUAL CONTACT CENTER in the Cloud. www.vocalcom.com

Presentation transcript:


AudioCodes HA Mechanisms

AudioCodes SBC High Availability provides:
• A 1+1 redundancy scheme
• A keep-alive mechanism to automatically switch over the SBC in case of failure
• Call context synchronization in order to preserve active calls during a switchover
• A method to upgrade SBC firmware without disturbing current calls (Hitless Software Upgrade)
• A single configuration and auxiliary files repository for the M4K cluster

Vocalcom Deployment

Mediant 4000 HA

Mediant 4000 HA – Mode 1 – Local Deployment

Mediant 4000 HA – Mode 2 – Geographical Redundancy

Mediant 4000 HA – Firewalls Config

The following table provides the rules for setting up the SBC firewall when security is activated or, in the case of geographical HA, for filtering nodes on the SBC's MAINTENANCE VLAN.

| Source Host | Dest Host | Dest Port | Protocol | Comment |
|---|---|---|---|---|
| M4K-1 | M4K-2 | 669 | UDP | Keep-Alive packets |
| M4K-2 | M4K-1 | 669 | UDP | Keep-Alive packets |
| M4K-1 | M4K-2 | 2442 | TCP | HA Control and Data packets |
| M4K-2 | M4K-1 | 2442 | TCP | HA Control and Data packets |
| M4K-1 | M4K-2 | 80 | TCP | File Transfer |
| M4K-2 | M4K-1 | 80 | TCP | File Transfer |
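The firewall table above, turned into a default-drop rule set for a filtering node and a check of observed flows against it. This is an added example, not part of the original deck or of AudioCodes tooling; the node addresses, the nftables table name `sbc_ha` and the flow-record format are assumptions.

```python
# Addresses are placeholders from the RFC 5737 documentation range (assumed).
NODES = {"M4K-1": "192.0.2.11", "M4K-2": "192.0.2.12"}

# Rows of the slide's table; each applies in both directions between the nodes.
HA_SERVICES = [
    (669, "udp", "Keep-Alive packets"),
    (2442, "tcp", "HA Control and Data packets"),
    (80, "tcp", "File Transfer"),
]

def allowed_flows(nodes=NODES):
    """Expand the table into (src_ip, dst_ip, dport, proto) tuples."""
    a, b = nodes["M4K-1"], nodes["M4K-2"]
    return {(s, d, port, proto)
            for port, proto, _ in HA_SERVICES
            for s, d in ((a, b), (b, a))}

def nft_ruleset(nodes=NODES):
    """Render a default-drop nftables forward chain for a filtering node."""
    lines = ["table inet sbc_ha {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for s, d, port, proto in sorted(allowed_flows(nodes)):
        lines.append(f"    ip saddr {s} ip daddr {d} {proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)

def audit(flow_log, nodes=NODES):
    """Return flows seen on the maintenance VLAN that the table does not permit."""
    ok = allowed_flows(nodes)
    bad = []
    for line in flow_log.strip().splitlines():
        src, dst, dport, proto = line.split()
        flow = (src, dst, int(dport), proto.lower())
        if flow not in ok:
            bad.append(flow)
    return bad

# Constructed sample flow records: "src dst dport proto"
SAMPLE = """
192.0.2.11 192.0.2.12 669 UDP
192.0.2.12 192.0.2.11 2442 TCP
192.0.2.11 192.0.2.12 22 TCP
192.0.2.50 192.0.2.12 80 TCP
"""

if __name__ == "__main__":
    print(nft_ruleset())
    print(audit(SAMPLE))
```

The `ct state established,related accept` line lets reply packets of the six permitted flows return; everything else between or toward the nodes is dropped by the chain policy.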

Mediant 4000 HA: Prerequisites

• High Availability Feature key (licensing)
• Two Mediant 4000 SBC
• Two Gigabit Ethernet ports per switch
• Power Consumption M4K HA: 230VAC, 75W

SBC Security

AudioCodes Session Border Controller: Main Tasks

Security, Connectivity, QoE

AudioCodes Session Border Controller (SBC) - Key Roles

• Perimeter Defense
• Firewall and Access Control
• Encryption
• Topology Hiding
• Denial of Service protection
• Call Theft and Fraud protection
• Interoperability
• SIP Normalization
• DTMF Conversion
• Fax Conversion
• Protocol/Coder Policing
• Voice Transcoding
• NAT Traversal
• SLA and QoS Assurance
• Call Admission Control
• QoS Monitoring and Troubleshooting
• Voice Service Assurance
• Survivability

How Does AudioCodes SBC Secure SIP Traffic

Layers:
• SIP Digest Authentication
• SIP Access List & Classification
• Context Identification
• SIP Message Policy
• TCP/TLS Integrity and Authentication
• Layer 3-4 Firewall and Rate Limiting
• Call Admission Control

Traffic labels in the diagram:
• Brute force DoS
• Protocol Vulnerabilities
• SIP dialog Attacks
• Unclassified SIP Traffic
• TCP attacks, Identity Spoofing
• Unauthorized Access
• Calls over Limit
• Legitimate Traffic

Layer descriptions:
• Accept messages based on SIP header properties, for example the request URI
• Filter oversized SIP messages, unwanted SIP bodies, SIP syntax policing
• Filter out SIP messages which do not belong to an open dialog
• Overcome TCP vulnerabilities, perform TLS authentication
• Look at the IP addresses and ports to filter unwanted packets and throttle the incoming packet rate

Security: Topology Hiding

• Topology hiding is important for hiding network internals and for privacy
• Achieved through use of SIP B2BUA:
  – Via stripping: each B2BUA leg will have its own Via rules independent of the other leg
  – Independent Route/Record-Route in each leg
  – Host name modification (e.g. To/From)
  – Inserting the SBC Contact in each leg
  – Different Call-ID for each leg
  – NAT/Layer 3 Topology Hiding: modification of Src. IP address in IP Header
  – Restrict caller ID for untrusted legs
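The header handling listed above, shown on one request: a simplified sketch of how a B2BUA rebuilds an INVITE for its other leg, with a check for internal identifiers that survive. This is an added example, not AudioCodes code or part of the original deck; the SBC name and address, the internal host names and the INVITE itself are constructed.

```python
import re
import uuid

SBC_HOST = "sbc.example.net"      # hypothetical SBC name seen by the far side
SBC_ADDR = "203.0.113.10:5060"    # placeholder address (documentation range)
INTERNAL = ("10.20.0.", "corp.internal")   # constructed internal identifiers
PER_LEG = {"via", "record-route", "route", "contact", "call-id"}

# Constructed INVITE as it arrives on the inside leg.
INBOUND = "\r\n".join([
    "INVITE sip:+15550100@sbc.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 10.20.0.5:5060;branch=z9hG4bKin1",
    "Record-Route: <sip:10.20.0.1;lr>",
    'From: "Agent 7" <sip:agent7@pbx1.corp.internal>;tag=1928',
    "To: <sip:+15550100@sbc.example.net>",
    "Call-ID: a84b4c76e66710@10.20.0.5",
    "CSeq: 1 INVITE",
    "Contact: <sip:agent7@10.20.0.5:5060>",
    "Content-Length: 0",
]) + "\r\n\r\n"

def outbound_leg(msg, untrusted=False):
    """Rebuild a request for the other B2BUA leg with per-leg headers replaced."""
    start, *headers = msg.split("\r\n\r\n")[0].split("\r\n")
    out = [start,
           f"Via: SIP/2.0/UDP {SBC_ADDR};branch=z9hG4bK{uuid.uuid4().hex[:16]}"]
    for h in headers:
        name, _, value = h.partition(":")
        key = name.strip().lower()
        if key in PER_LEG:
            continue                      # inside-leg values never cross over
        if key in ("from", "to"):         # host name modification
            value = re.sub(r"@[^>;]+", "@" + SBC_HOST, value)
        if key == "from" and untrusted:   # restrict caller ID on untrusted legs
            tag = value.partition(";")[2]
            value = f' "Anonymous" <sip:anonymous@{SBC_HOST}>' + (f";{tag}" if tag else "")
        out.append(f"{name}:{value}")
    out.append(f"Call-ID: {uuid.uuid4().hex}@{SBC_HOST}")   # different Call-ID per leg
    out.append(f"Contact: <sip:{SBC_ADDR}>")                # SBC Contact inserted
    return "\r\n".join(out) + "\r\n\r\n"

def leaks(msg):
    """Internal identifiers still visible in a message (empty list = hidden)."""
    return [marker for marker in INTERNAL if marker in msg]

if __name__ == "__main__":
    print(outbound_leg(INBOUND, untrusted=True))
    print("before:", leaks(INBOUND), "after:", leaks(outbound_leg(INBOUND)))
```

The sample carries no SDP body; a message with one would also expose addresses in its connection lines, which this sketch does not rewrite.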

Security: DoS/DDoS

• Protection against DoS/SIP attacks
  – Access list within layer 3 and layer 5
  – Layer 3 rate limiting according to local and remote IP port and transport type
  – SIP dialog rate and concurrent calls limiting
  – Rich message filtering rules: message size, number of headers, message body types, request type and more
• Protection against SIP vulnerabilities
• OS/IP stack vulnerabilities handling
• Passed DoD tests and got FIPS140 certificate

Security: Call Admission Control

• Limit number of concurrent calls per subnet/SIP trunk
• Limit number of registered users per subnet
• Limit call setup rate per subnet/SIP trunk/user (average and burst)
• VoIP codec policing and prioritizing
• Self overload protection
• Registration flood protection and throttling
• Protocol validation

Security: Encryption

• TLS
  – SSL 2.0, SSL 3.0, TLS 1.0
  – Re-handshake
  – Mutual authentication
  – Certificate Revocation Checking
  – Verify Subject Alt Name against the provisioned proxy name
• SRTP: RFC 4568 SDES (voice, video)
  – SRTP enforcement
  – Best effort SRTP using two media lines
• IPsec: control & management only
• VPN (MSBG)

Mediant 4000 SBC Highlights

• Medium- to high-density SBC platform
  – 250 to 4000 SBC sessions and more…
• Based on field-proven AudioCodes SBC family
• High availability with 2-box redundancy
• State-of-the-art AMC (MicroTCA) based platform
• Cost-effective compact footprint (1U)

Mediant 4000 SBC Highlights (continued)

• Strong DoS/DDoS and VoIP firewall protection
• Easy SBC session capacity upgrades via software key
• SIP TLS security and Media Encryption
• Media handling including transcoding capabilities
  – Wide range of vocoders including Low Bit Rate (LBR), wireline, cellular and wideband vocoders
  – Decoupling of DSPs (Transcoding) from CPU (SBC sessions)

TeleHouse 2 Deployment of first SBC in production

TeleHouse 2 Deployment: Rack Utilization & Power Consumption

• 6U used in cabinet
• 8 power connectors are needed to plug each power supply
• Total power consumption:

| Hardware | Used Power | Qty | Total |
|---|---|---|---|
| Mediant | W | 6 | 450 W |
| Total | | | 450 W |

TeleHouse 2 Deployment: Network Connections

• Mediant 4000's Red Ethernet connection carries SIP signaling and media using a single IP address
• Orange Ethernet connection is used for OAMP purposes (remote access, supervision…)
• 2 ports per switch and per Mediant 4000 are needed