January 23-26, 2007 Ft. Lauderdale, Florida High Volume Applications SIP Trunking for the Contact Center Presented by Pete Sandstrom, CTO BandTel Janne Magnusson, Director Operations Ingate Due to slides with Flash animation, please review in Slide Show Mode

January 23-26, 2007 Ft. Lauderdale, Florida Session Overview 1. Why have signaling 2. “Inside” SIP 3. SIP Enterprise Benefits 4. SIP Benefits For The Contact Center 5. The Role of the Internet Telephony Service Provider (ITSP) 6. Special ITSP Services 7. Call Center Architectures 8. SIP and the Future

January 23-26, 2007 Ft. Lauderdale, Florida 1. Why Have Signaling Signaling provides the mechanism to setup, route, monitor disconnect a call Signaling provides a way to alert a station (i.e. ring the phone). Signaling provides a way to meter the service (i.e. lets the carrier generate you a bill)

January 23-26, 2007 Ft. Lauderdale, Florida 2. “Inside” SIP Signaling

January 23-26, 2007 Ft. Lauderdale, Florida 3. SIP Enterprise Benefits Save Costs - SIP Trunking can reduce trunking costs by 40%. Convergence of the enterprise network organization - the data group is becoming the data/telecom group. Provisioning is simplified - increasing or decreasing capacity is now simply a keyboard stroke and management is simplified with SIP Trunking. Fewer Carriers- having the IP pipe and voice service from one source improves operations, reduces billing errors, simplifies “finger-pointing” problems and offers better price/SLA negotiations.

January 23-26, 2007 Ft. Lauderdale, Florida 4. SIP Contact Center Benefits New Applications - SIP and IP “frees one from location” allowing amazing new inbound and outbound possibilities. Virtual Trunking - SIP can enable new applications not possible in TDM space due to the nature of IP being un- tethered from a specific location. Geographical Unification - SIP can unify may disperse enterprise offices into one virtual entity, and do so without any special leased circuit trunking facilities.

January 23-26, 2007 Ft. Lauderdale, Florida SIP Adds “Intelligent Signaling” The problem - calling client needs to talk to an agent that specializes in handling accounts receivable issues on a particle product for a particular company. The serving contact center enterprise has agents in one of it four locations that can service the clients needs. 1.Inbound Caller Needs - to get to contact center agent in a timely manner 2.Inbound Caller Needs - to get to the agent with the right expertise to handle their need 3.The Contact center needs - a virtual presence via virtual trunking 4.The Contact center needs - an unencumbered standard mechanism to terminate the caller to the right agent 5.The contact center needs - to do all of the above in an economical manner

January 23-26, 2007 Ft. Lauderdale, Florida Inbound Contact Center with “Intelligent Signaling” Intelligent CC Front end CC has no agents free CC has qualified agents free CC has no qualified agents CC has no agents free SIP ITSP PSTN

January 23-26, 2007 Ft. Lauderdale, Florida Outbound Contact Center Possibilities With SIP “Intelligent Signaling” Outbound call centers generally dial out (auto dialers) at a rate that exceeds the number of physical agents that are sitting in the call center. Only a fraction of the calls made get answered at the far end. In order to keep the agent pool busy and talking at all times, a ratio of dialed calls to agents is maintained. Many times that ratio can be as high as 4, 5, or even 6 calls dialing for every agent present. The result in TDM space is wasted bandwidth and wasted circuits Lots of calls “ringing”

January 23-26, 2007 Ft. Lauderdale, Florida Outbound Contact Center Possibilities with SIP “Intelligent Signaling” With SIP, bandwidth used for “call progress” tones is eliminated. Callers-talking/bandwidth ratio is increased radically (4 to 5 times in some cases).

January 23-26, 2007 Ft. Lauderdale, Florida 5. The Role of the ITSP-Internet Telephony Service Provider Getting to the ITSP - should be “seamless” to the customer. Total Resiliency - in the event of an ITSP element failure (it will happen) real-time dynamic fault switchover must be in place. Load to the ITSP - dynamic diverse routing to multiple call processing elements should be automatic and with “no downtime.” Getting to the Public Switched Telephone Network (PSTN) - the ITSP client needs many paths to and from the PSTN for resiliency and guaranteed continuation of service.

January 23-26, 2007 Ft. Lauderdale, Florida Fulfilling the Role: BandTel’s N-Plus™ Architecture

January 23-26, 2007 Ft. Lauderdale, Florida QoS and the Internet: The Economics of peering and why it works in North America IP NET - B IP NET - A Bandwidth (BW) managed Zone: IP carrier peers watch and police each other BW limited Zone: BW limits strictly enforced by carrier In North America, we see a great call: Packet Delay: < 100 msecs Packet loss < 4% Jitter < less then 10 msecs

January 23-26, 2007 Ft. Lauderdale, Florida 6. Special ITSP Services Routing Plan Flexibility – QoS Security – at the ITSP and Customer Premise Special Services; i.e. Early Media (Silent Running) Online Traffic Monitoring (TotalView) Online Billing Traffic Re-routing (Total Reroute)

January 23-26, 2007 Ft. Lauderdale, Florida MPLS with IP = High QoS

January 23-26, 2007 Ft. Lauderdale, Florida Security: at the ITSP POP Dynamic Authentication (Message Digest 5) - ITSP must watch for ID theft and flag. IP authentication (static IP address) - virtually impossible to spoof if ITSP drops “source routed packets” at the border controller. Split Paths - the ITSP should split media (conversations) and signaling to different redundant locations, making media/signaling taps virtually impossible at the Customer Premise Equipment (CPE) side. Secure Borders - ITSP must save secure Points of Presence (POPs) that can restrict/deny all outside attacks such as: DOS (Denial of Service) IP Spoofing SPIT (Spam over Internet Telephony) VOMIT (Voice Over Mis-configured Internet Telephony)

January 23-26, 2007 Ft. Lauderdale, Florida Security: at the Customer Site The CPE Border - SIP-Aware Firewall (SAFW) that allows L5 (Transport Layer 5) Security (i.e. no L2 (Datalink Layer 2) pinholes*) is a must have. Authentication - must require ITSP Message Digest 5 (MD5) encryption or IP Authentication for Account Authorization. Split Paths - the ITSP should split media (conversations) and signaling to different redundant locations, making media/signaling taps virtually impossible at the CPE side. Security Inside - most fraud occurs from inside the CPE border. –Trojans - lurking on enterprise servers –Disgruntled or dishonest employees - past and present

January 23-26, 2007 Ft. Lauderdale, Florida TotalView: The User Can See

January 23-26, 2007 Ft. Lauderdale, Florida Real-Time Call Activity

January 23-26, 2007 Ft. Lauderdale, Florida Accounting History

January 23-26, 2007 Ft. Lauderdale, Florida 7. Call Center Architectures - with Dedicated IP Pipes 1 - The IP pipe is dedicated to VoIP so no QoS arrangements are needed with the carrier. 2 - No firewall is needed as there are no LAN connections with other enterprise devices. 3 - This is a common architecture for dedicated media gateway deployments.

January 23-26, 2007 Ft. Lauderdale, Florida Call Center Architectures - with Shared IP Pipes 1 – VoIP and bulk enterprise share the same IP pipe. 2 – The SAFW-SIP-Aware Firewall handles all the QoS issues by prioritizing VoIP traffic over the bulk enterprise network. 3 – The SAFW handles all SIP addressing transformation issues between the LAN and WAM demarc. 4 – Architecture offers partial QoS for VoIP (no inbound UDP QoS). 5 – Excellent utilization of IP pipe resources.

January 23-26, 2007 Ft. Lauderdale, Florida 8. SIP and the Future Voice to packet is happening; its just better- packet networks (IP in particular) are easier to manage and provision. As such the transition form voice to packet is inevitable. New Services - In IP space new possibilities arise due to the nature of the Technology. The media travels with its destination address inside, freeing it from circuits, and the inherent limitations of circuits. New Choices - in packet space the end telecom user is empowered, and free to let the market work in their favor as alternate service providers are a keystroke away.

January 23-26, 2007 Ft. Lauderdale, Florida Summary Successful ITSPs will be: Resilient (fault tolerant) Scalable Secure and Provider a network and customer premise architecture that offers QoS.

January 23-26, 2007 Ft. Lauderdale, Florida What is Required for SIP to Traverse? Signaling between the SIP client and its SIP registrar –In both directions –May be on the same or on different sides of the firewall Callers must be able to reach the SIP registrar –At all times if you want to receive calls –Problem if caller on the outside and SIP registrar on inside (e.g. an IP PBX or MS LCS) Media (the voice or video packets) must flow end to end –In both directions –Must reach the correct end point, even on a network with private addresses –Pin holes must be opened and media routed (NATed) Who shall be in control of all of this?

January 23-26, 2007 Ft. Lauderdale, Florida Who Shall be in Charge of the Firewall? The firewall manager, the users or some service provider? STUN, TURN, ICE: –The users are in control, for SIP and ANY OTHER USAGE –The firewall has to be sufficiently open to allow this –Still cannot handle when the SIP Server is on the inside (e.g. IP PBX or MS LCS) Session Border Controllers with Far end NAT traversal: –The service provider is in control –The firewall has to be sufficiently open to allow this UPnP: –The clients (most often Windows) controls the NAT/Firewall (for ANY USAGE) –Both the client and the firewall must implement UPnP –Clients still have to have open binding outside to SIP registrar SIP capable firewall –The firewall manager has a possibility to be in charge

January 23-26, 2007 Ft. Lauderdale, Florida Two Types of SIP Capable Firewalls SIP Proxy based SIP aware Firewall/NATs (Intertex, Ingate) –General, can handle complex call scenarios –Encryption (TLS and SRTP) –Authentication –Additional functionality possible (Remote SIP Connectivity, VoIP Survival, SIP server, PBX etc.) Lower level ALG SIP aware Firewall/NATs –Difficult to handle more than basic scenarios –TLS not possible

January 23-26, 2007 Ft. Lauderdale, Florida The Function of a SIP Capable Firewall SIP capable Firewall SIP Proxy/Registrar SIP Signaling 10.x.xx168.x.xx Check the SIP signaling Rewrite for the different address spaces Forward the signaling to the correct SIP proxy or client -For inbound calls – need to know location of each SIP user (unless registrar is on the inside) Open pinholes in the firewall for the media -Only for the duration of the call -Only between the exact endpoints Media flows through the pinhole (UDP/TCP) Media Close pinholes after the call

January 23-26, 2007 Ft. Lauderdale, Florida The Ingate Solution…. Fully SIP-Capable Firewalls SIP TLS S I P SIP Ingate Firewall ® Normal Firewalls With SIP-Proxy and -Registrar

January 23-26, 2007 Ft. Lauderdale, Florida Ingate SIParator ® You Don’t Need to Replace your Firewall! Normal Firewalls DMZ SIP SIP-enables any firewall

January 23-26, 2007 Ft. Lauderdale, Florida Encrypted SIP-signaling –Support for TLS encryption. Encrypted media –Support for RTP media streams created by Microsoft Windows Messenger. –Support for SRTP (Sdescriptions) Encryption TLS SRTP In the clear RTP Termination TLS MS Encryption In the clear SRTP Transcoding IP-Phone Ingate Firewall or SIParator IP-PBX / SIP Server SRTP TLS Pass through TLS

January 23-26, 2007 Ft. Lauderdale, Florida Authentication SIP Digest authentication –Equivalent to http Digest. –Each user has a username and password. –Servers can verify that users are who they really claim to be. –Can be selected for different SIP methods. TLS authentication –Clients can verify that the Server is what it claim to be. –Hop-by-Hop Encryption between each SIP device. TLS can be used in only parts of the signaling path. –Gives encrypted Instant Messaging –Support for Mutual TLS (MTLS) Local and external (RADIUS) user database supported

January 23-26, 2007 Ft. Lauderdale, Florida SIP Filtering IP addresses and/or networks filtering –The unit can be configured to allow SIP traffic from only certain IP addresses and/or networks SIP To and From header filtering –Filters can be applied both on user and domain level. –Filtering on SIP header examples: can call but not the other way around. can not call SIP content (MIME type) filtering –Filtering on specific SIP content types e.g. Message (IM), Precense etc –Can only be applied on “overall” level not per user or domain –One application could be to e.g. prevent the use of IM. Class 1xx message processing filtering –Select if status messages about the negotiation process will be forwarded to the client or stay in the server.

January 23-26, 2007 Ft. Lauderdale, Florida DoS Attack Prevention Ingate has experience of DoS attacks in normal data firewall environments but we have not yet seen any SIP specific attacks outside our own lab Available today –Ability to black list on IP address / Domain –SIP message loop detection –Maximum/guaranteed bandwidth (QoS) settings ensure that VoIP traffic is maintained in certain scenarios –Ingate architecture ensures that existing media sessions are unaffected by an overloading attack against the SIP stack –Management access is also isolated from SIP attacks allowing remedial action to be taken –Blocking of SIP packets on kernel level

January 23-26, 2007 Ft. Lauderdale, Florida Logging Extensive SIP logging –All SIP packets can be logged in a readable format in the log –Detailed debug logging to understand Ingate behavior Flexible log monitoring –Log information can be stored locally or sent via syslog and . Status monitoring –SNMP supported –All register users displayed –All active session displayed including session status (state, used ports and detection of one-way media) Call data records –Accounting information can be sent to a RADIUS server according to RFC 2866.

January 23-26, 2007 Ft. Lauderdale, Florida Questions?

January 23-26, 2007 Ft. Lauderdale, Florida About BandTel Headquartered in Newport Beach, California, BandTel is a leading worldwide provider of SIP Trunking services. The company is dedicated to ensuring its customers and partners alike have access to the most reliable, end-to-end VoIP service available on the market today. Its N-Plus™ network architecture is designed to solve the throughput and redundancy problems on high-capacity SIP-based networks and eliminate any single point of failure. BandTel continues to develop strong partnerships with leading carriers and telecommunications companies, including Global Crossing, XO Communications, Level 3, Qwest Communications, Verizon Business, and Primus.

January 23-26, 2007 Ft. Lauderdale, Florida About Ingate Formed 2001 –Firewall technology from Cendio Systems Appliance firewalls since 1994 –Capital and SIP technology from Intertex Data AB Began SIP development in 1998 Released the worlds first SIP capable Firewall in 2001 Located in Stockholm and Linköping, Sweden with a subsidiary, Ingate Systems Inc., based in Hollis, NH. Confirmed IP-PBX interoperability: 3Com, Asterisk, Avaya, Broadsoft, Cisco Call Manager, Ericsson MX-One, Mitel, Pingtel, SER, Shoretel, Sphere, Swyx, Zultys Confirmed carrier interoperability: Bandtel, Broadband.com, Cbeyond, Global Crossing, IP-Only, O1, RNKTel, Tele2, VoEx

January 23-26, 2007 Ft. Lauderdale, Florida For More Information About SIP Trunking Visit BandTel’s New SIP Trunking Resource Center