Presentation is loading. Please wait.

Presentation is loading. Please wait.

What does an SBC do? Speaker Notes/Script:

Published byMarlee Gallegos Modified over 9 years ago

Similar presentations

Presentation on theme: "What does an SBC do? Speaker Notes/Script:"— Presentation transcript:

1 What does an SBC do? Speaker Notes/Script:
Read the title and subtitles.

2 Carrier SBC’s Enterprise Network SP Network IP PBX Intranet
FW Intranet Carrier SBC Carrier SBC Historically designed to sit at the SP’s edge to protect the carrier. Complex to use command-line devices Provides a distinct separation between networks while providing a means of transporting signaling and media Perform topology hiding for the SP Tracking calls (CDR) for billing Act as a Network Address Translator (NAT) for the SP Provides admission control to limit calls from customer (and insure SLA) Protocol Internetworking for H.323 and SIP 11/26/2012

3 Enterprise SBC Enterprise Network DMZ Mobile Users, Telecommuters
IP PBX DMZ SRTP/ RTP Internal FW Avaya SBCE External FW/NAT Remote Worker Intranet Internet SIP Trunking Avaya SBCE Encryption TLS proxy SRTP proxy Enablement FW / NAT traversal Call admission control Signaling and media firewall Security Floods and fuzzing prevention Spoofing prevention (fingerprint verification) Media anomaly prevention Stealth attack prevention Tollfraud Prevention Anti-spam Whitelist/Blacklist Behavior learning © 2012 Avaya, Inc. All Rights Reserved. 06/01/2012

4 Avaya SBCE: SIP Trunking Architecture
Use Case: SIP Trunking to Carrier Carrier offering SIP trunks as lower-cost alternative to TDM Heavy driver for Enterprise adoption of SBC Support Aura, IPO and CS1K From a SECURITY Stand Point, it is recommended the SBCE be in the DMZ Firewall Firewall Enterprise CS1000 DMZ Internet SIP Trunks Carrier Avaya SBCE DMZ is recommended not required. From a Security standpoint, this is the recommended architecture. Parallel Architectures are common Y Configurations Carrier SIP trunks to the Avaya Session Border Controller for Enterprise Avaya SBCE is located in a DMZ behind the Enterprise firewall Services: security and demarcation device between the IP-PBX and the Carrier NAT traversal, Securely anchors signaling and media, and can Normalize SIP protocol

5 NAT Traversal SBC External IP Address IP PBX FW IP Address Enterprise Internet or Provider Network At a basic level think of it this way: If the SBC sends an INVITE message to the carrier, can the carrier reply and reach IP address ? No. The SBC facilitates NAT Traversal by making sure all signaling messages have a REACHABLE return address. In this example, the INVITE would have a source address of When a reply is sent it reaches the firewall which forwards to external IP Address.

6 Understanding Toll Fraud
Toll fraud can only be prevented by a holistic approach involving best practice configuration of many elements in a UC environment. Examples include: Customized tuning of SBC to set intelligent call thresholds for outbound and inbound traffic (based on time of day for optimal fine-tuning) Enable short-call toll fraud duration Limit international calls to only valid destinations for needed countries

7 DoS and Toll Fraud Protection
Single Source DoS Any type of DoS attack that is directed against one or more enterprise endpoints that originate from a single source (normally spoofed). Stealth DoS/DDoS A type of low‐volume DoS attack that is directed against an endpoint where the source of the call is constantly changed. Call Walking A type of DoS attack whereby serial calls originating from a single source (normally spoofed) are directed against a sequential group of end‐points. Toll Fraud Refers to internal or external users using the corporate phone system to place unauthorized toll calls. Phone DoS/DDoS A type of DoS attack that is directed against a single enterprise end‐point.

8 DoS and Toll Fraud Protection
DoS settings can be customized Time-of-Day can be used to refine DoS settings Specific protection exist for ‘Short Duration Toll Fraud’ as well: Short call duration toll fraud is where a large number of short calls (less than 1-2 seconds) are made to make money on the ‘connect’ fees.

9

10

11 Avaya SBCE: Remote Worker Architecture
Use Case: Remote Worker Extend UC to SIP users remote to the Enterprise Solution not requiring VPN for UC/CC SIP endpoints From a SECURITY Stand Point, it is recommended the SBCE be in the DMZ Firewall Firewall Enterprise DMZ Internet Remote Workers Avaya SBCE Remote Worker are external to the Enterprise firewall Avaya Session Border Controller for Enterprise Authenticate SIP-based users/clients to the enterprise Securely proxy registrations and client device provisioning Securely manage communications without requiring a VPN

12 Remote Worker: VPN vs VPNless Endpoints
VPN Endpoint VPNless Endpoint VPN Headers add additional size to traffic. In aggregate reduces bandwidth. Encrypts traffic, yet does not validate it. (Encrypting and distributing a virus isn’t helpful) No ability at VPN head-end to distinguish between voice and data traffic. Ultimately voice quality suffers. Cumbersome user experience for real-time communication application TLS/SRTP encrypts the traffic with a smaller bandwidth footprint than VPN Signaling and media are unencrypted at the SBC and inspected at Layer 7 to validate the traffic before it is allowed through Numerous policies allow Enterprise control of endpoints. Consistent user experience for applications

13 Session Manager is NOT required for SIP Trunking
Call Servers For SIP Trunking, an accepted architecture is: Call Server + SBC Call Server + SM + SBC A valid call server is CS1k 7.5 CM 5.2.1 IPO 8.x SM must be 6.x Session Manager is NOT required for SIP Trunking For SIP Trunking if these basic requirements are not met there is no opportunity with this customer UNTIL these elements are there.

14 Avaya SBCE 4.0.5 and 6.2 Interoperability Matrix
All Tests performed in the SIL Labs Platform No SM SM 6.1 SM 6.2 CS1K R7.5 R4.0.5/R6.2 IPO R8.0 NA CM R5.2.1 CM 6.0.1 CM R6.2 Supported - Tested Not Supproted or Tested.

15 IPO 8.x ONLY supports SIP Trunking
ONLY certified with AT&T at the moment A generic app note is in the works to accommodate additional carriers

16 Carriers Tested as of November 10th, 2013.
Alestra AT&T AT&T Puerto Rico Belgacom Bell Canada Broad-Connect Broadview BT Global Services BT HIPCOM BT Italia BT Wholesale Cable & Wireless CenturyLink Colt Etisalat Fastweb SPA Frontier Gamma IntelePeer KPN Level 3 MTSAllStream PAETEC Phonect QSC Sprint Swisscom Tele2 Telefonica del Peru Telenor Teliasonera TELUS T-Mobile NL UPC Vamoin1/KPN Verizon Business Virgin Media Vodafone DE Vodafone NL VoicePulse Windstream Worldnet P. Rico XO Find App Notes Here:

17 SIP Trunking Qualification
Must include supported call servers (CS1, CM, SM, IPO) Must be explicitly tested with that given configuration with the carrier. Example: If CMSBC->Service Provider ‘A’ is tested, that does NOT mean CMSM->Service Provider “A’ is tested. Make sure the specific configuration is documented with an App Note. If the architecture is valid, but it is not tested, then escalate through Jack Rynes

18 SIP Trunking with AACC AACC – If this is a basic SIP Trunking deployment involving: Service Provider - SBC SMCM There may be a valid solution for the SBC but all call flows should be vetted with the CSE’s.

19 SIP Trunking with Call Center Elite
CC Elite – If this is a basic SIP Trunking deployment involving: Service Provider - SBC SMCM -and- Avaya Experience Portal is NOT part of the call flow There may be a valid solution for the SBC but all call flows should be vetted with the CSE’s.

20 Avaya SBCE Key Features
Speaker Notes/Script: Read the title and subtitles.

21 The Unique Avaya Solution for UC Application Security
Authenticated Endpoints Allow supporting protocols with full NAT Giving you Full Features Enterprise Remote Avaya Session Manager (SIP) Internal Phone (RTP) Enterprise DMZ Firewalls Encrypted Sessions Remote NAT & Firewall Avaya SBCAE Intranet Internet Remote Phone Configuration (HTTPS) Certificate Authority (SCEP) Personal Profile Manager (SOAP) Directory Server (LDAP) Web Server (HTTP) Presence and IM (XMPP) Security UC Policy, Access control, & Authentication Privacy (encryption) with TLS, SRTP UC Threat protection Comprehensive Services Directory, Web applications, Login profiles Remote Management Configuration management, Certificate, PKI management Hi

22 ASBCE 6.2 System Capacity Session Border Controller capacities are rated in Simultaneous Sessions A simultaneous session = a communication session between 2 SIP endpoints Can think of it as analogous to a DSO in the ‘old world’ Key for engineering is to understand the numbers of sessions required in the solution For Secure SIP trunking, look at the number of TDM DSOs required For Remote Worker, calculate required call volumes Capacity in Simultaneous Sessions Max Capacity W/out Encrypt Max Capacity With Encrypt HA 2000 1000 SA 2000 1000 RW BOX ST Box Portwell CAD-0208 SA 500 250 ‘Rules of Thumb’ SIP trunking usually 5 users per ‘SS’ Must account for higher ratio in small Remote Worker must consider both On-net and off-net requirements Remember, in Dell configs, Encryption Services impact capacity

23

Download ppt "What does an SBC do? Speaker Notes/Script:"

Similar presentations

Cloud Communications Ecosystem Panel Alan Bugos, Vice President of Technology October 15th, 2013.

Cloud Communications Ecosystem Panel Alan Bugos, Vice President of Technology October 15th, 2013.
Introduction to SIP “Trunking” in the Enterprise

Introduction to SIP “Trunking” in the Enterprise
The leader in session border control for trusted, first class interactive communications.

The leader in session border control for trusted, first class interactive communications.
SIP, Firewalls and NATs Oh My!. www.dynamicsoft.com SIP Summit 2001 5.01.01 SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.

SIP, Firewalls and NATs Oh My!. SIP Summit SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.
Voice Security Interop 2009 Mark D. Collier SecureLogix Corporation

Voice Security Interop 2009 Mark D. Collier SecureLogix Corporation
SIP Trunking A VASP Perspective Thomas Roel Convergence Sales Engineer 651.796.7043

SIP Trunking A VASP Perspective Thomas Roel Convergence Sales Engineer
Addressing Security Issues IT Expo East 2011. Addressing Security Issues Unified Communications SIP Communications in a UC Environment.

Addressing Security Issues IT Expo East Addressing Security Issues Unified Communications SIP Communications in a UC Environment.
Unified. Simplified. Unified Communications Launch 2007.

Unified. Simplified. Unified Communications Launch 2007.
DMZ (De-Militarized Zone)

DMZ (De-Militarized Zone)
DMZ (De-Militarized Zone)

DMZ (De-Militarized Zone)
1 The Need for Enterprise Session Border Controller The E-SBC allows the enterprise to control its SIP implementation.

1 The Need for Enterprise Session Border Controller The E-SBC allows the enterprise to control its SIP implementation.
Lync 2014 4/11/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks.

Lync /11/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks.
Steven J. Johnson President Ingate Systems Inc. Enabling SIP to the Enterprise.

Steven J. Johnson President Ingate Systems Inc. Enabling SIP to the Enterprise.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
TANDBERG Video Communication Server March 2008. TANDBERG Video Communication Server Background  SIP is the future protocol of video communication and.

TANDBERG Video Communication Server March TANDBERG Video Communication Server Background  SIP is the future protocol of video communication and.
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
Nicolas FISCHBACH Senior Manager, IP Engineering/Security - COLT Telecom - version 1.0 Voice over IP (VoIP)

Nicolas FISCHBACH Senior Manager, IP Engineering/Security - COLT Telecom - version 1.0 Voice over IP (VoIP)
IP Communications Services Redefining Communications Teresa Hastings Director WorldCom SIP Services Conference – April 18-20, 2001.

IP Communications Services Redefining Communications Teresa Hastings Director WorldCom SIP Services Conference – April 18-20, 2001.
© 2009 Avaya Inc. All rights reserved. Page 1 AT&T Mobile Extension with Avaya one-X Mobile.

© 2009 Avaya Inc. All rights reserved. Page 1 AT&T Mobile Extension with Avaya one-X Mobile.
All rights reserved © 2006, Alcatel Benefits of Distributed Access Border Gateway in the Access  Benoît De Vos Alcatel, May 29 th 2006.

All rights reserved © 2006, Alcatel Benefits of Distributed Access Border Gateway in the Access  Benoît De Vos Alcatel, May 29 th 2006.

Similar presentations

Ads by Google