EMEA Techshare 2009
The Future Begins
Session Border Controllers
Connecting the IP World
Acme Packet and Avaya Lead The Way
April 9, 2009
Neil Segall, Business Development
Margie Frasier, Channel Development
Agenda
Why should I care about SBCs?
What is an SBC?
Product Overview
Working together
We are not Bugs Bunny!!
Beep Beep
Argh!~
Why should I care about SBCs?
Reduce cost
Deliver business agility
Secure loyal customers
Market Trends
Service providers
– Making SIP value available to enterprises
– Relying on SBCs for peering and secure access
– Reselling or recommending CPE SBCs for security and interworking
Enterprises and contact centres
– Embracing converged voice/data for UC, CC, & CEBP
– Migrating increasingly to SIP
– Moving to SIP trunking for lower costs & power consumption
– Recognizing identity, trust and security as critical to UC success
– Dealing with interworking and regulatory concerns
Future of interactive communications?
[Diagram labels: The Internet; The Federnet]
Federnet: The eight driving factors
1. In IP, we trust no one
2. Addresses will forever be a collection of heterogeneous schemes
3. SIP is not the only signaling protocol
4. Codecs will never converge to a couple - audio & video
5. Unlimited bandwidth, QoS and signaling resources will forever be a myth
6. Some sessions are more valuable than others
7. IP IC regulation will increase
8. Business models will never be homogenous
Next Generation Communications
[Architecture diagram. Layers: Access, Connection, Application. Labelled elements: Application Platform; App; System Manager; Communication Manager Core; CM; SM; Media Servers; SIP Trunks; TDM Trunks; G860; 3rd Party PBXs; 3rd Party endpoints; Avaya one-X® endpoints; Avaya CM Branch / Stand alone; Remote workers over Internet; PSTN Providers; Outsourcers; Federated; Internet; Acme Packet SBC]
Joint Value Proposition
Acme Packet SBCs augment Avaya solutions for UC and CC
– Defend SIP signaling elements against security threats, overloads
– Eliminate border signaling and many other interoperability issues
– Preserve session quality under load and adverse conditions
– Extend Avaya application reach across IP network borders
– Support regulatory compliance
Key Benefits
– Faster Avaya solutions deployment at lower risk and cost
– Safe use of cost-effective SIP trunks
– High-quality session delivery to workers across the enterprise
– Improves customers' options for customizing their networks
What is an SBC?
Session – real-time, interactive communications – voice, video & multimedia - using SIP, H.323, MGCP/NCS, H.248
Border – IP-IP network borders
– Interconnect/peering: between service providers
– Subscriber access: enterprise, residential or mobile services
– Data center: retail or wholesale services
– Enterprise: intra- & extra-enterprise
Control
– Security
– Service reach maximization
– SLA assurance
– Revenue & cost optimization
– Regulatory compliance
What is a Session Border Controller?
[Diagram labels: Large enterprise; Mobile services; PSTN; PSTN origination & termination; Directory services; IP transit; PSTN termination; IP contact center; Residential & business services]
Why SBCs Instead of Firewalls?
Because traditional firewalls cannot:
– Prevent SIP-specific overload conditions and malicious attacks
– Open / close RTP media ports in sync with SIP signaling
– Track session state and provide uninterrupted service
– Perform interworking or security on encrypted sessions
– Scale to handle many 1000s of real-time sessions
– Provide carrier class availability
InfoSec teams deploy a defence-in-depth model with application-level security proxies for email and web applications
– Same model applies for IP telephony, UC and IP contact center applications
Acme Packet SBC secures & assures Avaya unified communications
Completes Avaya’s cost effective end-to-end SIP architecture
– SIP trunking and border interworking
– Remote site & worker connectivity
– Reduced maintenance costs
Provides best-in-class VoIP & UC security
– Integrated with Avaya Session Manager, Communication Manager and Voice Portal
Assures quality and high availability
– Disaster recovery and survivability
Helps achieve regulatory compliance
– Emergency calls, privacy, recording
[Diagram: Acme Packet (APKT) SBCs at three borders: 1. SIP trunking border, 2. Hosted services border, 3. Internet border. Other labels: Redundant data centers; HQ/campus; Regional site; Remote site; ASM; UC; CC; H.323; SIP; Private network; Internet; To PSTN; Tele-worker; Nomadic/mobile user; Federated partners; Contact center, audio/video conferencing, IP Centrex, etc.]
Product Overview
Acme Packet Products
Products: Net-Net 4250, Net-Net 4500, Net-Net 9200, Net-Net 3800
Size: Medium, Large
Segments: UC, CC
# sessions: 150-500; 250-8,000; 1,000-16,000; 4,000-72,000
# lines: 750-2,500; 1,250-40,000; 5,000-80,000; 20,000-360,000
# agents: 75-250; 125-4,000; 500-8,000; 2,000-36,000
Deployment: Data Center; Data Center / branch office; Data Center (w/transcoding)
Net-SAFE Security Framework
SBC DoS/DDoS protection
– Protect against SBC DoS/DDoS attacks & overloads
Access control & VPN separation
– Dynamic, session-aware access control for signaling & media
– Support for L2 and L3 VPN services & traffic separation
Topology hiding & privacy
– Complete service infrastructure hiding & user privacy support
Viruses, malware & SPIT mitigation
– Deep packet inspection enables protection against malicious or annoying traffic
Encryption and Authentication
– TLS, IPSEC, SRTP
Monitoring and reporting
– Record attacks & attackers
– Provide audit trails
[Diagram labels: SBC DoS protection; Fraud prevention; Access control; Topology hiding & privacy; Service infrastructure DoS prevention; Viruses, malware & SPIT mitigation]
Dynamic ACLs and Hardware Based Security
All unauthorized traffic rejected by hardware authentication
HARDWARE BASED AUTH:
Authorized traffic flows are based on:
• Source IP address/range
• Source IP port
• Protocol
• Destination IP address
• Destination IP port
• VLAN + physical port
Other authorizations at wire speed:
• DoS blacklisted users rejected (matched on above flow definitions)
[Diagram labels: NN-SD; HTTP request, unauthorized protocol or destination port (X); SIP Invite, blacklisted user (X); Dropped at wire speed!!]
Software based SBCs cannot provide this!
Signaling Based Security
Stateful awareness of SIP sessions allows for fine-tuned security measures a FW cannot provide:
[Diagram labels, in the order shown, with NN-SD in the path:]
Next hop device (i.e. Avaya SM) constraints exceeded
SIP Invite: reject with 4xx Unauthorized (X)
Bandwidth exceeds allowed limit
SIP Invite: reject with 503 Unavailable (configurable response) (X)
Unregistered users (rejected at SIP level)
SIP Invite: reject with 4xx Unauthorized (X)
SOFTWARE/SIGNALING BASED AUTHORIZATION:
Authorized traffic flows can be based on:
• User registration status
• SIP packet format (legal?)
• Traffic filters based on SIP header content
• Source or destination URI format
• Codec type
• Bandwidth or session admission control
• Overload constraints (CPU and next hop)
• Signaling rate limit
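A sketch of the signaling-level checks listed on this slide, added here as an example (not from the deck and not Acme Packet code). The thresholds, allowed payload types, class name and the specific status codes (400, 403, 488, 503) are assumptions; the slide itself names only "4xx" and a configurable 503.

```python
import re

ALLOWED_PAYLOADS = {"0", "8"}   # assumed policy: G.711 static payload types only
RATE_LIMIT = 3                  # assumed: INVITEs allowed per source in one window
NEXT_HOP_MAX = 2                # assumed session constraint of the next-hop device

class SignalingPolicy:
    def __init__(self, registered):
        self.registered = set(registered)  # URIs with a current registration
        self.seen = {}                     # source IP -> INVITEs in this window
        self.active = 0                    # sessions admitted toward the next hop

    def check_invite(self, src_ip, msg):
        """Return (status, reason); 200 admits, any other status is the rejection."""
        head, _, body = msg.partition("\r\n\r\n")
        lines = head.split("\r\n")
        if not re.fullmatch(r"INVITE sips?:\S+ SIP/2\.0", lines[0]):
            return 400, "malformed request line"
        hdrs = {k.strip().lower(): v for k, v in
                (l.split(":", 1) for l in lines[1:] if ":" in l)}
        sender = re.search(r"<(sips?:[^>;]+)", hdrs.get("from", ""))
        offer = re.search(r"^m=audio \d+ RTP/AVP ([\d ]+)", body, re.M)
        if not sender or not offer:
            return 400, "missing From URI or audio offer"
        # Count well-formed INVITEs before the identity check, so floods from
        # unregistered senders are rate limited too.
        self.seen[src_ip] = self.seen.get(src_ip, 0) + 1
        if self.seen[src_ip] > RATE_LIMIT:
            return 503, "signaling rate limit exceeded"
        if sender.group(1) not in self.registered:
            return 403, "user not registered"
        if not set(offer.group(1).split()) <= ALLOWED_PAYLOADS:
            return 488, "codec not permitted"
        if self.active >= NEXT_HOP_MAX:
            return 503, "next-hop constraint exceeded"
        self.active += 1
        return 200, "admitted"

def sample_invite(from_uri, payloads="0 8"):
    # Constructed message, trimmed to the fields the checks above read.
    return ("INVITE sip:bob@example.com SIP/2.0\r\n"
            f"From: <{from_uri}>;tag=1\r\nCall-ID: c1\r\n\r\n"
            f"v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 4000 RTP/AVP {payloads}\r\n")
```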
Handling of Ports for Media
VoIP often requires a different media port per source for RTP flows
Net-Net SD dynamically opens ports for RTP/RTCP (media streams) – Secure Latching:
Endpoints: 10.0.0.1 and 136.2.7.100
Net-Net SD: 10.100.1.100, UDP ports 49152-65535 (Pool “X”); 192.168.11.101, UDP ports 49152-65535 (Pool “Y”)
1. INVITE, SDP c= (source): 10.0.0.1, port 1046
– Open media port from Pool “Y”. Remember mapping from 192.168.11.101 (Pool Y) to 10.0.0.1:1046
2. INVITE, SDP c= (source): 192.168.11.101, port 49152
3. 200 OK, SDP c= (source): 136.2.7.100, port 4300
– Open a media port from Pool “X”. Remember mapping from 10.100.1.100 (Pool X) to 136.2.7.100:4300
4. 200 OK, SDP c= (source): 10.100.1.100, port 49152
5. BYE, 200 OK
– Media ports closed and removed from SBC cache (X)
FW must keep ports open at all times
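The port handling on this slide, as an added Python example (not part of the original deck and not Acme Packet code): a toy model that opens a relay port per SDP, rewrites the c= and m= lines, and closes both pinholes on BYE. The class and method names are hypothetical, the SDP bodies are constructed, and the parser assumes one session-level c= line and one audio m= line; the addresses and pools are the slide's.

```python
import re

class MediaAnchor:
    """Toy model of signaling-driven media pinholes (illustrative only)."""

    def __init__(self, pools):
        # pools: pool name -> (relay IP, first port, last port)
        self.pools = {n: (ip, list(range(lo, hi + 1))) for n, (ip, lo, hi) in pools.items()}
        self.pinholes = {}   # (relay IP, relay port) -> (peer IP, peer port)
        self.by_call = {}    # Call-ID -> [(pool name, relay port), ...]

    def anchor_sdp(self, call_id, sdp, pool):
        """Open a relay port in `pool`, map it to the SDP's media address, rewrite the SDP."""
        peer_ip = re.search(r"^c=IN IP4 (\S+)", sdp, re.M).group(1)
        peer_port = int(re.search(r"^m=audio (\d+)", sdp, re.M).group(1))
        relay_ip, free = self.pools[pool]
        relay_port = free.pop(0)
        self.pinholes[(relay_ip, relay_port)] = (peer_ip, peer_port)
        self.by_call.setdefault(call_id, []).append((pool, relay_port))
        sdp = re.sub(r"^c=IN IP4 \S+", "c=IN IP4 " + relay_ip, sdp, flags=re.M)
        return re.sub(r"^m=audio \d+", "m=audio %d" % relay_port, sdp, flags=re.M)

    def bye(self, call_id):
        """Close every pinhole opened for the call and return its ports to the pools."""
        for pool, port in self.by_call.pop(call_id, []):
            relay_ip, free = self.pools[pool]
            del self.pinholes[(relay_ip, port)]
            free.append(port)

    def forward(self, dst_ip, dst_port):
        """Where a packet arriving on a relay address is sent; None means dropped."""
        return self.pinholes.get((dst_ip, dst_port))


def demo():
    # Addresses and pools are the ones on the slide; the SDP bodies are constructed.
    sbc = MediaAnchor({"X": ("10.100.1.100", 49152, 65535),
                       "Y": ("192.168.11.101", 49152, 65535)})
    offer = "v=0\r\nc=IN IP4 10.0.0.1\r\nm=audio 1046 RTP/AVP 0\r\n"
    answer = "v=0\r\nc=IN IP4 136.2.7.100\r\nm=audio 4300 RTP/AVP 0\r\n"
    out_offer = sbc.anchor_sdp("call-1", offer, "Y")     # INVITE toward 136.2.7.100
    out_answer = sbc.anchor_sdp("call-1", answer, "X")   # 200 OK back toward 10.0.0.1
    during = sbc.forward("10.100.1.100", 49152), sbc.forward("192.168.11.101", 49152)
    sbc.bye("call-1")
    after = sbc.forward("10.100.1.100", 49152)
    return out_offer, out_answer, during, after
```

After the BYE the same relay address no longer forwards anything, which is the contrast the slide draws with a firewall that keeps the port range open.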
It’s not just about security
Legacy data infrastructure is not enough
– Signalling protocol interworking
– Service reach maximization
– QoS / Accounting
– Session replication
– High availability
Header Manipulation Rules
Benefit – allows SBC to perform SIP header/parameter manipulation based on regular expressions
Problem overcome – interoperability issues, unique routing needs, protocol normalization and fix-up
Details
– Regular expression search and store capability
– Ability to do repetitive search and replace
– Boolean logic support
– Supports operations on MIME body, e.g. SDP
– Allows codec re-ordering & stripping
– Ability to insert information into Call Detail Record VSAs
– HMR for ISUP (conversion between any variation of SIP, SIP-I, SIP-T)
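Regular-expression header rewriting and codec stripping, shown as an added Python example; this is not Acme Packet's HMR configuration syntax and not code from the deck. The rule format, function names and sample message are constructed for illustration, and 192.0.2.1 is a placeholder for the SBC address.

```python
import re

STATIC = {"0": "PCMU", "8": "PCMA", "18": "G729"}  # static payload types, RFC 3551

def apply_header_rules(head, rules):
    """Apply (header, regex, replacement) rules to each matching header line."""
    out = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        for hdr, pattern, repl in rules:
            if name == hdr.lower():
                line = re.sub(pattern, repl, line)
        out.append(line)
    return "\r\n".join(out)

def strip_codecs(sdp, banned):
    """Remove banned codecs from m=audio plus their a=rtpmap / a=fmtp lines."""
    names = dict(STATIC)
    names.update(re.findall(r"^a=rtpmap:(\d+) ([^/\r\n]+)", sdp, re.M))
    drop = {pt for pt, name in names.items() if name.upper() in banned}
    out = []
    for line in sdp.split("\r\n"):
        media = re.match(r"(m=audio \d+ \S+) (.+)", line)
        attr = re.match(r"a=(?:rtpmap|fmtp):(\d+)", line)
        if media:
            kept = [pt for pt in media.group(2).split() if pt not in drop]
            if not kept:
                raise ValueError("rule would leave the offer with no codec")
            line = media.group(1) + " " + " ".join(kept)
        elif attr and attr.group(1) in drop:
            continue
        out.append(line)
    return "\r\n".join(out)

def demo():
    # Constructed message; 192.0.2.1 stands in for the SBC's outside address.
    head = ("INVITE sip:bob@example.com SIP/2.0\r\n"
            "Contact: <sip:alice@10.0.0.1:5060>\r\nCall-ID: c1")
    sdp = ("v=0\r\nc=IN IP4 10.0.0.1\r\nm=audio 1046 RTP/AVP 18 0 101\r\n"
           "a=rtpmap:18 G729/8000\r\na=fmtp:18 annexb=no\r\n"
           "a=rtpmap:101 telephone-event/8000\r\n")
    # The capture group stores the user part; only the host is replaced.
    rules = [("Contact", r"(sip:[^@>]+)@[^>;]+", r"\g<1>@192.0.2.1")]
    return apply_header_rules(head, rules), strip_codecs(sdp, {"G729"})
```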
Hosted NAT traversal (HNT)
Problem: remote-user NAT traversal
– Inbound VoIP/UC can’t get through DSL/cable modem firewall / NAT
– Home worker can’t reconfigure FW/NAT
– NAT-T techniques (STUN / TURN / ICE) are limited and vary widely by device: an IT support headache
Solution: host NAT traversal in SBC
– Standardizes NAT methodology
– Proven solution: globally deployed
– Scalable with very low latency
Benefit: lower cost, complexity of deployment, support
– No end-user action required
– One centralized box to manage
– One methodology for NAT traversal
[Diagram labels: Remote User; Internet; CPE NAT/FW messes up secure VoIP; Enterprise Data Centre; IPT, UC, CC]
QoS measurement & reporting
Benefits
– Enables real-time evaluation of network & route performance
– Enables Enterprises to validate SLAs from their service providers
– QoS based call admission control
Capabilities
– Per-flow statistics including jitter, latency, packet loss, byte and packet counters
– Hardware based RTP/RTCP header inspection – no performance impact
– Reported through call accounting interface (Radius) or via FTP
[Diagram labels: Segment A; Segment B]
IP Session Replication
Benefit – reduces costs and decreases complexity
Problem overcome – reduces the number of devices/interfaces involved in call capture and replication; SBC scales better than alternative methods
Call recording servers (CRS) are provisioned per ingress realm
– SBC replicates and forwards signaling and media
– SBC load balances session across recording servers
[Diagram labels: PBX; Avaya ACM/ASM]
High Availability
No loss of active sessions (media and signaling)
Supports new calls
1:1 Active Standby architecture
Failover for
– Node failure, network failure, poor health, manual intervention
– 40 ms failover time
Checkpointing of configuration, media & signaling state
Preserves CDRs on failover
Shared virtual IP/MAC addresses
[Diagram labels: 10.0.0.1; sd0.co.jp; sd0.fc.co.jp; Find SD through DNS round-robin or configured proxy; Active, Standby; X; All sessions stay up. Process new sessions immediately; Active; New call]
Working together
UC Reference Architecture
Customer choice of complete local call processing intelligence in branch or, if desired, no survivability
Avaya Session Manager implements session routing for inter-branch and branch to HQ; manages centralized dial plan
Mini Border Element provides secure access to distributed SIP trunking services for branch/remote locations
SBC provides secure access to centralized SIP trunking services for HQ/regional centers
[Diagram labels: HQ/Regional Data Center; Branch Office; Avaya CM; Avaya SM; ACM / DO; PBX; Router; Analog, Digital; SIP; RTP; Internet; Remote clients; SIP Trunking Service; SIP Trunking Services]
Avaya / Acme Packet Interop
Acme Packet part of Avaya Development and SV models
– Acme Packet equipment in Avaya R&D & Services labs
– Avaya equipment in Acme Packet labs
Formal Interop Testing and Documentation
– DevConnect - Acme Packet is a Platinum partner
• Peering and Access
– ACM: NN4250 & NN4500 complete, NN3800 in progress
– ASM: NN4250, NN4500 and NN3800 in progress
– AVP/ICR: NN4250, NN4500 and NN3800 in progress
• Online Application Notes and configuration guides
– SITL will certify SIP trunks
• Testing ongoing in NA, CALA, EMEA, and APAC
Acme Packet at a glance
Session Border Control (SBC) category creator & leader with 50-60% market share, founded August 2000
Top tier customers worldwide
– 600+ customers in 92 countries
– 29 of top 30, 89 of the top 100 service providers
Market focus: enterprise, contact centre, and service provider
400+ employees in 25 countries, Burlington, MA headquarters
Public company (NASDAQ: APKT) w/ strong revenue growth, profits & balance sheet
Healthy, Profitable, Leading, Growing
Revenue ($M): 2003: $3.3; 2004: $16.0; 2005: $36.1; 2006: $84.1; 2007: $113.1; 2008: $116.4
Acme Packet - company overview – Q3 2008
Competition
Primary competitive threat: customer inertia
– Ignorance of need for SBCs
– IT security staffs must be educated
Next-best threat: Cisco Unified Border Element (CUBE)
– All software: small scale, low performance
– Lacks DoS protection, advanced routing, high availability
– Years behind on features and protocol support
– Very limited non-Cisco product interoperability
Go-to-market strategy
Channel focus in EMEA - over 60 people
– Business and channel development provide commercial and technical support
– Direct touch Sales and Engineering team directly supports opportunities
– EMEA HQ in Madrid has training and lab facilities
– Field systems engineering supports evaluations & trials, informal training
Technical support - 24x7x365 from Burlington, MA, USA headquarters
– Protocol and platform focus areas
– Telephone hotline for critical problems
– Web portal
Training
– Configuration and troubleshooting courses
– Boston, Madrid, Moscow, or at customer site
• English, Spanish, Italian, French, German, Russian, Dutch, Portuguese
Acme Packet helps close more Avaya business faster
Minimize risk for migration to Avaya
– Interworking and compliance / security / service quality
Reduce cost and increase value of Avaya solution
– Enables secure use of cost-effective SIP trunks
– Supports Flatten Consolidate & Extend (FCE) model
Provide a competitive advantage over Cisco
– Superior SBC solution
– Strong relationships with service providers
– Prevent Cisco from getting more foothold
The Managed Services Opportunity
Managed CPE SBCs enable multiple services to be safely delivered through SIP Trunks
– IP Contact Centres
– Unified Communications Services
– IP PBX connectivity
Business partner managed SBCs mean:
– Annuity revenue
– Account Control and opportunity to sell multiple services
– Services Revenue Opportunity
Value proposition
The: Acme Packet SBC solutions
is for: Mid- to large-size enterprises and contact centres across all vertical markets and geographies
who need to: Connect to public/private SIP Trunk Services, and support Remote / Mobile Workers
in order to: Reduce cost
Deliver business agility
Secure loyal customers
Meet regulatory compliance mandates
Acme Packet Contacts - EMEA
Andreas Waechter, Sales Director, Enterprise (Germany)
Margie Frasier, Channel Development Manager (Italy)
Geraint Evans, Technical Director (UK)
HEADQUARTERS
Relationship Manager: Neil Segall
Technical Director: Ray DeQuiroz
Chief Engineer: Mike Aglietti
Channel Development: Laurie Coppola