
Nov. 2015

The Carriers' All-IP Strategy: Direct or Indirect SIP Connection?

Johannes Weiß, Pre Sales DACH

AudioCodes – brief overview

• Voice Experts for over 21 years

• Manufacturing chips, boards, products and providing solutions and services

• Global partner to leading telecom players including Alcatel-Lucent, Avaya, Broadsoft, Microsoft, Genesys, NSN, Interactive Intelligence

• Extensive Interoperability with different PBX/IPBX systems

• Strong brand for quality & performance

Agenda

An E-SBC is an Enterprise Session Border Controller deployed and managed by the service partner or enterprise customer to connect quickly, confidently and securely to VoIP services

Topics:

AudioCodes E-SBC Family

SIP Trunk Challenges

Benefits of AudioCodes E-SBC

E-SBC Portfolio

Mediant 500

Mediant 2600 Mediant 4000 Mediant 9000

Mediant SE, Mediant VE

Mediant 800B Mediant 1000B Mediant 3000

Hardware SBCs

Software SBCs

Hybrid SBCs

Same software means uniform functionality, making it easy to plan and deploy

Mediant 500L

Enterprise migration

Use of traditional TDM-PBX

Migration to IP-PBX or UC

E-SBC for

Interoperability

Survivability

Security

Remote Users

SLA and Quality Assurance

[Diagram labels: PBX, PSTN, SIP Trunk, Internet, UC / IP PBX, Enterprise Data Center, Service Provider Network, SIP Trunk Provider, Internet Provider, PSTN Provider, SBC]

The different kinds of session border controllers

[Diagram labels: Enterprise, Service Provider A, Service Provider B, E-SBC, Access SBC, Peering SBC, Peering SBC]

Capability | Enterprise SBC | SP Access SBC | SP Peering SBC

Scale | Up to 4000 sessions | >=20000

Registrations database | Few (remote workers only) | Many | None

Routing Rules | Hundreds | Few | Thousands

E-SBC roles

Security

• VoIP Firewall

• Demarcation

• Topology Hiding

• Access Control

• Encryption

• Denial of Service

• Call Theft and Fraud

Connectivity

• SIP Normalization

• NAT Traversal

• Voice Mediation & Transcoding

• DTMF Conversion

• Fax Conversion

• Protocol/Coder Policing

SLA and QoS

• Call Admission Control

• QoS Monitoring and Troubleshooting

• Voice Service Assurance

• Survivability

2013 Global Fraud Loss Estimate: $46.3 Billion (USD) annually

VoIP systems make these kinds of attacks much easier

Toll Fraud Impacts

Top 5 Fraud Methods Reported by Surveyed Companies:

[Chart: loss in billion USD by fraud method; recovered labels: Subscription Fraud, PBX Hacking, Account Takeover]

Source: 2013 CFCA Global Fraud Loss Survey

The most damaging form of toll fraud. The idea is to exploit an IP PBX and find a way to take an inbound call and hair-pin out to an international number.

Dial-Through Fraud (DTF)

[Diagram labels: PBX, ITSP / Internet, Enterprise users; steps numbered 1 to 4]

Attacker sells access to users who dial in and back out

Many calls generated to long distance or international destinations
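The hair-pin pattern described on this slide can be looked for in call detail records. The following is an added example, not part of the original deck and not AudioCodes code: it flags outbound international legs that are bridged to a call which arrived from outside. The CDR column names, the home country code and the alert threshold are assumptions, and the records are constructed.

```python
import csv
import io
from collections import Counter

HOME_CC = "+49"   # assumed home country code
THRESHOLD = 3     # assumed alert level: hairpinned international calls per hour

# Constructed CDR legs; column names are hypothetical, not a vendor export format.
CDR_CSV = """bridge_id,start,direction,trunk,caller,callee
b1,2015-11-02T02:10,in,itsp,+4930555010,+4989555000
b1,2015-11-02T02:10,out,itsp,+4989555000,+5355550101
b2,2015-11-02T02:14,in,itsp,+4930555011,+4989555000
b2,2015-11-02T02:14,out,itsp,+4989555000,+5355550102
b3,2015-11-02T02:31,in,itsp,+4930555012,+4989555000
b3,2015-11-02T02:31,out,itsp,+4989555000,+5355550103
b4,2015-11-02T09:05,in,internal,+4989555017,+3315550100
b4,2015-11-02T09:05,out,itsp,+4989555017,+3315550100
b5,2015-11-02T09:40,in,itsp,+4930555013,+4989555020
b5,2015-11-02T09:40,out,itsp,+4989555020,+4915155501
"""

def is_international(number):
    return number.startswith("+") and not number.startswith(HOME_CC)

def hairpins(cdr_text):
    """Outbound international legs bridged to a leg that arrived on an external trunk."""
    legs = list(csv.DictReader(io.StringIO(cdr_text)))
    from_outside = {leg["bridge_id"] for leg in legs
                    if leg["direction"] == "in" and leg["trunk"] != "internal"}
    return [leg for leg in legs
            if leg["direction"] == "out" and leg["trunk"] != "internal"
            and leg["bridge_id"] in from_outside and is_international(leg["callee"])]

def alerts(cdr_text):
    """Hours in which hairpinned international calls reach THRESHOLD."""
    per_hour = Counter(leg["start"][:13] for leg in hairpins(cdr_text))
    return {hour: n for hour, n in per_hour.items() if n >= THRESHOLD}
```

The internal user's international call (b4) and the inbound call forwarded to a national number (b5) are not flagged; only the three night-time calls that enter and leave over the ITSP trunk are.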

Telephony denial of service attacks (TDoS) are increasing in severity and frequency

Unauthorized users flood the system with bogus access requests and prevent legitimate users from accessing the system

By keeping these calls active for a long duration, the attacker prevents voice network resources from being used by legitimate callers

TDoS - Telephony Denial of Service

[Diagram labels: ITSP / Internet, PBX, TDoS Attacker, Agents]

Customers cannot reach the agents

AudioCodes E-SBC

Monitoring and Reporting

Data Confidentiality and Privacy

Protection against Unauthorized Access

Protection against Attacks and Threats

Robust Management

Security

Gartner recommendation for securing enterprise voice:

“Implement session border controllers (SBCs) to control and log the security policies between the specific security zone for real-time voice and video communication and the other security zones.”

AudioCodes E-SBC provides an extensive set of features to protect an enterprise voice network:

Accept messages based on SIP header properties, for example the request URI

Filter oversized SIP messages, unwanted SIP bodies, SIP syntax policing

Filter out SIP messages which do not belong to an open dialog

Overcome TCP vulnerabilities, perform TLS authentication

Look at the IP addresses and ports to filter unwanted packets and throttle the incoming packet rate

How Does AudioCodes E-SBC Secure SIP Traffic
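A sketch of the message-level checks listed on this slide (oversized messages, syntax policing, unwanted bodies, requests outside an open dialog). This is an added example, not part of the original deck and not AudioCodes code; the size limit, the allowed body type, the long-form header names and the sample message are assumptions.

```python
import re

MAX_SIP_BYTES = 4096                  # assumed size limit
ALLOWED_BODIES = {"application/sdp"}  # assumed body policy
IN_DIALOG = {"ACK", "BYE", "UPDATE", "INFO", "PRACK"}

def parse_sip(raw):
    """Return (method, headers) of a SIP request; raise ValueError on bad syntax."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line after headers")
    lines = head.decode("utf-8").split("\r\n")  # UnicodeDecodeError is a ValueError
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0" or not parts[0].isupper():
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("bad header line")
        headers[name.strip().lower()] = value.strip()
    return parts[0], headers

def tag(value):  # tag parameter of a From/To header value, "" if absent
    m = re.search(r";\s*tag=([^;\s]+)", value.rsplit(">", 1)[-1], re.I)
    return m.group(1) if m else ""

def police(raw, open_dialogs):
    """Size, syntax, body and dialog checks, cheapest first."""
    if len(raw) > MAX_SIP_BYTES:
        return "drop: oversized"
    try:
        method, h = parse_sip(raw)
    except ValueError as err:
        return f"drop: syntax ({err})"
    if any(n not in h for n in ("via", "from", "to", "call-id", "cseq")):
        return "drop: syntax (missing mandatory header)"
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype and ctype not in ALLOWED_BODIES:
        return "drop: unwanted body"
    dialog = (h["call-id"], frozenset((tag(h["from"]), tag(h["to"]))))
    if method in IN_DIALOG and dialog not in open_dialogs:
        return "drop: no open dialog"
    return "accept"

# Constructed sample: one open dialog and a BYE that belongs to it.
OPEN = {("c1@192.0.2.10", frozenset(("a1", "b2")))}
BYE = (b"BYE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.10\r\n"
       b"From: <sip:alice@example.com>;tag=a1\r\nTo: <sip:bob@example.com>;tag=b2\r\n"
       b"Call-ID: c1@192.0.2.10\r\nCSeq: 2 BYE\r\n\r\n")
```

The dialog key uses the Call-ID plus both tags as an unordered pair, so a BYE from either party matches the same open dialog.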

Interfacing with various IP-PBXs

RFC 3261 is the largest SIP RFC

Not a ‘super tight’ spec:

“Should”: 344 times

“Can”: 475 times

“May”: 381 times

“Option”: 144 times

Lots of room for interpretation

Media incompatibilities add to complexity

SIP implementation variances can lead to interoperability issues across multivendor systems and service provider networks

Handling these incompatibilities at the core SBC is complex and risky and may lead to service outages

Why an E-SBC on premise is needed

Voice quality is a critical factor in business satisfaction ratings

Varying service quality and availability can degrade call quality

Identifying problems in VoIP networks is difficult. There is uncertainty about where the actual problems lie (at the Enterprise or the SP network)

This may lead to “finger pointing”

[Diagram labels: SIP Trunk Provider, Enterprise A, Enterprise B, Packet loss, Latency, Jitter, C4/5 Application Server, Access SBC, Internet]

Configure your SBC in 5 minutes with SBC Wizard

SIP Trunk Interoperability Service

SIP Trunk Interoperability is costly and time consuming for service providers

Businesses want to protect their investments in legacy communications equipment

Hundreds of different solutions must be certified for interoperability

On premise software upgrades require recertifying the interoperability

AudioCodes interoperability service:

Certify new IP-PBX vendors with the SIP trunk service with a 2-3 weeks SLA

Assists service providers during official certification of their service with Lync

- Pre-testing: Testing in AudioCodes lab or SP labs

- Official testing at certification lab (Tekvision/Wipro)

Embedded WebRTC gateway

[Diagram labels: IP Phone, AudioCodes Access SBC, Embedded WebRTC Gateway, Service Provider Network, Application Server; links: SIP/WebSockets, ICE/DTLS, Opus/UDP/SRTP, SIP/TLS, SRTP]

WebRTC allows

1. Single wireline number across all devices: phone, tablet, desktop and mobile phone

2. Click2Call for support (contact centers)

