Summary comparison: SBCs vs. Firewalls with SIP ALGs
Acme Packet

SBC: Back-to-back user agent
– Fully state-aware at layers 2-7
– Inspects and modifies any application layer header info (SIP, SDP, etc.)
– Can terminate, initiate, re-initiate signaling & SDP
– Static & dynamic ACLs

Firewall with SIP ALG: Maintains single session
– Fully state-aware at layers 3 & 4 only
– Inspects and modifies only application layer addresses (SIP, SDP, etc.)
– Unable to terminate, initiate, re-initiate signaling & SDP
– Static ACLs only

[Diagram: SIP trunking, data center, IP PBX, UC server]

SBC vs. firewall w/ SIP ALG comparison: Security scenarios

Use case scenario | Business challenge | Technical requirements | SBC | FW w/ ALG

Use case scenario: SBC/FW DoS/DDoS self-protection
Business challenge: Prevent malicious or non-malicious SIP signaling or media attacks & overloads from making the SBC or FW non-responsive
Technical requirements:
* Dynamically block attacks
* Detect/reject non-compliant (signaling, protocol, traffic levels) SIP sessions
* Initiate SIP BYEs to tear down core-side sessions
* Statefully control legitimate SIP registrations during overloads

Use case scenario: Network abuse control
Business challenge: Prevent unauthorized or fraudulent network usage
Technical requirements:
* Control number & bandwidth of simultaneous sessions
* Strip unauthorized codecs from SDP headers
* Scan SIP header attachments for unauthorized content
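
The "strip unauthorized codecs from SDP" requirement above, as an added example (not from the original slides and not Acme Packet's implementation): a filter that rewrites each RTP m= line and drops the attributes of removed payload types. The codec allow-list, the function names and the sample offer are assumptions constructed for illustration.

```python
import re

# Static RTP payload types (RFC 3551) for offers that omit a=rtpmap.
STATIC_PT = {"0": "PCMU", "3": "GSM", "4": "G723", "8": "PCMA", "9": "G722", "18": "G729"}
PT_ATTR = re.compile(r"a=(rtpmap|fmtp|rtcp-fb):(\d+)\b")

# Constructed sample offer (not from the slides).
SAMPLE = ("v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
          "m=audio 49170 RTP/AVP 0 18 101\r\na=rtpmap:18 G729/8000\r\n"
          "a=fmtp:18 annexb=no\r\na=rtpmap:101 telephone-event/8000\r\n"
          "a=fmtp:101 0-15\r\nm=video 51372 RTP/AVP 96\r\na=rtpmap:96 H264/90000\r\n")

def filter_media(section, allowed):
    """Filter one m= section (a list of lines) down to the allowed codecs."""
    media, port, proto, *pts = section[0][2:].split()
    if "RTP/" not in proto:
        return section                      # not RTP (e.g. T.38 over udptl): untouched
    names = {pt: STATIC_PT.get(pt, "") for pt in pts}
    for line in section[1:]:
        m = re.match(r"a=rtpmap:(\d+) ([^/\s]+)", line)
        if m:
            names[m.group(1)] = m.group(2)  # dynamic mapping overrides the static table
    keep = [pt for pt in pts if names.get(pt, "").upper() in allowed]
    if not keep:
        # Nothing permitted: disable the stream (port 0, RFC 3264) and keep
        # one format because an m= line must list at least one.
        return [f"m={media} 0 {proto} {pts[0]}"]
    out = [f"m={media} {port} {proto} {' '.join(keep)}"]
    for line in section[1:]:
        m = PT_ATTR.match(line)
        if m and m.group(2) not in keep:
            continue                        # attribute of a stripped payload type
        out.append(line)
    return out

def strip_codecs(sdp, allowed):
    """Return the SDP body with every codec not in `allowed` removed."""
    allowed = {c.upper() for c in allowed}
    sections = [[]]
    for line in sdp.splitlines():
        if line.startswith("m="):
            sections.append([])             # each m= line opens a new media section
        sections[-1].append(line)
    out = list(sections[0])                 # session-level lines pass through
    for section in sections[1:]:
        out.extend(filter_media(section, allowed))
    return "\r\n".join(out) + "\r\n"

if __name__ == "__main__":
    print(strip_codecs(SAMPLE, {"PCMU", "telephone-event"}))
```

Rewriting the body changes its length, so a device doing this must also update the SIP Content-Length header, which a full B2BUA does when it re-originates the message.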

SBC vs. firewall w/ SIP ALG comparison: Application reach, regulatory scenarios

Use case scenario | Business challenge | Technical requirements | SBC | FW w/ ALG

Use case scenario: IP PBX and UC protocol interworking
Business challenge: Translate dissimilar signaling (SIP, H.323), transport (UDP, TCP, SCTP) & encryption (none, TLS, SRTP, IPsec)
Technical requirements:
* Terminate SIP sessions and translate layer 2-7 protocol information
* Fix protocol anomalies & inconsistencies

Use case scenario: Remote site NAT traversal
Business challenge: Enable users behind FW/NATs to originate and receive VoIP calls and UC sessions
Technical requirements:
* Keep FW pinholes open by resetting SIP registration interval to less than FW port TTL and caching SIP registrations by FW IP/port

Use case scenario: Session replication for recording
Business challenge: Comply with regulatory requirements and maximize customer service quality
Technical requirements:
* Replicate all SIP signaling and media to recording server(s) in addition to intended recipient
* Replicate selective or all sessions

SBC vs. firewall w/ SIP ALG comparison: Availability scenarios

Use case scenario | Business challenge | Technical requirements | SBC | FW w/ ALG

Use case scenario: Data center disaster recovery
Business challenge: Assure constant service availability and quality
Technical requirements:
* Network SBC – detect failure of datacenter SIP session agents and re-route SIP sessions
* Datacenter SBC – translate phone numbers in SIP headers for SIP trunk geo-redundancy

Use case scenario: Remote site survivability
Business challenge: Provide alternative path for VoIP/UC traffic when primary path becomes unavailable
Technical requirements:
* Monitor link and routing state of upstream router & SIP registration state of remote IP PBX/UC server
* Re-route SIP signaling and media to alternative trunking provider, PSTN media gateway or Internet

Use case scenario: High availability operation
Business challenge: Ensure no loss of active sessions or session state during failover
Technical requirements:
* Checkpointing of SIP signaling, media and configuration state between active & standby elements

SBC vs. firewall w/ SIP ALG comparison: SLA assurance scenarios

Use case scenario | Business challenge | Technical requirements | SBC | FW w/ ALG

Use case scenario: QoE-based routing
Business challenge: Maximize voice quality and reliability of services and applications
Technical requirements:
* Actively monitor voice QoS thresholds and ASR
* Re-route or redistribute traffic as needed
* Release media within access network to optimize quality

Use case scenario: IP PBX/UC server session admission & overload control
Business challenge: Ensure continuous service availability and quality, even under adverse traffic loads and/or attack
Technical requirements:
* Dynamically monitor server status and control SIP signaling flows to IP PBX/UC servers accordingly

The leader in session border control for trusted, first class interactive communications