Presentation transcript: "What does an SBC do?"

Slide 1: What does an SBC do?
Speaker Notes/Script: Read the title and subtitles.
Slide 2: Carrier SBCs
[Diagram: Enterprise Network (IP PBX, Intranet, FW) -- Carrier SBC -- SP Network]
- Historically designed to sit at the SP's edge to protect the carrier.
- Complex command-line devices.
- Provide a distinct separation between networks while still providing a means of transporting signaling and media.
- Perform topology hiding for the SP.
- Track calls (CDRs) for billing.
- Act as a Network Address Translator (NAT) for the SP.
- Provide admission control to limit calls from the customer (and ensure the SLA).
- Protocol interworking between H.323 and SIP.
11/26/2012
Slide 4: Avaya SBCE: SIP Trunking Architecture
Use Case: SIP Trunking to Carrier
- Carriers offer SIP trunks as a lower-cost alternative to TDM; this is a heavy driver for enterprise adoption of SBCs.
- Supports Aura, IPO and CS1K.
- From a SECURITY standpoint, it is recommended that the SBCE be placed in the DMZ. A DMZ is recommended, not required; parallel architectures and "Y" configurations are common, but the DMZ placement is the recommended architecture.
[Diagram: Carrier -- SIP Trunks -- Internet -- Firewall -- DMZ (Avaya SBCE) -- Firewall -- Enterprise (CS1000)]
- Carrier SIP trunks terminate on the Avaya Session Border Controller for Enterprise.
- The Avaya SBCE is located in a DMZ behind the enterprise firewall.
- Services: security and demarcation device between the IP-PBX and the carrier; NAT traversal; securely anchors signaling and media; can normalize the SIP protocol.
Slide 5: NAT Traversal
[Diagram: IP PBX -- FW IP Address -- SBC External IP Address -- Internet or Provider Network]
At a basic level, think of it this way: if the SBC sends an INVITE message to the carrier, can the carrier reply and reach the private IP address shown? No. The SBC facilitates NAT traversal by making sure all signaling messages carry a REACHABLE return address. In this example, the INVITE would have a source address of the firewall's public IP address; when a reply is sent, it reaches the firewall, which forwards it to the SBC's external IP address.
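The rewrite the slide describes, as an added example that is not Avaya's code or any SBCE configuration: a PBX behind NAT puts its private address into the Via and Contact headers and into the SDP c= line, so the carrier's SIP responses and RTP would be sent to an address it cannot reach. The function below replaces those with the SBC's reachable external address and media anchor (and, as a side effect, hides the internal topology), then recomputes Content-Length. The addresses, ports and the INVITE itself are constructed (RFC 5737 test ranges); the 5060 signaling port and the single-audio-stream SDP are assumptions.

```python
"""SIP NAT traversal as an SBC performs it: make every return address reachable.
Added example, not Avaya code; all addresses and the sample INVITE are constructed."""
import ipaddress
import re

PBX_ADDR = "192.168.10.5"        # constructed: the IP-PBX's private address
SBC_EXTERNAL = "203.0.113.20"    # constructed: the SBC's reachable external address
SBC_MEDIA_PORT = 30000           # constructed: port on which the SBC anchors RTP

SDP_FROM_PBX = (
    "v=0\r\n"
    "o=pbx 2890844526 2890844526 IN IP4 192.168.10.5\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.10.5\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 8 101\r\n"
)
INVITE_FROM_PBX = (  # constructed INVITE exactly as the PBX hands it to the SBC
    "INVITE sip:+15551230000@carrier.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.10.5:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@192.168.10.5>;tag=1928301774\r\n"
    "To: <sip:+15551230000@carrier.example>\r\n"
    "Call-ID: a84b4c76e66710@192.168.10.5\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:1001@192.168.10.5:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_FROM_PBX)}\r\n"
    "\r\n" + SDP_FROM_PBX
)

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ADDR_PORT = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_message(raw):
    """Return (start line, header lines, body) of a SIP message."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body


def unreachable_return_addresses(raw):
    """RFC 1918 addresses in the fields the far end must reply or send media to:
    Via, Contact and the SDP c= line. Non-empty means the carrier's responses
    or RTP would be addressed to something it cannot reach."""
    _, headers, body = split_message(raw)
    fields = [h for h in headers if h.lower().startswith(("via:", "contact:"))]
    fields += [line for line in body.split("\r\n") if line.startswith("c=")]
    found = []
    for f in fields:
        for ip in IPV4.findall(f):
            if any(ipaddress.ip_address(ip) in net for net in RFC1918) and ip not in found:
                found.append(ip)
    return found


def sbc_rewrite_outbound(raw, ext_addr=SBC_EXTERNAL, media_port=SBC_MEDIA_PORT):
    """Point every return path at the SBC: Via/Contact get the SBC's external
    address (responses come back to the SBC), SDP c=/o= and the m= port get the
    SBC's media anchor (RTP comes back to the SBC). From and Call-ID are
    rewritten too so no internal host leaks (topology hiding)."""
    start, headers, body = split_message(raw)
    out_headers = []
    for h in headers:
        key = h.partition(":")[0].strip().lower()
        if key in ("via", "contact"):
            h = ADDR_PORT.sub(f"{ext_addr}:5060", h)   # assumed: SBC signals on 5060
        elif key in ("from", "call-id"):
            h = IPV4.sub(ext_addr, h)
        out_headers.append(h)
    sdp_lines = []
    for line in body.split("\r\n"):
        if line.startswith(("c=", "o=")):
            line = IPV4.sub(ext_addr, line)
        elif line.startswith("m=audio "):
            parts = line.split(" ")
            parts[1] = str(media_port)                 # RTP must land on the SBC, not the PBX
            line = " ".join(parts)
        sdp_lines.append(line)
    new_body = "\r\n".join(sdp_lines)
    # the body changed, so Content-Length must be recomputed or the carrier will reject/truncate it
    out_headers = [f"Content-Length: {len(new_body)}" if h.lower().startswith("content-length:") else h
                   for h in out_headers]
    return "\r\n".join([start] + out_headers) + "\r\n\r\n" + new_body


if __name__ == "__main__":
    print("before:", unreachable_return_addresses(INVITE_FROM_PBX))
    print("after: ", unreachable_return_addresses(sbc_rewrite_outbound(INVITE_FROM_PBX)))
```

A real SBC is a back-to-back user agent and would also maintain the mapping back to the PBX so that the carrier's 200 OK and RTP are relayed inward; this block shows only the outbound rewrite that makes the return address reachable.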
Slide 6: Understanding Toll Fraud
Toll fraud can only be prevented by a holistic approach involving best-practice configuration of many elements in a UC environment. Examples include:
- Customized tuning of the SBC to set intelligent call thresholds for outbound and inbound traffic (based on time of day for optimal fine-tuning).
- Enabling short-call toll fraud duration protection.
- Limiting international calls to only valid destinations for the countries that are needed.
Slide 7: DoS and Toll Fraud Protection
- Single Source DoS: any type of DoS attack directed against one or more enterprise endpoints that originates from a single source (normally spoofed).
- Stealth DoS/DDoS: a type of low-volume DoS attack directed against an endpoint where the source of the call is constantly changed.
- Call Walking: a type of DoS attack whereby serial calls originating from a single source (normally spoofed) are directed against a sequential group of endpoints.
- Toll Fraud: internal or external users using the corporate phone system to place unauthorized toll calls.
- Phone DoS/DDoS: a type of DoS attack directed against a single enterprise endpoint.
Slide 8: DoS and Toll Fraud Protection
- DoS settings can be customized.
- Time-of-day can be used to refine DoS settings.
- Specific protection exists for "Short Duration Toll Fraud" as well: short-call-duration toll fraud is where a large number of short calls (less than 1-2 seconds) are made so that the fraudster earns money on the "connect" fees.
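The threshold logic behind slides 6 through 8, as an added example that is not Avaya SBCE code: each detector runs over call records of the kind an SBC logs and implements one of the categories defined above (single-source DoS with a time-of-day threshold, stealth DoS from rotating sources, call walking across consecutive numbers, short-duration toll fraud, and an international destination allowlist). The record format, every threshold value, the allowlisted country codes and all of the sample calls are constructed assumptions.

```python
"""Threshold-based toll fraud and DoS detection over SBC call records. Added
example, not Avaya SBCE logic; the record format, thresholds, allowlist and
every record below are constructed assumptions."""
from collections import Counter, defaultdict
from datetime import datetime

ALLOWED_COUNTRY_PREFIXES = ("+1", "+44")  # assumed: the only international destinations the business needs
SHORT_CALL_SECONDS = 2                    # slide: short-duration fraud is calls of 1-2 seconds
SHORT_CALL_MIN_COUNT = 5                  # assumed: how many such calls by one caller before flagging
CALL_WALK_MIN_RUN = 4                     # assumed: consecutive destinations that count as walking
STEALTH_MIN_SOURCES = 5                   # assumed: distinct sources per minute at one endpoint


def rate_limit(minute):
    """Time-of-day threshold: inbound attempts allowed per source per minute (assumed values)."""
    return 30 if 8 <= minute.hour < 18 else 5


def rec(hhmmss, src, caller, dst, secs, direction):
    """One constructed call record: secs is answered duration (0 = never answered)."""
    return {"ts": datetime.strptime("2013-11-10 " + hhmmss, "%Y-%m-%d %H:%M:%S"),
            "src": src, "caller": caller, "dst": dst, "secs": secs, "dir": direction}


CALLS = []
# constructed: one (spoofed) source sends 8 INVITEs in one off-hours minute to consecutive DIDs
CALLS += [rec(f"02:15:{i * 5:02d}", "198.51.100.7", "anon", f"+1555123000{i}", 0, "in") for i in range(8)]
# constructed: six different sources, one attempt each, all aimed at the same endpoint
CALLS += [rec(f"02:20:{i * 7:02d}", f"198.51.100.{20 + i}", "anon", "+15551230100", 0, "in") for i in range(6)]
# constructed: internal caller 2042 places six 1-second answered international calls
CALLS += [rec(f"03:0{i}:00", "10.1.1.42", "2042", f"+25470000010{i}", 1, "out") for i in range(6)]
# constructed: legitimate daytime traffic that must not be flagged
CALLS += [rec("10:00:00", "203.0.113.50", "carrier", "+15551230100", 180, "in"),
          rec("10:05:00", "203.0.113.50", "carrier", "+15551230101", 90, "in"),
          rec("10:30:00", "10.1.1.7", "1001", "+442071234567", 300, "out")]


def minute_of(c):
    return c["ts"].replace(second=0, microsecond=0)


def single_source_dos(calls):
    """Single-source DoS: one source exceeding the time-of-day attempt threshold within a minute."""
    per_min = Counter((c["src"], minute_of(c)) for c in calls if c["dir"] == "in")
    return sorted({src for (src, m), n in per_min.items() if n > rate_limit(m)})


def stealth_dos(calls):
    """Stealth DoS/DDoS: many distinct sources hitting one endpoint in the same minute,
    none of them individually loud enough to trip the per-source limit."""
    sources = defaultdict(set)
    for c in calls:
        if c["dir"] == "in":
            sources[(c["dst"], minute_of(c))].add(c["src"])
    return sorted({dst for (dst, _), srcs in sources.items() if len(srcs) >= STEALTH_MIN_SOURCES})


def call_walking(calls):
    """Call walking: one source dialing a run of consecutive destination numbers."""
    dialed = defaultdict(set)
    for c in calls:
        if c["dir"] == "in":
            dialed[c["src"]].add(int(c["dst"].lstrip("+")))
    hits = []
    for src, nums in dialed.items():
        run = longest = 1
        ordered = sorted(nums)
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= CALL_WALK_MIN_RUN:
            hits.append(src)
    return sorted(hits)


def short_call_toll_fraud(calls):
    """Short-duration toll fraud: many answered outbound calls torn down within 1-2 s by one caller."""
    n = Counter(c["caller"] for c in calls if c["dir"] == "out" and 0 < c["secs"] <= SHORT_CALL_SECONDS)
    return sorted(k for k, v in n.items() if v >= SHORT_CALL_MIN_COUNT)


def disallowed_international(calls):
    """Outbound destinations outside the allowlisted country codes: block these, do not just log them."""
    return sorted({c["dst"] for c in calls
                   if c["dir"] == "out" and not c["dst"].startswith(ALLOWED_COUNTRY_PREFIXES)})


if __name__ == "__main__":
    for name, fn in [("single-source DoS", single_source_dos), ("stealth DoS", stealth_dos),
                     ("call walking", call_walking), ("short-call toll fraud", short_call_toll_fraud),
                     ("disallowed international", disallowed_international)]:
        print(f"{name}: {fn(CALLS)}")
```

The same source trips both the single-source and the call-walking detectors, which is why an SBC combines them: a rate limit alone is defeated by slowing down, a sequence check alone by randomizing the order. The stealth detector keys on the destination rather than the source, since the source is what the attacker rotates.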
Slide 11: Avaya SBCE: Remote Worker Architecture
Use Case: Remote Worker
- Extend UC to SIP users remote to the enterprise.
- A solution that does not require a VPN for UC/CC SIP endpoints.
- From a SECURITY standpoint, it is recommended that the SBCE be placed in the DMZ.
[Diagram: Remote Workers -- Internet -- Firewall -- DMZ (Avaya SBCE) -- Firewall -- Enterprise]
- Remote Workers are external to the enterprise firewall.
- The Avaya Session Border Controller for Enterprise authenticates SIP-based users/clients to the enterprise, securely proxies registrations and client device provisioning, and securely manages communications without requiring a VPN.
Slide 12: Remote Worker: VPN vs VPNless Endpoints
VPN Endpoint:
- VPN headers add size to the traffic; in aggregate this reduces usable bandwidth.
- Encrypts traffic, yet does not validate it (encrypting and distributing a virus isn't helpful).
- No ability at the VPN head-end to distinguish between voice and data traffic; ultimately voice quality suffers.
- Cumbersome user experience for real-time communication applications.
VPNless Endpoint:
- TLS/SRTP encrypts the traffic with a smaller bandwidth footprint than a VPN.
- TLS/SRTP terminate at the SBC, so signaling and media are in the clear there and are inspected at Layer 7 to validate the traffic before it is allowed through.
- Numerous policies allow enterprise control of endpoints.
- Consistent user experience for applications.
Slide 13: Session Manager is NOT required for SIP Trunking
Call Servers: for SIP Trunking, an accepted architecture is either
- Call Server + SBC, or
- Call Server + SM + SBC.
A valid call server is CS1K 7.5, CM 5.2.1 or IPO 8.x; SM must be 6.x.
Session Manager is NOT required for SIP Trunking. For SIP Trunking, if these basic requirements are not met there is no opportunity with this customer UNTIL these elements are in place.
Slide 14: Avaya SBCE 4.0.5 and 6.2 Interoperability Matrix
All tests performed in the SIL Labs. SBCE releases covered: R4.0.5 / R6.2.
Columns: Platform | No SM | SM 6.1 | SM 6.2
Rows: CS1K R7.5; IPO R8.0 (NA); CM R5.2.1; CM 6.0.1; CM R6.2
Legend: Supported - Tested; Not Supported or Tested.
Slide 15: IPO 8.x supports SIP Trunking ONLY, and is ONLY certified with AT&T at the moment. A generic app note is in the works to accommodate additional carriers.
Slide 16: Carriers Tested as of November 10th, 2013
Alestra, AT&T, AT&T Puerto Rico, Belgacom, Bell Canada, Broad-Connect, Broadview, BT Global Services, BT HIPCOM, BT Italia, BT Wholesale, Cable & Wireless, CenturyLink, Colt, Etisalat, Fastweb SPA, Frontier, Gamma, IntelePeer, KPN, Level 3, MTS Allstream, PAETEC, Phonect, QSC, Sprint, Swisscom, Tele2, Telefonica del Peru, Telenor, TeliaSonera, TELUS, T-Mobile NL, UPC, Vamoin1/KPN, Verizon Business, Virgin Media, Vodafone DE, Vodafone NL, VoicePulse, Windstream, Worldnet P. Rico, XO
Find App Notes here: https://devconnect.avaya.com/public/dyn/d_dyn.jsp?fn=103
Slide 17: SIP Trunking Qualification
- Must include supported call servers (CS1K, CM, SM, IPO).
- Must be explicitly tested in that given configuration with the carrier. Example: if CM -> SBC -> Service Provider "A" is tested, that does NOT mean CM -> SM -> SBC -> Service Provider "A" is tested. Make sure the specific configuration is documented in an App Note.
- If the architecture is valid but it has not been tested, escalate through Jack Rynes.
Slide 18: SIP Trunking with AACC
AACC: if this is a basic SIP Trunking deployment involving Service Provider -> SBC -> SM -> CM, there may be a valid solution for the SBC, but all call flows should be vetted with the CSEs.

Slide 19: SIP Trunking with Call Center Elite
CC Elite: if this is a basic SIP Trunking deployment involving Service Provider -> SBC -> SM -> CM, and Avaya Experience Portal is NOT part of the call flow, there may be a valid solution for the SBC, but all call flows should be vetted with the CSEs.
Slide 20: Avaya SBCE Key Features
Speaker Notes/Script: Read the title and subtitles.
Slide 21: The Unique Avaya Solution for UC Application Security
Authenticated endpoints; allows the supporting protocols through with full NAT, giving you full features.
[Diagram: Remote Phone behind Remote NAT & Firewall -- Internet -- Enterprise DMZ firewalls -- Avaya SBCE -- Intranet; encrypted sessions carry Avaya Session Manager (SIP), Internal Phone (RTP), Remote Phone Configuration (HTTPS), Certificate Authority (SCEP), Personal Profile Manager (SOAP), Directory Server (LDAP), Web Server (HTTP), Presence and IM (XMPP)]
- Security: UC policy, access control and authentication; privacy (encryption) with TLS and SRTP; UC threat protection.
- Comprehensive Services: directory, web applications, login profiles.
- Remote Management: configuration management; certificate and PKI management.
Slide 22: ASBCE 6.2 System Capacity
- Session Border Controller capacities are rated in Simultaneous Sessions (SS).
- A simultaneous session is a communication session between 2 SIP endpoints; think of it as analogous to a DS0 in the "old world".
- Key for engineering is to understand the number of sessions required in the solution: for secure SIP trunking, look at the number of TDM DS0s required; for Remote Worker, calculate the required call volumes.
Capacity in Simultaneous Sessions:
Platform | Max capacity without encryption | Max capacity with encryption
HA | 2000 | 1000
SA | 2000 | 1000
Portwell CAD-0208 SA | 500 | 250
(The slide also labels an RW Box and an ST Box.)
"Rules of Thumb":
- SIP trunking usually 5 users per SS; must account for a higher ratio in small deployments.
- Remote Worker must consider both on-net and off-net requirements.
- Remember, in Dell configs, encryption services impact capacity.