We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byMarlee Gallegos
Modified about 1 year ago
What does an SBC do? 1
© 2012 Avaya Inc. All rights reserved. 2 Carrier SBC’s Carrier SBC IP PBX Intranet FW Carrier SBC Historically designed to sit at the SP’s edge to protect the carrier. Complex to use command-line devices Provides a distinct separation between networks while providing a means of transporting signaling and media Perform topology hiding for the SP Tracking calls (CDR) for billing Act as a Network Address Translator (NAT) for the SP Provides admission control to limit calls from customer (and insure SLA) Protocol Internetworking for H.323 and SIP Enterprise Network 11/26/20122 SP Network
© 2012 Avaya Inc. All rights reserved. 3 Enterprise SBC Internet IP PBX Intranet DMZ Avaya SBCE Internal FW External FW/NAT Mobile Users, Telecommuters SRTP/ RTP Remote Worker Avaya SBCE Encryption TLS proxy SRTP proxy Enablement FW / NAT traversal Call admission control Signaling and media firewall Enterprise Network Security Floods and fuzzing prevention Spoofing prevention (fingerprint verification) Media anomaly prevention Stealth attack prevention Tollfraud Prevention Anti-spam Whitelist/Blacklist Behavior learning 06/01/2012© 2012 Avaya, Inc. All Rights Reserved.3 SIP Trunking
© 2012 Avaya Inc. All rights reserved. 44 Avaya SBCE: SIP Trunking Architecture Use Case: SIP Trunking to Carrier Carrier offering SIP trunks as lower-cost alternative to TDM Heavy driver for Enterprise adoption of SBC Support Aura, IPO and CS1K From a SECURITY Stand Point, it is recommended the SBCE be in the DMZ Carrier SIP trunks to the Avaya Session Border Controller for Enterprise Avaya SBCE is located in a DMZ behind the Enterprise firewall Services: security and demarcation device between the IP-PBX and the Carrier −NAT traversal, −Securely anchors signaling and media, and can −Normalize SIP protocol InternetEnterprise Avaya SBCE DMZ SIP Trunks Carrier CS1000
© 2012 Avaya Inc. All rights reserved. 55 NAT Traversal Enterprise IP PBX Internet or Provider Network FW IP Address 18.104.22.168 SBC External IP Address 192.168.45.4 At a basic level think of it this way: If the SBC sends an INVITE message to the carrier, can the carrier reply and reach IP address 192.168.45.4? No. The SBC facilitates NAT Traversal by making sure all signaling messages have a REACHABLE return address. In this example, the INVITE would have a source address of 22.214.171.124. When a reply is sent it reaches the firewall which forwards to external IP Address.
© 2012 Avaya Inc. All rights reserved. 66 Understanding Toll Fraud Toll fraud can only be prevented by a holistic approach involving best practice configuration of many elements in a UC environment. Examples include: –Customized tuning of SBC to set intelligent call thresholds for outbound and inbound traffic (based on time of day for optimal fine-tuning) –Enable short-call toll fraud duration –Limit international calls to only valid destinations for needed countries
© 2012 Avaya Inc. All rights reserved. 77 DoS and Toll Fraud Protection Single Source DoS Any type of DoS attack that is directed against one or more enterprise endpoints that originate from a single source (normally spoofed). Stealth DoS/DDoS A type of low ‐ volume DoS attack that is directed against an endpoint where the source of the call is constantly changed. Call Walking A type of DoS attack whereby serial calls originating from a single source (normally spoofed) are directed against a sequential group of end ‐ points. Toll Fraud Refers to internal or external users using the corporate phone system to place unauthorized toll calls. Phone DoS/DDoS A type of DoS attack that is directed against a single enterprise end ‐ point.
© 2012 Avaya Inc. All rights reserved. 88 DoS and Toll Fraud Protection DoS settings can be customized Time-of-Day can be used to refine DoS settings Specific protection exist for ‘Short Duration Toll Fraud’ as well: –Short call duration toll fraud is where a large number of short calls (less than 1-2 seconds) are made to make money on the ‘connect’ fees.
© 2012 Avaya Inc. All rights reserved. 9
© 2012 Avaya Inc. All rights reserved. 11 Avaya SBCE: Remote Worker Architecture Use Case: Remote Worker Extend UC to SIP users remote to the Enterprise Solution not requiring VPN for UC/CC SIP endpoints From a SECURITY Stand Point, it is recommended the SBCE be in the DMZ Remote Worker are external to the Enterprise firewall Avaya Session Border Controller for Enterprise −Authenticate SIP-based users/clients to the enterprise −Securely proxy registrations and client device provisioning −Securely manage communications without requiring a VPN InternetEnterprise Avaya SBCE DMZ Remote Workers
© 2012 Avaya Inc. All rights reserved. 12 Remote Worker: VPN vs VPNless Endpoints VPN Endpoint VPN Headers add additional size to traffic. In aggregate reduces bandwidth. Encrypts traffic, yet does not validate it. (Encrypting and distributing a virus isn’t helpful) No ability at VPN head-end to distinguish between voice and data traffic. Ultimately voice quality suffers. Cumbersome user experience for real-time communication application VPNless Endpoint TLS/SRTP encrypts the traffic with a smaller bandwidth footprint than VPN Signaling and media are unencrypted at the SBC and inspected at Layer 7 to validate the traffic before it is allowed through Numerous policies allow Enterprise control of endpoints. Consistent user experience for applications
© 2012 Avaya Inc. All rights reserved. 13 Call Servers For SIP Trunking, an accepted architecture is: –Call Server + SBC –Call Server + SM + SBC A valid call server is –CS1k 7.5 –CM 5.2.1 –IPO 8.x SM must be 6.x For SIP Trunking if these basic requirements are not met there is no opportunity with this customer UNTIL these elements are there. Session Manager is NOT required for SIP Trunking
© 2012 Avaya Inc. All rights reserved. 14 Avaya SBCE 4.0.5 and 6.2 Interoperability Matrix All Tests performed in the SIL Labs PlatformNo SMSM 6.1SM 6.2 CS1K R7.5R4.0.5/R6.2 IPO R8.0R4.0.5/R6.2NA CM R5.2.1R4.0.5/R6.2 CM 6.0.1R4.0.5/R6.2 NA CM R6.2R4.0.5/R6.2 Supported - Tested NANot Supproted or Tested.
© 2012 Avaya Inc. All rights reserved. 15 IPO 8.x ONLY supports SIP Trunking ONLY certified with AT&T at the moment A generic app note is in the works to accommodate additional carriers
© 2012 Avaya Inc. All rights reserved. 16 Carriers Tested as of November 10 th, 2013. Alestra AT&T AT&T Puerto Rico Belgacom Bell Canada Broad-Connect Broadview BT Global Services BT HIPCOM BT Italia BT Wholesale Cable & Wireless CenturyLink Teliasonera TELUS T-Mobile NL UPC Vamoin1/KPN Verizon Business Virgin Media Vodafone DE Vodafone NL VoicePulse Windstream Worldnet P. Rico XO Colt Etisalat Fastweb SPA Frontier Gamma IntelePeer KPN Level 3 MTSAllStream PAETEC Phonect QSC Sprint Swisscom Tele2 Telefonica del Peru Telenor Find App Notes Here: https://devconnect.avaya.com/public/dyn/d_dyn.jsp?fn=103
© 2012 Avaya Inc. All rights reserved. 17 SIP Trunking Qualification Must include supported call servers (CS1, CM, SM, IPO) Must be explicitly tested with that given configuration with the carrier. –Example: If CM SBC->Service Provider ‘A’ is tested, that does NOT mean CM SM->Service Provider “A’ is tested. Make sure the specific configuration is documented with an App Note. –If the architecture is valid, but it is not tested, then escalate through Jack Rynes
© 2012 Avaya Inc. All rights reserved. 18 SIP Trunking with AACC AACC – If this is a basic SIP Trunking deployment involving: Service Provider - SBC SM CM There may be a valid solution for the SBC but all call flows should be vetted with the CSE’s.
© 2012 Avaya Inc. All rights reserved. 19 SIP Trunking with Call Center Elite CC Elite – If this is a basic SIP Trunking deployment involving: Service Provider - SBC SM CM -and- Avaya Experience Portal is NOT part of the call flow There may be a valid solution for the SBC but all call flows should be vetted with the CSE’s.
Avaya SBCE Key Features 20
© 2012 Avaya Inc. All rights reserved. 21 Avaya SBCAE Remote Enterprise Intranet The Unique Avaya Solution for UC Application Security Internet Avaya Session Manager (SIP) Internal Phone (RTP) Remote Phone Configuration (HTTPS) Certificate Authority (SCEP) Personal Profile Manager (SOAP) Directory Server (LDAP) Web Server (HTTP) Presence and IM (XMPP) Enterprise DMZ Firewalls Remote NAT & Firewall Security UC Policy, Access control, & Authentication Privacy (encryption) with TLS, SRTP UC Threat protection Comprehensive Services Directory, Web applications, Login profiles Remote Management Configuration management, Certificate, PKI management Hi Authenticated Endpoints Allow supporting protocols with full NAT Giving you Full Features
© 2012 Avaya Inc. All rights reserved. 22 Session Border Controller capacities are rated in Simultaneous Sessions –A simultaneous session = a communication session between 2 SIP endpoints –Can think of it as analogous to a DSO in the ‘old world’ –Key for engineering is to understand the numbers of sessions required in the solution For Secure SIP trunking, look at the number of TDM DSOs required For Remote Worker, calculate required call volumes ASBCE 6.2 System Capacity 22 Portwell CAD-0208 Max Capacity W/out Encrypt Max Capacity With Encrypt HA SA 1000 250 2000 500 Capacity in Simultaneous Sessions ‘Rules of Thumb’ SIP trunking usually 5 users per ‘SS’ Must account for higher ratio in small Remote Worker must consider both On-net and off-net requirements Remember, in Dell configs, Encryption Services impact capacity
IT Expo SECURITY Scott Beer Director, Product Support Ingate
The leader in session border control for trusted, first class interactive communications.
Addressing Security Issues IT Expo East Addressing Security Issues Unified Communications SIP Communications in a UC Environment.
© 2013 Avaya Inc. All rights reserved Avaya UC Collaboration Solution A complete solution for midsize companies Mobility Video SecurityNetworking.
Remote Workers Without the Hassle Jeff Johnson – Avaya Dwight Reifsnyder - NACR Session 446.
Unified. Simplified. Unified Communications Launch 2007.
SIP Trunking A VASP Perspective Thomas Roel Convergence Sales Engineer
PART 2: Product Line. Tenor Switches & Gateways Tenor AX Series Solution For Medium to Large Enterprises Available in 8, 16, 24 and 48 port Available.
March 2009 Sipera Overview. 2 © 2009 Sipera Systems, Inc. All Rights Reserved. About Sipera Leader in real-time Unified Communications (UC) security.
Mobility And Anywhere Access Clancy Priest Technology Services Director City of Hayward.
Ingate & Dialogic Technical Presentation SIP Trunking Focused.
Quintum Confidential and Proprietary 1 Quintum Technologies, Inc. Session Border Controller and VoIP Devices Behind Firewalls Tim Thornton, CTO.
Security, NATs and Firewalls Ingate Systems. Basics of SIP Security.
To Rent or Buy the IP PBX? Maybe it’s Both…. Building a VoIP Solution That Enables Both.
1 The Need for Enterprise Session Border Controller The E-SBC allows the enterprise to control its SIP implementation The Ingate SIParator ®
1Security for Service Providers – Dave Gladwin – Newport Networks – SIP ’04 – 22-Jan-04 Security for Service Providers Protecting Service Infrastructure.
Solutions for SIP The SIP enabler We enable SIP communication for business What the E-SBC can do for you.
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
Existing PBX Existing Phone Handsets Numbering Plan to digit Internal extensions 9 for an outside line 3 digits.
Securing Unified Communications Mor Hezi VP Unified Communications AudioCodes.
SIP? NAT? NOT! Traversing the Firewall for SIP Call Completion Steven Johnson President, Ingate Systems Inc.
Enabling SIP to the Enterprise Steve Johnson, Ingate Systems Security: How SIP Improves Telephony.
CounterPath Corporation William Khris Kendrick: – Director of Business Development and Channel Marketing – –
VoIP Security Sanjay Kalra Juniper Networks September 10-12, 2007 Los Angeles Convention Center Los Angeles, California 3 VoIP Issues.
SIP Trunking As a Managed Service Why an E-SBC Matters By: Alon Cohen, CTO Phone.com.
©2013 Avaya Inc. All rights reservedFebruary 26-28, 2013 | Orlando, FL.
January 23-26, 2007 Ft. Lauderdale, Florida IP Communications, Secure – By Design Roger W. Farnsworth.
Towards a Scalable and Secure VoIP Infrastructure Towards a Scalable and Secure VoIP Infrastructure Lab for Advanced Networking Systems Director: David.
© 2009 Avaya Inc. All rights reserved. Introduction to SIP Trunking in the Enterprise Henry Pinera Systems Engineer February 2009.
© 2011 AudioCodes Ltd. All rights reserved. AudioCodes Confidential Proprietary Avaya DevConnect Certified Enterprise Session Border Controllers April.
Scenarios Lync-Skype Audio (v1) Add to contact list/Block users [Lync to MSA] Block Skype Connectivity Instant Messages and Presence Updates P2P Audio.
Securing your IP based Phone System By Kevin Moroz VP Technology Snom Inc.
Secure Telephony Enabled Middle-box (STEM) Maggie Nguyen Dr. Mark Stamp SJSU - CS 265 Spring 2003 STEM is proposed as a solution to network vulnerabilities,
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Adoption of IP in the Next Generation Contact Center Rupesh ChokshiGautham NatarajanDirector, AT&T.
IP Communications Services Redefining Communications Teresa Hastings Director WorldCom SIP Services Conference – April 18-20, 2001.
Common Misconceptions Alan D. Percy Director of Market Development The Truth of Enterprise SIP Security.
Introduction Steven Johnson President Ingate Systems Inc.
1 The Need for Enterprise Session Border Controller The E-SBC allows the enterprise to control its SIP implementation.
Peer-to-Peer Solutions Between Service Providers David A. Bryan CTO, Jasomi Networks October 10, 2002 – Fall VON, Atlanta, GA.
DMZ (De-Militarized Zone) Network Security. Privilege levels in Cisco routers Cisco IOS offers 16 privilege levels ◦ User Exec mode: Level 1 ◦ Privilege.
Network Security DMZ (De-Militarized Zone). J. Wang. Computer Network Security Theory and Practice. Springer 2008 General Framework.
© 2009 Avaya Inc. All rights reserved. Introduction to SIP Trunking Alan Klein Consulting Systems Engineer February 2009.
Voice Security Interop 2009 Mark D. Collier SecureLogix Corporation
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
Security fundamentals Topic 10 Securing the network perimeter.
This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
© 2017 SlidePlayer.com Inc. All rights reserved.