SIP Trunking Workshop for Service Providers


1 SIP Trunking Workshop for Service Providers
With real-life considerations and practical solutions for offering SIP Trunks using Ingate and Intertex E-SBCs
The Ingate SIP Trunk-Unified Communications Summit
© Intertex Data AB, Ingate Systems, February 2011
Karl Erik Ståhl, President and CTO, Intertex; Chairman and CTO, Ingate

2 1. The Case for SIP Trunking
1:00pm-1:30pm, Moderator: None
Opening remarks and overview of the benefits of SIP trunking and UC for service providers, by Ingate Systems.

3 2. Delivering SIP to the Enterprise
1:30pm-2:30pm, Moderator: Maloff NetResults
1:30-1:35 Moderator
1:35-2:00 Broadvox
2:00-2:30 Intertex Data AB – Practical solutions

4 There is more to it…
Diagram: PSTN – GW – SIP System – SIP Trunking Provider – SIP Trunk Interface – PBX with system phones.
- Voice only, or Voice & Data on the pipe?
- Internet or private pipe?
- Quality measures on the pipe?
- Is there a (data) firewall in the way?
- Delivery to just a PBX, or to a UC LAN?
- Is an E-SBC required? When? Who provides/owns the E-SBC?
- Just SIP Trunking of PBXs, or also remote users and hosted services?

5 This Would be Simple
Diagram: SIP Trunking Provider Network (PSTN – GW – SIP System) – SIP Trunk – Public Internet – Firewall – IP-PBX, with a separate Data LAN and VoIP LAN.
In enterprises where the VoIP LAN is logically separated from the data LAN, it is possible to connect directly to a managed SIP Trunking service over a separate pipe. (Nobody would even consider connecting such a VoIP LAN directly to a SIP Trunking Service Provider offering the service on the open Internet!) There are, however, security issues in addition to the feature restrictions a separate VoIP LAN introduces (no remote users, no PC softphones, no multimedia handsets, etc.).

6 But This is What We Want
Diagram: SIP Trunking Provider (PSTN – GW – SIP System) – Public Internet – Intertex IX78 (demarcation point of service, bringing SIP communication to the LAN) – IP-PBX, remote users, soft clients and multimedia terminals on a combined Data & VoIP LAN.

7 So this is Not a Good Solution, at least not for a General Service
Diagram: SIP Trunking Provider Network (PSTN – GW – SIP System) – Managed SIP Trunk – Public Internet – Firewall – IP-PBX, with a separate Data LAN and VoIP LAN.
- Provider: Security Warning!
- Enterprise: Security Warning!
- No remote users!
- No soft or multimedia clients!
- Will the Service Provider issue IP addresses to every phone?
- UC??

8 And there is Often a Non-SIP-Capable Firewall in Place
Diagram: SIP Trunking Provider (PSTN – GW – SIP System) – Remote Users – Firewall with SIParator® – IP-PBX, soft clients and multimedia terminals on the Data & VoIP LAN.
Ingate/Intertex E-SBCs enable SIP-based live UC across the borders! (SIP does not traverse ordinary NAT/firewalls.)

9 And There are Different Types of PBXs to Consider
Diagram: PSTN – GW – SIP System – SIP Trunking Provider Network – SIP Trunk – IX78 – three PBX types on the LAN, with signaling and media paths drawn separately. (The diagram marks which of requirements 1)–5) apply to each PBX type.)
A Good E-SBC Should Provide:
1) NAT/Firewall Traversal – must NAT to the same address space!
2) Basic SIP and Network Interoperability – e.g. authentication, registrations, UDP/TLS/TCP, dynamic IP address, etc.
3) SIP Repair – e.g. call transfer, fragmented packets, bugs, etc.
4) Features – e.g. remote users, administration (remote and local)
5) Security – LAN/PBX/VoIP network protection, service attack protection
PBX Type 1 (IP-PBX on a VoIP & Data LAN): Modern IP-PBXs are of this type. Media goes directly between phone and SIP Trunk.
PBX Type 1.5 (PBX with system phones, data LAN only).
PBX Type 2 (IP-PBX on a VoIP & Data LAN with its own SIP Trunk interface): Few PBXs are of this type. Asterisk with a firewall (iptables/netfilter) can be compiled and configured this way, but it requires a lot.

10 NAT & Firewalls are a Severe Infrastructure Problem…
A common network and common protocols changed our lives: SMTP gave us global e-mail! HTTP gave us the Web! NATs and firewalls were designed to allow such protocols.
What about SIP for live person-to-person communication? SIP does not traverse the common NATs and firewalls protecting the LANs.
Diagram: Internet (web, SIP-based IMS) with LANs behind firewalls (FW).

11 Why are NATs and Firewalls Such Obstacles?
A typical Internet protocol (SMTP, HTTP…) connects a HOST to a SERVER across the Internet.
SIP (and H.323…) connects person-to-person: locate the person, set up a session, and open real-time media streams.
SIP is the protocol for person-to-person IP communication, BUT IT DOES NOT REACH THE USERS!

12 Ordinary Voice IADs – Good for Telephony Replication…
Telephone ports (FXS) on the CPE are a popular way to deploy IP telephony. By logically placing the SIP clients on the outside of the NAT/firewall, unreliable work-around methods like STUN, TURN and ICE become unnecessary. However, this only gives POTS replication, often even stopping general SIP-based services! The 5060 SIP port is just grabbed on the outside for the FXS ports, and lower-level SIP ALGs often cause problems and do not handle more than basic scenarios. (Users must not be deprived of general SIP functionality!)
Often problems with, or total lack of:
- SIP to the LAN or WiFi
- Calls between SIP clients on the LAN
- Calls between internal ATA ports and LAN clients
- Call transfers, 3-party calls, etc.
- Using SIP generally over the Internet (the operator "took all the SIP")

13 Our CPEs are SIP-Capable NAT/Router/Firewalls
- All Intertex CPEs have a SIP-proxy-based, SIP-aware firewall/NAT
- General: can handle complex call scenarios and all SIP services
- Problems solved where they occur
- Wired or wireless SIP clients (phones, soft clients, PDAs)
- No special requirements on the SIP client – just standard SIP
- No battery draining of WiFi mobile phones, otherwise caused by keep-alive packets* inhibiting sleep mode
- Additional functionality available (SIP server, PBX functionality, etc.)
* Work-around methods for SIP NAT traversal like STUN, TURN, ICE and Far End NAT Traversal use frequent keep-alive packets to keep holes in the NAT/firewall open.
Diagram: IMS and Internet connected via SIP to the CPE.

14 QoS: Common VoIP and Data Pipe
Diagram: SIP Trunking Provider (PSTN – GW – SIP System) – Public Internet – E-SBC, also data firewall (demarcation point of service, bringing SIP communication to the LAN) – IP-PBX on the Data & VoIP LAN.
Using the Ingate or Intertex as the enterprise firewall allows both prioritization and traffic shaping.

15 QoS: Separate VoIP Pipe in Parallel with Data
Diagram: SIP Trunking Provider (PSTN – GW – SIP System) – Public Internet – E-SBC (SIParator®) in parallel with the existing firewall (demarcation point of service, bringing SIP communication to the LAN) – IP-PBX on the Data & VoIP LAN.
No prioritization or traffic shaping needs to be done by the E-SBC. But get a good pipe!

16 QoS: Common VoIP and Data Pipe with Firewall
Diagram (a), bridge for an existing non-SIP-aware NAT/firewall: SIP Trunk Provider (PSTN – GW – SIP System) – Public Internet – NAT/Firewall – SIParator® – IP-PBX on the Data & VoIP LAN.
Diagram (b), WAN SIParator®: SIP Trunk Provider (PSTN – GW – SIP System) – Public Internet – WAN SIParator® – NAT/Firewall – IP-PBX on the Data & VoIP LAN.
If a common IP pipe is used, the existing firewall must restrict bandwidth usage to allow sufficient voice bandwidth. Often problematic.
WAN SIParator mode allows the Ingate or Intertex to control data usage on the pipe to assure sufficient voice bandwidth!

17 Advanced QoS Configurations for Ingate
At a detailed level, for SIP and other traffic

18 Intertex IX78 Smart QoS Defaults
For traffic shaping, just fill in your bandwidth! (For internal ADSL it is mostly automatic.) Data will be pushed back in favor of voice to keep the used bandwidth within the limit. And for a specific SIP Trunk provider one can select for the voice:

19 The Intertex IX78 Supports All of these Architectures!
Carriers having quality-separated triple-play networks can preferably reuse those for SIP Trunking. Clouds may be private or globally routable.
- Private Virtual Circuits (e.g. Telia, ADSL): PVC1, PVC2 and PVC3 carrying Internet, IP-TV/VoD and IMS VoIP
- Virtual LANs (e.g. Telia, Ethernet): VLAN1, VLAN2 and VLAN3 carrying Internet, IP-TV/VoD and IMS VoIP
- IP QoS Separated Subnets (e.g. B2, Ethernet): WAN1, WAN2 and WAN3 carrying Internet, IP-TV/VoD and IMS VoIP
- IP Level QoS (e.g. BT, ADSL or Ethernet): Priority1, Priority2 and Priority3 for IMS VoIP, IP-TV/VoD and Internet

20 Application Innovation Requires it!
On Telia's (Sweden's incumbent telco) network, the IX78 delivers a multimedia LAN, ready for UC PBXs, hosted services and end-to-end SIP services.
All services must be available to multimedia terminals! – Over controlled high-QoS pipes as well as over the Internet.
Diagram: VLANs or ADSL virtual circuits carrying IMS VoIP, TR-069, IP-TV/VoD and Internet into the Multimedia LAN (WiFi, telepresence, IP-PBX, PDA).

21 3. The Value of a Service Provider Demarcation Point
2:30pm-3:30pm, Moderator: Maloff NetResults
2:30-2:35 Moderator
2:35-3:00 EarthLink Business
3:00-3:30 Intertex Data AB – Practical solutions

22 Service Provider Demarcation Point
Diagram: PSTN – GW – SIP System – SIP Trunk Provider – Public Internet – IP Access – Service Provider's Demarcation Point – NAT/Firewall – IP-PBX on the Data & VoIP LAN.
THE POINTS:
- Delivery of service: to a PBX or UC LAN
- Provisioning, definition of service: installation, configuration, CAC
- Monitoring: network performance, QoS, MOS
- Management: support, debugging, upgrade
- Billing – why not? Here we know what is going on!

23 The Role of the E-SBC
To get SIP Trunking working:
- SIP NAT/Firewall Traversal – must NAT SIP to the protected private address space!
- Basic SIP and Network Interoperability – e.g. authentication, registrations, UDP/TLS/TCP, dynamic IP address, etc.
- SIP Repair – e.g. call transfer, fragmented packets, bugs, etc.
But don't forget:
- Security – LAN/PBX/VoIP network protection, service attack protection
- QoS – Quality of Service requirements depending on IP delivery and firewall
- Features – e.g. remote users, administration (remote and local)
- Provisioning, Monitoring, Management

24 All Types of PBXs have to be Supported
Same diagram and list of E-SBC requirements 1)–5) as slide 9 (And There are Different Types of PBXs to Consider).

25 Also Important to Support Multimedia and UC Terminals and Remote Users in a Modern UC PBX Environment
Diagram: SIP Trunking Provider (PSTN – GW – SIP System) – Public Internet – Remote Users – Intertex IX78 (demarcation point of service, bringing SIP communication to the LAN) – Firewall – IP-PBX, soft clients and multimedia terminals on the Data & VoIP LAN.

26 Creating an Interface for ALL PBXs
Proxy Mode:
- The IP-PBX talks to the SIP System
- The registration/authentication model must match
- Little configuration in the IX78
- Service credentials in the PBX
B2BUA Mode (the proxy is still doing the basics):
- The IP-PBX only talks to the IX78
- Wider separation between PBX and SIP System
- Service credentials only in the IX78
- More SIP normalization possibilities (e.g. REFER)
- Any new operator service platform only requires IX78 reconfiguration (the PBX configuration can remain)

27 Trunk-side Parameters
SIP Connect 1.1 can be set up (for any PBX). Read-only value set by the Service Provider (in some cases). Regulates the customer's monthly fee!

28 PBX-side Parameters

29 Registration, Call Routing, CallerID
SIP Connect 1.1 Setup

30 Trouble Shooting & Debugging – Network Status

31 Trouble Shooting & Debugging – Logging!

32 Trouble Shooting & Debugging – Internal SIP Log

33 Packet Captures – Creates a Wireshark PCAP network trace
Network interface selection – all interfaces. Start – Stop – Download.

34 Monitoring - Call Quality Statistics
Internal Call Log, containing CDRs with Quality Statistics. Can be output via SYSLOG, RADIUS (Ingate) or to the management system iEMS (see later).

35 Management of the CPE / E-SBC
Provisioning, configuration, monitoring, reporting, upgrade, logging, debugging, diagnostics, support…
Experience:
- Existing management systems are often difficult to change
- Resistance against touching what has been built over the years
- Remote GUI access to the CPE is often used
Requirements:
- Quite few functions and possibilities are actually used
- Alive, configured, upgrades, new configuration – a must!
- Often on the wish list: bad sound (MOS) alarm, etc.
EMS (instead of NMS) is a trend:
- Element Management System (EMS), specially built for the product
- Interfaces to OSS and Fault Management System at a high level
- Intertex and Ingate EMS in progress – iEMS: easy to program and interface to, highly scalable

36 Element Management System – The iEMS
Functions for Provisioning, Monitoring, Reporting, Diagnostics, Logging, Debugging, Support, Configuration and Upgrade. Available now with basic functionality. Will handle both Ingate and Intertex Firewalls and SIParators. Highly scalable, runs on PC servers under the Linux OS. HTTPS/SOAP interface to the IX78. Can read and write all configuration parameters, as well as asynchronous reporting by the device (like SNMP traps). Web based secure access to the iEMS. Customized portals for operators, installers and customers, for the purpose of administration, management and usage. The iEMS has northbound interfaces for integrating with the operator’s OSS and Fault Management systems, using XML-RPC and/or SOAP.

37 iEMS – CDRs with Call Quality Metrics

38 OSS, Fault Management, etc.
iEMS Interfaces. Diagram: CPE – WAN – iEMS (DB, web GUI) with a southbound API towards the CPE and a northbound API (XML-RPC or SOAP; GET/SET/EVENTS) towards OSS, Fault Management, etc.
Example setTrunk request over XML-RPC (the slide's fragment, completed into well-formed XML; the identity values are not shown on the slide):

    <?xml version="1.0"?>
    <methodCall>
      <methodName>setTrunk</methodName>
      <params>
        <param>
          <value>
            <struct>
              <member><name>version</name><value>1.0</value></member>
              <member><name>ems</name><value><struct>
                <member><name>username</name><value>installer</value></member>
                <member><name>password</name><value>foobar123</value></member>
              </struct></value></member>
              <member><name>service</name><value><struct>
                <member><name>registrar</name><value>sip.intertex.se</value></member>
                <member><name>proxy</name><value>proxy.intertex.se</value></member>
              </struct></value></member>
              <member><name>trunk</name><value><array><data>
                <value><struct>
                  <member><name>identity</name><value></value></member>
                  <member><name>password</name><value>foobar</value></member>
                </struct></value>
                <value><struct>
                  <member><name>identity</name><value></value></member>
                  <member><name>password</name><value>barfoo</value></member>
                </struct></value>
              </data></array></value></member>
            </struct>
          </value>
        </param>
      </params>
    </methodCall>
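The following is an added example, not Intertex or Ingate code, showing how an OSS-side client would marshal the setTrunk call in the struct/array shape shown on the slide with Python's standard xmlrpc.client, parse it back, and run a provisioning-time check that none of the trunk passwords are the weak choices the deck later warns about (1234, admin, demo, test, or the identity itself). The method name and member names come from the slide; the trunk identities and the strength thresholds are constructed assumptions.

```python
"""Added example (not Intertex/Ingate code): build, parse and sanity-check a
setTrunk XML-RPC request in the shape shown on the slide. Identities and the
weak-password rules below are constructed assumptions."""
import re
import xmlrpc.client

# Passwords the deck lists as typical weak choices (slide 63).
WEAK_PASSWORDS = {"1234", "admin", "demo", "test"}


def build_set_trunk_call(ems_user, ems_password, registrar, proxy, trunks):
    """Return the XML text of a setTrunk <methodCall>.

    trunks: list of (identity, password) tuples, one per SIP trunk identity.
    A dict marshals to an XML-RPC <struct>, a list to an <array>.
    """
    payload = {
        "version": "1.0",
        "ems": {"username": ems_user, "password": ems_password},
        "service": {"registrar": registrar, "proxy": proxy},
        "trunk": [{"identity": ident, "password": pw} for ident, pw in trunks],
    }
    # dumps() takes a tuple of params; methodname turns it into a <methodCall>.
    return xmlrpc.client.dumps((payload,), methodname="setTrunk")


def parse_set_trunk_call(xml_text):
    """Parse the request back into (methodname, payload dict)."""
    params, methodname = xmlrpc.client.loads(xml_text)
    return methodname, params[0]


def weak_trunk_credentials(payload):
    """Return the trunk identities whose password would be guessed quickly:
    a listed weak password, the identity/extension itself, a short digit
    string (extension-like), or anything under 8 characters (assumed floor)."""
    findings = []
    for entry in payload.get("trunk", []):
        ident, pw = entry.get("identity", ""), entry.get("password", "")
        extension_like = re.fullmatch(r"\d{1,5}", pw) is not None
        if pw.lower() in WEAK_PASSWORDS or pw == ident or extension_like or len(pw) < 8:
            findings.append(ident)
    return findings


if __name__ == "__main__":
    # Constructed identities; registrar/proxy names are those on the slide.
    xml_text = build_set_trunk_call(
        "installer", "foobar123", "sip.intertex.se", "proxy.intertex.se",
        [("+15551230001", "foobar"), ("+15551230002", "Xq7!rT9#pLm2")])
    method, payload = parse_set_trunk_call(xml_text)
    print(method, weak_trunk_credentials(payload))  # setTrunk ['+15551230001']
```

Running the check before the iEMS pushes the configuration to the IX78 means a weak trunk credential is caught at provisioning time rather than discovered by a password-guessing scanner later.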

39 SIP Trunking Made Easy Installation Wizard

40 SIP Trunk-UC Workshop Startup Tool – Network Topology
- Select the deployment according to the picture
- Assign IP addresses; the tool will configure the Ingate
- Status information, helpful for troubleshooting
The following two pages show the configuration of the Ingate while installing a SIP trunk. The Ingate Startup Tool with preconfigurations is being used.

41 SIP Trunk-UC Workshop Startup Tool – IP-PBX Selection
- Select IP-PBX vendor and model
- Assign the IP-PBX IP address
- Assign the IP-PBX domain (if required)
- For every IP-PBX vendor on the list, Ingate has captured the programming requirements to ensure quick and easy configuration
- Status information, helpful for troubleshooting

42 SIP Trunk-UC Workshop Startup Tool – ITSP Selection
- Select ITSP vendor
- Assign the ITSP IP address
- User account information, DID assignment and registration authentication
- For every ITSP vendor on the list, Ingate has captured the programming requirements to ensure quick and easy configuration
- Status information, helpful for troubleshooting

43 4. Ensuring Interoperability – The Key to Service Revenue Growth
3:30pm-4:30pm, Moderator: Maloff NetResults
3:30-3:35 Moderator
3:35-3:50 Bandwidth.com
4:00-4:30 Intertex Data AB – Practical solutions

44 PBX and ITSP Interoperability
- Large variation among PBXs
- Even larger variation towards ITSPs
- The "SIP Connect" recommendation by the SIP Forum helps and improves, but is not implemented yet
Installation tools:
- IX78 Wizard live demo
- Ingate Startup Tool – see the Provisioning section!

45 Confirmed Interoperability: Ingate & Intertex
SIP Trunk providers already interoperate with most IP-PBXs.
IP-PBXs: 3Com, Aastra, Aastra MX One, Digium/Asterisk, Avaya IP Office, Avaya SES/CM, Avaya QE, Brekeke, Broadsoft, Cisco Call Manager, Ericsson MX-One, Fonality, Innovaphone, Interactive Intelligence, Iwatsu, LG Nortel, Microsoft, Mitel, NEC / Sphere, Nortel BCM, Nortel SCS, Objectworld, Panasonic, Pingtel, Samsung, SER, Shoretel, Siemens 8000, SIP-Gear, Sonus, Sphere Communications, Swyx. More in pipeline…
SIP Trunk providers: 360 Networks, Airespring, AT&T, BandTel, Bandwidth.com, Broadvox, BT (British Telecom), Cablecom, Cbeyond, Cellip, Comm Partners, Cordia Corporation, Excel Switching, Gamma Telecom, Global Crossing, IP-Only, Nectart, Juma Networks, Level 3, Netlogic, Nexvortex, Nuvox, O1, Paetec, Primus, RNK Telecom, TDC, Telavox, Tele2, Tele Pacific, Teletek, Telia, Toplink, Tritel, VoEX, Voice Flex, VoIP Unlimited, Voxbone, Voxitas, XeloQ. More in pipeline…
SIP Trunk carrier equipment: Acme Packet, Broadsoft, NexPoint, Sonus, Sylantro, SER. More in pipeline…

46 Is there a SIP Connect Compliant IP-PBX + ITSP?
If any, the E-SBC could just be a SIP proxy, with only a simple network setup, and perform:
- NAT/firewall traversal
- QoS (Quality of Service)
- SIP security (attack protection)
- Monitoring and debugging
Ingate & Intertex E-SBCs can be SIP Connect towards the ITSP, but specific towards the PBXs. Ingate & Intertex E-SBCs can be SIP Connect towards the PBXs, but specific towards the ITSP. But usually we have to be specific to both the ITSP and the PBX.

47 Trunk-side Parameters
SIP Connect 1.1 can be set up (for any PBX)

48 PBX-side Parameters

49 Registration, Call Routing, CallerID
SIP Connect 1.1 Setup

50 If More is Required – There is plenty...

51 and More

52 … and if that is not enough
There is Generic Header Manipulation, e.g. add a Diversion header: $(from.user)% %3e
- To cope with unforeseen behavior
- Can fix much – not all
- Needs SIP expertise
How do we know what to configure and how to set it up?
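An added example, not Intertex or Ingate code, of what a generic header-manipulation rule of the kind described above does: it parses the From header of a SIP request and appends a Diversion header built from a template with $(from.user) and $(from.host) substitutions. The template syntax, the sample INVITE, the hosts and the rule text are constructed assumptions; the IX78's actual rule language is not shown on the slide. It also shows the failure mode the "needs SIP expertise" bullet hints at: when a referenced variable is missing the rule is skipped rather than emitting a half-built header.

```python
"""Added example (not Intertex/Ingate code): a minimal generic header
manipulation rule. Template syntax and sample message are constructed."""
import re

# sip:user@host inside a From/To header, stopping at '>' ';' or whitespace.
URI_RE = re.compile(r"sip:([^@>;\s]+)@([^>;\s]+)")
# Template variables of the form $(header.field), e.g. $(from.user).
VAR_RE = re.compile(r"\$\(([a-z]+)\.([a-z]+)\)")


def split_sip_message(raw):
    """Split a SIP message into (request line, header lines, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body


def header_value(headers, name):
    """First header value whose name matches case-insensitively, else None."""
    for line in headers:
        hname, _, value = line.partition(":")
        if hname.strip().lower() == name.lower():
            return value.strip()
    return None


def variables(headers):
    """Variables a template may use: from.user, from.host, to.user, to.host."""
    out = {}
    for hdr in ("from", "to"):
        match = URI_RE.search(header_value(headers, hdr) or "")
        if match:
            out[f"{hdr}.user"], out[f"{hdr}.host"] = match.group(1), match.group(2)
    return out


def add_header(raw, name, template):
    """Append 'name: <expanded template>' to the message headers.
    If the template references a variable the message does not provide,
    the rule is skipped and the message is returned unchanged."""
    request_line, headers, body = split_sip_message(raw)
    vars_ = variables(headers)
    try:
        value = VAR_RE.sub(lambda m: vars_[f"{m.group(1)}.{m.group(2)}"], template)
    except KeyError:
        return raw
    # Keep Content-Length last so parsers that expect it there stay happy.
    others = [h for h in headers if not h.lower().startswith("content-length")]
    length = [h for h in headers if h.lower().startswith("content-length")]
    new_headers = others + [f"{name}: {value}"] + length
    return "\r\n".join([request_line] + new_headers) + "\r\n\r\n" + body


# Constructed sample request (addresses are documentation/example values).
SAMPLE_INVITE = (
    "INVITE sip:+15551234567@sip.intertex.se SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    'From: "Alice" <sip:1001@pbx.example.net>;tag=1928301774\r\n'
    "To: <sip:+15551234567@sip.intertex.se>\r\n"
    "Call-ID: a84b4c76e66710@pbx.example.net\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed rule: Diversion built from the From user and host.
DIVERSION_RULE = "<sip:$(from.user)@$(from.host)>;reason=unconditional"

if __name__ == "__main__":
    print(add_header(SAMPLE_INVITE, "Diversion", DIVERSION_RULE))
```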

53 Roll-out and Maintenance
Ease and security of roll-out and maintenance are main Service Provider concerns.
Initial configuration: SIP Trunking requires input from 3 "places":
- Numbers and credentials from the Service Provider
- Information/knowledge about the PBX and ITSP
- Information about the customer network and setup
More complex than usual, and all compiled at installation time.
Also: upgrades, new configuration, exchange of hardware.

54 Ingate has the Startup Tool for a very wide variety of PBXs and ITSPs
- "Out of the box" setup and commissioning of the Firewall and SIParator products
- Update current configuration
- Product registration and unit upgrades, including software and licenses
- Automatic selection of ITSP and IP-PBX
- Backup of the Startup Tool database
- Located at … FREE!

55 For Volume Deployment there Must be Provisioning – The IX78 has Several Provisioning Methods
- Web Wizard adapted to the Provider's trunk service: no Provider integration needed; the installer inputs trunk-side and PBX-side data
- Configuration fetched from the Provider's web server: configuration, upgrades, licenses; at boot, by timer, or by kick (on request); the installer runs a small wizard for the PBX side
- Via the Element Management System (iEMS): the Provider inputs trunk data manually or automatically via OSS (via XML-RPC or SOAP); the IX78 connects automatically
- Or a combination can be used (on request)
In the two latter methods, URLs to the Provider's provisioning server and iEMS are preloaded in the IX78, or fetched via DHCP.

56 The SIP Trunking Configuration Wizard

57 5. Addressing Security Issues
4:30pm-5:30pm, Moderator: Maloff NetResults
4:30-4:35 Moderator
4:35-5:00 Ingate – Presenting a case study
5:00-5:30 Intertex Data AB – Practical solutions

58 Security
- Privacy – little concern today
- Theft of Service & Toll Fraud
- Denial of Service (DoS)
- Protecting the PBX
- Protecting the Service Provider

59 Privacy – Similar to PSTN
- SIP Trunking and SIP UC can be more private than traditional PSTN solutions (POTS and PRI)
- Compromising the privacy of POTS and PRI requires physical presence, and these are never encrypted
- SIP signalling and media are rarely encrypted, but can be

60 Privacy – Signaling Encryption
TLS is transport-layer encryption with certificate checking. Both Ingate and Intertex E-SBCs can transcode between UDP, TCP and TLS for any call.

61 Privacy – Media
SRTP is encryption of the media (voice). The Ingate E-SBCs can transcode between RTP (in the clear) and SRTP (encrypted) media.

62 Theft of Service & Toll Fraud
What is Theft of Service (or Intrusion of Service)? A third party attempting to defraud either the enterprise or the carrier: devices attempting to "spoof" a client device, in an attempt to look like an extension (or enterprise) and gain services directly.

63 Theft of Service & Toll Fraud
Now a real-world problem, but only a problem when:
- Authentication is not used. The caller must be authenticated. There are:
  - Digest Authentication (password)
  - IP address – relies on the fact that packets must return to the caller
  - MTLS (TLS alone is not sufficient)
- Too weak passwords are used – the most common cause! Typically 1234, admin, demo, test or the extension number
The methods are good – the usage may be poor…

64 Trend for Theft Protection
Service providers provision the credentials for their service, so the customer never sees them. Service providers are starting to own the CPE edge equipment (E-SBCs) and provision the security credentials for their own access to that CPE.

65 IX78 Preventing Unauthorized Usage
Simple general default configuration in the Intertex IX78. Remote users to the PBX can (also) be authenticated by the IX78.

66 Allowed Usage of the SIP Trunk

67 Protection Against Password Guessing
Brute Force Attack Protection: Attackers are nowadays trying to find simple passwords by brute-force testing. 10–100 trials/second have been seen (e.g. SIPVicious / friendly-scanner). After 3 trials we pretend all attempts are wrong, so the correct one is never found.

68 Denial of Service (DoS)
What is Denial of Service?
- A third party makes a communications resource unavailable to its intended users
- Generally consists of concerted efforts to prevent a SIP communications service from functioning efficiently or at all, temporarily or indefinitely
- One common method of attack involves saturating the target (victim) IP-PBX with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable

69 Denial of Service – Nowadays Real DoS Attacks are Occurring
- Few pure DoS attacks, but scanning for open SIP servers and trying passwords (e.g. SIPvicious.org / friendly-scanner) may become a DoS attack
- Attacked SIP devices can simply choke from overload when requesting authentication
- Or an SMB with limited IP bandwidth can have that consumed
- Communication servers have a direct relationship with revenue and should be isolated from DoS

70 SIP DoS Detection and Prevention
Intrusion Detection System (IDS) for SIP; Intrusion Prevention System (IPS) for SIP.
Ingate has an IDS/IPS system that identifies intrusions by examining network traffic. The Ingate is located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders/edges. It captures all SIP traffic and analyzes the content of individual packets for malicious traffic, which will be stopped.

71 Ingate SIP IDS/IPS: Attack Recognition
IDS/IPS Rule Packs: predefined rule packs (signatures) for filtering known industry DoS patterns specific to SIP applications.

72 Ingate SIP IDS/IPS: Rate Limiting
SIP signaling rate limiting is generally effective:
- SIP protocol method and response code matching/filtering
- Untrusted network traffic rate
- Blacklist policy

73 IX78 Preventing SIP DoS Attacks
Signature Recognition: If the internal SIP proxy detects known signatures in SIP headers from attackers, it instructs the internal firewall to block the attacking IP address for 60 seconds. New signatures can be added manually or provisioned automatically.
SIP Rate Limiting: If there are more than 20 SIP packets/second from the same IP address, the internal firewall blocks that IP address for 20 seconds and does not respond to it until the SIP packet rate is below 3 packets/second.
So we need to address the problems that exist today with the technology generally available. Authentication is supported and used today by more or less every SIP client and service provider. It should be used to dynamically allow only authenticated users access to the corporate network, and this filtering should be done as early as possible, preferably in the edge device. By doing this, unauthenticated users, like spammers, will not be able to access the enterprise VoIP system. On top of this we can also add traffic monitoring to detect virus-infected or hijacked clients: by monitoring the traffic with an IDS/IPS type of system, abnormal and unexpected traffic patterns can be detected and action can be taken to deny a specific user access to the system, providing yet another level of security. So, to summarize, I think an enterprise today can achieve pretty good security for a VoIP installation using the fundamental principles of network and software security in general, plus a good edge device that works as a shield against various VoIP attacks by applying filtering and an IDS/IPS system as described in this picture, for protection against unwanted calls (SPIT) as well as against clients that are virus-infected or for any other reason misuse the VoIP system.
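The three edge protections described on slide 67 (brute-force lockout after 3 trials) and slide 73 (signature block for 60 seconds; rate block at more than 20 packets/second for 20 seconds, then silence until the rate is below 3 packets/second), as an added example that is not Ingate or Intertex code. It is one small stateful filter run over constructed sample traffic. The thresholds are the deck's numbers; the signature list (the deck names the friendly-scanner tool), the IP addresses, timestamps and header dictionaries are constructed assumptions, and the rate is measured over a sliding one-second window, which is an implementation choice of this example.

```python
"""Added example (not Ingate/Intertex code): SIP edge protections from slides
67 and 73 as one stateful filter. Signature list, IPs, timestamps and header
dicts are constructed; thresholds are the deck's numbers."""
import hmac
from collections import defaultdict, deque

SIGNATURES = ("friendly-scanner",)  # assumed provisioned list; the deck names this scanner
RATE_LIMIT_PPS = 20                 # block when the 1 s packet rate exceeds this
RATE_RELEASE_PPS = 3                # ... and keep dropping until the rate is below this
RATE_BLOCK_SECS = 20
SIGNATURE_BLOCK_SECS = 60
MAX_AUTH_FAILURES = 3


class SipEdgeFilter:
    def __init__(self):
        self.recent = defaultdict(deque)  # ip -> packet timestamps in the last second
        self.blocked_until = {}           # ip -> time when a timed block ends
        self.rate_limited = set()         # ips that must fall below RATE_RELEASE_PPS first
        self.auth_failures = defaultdict(int)

    def _packets_per_second(self, ip, now):
        window = self.recent[ip]
        window.append(now)
        while window and now - window[0] >= 1.0:
            window.popleft()
        return len(window)

    def decide(self, now, ip, headers):
        """Return 'drop' or 'pass' for one SIP packet. headers: lowercase-name dict."""
        pps = self._packets_per_second(ip, now)  # measured even while blocked
        # A timed block is still running (signature: 60 s, rate: 20 s).
        if now < self.blocked_until.get(ip, 0.0):
            return "drop"
        # A rate-blocked source stays unanswered until it calms down below 3 pps.
        if ip in self.rate_limited:
            if pps >= RATE_RELEASE_PPS:
                return "drop"
            self.rate_limited.discard(ip)
        # Signature recognition on the SIP headers.
        user_agent = headers.get("user-agent", "").lower()
        if any(sig in user_agent for sig in SIGNATURES):
            self.blocked_until[ip] = now + SIGNATURE_BLOCK_SECS
            return "drop"
        # Rate limiting.
        if pps > RATE_LIMIT_PPS:
            self.blocked_until[ip] = now + RATE_BLOCK_SECS
            self.rate_limited.add(ip)
            return "drop"
        return "pass"

    def check_password(self, ip, presented, expected):
        """Password check with brute-force lockout: after MAX_AUTH_FAILURES wrong
        trials from a source, every further answer is 'wrong', so a guesser never
        learns which trial was right."""
        if self.auth_failures[ip] >= MAX_AUTH_FAILURES:
            return False
        ok = hmac.compare_digest(presented, expected)
        if not ok:
            self.auth_failures[ip] += 1
        return ok


def simulate(events, flt=None):
    """events: iterable of (time, ip, headers). Returns the list of decisions."""
    if flt is None:
        flt = SipEdgeFilter()
    return [flt.decide(t, ip, h) for t, ip, h in events]


if __name__ == "__main__":
    f = SipEdgeFilter()
    # Constructed: a scanner probe, then 25 packets in half a second from one host.
    print(f.decide(0.0, "198.51.100.7", {"user-agent": "friendly-scanner"}))  # drop
    flood = [(100.0 + 0.02 * i, "203.0.113.9", {}) for i in range(25)]
    print(simulate(flood, f).count("drop"))  # 5
```

The lockout in check_password is what makes the "pretend all attempts are wrong" rule work: the attacker's fourth guess gets the same answer whether or not it is correct, so the legitimate user must re-provision or wait for an operator reset, while the guesser learns nothing. A hmac.compare_digest comparison is used so that the check itself does not leak timing information about the password.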

74 Protecting the PBX and Carrier
SIP protocol packet error detection and correction: SIP signaling is only passed through the internal SIP proxy in Ingate and Intertex products. Malformed SIP packets will not reach the PBXs or Service Providers from our side. Standardized SIP interface in both directions.

75 6. Generating Revenue from HD Video
5:30pm-6:30pm, Moderator: Maloff NetResults
5:30-5:35 Moderator
5:35-6:00 UCIF – Polycom
6:00-6:30 Intertex Data AB – Reusing the E-SBC SIP trunking infrastructure

76 Global Video Calling Using the E-SBC
Telco opportunity: video calling.
- High-quality, chargeable, global video calling
- Ready to go, using the SIP Trunking infrastructure
- High-quality (telepresence) video calling
- Routed and billed (CDRs produced) by the E-SBC
- Simple settlement-free IP peering between telcos

77 What's Special About Video Calling?
We have been building islands – again… But there is no old video PSTN to connect those together. However, there is a standard (SIP) and a network (Internet), and we have seen such video calls for a long time.
What more is needed?
- High quality – telepresence; guaranteed bandwidth and QoS?
- Global; not only within a company and not only within one carrier's network
- Telephone numbers (in addition to SIP addresses)
- Allow telcos to bill (being more than just bandwidth providers)?

78 There is a Solution! Do More at the Enterprise Edge!
- We can route here – the earlier the better
- We can produce CDRs for billing here
- We can do number resolution here (or the ITSP can do it)
The good news:
- Reuse the SIP Trunking infrastructure (using E-SBCs)
- Simple peering between carriers

79 Reusing the SIP Trunking E-SBC
Telco-owned E-SBCs are already used for (voice) SIP Trunking:
- Full operator control
- Service provider's demarcation point
- Enables the SIP Trunking – video is not different from voice for NAT/firewall traversal, PBX interoperability and security
Reuse the same E-SBC for video calling! In the Ingate and Intertex E-SBCs, it is all there:
- Classify outgoing calls (as video, HD voice or plain voice)
- Assure the right quality pipe and/or quality marking is used
- Route the call directly to the other party, or use ENUM (public or private) for E.164 number to SIP address resolution
- Only settlement-free IP peering between operators required; can fall back to best-effort IP peering (Internet) in the operator network
- Produce and deliver CDRs for each call: report minutes and data used, include video and voice quality metrics (including MOS scores), deliver via RADIUS, Syslog, management system (TR-069 informs) or a method of choice

80 Simple For the Carrier
Diagram: Qwest Internet and AT&T Internet, each with an MPLS QoS IP network and ENUM, peered together; a SIParator/IX78 at each enterprise edge produces the CDRs.

81 The Intertex IX78 Supports All of these Architectures!
Quality-separated networks out to the customer edge are not new – widely used for triple-play services. Same architecture overview (private virtual circuits, VLANs, IP QoS separated subnets, IP-level QoS) as slide 19.

82 iEMS – CDRs with Call Quality Metrics

83 For the Telcos To Do
- Provide high-quality IP pipes for video and HD voice (e.g. MPLS)
- If on separate layer-2 networks for quality, still make them routable to the Internet (for fallback to "best effort peered" = Internet)
- Enter users in ENUM (public or private) for E.164 number to SIP address resolution
- Settlement-free peering between carriers for high-QoS IP networks – just like for the Internet, now also for high-quality IP networks (e.g. by MPLS)
- Deploy the same CPEs (E-SBCs) as for SIP Trunking; these can also be general SIP enablers (at least Intertex's and Ingate's) for offering all types of SIP-based services
- Process the CDRs from the E-SBC as usual for billing

84 What's out there 1? – Cisco TIP
Telepresence Interoperability(?) Protocol (TIP): "Cisco already supports H.323, which allows Cisco…"
Don't we already have SIP, SDP, RTP, RTCP and codec standards? … And don't they define interoperability far beyond Cisco? Is there more than how to transfer to several screens?

85 What's out there 2? – The IMS World
Fine – but when? Stuck in its own complexity… Where is the multimedia and interoperability? And the IMS world still has to find out how to reach the users on the fixed network – the LANs behind NATs and firewalls – or stay with POTSoIP on FXS ports.
A "OneVoice" initiative to create VoLTE: AT&T, Bell Canada, China Mobile, Deutsche Telekom/T-Mobile, KDDI, mobilkom austria, MTS, NTT DoCoMo, Orange, SKT, SoftBank, Telecom Italia, Telecom New Zealand, Telefónica, Telenor, TeliaSonera, Verizon Wireless, Vodafone, Acme Packet, Alcatel-Lucent, Aylus, Camiant, Cisco, Colibra, Communigate, Comneon, Ericsson, Fujitsu, Genband, Huawei, LG, Motorola, Movial, Mu, NEC, Nokia, Nokia Siemens Networks, Qualcomm, RADVISION, Samsung, Sony Ericsson and Tekelec. Isn't VoIP already invented? A "OneVideo" initiative can be expected…
Until then: route at the edge by the E-SBC!
- The E-SBC is still needed to reach users on the LAN and for UC PBX interoperability
- The IMS can still be the SIP registrar and billing server…

86 What's out there 3? Juniper, Polycom…
Juniper and Polycom forge a telepresence / video conferencing alliance: "a counterweight to Cisco Systems and its recent acquisition of Tandberg"; "optimize their platforms so service providers can offer video and telepresence cheaply. The argument: It's cheaper for enterprises to deploy telepresence as a service from their network providers instead of building out their own networks."
Sure! About pre-reservation of capacity for high-bandwidth calls.

87 SIP Capable Firewalls and SIParators®
Thank You!
Ingate Systems Inc. – Contact: Steve Johnson
Intertex Data AB – Contact: Karl Stahl

