The leader in session border control for trusted, first class interactive communications
SIP trunking & enterprise SBCs
Positive outlook for SIP trunking and SBCs through 2013 2008-2013 CAGR of 91% Still in early stages CY08, $130M in revenue, 208.5K SIP trunks North America driving SIP trunking 74% total trunk shipments in CY08 Two dominant SBC players – Acme Packet and Cisco Systems 68% of enterprise SBC revenue from NA in 2008 Session Border Controller 2008-2013 CAGR of 49% Infonetics: June 2009
Acme Packet is leader in delivering SIP trunking services SIP trunking availability from APKT service providers exploding 80 deployments and trials today 30 countries Many different IP PBX/UC environments supported APKT in service provider network + APKT in enterprise network = guaranteed interoperability and faster time-to-trunk Same border controls for service provider & enterprise Security SLA assurance Service reach/interoperability All IP trunking protocols supported – RFC 3261 SIP, SIP-I, SIP-T and H.323
Why do you need an enterprise SBC? Many PBX and UC vendors have SIP interfaces or other methods for connecting PBX and UC elements to a carrier SIP trunk service This causes some enterprise telephony and UC managers to ask: If my PBX or UC platform supports a native SIP trunk interface, why can’t I just connect this interface directly to the carrier SIP trunk service? This presentation will address this question and others such as: Why do I need an enterprise SBC for SIP trunking interoperability? Why do I need an enterprise SBC for SIP trunking security? Why do I need an enterprise SBC for SIP trunking control? How does using an enterprise SBC enhance my disaster recovery, troubleshooting, and monitoring capabilities? How is the Acme Packet solution packaged? 5
Acme Packet enterprise SBC solution controls four IP network borders VoIP & UC security SIP trunking SIP & H.323 interoperability Data center disaster recovery Remote site survivability Contact center virtualization Remote site & worker connectivity via the Internet Regulatory compliance – recording & privacy Data centers Contact center, audio/video conferencing, IP Centrex, etc. PSTN Service providers SIP IP subscribers Internet Tele- worker Nomadic/ mobile user H.323 Regional site Remote Private network 1. SIP trunking border 4. Hosted services border 2. Private network border 3. Internet border HQ/ campus IP PBX UC Security – protecting UC resources Service reach maximization – connecting UC islands SLA assurance – guaranteeing capacity and quality Secure connectivity Dynamically defining trusted users/devices Containing unidentified/untrusted users/devices Protecting PBX and HQ/data center core Encryption and privacy Service reach maximization Interworking between H.323/SIP Hosted NAT traversal Normalizing protocol variations – misformed or non-compliant headers Transcoding SLA assurance Call admission control QoS marking/VLAN mapping QoS reporting, bandwidth policing Revenue & cost optimization Increased session control Unified dial plan - DNS, ENUM, LDAP, Local Route Tables (LRT) Policy-based session routing -ToD/DoW, cost, media, etc. Reduced time to deployment 6
SIPconnect - enterprise SIP trunking profile accelerates time-to-trunk SIP Forum spec ratified August 2006, now V1.13 Specifies RFCs that must be supported for SIP trunking SIP, TCP, TLS, RFC 4733 DTMF, G.711 20ms, E.164 & URI addresses, SIP server discovery, response codes, IPv4 addresses Service provider Enterprise This SIP Forum document aims to address this issue. In short, this document defines the protocol support, implementation rules, and features required for a predictable interoperable scenario between SIP-enabled IP PBXs and SIP-enabled Service Providers. SIP signaling RFC 3261, Session Initiation Protocol (SIP) Signaling encryption RFC 2246 and 3261, Transport Layer Security (TLS) Media encryption None specified SIP addresses ITU-T recommendation E.164, The international public telecommunications numbering plan DTMF tones RFC 2833, RTP payload for DTMF digits, telephony tones and signals NAT traversal RFC 3489, Simple Traversal of UDP through NAT (STUN) SIP server discovery RFC 3263, Session Initiation Protocol (SIP): Locating SIP servers RFC 2782, DNS RR for specifying the location of services (DNS SRV) PSTN SIP RFC 3261 Media G.711, 20ms TLS
SBCs assure service availability & quality Session admission control – signaling element, network, user Signaling-based – number of call /sessions, signaling rates Media (bandwidth)-based Overload control Non-malicious – load balancing, SIP registration avalanches, mass calling rejection/diversion Malicious Failure detection & recovery - data center redundancy, remote site survivavbility L3 router IP PBX or UC server Service provider SIP trunk/SBC Transport control Packet marking and mapping Media release peer-peer Quality of Experience (QoE) QoS & ASR monitoring, reporting & routing 1. SIP trunking border 4. Hosted services border Contact center, audio/video conferencing, IP Centrex, etc. IP subscribers PSTN Service providers Data centers IP PBX UC Private network Internet H.323 SIP Remote site HQ/ campus SIP Remote site Nomadic/ mobile user Tele- worker Regional site 2. Private network border 3. Internet border
SBCs enable regulatory compliance Call and session recording Replicate session (signaling and media) for recording Session privacy Secure signaling and/or media Emergency calls E-9-1-1 Retrieve location information, add to signaling Route based upon location Prioritize routing (SIP RPH) & IP transport Exempt from admission control polices Data centers Contact center, audio/video conferencing, IP Centrex, etc. PSTN Service providers SIP IP subscribers Internet Tele- worker Nomadic/ mobile user H.323 Regional site Remote Private network 1. SIP trunking border 4. Hosted services border 2. Private network border 3. Internet border HQ/ campus IP PBX UC
Contact center, audio/video conferencing, IP Centrex, etc. SBCs control costs Least cost routing Accounting Fraud prevention Encryption off-load – TLS, IPsec Data centers Contact center, audio/video conferencing, IP Centrex, etc. PSTN Service providers SIP IP subscribers Internet Tele- worker Nomadic/ mobile user H.323 Regional site Remote Private network 1. SIP trunking border 4. Hosted services border 2. Private network border 3. Internet border HQ/ campus IP PBX UC
Why use SBC for enterprises & contact centers? Real-time IP communications is different Sessions initiated from inside or outside of firewall Continuous stream vs. traffic bursts, 2-way flows Latency & jitter very important, loss not so important Security is paramount Multi-protocol and real-time nature of VoIP demands sophisticated stateful defense strategy Signaling overloads occur with network outages, attacks simple to launch Today’s firewalls are insufficient, unable to: Protect themselves or IP PBX/UC resources Open / close RTP media ports in sync with SIP signaling Perform VoIP signaling deep packet inspection Track session state and provide uninterrupted service upon failure Enable VoIP interoperability for all layers/protocols SBCs deliver more than security using back-to-back user agent approach vs. ALG Service reach maximization SLA assurance Regulatory compliance Cost control Traditional firewalls cannot: Prevent SIP-specific overload conditions and malicious attacks Open / close RTP media ports in sync with SIP signaling Track session state and provide uninterrupted service Perform interworking or security on encrypted sessions Scale to handle many 1000s of real-time sessions Provide carrier class availability InfoSec deploy defense-in-depth model with application-level security proxies for email and web applications Same model applies for IP telephony, UC and IP contact center applications
Summary comparison: SBC vs. firewall with SIP ALGs SBC (B2BUA) Firewall with SIP ALG SIP trunk IP PBX UC server Data center SIP trunk IP PBX UC server Data center Terminates, re-initiates and initiates signaling & SDP Two sessions - one on each side of system Layer 2-7 state aware Inspects and modifies any application layer header info (SIP, SDP, etc.) Static & dynamic ACLs Unable to terminate, initiate, re-initiate signaling & SDP Single session across system Layer 2-4 state aware Inspects and modifies only application layer addresses (SIP, SDP, etc.) Static ACLs only Acme Packet 12
Why use SBC for enterprises & contact centers? Real-time IP communications is different Sessions initiated from inside or outside of firewall Continuous stream vs. traffic bursts 2-way flows Security is paramount Multi-protocol and real-time nature of VoIP demands sophisticated stateful defense strategy Signaling attacks are simplest to launch Today’s data focused solutions are not enough Lack ability to dynamically correct VoIP connectivity issues Unable to perform VoIP signaling/media deep packet inspection Inability to track session state and provide uninterrupted service Firewalls and routers cannot protect UC resources Back-to-back user agent proven superior to ALG SBCs deliver more than security Service reach maximization SLA assurance Cost optimization
SBC vs. alternative approaches Function & feature examples Acme Packet SBC Firewall w/ SIP ALG IP PBX SIP proxy Router Security DoS/DDoS self-protection √ IP PBX/SIP proxy DoS prevention Access control-dynamic & static Static only Topology hiding NAT leaks Encryption – signaling & media IPSec tunnels only Software-based signaling only IPSec tunnels Malware & SPIT mitigation Application reach maximization Remote NAT traversal L3 & 5 OLIP/VPN bridging, IPv4-v6 interworking L3 only Interworking; signaling, transport & encryption protocols Overlapping dial plan translations SLA assurance Admission control – signaling resource & bandwidth Call counting only Signaling resource load balancing; QoS/ASR routing Signaling overload control QoS marking and reporting No L5 awareness
La Quinta & Extended Stay hotels – SIP trunking and session routing Application SIP trunking for analog PBXs to reduce PSTN costs Interconnect over 1,000 hotel properties Problems overcome High costs and inefficient PRIs for individual hotels Protect data center VoIP infrastructure NATs block remote worker IP phone calls Inbound call routing & outbound load balancing Remote worker IP phones PSTN Internet Service providers Data center MPLS backbone VM Guest phones Guest phones Guest phones Hotel properties
Hanjin – SIP trunking & unified communications Application SIP trunking to service provider Unified communications across Hanjin Group companies Problems overcome Protect UC and VoIP infrastructure Interoperability with Microsoft Solution for Enhanced VoIP Services using Sylantro’s Synergy Unify offices, reduce complexity Hanjin offices MPLS WAN Uniconverse data center AS AS AS MS PSTN Local service provider
Insurance – SIP trunking & Internet access Application Interconnection of HQ data center to remote sites and agents over Internet SIP trunking to rest of world Problems overcome Protecting core IPT infrastructure Mediation of network differences - overlapping IP addresses and differing protocols Firewall/NAT traversal Privacy for Internet-transported calls Data centers PSTN Service providers SIP Internet Tele- worker Nomadic/ mobile user 1. SIP trunking border 3. Internet border Remote site IP PBX
Financial services – SIP trunking & remote worker Application Connect 40 locations via SIP trunking Multivendor IP-PBX interoperability Support nomadic mobile worker Problems overcome Security on SIP trunks Reduce access & toll costs by changing TDM trunking to SIP SIP-H.323 interoperability NAT traversal for remote workers SIP trunking border PSTN Service providers Data centers IP PBX UC Company overview 600+ PBXs, 800+ voicemails, 60+ contact centers worldwide 80,000+ endpoints Multiple IP-PBX vendors $160M+ annual trunking, LD & local calling charges Private network Internet H.323 SIP Remote site HQ/ campus SIP Remote site Nomadic/ mobile user Tele- worker Regional site Private network border Internet border
Financial services – SIP trunking & remote worker Application Connect 40 locations via SIP trunking Multivendor IP-PBX interoperability Support nomadic mobile worker Problems overcome Reduce access & toll costs by changing TDM trunking to SIP Security on SIP trunks SIP-H.323 interoperability NAT traversal for remote workers SIP trunking border PSTN Service providers Data centers IP PBX UC Private network Internet H.323 SIP Remote site HQ/ campus SIP Remote site Nomadic/ mobile user Tele- worker Regional site Private network border Internet border
SIP trunking savings spans access, local and long distance costs PRI trunking SIP trunking Savings
Net-Net Enterprise and contact center are transitioning to IP trunking and unified communications Driving need for increased security and connectivity Users pushing boundaries, creating need for increased control Security, service reach and SLA assurance are major issues Voice is mission critical, solution must meet demands Intelligent, dynamic solution required to protect real-time communications services – only SBCs provide this Acme Packet is leading the way Category creator and industry leader Feature rich products led by real-world experience Channel and interop partners in place
The leader in session border control for trusted, first class interactive communications