1. Quintum Confidential and Proprietary 1 Quintum Technologies, Inc. Session Border Controller and VoIP Devices Behind Firewalls Tim Thornton, CTO

2. Quintum Confidential and Proprietary 2 Firewalls Not Designed for Voice Applications Voice and data are separate networks Firewalls provide a barrier between data networks Firewall controls inside-out data flow Headquarters PBX WAN Branch Office PSTN LAN PBX

3. Quintum Confidential and Proprietary 3 VoIP Introduces Application Level Issues with Firewalls VoIP works inside the LAN but has problems across the WAN Any to Any connectivity means all devices must be on the same network H.323 and SIP require application intelligence at firewall Headquarters PBX Branch Office PSTN LAN PBX Tenor Gateway IP Phone WAN Signaling Media ?

4. Quintum Confidential and Proprietary 4 Solutions Using Existing Firewalls Compromise Network Security Problems: Two way voice applications require access from outside Each VoIP endpoint requires numerous port to be open through firewall Devices in DMZ compromise security policies Open ports increase vulnerability & allows access into the network topology Internet Gateway IP Phone DMZ

5. Quintum Confidential and Proprietary 5 Session Border Controllers Address the VoIP Security Issues VoIP Network Security Provides a single demarcation point for access through the firewall Acts as a firewall proxy for VoIP devices inside the LAN Allows security policies to remain intact Can provide application level control for access (AAA) Additional Administration Benefits Single point at network edge for call routing and call detail recording.

6. Quintum Confidential and Proprietary 6 The Session Border Controller Becomes the VoIP Firewall There are two approaches to supporting VoIP through firewalls: Application Aware solutions Session Border Controller acts as VoIP firewall to modify signaling before passing through firewall Integrated Applications-Level firewalls that understand VoIP protocol issues Firewall Transparent solution Session Border Controller handles media routing VoIP Endpoints create a signaling tunnel through existing firewall

7. Quintum Confidential and Proprietary 7 Application Aware Works with Existing Firewall to Modify VoIP Addressing Obtains external addressing information through configuration or discovery NatAccess requires port mapping in the firewall and the external address is configured. STUN uses external address obtained from a public server Headquarters PBX WAN PSTN Session Border Controller Gateway Stun Server NATAccess™

8. Quintum Confidential and Proprietary 8 Firewall Transparent Session Border Controller Works Independent of Existing Firewall Obtains address information through packet inspection Endpoints establish a tunnel to SBC Media is switched through the SBC Headquarters PBX WAN PSTN Gateway Session Border Controller Signaling Media

9. Quintum Confidential and Proprietary 9 Case Study An International NextGen carrier is using Session Border Controllers at the edge of their network to deploy services to Enterprise customers. Tenor PBX Tenor CMS Kuangdong Beijing Internet Tenor SBC Tenor CMS Tenor SBC Beijing Tenor PBX Tenor SBC IP Phone

10. Quintum Confidential and Proprietary 10 Session Border Controllers at the Edge of the Enterprise Offer Other Opportunities Configure, manage, and support devices behind the firewall Troubleshooting and diagnostics Demarcation points for Service Providers Headquarters PBX WAN PSTN LAN Gateway Network Management Session Border Controller

11. Quintum Confidential and Proprietary 11 Summary Advances in VoIP deployment has raised serious concerns that are addressed with Session Border Controllers There are variety of Session Border Controller implementation choices: Application Aware Firewall Transparent Session Border Controllers are in the early stages of developments and will offer opportunities to provide edge support for network configuration and management

12. Quintum Confidential and Proprietary 12 END