What does an SBC do?
© 2012 Avaya Inc. All rights reserved.
Carrier SBCs
[Figure: Carrier SBC at the boundary between the Enterprise Network (IP PBX, Intranet, FW) and the SP Network]
Carrier SBC
• Historically designed to sit at the SP's edge to protect the carrier
• Complex to use: command-line devices
• Provides a distinct separation between networks while providing a means of transporting signaling and media
• Performs topology hiding for the SP
• Tracks calls (CDR) for billing
• Acts as a Network Address Translator (NAT) for the SP
• Provides admission control to limit calls from customers (and ensure the SLA)
• Protocol internetworking for H.323 and SIP
11/26/2012
Enterprise SBC
[Figure: Avaya SBCE in the DMZ between the Internal FW and the External FW/NAT; the IP PBX and Intranet sit inside the Enterprise Network, while Mobile Users, Telecommuters and Remote Workers reach the SBCE across the Internet over SRTP/RTP]
Avaya SBCE
Encryption
• TLS proxy
• SRTP proxy
Enablement
• FW / NAT traversal
• Call admission control
• Signaling and media firewall
Security
• Floods and fuzzing prevention
• Spoofing prevention (fingerprint verification)
• Media anomaly prevention
• Stealth attack prevention
• Toll fraud prevention
Anti-spam
• Whitelist/Blacklist
• Behavior learning
06/01/2012
SIP Trunking
Avaya SBCE: SIP Trunking Architecture
Use Case: SIP Trunking to Carrier
• Carriers offer SIP trunks as a lower-cost alternative to TDM; this is a heavy driver for Enterprise adoption of the SBC
• Supports Aura, IPO and CS1K
• From a SECURITY standpoint, it is recommended the SBCE be in the DMZ
• Carrier SIP trunks terminate on the Avaya Session Border Controller for Enterprise
• The Avaya SBCE is located in a DMZ behind the Enterprise firewall
• Services: security and demarcation device between the IP-PBX and the Carrier
  − NAT traversal
  − Securely anchors signaling and media
  − Normalizes the SIP protocol
[Figure: Carrier SIP Trunks crossing the Internet to the Avaya SBCE in the DMZ, between the outer and inner Firewalls, and on to the CS1000 in the Enterprise]
NAT Traversal
[Figure: Enterprise IP PBX behind a FW with IP address 96.54.23.10, facing the Internet or Provider Network; the SBC external IP address is 192.168.45.4]
• At a basic level, think of it this way: if the SBC sends an INVITE message to the carrier, can the carrier reply and reach IP address 192.168.45.4? No.
• The SBC facilitates NAT traversal by making sure all signaling messages have a REACHABLE return address. In this example, the INVITE would have a source address of 96.54.23.10.
• When a reply is sent it reaches the firewall, which forwards it to the SBC's external IP address.
Understanding Toll Fraud
Toll fraud can only be prevented by a holistic approach involving best-practice configuration of many elements in a UC environment.
Examples include:
– Customized tuning of the SBC to set intelligent call thresholds for outbound and inbound traffic (based on time of day for optimal fine-tuning)
– Enable short-call toll fraud duration
– Limit international calls to only valid destinations for needed countries
DoS and Toll Fraud Protection
Single Source DoS
Any type of DoS attack directed against one or more enterprise endpoints that originates from a single source (normally spoofed).
Stealth DoS/DDoS
A type of low-volume DoS attack directed against an endpoint where the source of the call is constantly changed.
Call Walking
A type of DoS attack whereby serial calls originating from a single source (normally spoofed) are directed against a sequential group of endpoints.
Toll Fraud
Refers to internal or external users using the corporate phone system to place unauthorized toll calls.
Phone DoS/DDoS
A type of DoS attack directed against a single enterprise endpoint.
DoS and Toll Fraud Protection
DoS settings can be customized
Time-of-Day can be used to refine DoS settings
Specific protection exists for 'Short Duration Toll Fraud' as well:
– Short call duration toll fraud is where a large number of short calls (less than 1-2 seconds) are made to make money on the 'connect' fees.
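The following is an added example, not code from the Avaya deck, serving both the attack definitions on the previous slide and the time-of-day and short-duration settings on this one. It runs three detectors over constructed call records: a per-source call-rate check whose ceiling depends on the hour (Single Source DoS / Phone DoS), a consecutive-number check (Call Walking), and a count of answered calls of two seconds or less (Short Duration Toll Fraud). The CDR format, the thresholds (30 calls per minute in business hours, 5 otherwise; five consecutive numbers; ten short calls in ten minutes) and the sample traffic are assumptions made for this example, not SBCE configuration values.

```python
# Added example, not from the Avaya deck: detectors for three of the patterns the
# slides define (Single Source DoS, Call Walking, Short Duration Toll Fraud), run over
# constructed call records. The record format, the thresholds and the business-hours
# split are assumptions made for this example, not SBCE configuration values.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class CallRecord:
    start: datetime       # call start time
    source: str           # calling address as seen by the SBC
    destination: str      # dialled number or extension
    duration_s: float     # talk time in seconds; 0 when the call was never answered


def parse_cdr(line):
    """Constructed CDR format: start,source,destination,duration_seconds"""
    ts, src, dst, dur = line.strip().split(",")
    return CallRecord(datetime.fromisoformat(ts), src, dst, float(dur))


def call_rate_threshold(when):
    """Time-of-day tuning: a lower calls-per-minute ceiling per source is normal
    outside business hours. Assumed values: 30 during 08:00-18:00, 5 otherwise."""
    return 30 if 8 <= when.hour < 18 else 5


def _group_times(records, keep):
    """Sorted start times per source, for the records that pass the filter."""
    by_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r.start):
        if keep(r):
            by_src[r.source].append(r.start)
    return by_src


def _window_counts(times, window):
    """For sorted timestamps yield (t, n): n events inside the window ending at t."""
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        yield t, hi - lo + 1


def single_source_flood(records, window=timedelta(seconds=60)):
    """Single Source DoS / Phone DoS: one source exceeding the time-of-day call
    rate, whatever the destination. (Stealth DoS rotates sources, so it needs
    per-destination counting instead; not shown here.)"""
    by_src = _group_times(records, lambda r: True)
    return {src for src, times in by_src.items()
            if any(n > call_rate_threshold(t) for t, n in _window_counts(times, window))}


def call_walking(records, min_run=5):
    """Call Walking: one source dialling a run of consecutive numbers in order."""
    by_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r.start):
        digits = r.destination.lstrip("+")
        if digits.isdigit():
            by_src[r.source].append(int(digits))
    flagged = set()
    for src, nums in by_src.items():
        run = 1
        for prev, cur in zip(nums, nums[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.add(src)
                break
    return flagged


def short_call_toll_fraud(records, max_duration_s=2.0, min_calls=10,
                          window=timedelta(minutes=10)):
    """Short Duration Toll Fraud: many answered calls of 1-2 s or less from one
    source. Unanswered calls (duration 0) incur no connect fee and are ignored."""
    by_src = _group_times(records, lambda r: 0 < r.duration_s <= max_duration_s)
    return {src for src, times in by_src.items()
            if any(n >= min_calls for _, n in _window_counts(times, window))}


def _cdr_lines(start, source, count, step_s, dest_of, duration_s):
    t0 = datetime.fromisoformat(start)
    return [f"{(t0 + timedelta(seconds=step_s * i)).isoformat()},{source},"
            f"{dest_of(i)},{duration_s}" for i in range(count)]


# Non-sequential UK destinations for the fraudster, so call_walking stays quiet.
_FRAUD_DESTS = ["+4420794600" + s for s in "01 17 33 05 21 44 09 28 50 13 36 02".split()]


def sample_records():
    """Constructed day of traffic: one normal user, a night-time call walker, a
    daytime short-call fraudster and a 02:00 flood against extension 1000."""
    lines = [
        "2012-11-26T10:15:00,10.20.1.15,+12125550123,120",
        "2012-11-26T11:40:00,10.20.1.15,+12125550987,45",
        "2012-11-26T16:05:00,10.20.1.15,+12125550555,300",
    ]
    lines += _cdr_lines("2012-11-26T03:00:00", "203.0.113.7", 7, 20,
                        lambda i: f"+1202555010{i}", 0)
    lines += _cdr_lines("2012-11-26T14:00:00", "198.51.100.23", 12, 30,
                        lambda i: _FRAUD_DESTS[i], 1.0)
    lines += _cdr_lines("2012-11-26T02:00:00", "192.0.2.99", 8, 2,
                        lambda i: "1000", 0)
    return [parse_cdr(line) for line in lines]


if __name__ == "__main__":
    recs = sample_records()
    print("single-source flood:", single_source_flood(recs))
    print("call walking:", call_walking(recs))
    print("short-call toll fraud:", short_call_toll_fraud(recs))
```

Each detector flags exactly one of the constructed sources and none of the others: the walker dials slowly enough to stay under the night-time rate ceiling, the fraudster's calls are answered but too short to be legitimate, and the 02:00 flood is caught by the lower off-hours threshold even though eight calls a minute would pass unnoticed in business hours. That last point is the slide's argument for time-of-day tuning.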
Avaya SBCE: Remote Worker Architecture
Use Case: Remote Worker
• Extend UC to SIP users remote to the Enterprise
• Solution not requiring VPN for UC/CC SIP endpoints
• From a SECURITY standpoint, it is recommended the SBCE be in the DMZ
• Remote Workers are external to the Enterprise firewall
• Avaya Session Border Controller for Enterprise:
  − Authenticates SIP-based users/clients to the enterprise
  − Securely proxies registrations and client device provisioning
  − Securely manages communications without requiring a VPN
[Figure: Remote Workers on the Internet reaching the Avaya SBCE in the DMZ, between the outer and inner Firewalls of the Enterprise]
Remote Worker: VPN vs VPNless Endpoints
VPN Endpoint
• VPN headers add size to traffic; in aggregate this reduces bandwidth.
• Encrypts traffic, yet does not validate it (encrypting and distributing a virus isn't helpful).
• No ability at the VPN head-end to distinguish between voice and data traffic; ultimately voice quality suffers.
• Cumbersome user experience for real-time communication applications.
VPNless Endpoint
• TLS/SRTP encrypts the traffic with a smaller bandwidth footprint than VPN.
• Signaling and media are decrypted at the SBC and inspected at Layer 7 to validate the traffic before it is allowed through.
• Numerous policies allow Enterprise control of endpoints.
• Consistent user experience for applications.
Call Servers
For SIP Trunking, an accepted architecture is:
– Call Server + SBC
– Call Server + SM + SBC
A valid call server is:
– CS1k 7.5
– CM 5.2.1
– IPO 8.x
SM must be 6.x
For SIP Trunking, if these basic requirements are not met there is no opportunity with this customer UNTIL these elements are there.
Session Manager is NOT required for SIP Trunking
Avaya SBCE 4.0.5 and 6.2 Interoperability Matrix
All tests performed in the SIL Labs
Platform   | No SM        | SM 6.1       | SM 6.2
CS1K R7.5  | R4.0.5/R6.2  | R4.0.5/R6.2  | R4.0.5/R6.2
IPO R8.0   | R4.0.5/R6.2  | NA           | NA
CM R5.2.1  | R4.0.5/R6.2  | R4.0.5/R6.2  | R4.0.5/R6.2
CM 6.0.1   | R4.0.5/R6.2  | R4.0.5/R6.2  | NA
CM R6.2    | R4.0.5/R6.2  | R4.0.5/R6.2  | R4.0.5/R6.2
R4.0.5/R6.2 = Supported - Tested
NA = Not Supported or Tested
IPO 8.x
• ONLY supports SIP Trunking
• ONLY certified with AT&T at the moment
• A generic app note is in the works to accommodate additional carriers
Carriers Tested as of November 10th, 2013:
Alestra
AT&T
AT&T Puerto Rico
Belgacom
Bell Canada
Broad-Connect
Broadview
BT Global Services
BT HIPCOM
BT Italia
BT Wholesale
Cable & Wireless
CenturyLink
Colt
Etisalat
Fastweb SPA
Frontier
Gamma
IntelePeer
KPN
Level 3
MTS AllStream
PAETEC
Phonect
QSC
Sprint
Swisscom
Tele2
Telefonica del Peru
Telenor
Teliasonera
TELUS
T-Mobile NL
UPC
Vamoin1/KPN
Verizon Business
Virgin Media
Vodafone DE
Vodafone NL
VoicePulse
Windstream
Worldnet P. Rico
XO
Find App Notes Here: https://devconnect.avaya.com/public/dyn/d_dyn.jsp?fn=103
SIP Trunking Qualification
Must include supported call servers (CS1K, CM, SM, IPO)
Must be explicitly tested with that given configuration with the carrier.
– Example: If CM-SBC -> Service Provider 'A' is tested, that does NOT mean CM-SM -> Service Provider 'A' is tested. Make sure the specific configuration is documented with an App Note.
– If the architecture is valid, but it is not tested, then escalate through Jack Rynes
SIP Trunking with AACC
AACC – If this is a basic SIP Trunking deployment involving:
Service Provider - SBC - SM - CM
There may be a valid solution for the SBC, but all call flows should be vetted with the CSEs.
SIP Trunking with Call Center Elite
CC Elite – If this is a basic SIP Trunking deployment involving:
Service Provider - SBC - SM - CM
-and-
Avaya Experience Portal is NOT part of the call flow
There may be a valid solution for the SBC, but all call flows should be vetted with the CSEs.
Avaya SBCE Key Features
[Figure: "The Unique Avaya Solution for UC Application Security" – Avaya SBCAE between the Remote side (Remote NAT & Firewall, Internet) and the Enterprise (Enterprise DMZ Firewalls, Intranet). Protocols carried: Avaya Session Manager (SIP), Internal Phone (RTP), Remote Phone Configuration (HTTPS), Certificate Authority (SCEP), Personal Profile Manager (SOAP), Directory Server (LDAP), Web Server (HTTP), Presence and IM (XMPP)]
Security: UC Policy, Access control, & Authentication
Privacy (encryption) with TLS, SRTP; UC Threat protection
Comprehensive Services: Directory, Web applications, Login profiles
Remote Management: Configuration management, Certificate, PKI management
Encrypted Sessions, Authenticated Endpoints, Allow supporting protocols with full NAT, Giving you Full Features
Session Border Controller capacities are rated in Simultaneous Sessions
– A simultaneous session = a communication session between 2 SIP endpoints
– Can think of it as analogous to a DS0 in the 'old world'
– Key for engineering is to understand the number of sessions required in the solution
  For Secure SIP trunking, look at the number of TDM DS0s required
  For Remote Worker, calculate required call volumes
ASBCE 6.2 System Capacity (Portwell CAD-0208)
[Table: capacity in Simultaneous Sessions; column headings as extracted: Max Capacity W/out Encrypt, Max Capacity With Encrypt, HA, SA, SA; values 1000 / 1000 / 250 and 2000 / 2000 / 500]
'Rules of Thumb'
• SIP trunking usually 5 users per 'SS'
• Must account for higher ratio in small
• Remote Worker must consider both on-net and off-net requirements
• Remember, in Dell configs, Encryption Services impact capacity