What does an SBC do?

© 2012 Avaya Inc. All rights reserved.


Carrier SBCs

[Diagram labels: Enterprise Network, IP PBX, Intranet, FW, Carrier SBC, SP Network]

Carrier SBC
• Historically designed to sit at the SP’s edge to protect the carrier.
• Complex-to-use command-line devices
• Provides a distinct separation between networks while providing a means of transporting signaling and media
• Performs topology hiding for the SP
• Tracks calls (CDR) for billing
• Acts as a Network Address Translator (NAT) for the SP
• Provides admission control to limit calls from customers (and ensure SLA)
• Protocol Internetworking for H.323 and SIP

11/26/2012


Enterprise SBC

[Diagram labels: Internet, External FW/NAT, DMZ, Avaya SBCE, Internal FW, Intranet, IP PBX, Enterprise Network, Mobile Users, Telecommuters, Remote Worker, SIP Trunking, SRTP/RTP]

Avaya SBCE

Encryption
• TLS proxy
• SRTP proxy

Enablement
• FW / NAT traversal
• Call admission control
• Signaling and media firewall

Security
• Floods and fuzzing prevention
• Spoofing prevention (fingerprint verification)
• Media anomaly prevention
• Stealth attack prevention
• Toll fraud prevention

Anti-spam
• Whitelist/Blacklist
• Behavior learning

06/01/2012


Avaya SBCE: SIP Trunking Architecture

Use Case: SIP Trunking to Carrier
• Carrier offering SIP trunks as lower-cost alternative to TDM
• Heavy driver for Enterprise adoption of SBC
• Support Aura, IPO and CS1K
• From a security standpoint, it is recommended the SBCE be in the DMZ

Carrier SIP trunks to the Avaya Session Border Controller for Enterprise
• Avaya SBCE is located in a DMZ behind the Enterprise firewall
• Services: security and demarcation device between the IP-PBX and the Carrier
− NAT traversal,
− Securely anchors signaling and media, and can
− Normalize SIP protocol

[Diagram labels: Enterprise, CS1000, Firewall, DMZ, Avaya SBCE, Firewall, Internet, SIP Trunks, Carrier]


NAT Traversal

[Diagram labels: Enterprise, IP PBX, Internet or Provider Network]

FW IP Address: 96.54.23.10
SBC External IP Address: 192.168.45.4

• At a basic level, think of it this way: if the SBC sends an INVITE message to the carrier, can the carrier reply and reach IP address 192.168.45.4? No, because 192.168.45.4 is a private (RFC 1918) address that is not routable from the carrier's network.

• The SBC facilitates NAT traversal by making sure all signaling messages have a REACHABLE return address. In this example, the INVITE would have a source address of 96.54.23.10.

• When a reply is sent, it reaches the firewall, which forwards it to the SBC's external IP address.
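The rewrite described above, as an added Python sketch (not Avaya code and not part of the original slides). It goes slightly beyond the slide by showing where the return addresses sit inside the SIP message (Via, Contact and the SDP o=/c= lines); the sample INVITE, its users, domains and tags are constructed, and only the two IP addresses come from the slide.

```python
import ipaddress
import re

PRIVATE_IP = "192.168.45.4"  # SBC external address (from the slide)
PUBLIC_IP = "96.54.23.10"    # firewall address (from the slide)

# Constructed sample INVITE: users, domains, tags and ports are invented.
SDP = ("v=0\r\no=- 1 1 IN IP4 192.168.45.4\r\ns=-\r\n"
       "c=IN IP4 192.168.45.4\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
INVITE = ("INVITE sip:2000@carrier.example SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 192.168.45.4:5060;branch=z9hG4bK74bf9\r\n"
          "From: <sip:1001@enterprise.example>;tag=9fxced76sl\r\n"
          "To: <sip:2000@carrier.example>\r\n"
          "Call-ID: 3848276298220188511@192.168.45.4\r\n"
          "CSeq: 1 INVITE\r\n"
          "Contact: <sip:1001@192.168.45.4:5060>\r\n"
          "Content-Type: application/sdp\r\n"
          f"Content-Length: {len(SDP)}\r\n\r\n" + SDP)

ROUTING_HEADER = re.compile(r"^(Via|Contact):", re.IGNORECASE)
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

def _swap(line, private_ip, public_ip):
    # Replace whole addresses only, so 192.168.45.40 is never touched.
    return IPV4.sub(lambda m: public_ip if m.group() == private_ip
                    else m.group(), line)

def rewrite_for_nat(msg, private_ip=PRIVATE_IP, public_ip=PUBLIC_IP):
    """Give Via, Contact and the SDP o=/c= lines a reachable address."""
    head, body = msg.split("\r\n\r\n", 1)
    body = "\r\n".join(
        _swap(l, private_ip, public_ip) if l.startswith(("o=", "c=")) else l
        for l in body.split("\r\n"))
    out = []
    for line in head.split("\r\n"):
        if ROUTING_HEADER.match(line):
            line = _swap(line, private_ip, public_ip)
        elif line.lower().startswith("content-length:"):
            # The two addresses differ in length, so the body size changed.
            line = f"Content-Length: {len(body.encode())}"
        out.append(line)
    return "\r\n".join(out) + "\r\n\r\n" + body

def unreachable_addresses(msg):
    """List private IPv4 addresses left in routing headers or SDP o=/c=."""
    lines = [l for l in msg.split("\r\n")
             if ROUTING_HEADER.match(l) or l.startswith(("o=", "c="))]
    return [ip for l in lines for ip in IPV4.findall(l)
            if ipaddress.ip_address(ip).is_private]
```

The Call-ID is left alone on purpose: it is an opaque identifier, not a return address, and changing it would break dialog matching.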


Understanding Toll Fraud

Toll fraud can only be prevented by a holistic approach involving best practice configuration of many elements in a UC environment.

Examples include:
– Customized tuning of SBC to set intelligent call thresholds for outbound and inbound traffic (based on time of day for optimal fine-tuning)
– Enable short-call toll fraud duration
– Limit international calls to only valid destinations for needed countries


DoS and Toll Fraud Protection

Single Source DoS
Any type of DoS attack that is directed against one or more enterprise endpoints and originates from a single source (normally spoofed).

Phone DoS/DDoS
A type of DoS attack that is directed against a single enterprise endpoint.

Stealth DoS/DDoS
A type of low-volume DoS attack that is directed against an endpoint where the source of the call is constantly changed.

Call Walking
A type of DoS attack whereby serial calls originating from a single source (normally spoofed) are directed against a sequential group of endpoints.

Toll Fraud
Refers to internal or external users using the corporate phone system to place unauthorized toll calls.
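How the four DoS categories defined above can be told apart in call-attempt data, as an added Python sketch (not Avaya's detection logic and not part of the original slides). The thresholds, function names and sample attempts are assumptions made for the illustration.

```python
from collections import defaultdict

MIN_CALLS = 10      # assumed: attempts per window before anything is reported
MIN_WALK_RUN = 5    # assumed: consecutive extensions that count as "walking"

def longest_sequential_run(extensions):
    """Longest run of consecutive extension numbers, in call order."""
    best = run = 1
    for prev, cur in zip(extensions, extensions[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def classify(attempts):
    """attempts: (source, extension) pairs from one time window, in order.
    Returns a set of (category, source-or-extension) findings."""
    by_source, by_target = defaultdict(list), defaultdict(list)
    for source, ext in attempts:
        by_source[source].append(ext)
        by_target[ext].append(source)
    findings = set()
    for source, exts in by_source.items():
        if len(exts) >= MIN_CALLS:
            walking = longest_sequential_run(exts) >= MIN_WALK_RUN
            findings.add(("call_walking" if walking
                          else "single_source_dos", source))
    for ext, sources in by_target.items():
        if len(sources) >= MIN_CALLS:
            # Many attempts on one phone: was the source constantly changed?
            changing = len(set(sources)) > len(sources) // 2
            findings.add(("stealth_dos" if changing else "phone_dos", ext))
    return findings

def sample_attempts():
    """Constructed window; addresses are documentation ranges (RFC 5737)."""
    walk = [("203.0.113.7", 2000 + i) for i in range(12)]
    flood = [("198.51.100.9", 3000)] * 12
    stealth = [("192.0.2.%d" % i, 4000) for i in range(1, 13)]
    return walk + flood + stealth
```

One flood can produce two findings, because the slide's categories overlap: a single source hammering one phone is both a single-source DoS and a phone DoS.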


DoS and Toll Fraud Protection

DoS settings can be customized

Time-of-Day can be used to refine DoS settings

Specific protection exists for ‘Short Duration Toll Fraud’ as well:
– Short call duration toll fraud is where a large number of short calls (less than 1-2 seconds) are made to make money on the ‘connect’ fees.
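A detection sketch for the short-duration pattern above, combined with the time-of-day thresholds mentioned on the "Understanding Toll Fraud" slide. This is an added Python example, not Avaya's implementation; the window, the per-period limits, the business-hours definition and the sample call records are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SHORT_CALL_SECONDS = 2           # slide: "less than 1-2 seconds"
WINDOW = timedelta(minutes=10)   # assumed sliding window
# Assumed thresholds: short calls tolerated per source within WINDOW.
LIMITS = {"business": 20, "off_hours": 5}

def limit_for(start):
    """Time-of-day tuning: stricter outside Mon-Fri 08:00-18:00 (assumed)."""
    business = start.weekday() < 5 and 8 <= start.hour < 18
    return LIMITS["business" if business else "off_hours"]

def detect_short_call_fraud(cdrs):
    """cdrs: (start, source, destination, duration_s) tuples.
    Returns {source: time the limit was first exceeded}."""
    recent = defaultdict(deque)
    alerts = {}
    for start, source, _dest, duration in sorted(cdrs):
        if duration >= SHORT_CALL_SECONDS:
            continue                      # normal-length call
        calls = recent[source]
        calls.append(start)
        while start - calls[0] > WINDOW:  # drop calls outside the window
            calls.popleft()
        if len(calls) > limit_for(start):
            alerts.setdefault(source, start)
    return alerts

def sample_cdrs():
    """Constructed CDRs: extensions, numbers and times are invented."""
    night = datetime(2012, 11, 26, 2, 0)   # Monday 02:00
    day = datetime(2012, 11, 26, 10, 0)    # Monday 10:00
    step = timedelta(seconds=30)
    cdrs = [(night + i * step, "1001", "+000555010%d" % i, 1.0)
            for i in range(8)]             # burst of 1-second calls at night
    cdrs += [(day + i * step, "1002", "+0005550200", 1.5)
             for i in range(8)]            # same burst, business hours
    cdrs += [(night + i * step, "1003", "+0005550300", 95.0)
             for i in range(8)]            # long calls are never counted
    return cdrs
```

The same eight-call burst alerts at 02:00 but not at 10:00, which is the effect of refining the threshold by time of day.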


Avaya SBCE: Remote Worker Architecture

Use Case: Remote Worker
• Extend UC to SIP users remote to the Enterprise
• Solution not requiring VPN for UC/CC SIP endpoints
• From a security standpoint, it is recommended the SBCE be in the DMZ

Remote Workers are external to the Enterprise firewall

Avaya Session Border Controller for Enterprise
− Authenticate SIP-based users/clients to the enterprise
− Securely proxy registrations and client device provisioning
− Securely manage communications without requiring a VPN

[Diagram labels: Enterprise, Firewall, DMZ, Avaya SBCE, Firewall, Internet, Remote Workers]


Remote Worker: VPN vs VPNless Endpoints

VPN Endpoint
• VPN headers add additional size to traffic. In aggregate, this reduces bandwidth.
• Encrypts traffic, yet does not validate it. (Encrypting and distributing a virus isn’t helpful)
• No ability at VPN head-end to distinguish between voice and data traffic. Ultimately voice quality suffers.
• Cumbersome user experience for real-time communication applications

VPNless Endpoint
• TLS/SRTP encrypts the traffic with a smaller bandwidth footprint than VPN
• Signaling and media are decrypted at the SBC and inspected at Layer 7 to validate the traffic before it is allowed through
• Numerous policies allow Enterprise control of endpoints.
• Consistent user experience for applications


Call Servers

For SIP Trunking, an accepted architecture is:
– Call Server + SBC
– Call Server + SM + SBC

A valid call server is
– CS1k 7.5
– CM 5.2.1
– IPO 8.x

SM must be 6.x

For SIP Trunking, if these basic requirements are not met, there is no opportunity with this customer UNTIL these elements are there.

Session Manager is NOT required for SIP Trunking


Avaya SBCE 4.0.5 and 6.2 Interoperability Matrix
All Tests performed in the SIL Labs

Platform     No SM          SM 6.1         SM 6.2
CS1K R7.5    R4.0.5/R6.2    R4.0.5/R6.2    R4.0.5/R6.2
IPO R8.0     R4.0.5/R6.2    NA             NA
CM R5.2.1    R4.0.5/R6.2    R4.0.5/R6.2    R4.0.5/R6.2
CM 6.0.1     R4.0.5/R6.2    R4.0.5/R6.2    NA
CM R6.2      R4.0.5/R6.2    R4.0.5/R6.2    R4.0.5/R6.2

Supported - Tested
NA: Not Supported or Tested.


IPO 8.x

ONLY supports SIP Trunking

ONLY certified with AT&T at the moment

A generic app note is in the works to accommodate additional carriers


Carriers Tested as of November 10th, 2013.

Alestra
AT&T
AT&T Puerto Rico
Belgacom
Bell Canada
Broad-Connect
Broadview
BT Global Services
BT HIPCOM
BT Italia
BT Wholesale
Cable & Wireless
CenturyLink
Colt
Etisalat
Fastweb SPA
Frontier
Gamma
IntelePeer
KPN
Level 3
MTSAllStream
PAETEC
Phonect
QSC
Sprint
Swisscom
Tele2
Telefonica del Peru
Telenor
Teliasonera
TELUS
T-Mobile NL
UPC
Vamoin1/KPN
Verizon Business
Virgin Media
Vodafone DE
Vodafone NL
VoicePulse
Windstream
Worldnet P. Rico
XO

Find App Notes Here: https://devconnect.avaya.com/public/dyn/d_dyn.jsp?fn=103


SIP Trunking Qualification

Must include supported call servers (CS1, CM, SM, IPO)

Must be explicitly tested with that given configuration with the carrier.
– Example: If CM->SBC->Service Provider ‘A’ is tested, that does NOT mean CM->SM->Service Provider ‘A’ is tested. Make sure the specific configuration is documented with an App Note.
– If the architecture is valid, but it is not tested, then escalate through Jack Rynes


SIP Trunking with AACC

AACC – If this is a basic SIP Trunking deployment involving:

Service Provider - SBC - SM - CM

There may be a valid solution for the SBC, but all call flows should be vetted with the CSEs.


SIP Trunking with Call Center Elite

CC Elite – If this is a basic SIP Trunking deployment involving:

Service Provider - SBC - SM - CM

-and-

Avaya Experience Portal is NOT part of the call flow

There may be a valid solution for the SBC, but all call flows should be vetted with the CSEs.


Avaya SBCE Key Features


The Unique Avaya Solution for UC Application Security

[Diagram labels: Remote, Internet, Remote NAT & Firewall, Enterprise DMZ Firewalls, Avaya SBCAE, Enterprise, Intranet]

Enterprise services and protocols shown:
• Avaya Session Manager (SIP)
• Internal Phone (RTP)
• Remote Phone Configuration (HTTPS)
• Certificate Authority (SCEP)
• Personal Profile Manager (SOAP)
• Directory Server (LDAP)
• Web Server (HTTP)
• Presence and IM (XMPP)

Security
• UC Policy, Access control, & Authentication
• Privacy (encryption) with TLS, SRTP
• UC Threat protection

Comprehensive Services
• Directory, Web applications, Login profiles

Remote Management
• Configuration management, Certificate, PKI management

Callouts: Encrypted Sessions; Authenticated Endpoints; Allow supporting protocols with full NAT; Giving you Full Features


ASBCE 6.2 System Capacity

Session Border Controller capacities are rated in Simultaneous Sessions
– A simultaneous session = a communication session between 2 SIP endpoints
– Can think of it as analogous to a DS0 in the ‘old world’
– Key for engineering is to understand the numbers of sessions required in the solution
• For Secure SIP trunking, look at the number of TDM DS0s required
• For Remote Worker, calculate required call volumes

[Table: Capacity in Simultaneous Sessions. Labels and values as extracted: Portwell CAD-0208; Max Capacity W/out Encrypt; Max Capacity With Encrypt; HA; SA; SA; 1000; 1000; 250; 2000; 2000; 500]

‘Rules of Thumb’
• SIP trunking usually 5 users per ‘SS’
• Must account for higher ratio in small
• Remote Worker must consider both On-net and off-net requirements
• Remember, in Dell configs, Encryption Services impact capacity
