Acme Packet Session Border Controller


Published by: Manuel Eliseo on Feb 17, 2012
Copyright: Attribution Non-commercial








Session Border Controllers
Connecting the IP World

Acme Packet and Avaya Lead The Way
April 9, 2009
Neil Segall, Business Development
Margie Frasier, Channel Development


• Why should I care about SBCs?
• What is an SBC?
• Product Overview
• Working together



We are not Bugs Bunny!!


Beep Beep


EMEA TECHSHARE 2009 THE FUTURE BEGINS

Why should I care about SBCs?
• Reduce cost
• Deliver business agility
• Secure loyal customers

Market Trends
• Service providers
  - Making SIP value available to enterprises
  - Relying on SBCs for peering and secure access
  - Reselling or recommending CPE SBCs for security and interworking
• Enterprises and contact centres
  - Embracing converged voice/data for UC, CC, & CEBP
  - Migrating increasingly to SIP
  - Moving to SIP trunking for lower costs & power consumption
  - Recognizing identity, trust and security as critical to UC success
  - Dealing with interworking and regulatory concerns

Future of interactive communications?
[Diagram: The Internet and The Federnet]

Federnet: The eight driving factors
• Unlimited bandwidth, QoS and signaling resources will forever be a myth
• Some sessions are more valuable than others
• IP IC regulation will increase
• Business models will never be homogenous
• In IP, we trust no one
• Addresses will forever be a collection of heterogeneous schemes
• SIP is not the only signaling protocol
• Codecs will never converge to a couple - audio & video

Next Generation Communications
[Architecture diagram. Labels: Application, System Manager, Application Platform, MM, MX, VP, CM, Media Servers, Connection, Communication Manager, Core SM, TDM Trunks, PSTN, Providers, Outsourcers, Federated, SIP Trunks, Acme Packet SBC, Avaya one-X® endpoints, Internet, Avaya CM Branch / Stand alone, Access, 3rd Party PBXs, 3rd Party endpoints, G860, Remote workers over Internet]

Joint Value Proposition
• Acme Packet SBCs augment Avaya solutions for UC and CC
  - Defend SIP signaling elements against security threats, overloads
  - Eliminate border signaling and many other interoperability issues
  - Preserve session quality under load and adverse conditions
  - Extend Avaya application reach across IP network borders
  - Support regulatory compliance
• Key Benefits
  - Faster Avaya solutions deployment at lower risk and cost
  - Safe use of cost-effective SIP trunks
  - High-quality session delivery to workers across the enterprise
  - Improves customers options for customizing their networks


What is a Session Border Controller?
• Session
  - real-time, interactive communications - voice, video & multimedia - using SIP, H.323, MGCP/NCS, H.248
• Border
  - IP-IP network borders
    - Interconnect/peering: between service providers
    - Subscriber access: enterprise, residential or mobile services
    - Data center: retail or wholesale services
    - Enterprise: intra- & extra-enterprise
• Control
  - Security
  - Service reach maximization
  - SLA assurance
  - Revenue & cost optimization
  - Regulatory compliance
[Diagram labels: PSTN, Large enterprise, Mobile services, Residential & business services, PSTN origination & termination, IP transit, IP contact center, Directory services, PSTN termination]

Why SBCs Instead of Firewalls?
• Because traditional firewalls cannot:
  - Prevent SIP-specific overload conditions and malicious attacks
  - Open / close RTP media ports in sync with SIP signaling
  - Track session state and provide uninterrupted service
  - Perform interworking or security on encrypted sessions
  - Scale to handle many 1000s of real-time sessions
  - Provide carrier class availability
• InfoSec deploy defence-in-depth model with application-level security proxies for email and web applications
  - Same model applies for IP telephony, UC and IP contact center applications

Acme Packet SBC secures & assures Avaya unified communications
• Completes Avaya's cost effective end-to-end SIP architecture
  - SIP trunking and border interworking
  - Remote site & worker connectivity
  - Reduced maintenance costs
• Provides best-in-class VoIP & UC security
  - Integrated with Avaya Session Manager, Communication Manager and Voice Portal
• Assures quality and high availability
  - Disaster recovery and survivability
• Helps achieve regulatory compliance
  - Emergency calls, privacy, recording
[Diagram: three numbered borders, each with an Acme Packet SBC (APKT): SIP trunking border; Hosted services border (contact center, audio/video conferencing, IP Centrex, etc.); Internet border. Other labels: To PSTN, Federated partners, Private network, Internet, H.323, SIP, Redundant data centers, UC, ASM, CC, HQ/campus, Regional site, Remote site, Nomadic/mobile user, Teleworker]


Acme Packet Products
Size: Medium, Large. Deployment: Data Center / branch office, Data Center, Data Center, Data Center (w/transcoding)
Columns: UC # lines, CC # agents, # sessions
Products: Net-Net 9200, Net-Net 4500, Net-Net 4250, Net-Net 3800
000-80. 750-2.000 125-4.000 150-500 250-8.000-360.000-16.000 20.000 500-8.000-36.000 2.000 .000 1.000-72.500 75-250 1.000 4.000 5.250-40.

Net-SAFE Security Framework
• SBC DoS/DDoS protection
  - Protect against SBC DoS/DDoS attacks & overloads
• Access control & VPN separation
  - Dynamic, session-aware access control for signaling & media
  - Support for L2 and L3 VPN services & traffic separation
• Topology hiding & privacy
  - Complete service infrastructure hiding & user privacy support
• Viruses, malware & SPIT mitigation
  - Deep packet inspection enables protection against malicious or annoying traffic
• Encryption and Authentication
  - TLS, IPSEC, SRTP
• Monitoring and reporting
  - Record attacks & attackers
  - Provide audit trails
[Diagram labels: SBC DoS protection, Fraud prevention, Service infrastructure DoS prevention, Access control, Topology hiding & privacy, Viruses malware & SPIT mitigation]

Dynamic ACLs and Hardware Based Security
• All unauthorized traffic rejected by hardware authentication - dropped at wire speed!!
HARDWARE BASED AUTH: Authorized traffic flows are based on:
• Source IP address/range
• Source IP port
• Protocol
• Destination IP address
• Destination IP port
• VLAN + physical port
Other authorizations at wire speed:
• DoS
• Blacklisted users rejected (matched on above flow definitions)
Software based SBCs cannot provide this!
[Diagram: traffic rejected (X) at the NN-SD. Labels: HTTP request, unauthorized protocol or destination port, SIP Invite, blacklisted user]

Signaling Based Security measures a FW cannot provide:
• Stateful awareness of SIP sessions allows for fine-tuned security
SOFTWARE/SIGNALING BASED AUTHORIZATION: Authorized traffic flows can be based on:
• User
• SIP Registration Status
• Signaling packet format (Legal?)
• Filters based on SIP header content
• Source or Destination URI format
• Traffic
• Codec type
• Bandwidth or Session Admission Control
• Overload constraints (CPU and Rate Limit Next hop)
[Diagram: SIP Invites rejected (X) at the NN-SD. Labels: Unregistered users (rejected at SIP level), Reject with 4xx Unauthorized (shown twice), Next hop device (i.e. Avaya SM) constraints exceeded, Bandwidth exceeds allowed limit, Reject with 503 Unavailable (configurable response)]
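
The signaling-level checks listed on this slide, sketched as an added example (not code from the deck or from Acme Packet). The class and method names are hypothetical, and the specific status codes are assumptions: the slide only says "4xx" and "503 Unavailable (configurable response)".

```python
import re
from collections import deque

class SignalingGate:
    """Per-INVITE admission checks made at the SIP layer (illustrative model)."""

    def __init__(self, registered, max_sessions, max_invites_per_sec):
        self.registered = set(registered)   # AoRs with a current registration
        self.max_sessions = max_sessions    # next-hop session constraint
        self.rate = max_invites_per_sec     # per-source INVITE rate limit
        self.active = set()                 # Call-IDs admitted and not yet ended
        self.recent = {}                    # source IP -> arrival times (last 1 s)

    def on_invite(self, src_ip, call_id, from_uri, now):
        """Return the status the gate answers with; 100 means 'forward it'."""
        if not re.fullmatch(r"sips?:[\w.+-]+@[\w.-]+", from_uri):
            return 400                       # illegal signaling format
        window = self.recent.setdefault(src_ip, deque())
        while window and now - window[0] >= 1.0:
            window.popleft()                 # forget arrivals older than 1 s
        window.append(now)
        if len(window) > self.rate:
            return 503                       # source exceeds signaling rate limit
        if from_uri not in self.registered:
            return 403                       # unregistered user, rejected at SIP level
        if len(self.active) >= self.max_sessions:
            return 503                       # next-hop constraint exceeded
        self.active.add(call_id)
        return 100

    def on_bye(self, call_id):
        """End of session: free the admission slot held by this call."""
        self.active.discard(call_id)

if __name__ == "__main__":
    # Constructed traffic: one registered user, a one-session next hop.
    gate = SignalingGate({"sip:alice@example.com"}, max_sessions=1,
                         max_invites_per_sec=2)
    print(gate.on_invite("192.0.2.1", "c1", "sip:alice@example.com", 0.0))
    print(gate.on_invite("192.0.2.1", "c2", "sip:alice@example.com", 0.1))
    print(gate.on_invite("192.0.2.2", "c3", "sip:mallory@example.com", 0.2))
```

A packet-filtering firewall cannot make any of these decisions because they depend on registration state, parsed header content and the count of sessions still in progress.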

Handling of Ports for Media
• VoIP often requires a different media port per source for RTP flows
• Net-Net SD dynamically opens ports for RTP/RTCP (media streams)
  - Secure latching
[Call-flow diagram. Callout: FW must keep ports open at all times. Net-Net SD steps: INVITE with SDP c= (source): open media port from pool "Y" and remember the mapping; 200 OK with SDP c= (source): open a media port from pool "X" and remember the mapping; UDP ports 49152-65535 in pool "X" and in pool "Y"; BYE / 200 OK: close media ports and remove them from the SBC cache. Ports 1046, 4300 and 49152 appear in the example mappings.]
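
The port handling on this slide, as an added example (not code from the deck or from Acme Packet): pinholes are opened from a pool when SDP passes through, latched to the first media source seen, and closed on BYE. The class name, the single pool, the documentation-range addresses and the model of latching as "lock to first observed source" are assumptions.

```python
import re

class MediaGate:
    """Signaling-driven RTP pinholes with source latching (illustrative model)."""

    def __init__(self, sbc_ip, first_port=49152, last_port=65535):
        self.sbc_ip = sbc_ip
        self.free = list(range(first_port, last_port, 2))  # even ports only; RTCP not modelled
        self.pinholes = {}   # open SBC port -> latched (ip, port), or None
        self.by_call = {}    # Call-ID -> SBC ports opened for that call

    def anchor_sdp(self, call_id, sdp):
        """Open one pinhole per m= line; rewrite c=/m= so media flows via the SBC."""
        def open_port(match):
            port = self.free.pop(0)
            self.pinholes[port] = None            # open, not yet latched
            self.by_call.setdefault(call_id, []).append(port)
            return f"m={match.group(1)} {port} "
        sdp = re.sub(r"^m=(\w+) \d+ ", open_port, sdp, flags=re.M)
        return re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {self.sbc_ip}", sdp, flags=re.M)

    def rtp_in(self, dst_port, src):
        """Return True if a packet to dst_port from src=(ip, port) is forwarded."""
        if dst_port not in self.pinholes:
            return False                          # no signaling opened this port
        if self.pinholes[dst_port] is None:
            self.pinholes[dst_port] = src         # latch onto first observed source
        return self.pinholes[dst_port] == src     # any other source is dropped

    def bye(self, call_id):
        """Close every pinhole the call opened and return the ports to the pool."""
        for port in self.by_call.pop(call_id, []):
            del self.pinholes[port]
            self.free.append(port)

# Constructed sample offer (addresses from documentation ranges).
INVITE_SDP = ("v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\n"
              "c=IN IP4 192.0.2.10\r\nt=0 0\r\n"
              "m=audio 1046 RTP/AVP 0 8\r\n")

if __name__ == "__main__":
    gate = MediaGate("198.51.100.1")
    print(gate.anchor_sdp("call-1", INVITE_SDP))
    print(gate.rtp_in(49152, ("203.0.113.7", 1046)))   # first packet latches
    print(gate.rtp_in(49152, ("203.0.113.99", 4000)))  # different source
    gate.bye("call-1")
    print(gate.rtp_in(49152, ("203.0.113.7", 1046)))   # after BYE
```

The contrast with a static firewall rule is that no port in 49152-65535 accepts traffic unless a live call opened it, and it stops accepting traffic as soon as that call ends.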

It's not just about security
• Legacy data infrastructure is not enough
  - Signalling protocol interworking
  - Service reach maximization
  - QoS / Accounting
  - Session replication
  - High availability

Header Manipulation Rules
• Benefit - allows SBC to perform SIP header/parameter manipulation based on regular expressions
• Problem overcome - interoperability issues, unique routing needs, protocol normalization and fix-up
• Details
  - Regular expression search and store capability
  - Ability to do repetitive search and replace
  - Boolean logic support
  - Supports operations on MIME body, SDP
  - Allows codec re-ordering & stripping
  - Ability to insert information into Call Detail Record VSAs
  - HMR for ISUP (conversion between any variation of SIP, e.g. SIP-I, SIP-T)
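
What regex-driven header manipulation with codec re-ordering and stripping involves, as an added example (not code from the deck, and not Acme Packet HMR configuration syntax). The rule format, function names and the abbreviated audio-only INVITE are assumptions; note that Content-Length has to be recomputed once the SDP body changes.

```python
import re

# Hypothetical rule format: (header, regex, replacement).
HEADER_RULES = [
    ("To", r"sip:00(\d+)@", r"sip:+\1@"),   # store the digits, re-insert after "+"
    ("User-Agent", r".+", " redacted"),      # drop vendor/version string
]

def filter_codecs(sdp, preferred):
    """Re-order m=audio payload types to `preferred` and strip all others."""
    out, keep = [], []
    for line in sdp.split("\r\n"):
        m = re.match(r"(m=audio \d+ \S+) (.+)", line)
        if m:
            keep = [pt for pt in preferred if pt in m.group(2).split()]
            if not keep:
                raise ValueError("offer contains no permitted codec")
            line = f"{m.group(1)} {' '.join(keep)}"
        attr = re.match(r"a=(?:rtpmap|fmtp):(\d+)", line)
        if attr and attr.group(1) not in keep:
            continue                         # attribute of a stripped codec
        out.append(line)
    return "\r\n".join(out)

def manipulate(message, rules, preferred):
    """Apply header rules, filter the SDP body, then fix Content-Length."""
    head, _, body = message.partition("\r\n\r\n")
    body = filter_codecs(body, preferred)
    out = []
    for line in head.split("\r\n"):
        name, colon, value = line.partition(":")
        key = name.strip().lower()
        for header, pattern, repl in rules:
            if colon and key == header.lower():
                value = re.sub(pattern, repl, value)
        if key == "content-length":
            value = f" {len(body.encode())}"  # body length changed
        out.append(name + colon + value)
    return "\r\n".join(out) + "\r\n\r\n" + body

# Constructed sample INVITE, abbreviated (Via, From, Call-ID, CSeq omitted).
SDP = ("v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
       "m=audio 1046 RTP/AVP 0 8 18\r\na=rtpmap:0 PCMU/8000\r\n"
       "a=rtpmap:8 PCMA/8000\r\na=rtpmap:18 G729/8000\r\na=fmtp:18 annexb=no\r\n")
INVITE = ("INVITE sip:0044123456789@pbx.example.com SIP/2.0\r\n"
          "To: <sip:0044123456789@pbx.example.com>\r\nUser-Agent: ExamplePhone 1.2\r\n"
          f"Content-Type: application/sdp\r\nContent-Length: {len(SDP)}\r\n\r\n" + SDP)

if __name__ == "__main__":
    print(manipulate(INVITE, HEADER_RULES, preferred=["8", "0"]))
```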

Hosted NAT traversal (HNT)
• Problem: remote-user NAT traversal
  - Inbound VoIP/UC can't get through DSL/cable modem firewall / NAT
  - Home worker can't reconfigure FW/NAT
  - NAT-T techniques (STUN / TURN / ICE) are limited and vary widely by device: an IT support headache
• Solution: host NAT traversal in SBC
  - Standardizes NAT methodology
  - Proven solution: globally deployed
  - Scalable with very low latency
• Benefit: lower cost, complexity of deployment, support
  - No end-user action required
  - One centralized box to manage
  - One methodology for NAT traversal
[Diagram labels: Remote User, CPE NAT/FW messes up secure VoIP, Internet, Enterprise Data Centre, IPT, UC, CC]

QoS measurement & reporting
• Benefits
  - Enables real-time evaluation of network & route performance
  - Enables Enterprises to validate SLAs from their service providers
  - QoS based call admission control
• Capabilities
  - Per-flow statistics including jitter, packet loss, latency, byte and packet counters
  - Hardware based RTP/RTCP header inspection - no performance impact
  - Reported through call accounting interface (Radius) or via FTP
[Diagram labels: Segment A, Segment B]

IP Session Replication
• Benefit - reduces costs and decreases complexity
• Problem overcome - reduces the number of devices/interfaces involved in call capture and replication. SBC scales better than alternative methods
• Call recording servers (CRS) are provisioned per ingress realm
  - SBC replicates and forwards signaling and media
  - SBC load balances session across recording servers
[Diagram label: Avaya PBX ACM/ASM]

High Availability
• No loss of active sessions (media and signaling)
• Supports new calls
• 1:1 Active Standby architecture
• Failover for
  - Node failure, network failure, poor health, manual intervention
  - 40 ms failover time
• Checkpointing of configuration, media & signaling state
• Preserves CDRs on failover
• Shared virtual IP/MAC addresses
[Diagram: Active and Standby SD pair, with the Active unit failing (X). Callouts: New call; Find SD through DNS round-robin or configured proxy; All sessions stay up. Process new sessions immediately]


UC Reference Architecture
• Customer choice of complete local call processing intelligence in branch or if desired, no survivability
• Avaya Session Manager implements session routing for inter-branch and branch to HQ, manages centralized dial plan
• Mini Border Element provides secure access to distributed SIP trunking services for branch/remote locations
• SBC provides secure access to centralized SIP trunking services for HQ/regional centers
[Diagram labels: SIP Trunking Service, Remote clients, Internet, SIP, RTP, Analog, Digital, SIP PBX, ACM / DO, Router, PBX, Avaya SM, SIP Trunking Services, Branch Office, Avaya CM, HQ/Regional Data Center]

Avaya / Acme Packet Interop
• Acme Packet part of Avaya Development and SV models
  - Acme Packet equipment in Avaya R&D & Services labs
  - Avaya equipment in Acme Packet labs
• Formal Interop Testing and Documentation
  - DevConnect - Acme Packet is a Platinum partner
    • Peering and Access
      - ACM: NN4250 & NN4500 complete, NN3800 in progress
      - AVP/ICR: NN4250, NN4500 and NN3800 in progress
      - ASM: NN4250, NN4500 and NN3800 in progress
    • Online Application Notes and configuration guides
  - SITL will certify SIP trunks
    • Testing ongoing in NA, EMEA, CALA, and APAC

Acme Packet at a glance
• Session Border Control (SBC) category creator & leader with 50-60% market share, founded August 2000
• Top tier customers worldwide
  - 600+ customers in 92 countries
  - 29 of top 30, 89 of the top 100 service providers
• Market focus: enterprise, contact centre, and service provider
• Public company (NASDAQ: APKT) w/ strong revenue growth, profits & balance sheet
• 400+ employees in 25 countries, Burlington, MA headquarters
[Chart: Revenue ($M) by year, 2003-2008]
Healthy. Profitable. Leading. Growing
Acme Packet - company overview - Q3 2008

Competition
• Primary competitive threat: customer inertia
  - Ignorance of need for SBCs
  - IT security staffs must be educated
• Next-best threat: Cisco Unified Border Element (CUBE)
  - All software: small scale, low performance
  - Lacks DoS protection, advanced routing, high availability
  - Years behind on features and protocol support
  - Very limited non-Cisco product interoperability

Go-to-market strategy
• Channel focus in EMEA - over 60 people
  - Business and channel development provide commercial and technical support
  - Direct touch Sales and Engineering team directly supports opportunities
  - EMEA HQ in Madrid has training and lab facilities
  - Field systems engineering supports evaluations & trials, informal training
• Technical support - 24x7x365 from Burlington, MA, USA headquarters
  - Protocol and platform focus areas
  - Telephone hotline for critical problems
  - Web portal
• Training
  - Configuration and troubleshooting courses
  - Boston, Madrid, Moscow, or at customer site
    • English, French, German, Italian, Russian, Spanish, Dutch, Portuguese

Acme Packet helps close more Avaya business faster
• Minimize risk for migration to Avaya
  - Interworking and compliance / security / service quality
• Reduce cost and increases value of Avaya solution
  - Enables secure use of cost-effective SIP trunks
  - Supports Flatten Consolidate & Extend (FCE) model
• Provide a competitive advantage over Cisco
  - Superior SBC solution
  - Strong relationships with service providers
  - Prevent Cisco from getting more foothold

The Managed Services Opportunity
• Managed CPE SBCs enable multiple services to be safely delivered through SIP Trunks
  - IP Contact Centres
  - Unified Communications Services
  - IP PBX connectivity
• Business partner managed SBCs mean:
  - Annuity revenue
  - Account Control and opportunity to sell multiple services
  - Services Revenue Opportunity
Acme Packet confidential

Value proposition
The: Acme Packet SBC solutions
is for: Mid- to large-size enterprises and contact centres across all vertical markets and geographies
who need to: Connect to public/private SIP Trunk Services, and support Remote / Mobile Workers
in order to:
• Reduce cost
• Deliver business agility
• Secure loyal customers
• Meet regulatory compliance mandates

Acme Packet Contacts

EMEA
• Andreas Waechter, awaechter@acmepacket.com
• Margie Frasier, Channel Development Manager, mfrasier@acmepacket.com
• Geraint Evans, gevans@acmepacket.com
[Other titles and countries on the EMEA entries: Sales Director, Enterprise; Technical Director; Germany; Italy; UK]

HEADQUARTERS
• Relationship Manager: Neil Segall, nsegall@acmepacket.com
• Technical Director: Ray DeQuiroz, rdequiroz@acmepacket.com
• Chief Engineer: Mike Aglietti, maglietti@acmepacket.com
• Channel Development: Laurie Coppola, lcoppola@acmepacket.com
