EMEA TECHSHARE 2009 THE FUTURE BEGINS
Session Border Controllers
Connecting the IP World
Acme Packet and Avaya Lead The Way
April 9, 2009
Neil Segall, Business Development
Margie Frasier, Channel Development
Agenda
  Why should I care about SBCs?
  What is an SBC?
  Product Overview
  Working together
We are not Bugs Bunny!!
Beep Beep
Argh!~
Why should I care about SBCs?
  Reduce cost
  Deliver business agility
  Secure loyal customers
Market Trends
Service providers
  Making SIP value available to enterprises
  Relying on SBCs for peering and secure access
  Reselling or recommending CPE SBCs for security and interworking
Enterprises and contact centres
  Embracing converged voice/data for UC, CC, & CEBP
  Migrating increasingly to SIP
  Moving to SIP trunking for lower costs & power consumption
  Recognizing identity, trust and security as critical to UC success
  Dealing with interworking and regulatory concerns
Future of interactive communications?
The Internet
The Federnet
Federnet: The eight driving factors
1. In IP, we trust no one
2. Addresses will forever be a collection of heterogeneous schemes
3. SIP is not the only signaling protocol
4. Codecs will never converge to a couple - audio & video
5. Unlimited bandwidth, QoS and signaling resources will forever be a myth
6. Some sessions are more valuable than others
7. IP IC regulation will increase
8. Business models will never be homogenous
Next Generation Communications
[Diagram labels: Application; System Manager; Application Platform; MM; MX; VP; CM; Media Servers; Connection; Communication Manager Core; SM; TDM Trunks; PSTN; Providers; Outsourcers; Federated; SIP Trunks; Acme Packet SBC; Avaya one-X endpoints; Internet; Avaya CM Branch / Stand alone; Access; 3rd Party PBXs; 3rd Party endpoints; G860; Remote workers Over Internet]
Joint Value Proposition
Acme Packet SBCs augment Avaya solutions for UC and CC
  Defend SIP signaling elements against security threats, overloads
  Eliminate border signaling and many other interoperability issues
  Preserve session quality under load and adverse conditions
  Extend Avaya application reach across IP network borders
  Support regulatory compliance
Key Benefits
  Faster Avaya solutions deployment at lower risk and cost
  Safe use of cost-effective SIP trunks
  High-quality session delivery to workers across the enterprise
  Improves customers' options for customizing their networks
What is an SBC?
What is a Session Border Controller?
Session: real-time, interactive communications - voice, video & multimedia - using SIP, H.323, MGCP/NCS, H.248
Border: IP-IP network borders
  Interconnect/peering: between service providers
  Subscriber access: enterprise, residential or mobile services
  Data center: retail or wholesale services
  Enterprise: intra- & extra-enterprise
Control:
  Security
  Service reach maximization
  SLA assurance
  Revenue & cost optimization
  Regulatory compliance
[Diagram labels: PSTN; Large enterprise; Mobile services; Residential & business services; PSTN origination & termination; IP transit; IP contact center; Directory services; PSTN termination]
Why SBCs Instead of Firewalls?
Because traditional firewalls cannot:
  Prevent SIP-specific overload conditions and malicious attacks
  Open / close RTP media ports in sync with SIP signaling
  Track session state and provide uninterrupted service
  Perform interworking or security on encrypted sessions
  Scale to handle many 1000s of real-time sessions
  Provide carrier class availability
InfoSec deploy defence-in-depth model with application-level security proxies for email and web applications
Same model applies for IP telephony, UC and IP contact center applications
Acme Packet SBC secures & assures Avaya unified communications
1. SIP trunking border
2. Hosted services border
  Contact center, audio/video conferencing, IP Centrex, etc.
3. Internet border

Completes Avaya's cost effective end-to-end SIP architecture
  SIP trunking and border interworking
  Remote site & worker connectivity
  Reduced maintenance costs
Provides best-in-class VoIP & UC security
Integrated with Avaya Session Manager, Communication Manager and Voice Portal
Assures quality and high availability
  Disaster recovery and survivability
Helps achieve regulatory compliance
  Emergency calls, privacy, recording
[Diagram labels: Federated partners; To PSTN; APKT; Redundant data centers; UC, ASM, CC; Private network; H.323; SIP; Internet; Regional site; Remote site; HQ/campus; Nomadic/mobile user; Teleworker]
Product Overview
Acme Packet Products

Size    Deployment                    UC: # lines       CC: # agents    # sessions
Medium  Data Center / branch office   750-2,500         75-250          150-500
Medium  Data Center                   1,250-40,000      125-4,000       250-8,000
Large   Data Center                   5,000-80,000      500-8,000       1,000-16,000
Large   Data Center (w/transcoding)   20,000-360,000    2,000-36,000    4,000-72,000

Products: Net-Net 9200, Net-Net 4500, Net-Net 4250, Net-Net 3800
Net-SAFE Security Framework
SBC DoS/DDoS protection
  Protect against SBC DoS/DDoS attacks & overloads
Access control & VPN separation
  Dynamic, session-aware access control for signaling & media
  Support for L2 and L3 VPN services & traffic separation
Topology hiding & privacy
  Complete service infrastructure hiding & user privacy support
Viruses, malware & SPIT mitigation
  Deep packet inspection enables protection against malicious or annoying traffic
Encryption and Authentication
  TLS, IPSEC, SRTP
Monitoring and reporting
  Record attacks & attackers
  Provide audit trails
[Diagram labels: SBC DoS protection; Fraud prevention; Service infrastructure DoS prevention; Access control; Topology hiding & privacy; Viruses, malware & SPIT mitigation]
Dynamic ACLs and Hardware Based Security
All unauthorized traffic rejected by hardware authentication
Dropped at wire speed!!
HARDWARE BASED AUTH: Authorized traffic flows are based on:
  Source IP address/range
  Source IP port
  Protocol
  Destination IP address
  Destination IP port
  VLAN + Physical Port
Other authorizations at wire speed:
  DoS
  Blacklisted users rejected (matched on above flow definitions)
Software based SBCs cannot provide this!
[Diagram labels: NN-SD; Http Request: X, Unauthorized protocol or destination port; SIP Invite: X, Blacklisted User]
Signaling Based Security
Stateful awareness of SIP sessions allows for fine-tuned security measures a FW cannot provide:
SOFTWARE/SIGNALING BASED AUTHORIZATION: Authorized traffic flows can be based on:
  User Registration Status
  SIP packet format (Legal?)
  Filters based on SIP header content
  Source or Destination URI
  Traffic format
  Codec type
  Bandwidth or Session Admission Control
  Overload constraints (CPU and Next hop)
  Signaling rate limit
[Diagram (NN-SD):
  SIP Invite: X, Reject with 4xx Unauthorized. Unregistered Users (Rejected at SIP level)
  SIP Invite: X, Reject with 4xx Unauthorized. Next Hop Device (i.e. Avaya SM) constraints exceeded
  SIP Invite: Reject with 503 Unavailable (configurable response). Bandwidth Exceeds Allowed Limit]
Handling of Ports for Media
VoIP often requires a different media port per source for RTP flows
Net-Net SD dynamically opens ports for RTP/RTCP (media streams)
Secure latching
FW must keep ports open at all times

[Diagram: endpoint 10.0.0.1; Net-Net with 10.100.1.100, UDP ports 49152-65535 (Pool X), and 192.168.11.101, UDP ports 49152-65535 (Pool Y); endpoint 136.2.7.100]

INVITE, SDP c= (source): 10.0.0.1, port 1046
  Open media port from Pool Y. Remember mapping from 192.168.11.101 (Pool Y) to 10.0.0.1:1046
INVITE, SDP c= (source): 192.168.11.101, port 49152
200 OK, SDP c= (source): 136.2.7.100, port 4300
  Open a media port from Pool X. Remember mapping from 10.100.1.100 (Pool X) to 136.2.7.100:4300
200 OK, SDP c= (source): 10.100.1.100, port 49152
BYE / 200 OK
  Close media ports and remove from SBC cache
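
An added example (not from the original slides or from Acme Packet): a minimal Python model of the signaling-driven media pinholes in the call flow above, using the slide's addresses and ports. The class and method names and the SDP bodies are constructed for illustration; secure latching is not modelled.

```python
import re

class PinholeTable:
    """Media pinholes opened from SDP and closed on BYE (illustrative model, hypothetical names)."""
    def __init__(self, pools):
        # pools: name -> (SBC address on that side, first port, last port)
        self.pools = pools
        self.in_use = {name: set() for name in pools}
        self.sessions = {}  # Call-ID -> [(pool, sbc_port, peer_ip, peer_port)]

    def _allocate(self, pool):
        addr, first, last = self.pools[pool]
        for port in range(first, last + 1, 2):  # even port for RTP, port + 1 left for RTCP
            if port not in self.in_use[pool]:
                self.in_use[pool].add(port)
                return addr, port
        raise RuntimeError(f"media port pool {pool} exhausted")

    def relay_sdp(self, call_id, sdp, pool):
        """Rewrite c=/m=audio to an SBC port from `pool`; remember where it forwards."""
        conn = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
        media = re.search(r"^m=audio (\d+) ", sdp, re.M)
        if not conn or not media:
            raise ValueError("SDP has no usable c= or m=audio line")
        addr, port = self._allocate(pool)
        leg = (pool, port, conn.group(1), int(media.group(1)))
        self.sessions.setdefault(call_id, []).append(leg)
        sdp = re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {addr}", sdp, flags=re.M)
        return re.sub(r"^m=audio \d+ ", f"m=audio {port} ", sdp, flags=re.M)

    def forward_target(self, pool, sbc_port):
        """Destination for a packet arriving on (pool, sbc_port); None means no pinhole, drop."""
        for legs in self.sessions.values():
            for leg_pool, port, peer_ip, peer_port in legs:
                if (leg_pool, port) == (pool, sbc_port):
                    return peer_ip, peer_port
        return None

    def bye(self, call_id):
        """Dialog ended: close its pinholes and return the ports to their pools."""
        for pool, port, _, _ in self.sessions.pop(call_id, []):
            self.in_use[pool].discard(port)

# Constructed SDP bodies using the addresses and ports shown on the slide.
POOLS = {"X": ("10.100.1.100", 49152, 65535), "Y": ("192.168.11.101", 49152, 65535)}
OFFER = "v=0\r\nc=IN IP4 10.0.0.1\r\nm=audio 1046 RTP/AVP 0\r\n"     # caller's INVITE
ANSWER = "v=0\r\nc=IN IP4 136.2.7.100\r\nm=audio 4300 RTP/AVP 0\r\n"  # callee's 200 OK
```

Outside an active dialog `forward_target` returns None for every port, which is the contrast with a firewall that keeps the whole 49152-65535 range open.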
It's not just about security
Legacy data infrastructure is not enough
  Signalling protocol interworking
  Service reach maximization
  QoS / Accounting
  Session replication
  High availability
Header Manipulation Rules
Benefit: allows SBC to perform SIP header/parameter manipulation based on regular expressions
Problem overcome: interoperability issues, unique routing needs, protocol normalization and fix-up
Details
  Regular expression search and store capability
  Ability to do repetitive search and replace
  Boolean logic support
  Supports operations on MIME body, e.g. SDP
  Allows codec re-ordering & stripping
  Ability to insert information into Call Detail Record VSAs
  HMR for ISUP (conversion between any variation of SIP, SIP-I, SIP-T)
Hosted NAT traversal (HNT)
Problem: remote-user NAT traversal
  Inbound VoIP/UC can't get through DSL/cable modem firewall / NAT
  Home worker can't reconfigure FW/NAT
  NAT-T techniques (STUN / TURN / ICE) are limited and vary widely by device: an IT support headache
Solution: host NAT traversal in SBC
  Standardizes NAT methodology
  Proven solution: globally deployed
  Scalable with very low latency
Benefit: lower cost, complexity of deployment, support
  No end-user action required
  One centralized box to manage
  One methodology for NAT traversal
[Diagram labels: CPE NAT/FW messes up secure VoIP; Remote User; Internet; IPT; UC; CC; Enterprise Data Centre]
QoS measurement & reporting
Benefits
  Enables real-time evaluation of network & route performance
  Enables enterprises to validate SLAs from their service providers
  QoS based call admission control
Capabilities
  Per-flow statistics including jitter, latency, packet loss, byte and packet counters
  Hardware based RTP/RTCP header inspection: no performance impact
  Reported through call accounting interface (RADIUS) or via FTP
[Diagram labels: Segment A; Segment B]
IP Session Replication
Benefit: reduces costs and decreases complexity
Problem overcome: reduces the number of devices/interfaces involved in call capture and replication; SBC scales better than alternative methods
  Call recording servers (CRS) are provisioned per ingress realm
  SBC replicates and forwards signaling and media
  SBC load balances session across recording servers
[Diagram label: Avaya PBX ACM/ASM]
High Availability
  No loss of active sessions (media and signaling)
  Supports new calls
  1:1 Active Standby architecture
  Failover for node failure, network failure, poor health, manual intervention
  40 ms failover time
  Checkpointing of configuration, media & signaling state
  Preserves CDRs on failover
  Shared virtual IP/MAC addresses
[Diagram labels: sd0.co.jp, Active, 10.0.0.1, Standby; Find SD through DNS round-robin or configured proxy; sd0.fc.co.jp, Active, 10.0.0.1; New call; All sessions stay up. Process new sessions immediately]
Working together
UC Reference Architecture
[Diagram labels: SIP Trunking Service; Remote clients; Internet; SIP; RTP; Analog, Digital; PBX ACM / DO; PBX Router; PBX Avaya SM; SIP Trunking Services; Branch Office; PBX Avaya CM; HQ/Regional Data Center]
  Customer choice of complete local call processing intelligence in branch or if desired, no survivability
  Avaya Session Manager implements session routing for inter-branch and branch to HQ; manages centralized dial plan
  Mini Border Element provides secure access to distributed SIP trunking services for branch/remote locations
  SBC provides secure access to centralized SIP trunking services for HQ/regional centers
Avaya / Acme Packet Interop
Acme Packet part of Avaya Development and SV models
Acme Packet equipment in Avaya R&D & Services labs
Avaya equipment in Acme Packet labs
Formal Interop Testing and Documentation
DevConnect - Acme Packet is a Platinum partner
Peering and Access
  ACM: NN4250 & NN4500 complete, NN3800 in progress
  ASM: NN4250, NN4500 and NN3800 in progress
  AVP/ICR: NN4250, NN4500 and NN3800 in progress
Online Application Notes and configuration guides
SITL will certify SIP trunks
Testing ongoing in NA, CALA, EMEA, and APAC
Acme Packet at a glance
Session Border Control (SBC) category creator & leader with 50-60% market share, founded August 2000
Top tier customers worldwide
  600+ customers in 92 countries
  29 of top 30, 89 of the top 100 service providers
Market focus: enterprise, contact centre, and service provider
400+ employees in 25 countries, Burlington, MA headquarters
Public company (NASDAQ: APKT) w/ strong revenue growth, profits & balance sheet
Healthy, Profitable, Leading, Growing

Revenue ($M)
2003  $3.3
2004  $16.0
2005  $36.1
2006  $84.1
2007  $113.1
2008  $116.4

Acme Packet - company overview Q3 2008
Competition
Primary competitive threat: customer inertia
  Ignorance of need for SBCs
  IT security staffs must be educated
Next-best threat: Cisco Unified Border Element (CUBE)
  All software: small scale, low performance
  Lacks DoS protection, advanced routing, high availability
  Years behind on features and protocol support
  Very limited non-Cisco product interoperability
Go-to-market strategy
Channel focus in EMEA - over 60 people
  Business and channel development provide commercial and technical support
  Direct touch Sales and Engineering team directly supports opportunities
  EMEA HQ in Madrid has training and lab facilities
  Field systems engineering supports evaluations & trials, informal training
Technical support - 24x7x365 from Burlington, MA, USA headquarters
  Protocol and platform focus areas
  Telephone hotline for critical problems
  Web portal
Training
  Configuration and troubleshooting courses
  Boston, Madrid, Moscow, or at customer site
  English, Spanish, Italian, French, German, Russian, Dutch, Portuguese
Acme Packet helps close more Avaya business faster
Minimize risk for migration to Avaya
  Interworking and compliance / security / service quality
Reduce cost and increases value of Avaya solution
  Enables secure use of cost-effective SIP trunks
  Supports Flatten Consolidate & Extend (FCE) model
Provide a competitive advantage over Cisco
  Superior SBC solution
  Strong relationships with service providers
  Prevent Cisco from getting more foothold
The Managed Services Opportunity
Managed CPE SBCs enable multiple services to be safely delivered through SIP Trunks
  IP Contact Centres
  Unified Communications Services
  IP PBX connectivity
Business partner managed SBCs mean:
  Annuity revenue
  Account Control and opportunity to sell multiple services
  Services Revenue Opportunity
Acme Packet confidential
Value proposition
The: Acme Packet SBC solutions
is for: Mid- to large-size enterprises and contact centres across all vertical markets and geographies
who need to: Connect to public/private SIP Trunk Services, and support Remote / Mobile Workers
in order to:
  Reduce cost
  Deliver business agility
  Secure loyal customers
  Meet regulatory compliance mandates
Acme Packet Contacts - EMEA
  Andreas Waechter, Sales Director, Enterprise, awaechter@acmepacket.com (Germany)
  Margie Frasier, Channel Development Manager, mfrasier@acmepacket.com (Italy)
  Geraint Evans, Technical Director, gevans@acmepacket.com (UK)
HEADQUARTERS
  Relationship Manager: Neil Segall, nsegall@acmepacket.com
  Technical Director: Ray DeQuiroz, rdequiroz@acmepacket.com
  Chief Engineer: Mike Aglietti, maglietti@acmepacket.com
  Channel Development: Laurie Coppola, lcoppola@acmepacket.com