Intertex Data AB, Sweden


Mobility: Connecting Remote Workers
TeliaSonera SIP Trunking Deployment
Prepared for:
Ingate Systems 3 Day Seminar
Unified Communications:
SIP Trunking, Video, Collaboration and More
ITEXPO Conference, Austin, September 2011
By:
Karl Erik Ståhl
President Intertex Data AB
CEO and Chairman Ingate Systems AB
[email protected]
Also see Live Demo Presentation from ITEXPO SIP Trunking Summit Miami, February 2011!
http://www.ingate.com/files/ITEXPO_Miami_2011_Presentations/Intertex%20-%20UC%20Across%20the%20Borders.pps
© 2011 Intertex Data AB
What are Mobility and Remote Users?
2 slides from Live Demo Presentation from ITEXPO SIP Trunking Summit Miami, February 2011!
http://www.ingate.com/files/ITEXPO_Miami_2011_Presentations/Intertex%20-%20UC%20Across%20the%20Borders.pps
We certainly want our home workers connected to the company PBX
And the same goes for our road warriors
• at the hotel
• at public WiFi
All should have all PBX services
• Reached by extension number or DID
• Place PSTN calls (displaying correct CallerID)
• Voice mail, conferencing etc.
• Presence, IM, video if supported by the PBX
Call me on my Swedish office number +46 8 12345629 now!
© 2011 Intertex Data and Ingate Systems
[Diagram: live demo topology. Three sites joined over the Internet and the PSTN: Japan; US, Miami (THIS LAN, SIP Trunk-UC Summit); Sweden with the INGATE LAN (ingate.com) and the INTERTEX LAN (intertex.se). SIP Trunk Provider 1 and SIP Trunk Provider 2 connect through SIP/PSTN gateways; a CELL/3G path is also drawn.]
We Saw Mobility and Beyond POTS
Ordinary phone calls reach my laptop across the Ocean!
I can also:
 Call Sophie in another domain (federate)
 … even with Video
 … even though she is also remote from the Ingate office (actually she is in the room.)
 … with media going the shortest way (here on the LAN) while signaling goes back to Sweden!
I can use extension number as connected to the home PBX
And I see presence and can put calls into conference…
We Saw Mobility and Beyond POTS
 All other PBX functionality also works remotely, e.g. IM (Instant Messaging)
And voice mail comes via email, and can be played by a click here.
But Why are NATs and Firewalls Such Obstacles?
Typical Internet protocols (SMTP, HTTP…) connect a HOST to a SERVER across the Internet.
SIP (and H.323…) connects Person-to-Person across the Internet:
Locate the person + Set up a session + Open real time media streams
SIP Does It! – But a Very General Solution is Required
[Diagram: a Remote User on the Public Internet, DNS, the SIP Trunking Provider and the PSTN all reach the Intertex IX78 E-SBC, which sits in front of the Data & VoIP LAN with the IP-PBX, Soft Clients and Multimedia Terminals (the SIP System).]
The SIP Proxy in the E-SBC forwards and rewrites the SIP signaling and controls media through its NAT/Firewall.
And there May be More to Consider (Telia Network)…
The remote user is often behind a remote NAT/FW – SIP Traversal needed. Far End NAT Traversal (FENT) can be enabled in the IX78 E-SBC.
SIP on different WAN pipes must be handled: TR-069, VoIP, IP-TV, IMS, VoD and the SIP Trunk arrive on VLANs or ADSL Virtual Circuits.
[Diagram: Remote User behind NAT/FW on the Internet; the IX78 E-SBC between the WAN pipes and The Multimedia LAN with IPPBX, WiFi and PDA.]
IX78 E-SBC is a SIP Proxy based Firewall Controlling SIP Signaling and Media
Remote Users Require More Security Measures
Remote users to the PBX can be authenticated by the IX78 (also)
Brute Force Attack Protection
Attackers are nowadays trying to find simple passwords by brute force testing. 10 – 100 trials/second have been seen (e.g. SipVicious / friendly-scanner). After 3 trials we pretend all attempts are wrong, so the correct one is never found.
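As an added example (not from the slides and not Intertex/Ingate code), the policy on this slide expressed as a REGISTER authentication guard in Python: SIP Digest responses are checked against stored HA1 values, and once a source address has failed three times every later attempt from it is answered as wrong, whether or not the response is correct. The realm, the credentials, the nonce and the 600-second lock expiry are assumptions; the slide does not say how or when a lock is lifted.

```python
"""Constructed example of a per-source lockout for SIP REGISTER authentication.
Not Intertex/Ingate code; realm, credentials and lock expiry are assumptions."""
import hashlib
import hmac
from collections import defaultdict

REALM = "pbx.example.invalid"   # constructed realm
MAX_TRIALS = 3                  # from the slide: after 3 trials, pretend all attempts are wrong
LOCKOUT_SECONDS = 600           # assumption: the slide does not say when a lock expires


def md5_hex(text: str) -> str:
    # SIP Digest authentication (RFC 3261) computes these intermediate values with MD5.
    return hashlib.md5(text.encode()).hexdigest()


def make_ha1(user: str, password: str) -> str:
    return md5_hex(f"{user}:{REALM}:{password}")


def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def client_response(user: str, password: str, nonce: str) -> str:
    """What a SIP client puts in the Authorization 'response' of its REGISTER."""
    return digest_response(make_ha1(user, password), nonce, "REGISTER", f"sip:{REALM}")


# Constructed credential store: the server keeps HA1 values, never clear passwords.
HA1_STORE = {
    "2001": make_ha1("2001", "correct-horse-battery"),
    "2002": make_ha1("2002", "another-long-passphrase"),
}
# Used for unknown users so that the work done (and the time taken) is the same.
DUMMY_HA1 = make_ha1("nobody", "unused")


class RegisterGuard:
    def __init__(self, max_trials: int = MAX_TRIALS, lockout_seconds: float = LOCKOUT_SECONDS):
        self.max_trials = max_trials
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)   # source_ip -> consecutive failed trials
        self.locked_until = {}             # source_ip -> time at which the lock lapses

    def verify(self, source_ip: str, user: str, nonce: str, response: str, now: float) -> bool:
        """True only if the digest is right AND the source is not locked out."""
        lock = self.locked_until.get(source_ip)
        if lock is not None:
            if now < lock:
                return False               # locked: a correct response is still rejected
            del self.locked_until[source_ip]
            self.failures[source_ip] = 0
        expected = digest_response(HA1_STORE.get(user, DUMMY_HA1), nonce,
                                   "REGISTER", f"sip:{REALM}")
        if hmac.compare_digest(expected, response) and user in HA1_STORE:
            self.failures[source_ip] = 0
            return True
        self.failures[source_ip] += 1
        if self.failures[source_ip] >= self.max_trials:
            self.locked_until[source_ip] = now + self.lockout_seconds
        return False


if __name__ == "__main__":
    # Constructed scenario: three wrong guesses, then the right password from the same source.
    guard = RegisterGuard()
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    attacker = "203.0.113.9"
    for guess in ("1234", "2001", "password"):
        print("guess", guess, "->", guard.verify(attacker, "2001", nonce,
                                                 client_response("2001", guess, nonce), now=1.0))
    right = client_response("2001", "correct-horse-battery", nonce)
    print("correct password after lock ->", guard.verify(attacker, "2001", nonce, right, now=2.0))
```

The lock is keyed on the source address because a scanner usually walks many extensions from one host. The flip side is that a legitimate office behind one NAT address shares that key, so a deployment would log every lock event and decide per site whether to key on address, on user, or on both.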
…in Addition to e.g. Preventing SIP DoS Attack
 Signature Recognition
If the internal SIP proxy detects known signatures in SIP headers from attackers, it instructs the internal firewall to block the attacking IP address. New signatures can be added manually or provisioned automatically.
 SIP Rate Limiting:
If there are more than 20 SIP packets/second from the same IP address, the internal firewall blocks that IP address for 20 seconds and does not respond to that IP address until the SIP packet rate is below 3 packets/second.
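Both controls on this slide, as an added Python example (not from the slides and not Intertex/Ingate code): a per-source filter that drops packets carrying a known header signature, and a sliding-window rate limiter that uses the slide's figures (block above 20 packets/second, hold the block for 20 seconds, then release only once the rate is below 3 packets/second). The signature list is an assumption built from the scanner named on the previous slide; the sample traffic is constructed.

```python
"""Constructed example of signature blocking plus SIP rate limiting per source IP.
Not Intertex/Ingate code; the signature list and sample traffic are assumptions."""
from collections import defaultdict, deque

RATE_TRIGGER = 20      # from the slide: more than 20 packets/second triggers a block
BLOCK_SECONDS = 20     # from the slide: the block lasts 20 seconds
RELEASE_RATE = 3       # from the slide: respond again only once the rate is below 3/second
# Assumption: the slide lists no signatures; these are User-Agent substrings of the
# scanner named on the previous slide, matched case-insensitively.
KNOWN_SIGNATURES = ("friendly-scanner", "sipvicious")


class SipEdgeFilter:
    def __init__(self):
        self.window = defaultdict(deque)   # ip -> arrival times within the trailing second
        self.blocked_until = {}            # ip -> time at which the 20 s block lapses
        self.signature_blocked = set()     # ips dropped after a signature hit

    def _rate(self, ip, now):
        q = self.window[ip]
        q.append(now)
        while q and now - q[0] >= 1.0:
            q.popleft()
        return len(q)                      # packets seen in the last one second

    def accept(self, ip, now, headers=None):
        """True if the packet is passed to the SIP proxy, False if dropped silently."""
        headers = headers or {}
        if ip in self.signature_blocked:
            return False
        ua = headers.get("User-Agent", "").lower()
        if any(sig in ua for sig in KNOWN_SIGNATURES):
            self.signature_blocked.add(ip)
            return False
        rate = self._rate(ip, now)         # dropped packets still count toward the rate
        lock = self.blocked_until.get(ip)
        if lock is not None:
            if now < lock or rate >= RELEASE_RATE:
                return False               # timer running, or source still hammering
            del self.blocked_until[ip]
            return True
        if rate > RATE_TRIGGER:
            self.blocked_until[ip] = now + BLOCK_SECONDS
            return False
        return True


def run(events):
    """Feed (time, ip, headers) events through one filter and return the decisions."""
    f = SipEdgeFilter()
    return [f.accept(ip, t, headers) for t, ip, headers in events]


if __name__ == "__main__":
    # Constructed traffic: a 25-packet burst in half a second, a probe while blocked,
    # a scanner with a recognisable User-Agent and one ordinary phone.
    events = [(i * 0.02, "203.0.113.5", {}) for i in range(25)]
    events += [(5.0, "203.0.113.5", {}), (22.0, "203.0.113.5", {})]
    events += [(0.0, "198.51.100.7", {"User-Agent": "friendly-scanner"}),
               (0.0, "192.0.2.10", {"User-Agent": "Acme Phone/1.0"})]
    for (t, ip, _), ok in zip(events, run(events)):
        print(f"t={t:5.2f} {ip:14} {'pass' if ok else 'drop'}")
```

Dropped packets are deliberately still counted in the window: that is what lets the filter keep silent while a source is still sending faster than the release rate after the 20-second timer, which is the behaviour the slide describes.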
Different Types of PBXs are SIP Trunked
A Good E-SBC Should Provide:
1) NAT/Firewall Traversal – Must NAT to same address space!
2) Basic SIP and Network Interoperability – E.g. Authentication, Registrations, UDP/TLS/TCP, Dynamic IP address, etc.
3) SIP Repair – E.g. Call Transfer, Fragmented packets, Bugs, etc.
4) Features – E.g. Remote Users, Administration (remote and local)
5) Security – LAN/PBX/VoIP network protection, Service attack protection
[Diagram: the PSTN and the SIP Trunking Provider Network deliver the SIP Trunk to the IX78, which provides 1) 2) 3) 4) 5) for the SIP System behind it. Three PBX types are drawn with their Signaling and Media paths: PBX Type 1, PBX Type 1.5 and PBX Type 2; the IPPBX types themselves cover 2) 3) 4) 5).]
PBX with system phones (Data LAN only): but they may not have SIP phones...
IPPBX (VoIP & Data LAN): Few PBXs are of this type. Asterisk with firewall (IPtables/NETfilter) can be compiled and configured this way, but requires a lot.
IPPBX with SIP Trunk Interface (VoIP & Data LAN): Modern IP-PBXs are of this type. Media goes directly between phone and SIP Trunk.
Remote Users Supported
 If the PBX uses SIP compliant phones
• IX78 E-SBC set up to forward incoming SIP to the PBX
• Can use WAN IP address or domain name in the SIP address.
• The E-SBC can authenticate the users
• Remote users should preferably also be behind an Intertex/Ingate E-SBC for automatic NAT/Firewall traversal
 If the remote user is behind an ordinary NAT/Firewall (non SIP aware), FENT (Far End NAT Traversal) can be enabled in the IX78 E-SBC
 If non-SIP IP phones are used, the PBX vendor may have some tunneling solution for remote workers
• The IX78 not involved
 Standard SIP phones (local or remote) can also be registered directly to the IX78 E-SBC
• Directly ready for remote users
• The E-SBC will authenticate the users
• Extension numbers can be integrated
• Not all PBX features will be available to such phones
SIP Clients Can be Registered Directly to the IX78 E-SBC
There are many PBXs out there that do not allow Soft Clients, Remote Users or Standard SIP Phones.
[Diagram: the IX78 E-SBC acting as Registrar for Remote Users, a Soft Client and a WiFi Mobile, in front of a PBX with non-SIP phones.]
E-SBCs & SIP Capable Firewalls
See us at ITEXPO Room 9C!
Intertex Data AB
www.intertex.se
Rissneleden 45
SE-174 44 Sundbyberg
Sweden
Tel: +46 8 6282828
Ingate Systems Inc.
www.ingate.com
7 Farley Road
Hollis, NH 03049
United States
Ph: +1 (603) 883-6569
Tel sv: +46 8 6007750
Ordinary Voice IADs – Good for Telephony Replication…
Telephone ports (FXS) on the CPE are a popular way to deploy IP telephony. By logically placing the SIP clients on the outside of the NAT/Firewall, unreliable work-around methods like STUN, TURN and ICE become unnecessary. However, this only gives POTS replication, often even stopping general SIP based services!
The 5060 SIP-port is just grabbed on the outside to the FXS ports!
Lower level SIP ALGs often cause problems and do not handle more than basic scenarios.
Often problems with, or total lack of:
• SIP to the LAN or WiFi
• Calls between SIP clients on LAN
• Calls between internal ATA ports and LAN clients
• Call transfers, 3-party calls, etc.
• Using SIP generally over the Internet (Operator “took all the SIP”)
(Users must not be deprived of general SIP-functionality!)
Our CPEs are SIP Capable NAT/Router/Firewalls
[Diagram: IMS and the Internet on the WAN side, SIP passing through the Intertex CPE to the LAN.]
No battery draining of WiFi mobile phones, otherwise caused by keep-alive packets* inhibiting sleep mode.
* Work-around methods for SIP NAT-traversal like STUN, TURN, ICE and Far End NAT Traversal use frequent keep-alive packets to keep holes in the NAT/Firewall open.
 Problems solved where they occur
 Wired or wireless SIP clients (phones, soft clients, PDAs)
 No special requirements on the SIP Client – Just standard SIP
All Intertex CPEs have a SIP Proxy based SIP aware Firewall/NAT
 General, can handle complex call scenarios and all SIP services
 Additional functionality available (SIP server, PBX functionality etc.)