SBCs vs Firewalls

Download Report

Transcript SBCs vs Firewalls

The leader
in session border control
for trusted, first class
interactive communications
Comparison of SBCs
to SIP firewall/ALGs
Summary comparison:
SBCs vs. Firewalls with SIP ALGs
SBC
Firewall with SIP ALG
Back-to-back user agent
Maintains single session
– Fully state-aware at
layers 2-7
– Fully state-aware at
layers 3 & 4 only
– Inspects and modifies any
application layer header info
(SIP, SDP, etc.)
– Inspects and modifies only
application layer addresses
(SIP, SDP, etc.)
– Can terminate, initiate,
re-initiate signaling & SDP
– Unable to terminate, initiate,
re-initiate signaling & SDP
– Static & dynamic ACLs
– Static ACLs only
Data center
SIP trunking
Data center
IP PBX
UC server
SIP trunking
Acme Packet
IP PBX
UC server
3
SBC vs. firewall w/ SIP ALG comparison
Security scenarios
Use case
scenario
SBC/FW
DoS/DDoS
self-protection
Business challenge
Technical requirements
Prevent malicious or
non-malicious SIP
signaling or media
attacks & overloads
from making the SBC
or FW non-responsive
* Dynamically block attacks
* Detect/reject non-compliant
*
*
Network abuse
control
Prevent unauthorized
or fraudulent network
usage
(signaling, protocol, traffic
levels) SIP sessions
Initiate SIP BYEs to tear
down core-side sessions
Statefully control legitimate
SIP registrations during
overloads
SBC
FW w/
ALG

* Control number & bandwidth
*
*
of simultaneous sessions
Strip unauthorized codecs
from SDP headers
Scan SIP header
attachments for
unauthorized content
Acme Packet

4
SBC vs. firewall w/ SIP ALG comparison
Application reach, regulatory scenarios
Use case
scenario
IP PBX and
UC protocol
interworking
Business challenge
Technical requirements
Translate dissimilar
signaling (SIP, H.323),
transport (UDP, TCP,
SCTP) & encryption
(none, TLS, SRTP,
IPsec)
* Terminate SIP sessions
Enable users behind
Remote site
NAT traversal FW/NATs to originate
*
* Keep FW pinholes open by
resetting SIP registration
interval to less than FW
port TTL and caching SIP
registrations by FW IP/port
and receive VoIP calls
and UC sessions
Session
replication
for recording
Comply with regulatory
requirements and
maximize customer
service quality
and translate layer 2-7
protocol information
Fix protocol anomalies &
inconsistencies
SBC
FW w/
ALG


* Replicate all SIP signaling
*
and media to recording
server(s) in addition to
intended recipient
Replicate selective or all
sessions
Acme Packet

5
SBC vs. firewall w/ SIP ALG comparison
Availability scenarios
Use case
scenario
Data center
disaster
recovery
Business challenge
Technical requirements
Assure constant service
availability and quality
* Network SBC – detect
*
Remote site
survivability
Provide alternative path
for VoIP/UC traffic when
primary path becomes
unavailable
Ensure no loss of active
sessions or session state
during failover
FW w/
ALG

* Monitor link and routing
*
High
availability
operation
failure of datacenter SIP
session agents and reroute SIP sessions
Datacenter SBC – translate
phone numbers in SIP
headers for SIP trunk
geo-redundancy
SBC
state of upstream router &
SIP registration state of
remote IP PBX/UC server
Re-route SIP signaling and
media to alternative
trunking provider, PSTN
media gateway or Internet
* Checkpointing of SIP
signaling, media and
configuration state between
active & standby elements
Acme Packet


6
SBC vs. firewall w/ SIP ALG comparison
SLA assurance scenarios
Use case scenario
QoE-based
routing
Business
challenge
Technical requirements
Maximize voice
quality and reliability
of services and
applications
Ensure continuous
service availability
and quality, even
under adverse traffic
loads and/or attack
FW w/
ALG
* Actively monitor voice QoS
*
*
IP PBX/UC
server session
admission &
overload control
SBC
thresholds and ASR
Re-route or redistribute
traffic as needed
Release media within
access network to optimize
quality
* Dynamically monitor server
status and control SIP
signaling flows to IP
PBX/UC servers accordingly
Acme Packet


7
The leader
in session border control
for trusted, first class
interactive communications