Avaya SBCE: SIP Trunking Architecture
Download
Report
Transcript Avaya SBCE: SIP Trunking Architecture
What does an SBC do?
Carrier SBC’s
SP Network
Enterprise Network
IP PBX
FW
Intranet
Carrier SBC
Carrier SBC
•
•
•
•
•
•
•
•
Historically designed to sit at the SP’s edge to protect the carrier.
Complex to use command-line devices
Provides a distinct separation between networks while providing a means of
transporting signaling and media
Perform topology hiding for the SP
Tracking calls (CDR) for billing
Act as a Network Address Translator (NAT) for the SP
Provides admission control to limit calls from customer (and insure SLA)
Protocol Internetworking for H.323 and SIP
© 2012 Avaya Inc. All rights reserved.
11/26/2012
2
Enterprise SBC
Mobile Users,
Telecommuters
Enterprise Network
IP PBX
DMZ
Internal
FW
Avaya External
SBCE FW/NAT
Intranet
Avaya SBCE
Encryption
• TLS proxy
• SRTP proxy
Enablement
• FW / NAT traversal
• Call admission control
• Signaling and media firewall
© 2012
2012 Avaya,
Avaya Inc.
©
Inc.All
Allrights
Rightsreserved.
Reserved.
SRTP/
RTP
Remote Worker
Internet
SIP Trunking
Security
• Floods and fuzzing prevention
• Spoofing prevention (fingerprint verification)
• Media anomaly prevention
• Stealth attack prevention
• Tollfraud Prevention
Anti-spam
• Whitelist/Blacklist
• Behavior learning
06/01/2012
3
Avaya SBCE: SIP Trunking Architecture
Use Case: SIP Trunking to Carrier
Carrier offering SIP trunks as lower-cost alternative to TDM
Heavy driver for Enterprise adoption of SBC
Support Aura, IPO and CS1K
From a SECURITY Stand Point, it is recommended the SBCE be in the DMZ
CS1000
Enterprise
Internet
DMZ
Firewall
Firewall
Avaya
SBCE
SIP Trunks
Carrier
Carrier SIP trunks to the Avaya Session Border Controller for Enterprise
Avaya SBCE is located in a DMZ behind the Enterprise firewall
Services: security and demarcation device between the IP-PBX and the Carrier
− NAT traversal,
− Securely anchors signaling and media, and can
− Normalize SIP protocol
© 2012 Avaya Inc. All rights reserved.
4
NAT Traversal
SBC External IP
Address
192.168.45.4
IP PBX
Enterprise
FW IP Address
96.54.23.10
Internet or Provider
Network
• At a basic level think of it this way: If the SBC sends an INVITE
message to the carrier, can the carrier reply and reach IP address
192.168.45.4? No.
• The SBC facilitates NAT Traversal by making sure all signaling
messages have a REACHABLE return address. In this example, the
INVITE would have a source address of 96.54.23.10.
• When a reply is sent it reaches the firewall which forwards to external
IP Address.
© 2012 Avaya Inc. All rights reserved.
5
Understanding Toll Fraud
Toll fraud can only be prevented by a holistic approach
involving best practice configuration of many elements in
a UC environment.
Examples include:
– Customized tuning of SBC to set intelligent call thresholds
for outbound and inbound traffic (based on time of day for
optimal fine-tuning)
– Enable short-call toll fraud duration
– Limit international calls to only valid destinations for
needed countries
© 2012 Avaya Inc. All rights reserved.
6
DoS and Toll Fraud Protection
Single Source DoS
Any type of DoS attack that is
directed against one or more
enterprise endpoints that originate
from a single source (normally
spoofed).
Stealth DoS/DDoS
A type of low‐volume DoS attack
that is directed against an endpoint
where the source of the call is
constantly changed.
Call Walking
A type of DoS attack whereby serial
calls originating from a single
source (normally spoofed) are
directed against a sequential group
of end‐points.
Toll Fraud
Refers to internal or external users
using the corporate phone system
to place unauthorized toll calls.
Phone DoS/DDoS
A type of DoS attack that is directed
against a single enterprise
end‐point.
© 2012 Avaya Inc. All rights reserved.
7
DoS and Toll Fraud Protection
DoS settings can be customized
Time-of-Day can be used to refine DoS settings
Specific protection exist for ‘Short Duration Toll Fraud’ as
well:
– Short call duration toll fraud is where a large number of
short calls (less than 1-2 seconds) are made to make
money on the ‘connect’ fees.
© 2012 Avaya Inc. All rights reserved.
8
© 2012 Avaya Inc. All rights reserved.
9
© 2012 Avaya Inc. All rights reserved.
10
Avaya SBCE: Remote Worker Architecture
Use Case: Remote Worker
Extend UC to SIP users remote to the Enterprise
Solution not requiring VPN for UC/CC SIP endpoints
From a SECURITY Stand Point, it is recommended the SBCE be in the DMZ
Enterprise
Internet
DMZ
Firewall
Firewall
Avaya
SBCE
Remote Workers
Remote Worker are external to the Enterprise firewall
Avaya Session Border Controller for Enterprise
− Authenticate SIP-based users/clients to the enterprise
− Securely proxy registrations and client device provisioning
− Securely manage communications without requiring a VPN
© 2012 Avaya Inc. All rights reserved.
11
Remote Worker: VPN vs VPNless Endpoints
VPN Endpoint
VPNless Endpoint
VPN Headers add additional
size to traffic. In aggregate
reduces bandwidth.
TLS/SRTP encrypts the
traffic with a smaller
bandwidth footprint than
VPN
Signaling and media are
unencrypted at the SBC
and inspected at Layer 7 to
validate the traffic before it
is allowed through
Numerous policies allow
Enterprise control of
endpoints.
Consistent user experience
for applications
Encrypts traffic, yet does not
validate it. (Encrypting and
distributing a virus isn’t helpful)
No ability at VPN head-end to
distinguish between voice and
data traffic. Ultimately voice
quality suffers.
Cumbersome user experience
for real-time communication
application
© 2012 Avaya Inc. All rights reserved.
12
Call Servers
For SIP Trunking, an accepted architecture is:
– Call Server + SBC
– Call Server + SM + SBC
A valid call server is
– CS1k 7.5
– CM 5.2.1
– IPO 8.x
Session Manager is NOT required
for SIP Trunking
SM must be 6.x
For SIP Trunking if these basic requirements are not met there is no opportunity
with this customer UNTIL these elements are there.
© 2012 Avaya Inc. All rights reserved.
13
Avaya SBCE 4.0.5 and 6.2 Interoperability Matrix
Platform
All Tests performed in the SIL Labs
No SM
SM 6.1
SM 6.2
CS1K R7.5
R4.0.5/R6.2
R4.0.5/R6.2
R4.0.5/R6.2
IPO R8.0
R4.0.5/R6.2
NA
NA
CM R5.2.1
R4.0.5/R6.2
R4.0.5/R6.2
R4.0.5/R6.2
CM 6.0.1
R4.0.5/R6.2
R4.0.5/R6.2
NA
CM R6.2
R4.0.5/R6.2
R4.0.5/R6.2
R4.0.5/R6.2
Supported - Tested
NA
Not Supproted or Tested.
© 2012 Avaya Inc. All rights reserved.
14
IPO 8.x
ONLY supports SIP Trunking
ONLY certified with AT&T at the moment
A generic app note is in the works to accommodate
additional carriers
© 2012 Avaya Inc. All rights reserved.
15
Carriers Tested as of November 10th, 2013.
Alestra
AT&T
AT&T Puerto Rico
Belgacom
Bell Canada
Broad-Connect
Broadview
BT Global Services
BT HIPCOM
BT Italia
BT Wholesale
Cable & Wireless
CenturyLink
© 2012 Avaya Inc. All rights reserved.
Colt
Etisalat
Fastweb SPA
Frontier
Gamma
IntelePeer
KPN
Level 3
MTSAllStream
PAETEC
Phonect
QSC
Sprint
Swisscom
Tele2
Telefonica del Peru
Telenor
Teliasonera
TELUS
T-Mobile NL
UPC
Vamoin1/KPN
Verizon Business
Virgin Media
Vodafone DE
Vodafone NL
VoicePulse
Windstream
Worldnet P. Rico
XO
Find App Notes Here:
https://devconnect.avaya.com/public/dyn/d_dyn.jsp?fn=103
16
SIP Trunking Qualification
Must include supported call servers (CS1, CM, SM, IPO)
Must be explicitly tested with that given configuration
with the carrier.
– Example: If CMSBC->Service Provider ‘A’ is tested, that
does NOT mean CMSM->Service Provider “A’ is tested.
Make sure the specific configuration is documented with an
App Note.
– If the architecture is valid, but it is not tested, then escalate
through Jack Rynes
© 2012 Avaya Inc. All rights reserved.
17
SIP Trunking with AACC
AACC – If this is a basic SIP Trunking deployment
involving:
Service Provider - SBC SMCM
There may be a valid solution for the SBC but all call flows
should be vetted with the CSE’s.
© 2012 Avaya Inc. All rights reserved.
18
SIP Trunking with Call Center Elite
CC Elite – If this is a basic SIP Trunking deployment
involving:
Service Provider - SBC SMCM
-andAvaya Experience Portal is NOT part of the call flow
There may be a valid solution for the SBC but all call flows
should be vetted with the CSE’s.
© 2012 Avaya Inc. All rights reserved.
19
Avaya SBCE Key Features
The Unique Avaya Solution for
UC Application Security
Authenticated
Endpoints
Allow supporting protocols
with full NAT
Enterprise
Remote
Giving you
Full Features
Avaya Session Manager (SIP)
Enterprise DMZ
Firewalls
Internal Phone (RTP)
Intranet
Encrypted
Sessions
Remote NAT &
Firewall
Internet
Avaya SBCAE
Remote Phone Configuration (HTTPS)
Certificate Authority (SCEP)
Security
UC Policy, Access control, & Authentication
Privacy (encryption) with TLS, SRTP
UC Threat protection
Personal Profile Manager (SOAP)
Directory Server (LDAP)
Comprehensive Services
Directory, Web applications, Login profiles
Web Server (HTTP)
Presence and IM (XMPP)
© 2012 Avaya Inc. All rights reserved.
Hi
Remote Management
Configuration management,
Certificate, PKI management
21
ASBCE 6.2 System Capacity
Capacity in Simultaneous Sessions
Max Capacity
W/out Encrypt
HA
2000
SA
2000
SA
500
Portwell CAD-0208
Session Border Controller
capacities are rated in
Simultaneous Sessions
– A simultaneous session =
Max Capacity
a communication session
With Encrypt
between 2 SIP endpoints
– Can think of it as
1000
analogous to a DSO in the
‘old world’
– Key for engineering is to
1000
understand the numbers
of sessions required in the
solution
250
‘Rules of Thumb’
•SIP trunking usually 5 users per ‘SS’
• Must account for higher ratio in small
• Remote Worker must consider both
On-net and off-net requirements
• Remember, in Dell configs, Encryption
Services impact capacity
© 2012 Avaya Inc. All rights reserved.
For Secure SIP trunking,
look at the number of TDM
DSOs required
For Remote Worker,
calculate required call
volumes
22
22