SIP Trunking As a Managed Service

Why an E-SBC Matters
By: Alon Cohen, CTO Phone.com
Agenda
• Network Topology (Firewall, SBC, PBX)
• SBC as an abstraction Layer
• SBC Security
– Firewall
– Fraud protection
– Encryption
• SBC Utility
– Protocol conversion
– Transcoding
– Data capture
– LCR
– HA / Load Balancing
– Statistics
Connecting a SIP Trunk and an SBC
[Diagram: Internet, Router, Firewall, Switch, SIP Trunk Vendor, SBC, IP PBX]
SBC as an Abstraction Layer
• Hides the implementation details of the PBX
– Easy to replace vendors without touching the PBX
– Easy to replace PBX without vendor coordination
• In simple words:
– Easy to move forward
– Easy to save money
Attacks on IP PBX (DOS/TDOS)
• An IP PBX requires a wide range of open ports
– For the RTP media of the SIP Trunk
– For external IP Phones registration
– Hence it is open to DOS attacks
– As well as TDOS (Telephony Denial of Service)
• TDOS Attacks have different attack vectors
– SIP Registration flood
– SIP Invite flood
– Fraud (Make calls on your company’s dime)
– Eavesdrop
SBC T/DOS Mitigation
• SBC can handle larger amounts of registrations
and shield the PBX
– Good for normal operations as well where you have
large numbers of clients outside the enterprise
• SBC can ignore false or incomplete registrations
or invites better than the PBX can
• Enforce IP blacklist, with variable blocking periods
for Registrations, Subscribes, OPTIONS polls and
protocol errors
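
Added example, not from the original slides: a sketch of the per-source IP blacklist with variable blocking periods described above, where each repeat offence doubles the block. The thresholds, the names (LIMITS, Blacklist, classify, replay) and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
# Assumed limits per message kind: (max messages, window in seconds). Illustrative values.
LIMITS = {"REGISTER": (5, 10), "SUBSCRIBE": (5, 10),
          "OPTIONS": (10, 10), "PROTOCOL_ERROR": (3, 10)}
BASE_BLOCK, MAX_BLOCK = 60, 3600  # first block period and its cap, in seconds (assumed)

def classify(start_line):
    """Map a SIP start line to a counter kind; unparseable input is a protocol error."""
    parts = start_line.split()
    if len(parts) == 3 and parts[2] == "SIP/2.0":
        return parts[0]  # request line: METHOD uri SIP/2.0
    return "RESPONSE" if parts[:1] == ["SIP/2.0"] else "PROTOCOL_ERROR"

class Blacklist:
    def __init__(self):
        self.recent = defaultdict(deque)  # (ip, kind) -> timestamps inside the window
        self.strikes = defaultdict(int)   # ip -> how many times it has been blocked
        self.blocked_until = {}           # ip -> time the current block expires

    def allow(self, ip, start_line, now):
        """Return True if the message may be forwarded to the PBX."""
        if self.blocked_until.get(ip, 0) > now:
            return False  # still blacklisted: drop without counting
        kind = classify(start_line)
        if kind not in LIMITS:
            return True
        limit, window = LIMITS[kind]
        q = self.recent[(ip, kind)]
        q.append(now)
        while q[0] <= now - window:  # slide the window
            q.popleft()
        if len(q) <= limit:
            return True
        # Over the limit: block, doubling the period on every repeat offence.
        self.strikes[ip] += 1
        self.blocked_until[ip] = now + min(BASE_BLOCK * 2 ** (self.strikes[ip] - 1), MAX_BLOCK)
        q.clear()
        return False

def replay(events):
    """Feed (time, ip, start_line) tuples to a fresh blacklist; return it and the drops."""
    bl = Blacklist()
    return bl, [(t, ip) for t, ip, line in sorted(events) if not bl.allow(ip, line, t)]

# Constructed sample traffic (documentation addresses and a placeholder PBX name).
REG = "REGISTER sip:pbx.example.com SIP/2.0"
SAMPLE = ([(t, "198.51.100.7", REG) for t in range(8)]           # first flood
          + [(t, "198.51.100.7", REG) for t in range(70, 76)]    # repeat after the block expires
          + [(3, "192.0.2.10", REG), (40, "192.0.2.10", REG)])   # normal client
```

Calling replay(SAMPLE) shows the flooding source blocked for 60 seconds after its first burst and 120 seconds after its second, while the normal client is never dropped.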
Encryption
• Most UDP SIP trunk installations today are
non-encrypted
• SRTP = Secure RTP (Real-time Transport Protocol) - UDP
• TLS = Transport Layer Security – TCP/IP
• An SBC will let you use encryption in the LAN
regardless of vendor capabilities.
So far we saw that SBC can protect your infrastructure
• Let’s see what else the SBC is good for
Data Capture
• Important during installation
• Important when you encounter problems
– Calls disconnect
– QOS
• Simplify SIP packet analysis
• We mentioned Registration Caching
Codec & Transcoding
• Most VOIP devices/trunks support G.711 (uLaw)
• G.711 is good over good networks
• What if you do not have a good network?
– Transcode to G.729
– Transcode to OPUS
• Constant and variable bitrate
• From 6 kbit/s to 510 kbit/s
• Frame sizes from 2.5 ms to 60 ms
• Sampling rates from 8 kHz to 48 kHz (CD Quality)
• Packet loss concealment
• Fax T.38 translation
• DTMF Translations (if needed)
• Sometimes Video transcoding
Transcoding
Protocol Conversion
• UDP SIP / TCP SIP (Non Secure)
• UDP SIP / TCP SIP TLS & SRTP (Secure)
• Different variants of SDP
• UDP Fragmentation
• SIP / H.323 (Conversion)
SBC as Glue Logic
• Lync / SfB
– Requires SIP over TCP
– SRTP / TLS
SfB & SBC
LCR – Least Cost Routing
• An SBC with an LCR can provide major cost
savings
– Some vendors will pay you to terminate Toll Free
– Local vendors have very low costs on their local
footprint
– International termination varies in cost and quality
• QOS Management by Managing the LCR
– Increasing cost of low QOS routes
HA – High Availability
• Redundancy Modes
– Hardware
• support HA pair
– Vendor Termination Level
• Re-route calls to other vendors
– PSTN Backup
• T1 line, or Analog as alternate vendor
– IP PBX Redundancy
Load Balancing
• Enterprises can stack IP PBXs.
– HA
– Capacity
CDR Generation
• In installations with multiple IP PBX systems,
consolidating CDRs can become a pain
• The SBC as an aggregator of all in and
outbound calls can act as CDR generator or
collection point
Statistics & Monitoring
• Most measurable parameters let you set
thresholds that trigger an alarm.
• Things you can measure vary and may include
• QOS: (Jitter, Packet Loss)
• CPS (Calls Per Second)
• Call Fail Rate
• Fraud Alarms
– Usually triggered by velocity
Cost Considerations
• Could be high for a very small business
• If fitted correctly
– Pays for itself via
• Uptime
• LCR
• CIO Reputation
Conclusions
• SBC provided the following benefits
– Topology hiding
• Ability to keep improving (abstraction layer)
– Reliability (vendor redundancy)
– Cost reduction (LCR)
– Protocol matching (SIP over TCP vs. UDP, H.323)
– DOS Protection (Protect the PBX)
– Data Security (using SRTP/TLS on the trunk)
– QOS (by using better codecs and monitoring)
– Even more….
• NAT Traversal tools, FAX, CDR Collection
• CALEA, For Vendors – See FBI Booth