SIP Trunking - Ingate Systems

Download Report

Transcript SIP Trunking - Ingate Systems

SIP Trunking Workshop
for Service Providers
With real life considerations and practical solutions for
offering SIP Trunks using Ingate and Intertex E-SBCs
The Ingate SIP Trunk-Unified Communications Summit
Karl Erik Ståhl
President and CTO, Intertex
Chairman and CTO, Ingate
© Intertex Data AB, Ingate Systems, February 2011
1
1.
The Case for SIP Trunking
 1:00pm-1:30pm
Moderator: None
 Opening remarks and overview of the benefits of SIP trunking
and UC for service providers, by Ingate Systems.
© 2011 Intertex Data and Ingate Systems
2
2.
Delivering SIP to the Enterprise
 1:30pm-2:30pm
Moderator: Maloff NetResults
 1:30-1:35
Moderator
 1:35-2:00
Broadvox
 2:00-2:30
Intertex Data AB – Practical solutions
© 2011 Intertex Data and Ingate Systems
3
There is more to it…
PSTN
 Voice only, or Voice & Data on the pipe?
 Internet or Private Pipe?
 Quality Measures on the Pipe?
SIP Trunking
Provider
SIP System
 Delivery to just a PBX?
… or to a UC LAN
 Is an E-SBC required? When?
 Who provides/owns the E-SBC?
 Just SIP Trunking of PBXs or also
 Remote users
 Hosted services
© 2011 Intertex Data and Ingate Systems
SIP Trunk
Interface 
 Is there a (data) Firewall in the way?
PBX with
system
phones
4
This Would be Simple
Public
Internet
SIP Trunking
Provider Network
PSTN
SIP System
SIP Trunk
IP-PBX
Data LAN
VoIP LAN
5
But This is What We Want
Public
Internet
SIP Trunking
Provider
PSTN
SIP System
Remote
Users
Intertex IX78
Demarcation point of
service and bringing SIP
communication to the LAN
IP-PBX
Data & VoIP LAN
Soft Clients and Multimedia Terminals
© 2011 Intertex Data and Ingate Systems
6
So this is Not a Good Solution,
at least not for a General Service
Public
Internet
SIP Trunking
Provider Network
PSTN
SIP System
No Remote
Users!
Managed
SIP Trunk
Enterprise:
Security
Warning!
IP-PBX
Will Service
Provider issue
IP addresses to
every Phone?
Provider:
Security
Warning!
Data LAN
VoIP LAN
?
?
No Soft or Multimedia Clients!
UC?
7
And there is Often a Non SIP Capable Firewall in Place
SIP Trunking
Provider
PSTN
SIP System
Remote
Users
Ingate/Intertex E-SBCs
enable SIP based Live
UC Across the Borders!
SIParator®
IP-PBX
(SIP does not traverse
ordinary NAT/Firewalls.)
Data & VoIP LAN
Soft Clients and Multimedia Terminals
8
And There are Different Types of PBXs to Consider
PSTN
A Good E-SBC Should Provide:
1) NAT/Firewall Traversal – Must NAT to same address space!
2) Basic SIP and Network Interoperability - E.g.
 SIP Trunking
Provider Network
Authentication, Registrations, UDP/TLS/TCP, Dynamic IP address, etc.
SIP System
3) SIP Repair - E.g. Call Transfer, Fragmented packets, Bugs, etc.
4) Features - E.g. Remote Users, Administration (remote and local)
5) Security - LAN/PBX/VoIP network protection, Service attack protection
SIP Trunk
1) 2) 3) 4) 5)
IX78

IPPBX
2) 3) 4) 5)
2) 3) 4) 5)
 SIP Trunk Interface 
Modern IP-PBXs are of
this type. Media goes
directly between phone
and SIP Trunk.
PBX with
system
phones
IPPBX
Few PBXs are of this type.
Asterisk with firewall
(IPtables /NETfilter) can be
compiled and configured
this way, but requires a lot.
VoIP & Data LAN
VoIP & Data LAN
Data LAN only
PBX Type 1
Signaling:
Media:
PBX Type 1.5
PBX Type 2
9
NAT & Firewalls are a Severe Infrastructure Problem…
A common Network and common Protocols changed our lives:
SMTP gave us global email!
HTTP gave us the Web!
IMS
NATs and Firewalls were
designed to allow such
protocols.
What about SIP for Live
Person-to-Person
Communication?
(SIP based)
Internet
email
FW
SIP does not traverse the
common NATs and
firewalls protecting the
LANs .
© 2010 Intertex Data AB
web
FW FW
FW
LAN
LAN
10
Why are NATs and Firewalls Such Obstacles
Typical Internet protocol (SMTP, HTTP…)
SERVER
HOST
Internet
SIP is the Protocol for IP Communication
Person-to-Person,
BUT IT DOES NOT REACH THE USER’s!
SIP (and H.323…) connects Person-to-Person
PERSON
PERSON
Internet
Locate the person
+ Set up a session + Open real time media streams
© 2010 Intertex Data AB
11
Ordinary Voice IADs – Good for Telephony Replication…
Telephone ports (FXS) on the CPE is a popular
way to deploy IP telephony. By logically placing
the SIP clients on the outside of the NAT/Firewall,
unreliable work-around methods like STUN,
TURN and ICE become unnecessary. However,
this only gives POTS replication, often even
stopping general SIP based services!
Internet
The 5060 SIP-port is just grabbed on the
outside to the FXS ports!
Lower level SIP ALGs often cause problems
and do not handle more than basic scenarios.
Often problems with, or total lack of:
• SIP to the LAN or WiFi
• Calls between SIP clients on LAN
• Calls between internal ATA ports and LAN clients
• Call transfers, 3-party calls, etc.
• Using SIP generally over the Internet (Operator “took all the SIP”)
(Users must not be deprived of general SIP-functionality!)
© 2011 Intertex Data AB
12
Our CPEs are SIP Capable NAT/Router/Firewalls
IMS
Internet
SIP
No battery draining of WiFi mobile phones, otherwise
caused by keep-alive packets* inhibiting sleep mode.
* Work-around methods for SIP NAT-traversal like STUN, TURN, ICE and Far End NAT
Traversal use frequent keep-alive packets to keep holes in the NAT/Firewall open.

Problems solved where they occur

Wired or wireless SIP clients (phones, soft clients, PDAs)

No special requirements on the SIP Client – Just standard SIP
All Intertex CPEs have a SIP Proxy based SIP aware Firewall/NAT

General, can handle complex call scenarios and all SIP services

Additional functionality available (SIP server, PBX functionality etc.)
© 2011 Intertex Data AB
13
QoS: Common VoIP and Data Pipe
Public
Internet
SIP Trunking
Provider
PSTN
SIP System
E-SBC also Data Firewall
Demarcation point of
service and bringing SIP
communication to the LAN
IP-PBX
Data & VoIP LAN
Using the Ingate or Intertex
as the enterprise firewall
allows both prioritization and
traffic shaping.
© 2011 Intertex Data and Ingate Systems
14
14
QoS: Separate VoIP Pipe in Parallel with Data
Public
Internet
SIP Trunking
Provider
PSTN
SIP System
E-SBC SIParator®
Demarcation point of
service and bringing SIP
communication to the LAN
IP-PBX
Data & VoIP LAN
No prioritization or traffic
shaping to be done by the ESBC. But get a good pipe!
© 2011 Intertex Data and Ingate Systems
15
QoS: Common VoIP and Data Pipe with Firewall
PSTN
Public
Internet
SIP Trunk
Provider
SIP System
PSTN
Public
Internet
SIP Trunk
Provider
SIP System
Bridge for Existing
NAT/ Firewall
(non SIP aware)
IPPBX
SIParator®
IPPBX
WAN
SIParator®
Data & VoIP LAN
Data & VoIP LAN
If common IP pipe, the existing
firewall must restrict bandwidth
usage to allow sufficient voice
bandwidth. Often problematic.
WAN SIParator mode allows the
Ingate or Intertex to control data
usage on the Pipe to assure
sufficient voice bandwidth!
16
16
Advanced QoS Configurations for Ingate
At a detailed level, for SIP and other traffic
17
Intertex IX78 Smart QoS Defaults
For traffic shaping, just fill in your
bandwidth!
(For internal ADSL it is mostly automatic.)
Data will be pushed back in favor of voice to
keep the used bandwidth within the limit.
And for a specific SIP Trunk provider one can select for the voice:
© 2011 Intertex Data AB
18
Carriers having Quality Separated Triple Networks can Preferably Reuse
Those for SIP Trunking. Clouds may be Private or Globally Routable.
E.g. Telia
E.g. Telia
Internet
IP-TV
VoD
Internet
IMS
IP-TV
VoIP
VoD
IMS
VoIP
PVC1
VLAN1
PVC3
PVC2
ADSL
Private Virtual Circuits
E.g. B2
VLAN3
VLAN2
Virtual LANs (VLAN)
Ethernet
E.g. BT
Internet
IMS
IP-TV
VoIP
VoD
IP-TV
VoD
Internet
Priority2
Priority3
IMS
VoIP
Priority1
WAN1
WAN2
Ethernet
WAN3
IP QoS Separated Subnets
ADSL or Ethernet
IP Level QoS
The Intertex IX78 Supports All of these Architectures!
© 2011 Intertex Data AB
19
On Telia’s (Sweden’s Incumbent Telco) Network, the IX78 Delivers a Multimedia
LAN, Ready for UC PBXs, Hosted Services and End-to-End SIP Services
The Multimedia LAN
Internet
IMS
TR-069
VoIP
IP-TV
All services must be available to
multimedia terminals! – Over
controlled high QoS pipes as well
as over the Internet.
Application Innovation Requires it!
VoD
VLANs or ADSL
Virtual Circuits
WiFi
Internet
The Multimedia LAN
IPPBX
     
Telepresence
PDA
20
3.
The Value of a Service Provider Demarcation Point
 2:30pm-3:30pm
Moderator: Maloff NetResults
 2:30-2:35
Moderator
 2:35-3:00
EarthLink Business
 3:00-3:30
Intertex Data AB – Practical solutions
© 2011 Intertex Data and Ingate Systems
21
Service Provider Demarcation Point
PSTN
Public
Internet
SIP Trunk
Provider
SIP System
IP Access
IPPBX
Service
Provider’s
Demarcation
Point
THE POINTS
Delivery of Service:
To a PBX or UC LAN
Provisioning, Definition of Service:
Installation, Configuration, CAC
Monitoring:
Network performance, QoS MOS
Management:
Support, Debugging, Upgrade
Data & VoIP LAN
Billing - Why not?
Here we know what is going on!
22
The Role of the E-SBC
To get SIP Trunking working:
 SIP NAT/Firewall Traversal
 Must NAT SIP to the protected private address space!
 Basic SIP and Network Interoperability
 E.g. Authentication, Registrations, UDP/TLS/TCP, Dynamic IP address, etc.
 SIP Repair
 E.g. Call Transfer, Fragmented packets, Bugs, etc.
But don’t forget:
 Security
 LAN/PBX/VoIP network protection, Service attack protection
 QoS – Quality of Services
 Requirements depending on IP delivery and firewall
 Features
 E.g. Remote Users, Administration (remote and local)
 Provisioning, Monitoring, Management
© 2011 Intertex Data and Ingate Systems
23
All Types of PBXs has to be Supported
PSTN
A Good E-SBC Should Provide:
1) NAT/Firewall Traversal – Must NAT to same address space!
2) Basic SIP and Network Interoperability - E.g.
 SIP Trunking
Provider Network
Authentication, Registrations, UDP/TLS/TCP, Dynamic IP address, etc.
SIP System
3) SIP Repair - E.g. Call Transfer, Fragmented packets, Bugs, etc.
4) Features - E.g. Remote Users, Administration (remote and local)
5) Security - LAN/PBX/VoIP network protection, Service attack protection
SIP Trunk
1) 2) 3) 4) 5)
IX78

IPPBX
2) 3) 4) 5)
2) 3) 4) 5)
 SIP Trunk Interface 
Modern IP-PBXs are of
this type. Media goes
directly between phone
and SIP Trunk.
PBX with
system
phones
IPPBX
Few PBXs are of this type.
Asterisk with firewall
(IPtables /NETfilter) can be
compiled and configured
this way, but requires a lot.
VoIP & Data LAN
VoIP & Data LAN
Data LAN only
PBX Type 1
Signaling:
Media:
PBX Type 1.5
PBX Type 2
24
Also Important to Support Multimedia and UC Terminals and
Remote Users in a Modern UC PBX Environment
Public
Internet
SIP Trunking
Provider
PSTN
SIP System
Remote
Users
Intertex IX78
Demarcation point of
service and bringing SIP
communication to the LAN
IP-PBX
Data & VoIP LAN
Soft Clients and Multimedia Terminals
© 2011 Intertex Data AB
25
Creating an Interface for ALL PBXs
 Proxy Mode
 IP-PBX talks to SIP System
 Registration/Authentication model must match
 Little configuration in the IX78
 Service credentials in the PBX
IPPBX
 B2BUA Mode (Proxy still doing the basics)
 IP-PBX only talks to the IX78
 Wider separation between PBX and SIP System
 Service Credentials only in the IX78
 More SIP Normalization possibilities (e.g. REFER)
 Any new operator service platform only requires IX78
reconfiguration (the PBX configuration can remain)
IPPBX
26
Trunk-side Parameters
SIP Connect 1.1
can be setup
(for any PBX)
Read-only value set by Service
Provider (in some cases).
Regulates customer’s monthly fee!
27
PBX-side Parameters
28
28
Registration, Call Routing, CallerID
SIP Connect 1.1
Setup
29
Trouble Shooting & Debugging – Network Status
30
Trouble Shooting & Debugging – Logging!
31
Trouble Shooting & Debugging – Internal SIP Log
32
Packet Captures
 Creates a WireShark
PCAP network trace
 Network Interface
Selection – All
Interfaces
 Start – Stop - Download
33
Monitoring - Call Quality Statistics
Internal Call Log, containing CDRs with Quality Statistics. Can be output via
SYSLOG, RADIUS (Ingate) or to the management system iEMS (see later).
© 2011 Intertex Data and Ingate Systems
34
Management of the CPE / E-SBC
Provisioning, Configuration, Monitoring, Reporting,
Upgrade, Logging, Debugging, Diagnostics, Support…
 Experience:
 Existing management systems often difficult to change
•
Resistance against touching what has been built over the years
 Remote GUI access to CPE often used
 Requirements
•
•
•
Quite few functions and possibilities are actually used
Alive, Configured, Upgrades, New configuration - A must!
Often on wish list: Bad Sound (MOS) alarm, etc.
 EMS (instead of NMS) is a trend
 Element Management System (EMS)
•
•
Specially built for the Product
Interfaces to OSS and Fault Management System at high level.
 Intertex and Ingate EMS in progress – iEMS
•
•
Easy to program and interface to
Highly scalable
© 2011 Intertex Data and Ingate Systems
35
Element Management System – The iEMS
 Functions for Provisioning, Monitoring, Reporting, Diagnostics, Logging,
Debugging, Support, Configuration and Upgrade. Available now with basic
functionality.
 Will handle both Ingate and Intertex Firewalls and SIParators.
 Highly scalable, runs on PC servers under the Linux OS.
 HTTPS/SOAP interface to the IX78. Can read and write all configuration
parameters, as well as asynchronous reporting by the device (like SNMP
traps).
 Web based secure access to the iEMS. Customized portals for operators,
installers and customers, for the purpose of administration, management
and usage.
 The iEMS has northbound interfaces for integrating with the operator’s OSS
and Fault Management systems, using XML-RPC and/or SOAP.
© 2011 Intertex Data AB
36
36
iEMS – CDRs with Call Quality Metrics
37
iEMS Interfaces
OSS, Fault Management, etc.
XML-RPC (or SOAP)
(GET/SET/EVENTS)
Northbound API
WEB GUI
DB DB DB
Southbound API
WAN
CPE
CPE
CPE
<?xml version="1.0"?>
<methodCall>
<methodName>setTrunk</methodName>
<params><param><struct>
<member><name>version</name><value>1.0</value></member>
<member><name>ems</name><value><struct>
<member><name>username</name><value>installer</value>
<member><name>password</name><value>foobar123</value></
</struct></value></member>
<member><name>service</name><value><struct>
<member><name>registrar</name><value>sip.intertex.se</
<member><name>proxy</name><value>proxy.intertex.se</value
</struct></value></member>
<member><name>trunk</name><value>
<array><data>
<value><struct>
<member><name>identity</name><value>5162809890</val
<member><name>password</name><value>foobar</value></membe
</struct></value>
<value><struct>
<member><name>identity</name><value>5162809895</val
<member><name>password</name><value>barfoo</value>
</struct></value>
</data></array>
</value></member>
CPE
</struct></param></params>
</methodCall>
CPE
CPE
CPE
© 2011 Intertex Data and Ingate Systems
38
SIP Trunking Made Easy

Installation Wizard
39
SIP Trunk-UC Workshop
Startup Tool – Network Topology
Assign IP
Addresses, the
tool will config
the Ingate.
Select the
deployment
according to the
picture
Status Information,
helpful for
troubleshooting
40
SIP Trunk-UC Workshop
Startup Tool – IP-PBX Selection
Select IP-PBX
Vendor and
Model
Assign the IPPBX IP Address
Assign the IPPBX Domain (if
required)
For every IP-PBX
vendor on the List
Ingate has captured
the programming
requirements to
ensure quick and
easy config
Status
Information,
helpful for
troubleshooting
41
SIP Trunk-UC Workshop
Startup Tool – ITSP Selection
Select ITSP Vendor
For every ITSP
vendor on the List
Ingate has captured
the programming
requirements to
ensure quick and
easy config
User Account
Information, DID
Assignment and
Registration
Authentication
Assign the ITSP IP
Address
Status Information,
helpful for
troubleshooting
42
4.
Ensuring Interoperability – The Key to Service Revenue Growth
 3:30pm-4:30pm
Moderator: Maloff NetResults
 3:30-3:35
Moderator
 3:35-3:50
Bandwidth.com
 4:00-4:30
Intertex Data AB – Practical solutions
© 2011 Intertex Data and Ingate Systems
43
PBX and ITSP Interoperability
 Large variation among PBX:s
 Even larger variation towards ITSP:s
 “SIP Connect” recommendation by SIP Forum
… helps and improves, but is not implemented yet.
 Installation tools
 Ix78 Wizard live demo
 Ingate Start UP Tool – See Provision section!
© 2011 Intertex Data and Ingate Systems
44
Confirmed Interoperability: Ingate & Intertex
SIP Trunk Providers
 360 Networks
 Airespring
 AT&T
 BandTel
 Bandwidth.com
 Broadvox
 BT (British Telecom)
 Cablecom
 Cbeyond
 Cellip
 Comm Partners
 Cordia Corporation
 Excel Switching
 Gamma Telecom
 Global Crossing
 IP-Only
Nectart
 Juma Networks
 Level 3
 Netlogic
 Nexvortex
 Nuvox
 O1
 Paetec
 Primus
 RNK Telecom
 TDC
 Telavox
 Tele2
 Tele Pacific
 Teletek
 Telia
 Toplink
Tritel
 VoEX
 Voice Flex
 VoIP Unlimited
 Voxbone
 Voxitas
 XeloQ
More in pipeline.....
Carrier Equipment
 Acme Packet
 Broadsoft
 NexPoint
More in pipeline.....
already interoperate with most
SIP Trunk
Compliant with
 Sonus
 Sylantro
 SER
© 2011 Intertex Data and Ingate Systems
IP-PBXs
 3Com
 Aastra
Aastra MX One
 Digium/Asterisk
 Avaya IP Office
 Avaya SES/CM
 Avaya QE
 Brekeke
 Broadsoft
 Cisco Call Manager
 Ericsson MX-One
 Fonality
 Innovaphone
 Interactive Intelligence
 Iwatsu
 LG Nortel
 Microsoft
 Mitel
 NEC / Sphere
 Nortel BCM
 Nortel SCS
 Objectworld
 Panasonic
 Pingtel
 Samsung
 SER
 Shoretel
 Siemens 8000
 SIP-Gear
 Sonus
 Sphere Communications
 Swyx
More in pipeline....
45
Is there a SIP Connect Compliant IP-PBX + ITSP?
 If any, the E-SBC could just be SIP proxy, with only simple network
setup, and perform:




NAT / Firewall traversal
QoS (Quality of Service)
SIP Security (Attack Protection)
Monitoring and Debugging
 Ingate & Intertex E-SBCs can be SIP Connect towards the ITSP, but
specific towards the PBXs
 Ingate & Intertex E-SBCs can be SIP Connect towards the PBXs, but
specific towards the ITSP
 But usually, we have to be specific to both the ITSP and the PBX
© 2011 Intertex Data and Ingate Systems
46
Trunk-side Parameters
SIP Connect 1.1
can be setup
(for any PBX)
47
PBX-side Parameters
48
48
Registration, Call Routing, CallerID
SIP Connect 1.1
Setup
49
If More is Required – There is plenty...
50
... ........and More
51
... and if that is not enough
 There is Generic Header Manipulation
E. g. add Diversion header:
sip:[email protected]?Diversion=%3csip%3a
$(from.user)%40192.168.1.1%3e
To cope with not foreseen behavior
 Can fix much – not all
 Needs SIP expertise
 How do we know what to configure and how to
set it up?
© 2011 Intertex Data and Ingate Systems
52
Roll-out and Maintenance
Ease and security of role out and maintenance, are
main Service Provider concerns
 Initial configuration
 SIP Trunking requires input from 3 “places”
• Numbers and credentials from Service Provider
• Information/Knowledge about the PBX and ITSP
• Information about the customer network and setup
 More complex than usual
• And all compiled at installation time
 Upgrades
 New configuration
 Exchange of hardware
© 2011 Intertex Data and Ingate Systems
53
Ingate has the Startup Tool
for a very wide variety of PBXs and ITSPs
 “Out of the Box” setup and commissioning of the
Firewall and SIParator products
 Update current configuration
 Product Registration and unit Upgrades, including
Software and Licenses.
 Automatic selection of ITSP and IP-PBX
 Backup of Startup Tool database
 Located at www.ingate.com FREE!
54
For Volume Deployment there Must be Provisioning
The IX78 has Several Provisioning Methods
 Web Wizard adapted to Provider’s Trunk Service
 No Provider integration needed
 Installer inputs trunk side and PBX side data
 Configuration fetched from Provider’s Web Server
 Configuration, Upgrades, Licenses
 At boot, by timer, or by kick (on request)
 Installer runs small Wizard for PBX side
 Via Element Management System: iEMS
 Provider inputs Trunk Data manually or
automatically via OSS (via XML-RPC or SOAP)
 IX78 connects automatically
 Installer runs small Wizard for PBX side
 Or a combination can be used (on request)
In the two latter methods, URL’s to the Provider’s
provisioning server and iEMS are preloaded in the
IX78, or fetched via DHCP.
© 2011 Intertex Data AB
55
The SIP Trunking Configuration Wizard
 jkjjk
5.
Addressing Security Issues
 4:30pm-5:30pm
Moderator: Maloff NetResults
 4:30-4:35
Moderator
 4:35-5:00
Ingate – Presenting a case study.
 5:00-5:30
Intertex Data AB – Practical solutions
© 2011 Intertex Data and Ingate Systems
57
Security
 Privacy – little concern today
 Theft of Service & Toll Fraud
 Denial of Service (DoS)
 Protecting the PBX
 Protecting the Service Provider
© 2011 Intertex Data and Ingate Systems
58
Privacy – Similar to PSTN
 SIP Trunking and SIP UC can be more private than
traditional PSTN solutions (POTS and PRI)
 Compromising Privacy of POTS and PRI requires
physical presence, and these are never encrypted
 SIP signalling and media rarely encrypted, but can be
59
Signaling Encryption
TLS is Transport Layer encryption and certificate check
Both Ingate and Intertex E-SBCs can transcode
between UDP, TCP and TLS for any call
60
Privacy - Media
SRTP is encryption of the media (voice)
The Ingate E-SBCs can transcode between RTP (in the
clear) and SRTP (encrypted) media
61
Theft of Service & Toll Fraud
 What is Theft of Service? (or Intrusion of Service)
 A Third Party attempting to defraud either the

Enterprise or the Carrier
Devices attempting “Spoof” a Client device in an
attempt to look like an extension (or enterprise)
and gain services directly
62
Theft of Service & Toll Fraud
 Now a Real World Problem
 But only a Problem when:
 Authentication is not used. There are:
 Digest Authentication (password)
 IP address
 Relies on that packets must return to the caller
 MTLS (TLS is not sufficient)
 The Caller must be authenticated
 Too weak passwords are used
 Most common cause!
 Typical 1234, admin, demo, test or the extension number
The methods are good – The usage may be poor..
63
Trend for Theft Protection
 Service providers provision the credentials for
their service, so the customer never sees them.
 Service Providers are starting to own CPE edge
equipment (E-SBCs) and provision the security
credentials for their own access to that CPE.
64
IX78 Preventing Unauthorized Usage
Simple General Default Configuration in the Intertex IX78
Remote users to the
PBX can be
authenticated by the
IX78 (also)
© 2011 Intertex Data AB
65
Allowed Usage of the SIP Trunk
© 2011 Intertex Data AB
66
Protection Against Password Guessing
Brute Force Attack Protection
Attackers are nowadays trying to find simple passwords by brute force testing.
10 – 100 trials/second have been seen (e.g. SipVicious / friendli-scanner).
After 3 trial we pretend all attempts are wrong, so the correct one is never
found.
© 2011 Intertex Data AB
67
Denial of Service (DoS)
 What is Denial of Service?
 A Third Party makes a communications resource unavailable
to its intended users
 Generally consists of the concerted efforts to prevent SIP
communications service from functioning efficiently or at all,
temporarily or indefinitely
 One common method of attack involves saturating the target
(victim) IP-PBX with external communications requests, such
that it cannot respond to legitimate traffic, or responds so
slowly as to be rendered effectively unavailable
68
Denial of Service
 Nowadays Real DoS Attacks are Occurring
 Few pure DoS attacks, but scanning for open SIP



servers and trying passwords (e.g. SIPvicious.org
/ friendly-scanner) may become a DoS attack.
Attacked SIP devices can simply choke from
overload, when requesting authentication
Or SMB with limited IP bandwidth can have that
consumed
Communication Servers have direct relationships
with revenue and should be isolated from DoS
69
SIP DoS Detection and Prevention
 Intrusion Detection System (IDS) for SIP
 Intrusion Prevention System (IPS) for SIP
 Ingate has an IDS / IPS system that identifies
intrusions by examining network traffic.
 Ingate is located at choke points in the network to
be monitored, often in the demilitarized zone
(DMZ) or at network borders/edges.
 Ingate captures all SIP traffic and analyzes the
content of individual packets for malicious traffic,
that will be stopped.
70
Ingate SIP IDS/IPS: Attack Recognition
 IDS/IPS - Rule Packs
 Predefined Rule Packs (signatures) for
filtering known industry DoS patterns
specific for SIP applications
71
Ingate SIP IDS/IPS: Rate Limiting
 SIP signaling late limiting is generally effective
Untrusted
Network
SIP Protocol Method,
Response Code
Matching/Filtering Traffic Rate
Blacklist
Policy
72
IX78 Preventing SIP DoS Attack
 Signature Recognition
If the internal SIP proxy detects known
signatures in SIP headers from
attackers, it instructs the internal firewall
to block attacking IP address for 60
seconds. New signatures can be added
manually or provisioned automatically.
 SIP Rate Limiting:
If there are more than 20 SIP packets/seconds from the same IP-address,
the internal firewall blocks that IP-address for 20 seconds and does not
respond to that IP address until the SIP packed rate is below 3
packets/seconds.
© 2011 Intertex Data AB
73
Protecting the PBX and Carrier
 SIP Protocol Packet Error Detection and Correction
 SIP Signaling are only passed through the Internal


SIP proxy in Ingate and Intertex products.
Malformed SIP Packets will not reach the PBXs or
Service Providers from our side.
Standardized SIP Interface in both directions
74
6.
Generating Revenue from HD Video
 5:30pm-6:30pm
Moderator: Maloff NetResults
 5:30-5:35
Moderator
 5:35-6:00
UCIF – Polycom
 6:00-6:30
Intertex Data AB – Reusing the E-SBC SIP trunking
infrastructure.
© 2011 Intertex Data and Ingate Systems
75
Global Video Calling Using the E-SBC
Telco Opportunity
Video Calling
High Quality, Chargeable, Global Video Calling
Ready to go, using SIP Trunking Infrastructure
•
•
•
High Quality (Telepresence) Video Calling
Routed and Billed (CDRs produced) by the E-SBC
Simple settlement free IP Peering between Telcos
© 2011 Intertex Data AB
76
What’s Special About Video Calling?
 We have been building islands – again…
 But there is no old Video PSTN to connect those together
 However, there is a standard (SIP) and a network (Internet)
 We have seen such video calls for a long time
 What more is needed?
 High quality – Teleprecense; Guaranteed bandwidth and QoS?
 Global; Not only within a company and not only within one carrier’s
network
 Telephone numbers (in addition to sip addresses)
 Allow Telcos to Bill (being more than just Bandwidth Providers)?
© 2011 Intertex Data AB
77
There is a Solution!
 Do More at the Enterprise Edge!
 We can route here – The earlier the better
 We can produce CDR’s for billing here
 We can do number resolution here (or the ITSP can do it)
 The Good News:
 Reuse the SIP Trunking infrastructure (using E-SBCs)
 Simple peering between carriers
© 2011 Intertex Data AB
78
Reusing the SIP Trunking E-SBC
 Telco owned E-SBCs are already used for (voice) SIP Trunking
 Full operator control
 Service provider’s demarcation point
 Enables the SIP Trunking – Video is not different from voice for:
NAT/Firewall traversal, PBX interoperability and Security
 Reuse the same E-SBC for Video Calling!
 In the Ingate and Intertex E-SBCs, it is all there:
 Classify outgoing calls (as Video, HD voice or plain voice)
 Assure right quality pipe and/or quality marking is used
 Route the call directly to the other party (or
• Use ENUM (public or private) for E.164 number to SIP address resolution
• Only settlement free IP peering between operators required
• Can fallback to best effort IP peering (Internet) in operator network
 Produce and deliver CDRs for each call
• Report Minutes and Data used
• Include video and voice quality metrics (including MOS scores)
• Deliver via Radius, Syslog, Management system (TR-069 informs) or method by choice
© 2011 Intertex Data AB
79
Simple For the Carrier
AT&T Internet
Qwest Internet
QoS IP Network
QoS IP Network
MPLS
MPLS
ENUM
C
D
R
C
D
R
SIParator
IX78
© 2011 Intertex Data AB
80
Quality Separated Networks Out to the Customer Edge is Not New
Widely Used for Triple Play Services
E.g. Telia
E.g. Telia
Internet
IP-TV
VoD
Internet
IMS
IP-TV
VoIP
VoD
IMS
VoIP
PVC1
VLAN1
PVC3
PVC2
ADSL
Private Virtual Circuits
E.g. B2
VLAN3
VLAN2
Virtual LANs (VLAN)
Ethernet
E.g. BT
Internet
IMS
IP-TV
VoIP
VoD
IP-TV
VoD
Internet
Priority2
Priority3
IMS
VoIP
Priority1
WAN1
WAN2
Ethernet
WAN3
IP QoS Separated Subnets
ADSL or Ethernet
IP Level QoS
The Intertex IX78 Supports All of these Architectures!
© 2011 Intertex Data AB
81
iEMS – CDRs with Call Quality Metrics
© 2011 Intertex Data AB
82
For the Telcos To Do
 Provide high quality IP pipes for Video and HD Voice (e.g. MPLS)
 If on separate layer 2 networks for quality, still make them routable to the Internet
(for fallback to “best effort peered” = Internet)
 Enter users in ENUM (public or private)
 E.164 numbers to SIP address resolution
 Settlement Free Peering between carriers for high QoS IP networks
 Just like for the Internet - Now also for high quality IP network (e.g. by MPLS)
 Deploy same CPEs (E-SBCs) as for SIP Trunking
 Can also be general SIP enablers (at least Intertex’ and Ingate’s) for offering all
types of SIP based services
 Process the CDRs from the E-SBC as usual for Billing
© 2011 Intertex Data AB
83
What’s out there 1? - Cisco TIP
 http://newsroom.cisco.com/dlls/2010/prod_012610.html
 Telepresence Interoperability(?) Protocol (TIP)
 “Cisco already supports H.323, which allows Cisco…”
 Don’t we already have SIP, SDP, RTP, RTCP and Codec standards? …
 And don’t they define interoperability far beyond Cisco?
 Cisco, Cisco, Cisco – And what more?
© 2011 Intertex Data AB
84
What’s out there 2? – The IMS World
 Fine – But when?
 Stuck in its own complexity… Where is the Multimedia and Interoperability?
 And the IMS world still has to find out how reach the users on the fixed network the LANs behind NATs and Firewalls – Or stay with POTSoIP on FXS-ports
 A “OneVoice” initiative to create VoLTE
 AT&T, Bell Canada, China Mobile, Deutsche Telekom/T-Mobile,
KDDI, mobilkom austria, MTS, NTT DoCoMo, Orange, SKT,
SoftBank, Telecom Italia, Telecom New Zealand, Telefónica,
Telenor, TeliaSonera, Verizon Wireless, Vodafone, Acme Packet,
Alcatel-Lucent, Aylus, Camiant, Cisco, Colibra, Communigate,
Comneon, Ericsson, Fujitsu, Genband, Huawei, LG, Motorola,
Movial, Mu, NEC, Nokia, Nokia Siemens Networks, Qualcomm,
RADVISION, Samsung, Sony Ericsson and Tekelec
 Isn’t VoIP already invented?
 “OneVideo” initiative can be expected…
 Until then: Route at the edge by the E-SBC!
 E-SBC still needed to reach users on LAN and for UC PBX interoperability
 The IMS can still be the SIP registrar and billing server…
© 2011 Intertex Data AB
85
What’s out there 3? Juniper, Polycom...
 Juniper, Polycom forge telepresence, video conferencing alliance
http://www.zdnet.com/blog/btl/juniper-polycom-forge-telepresence-video-conferencing-alliance/29868
 “a counterweight to Cisco Systems and its recent acquisition of Tandberg”
 “optimize their platforms so service providers can offer video and telepresence
cheaply. The argument: It’s cheaper for enterprises to deploy telepresence as a
service from their network providers instead of building out their own networks.”
 Sure!
 http://www.juniper.net/us/en/local/pdf/solutionbriefs/3510358-en.pdf
 A Polycom – Juniper solution
© 2011 Intertex Data AB
86
SIP Capable Firewalls and SIParators®
Thank You!
Ingate Systems Inc.
Intertex Data AB
www.ingate.com
Contact: Steve Johnson
[email protected]
sip:[email protected]
Tel: +1 603 883 6569
Mob: +1603 557 7918
www.intertex.se
Contact: Karl Stahl
[email protected]
sip:[email protected]
Tel: +46 8 12205629
Mob: +46 70 7254532
87