avayasessionbordercontroller-140412190728-phpapp01

May 26, 2016 | Author: frodricr | Category: Types, Presentations

Avaya Session Border Controller for Enterprise (ASBCE) Overview

What is a Session Border Controller?

• Session = real-time, interactive communication session
• Border = IP-IP network borders
  – SIP trunks to service providers
  – Remote worker access
  – Intra- & extra-enterprise federated partners
• Control
  – Security & SLA assurance
  – Regulatory compliance

[Diagram: three SBC borders: 1. SIP trunking border (to PSTN, SIP), 2. Hosted services border (contact center, audio/video conferencing, emergency services, etc.), 3. Internet border (remote site, teleworker, nomadic/mobile user); enterprise side shows redundant data centers (CC, UC, ASM), private network (H.323, SIP), regional site, remote site and HQ/campus]

© 2012 Avaya Inc. All rights reserved.

Where Avaya Aura™ SBC fits in the Avaya Aura architecture

[Diagram: Avaya Aura architecture with the SBC facing the Service Provider Network; components shown: Unified Communications, Collaboration Solutions, Contact Center, Interaction Solutions, Communication Manager, Application Enablement, Performance Analytics, Presence Services, Session Manager, System Manager, Deskphones, Clients, Video Endpoints]

Why use an SBC?

• Security
  – Enforces a customer's unique security policies
  – SIP trunk provider's own SBC (if private SIP trunk service) focuses on the provider's security concerns
  – Complete network topology hiding
  – Interoperability problems between multivendor solutions will occur
• Flexibility
  – Provides a layer of independence from the Service Provider: allows the enterprise to make changes more quickly vs. negotiating with / relying on the Service Provider if needs change
  – Normalization point for signaling and RTP media streams
  – Allows for multiple SIP trunk provider access points
  – Support of enterprise-specific call flows that may not be directly supported by the SIP trunk provider
• Accountability
  – Per-call status
  – QoS, SLA monitoring
  – Report on intrusion attempts
  – Session recording

How are SBCs different from firewalls?

• Traditional firewalls cannot:
  – Prevent SIP-specific overload conditions and malicious attacks
  – Open / close RTP media ports in sync with SIP signaling
  – Track session state and provide uninterrupted service
  – Perform interworking or security on encrypted sessions
  – Scale to handle thousands of real-time sessions
  – Provide carrier-class availability
  – Solve multi-vendor SIP interoperability problems
• InfoSec best practice = deploy a defense-in-depth model with application-level security proxies for email and web applications
  – This means firewalls alone are not sufficient
  – The same model applies for IP telephony, UC and CC applications

Avaya Aura® SBC Key Features

[Diagram: SBC between the service provider (SP) and Session Manager (SM) / Communication Manager (CM)]

Reliability and Scale
• Active/standby redundancy
• Scales up to 5000 sessions
• Redundant SIP connectivity to service providers and Session Manager / Communication Manager possible

Applications
• SIP trunking to PSTN providers
• SIP trunking to hosted service providers (i.e. conferencing, contact center, etc.)
• SIP trunking to federated businesses
• Remote worker via Internet

Security
• Acme Packet's proven SBC security framework for DoS/DDoS protection
• TLS & SRTP encryption

Service Provider Interoperability
• Flexible controls to solve interop problems
• Proven configuration templates
• Tested with SPs through DevConnect

Evolution
• Deployable on Avaya Aura System Platform
• Easily add SBC to existing installations
• Flexible feature set for new applications

Avaya Session Border Controller for Enterprise Deployment Models

• SIP Trunking
  – Enforce security policies of the enterprise while solving demarcation issues
• Remote Worker
  – Mobile workspace security, secure distributed call centers, remote workers, teleworkers
  – Confidently extend UC to mobile workspaces across any network
  – Secure VPN'less access
• Core Security
  – Securely add various UC applications and devices (voice, video, IM) across the corporate network
• Compliance
  – Secured Media Replication/Forking for archiving, logging

Secure Remote Worker with BYOD

[Diagram: Avaya Aura® core (Avaya Aura Conferencing, Aura Messaging, Presence Server, Session Manager, System Manager, Communication Manager) reached through the Avaya SBCE from an Untrusted Network (Internet, Wireless, etc.) by a VPN-less Remote Worker]

• Personal PC, Mac or iPad devices
• Avaya Flare®, Avaya one-X® SIP client app
• App secured into the organization, not the device
• One number UC anywhere

Remote Worker: VPN vs VPNless Endpoints

VPN Endpoint
• VPN headers add additional size to traffic. In aggregate this reduces bandwidth.
• Encrypts traffic, yet does not validate it. (Encrypting and distributing a virus isn't helpful.)
• No ability at the VPN head-end to distinguish between voice and data traffic. Ultimately voice quality suffers.
• Cumbersome user experience for real-time communication applications

VPNless Endpoint
• TLS/SRTP encrypts the traffic with a smaller bandwidth footprint than VPN
• Signaling and media are decrypted at the SBC and inspected at Layer 7 to validate the traffic before it is allowed through
• Numerous policies allow Enterprise control of endpoints
• Consistent user experience for applications

Avaya SBC for Enterprise

1. Software Base: Avaya Aura SBC for Enterprise
2. Use Cases: SIP Trunking, Remote Worker
3. HW Platforms: Dell & HP for Enterprise; Portwell CAD-0208 for IPO

[Diagram: several Avaya SBC for Enterprise instances providing SIP Trunking and Remote Worker access, including in front of CS1000]

What's a DMZ?

• A DMZ is used to provide a controlled separation at the edge of the Enterprise network.
• Our SBC can sit parallel to the FW or in the DMZ. Acme claims firewalls destroy voice quality and that they are so secure they don't need it.
• The security standard is to use a DMZ for Enterprise application access. Security is about layers of protection.

[Diagram: Enterprise (CS1000) -> Firewall -> DMZ (Avaya SBCE) -> Firewall -> Internet -> SIP Trunks Carrier]

Avaya SBCE: SIP Trunking Architecture

Use Case: SIP Trunking to Carrier
• Carrier offering SIP trunks as a lower-cost alternative to TDM
• Heavy driver for Enterprise adoption of SBC
• Supports Aura, IPO and CS1K
• From a SECURITY standpoint, it is recommended the SBCE be in the DMZ

[Diagram: Carrier SIP Trunks -> Internet -> Firewall -> DMZ (Avaya SBCE) -> Firewall -> Enterprise (CS1000)]

Carrier SIP trunks to the Avaya Session Border Controller for Enterprise
• Avaya SBCE is located in a DMZ behind the Enterprise firewall
• Services: security and demarcation device between the IP-PBX and the Carrier
  − NAT traversal
  − Securely anchors signaling and media
  − Normalizes SIP protocol

Avaya SBCE: Remote Worker Architecture

Use Case: Remote Worker
• Extend UC to SIP users remote to the Enterprise
• Solution not requiring VPN for UC/CC SIP endpoints
• From a SECURITY standpoint, it is recommended the SBCE be in the DMZ

[Diagram: Remote Workers -> Internet -> Firewall -> DMZ (Avaya SBCE) -> Firewall -> Enterprise]

Remote Workers are external to the Enterprise firewall. The Avaya Session Border Controller for Enterprise:
− Authenticates SIP-based users/clients to the enterprise
− Securely proxies registrations and client device provisioning
− Securely manages communications without requiring a VPN

Carrier SBC

[Diagram: SP Network (Carrier SBCs) connected to the Enterprise Network (FW, Intranet, IP PBX)]

Carrier SBC
• Historically designed to sit at the SP's edge to protect the carrier
• Complex to use command-line devices
• Provides a distinct separation between networks while providing a means of transporting signaling and media
• Performs topology hiding for the SP
• Tracks calls (CDR) for billing
• Acts as a Network Address Translator (NAT) for the SP
• Provides admission control to limit calls from the customer (and ensure SLA)
• Protocol interworking for H.323 and SIP

Enterprise SBC

[Diagram: Internet (Mobile Users, Telecommuters; SIP Trunking) -> External FW/NAT -> DMZ (Avaya SBCE; SRTP/RTP Remote Worker) -> Internal FW -> Enterprise Network (Intranet, IP PBX)]

Avaya SBCE
• Encryption
  – TLS proxy
  – SRTP proxy
• Enablement
  – FW / NAT traversal
  – Call admission control
  – Signaling and media firewall
• Security
  – Floods and fuzzing prevention
  – Spoofing prevention (fingerprint verification)
  – Media anomaly prevention
  – Stealth attack prevention
  – Toll fraud prevention
• Anti-spam
  – Whitelist/Blacklist
  – Behavior learning

NAT Traversal

[Diagram: IP PBX and SBC (external IP address 192.168.45.4) inside the Enterprise, behind a firewall with public IP address 96.54.23.10, facing the Internet or Provider Network]

• At a basic level, think of it this way: if the SBC sends an INVITE message to the carrier, can the carrier reply and reach IP address 192.168.45.4? No.
• The SBC facilitates NAT traversal by making sure all signaling messages have a REACHABLE return address. In this example, the INVITE would have a source address of 96.54.23.10.
• When a reply is sent, it reaches the firewall, which forwards it to the SBC's external IP address (192.168.45.4).
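The address rewrite described above, as an added example that is not part of the original deck or of Avaya's code: a Python sketch that flags return addresses a carrier could not route a reply to, rewrites them to the firewall's public address, and lists the RTP ports that must be opened in step with the INVITE (the "open / close RTP media ports in sync with SIP signaling" point from the firewall comparison earlier). The INVITE, the hostnames and the function names are constructed for the example; the two IP addresses are the slide's.

```python
import ipaddress
import re
SBC_EXTERNAL_IP = "192.168.45.4"  # SBC external address from the slide (RFC 1918)
FW_PUBLIC_IP = "96.54.23.10"      # firewall public address from the slide

# Constructed sample INVITE, as the SBC would build it before NAT handling.
SAMPLE_INVITE = (
    "INVITE sip:+15551234567@carrier.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.45.4:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@enterprise.example>;tag=1928301774\r\n"
    "To: <sip:+15551234567@carrier.example>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:1001@192.168.45.4:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"  # placeholder; recomputed by nat_fix()
    "\r\n"
    "v=0\r\n"
    "o=sbc 2890844526 2890844526 IN IP4 192.168.45.4\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.45.4\r\n"
    "m=audio 20000 RTP/AVP 0\r\n"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def unreachable_return_addresses(msg: str) -> list[str]:
    # Private (RFC 1918) addresses in Via, Contact or SDP c= lines: a carrier on
    # the Internet cannot route a SIP reply or RTP media back to them.
    return sorted({ip for line in msg.split("\r\n")
                   if line.lower().startswith(("via:", "contact:", "c="))
                   for ip in IP_RE.findall(line) if ipaddress.ip_address(ip).is_private})

def nat_fix(msg: str, inside: str, outside: str) -> tuple[str, list[int]]:
    # Rewrite return addresses in Via/Contact and SDP o=/c= to the public address,
    # recompute Content-Length, and report the RTP ports the SDP advertises (the
    # pinholes a firewall must open, and later close, in sync with this dialog).
    head, _, body = msg.partition("\r\n\r\n")
    ports = [int(ln.split()[1]) for ln in body.split("\r\n") if ln.startswith("m=")]
    body = "\r\n".join(ln.replace(inside, outside) if ln.startswith(("c=", "o="))
                       else ln for ln in body.split("\r\n"))
    headers = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].lower()
        if name in ("via", "contact"):
            line = line.replace(inside, outside)
        elif name == "content-length":
            line = f"Content-Length: {len(body.encode())}"
        headers.append(line)
    return "\r\n".join(headers) + "\r\n\r\n" + body, ports
```

A real SBC also keeps the inside/outside mapping per dialog so that the carrier's replies and media are relayed back to 192.168.45.4; this sketch shows only the outbound rewrite and the pinhole list.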

Avaya Session Border Controller for Enterprise 6.2 - A new but already proven solution

ASBCE 6.2 is further enhancing the Sipera E-SBC with…
• Substantial interoperability testing and improvements in Avaya UC environments, especially for VPN'less remote worker
• Testing against all Avaya UC platforms
  – Avaya Aura®
  – IP Office
  – CS 1000
• New hardware platform targeted at SMEs
• New product structure
  – Separation of ordering hardware and software
  – Fully supported in Support Advantage (enterprise) and IPOSS (IP Office)
• Fully integrated into Avaya processes and tools
  – Ordering and Logistics
  – Services access
  – Available in ASD and EC (spring 2013)
• Migration path for existing Avaya Aura® SBC customers

Call Servers

• For SIP Trunking, an accepted architecture is:
  – Call Server + SBC
  – Call Server + SM + SBC
• A valid call server is
  – CS1k 7.5 ++
  – CM 5.2.1 ++
  – IPO 8.x ++
• Session Manager is NOT required for SIP Trunking
• SM must be 6.x

Carriers Tested as of November 10th, 2013

Alestra, AT&T, AT&T Puerto Rico, Belgacom, Bell Canada, Broad-Connect, Broadview, BT Global Services, BT HIPCOM, BT Italia, BT Wholesale, Cable & Wireless, CenturyLink, Colt, Etisalat, Fastweb SPA, Frontier, Gamma, IntelePeer, KPN, Level 3, MTSAllStream, PAETEC, Phonect, QSC, Sprint, Swisscom, Tele2, Telefonica del Peru, Telenor, Teliasonera, TELUS, T-Mobile NL, UPC, Vamoin1/KPN, Verizon Business, Virgin Media, Vodafone DE, Vodafone NL, VoicePulse, Windstream, Worldnet P. Rico, XO

Find App Notes Here: https://devconnect.avaya.com/public/dyn/d_dyn.jsp?fn=103

ASBCE 6.2 System Capacity

• Session Border Controller capacities are rated in Simultaneous Sessions
  – A simultaneous session = a communication session between 2 SIP endpoints
  – Can think of it as analogous to a DS0 in the 'old world'
  – Key for engineering is to understand the number of sessions required in the solution
• For Secure SIP trunking, look at the number of TDM DS0s required
• For Remote Worker, calculate required call volumes

'Rules of Thumb'
• SIP trunking usually 5 users per 'SS'
• Must account for higher ratio in small
• Remote Worker must consider both On-net and off-net requirements
• Remember, in Dell configs, Encryption Services impact capacity

Hardware Redundancy Options

• SME Offer (Portwell CAD-0208)
  – High Availability is not available
• Enterprise Offer (Dell R210-II)
  – High Availability is an option
  – Will come with a third server for the EMS
  – Geo-Redundancy at Layer 2