
Enterprise Deployment of Converged Networks
Source: icc2002.ieee-icc.org/notes/ICC2002_Sethi_Keynote.pdf

Ravi Sethi, President, Avaya Labs

April 29, 2002

2

Communication Evolution

Legacy: Separate Voice and Data Networks

IP has won

Converged Networks: Promise definite customer benefits, but need technology advances for full deployment

Communication-Enabled Applications: Rich voice-data applications, but need new technologies and processes; build on Converged Networks

Converged Communication


3

Communication Evolution

Legacy: Separate Voice and Data Networks

IP has won

Converged Networks: Promise definite customer benefits, but need technology advances for full deployment
• Five 9s Reliability
• QoS for Voice over IP
• End-to-End Security
• …

Communication-Enabled Applications: Rich voice-data applications, but need new technologies and processes; build on Converged Networks
• Multimodal Interfaces
• Web and Comm Services
• SIP Multimedia Sessions
• …

Converged Communication

Visionaries are here

4

Framework for classifying techniques for Reliability, QoS, Security

Prevention – Anticipate and prevent
Redundancy – Provide spare capacity
Recovery – Take corrective action to restore service
Validation – Validate the desired properties by modeling, simulation or testing
Detection – Detect and predict what-when-where


5

Reliability

6

Reliability needs are at several levels: application, operating system, hardware, network

NEEDS
– Survivability: Can the service be brought back on line swiftly?
– Availability: Is the service available 99.999%?
– Fault Tolerance: Can the system continue operation when faults occur?
– Integrity: Is data and transaction integrity preserved?

LEVEL
– Application
– Operating System
– Hardware
– Network


7

Reliability techniques at the network level

Prevention – Anticipate and prevent faults; e.g., overengineer the network
Redundancy – Provide hot spares; e.g., alternative paths in a network
Recovery – Take corrective action to restore service; e.g., expert systems repair network faults
Validation – Validate the desired properties by modeling, simulation or testing; e.g., protocol testing
Detection – Detect and predict what-when-where of faults; e.g., timeouts signal loss of connectivity

8

Distributed servers and gateways enhance survivability when network failures occur

[Diagram: Main Location with a LAN connecting a Media Server, a Media Gateway and an IP Screenphone]


9

Distributed servers and gateways enhance survivability when network failures occur

Remote users on IP softphones

[Diagram: Main Location (LAN, Media Server, Media Gateway, IP Screenphone) reaching remote and mobile users over the WAN, the PSTN and the Internet]

10

Distributed servers and gateways enhance survivability when network failures occur

Remote users on IP softphones

[Diagram: as slide 9, plus a Remote Location with its own LAN, IP Phone and Survivable Media Gateway, connected to the Main Location over the WAN and to the PSTN]


11

QoS

12

QoS management applies to network infrastructure and to applications

QoS includes Voice Quality, Response Time, Delay, Jitter, Loss, Throughput

[Diagram: a QoS Management Server, driven by QoS Goals, sends Control/Signals to and receives Status/Events from the Infrastructure and the Applications]
– Specify per-user/application-level QoS goals
– Measure QoS conformance
– (Re)Configure network and servers to achieve QoS goals


13

QoS techniques at the network layer

Prevention – Anticipate and prevent congestion; e.g., priority levels, drop packets
Redundancy – Provide hot spare capacity; e.g., overprovisioning
Recovery – Take corrective action to restore service; e.g., reroute traffic, load balancing
Validation – Validate desired properties by modeling, simulation or testing; e.g., network assessment for VoIP
Detection – Detect and predict what-when-where of congestion; e.g., network monitoring

14

QoS-Enabled Networks – Challenges

Network readiness
– Provide for desired bandwidth, delay, jitter, loss, etc.

QoS policies
– Determine QoS goals and granularity (per flow type, per application, per user, etc.)
– Map goals to network/application mechanisms

Heterogeneity
– Non-uniform implementation of QoS mechanisms across vendors, domains, systems and layers
– Bandwidth in different segments
– Common management schema/standards

Dynamic conditions
– Load, applications, network conditions and users
– Correctness of network data in face of constant change


15

Assess network readiness for voice over IP and propose changes to ensure QoS

– Automatically discover routers and switches from route tables, Layer 2 forwarding tables, and VLAN info
– Based on topology, synthesize VoIP traffic
– Monitor network device status and correlate with VoIP QoS on exact call paths

[Chart: MOS (scale 1 to 4) per synthesized call path (150 <--> 211, 150 <--> 233, 211 <--> 233, 233 <--> 233, 211 <--> 211, 150 <-> 150) for work, non-work and weekend periods, with a network-wide summary]

16

Assess network readiness for voice over IP and propose changes to ensure QoS

– Use statistical methods to assign poor QoS to specific network devices
– Produce dynamic graphical/visual displays of data
  – Network-wide summaries
  – Coded network diagrams
  – Drill-down on paths and elements

[Diagram: coded network diagram with nodes A, B and C and an over-utilized link; drill-down chart of ifInOctets and ifOutOctets for interface 198.152.3.40:18 (0 to 80) from 09/14 to 09/26]
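Slides 15 and 16 describe synthesizing VoIP calls across discovered paths, scoring them (MOS) and statistically pinning poor QoS on specific network elements. The Python below is an added example and not Avaya's assessment tool: it scores constructed per-path delay, jitter and loss measurements with the simplified ITU-T G.107 E-model (R-factor to MOS), then ranks links by the share of poor calls that crossed them. The hub-and-spoke topology, the measurements, the G.711 loss constants (ie=0, bpl=4.3) and the "jitter buffer adds 2x jitter" allowance are my assumptions, and the link-ranking statistic is a deliberately simple stand-in for whatever method the slide alludes to.

```python
"""Added example (not from the slides): score synthesized VoIP call paths with a
simplified E-model and attribute poor QoS to the links the poor calls share."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class CallPath:
    name: str            # endpoints of the synthesized call
    links: tuple         # links traversed, from a constructed topology
    delay_ms: float      # measured one-way delay
    jitter_ms: float     # measured jitter
    loss_pct: float      # measured packet loss, percent


def r_factor(delay_ms, jitter_ms, loss_pct, ie=0.0, bpl=4.3):
    """Simplified ITU-T G.107 E-model rating R.
    Assumptions: Ro - Is collapse to the default 93.2; the jitter buffer adds
    2x jitter of delay; ie=0 / bpl=4.3 are the G.113 values I assume for G.711
    with packet-loss concealment (other codecs need their own constants)."""
    d = delay_ms + 2.0 * jitter_ms
    delay_impairment = 0.024 * d + (0.11 * (d - 177.3) if d > 177.3 else 0.0)
    loss_impairment = ie + (95.0 - ie) * loss_pct / (loss_pct + bpl)
    return 93.2 - delay_impairment - loss_impairment


def mos_from_r(r):
    """Map R to a Mean Opinion Score (G.107 Annex B conversion)."""
    if r < 0:
        return 1.0
    if r > 100:
        return 4.5
    return 1.0 + 0.035 * r + r * (r - 60.0) * (100.0 - r) * 7e-6


def score_paths(paths, mos_floor=3.6):
    """Return {path name: MOS} and the paths scoring below the floor."""
    scores = {p.name: mos_from_r(r_factor(p.delay_ms, p.jitter_ms, p.loss_pct))
              for p in paths}
    poor = [p for p in paths if scores[p.name] < mos_floor]
    return scores, poor


def suspect_links(paths, poor):
    """Rank links by the fraction of calls through them that were poor.
    A link used only by poor calls scores 1.0 (simple attribution statistic,
    my assumption, not the slide's method)."""
    total, bad = Counter(), Counter()
    for p in paths:
        total.update(p.links)
    for p in poor:
        bad.update(p.links)
    return sorted(((bad[l] / total[l], l) for l in total), reverse=True)


# Constructed measurements over a constructed hub-and-spoke topology.
SAMPLE_PATHS = [
    CallPath("hq<->hq", ("hq-core",), 5, 1, 0.0),
    CallPath("hq<->branch-a", ("hq-core", "core-wan1", "wan1-branch-a"), 40, 5, 0.2),
    CallPath("hq<->branch-b", ("hq-core", "core-wan2", "wan2-branch-b"), 60, 20, 3.0),
    CallPath("branch-a<->branch-b",
             ("wan1-branch-a", "core-wan1", "core-wan2", "wan2-branch-b"), 90, 25, 2.5),
]


def assess(paths=SAMPLE_PATHS):
    """Score every path and return (scores, names of poor paths, link ranking)."""
    scores, poor = score_paths(paths)
    return scores, [p.name for p in poor], suspect_links(paths, poor)


if __name__ == "__main__":
    scores, poor, ranking = assess()
    for name, mos in scores.items():
        print(f"{name:22s} MOS {mos:.2f}{'  POOR' if name in poor else ''}")
    print("suspect links:", ranking[:2])
```

With the constructed data both calls that traverse the branch-b WAN link score below the floor while the branch-a and intra-HQ calls do not, so the two links shared only by poor calls rise to the top of the ranking; the same ranking would be misleading on a real network if the poor calls were too few to separate a shared link from a coincidence, which is why the slide speaks of statistical methods rather than a single snapshot.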


17

Security

18

Security attacks: frequency rapidly escalating, types constantly changing

• 150 to 200 new viruses per month
• 60-70% of security breaches are internal
• Viruses and hacking cost $266 billion in US last year*

Data from Carnegie Mellon Computer Emergency Response Team; * Global Information Security Survey (InformationWeek and Price Waterhouse Coopers)

[Chart: CERT Security Reports 1988-2001, incident count and vulnerability count by year (0 to 60000, 1988 to 2000)]

[Chart: CERT Vulnerabilities 1995-2001 (0 to 2500, 1995 to 2001)]


19

Security domains overlay applications and infrastructure

[Diagram: nested security domains with Security Management spanning all of them; labels include Firewalls, VPN, Identity and Access Mgmt, and OS, applications, data]

– Extended Perimeter: Security policies and procedures beyond the physical perimeter of the enterprise: remote workers, B2B partners & suppliers, extranets etc.
– Perimeter: Network level controls to filter traffic and manage access; Encryption
– Control Domain: Security monitoring; Enterprise-wide Authentication; & Data protection
– Resource Domain: Application level access, authentication & authorization; Data Protection & Encryption

20

Security measures include

• Encrypt voice so sniffers hear only white noise
• Filter packets based on addresses, port numbers
• Eliminate common attacks by disabling un-needed services; e.g. NFS, X-windows, rexec, …
• Protect network servers against viruses by eliminating incoming e-mail, web browsers, shared drives
• Defend against denial-of-service attacks by discarding suspicious packets
• Set, communicate, and enforce security policies
• Make it convenient: if it’s too hard, it’ll be circumvented

Security begins with the people and organizations that operate and use the system


21

Security techniques at the network level

Prevention – Anticipate and prevent attacks; e.g., authentication, firewalls, encryption
Redundancy – Provide spare capacity ready for deployment; e.g., backups, alternative sites
Recovery – Take corrective action to restore service; e.g., attention by network administrator
Validation – Validate desired properties by modeling, simulation or testing; e.g., digital signatures, network discovery
Detection – Detect and predict what-when-where of attacks; e.g., intrusion detection

22

Securing Converged Networks and Business Systems – Challenges

Keeping current
– New forms of attacks
– Attacks increasing: data and service theft; spoofing; denial of service; viruses and vandalism; eavesdropping
– Security patches from vendors

User and operations staff education and training
– Security awareness
– Following good security practices: strong passwords, regular virus checker updates etc.
– Security intrusion detection and response processes

Incorporating secure programming practices
– By vendors
– By in-house programming staff


23

Libsafe 2.0 protects against common security attacks: “buffer overflow” and “format string”

– Proactively detect and terminate security attacks, even unknown ones
– Libsafe is a protection library that can be linked to any binary without access to its source code
– Instrumentation restricted to “unsafe” functions to minimize performance overhead (usually ~1%)
– Platforms supported: Linux, Windows NT/2000
– 6 committed Linux distributors: RedHat, Debian, TurboLinux, Mandrake, Slackware, Yggdrasil
– Improved version Libverify detects more buffer overflow attacks

Available from http://www.research.avayalabs.com/project/libsafe

24

Firedoors are transparent bridges that can be triggered to isolate “dirty” machines

[Diagram: Enterprise Network; a Router, Firewall or a Switch; a Door Keeper; Firedoors placed between switched VLAN segments or VPNs inside an enterprise]

Partition a network to fight viruses and worms
– Firewalls are useless once a network is breached
– Block traffic only to attacking network segment; e.g. port 25 from a certain VLAN
– Isolate data while voice goes through

Operates in 3 modes
– Transparent: pass all packets with no interference
– Hunting: pass packets only from clean segments
– Opaque: pass no packets except Firedoor controls

Firedoor can be controlled via encrypted messages from Door Keeper (FireDoor Manager) to change mode, download updated access lists onto the router/switch to block traffic, …
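The three Firedoor modes, the per-segment block rule (e.g. port 25 from one VLAN), the voice-passes-while-data-is-isolated behaviour and the Door Keeper control channel from this slide, as an added Python model that is not Avaya's Firedoor code. The packet fields, the JSON control message, the HMAC-SHA256 authentication with a sequence number (my stand-in for the slide's "encrypted messages"; it covers authenticity and replay, not confidentiality) and the sample traffic are all my assumptions.

```python
"""Added example (not Avaya code): a Firedoor policy model with transparent,
hunting and opaque modes and authenticated Door Keeper control messages."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field


@dataclass
class Packet:
    src_segment: str   # VLAN / segment the packet arrived from
    dst_port: int
    kind: str          # "voice", "data" or "control" (Firedoor control traffic)


@dataclass
class Firedoor:
    key: bytes                                   # shared with the Door Keeper (assumption)
    mode: str = "transparent"
    dirty: set = field(default_factory=set)      # segments declared compromised
    blocks: set = field(default_factory=set)     # explicit (segment, dst_port) blocks
    voice_passthrough: bool = True               # "isolate data while voice goes through"
    last_seq: int = 0                            # replay protection for control messages

    def decide(self, p: Packet) -> str:
        """Return "pass" or "drop" for one packet under the current mode."""
        if p.kind == "control":
            return "pass"                        # Door Keeper stays reachable in every mode
        if self.mode == "opaque":
            return "drop"                        # pass no packets except Firedoor controls
        if self.mode == "transparent":
            return "pass"                        # pass all packets with no interference
        # hunting: explicit blocks first, then only clean segments (voice may be exempt)
        if (p.src_segment, p.dst_port) in self.blocks:
            return "drop"
        if p.src_segment in self.dirty and not (self.voice_passthrough and p.kind == "voice"):
            return "drop"
        return "pass"

    def apply_control(self, wire: bytes) -> bool:
        """Apply a Door Keeper message only if its MAC verifies and its sequence
        number is fresh; returns True when the message was applied."""
        envelope = json.loads(wire)
        msg = envelope["msg"].encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["mac"]):
            return False                         # forged or tampered: ignore
        cmd = json.loads(msg)
        if cmd["seq"] <= self.last_seq:
            return False                         # replayed: ignore
        self.last_seq = cmd["seq"]
        if "mode" in cmd:
            self.mode = cmd["mode"]
        self.dirty.update(cmd.get("dirty", []))
        for seg, port in cmd.get("block", []):   # "download updated access lists"
            self.blocks.add((seg, port))
        return True


def door_keeper_message(key: bytes, seq: int, **cmd) -> bytes:
    """Build an authenticated control message as the Door Keeper would."""
    body = json.dumps({"seq": seq, **cmd})
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"msg": body, "mac": mac}).encode()


# Constructed sample traffic: SMTP and SIP from vlan10, web from vlan20, one control packet.
SAMPLE = [Packet("vlan10", 25, "data"), Packet("vlan10", 5060, "voice"),
          Packet("vlan20", 80, "data"), Packet("vlan10", 4000, "control")]


def demo():
    """Decisions before and after the Door Keeper switches the door to hunting
    mode, declares vlan10 dirty and blocks port 25 from it."""
    key = b"constructed-shared-key"
    door = Firedoor(key)
    before = [door.decide(p) for p in SAMPLE]
    door.apply_control(door_keeper_message(key, 1, mode="hunting",
                                           dirty=["vlan10"], block=[["vlan10", 25]]))
    after = [door.decide(p) for p in SAMPLE]
    return before, after


if __name__ == "__main__":
    print(demo())   # transparent passes everything; hunting drops vlan10 SMTP, voice still flows
```

In hunting mode the explicit block is checked before the dirty-segment rule, so an access-list entry wins even for voice; reverse the order if voice must always pass. The control path accepts nothing unauthenticated, which matters because the door is also what an attacker on a dirty segment would most like to switch back to transparent.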


25

Trend: Communication is integrating into applications and business processes

Communication-Enabled Applications: Rich voice-data applications, but need new technologies and processes
• Multimodal Interfaces
• Web and Comm Services
• SIP Multimedia Sessions
• …

build on Converged Networks

Converged Communication

26

Fail Safe enables the right people, with the right tools, to respond rapidly to a crisis


27

Fail Safe enables the right people, with the right tools, to respond rapidly to a crisis

[Diagram: Dynamically Changing Configurations. A Supply Chain Event Manager raises an Exceptional Event (e.g., Overheating Engines) that requires a crisis conference; a Supply Chain Rules Engine determines the Decision Team (people/roles needed). The Fail Safe Application uses a Presence Service, Audio Conferencing and Notification-Response to notify members who are present, find and notify non-present members, and audio-conference the members who accept. It runs on a Web Server, a Call Feature Server and a Messaging Server, reaching members on PC only or PC/Softphone, PC and Desk Phone, PDA and Mobile Phone, Mobile Phone, . . .]

28

SIP (Session Initiation Protocol) Overview

SIP is a simple signaling protocol
– Small set of required messages and responses
– Internet philosophy
– Borrows heavily from existing Internet paradigms
– Session parameters negotiated using SDP (Session Description Protocol)
– Media sessions typically use RTP (Real Time Protocol)

[Diagram: call flow between two endpoints: Invite + SDP, Ringing, OK + SDP, Ack, Media Session, Bye, OK]
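The call flow on this slide (Invite + SDP, Ringing, OK + SDP, Ack, media session, Bye, OK), as an added Python example that runs both user agents against each other and negotiates the media session from the SDP offer and answer. It is not Avaya code and not a SIP stack: the user names, documentation addresses (192.0.2.x), ports, tags and SDP bodies are constructed, only the handful of headers needed for the flow are carried, and transport and authentication are out of scope. The one defensive detail worth noting is that the parser cuts the body at Content-Length, so bytes trailing a message on the wire never reach the SDP parser.

```python
"""Added example (not Avaya code): the slide's SIP call flow between two model
user agents, with SDP codec negotiation. Names and addresses are constructed."""

# Constructed SDP bodies (RFC 2327 syntax, RFC 5737 documentation addresses).
ALICE_SDP = ("v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=demo\r\n"
             "c=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0 8\r\n")
BOB_SDP = ("v=0\r\no=bob 1 1 IN IP4 192.0.2.20\r\ns=demo\r\n"
           "c=IN IP4 192.0.2.20\r\nt=0 0\r\nm=audio 3456 RTP/AVP 8\r\n")

# Constructed dialog headers shared by every message of the call.
BASE = {"Via": "SIP/2.0/UDP 192.0.2.10;branch=z9hG4bK776",
        "From": "<sip:alice@example.com>;tag=1928",
        "To": "<sip:bob@example.com>",
        "Call-ID": "a84b4c76e66710@192.0.2.10"}


def build(start_line, headers, body=""):
    """Serialize a SIP message; Content-Length is always derived from the body."""
    h = {k: v for k, v in headers.items() if k not in ("Content-Type", "Content-Length")}
    if body:
        h["Content-Type"] = "application/sdp"
    h["Content-Length"] = str(len(body.encode()))
    return start_line + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in h.items()) + "\r\n" + body


def parse(raw):
    """Split a message into (start line, headers, body). The body is cut at
    Content-Length so trailing bytes on the wire never reach the SDP parser."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    length = int(headers.get("Content-Length", "0"))
    return lines[0], headers, body.encode()[:length].decode()


def sdp_media(sdp):
    """Return (ip, port, [payload types]) from the c= and m=audio lines."""
    ip = port = None
    pts = []
    for line in sdp.splitlines():
        if line.startswith("c="):
            ip = line.split()[-1]
        elif line.startswith("m=audio "):
            fields = line.split()
            port, pts = int(fields[1]), [int(p) for p in fields[3:]]
    return ip, port, pts


def run_call():
    """Drive both user agents through the slide's sequence. Returns the
    transcript as (direction, start line) pairs and the negotiated media."""
    transcript = []

    def send(direction, raw):
        transcript.append((direction, raw.split("\r\n", 1)[0]))
        return parse(raw)

    # Alice -> Bob: INVITE carrying the SDP offer; Bob reads the offer.
    _, hdr, body = send("alice->bob", build("INVITE sip:bob@example.com SIP/2.0",
                                            {**BASE, "CSeq": "1 INVITE"}, ALICE_SDP))
    offer = sdp_media(body)

    # Bob -> Alice: provisional 180 Ringing, then 200 OK with the SDP answer.
    # Bob adds his own tag to To, which completes the dialog identifier.
    bob_hdr = {**hdr, "To": hdr["To"] + ";tag=9fxced76sl"}
    send("bob->alice", build("SIP/2.0 180 Ringing", bob_hdr))
    _, hdr, body = send("bob->alice", build("SIP/2.0 200 OK", bob_hdr, BOB_SDP))
    answer = sdp_media(body)

    # Alice keeps the first offered codec Bob accepted and confirms with ACK.
    common = [pt for pt in offer[2] if pt in answer[2]]
    if not common:
        raise ValueError("no common codec")
    send("alice->bob", build("ACK sip:bob@example.com SIP/2.0", {**hdr, "CSeq": "1 ACK"}))
    media = {"alice": (offer[0], offer[1]), "bob": (answer[0], answer[1]),
             "payload_type": common[0]}
    transcript.append(("alice<->bob", f"RTP media session, payload type {common[0]}"))

    # Either side may end the call: BYE is answered with 200 OK.
    send("alice->bob", build("BYE sip:bob@example.com SIP/2.0", {**hdr, "CSeq": "2 BYE"}))
    send("bob->alice", build("SIP/2.0 200 OK", {**hdr, "CSeq": "2 BYE"}))
    return transcript, media


if __name__ == "__main__":
    for direction, line in run_call()[0]:
        print(f"{direction:12s} {line}")
```

The media session itself is RTP between the two c=/m= addresses the SDP exchange agreed on, which is why the slide's security bullet about encrypting voice applies to that second, separately addressed stream and not to the signalling alone.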


29

Migration to SIP-Based Enterprise Telephony

[Diagram: Telephony Application Servers (TDM, H.323, SIP) connected to the PSTN/Internet; a Communication App. Platform with Registrar, SIP Proxy and Redirect servers, Location Services, Presence Services, DNS and Directories; SIP User Agents (IP Phone) alongside TDM and Analog Phones; Communication Apps (Voice Mail, CTI, Call Center); a Business App. Platform hosting New Communication Apps (Presence-enabled apps, Web- & voice-enabled apps, IM)]

30

Synopsis of SIP Scenarios

Avaya Labs tradeshow demos
– Networld+Interop (9/01), SIPIT (12/01), SIP 2002 (1/02)

Scenarios
– Interoperability between SIP phones and ‘traditional’ phones
– Interoperability across SIP end-points from multiple vendors
– Bridging SIP Instant Messaging capabilities into voice environment
– Presence and rules-based Call and Instant Message routing
– Innovative end-point features; e.g., PDA interworking using infrared ports
– Multimedia features: video and app sharing
– Presence monitoring for each supported end-point


31

Intra-Enterprise SIP Communications Demo

[Diagram: LAN hosting a SIP IP600 / SIP Authority, a VxML Server, DNS, a Messaging System, a SIP Screen Phone, a SIP Phone + Palm, a 3rd-party SIP Phone, RTC Clients and an H.323 Phone; an Analog Interface and an E1 trunk to the PSTN reach a Digital Phone and a Cell Phone]

32

SIP implications for converged communication

• Standardized personal address means there’s one way to “place the call” regardless of recipient’s device
• Supports multi-modal communications and devices
• Equalizes real-time and near-real-time communications into a session, thus changing the focus of communication from mode to user
• Enables rapid creation of communication-enabled enterprise applications from standardized components
• Services-based environment accommodates both peer-to-peer and client-server apps

SIP is to Real-Time People-to-People Communications what HTTP was to Information Exchange on the World Wide Web.


33

Presence

Presence
– Dynamic information about an individual's existence, status, location, and accessibility.

Presence is the enabler for intelligent user centric communications
– Build new context-sensitive applications so that “who, where, when, and how” all make a difference
– Empower the user with more information, better choices based on the particular situation

Beyond: “anyone, anywhere, anytime, anyhow”
To: “the Right person, in the Right place, at the Right time, the Right way”

34

Migrating to Converged Communication

Legacy: Separate Voice and Data Networks

IP has won

Converged Networks: Promise definite customer benefits, but need technology advances for full deployment

Communication-Enabled Applications: Rich voice-data applications, but need new technologies and processes; build on Converged Networks

Converged Communication