SIP Trunking As a Managed Service
Why an E-SBC Matters
By: Alon Cohen, CTO Phone.com
Agenda
• Network Topology (Firewall, SBC, PBX)
• SBC as an Abstraction Layer
• SBC Security
  – Firewall
  – Fraud protection
  – Encryption
• SBC Utility
  – Protocol conversion
  – Transcoding
  – Data capture
  – LCR
  – HA / Load Balancing
  – Statistics
Connecting a SIP Trunk and an SBC
[Diagram labels: Internet Firewall, SBC, IP PBX, Router, Switch, SIP Trunk Vendor]
SBC as an Abstraction Layer
• Hides the implementation details of the PBX
  – Easy to replace vendors without touching the PBX
  – Easy to replace PBX without vendor coordination
• In simple words:
  – Easy to move forward
  – Easy to save money
Attacks on IP PBX (DOS/TDOS)
• IP PBX requires a wide range of open ports
  – For the RTP media of the SIP Trunk
  – For external IP phone registration
  – Hence it is open to DOS attacks
  – As well as TDOS (Telephony Denial of Service)
• TDOS attacks have different attack vectors
  – SIP Registration flood
  – SIP Invite flood
  – Fraud (Make calls on your company’s dime)
  – Eavesdrop
SBC T/DOS Mitigation
• SBC can handle larger amounts of registrations and shield the PBX
  – Good for normal operations as well, where you have large numbers of clients outside the enterprise
• SBC can ignore false or incomplete registrations or invites better than the PBX can
• Enforce IP blacklist, with variable blocking periods for Registrations, Subscribes, OPTIONS polls and protocol errors
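The blacklist with variable blocking periods described on this slide, as an added example that is not from the original presentation or from any SBC vendor. The thresholds, the doubling rule and the names `POLICY`, `SourceBlacklist` and `replay` are assumptions, and the message kind is assumed to have been classified already by the SBC's SIP parser.

```python
from collections import defaultdict, deque

# Assumed policy, not from the slides.
# kind: (max messages per window, window in seconds, base block in seconds)
POLICY = {
    "REGISTER": (5, 10, 60),
    "SUBSCRIBE": (10, 10, 30),
    "OPTIONS": (20, 10, 15),
    "PROTOCOL_ERROR": (3, 10, 300),
}

class SourceBlacklist:
    def __init__(self, policy=POLICY):
        self.policy = policy
        self.recent = defaultdict(deque)   # (ip, kind) -> timestamps inside the window
        self.blocked_until = {}            # ip -> time at which the block expires
        self.strikes = defaultdict(int)    # ip -> how many times it was blocked before

    def allow(self, ip, kind, now):
        """Return True if the message may be passed on to the PBX."""
        if self.blocked_until.get(ip, 0) > now:
            return False                   # still blacklisted: drop at the edge
        limit, window, base = self.policy[kind]
        q = self.recent[(ip, kind)]
        q.append(now)
        while q and q[0] <= now - window:  # forget messages older than the window
            q.popleft()
        if len(q) > limit:
            # Variable blocking period: set per message kind, doubled per repeat offence.
            self.blocked_until[ip] = now + base * 2 ** self.strikes[ip]
            self.strikes[ip] += 1
            q.clear()
            return False
        return True

def replay(log):
    """Run (time, source_ip, kind) tuples through a fresh blacklist."""
    bl = SourceBlacklist()
    return [(t, ip, kind, bl.allow(ip, kind, t)) for t, ip, kind in sorted(log)], bl

# Constructed sample traffic (documentation address ranges).
SAMPLE = (
    [(t, "198.51.100.7", "REGISTER") for t in range(8)]               # registration flood
    + [(30, "198.51.100.7", "REGISTER"), (70, "198.51.100.7", "REGISTER")]
    + [(2, "192.0.2.10", "REGISTER"), (4, "192.0.2.10", "OPTIONS")]   # normal client
)

if __name__ == "__main__":
    for row in replay(SAMPLE)[0]:
        print(row)
```

The flooding source is cut off at its sixth REGISTER and stays blocked until t=65, while the normal client is never affected.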
Encryption
• Most UDP SIP Trunk installations today are non-encrypted
• SRTP = Secure RTP (Real-time Transport Protocol) - UDP
• TLS = Transport Layer Security – TCP/IP
• An SBC will let you use encryption in the LAN regardless of vendor capabilities.
So far we saw that SBC can protect your infrastructure
• Let’s see what else the SBC is good for
Data Capture
• Important during installation
• Important when you encounter problems
  – Calls disconnect
  – QOS
• Simplify SIP packet analysis
• We mentioned Registration Caching
Codec & Transcoding
• Most VOIP devices/trunks support G.711 (uLaw)
• G.711 is good over good networks
• What if you do not have a good network?
  – Transcode to G.729
  – Transcode to OPUS
    • Constant and variable bitrate
    • From 6 kbit/s to 510 kbit/s
    • Frame sizes from 2.5 ms to 60 ms
    • Sampling rates from 8 kHz to 48 kHz (CD Quality)
    • Packet loss concealment
• Fax T.38 translation
• DTMF Translations (if needed)
• Sometimes Video transcoding
Transcoding
Protocol Conversion
• UDP SIP / TCP SIP (Non Secure)
• UDP SIP / TCP SIP TLS & SRTP (Secure)
• Different variants of SDP
• UDP Fragmentation
• SIP / H.323 (Conversion)
SBC as Glue Logic
• Lync / SfB
  – Requires SIP over TCP
  – SRTP / TLS
SfB & SBC
LCR – Least Cost Routing
• An SBC with an LCR can provide major cost savings
  – Some vendors will pay you to terminate Toll Free
  – Local vendors have very low costs on their local footprint
  – International termination varies in cost and quality
• QOS Management by Managing the LCR
  – Increasing cost of low QOS routes
HA – High Availability
• Redundancy Modes
  – Hardware
    • Support HA pair
  – Vendor Termination Level
    • Re-route calls to other vendors
  – PSTN Backup
    • T1 line, or Analog as alternate vendor
  – IP PBX Redundancy
Load Balancing
• Enterprises can stack IP PBXs.
  – HA
  – Capacity
CDR Generation
• In installations with multiple IP PBX systems, consolidating CDRs can become a pain
• The SBC, as an aggregator of all inbound and outbound calls, can act as a CDR generator or collection point
Statistics & Monitoring
• Most measurable parameters let you set thresholds that trigger an alarm.
• Things you can measure vary and may include
  • QOS: (Jitter, Packet Loss)
  • CPS (Calls Per Second)
  • Call Fail Rate
  • Fraud Alarms
    – Usually triggered by velocity
Cost Considerations
• Could be high for a very small business
• If fitted correctly
  – Pays for itself via
    • Uptime
    • LCR
    • CIO Reputation
Conclusions
• SBC provided the following benefits
  – Topology hiding
    • Ability to keep improving (abstraction layer)
  – Reliability (vendor redundancy)
  – Cost reduction (LCR)
  – Protocol matching (SIP over TCP vs. UDP, H.323)
  – DOS Protection (Protect the PBX)
  – Data Security (using SRTP/TLS on the trunk)
  – QOS (by using better codecs and monitoring)
  – Even more….
    • NAT Traversal tools, FAX, CDR Collection
    • CALEA, For Vendors – See FBI Booth