michael-graves
Acme Packet Presentation Materials for VUC June 18th 2010
VoIP and Telephony User Conference Solution Brief, June 18, 2010

Acme Packet enterprise SBC solutions control four IP network borders

– VoIP & UC security
– SIP trunking
– SIP & H.323 interoperability
– Data center disaster recovery
– Remote site survivability
– Contact center virtualization
– Remote site & worker connectivity via the Internet
– Regulatory compliance – recording & privacy

The four borders:
1. SIP trunking border
2. Private network border
3. Internet border
4. Hosted services border

[Diagram: the enterprise (HQ/campus, data centers, IP PBX, UC) and its four borders. Labels: service providers and PSTN (SIP); private network with regional site and remote sites (H.323, SIP); Internet with tele-worker, nomadic/mobile user and remote site; hosted services (contact center, audio/video conferencing, IP Centrex, etc.); IP subscribers.]
Proprietary and Confidential

Acme Packet market-leading Net-Net product family

Products and functions:
– Net-Net OS
– Session border controller
– Session routing proxy
– Multiservice security gateway
– Net-Net EMS & SAS

Capabilities:
– Security
– Service reach maximization
– SLA assurance
– Revenue & cost optimization
– Regulatory compliance
– High availability
– Multi-protocol

Platforms:
– Net-Net 2600
– Net-Net OS-E (software-only)
– Net-Net 3800
– Net-Net 4250 & Net-Net 4500 & Net-Net ATCA
– Net-Net 9200

Net-Net platform capacity comparison

| | Net-Net 2600 [1] & Net-Net OS-E [2] | Net-Net 3800 [1] | Net-Net 4250 [1] | Net-Net 4500 [1] & ATCA blade [1] | Net-Net 9200 [1] |
| --- | --- | --- | --- | --- | --- |
| Licensed session capacity range | NN2600: 150 – 4K; NNOS-E: 25 – 500 | 150 – 4K | 250 – 32K | 500 – 32K | 4K – 128K |
| System throughput | 5 Gbps | 5 Gbps | 5 Gbps | 5 Gbps | 5 Gbps or 10 Gbps |
| Network interfaces (# active) | (6) 1 Gbps | (4) 1 Gbps | (2) 1 Gbps | (4) 1 Gbps | (8) 1 Gbps or (2) 10 Gbps |
| IPsec tunnel capacity | n/a | 5K | 120K | 200K | 400K |
| Transcoding session capacity | 400 | Not available | Not available | Not available | 0 – 16,000 |
| Local route table capacity (# of routes) | 1M | 1M | 1M | 2M | 1M or 2M |

Note 1: Capacity can vary by signaling protocol, call flow, codec, configuration, feature usage and SPU and NPU options
Note 2: Capacity of third-party platforms running Net-Net OS-E may vary depending on the server capabilities; standard NNOS-E licensing is limited to 500 sessions

Acme Packet Net-SAFE security framework

SBC DoS/DDoS protection
– Protect against SBC DoS/DDoS attacks & overloads
Access control
– Dynamic, session-aware access control
Topology hiding & privacy
– Complete service infrastructure hiding, user privacy support
– Support for L2 and L3 VPN services, traffic separation and security
Viruses, malware & SPIT mitigation
– Deep packet inspection enables protection against malicious or annoying attachments / traffic
Infrastructure DoS/DDoS prevention
– Prevent DoS/DDoS attack infiltration to service infrastructure & subscribers
Fraud prevention
– Prevent misuse & fraud
– Protect against service theft
Monitoring and reporting
– Record attacks & attackers
– Provide audit trails

[Diagram: Net-SAFE framework elements: SBC DoS protection; fraud prevention; access control; topology hiding & privacy; service infrastructure DoS prevention; viruses, malware & SPIT mitigation.]

How an enterprise SBC helps with SIP trunk security

Although many service provider SIP trunks are delivered over private IP networks instead of public IP WANs, security issues can still arise
Most enterprise security officers will apply the “Defense in Depth” model to the SIP trunk IP flow
– Just as they do for other IP flows like email and web applications
The enterprise SBC acts as the Application Layer Gateway (ALG) for all SIP signaling and media traffic – similar to ALGs used for other enterprise IT applications today
– Features include dynamic port control, full SIP firewall, and DDoS protection
Service providers use SBCs to protect their network – shouldn’t enterprises do the same?

[Diagram: “Defense In Depth” security model. Labels: enterprise infrastructure; web traffic security proxy; email traffic security proxy; SIP traffic security proxy; service provider SIP trunking infrastructure; MPLS VPN; PSTN.]

SBC DoS/DDoS protection

Dynamic trust management
– Success based trust model protects resources
– Adjust resources based on real-time events
Proactive threat mitigation
– Drop malformed sessions
– Block known malicious traffic sources
– Identify automated calling and reject based on defined policies

[Diagram: enterprise network borders under attack. Labels: hosted services/IP contact center ASP; PSTN; service providers (SIP, H.323); other IP subscribers; MPLS VPN; Internet; headquarters (CC, IPT, UC); RO; BO; SOHO; mobile user; nomadic user; zombie PCs; spammers.]

SBCs eliminate communications barriers

Session control
– Unify dial plans - DNS, ENUM, LDAP, Local Route Tables (LRT)
– Route sessions – policies based on ToD/DoW, cost, media, etc.
NAT traversal (adaptive, STUN)
– Cross NAT/FW borders
– Define trusted users/devices
– Contain unidentified/untrusted users/devices
Protocol interworking/correction
– Interwork signaling, transport & encryption protocols
– Correct protocol variations – malformed/non-compliant headers
– Transcode between codecs
– Adapt IMS for enterprise

[Diagram: enterprise network borders. Labels: hosted services/IP contact center ASP; PSTN; service providers (SIP, H.323); other IP subscribers; MPLS VPN; Internet; headquarters (CC, IPT, UC); regional office (RO); branch office (BO); SOHO; mobile user; nomadic user.]

How SBC helps with SIP trunking interoperability

PBXs are not always able to connect directly to carrier SIP trunks due to differences in SIP implementations or when H.323 is the only available IP interface
Acme Packet solves this problem by providing:
– Complete SIP header manipulation rule (HMR) capabilities to interwork different SIP dialects between PBX and carrier SIP trunking elements
– Full H.323 – SIP interworking
– Media transcoding & DTMF format (INFO / 2833) interworking
– Signaling transport (UDP / TCP / TLS) and media encryption (RTP/SRTP) interworking
These capabilities enable virtually any SIP or H.323 capable PBX or UC platform to talk to any carrier SIP trunk service
– Proven interoperability with all of the major PBX and UC vendors & SIP trunk carriers

[Diagram: enterprise telephony infrastructure (including OCS 2007) connecting over SIP or H.323 to the service provider SIP trunking infrastructure (MPLS VPN, PSTN).]

How an enterprise SBC helps with SIP trunk troubleshooting

A challenge for many enterprise telephony managers is how to apply traditional TDM troubleshooting methods to SIP trunks
The enterprise SBC helps by providing an embedded probe that allows you to monitor all SIP & H.323 signaling and media traffic
– Provides full signaling traces, ladder diagrams, and media statistics
– Information is automatically collected and can be retrieved via EMS and can be sorted based on calling or called party number, SIP call ID, time-of-call, etc.
– An embedded call recording utility is also provided
– EMS allows partitioned access to control who can view what information

Call Diagram = Ladder Diagram & Detailed Message Trace
Statistics = Media Quality Stats with MOS, packet loss, etc.
Play = Bi-directional Media Recording Capability (on-platform Session Replication for Recording (SRR))