SIP Trunking As a Managed Service Why an E-SBC Matters By: Alon Cohen, CTO Phone.com


Post on 14-Dec-2015


Page 1:

SIP Trunking As a Managed Service
Why an E-SBC Matters

By: Alon Cohen, CTO Phone.com

Page 2:

Agenda
• Network Topology (Firewall, SBC, PBX)
• SBC as an Abstraction Layer
• SBC Security
  – Firewall
  – Fraud protection
  – Encryption
• SBC Utility
  – Protocol conversion
  – Transcoding
  – Data capture
  – LCR
  – HA / Load Balancing
  – Statistics

Page 3:

Connecting a SIP Trunk and an SBC

[Diagram labels: Internet, Firewall, SBC, IP PBX, Router, Switch, SIP Trunk Vendor]

Page 4:

Connecting a SIP Trunk and an SBC

Page 5:

SBC as an Abstraction Layer

• Hides the implementation details of the PBX
  – Easy to replace vendors without touching the PBX
  – Easy to replace PBX without vendor coordination
• In simple words:
  – Easy to move forward
  – Easy to save money

Page 6:

Attacks on IP PBX (DOS/TDOS)

• IP PBX requires a wide range of open ports
  – For the RTP media of the SIP Trunk
  – For external IP Phones registration
  – Hence it is open to DOS attacks
  – As well as TDOS (Telephony Denial of Service)
• TDOS Attacks have different attack vectors
  – SIP Registration flood
  – SIP Invite flood
  – Fraud (Make calls on your company’s dime)
  – Eavesdrop

Page 7:

SBC T/DOS Mitigation

• SBC can handle larger amounts of registrations and shield the PBX
  – Good for normal operations as well where you have large numbers of clients outside the enterprise
• SBC can ignore false or incomplete registrations or invites better than the PBX can
• Enforce IP blacklist, with variable blocking periods for Registrations, Subscribes, Option Pulls and protocol errors
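The blacklist bullet above, sketched as an added example that is not part of the original slides or any SBC product's code. The limits, windows and block periods in `POLICY` are assumed values, and the event tuples are constructed sample data.

```python
from collections import defaultdict, deque

# Assumed policy (not from the slides): for each event type, the number of
# events tolerated per sliding window and how long an offending IP stays blocked.
POLICY = {                      # kind: (limit, window_s, block_s)
    "REGISTER":       (5, 10, 300),
    "SUBSCRIBE":      (5, 10, 120),
    "OPTIONS":        (10, 10, 60),
    "PROTOCOL_ERROR": (3, 10, 900),
}

class Blacklist:
    def __init__(self, policy=POLICY):
        self.policy = policy
        self.seen = defaultdict(deque)   # (ip, kind) -> recent timestamps
        self.blocked_until = {}          # ip -> time the block expires

    def allow(self, ts, ip, kind):
        """Return True if the event may be passed on to the PBX."""
        if self.blocked_until.get(ip, 0) > ts:
            return False                 # block period still running: drop
        rule = self.policy.get(kind)
        if rule is None:
            return True                  # event type is not rate-limited here
        limit, window, block = rule
        q = self.seen[(ip, kind)]
        q.append(ts)
        while q and q[0] <= ts - window:
            q.popleft()                  # forget events outside the window
        if len(q) > limit:
            self.blocked_until[ip] = ts + block   # block period depends on kind
            q.clear()
            return False
        return True

def replay(events):
    """Run (timestamp, ip, kind) events through a fresh blacklist."""
    bl = Blacklist()
    return [bl.allow(ts, ip, kind) for ts, ip, kind in events]

# Constructed sample: 203.0.113.9 floods REGISTER, 198.51.100.7 is a normal phone.
SAMPLE = [(t, "203.0.113.9", "REGISTER") for t in range(8)]
SAMPLE += [(8, "198.51.100.7", "REGISTER"),
           (100, "203.0.113.9", "OPTIONS"),
           (400, "203.0.113.9", "REGISTER")]
```

Once an IP is blocked, every request type from it is dropped until the period for the triggering event type expires, which is why the OPTIONS at t=100 is refused and the REGISTER at t=400 is accepted again.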

Page 8:

Encryption

• Most UDP SIP trunk installations today are non-encrypted
• SRTP = Secure RTP (Real-time Transport Protocol) - UDP
• TLS = Transport Layer Security – TCP/IP
• An SBC will let you use encryption in the LAN regardless of vendor capabilities.

Page 9:

So far we saw that an SBC can protect your infrastructure

• Let’s see what else the SBC is good for

Page 10:

Data Capture

• Important during installation
• Important when you encounter problems
  – Calls disconnect
  – QOS
• Simplify SIP packet analysis
• We mentioned Registration Caching

Page 11:

Codec & Transcoding
• Most VOIP devices/trunks support G.711 (uLaw)
• G.711 is good over good networks
• What if you do not have a good network?
  – Transcode to G.729
  – Transcode to OPUS
    • Constant and variable bitrate
    • From 6 kbit/s to 510 kbit/s
    • Frame sizes from 2.5 ms to 60 ms
    • Sampling rates from 8 kHz to 48 kHz (CD Quality)
    • Packet loss concealment
• Fax T.38 translation
• DTMF Translations (if needed)
• Sometimes Video transcoding

Page 12:

Transcoding

Page 13:

Protocol Conversion

• UDP SIP / TCP SIP (Non Secure)
• UDP SIP / TCP SIP TLS & SRTP (Secure)
• Different variants of SDP
• UDP Fragmentation
• SIP / H.323 (Conversion)

Page 14:

SBC as Glue Logic
• Lync / SfB
  – Requires SIP over TCP
  – SRTP / TLS

Page 15:

SfB & SBC

Page 16:

LCR – Least Cost Routing

• An SBC with an LCR can provide major cost savings
  – Some vendors will pay you to terminate Toll Free
  – Local vendors have very low costs on their local footprint
  – International termination varies in cost and quality
• QOS Management by Managing the LCR
  – Increasing cost of low QOS routes

Page 17:

HA – High Availability

• Redundancy Modes
  – Hardware
    • support HA pair
  – Vendor Termination Level
    • Re-route calls to other vendors
  – PSTN Backup
    • T1 line, or Analog as alternate vendor
  – IP PBX Redundancy
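How the LCR slide's "increasing cost of low QOS routes" and this slide's vendor-level re-routing fit together, as an added example that is not from the original slides. The vendors, rates, loss figures, threshold and penalty factor are all constructed or assumed.

```python
from dataclasses import dataclass, replace

LOSS_THRESHOLD = 1.0    # assumed: packet loss (%) above this counts as low QoS
PENALTY_PER_PCT = 0.5   # assumed: +50% effective cost per loss point above it

@dataclass(frozen=True)
class Route:
    vendor: str
    prefix: str         # dialed-number prefix this rate applies to
    rate: float         # cost per minute (constructed figures)
    loss_pct: float     # packet loss the SBC measured on this route
    up: bool = True     # vendor currently reachable

# Constructed rate table, not real vendor pricing.
ROUTES = [
    Route("A", "1", 0.010, 0.2),
    Route("B", "1212", 0.004, 0.1),   # local vendor, cheap on its own footprint
    Route("C", "1", 0.006, 4.0),      # cheap on paper, poor QoS
    Route("A", "44", 0.020, 0.3),
    Route("C", "44", 0.012, 0.5),
]

def effective_cost(r):
    """Per-minute rate inflated by a QoS penalty so poor routes sink in rank."""
    excess = max(0.0, r.loss_pct - LOSS_THRESHOLD)
    return r.rate * (1 + PENALTY_PER_PCT * excess)

def route_list(number, routes):
    """Vendors to try in order: cheapest effective cost first, rest as failover."""
    best = {}                          # vendor -> its longest matching prefix entry
    for r in routes:
        if r.up and number.startswith(r.prefix):
            cur = best.get(r.vendor)
            if cur is None or len(r.prefix) > len(cur.prefix):
                best[r.vendor] = r
    ranked = sorted(best.values(), key=lambda r: (effective_cost(r), r.vendor))
    return [r.vendor for r in ranked]

def vendor_down(routes, vendor):
    """Copy of the table with one vendor marked unreachable."""
    return [replace(r, up=False) if r.vendor == vendor else r for r in routes]
```

For the number 12125550100 the order is B, A, C: vendor C's nominal rate beats A's, but its 4% loss pushes its effective cost above A's, and if B goes down the call falls through to A.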

Page 18:

Load Balancing
• Enterprises can stack IP PBXs.
  – HA
  – Capacity

Page 19:

CDR Generation

• In installations with multiple IP PBX systems, consolidating CDRs can become a pain
• The SBC, as an aggregator of all inbound and outbound calls, can act as a CDR generator or collection point

Page 20:

Statistics & Monitoring

• Most measurable parameters let you set thresholds that trigger an alarm.
• Things you can measure vary and may include
  • QOS: (Jitter, Packet Loss)
  • CPS (Calls Per Second)
  • Call Fail Rate
  • Fraud Alarms
    – Usually triggered by velocity
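Threshold alarms computed over CDRs consolidated at the SBC, covering the CDR Generation and Statistics & Monitoring slides, as an added example that is not from the original deck. The thresholds, the "011" international prefix, the rule that a SIP status of 400 or above counts as a failed call, and the CDR records are all assumed or constructed.

```python
from collections import Counter, defaultdict

# Assumed thresholds (not from the slides).
MAX_CPS = 3              # call attempts per second across all PBXs
MAX_FAIL_RATE = 0.5      # share of failed calls within one minute
MIN_SAMPLE = 4           # ignore minutes with fewer calls than this
MAX_INTL_PER_HOUR = 3    # international calls per extension per hour (velocity)

# Constructed CDRs from two PBXs: (start_s, pbx, extension, dialed, sip_status)
CDRS = [
    (0,    "pbx1", "101", "12125550100", 200),
    (30,   "pbx2", "202", "12125550101", 200),
    (60,   "pbx1", "101", "12125550102", 486),
    (3600, "pbx2", "207", "011442079460000", 200),
    (3660, "pbx2", "207", "011442079460001", 200),
    (3720, "pbx2", "207", "011442079460002", 200),
    (3780, "pbx2", "207", "011442079460003", 200),
    (7200, "pbx1", "101", "12125550103", 503),
    (7200, "pbx1", "102", "12125550104", 503),
    (7200, "pbx2", "201", "12125550105", 503),
    (7200, "pbx2", "202", "12125550106", 503),
    (7201, "pbx1", "103", "12125550107", 200),
]

def alarms(cdrs):
    """Return sorted (alarm, key) pairs for every threshold that was crossed."""
    out = set()
    for sec, n in Counter(ts for ts, *_ in cdrs).items():
        if n > MAX_CPS:
            out.add(("CPS", sec))
    per_min = defaultdict(lambda: [0, 0])        # minute -> [failed, total]
    for ts, _, _, _, status in cdrs:
        per_min[ts // 60][0] += status >= 400
        per_min[ts // 60][1] += 1
    for minute, (failed, total) in per_min.items():
        if total >= MIN_SAMPLE and failed / total > MAX_FAIL_RATE:
            out.add(("FAIL_RATE", minute))
    intl = Counter((ts // 3600, ext) for ts, _, ext, dialed, _ in cdrs
                   if dialed.startswith("011"))
    for (_, ext), n in intl.items():
        if n > MAX_INTL_PER_HOUR:
            out.add(("FRAUD_VELOCITY", ext))
    return sorted(out)
```

Because the records from both PBXs are merged before counting, the CPS and fail-rate alarms at second 7200 fire even though neither PBX alone crosses the threshold.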

Page 21:

Cost Considerations

• Could be high for a very small business
• If fitted correctly
  – Pays for itself via
    • Uptime
    • LCR
    • CIO Reputation

Page 22:

Conclusions

• SBC provided the following benefits
  – Topology hiding
    • Ability to keep improving (abstraction layer)
  – Reliability (vendor redundancy)
  – Cost reduction (LCR)
  – Protocol matching (SIP over TCP vs. UDP, H.323)
  – DOS Protection (Protect the PBX)
  – Data Security (using SRTP/TLS on the trunk)
  – QOS (by using better codecs and monitoring)
  – Even more….
    • NAT Traversal tools, FAX, CDR Collection
    • CALEA, For Vendors – See FBI Booth

Page 23:

SIP Trunking As a Managed Service
Why an E-SBC Matters

By: Alon Cohen, CTO Phone.com
