Acme Packet Session Border Controller

  • 8/3/2019 Acme Packet Session Border Controller

    1/35

    EMEA TECHSHARE 2009

    THE FUTURE BEGINS

    Session Border Controllers: Connecting the IP World

    Acme Packet and Avaya Lead The Way

    April 9, 2009

    Neil Segall, Business Development

    Margie Frasier, Channel Development

    Agenda

    Why should I care about SBCs?

    What is an SBC?

    Product Overview

    Working together

    We are not Bugs Bunny!!

    Beep Beep

    Argh!~

    Why should I care about SBCs?

    Reduce cost

    Deliver business agility

    Secure loyal customers

    Market Trends

    Service providers

    Making SIP value available to enterprises

    Relying on SBCs for peering and secure access

    Reselling or recommending CPE SBCs for security and interworking

    Enterprises and contact centres

    Embracing converged voice/data for UC, CC, & CEBP

    Migrating increasingly to SIP

    Moving to SIP trunking for lower costs & power consumption

    Recognizing identity, trust and security as critical to UC success

    Dealing with interworking and regulatory concerns

    Future of interactive communications?

    [Diagram: "The Internet" compared with "The Federnet"]

    Federnet: The eight driving factors

    1. In IP, we trust no one

    2. Addresses will forever be a collection of heterogeneous schemes

    3. SIP is not the only signaling protocol

    4. Codecs will never converge to a couple - audio & video

    5. Unlimited bandwidth, QoS and signaling resources will forever be a myth

    6. Some sessions are more valuable than others

    7. IP IC regulation will increase

    8. Business models will never be homogenous

    Next Generation Communications

    [Architecture diagram. Layers: Access, Connection, Application. Labels: Communication Manager Core, CM, SM, System Manager, Application Platform, App, MX, MM, VP, Media Servers, G860, SIP Trunks, TDM Trunks, PSTN Providers, 3rd Party PBXs, 3rd Party endpoints, Avaya one-X endpoints, Avaya CM Branch / Stand alone, Remote workers over Internet, Outsourcers, Federated, Internet, Acme Packet SBC]

    Joint Value Proposition

    Acme Packet SBCs augment Avaya solutions for UC and CC

    Defend SIP signaling elements against security threats, overloads

    Eliminate border signaling and many other interoperability issues

    Preserve session quality under load and adverse conditions

    Extend Avaya application reach across IP network borders

    Support regulatory compliance

    Key Benefits

    Faster Avaya solutions deployment at lower risk and cost

    Safe use of cost-effective SIP trunks

    High-quality session delivery to workers across the enterprise

    Improves customers' options for customizing their networks

    What is an SBC?

    What is a Session Border Controller?

    Session: real-time, interactive communications - voice, video & multimedia - using SIP, H.323, MGCP/NCS, H.248

    Border: IP-IP network borders

    Interconnect/peering: between service providers

    Subscriber access: enterprise, residential or mobile services

    Data center: retail or wholesale services

    Enterprise: intra- & extra-enterprise

    Control:

    Security

    Service reach maximization

    SLA assurance

    Revenue & cost optimization

    Regulatory compliance

    [Diagram labels: Large enterprise; Mobile services; PSTN; PSTN origination & termination; Directory services; IP transit; PSTN termination; IP contact center; Residential & business services]

    Why SBCs Instead of Firewalls?

    Because traditional firewalls cannot:

    Prevent SIP-specific overload conditions and malicious attacks

    Open / close RTP media ports in sync with SIP signaling

    Track session state and provide uninterrupted service

    Perform interworking or security on encrypted sessions

    Scale to handle many 1000s of real-time sessions

    Provide carrier class availability

    InfoSec teams deploy a defence-in-depth model with application-level security proxies for email and web applications

    Same model applies for IP telephony, UC and IP contact center applications

    Acme Packet SBC secures & assures Avaya unified communications

    Completes Avaya's cost-effective end-to-end SIP architecture: SIP trunking and border interworking; remote site & worker connectivity; reduced maintenance costs

    Provides best-in-class VoIP & UC security: integrated with Avaya Session Manager, Communication Manager and Voice Portal

    Assures quality and high availability: disaster recovery and survivability

    Helps achieve regulatory compliance: emergency calls, privacy, recording

    [Diagram. Borders: 1. SIP trunking border; 2. Hosted services border; 3. Internet border. Labels: Redundant data centers; Contact center, audio/video conferencing, IP Centrex, etc.; To PSTN; HQ/campus; Regional site; Remote site; Tele-worker; Nomadic/mobile user; Federated partners; Internet; Private network; CC; UC; ASM; APKT; SIP; H.323]

    Product Overview

    Acme Packet Products

    # sessions: 150-500; 250-8,000; 1,000-16,000; 4,000-72,000

    # lines: 750-2,500 (Data Center / branch office); 1,250-40,000 (Data Center); 5,000-80,000 (Data Center); 20,000-360,000 (Data Center, w/transcoding)

    # agents: 75-250; 125-4,000; 500-8,000; 2,000-36,000

    Size: Medium, Large

    UC, CC

    Products shown: Net-Net 4250, Net-Net 4500, Net-Net 9200, Net-Net 3800

    Net-SAFE Security Framework

    SBC DoS/DDoS protection

    Protect against SBC DoS/DDoS attacks & overloads

    Access control & VPN separation

    Dynamic, session-aware access control for signaling & media

    Support for L2 and L3 VPN services & traffic separation

    Topology hiding & privacy

    Complete service infrastructure hiding & user privacy support

    Viruses, malware & SPIT mitigation

    Deep packet inspection enables protection against malicious or annoying traffic

    Encryption and Authentication

    TLS, IPSEC, SRTP

    Monitoring and reporting

    Record attacks & attackers

    Provide audit trails

    [Diagram labels: SBC DoS protection; Fraud prevention; Access control; Topology hiding & privacy; Service infrastructure DoS prevention; Viruses, malware & SPIT mitigation]

    Dynamic ACLs and Hardware Based Security

    All unauthorized traffic rejected by hardware authentication

    HARDWARE BASED AUTH:

    Authorized traffic flows are based on:

    Source IP address/range

    Source IP port

    Protocol

    Destination IP address

    Destination IP port

    VLAN + physical port

    Other authorizations at wire speed:

    DoS blacklisted users rejected (matched on above flow definitions)

    [Diagram: an HTTP request reaching the NN-SD on an unauthorized protocol or destination port is dropped at wire speed; a SIP INVITE from a blacklisted user is dropped]

    Software-based SBCs cannot provide this!
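
    The flow-based authorization listed above, modelled in software as an added Python example (not from the deck or from Acme Packet; the slide describes a check done in hardware). The addresses, VLAN number, port name `s0p0` and the choice to key a blacklist entry on source IP, VLAN and physical port are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    protocol: str
    dst_ip: str
    dst_port: int
    vlan: int
    phys_port: str

@dataclass(frozen=True)
class Flow:
    src_net: str        # source IP address/range, CIDR notation
    src_ports: range    # permitted source ports
    protocol: str
    dst_ip: str
    dst_port: int
    vlan: int
    phys_port: str

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(self.src_net)
                and p.src_port in self.src_ports
                and (p.protocol, p.dst_ip, p.dst_port)
                    == (self.protocol, self.dst_ip, self.dst_port)
                and (p.vlan, p.phys_port) == (self.vlan, self.phys_port))

class FlowTable:
    """Default deny: a packet passes only if an authorized flow matches it."""
    def __init__(self, flows):
        self.flows = list(flows)
        self.blacklist = set()   # assumed key: (source IP, VLAN, physical port)

    def blacklist_source(self, p: Packet):
        self.blacklist.add((p.src_ip, p.vlan, p.phys_port))

    def decide(self, p: Packet) -> str:
        if (p.src_ip, p.vlan, p.phys_port) in self.blacklist:
            return "drop: blacklisted"
        if any(f.matches(p) for f in self.flows):
            return "permit"
        return "drop: no authorized flow"

# Constructed sample data: documentation address ranges, made-up port name "s0p0".
SIP_FLOW = Flow("203.0.113.0/24", range(1024, 65536), "udp", "192.0.2.10", 5060, 100, "s0p0")
INVITE = Packet("203.0.113.7", 5060, "udp", "192.0.2.10", 5060, 100, "s0p0")
HTTP = Packet("203.0.113.7", 40000, "tcp", "192.0.2.10", 80, 100, "s0p0")
WRONG_VLAN = Packet("203.0.113.7", 5060, "udp", "192.0.2.10", 5060, 200, "s0p0")

def demo():
    table = FlowTable([SIP_FLOW])
    before = [table.decide(p) for p in (INVITE, HTTP, WRONG_VLAN)]
    table.blacklist_source(INVITE)   # e.g. after the source exceeded a DoS threshold
    return before, table.decide(INVITE)

if __name__ == "__main__":
    print(demo())
```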

    Signaling Based Security

    Stateful awareness of SIP sessions allows for fine-tuned security measures a FW cannot provide.

    SOFTWARE/SIGNALING BASED AUTHORIZATION:

    Authorized traffic flows can be based on:

    User registration status

    SIP packet format (Legal?)

    Traffic filters based on SIP header content

    Source or destination URI format

    Codec type

    Bandwidth or session admission control

    Overload constraints (CPU and next hop)

    Signaling rate limit

    [Diagram: three SIP INVITEs arriving at the NN-SD and being rejected]

    Next hop device (i.e. Avaya SM) constraints exceeded: SIP INVITE, reject with 4xx Unauthorized

    Bandwidth exceeds allowed limit: SIP INVITE, reject with 503 Unavailable (configurable response)

    Unregistered users (rejected at SIP level): SIP INVITE, reject with 4xx Unauthorized

    Handling of Ports for Media

    VoIP often requires a different media port per source for RTP flows

    Net-Net SD dynamically opens ports for RTP/RTCP (media streams)

    Secure latching:

    [Call-flow diagram: endpoint 10.0.0.1, Net-Net SD, endpoint 136.2.7.100. Net-Net SD addresses: 10.100.1.100, UDP ports 49152-65535 (Pool X); 192.168.11.101, UDP ports 49152-65535 (Pool Y)]

    INVITE, SDP c= (source): 10.0.0.1, port 1046

    Open media port from Pool Y. Remember mapping from 192.168.11.101 (Pool Y) to 10.0.0.1:1046

    INVITE, SDP c= (source): 192.168.11.101, port 49152

    200 OK, SDP c= (source): 136.2.7.100, port 4300

    Open a media port from Pool X. Remember mapping from 10.100.1.100 (Pool X) to 136.2.7.100:4300

    200 OK, SDP c= (source): 10.100.1.100, port 49152

    BYE

    200 OK

    Close media ports and remove them from the SBC cache

    A FW must keep ports open at all times
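
    The call flow above as an added Python model (not Acme Packet code): relay ports are opened from the SDP carried in the INVITE and the 200 OK and closed on BYE, so media arriving on a port with no live session has no relay target. The class and function names are hypothetical, and the SDP bodies are constructed, using full `c=`/`m=` lines where the slide abbreviates to `C=`.

```python
import re

C_LINE = re.compile(r"^c=IN IP4 (\S+)", re.M)
M_LINE = re.compile(r"^m=audio (\d+) ", re.M)

def media_addr(sdp):
    """Return the (ip, port) an SDP body advertises for its audio stream."""
    return C_LINE.search(sdp).group(1), int(M_LINE.search(sdp).group(1))

def rewrite(sdp, ip, port):
    """Replace the advertised media address with one owned by the SBC model."""
    sdp = C_LINE.sub(f"c=IN IP4 {ip}", sdp)
    return M_LINE.sub(f"m=audio {port} ", sdp)

class PortPool:
    def __init__(self, ip, first=49152, last=65535):
        self.ip, self.first, self.last = ip, first, last
        self.in_use = set()

    def allocate(self):
        for port in range(self.first, self.last + 1):
            if port not in self.in_use:
                self.in_use.add(port)
                return port
        raise RuntimeError(f"media port pool on {self.ip} exhausted")

class MediaGate:
    """Opens a relay port per call leg on signaling, closes both on BYE."""
    def __init__(self, pool_x, pool_y):
        self.pool_x, self.pool_y = pool_x, pool_y
        self.calls = {}  # Call-ID -> [(pool, local_port, relay_to), ...]

    def _open(self, call_id, pool, sdp):
        relay_to = media_addr(sdp)
        port = pool.allocate()
        self.calls.setdefault(call_id, []).append((pool, port, relay_to))
        return rewrite(sdp, pool.ip, port)

    def on_invite(self, call_id, sdp):
        return self._open(call_id, self.pool_y, sdp)

    def on_200_ok(self, call_id, sdp):
        if call_id not in self.calls:  # answer with no matching INVITE: open nothing
            raise LookupError(f"no session for Call-ID {call_id}")
        return self._open(call_id, self.pool_x, sdp)

    def on_bye(self, call_id):
        for pool, port, _ in self.calls.pop(call_id, []):
            pool.in_use.discard(port)

    def relay_target(self, local_ip, local_port):
        """Destination for RTP arriving on local_ip:local_port, or None (dropped)."""
        for legs in self.calls.values():
            for pool, port, relay_to in legs:
                if (pool.ip, port) == (local_ip, local_port):
                    return relay_to
        return None

def make_sdp(ip, port):  # constructed minimal SDP body
    return f"v=0\r\nc=IN IP4 {ip}\r\nm=audio {port} RTP/AVP 0\r\n"

def demo():
    gate = MediaGate(PortPool("10.100.1.100"), PortPool("192.168.11.101"))
    out_invite = gate.on_invite("call-1", make_sdp("10.0.0.1", 1046))
    out_answer = gate.on_200_ok("call-1", make_sdp("136.2.7.100", 4300))
    during = gate.relay_target("192.168.11.101", 49152)
    gate.on_bye("call-1")
    after = gate.relay_target("192.168.11.101", 49152)
    return media_addr(out_invite), media_addr(out_answer), during, after
```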

    It's not just about security

    Legacy data infrastructure is not enough

    Signalling protocol interworking

    Service reach maximization

    QoS / Accounting

    Session replication

    High availability

    Header Manipulation Rules

    Benefit: allows SBC to perform SIP header/parameter manipulation based on regular expressions

    Problem overcome: interoperability issues, unique routing needs, protocol normalization and fix-up

    Details

    Regular expression search and store capability

    Ability to do repetitive search and replace

    Boolean logic support

    Supports operations on MIME body, e.g. SDP

    Allows codec re-ordering & stripping

    Ability to insert information into Call Detail Record VSAs

    HMR for ISUP (conversion between any variation of SIP, SIP-I, SIP-T)

    Hosted NAT traversal (HNT)

    Problem: remote-user NAT traversal

    Inbound VoIP/UC can't get through DSL/cable modem firewall / NAT

    Home worker can't reconfigure FW/NAT

    NAT-T techniques (STUN / TURN / ICE) are limited and vary widely by device: an IT support headache

    Solution: host NAT traversal in SBC

    Standardizes NAT methodology

    Proven solution: globally deployed

    Scalable with very low latency

    Benefit: lower cost, complexity of deployment, support

    No end-user action required

    One centralized box to manage

    One methodology for NAT traversal

    [Diagram: remote user behind a CPE NAT/FW ("messes up secure VoIP"), the Internet, and IPT, UC and CC in the Enterprise Data Centre]

    QoS measurement & reporting

    Benefits

    Enables real-time evaluation of network & route performance

    Enables Enterprises to validate SLAs from their service providers

    QoS based call admission control

    Capabilities

    Per-flow statistics including jitter, latency, packet loss, byte and packet counters

    Hardware based RTP/RTCP header inspection: no performance impact

    Reported through call accounting interface (RADIUS) or via FTP

    [Diagram labels: Segment A, Segment B]

    IP Session Replication

    Benefit: reduces costs and decreases complexity

    Problem overcome: reduces the number of devices/interfaces involved in call capture and replication; SBC scales better than alternative methods

    Call recording servers (CRS) are provisioned per ingress realm

    SBC replicates and forwards signaling and media

    SBC load balances session across recording servers

    [Diagram label: Avaya ACM/ASM]

    High Availability

    No loss of active sessions (media and signaling)

    Supports new calls

    1:1 Active Standby architecture

    Failover for node failure, network failure, poor health, manual intervention

    40 ms failover time

    Checkpointing of configuration, media & signaling state

    Preserves CDRs on failover

    Shared virtual IP/MAC addresses

    [Diagram: Active/Standby pair with address 10.0.0.1 (sd0.co.jp, sd0.fc.co.jp). Find SD through DNS round-robin or configured proxy. When the active node fails, the standby becomes active: all sessions stay up, and new sessions (new call) are processed immediately]

    Working together

    UC Reference Architecture

    Customer choice of complete local call processing intelligence in branch or, if desired, no survivability

    Avaya Session Manager implements session routing for inter-branch and branch to HQ; manages centralized dial plan

    Mini Border Element provides secure access to distributed SIP trunking services for branch/remote locations

    SBC provides secure access to centralized SIP trunking services for HQ/regional centers

    [Diagram labels: HQ/Regional Data Center; Avaya CM; Avaya SM; ACM / DO; Branch Office; Router; Analog, Digital; SIP Trunking Service; SIP Trunking Services; Internet; Remote clients; links labelled SIP and RTP]

    Avaya / Acme Packet Interop

    Acme Packet part of Avaya Development and SV models

    Acme Packet equipment in Avaya R&D & Services labs

    Avaya equipment in Acme Packet labs

    Formal Interop Testing and Documentation

    DevConnect - Acme Packet is a Platinum partner

    Peering and Access

    ACM: NN4250 & NN4500 complete, NN3800 in progress

    ASM: NN4250, NN4500 and NN3800 in progress

    AVP/ICR: NN4250, NN4500 and NN3800 in progress

    Online Application Notes and configuration guides

    SITL will certify SIP trunks

    Testing ongoing in NA, CALA, EMEA, and APAC

    Acme Packet at a glance

    (Acme Packet - company overview Q3 2008)

    Session Border Control (SBC) category creator & leader with 50-60% market share, founded August 2000

    Top tier customers worldwide

    600+ customers in 92 countries

    29 of top 30, 89 of the top 100 service providers

    Market focus: enterprise, contact centre, and service provider

    400+ employees in 25 countries, Burlington, MA headquarters

    Public company (NASDAQ: APKT) w/ strong revenue growth, profits & balance sheet

    Healthy, Profitable, Leading, Growing

    Revenue ($M): 2003: $3.3; 2004: $16.0; 2005: $36.1; 2006: $84.1; 2007: $113.1; 2008: $116.4

    Competition

    Primary competitive threat: customer inertia

    Ignorance of need for SBCs

    IT security staffs must be educated

    Next-best threat: Cisco Unified Border Element (CUBE)

    All software: small scale, low performance

    Lacks DoS protection, advanced routing, high availability

    Years behind on features and protocol support

    Very limited non-Cisco product interoperability

    Go-to-market strategy

    Channel focus in EMEA - over 60 people

    Business and channel development provide commercial and technical support

    Direct touch Sales and Engineering team directly supports opportunities

    EMEA HQ in Madrid has training and lab facilities

    Field systems engineering supports evaluations & trials, informal training

    Technical support - 24x7x365 from Burlington, MA, USA headquarters

    Protocol and platform focus areas

    Telephone hotline for critical problems

    Web portal

    Training - Configuration and troubleshooting courses

    Boston, Madrid, Moscow, or at customer site

    English, Spanish, Italian, French, German, Russian, Dutch, Portuguese

    Acme Packet helps close more Avaya business faster

    Minimize risk for migration to Avaya

    Interworking and compliance / security / service quality

    Reduce cost and increase value of Avaya solution

    Enables secure use of cost-effective SIP trunks

    Supports Flatten Consolidate & Extend (FCE) model

    Provide a competitive advantage over Cisco

    Superior SBC solution

    Strong relationships with service providers

    Prevent Cisco from getting more foothold

    Acme Packet confidential

    The Managed Services Opportunity

    Managed CPE SBCs enable multiple services to be safely delivered through SIP Trunks

    IP Contact Centres

    Unified Communications Services

    IP PBX connectivity

    Business partner managed SBCs mean:

    Annuity revenue

    Account Control and opportunity to sell multiple services

    Services Revenue Opportunity

    Value proposition

    The: Acme Packet SBC solutions

    is for: Mid- to large-size enterprises and contact centres across all vertical markets and geographies

    who need to: Connect to public/private SIP Trunk Services, and support Remote/ Mobile Workers

    in order to: Reduce cost

    Deliver business agility

    Secure loyal customers

    Meet regulatory compliance mandates

    Acme Packet Contacts - EMEA

    Andreas Waechter, Sales Director, Enterprise, [email protected] (Germany)

    Margie Frasier, Channel Development Manager, [email protected] (Italy)

    Geraint Evans, Technical Director, [email protected] (UK)

    HEADQUARTERS

    Relationship Manager: Neil Segall, [email protected]

    Technical Director: Ray DeQuiroz, [email protected]

    Chief Engineer: Mike Aglietti, [email protected]

    Channel Development: Laurie Coppola [email protected]