Enterprise Deployment of Converged Networks

Ravi Sethi, President, Avaya Labs
April 29, 2002
Slides 2-3: Communication Evolution

Three stages, each building on the previous one:

1. Legacy: separate voice and data networks.
2. Converged Networks ("IP has won"): promise definite customer benefits, but need technology advances for full deployment:
   • Five 9s Reliability
   • QoS for Voice over IP
   • End-to-End Security
   • …
3. Converged Communication: communication-enabled applications build on converged networks; rich voice-data applications, but need new technologies and processes ("Visionaries are here"):
   • Multimodal Interfaces
   • Web and Comm Services
   • SIP Multimedia Sessions
   • …
Slide 4: Framework for classifying techniques for Reliability, QoS, Security

• Prevention: anticipate and prevent
• Redundancy: provide spare capacity
• Recovery: take corrective action to restore service
• Validation: validate the desired properties by modeling, simulation or testing
• Detection: detect and predict what-when-where
Slide 5: Reliability
Slide 6: Reliability needs are at several levels: application, operating system, hardware, network

NEEDS
• Survivability – Can the service be brought back on line swiftly?
• Availability – Is the service available 99.999%?
• Fault Tolerance – Can the system continue operation when faults occur?
• Integrity – Is data and transaction integrity preserved?

LEVEL (each need applies at every level)
• Application
• Operating System
• Hardware
• Network
Slide 7: Reliability techniques at the network level

• Prevention: anticipate and prevent faults; e.g., overengineer the network
• Redundancy: provide hot spares; e.g., alternative paths in a network
• Recovery: take corrective action to restore service; e.g., expert systems repair network faults
• Validation: validate the desired properties by modeling, simulation or testing; e.g., protocol testing
• Detection: detect and predict what-when-where of faults; e.g., timeouts signal loss of connectivity
Slides 8-10: Distributed servers and gateways enhance survivability when network failures occur

[Figure, built up over three slides: the Main Location has a LAN with IP Screenphones, a Media Gateway and a Media Server. Remote users on IP Softphones and mobile remote users reach it over the Internet, the WAN and the PSTN. A Remote Location with IP Phones on its own LAN is served over the WAN and keeps working through a Survivable Media Gateway when the WAN link to the Main Location fails.]
Slide 11: QoS
Slide 12: QoS management applies to network infrastructure and to applications

QoS includes Voice Quality, Response Time, Delay, Jitter, Loss, Throughput.

[Figure: a QoS Management Server sits between the QoS Goals and both the Infrastructure and the Applications; it sends Control/Signals down to them and receives Status/Events back.]

The management loop:
– Specify per-user/application-level QoS goals
– Measure QoS conformance
– (Re)Configure network and servers to achieve QoS goals
Slide 13: QoS techniques at the network layer

• Prevention: anticipate and prevent congestion; e.g., priority levels, drop packets
• Redundancy: provide hot spare capacity; e.g., overprovisioning
• Recovery: take corrective action to restore service; e.g., reroute traffic, load balancing
• Validation: validate desired properties by modeling, simulation or testing; e.g., network assessment for VoIP
• Detection: detect and predict what-when-where of congestion; e.g., network monitoring
Slide 14: QoS-Enabled Networks – Challenges

• Network readiness
  – Provide for desired bandwidth, delay, jitter, loss, etc.
• QoS policies
  – Determine QoS goals and granularity (per flow type, per application, per user, etc.)
  – Map goals to network/application mechanisms
• Heterogeneity
  – Non-uniform implementation of QoS mechanisms across vendors, domains, systems and layers
  – Bandwidth in different segments
  – Common management schema/standards
• Dynamic conditions
  – Load, applications, network conditions and users
  – Correctness of network data in face of constant change
Slide 15: Assess network readiness for voice over IP and propose changes to ensure QoS

– Automatically discover routers and switches from route tables, Layer 2 forwarding tables, and VLAN info
– Based on topology, synthesize VoIP traffic
– Monitor network device status and correlate with VoIP QoS on exact call paths

[Figure: a network-wide summary of MOS (mean opinion score) for synthesized calls between the site pairs 150 <--> 211, 150 <--> 233, 211 <--> 233, 233 <--> 233, 211 <--> 211 and 150 <--> 150, broken out by work hours, non-work hours and weekend.]
Slide 16: Assess network readiness for voice over IP and propose changes to ensure QoS (continued)

– Use statistical methods to assign poor QoS to specific network devices
– Produce dynamic graphical/visual displays of data
  • Network-wide summaries
  • Coded network diagrams
  • Drill-down on paths and elements

[Figure: a coded network diagram of nodes A, B and C with an over-utilized link highlighted, and a drill-down chart of ifInOctets and ifOutOctets (0 to 80) for interface 198.152.3.40:18 over 09/14 to 09/26.]
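An added example, not from the slides, of the two analyses slides 15 and 16 describe: a network-wide MOS summary per site pair and period, and a statistical attribution of poor calls to the links on their exact call paths. The call records, link names and the MOS threshold of 3.6 are constructed assumptions; the slides name MOS but give no threshold.

```python
# Added example (not Avaya's code): summarise synthesized-call MOS per period and site pair,
# then rank links by how much their share of poor calls exceeds the network-wide share.
from collections import defaultdict
from statistics import mean

POOR_MOS = 3.6   # assumption: a call rated below this MOS counts as poor voice quality

# Constructed synthesized-call records: (period, site pair, links on the exact call path, MOS).
CALLS = [
    ("work", "150<->211", ["A-B", "B-C"], 4.2),
    ("work", "150<->233", ["A-B", "B-D"], 3.1),
    ("work", "211<->233", ["B-C", "B-D"], 2.8),
    ("non-work", "150<->211", ["A-B", "B-C"], 4.3),
    ("non-work", "150<->233", ["A-B", "B-D"], 4.0),
    ("non-work", "211<->233", ["B-C", "B-D"], 3.9),
    ("weekend", "150<->233", ["A-B", "B-D"], 4.1),
]

def mos_matrix(calls):
    """Network-wide summary: mean MOS per (period, site pair), like the slide's matrix."""
    buckets = defaultdict(list)
    for period, pair, _, mos in calls:
        buckets[(period, pair)].append(mos)
    return {key: round(mean(values), 2) for key, values in buckets.items()}

def suspect_links(calls, period=None, min_calls=2):
    """Rank links by how far their poor-call rate exceeds the network-wide rate for the
    period; each row is (link, poor rate, calls seen). Links on fewer than min_calls
    calls are skipped so a single bad call cannot blame an element by itself."""
    rows = [c for c in calls if period is None or c[0] == period]
    overall = sum(c[3] < POOR_MOS for c in rows) / len(rows)
    seen, poor = defaultdict(int), defaultdict(int)
    for _, _, path, mos in rows:
        for link in path:
            seen[link] += 1
            poor[link] += mos < POOR_MOS
    ranked = [(link, poor[link] / seen[link], seen[link])
              for link in seen if seen[link] >= min_calls]
    # Highest excess over the network-wide rate first; link name breaks ties deterministically.
    return sorted(ranked, key=lambda r: (-(r[1] - overall), r[0]))
```

Restricting to the work period isolates the congested link (B-D) that the all-period ranking only shows weakly, which is why the slide breaks its summary out by period.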
Slide 17: Security
Slide 18: Security Attacks: frequency rapidly escalating, types constantly changing

• 150 to 200 new viruses per month
• 60-70% of security breaches are internal
• Viruses and hacking cost $266 billion in US last year*

Data from Carnegie Mellon Computer Emergency Response Team. * Global Information Security Survey (InformationWeek and Price Waterhouse Coopers).

[Figure: two charts. "CERT Security Reports 1988-2001" plots incident count and vulnerability count per year from 1988 to 2000 on a 0 to 60000 scale; "CERT Vulnerabilities 1995-2001" plots vulnerabilities per year from 1995 to 2001 on a 0 to 2500 scale.]
Slide 19: Security domains overlay applications and infrastructure

[Figure: four nested security domains, from the outside in.]

• Extended Perimeter: security policies and procedures beyond the physical perimeter of the enterprise: remote workers, B2B partners & suppliers, extranets etc.
• Perimeter (Firewalls, VPN): network level controls to filter traffic and manage access; encryption
• Control Domain (Security Management): security monitoring; enterprise-wide authentication; & data protection
• Resource Domain (OS, applications, data; Identity and Access Mgmt): application level access, authentication & authorization; data protection & encryption
Slide 20: Security measures include

• Encrypt voice so sniffers hear only white noise
• Filter packets based on addresses, port numbers
• Eliminate common attacks by disabling un-needed services; e.g. NFS, X-windows, rexec, …
• Protect network servers against viruses by eliminating incoming e-mail, web browsers, shared drives
• Defend against denial-of-service attacks by discarding suspicious packets
• Set, communicate, and enforce security policies
• Make it convenient: if it’s too hard, it’ll be circumvented

Security begins with the people and organizations that operate and use the system.
Slide 21: Security techniques at the network level

• Prevention: anticipate and prevent attacks; e.g., authentication, firewalls, encryption
• Redundancy: provide spare capacity ready for deployment; e.g., backups, alternative sites
• Recovery: take corrective action to restore service; e.g., attention by network administrator
• Validation: validate desired properties by modeling, simulation or testing; e.g., digital signatures, network discovery
• Detection: detect and predict what-when-where of attacks; e.g., intrusion detection
Slide 22: Securing Converged Networks and Business Systems – Challenges

• Keeping current
  – New forms of attacks
  – Attacks increasing: data and service theft; spoofing; denial of service; viruses and vandalism; eavesdropping
  – Security patches from vendors
• User and operations staff education and training
  – Security awareness
  – Following good security practices: strong passwords, regular virus checker updates etc.
  – Security intrusion detection and response processes
• Incorporating secure programming practices
  – By vendors
  – By in-house programming staff
Slide 23: Libsafe 2.0 protects against common security attacks: “buffer overflow” and “format string”

– Proactively detect and terminate security attacks, even unknown ones
– Libsafe is a protection library that can be linked to any binary without access to its source code
– Instrumentation restricted to “unsafe” functions to minimize performance overhead (usually ~1%)
– Platforms supported: Linux, Windows NT/2000
– 6 committed Linux distributors: RedHat, Debian, TurboLinux, Mandrake, Slackware, Yggdrasil
– Improved version Libverify detects more buffer overflow attacks

Available from http://www.research.avayalabs.com/project/libsafe
Slide 24: Firedoors are transparent bridges that can be triggered to isolate “dirty” machines

[Figure: inside an enterprise network, Firedoors sit at a router, firewall or switch between switched VLAN segments (or a VPN); a Door Keeper controls them.]

• Partition a network to fight viruses and worms
  – Firewalls are useless once a network is breached
  – Block traffic only to attacking network segment; e.g. port 25 from a certain VLAN
  – Isolate data while voice goes through
• Operates in 3 modes
  – Transparent: pass all packets with no interference
  – Hunting: pass packets only from clean segments
  – Opaque: pass no packets except Firedoor controls
• Firedoor can be controlled via encrypted messages from Door Keeper (FireDoor Manager) to change mode, download updated access lists onto the router/switch to block traffic, …
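An added example, not from the slides or from the Firedoor product, of the per-packet decision the three modes imply, plus the "port 25 from a certain VLAN" access list and Door Keeper commands that must be accepted only when authentic. The packet fields, VLAN numbers and shared key are constructed; an HMAC with a sequence number stands in for the slide's encrypted control channel, and identifying voice by a packet "kind" field is an assumption.

```python
# Added example (not Avaya's code): a Firedoor-style bridge in transparent, hunting and opaque
# modes, with Door Keeper commands authenticated and replay-protected.
import hashlib, hmac, json

CONTROL_KEY = b"constructed-shared-secret"   # stand-in for the Door Keeper's key material

class Firedoor:
    def __init__(self):
        self.mode = "transparent"
        self.dirty_vlans = set()    # segments the Door Keeper has marked as attacking
        self.acl = set()            # (src VLAN, dst port) pairs to drop in any passing mode
        self.last_seq = 0           # highest accepted command sequence number

    def forward(self, pkt):
        """True if the packet is passed. Firedoor control traffic always passes; in hunting
        mode a dirty segment's data is dropped while its voice still goes through."""
        if pkt.get("control"):
            return True
        if self.mode == "opaque":
            return False
        if (pkt["src_vlan"], pkt["dst_port"]) in self.acl:
            return False
        if self.mode == "hunting" and pkt["src_vlan"] in self.dirty_vlans:
            return pkt.get("kind") == "voice"
        return True

    def apply_control(self, wire):
        """Apply a Door Keeper command only if its MAC verifies and its sequence number is
        fresh, so a forged or replayed message cannot reopen the door."""
        msg, _, tag = wire.rpartition(b".")
        expected = hmac.new(CONTROL_KEY, msg, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return False
        cmd = json.loads(msg)
        if cmd.get("seq", 0) <= self.last_seq:
            return False
        self.last_seq = cmd["seq"]
        if cmd["op"] == "mode":
            self.mode = cmd["mode"]
        elif cmd["op"] == "mark_dirty":
            self.dirty_vlans.add(cmd["vlan"])
        elif cmd["op"] == "block":
            self.acl.add((cmd["vlan"], cmd["port"]))
        return True

def door_keeper_command(cmd):
    """Build the authenticated control message the Door Keeper would send."""
    msg = json.dumps(cmd, sort_keys=True).encode()
    return msg + b"." + hmac.new(CONTROL_KEY, msg, hashlib.sha256).hexdigest().encode()
```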
Slide 25: Trend: Communication is integrating into applications and business processes

Communication-Enabled Applications build on Converged Networks to give Converged Communication: rich voice-data applications, but need new technologies and processes:
• Multimodal Interfaces
• Web and Comm Services
• SIP Multimedia Sessions
• …
Slide 26: Fail Safe enables the right people, with the right tools, to respond rapidly to a crisis

Dynamically Changing Configurations

[Figure: the Supply Chain Event Manager raises an Exceptional Event that requires a crisis conference (the example shown is "Overheating Engines"). The Supply Chain Rules Engine determines the Decision Team (people/roles needed). The Fail Safe Application then uses a Presence Service, Audio Conferencing and Notification-Response to:
• Notify members who are present
• Find and notify non-present members
• Audio conference members who accept
It does so through a Web Server, a Call Feature Server and a Messaging Server, reaching members on a PC only or PC/Softphone, PC and desk phone, PDA and mobile phone, mobile phone, and so on.]
Slide 28: SIP (Session Initiation Protocol) Overview

SIP is a simple signaling protocol
– Small set of required messages and responses
– Internet philosophy
– Borrows heavily from existing Internet paradigms

[Figure: message flow between caller and callee.]
  Invite + SDP  -->
                <--  Ringing
                <--  OK + SDP
  Ack           -->
  <=== Media Session ===>
  Bye           -->
                <--  OK

– Session parameters negotiated using SDP (Session Description Protocol)
– Media sessions typically use RTP (Real Time Protocol)
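An added example, not from the slides or from any Avaya product, that walks the slide's message sequence with both sides' messages and the SDP offer/answer that sets the media session's address, port and codec, including the case where the two endpoints share no codec. The URIs, addresses, ports and codec lists are constructed sample values; the headers are the minimum needed to frame the messages, not a complete SIP stack.

```python
# Added example (not Avaya's code): INVITE+SDP, 180 Ringing, 200 OK+SDP, ACK, media session,
# BYE, 200 OK, with offer/answer deciding whether a media session exists at all.
PT_NAMES = {0: "PCMU", 8: "PCMA", 18: "G729"}   # RTP/AVP static payload types (RFC 3551)

def sdp(ip, port, codecs):
    """SDP body carried in the INVITE (offer) or the 200 OK (answer)."""
    pts = " ".join(str(c) for c in codecs)
    return f"v=0\r\nc=IN IP4 {ip}\r\nm=audio {port} RTP/AVP {pts}\r\n"

def parse_sdp(body):
    """Return (ip, RTP port, payload types) from the c= and m= lines."""
    fields = dict(line.split("=", 1) for line in body.strip().split("\r\n"))
    m = fields["m"].split()
    return fields["c"].split()[2], int(m[1]), [int(pt) for pt in m[3:]]

def sip_message(start_line, call_id, cseq, body=""):
    """Frame a request or response; Content-Length tells the receiver where the body ends."""
    return (f"{start_line}\r\nCall-ID: {call_id}\r\nCSeq: {cseq}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")

def split_message(msg):
    """Return (start line, body) of a framed SIP message."""
    head, _, body = msg.partition("\r\n\r\n")
    return head.split("\r\n")[0], body

def answer_offer(offer_body, ip, port, my_codecs):
    """Callee side of offer/answer: keep the offered codecs it also supports, in the
    caller's preference order; None means the session cannot be set up."""
    common = [pt for pt in parse_sdp(offer_body)[2] if pt in my_codecs]
    return sdp(ip, port, common) if common else None

def run_call(caller, callee):
    """Walk the slide's sequence; returns (trace of start lines, negotiated media or None)."""
    call_id, cseq = "constructed-call-id@example.com", "1 INVITE"
    invite = sip_message(f"INVITE sip:{callee['uri']} SIP/2.0", call_id, cseq,
                         sdp(caller["ip"], caller["port"], caller["codecs"]))
    trace = [split_message(invite)[0], "SIP/2.0 180 Ringing"]
    answer = answer_offer(split_message(invite)[1], callee["ip"], callee["port"], callee["codecs"])
    if answer is None:                       # no common codec: reject; the caller still ACKs
        trace += ["SIP/2.0 488 Not Acceptable Here", f"ACK sip:{callee['uri']} SIP/2.0"]
        return trace, None
    ok = sip_message("SIP/2.0 200 OK", call_id, cseq, answer)
    trace += [split_message(ok)[0], f"ACK sip:{callee['uri']} SIP/2.0"]
    ip, port, pts = parse_sdp(split_message(ok)[1])
    media = {"rtp_to": (ip, port), "codec": PT_NAMES[pts[0]]}   # RTP flows here until BYE
    trace += [f"BYE sip:{callee['uri']} SIP/2.0", "SIP/2.0 200 OK"]
    return trace, media
```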
Slide 29: Migration to SIP-Based Enterprise Telephony

[Figure: the Business App. Platform sits above the Communication App. Platform. A Telephony Application Server connects to the PSTN/Internet over TDM, H.323 and SIP, and is joined by Location Services, Presence Services, a Registrar, a SIP Proxy and a Redirect server, backed by DNS and Directories. SIP User Agents (IP Phones) reach the platform over SIP; TDM Phones and Analog Phones reach it through the telephony server. Communication Apps: Voice Mail, CTI, Call Center. New Communication Apps: presence-enabled apps, web- and voice-enabled apps, IM.]
Slide 30: Synopsis of SIP Scenarios

Avaya Labs tradeshow demos
– Networld+Interop (9/01), SIPIT (12/01), SIP 2002 (1/02)

Scenarios
– Interoperability between SIP Phones and ‘traditional’ phones
– Interoperability across SIP end-points from multiple vendors
– Bridging SIP Instant Messaging capabilities into voice environment
– Presence and Rules-based Call and Instant Message routing
– Innovative end-point features; e.g., PDA interworking using infrared ports
– Multimedia features: video and app sharing
– Presence monitoring for each supported end-point
Slide 31: Intra-Enterprise SIP Communications Demo

[Figure: on the LAN, a SIP IP600 (SIP Authority + VxML Server) with DNS, a SIP Screen Phone, a SIP Phone + Palm, a 3rd-party SIP Phone, an H.323 Phone, RTC Clients and a Messaging System; a Digital Phone and an Analog Interface attach to the IP600, and the PSTN is reached over an E1 trunk, with a Cell Phone on the PSTN side.]
Slide 32: SIP implications for converged communication

• Standardized personal address means there’s one way to “place the call” regardless of recipient’s device
• Supports multi-modal communications and devices
• Equalizes real-time and near-real-time communications into a session, and thus changing the focus of communication from mode to user
• Enables rapid creation of communication-enabled enterprise applications from standardized components
• Services-based environment accommodates both peer-to-peer and client-server apps

SIP is to Real-Time People-to-People Communications what HTTP was to Information Exchange on the World Wide Web.
Slide 33: Presence

Presence
– Dynamic information about an individual's existence, status, location, and accessibility.

Presence is the enabler for intelligent user-centric communications
– Build new context-sensitive applications so that “who, where, when, and how” all make a difference
– Empower the user with more information, better choices based on the particular situation

Beyond: “anyone, anywhere, anytime, anyhow”
To: “the Right person, in the Right place, at the Right time, the Right way”
Slide 34: Migrating to Converged Communication

1. Legacy: separate voice and data networks.
2. Converged Networks ("IP has won"): promise definite customer benefits, but need technology advances for full deployment.
3. Converged Communication: communication-enabled applications build on converged networks; rich voice-data applications, but need new technologies and processes.