Enterprise SBCs – A Requirement for Secure, High-Quality Delivery of Real-Time, Interactive Voice and Unified Communications
Enterprise communications networks are evolving into business-critical resources delivering real-time, unified communications and collaboration (UC&C) services and applications. This UC&C environment will extend beyond the bounds of the enterprise throughout the supply chain as well as to customers, channel partners and affiliates. The federation of presence, IM and other UC&C applications, such as multi-media conferencing, messaging, calendaring, workflow, integrated voice response (IVR) and other applications will help individuals and workgroups communicate efficiently with anyone, anywhere, anytime using application-agnostic devices over multiple wired and wireless networks. Business processes with optimally integrated UC&C applications will be leveraged for business agility, to boost employee accessibility and efficiency, improve customer service, and reduce IT capital and operating costs.
As a business-critical resource, enterprise UC&C infrastructure, services and applications must be protected both from deliberate attacks to steal sensitive information and/or disrupt UC&C services, as well as from non-malicious adverse events that can cripple these services. Take the contact center for example; here privacy is a significant issue due to regulatory constraints and/or the sensitive nature of some contact center communications (e.g., medical records, credit card numbers, etc.). As a result, contact centers will need to encrypt certain sessions (signaling, media or both) end-to-end, or at least the portions of a session that must traverse untrusted IP networks.
The ugly reality is that none of our existing data security products — firewalls/Network Address Translation (NAT) devices, IDP/IDS (Intrusion Detection/Prevention Systems) and SPAM filters — have proven to work for real-time voice, video and multimedia communications. Session border controllers (SBCs), on the other hand, uniquely provide all the controls required for delivering trusted, reliable, high-quality real-time communications. In the context of an SBC, a “Session” refers to any real-time, interactive voice, video or multimedia communication using an IP session-layer signaling protocol such as SIP or H.323. A “Border” is any IP-to-IP network border, such as the border between a service provider and an enterprise, residential or mobile customer/subscriber, or between two service providers. The “Control” functions satisfy new requirements in five major areas: security, application reach maximization, service level agreement (SLA) assurance, revenue and cost optimization, and regulatory compliance. These five control functions are relevant for access to both SP and enterprise networks, on both User-to-Network Interfaces to end users and access networks and Network-to-Network Interfaces to peer networks. The key here is that the SP utilizes an SBC on its borders to protect its own network. The enterprise needs the same SBC controls operational to secure its own borders.
Today, many organizations are looking to outsource UC&C applications such as VoIP, contact centers, IVR, Microsoft OCS, audio/video conferencing and even E911 services. For example, RedSky’s E911 Anywhere Hosted service uses SIP signaling to send a 911 call over a private network in cases where a client has an IP-PBX. Those calls are processed by an Acme Packet SBC. E911 sessions are prioritized over all other traffic regardless of bandwidth utilization. The SBC also has the ability, using a feature known as a SIP response map, to translate these SIP messages into a format that the softswitch recognizes. The softswitch can then dial out over a PRI to an alternate site, where the 911 call will be answered by a live operator who in turn routes the call to the correct Public Safety Answering Point (PSAP).
Enterprises are also deriving added value and security from implementing data center centralization of IPT/UC, conferencing, and voicemail applications with SBCs in place. For example, the Delaware State Department of Technology and Information (DTI) deploys Acme Packet Net-Net 4250 SBCs in its two data centers. Through centralized SIP trunking, the DTI provides a centralized/hosted voicemail platform with unified messaging services throughout the state and eliminates the need for additional voicemail systems, maintenance and administration expenses. In the future, DTI will leverage the Net-Net SBC’s proven security, interoperability and scalability to deliver integrated data, voice and video applications to various state agencies, enable connectivity to disparate PBXs in neighboring states such as Maryland, Pennsylvania and New Jersey, and ease the recovery of these applications in case of a disaster.
Management is increasingly leaning on the contact center to attain higher performance targets on service quality and revenue generation, improve operating efficiency under constrained budgets, and build customer loyalty and the brand. Meanwhile, user expectations of contact center service levels are rising, as customers expect to be able to use whichever contact channel is most convenient to them and to get fast resolution of their issues on the first call. SBCs are increasingly being leveraged to meet both management and customer requirements in hosted and remote contact center virtualization solutions. Two of the main benefits derived from their use are: (1) bandwidth conservation through codec renegotiation, which saves money by conserving scarce bandwidth without degrading customer quality of experience (QoE): contact centers front-end inquiries with an IVR supporting a high-quality voice codec (e.g., G.722) that offers a high QoE to the calling party, while a lower-quality codec (say, toll-quality G.711) is used after call transfer; and (2) use of interworking and protocol normalization, which allows contact centers to extend the life of legacy PBX infrastructure, enabling gradual, incremental cutover to newer technology at the same time that new real-time IP communications services are being deployed. This reduces pressure on capex and opex.
In summary, there are compelling reasons for enterprises to include session border controllers as key network elements at the borders of real-time IP communications networks to effectively and efficiently address the issues raised above and summarized below.
Business Challenge: Interoperability/Application Reach Maximization
Issue:
- Environments are not homogeneous – a lot of enterprises consist of islands of VoIP deployments with heterogeneous PBXs and endpoints
- Migration to newer technology must be managed incrementally while extending the life of existing equipment, both to maximize investments in legacy gear and to minimize the risks associated with the transition to newer technologies
- Though the enterprise must keep a tight rein on capex and opex, time to market should not be compromised
SBC resolution:
Provide signaling protocol interworking to bridge incompatibilities between enterprise IPT/UC servers and SIP trunks, including SIP to H.323 interworking and interworking between differing vendor implementations of SIP; transport protocol interworking for TCP, UDP and SCTP; encryption protocol interworking for TLS, MTLS, SRTP and IPsec; and response code translation. The SBC may also be needed to provide IP address translation between overlapping private IP address spaces or between IPv4 and IPv6 addresses. In sessions where each endpoint uses a different codec or frame rate, transcoding or transrating may also be necessary.
Business Challenge: Security
Issue:
- Prevent malicious or non-malicious SIP signaling or media attacks and overloads from making the SBC non-responsive
- Ensure continuous service availability and quality for the IP PBX and UC servers, and maintain the privacy of business and end-user information, even under adverse traffic loads and/or attack
SBC resolution:
Provide intrusion monitoring and reporting capabilities to validate traffic from the SP, and enforce access control policies by limiting incoming sessions to the IP addresses of service provider peer SBCs. NAT must be employed to hide the topology of IPT/UC servers and internal endpoints, thereby defending against directed and/or reconnaissance attacks and protecting user privacy. In addition, the SBC should inspect traffic coming from the SIP trunk to eliminate viruses, worms and SPIT, and eliminate fraud by preventing unauthorized use of the SIP trunk.
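The three controls named above (peer allowlisting, overload protection and topology hiding) are easy to confuse with what a data firewall does, so the following added example shows what each one means at the SIP layer. It is illustrative code written for this page, not Acme Packet's implementation; the peer and PBX addresses, the rate limits and the INVITE message are all constructed. Topology hiding is modelled as the back-to-back user agent rewrite an SBC performs on an outbound request, and the final function is the check a defender would run to confirm no RFC 1918 address escapes.

```python
"""SBC-style SIP ingress policy: peer allowlist, signaling overload protection
and topology hiding.  Added illustration, not Acme Packet's implementation.
All addresses and the INVITE below are constructed for the example."""
import ipaddress
import re
import time
from collections import defaultdict

# Constructed: the only service-provider peer SBCs allowed to open sessions.
PEER_SBCS = {"203.0.113.10", "203.0.113.11"}
# Constructed: the internal IP PBX the SBC fronts and the SBC's outside address.
INTERNAL_PBX = "10.10.5.20"
SBC_OUTSIDE = "198.51.100.5"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class TokenBucket:
    """Per-source signaling rate limiter: a peer that floods INVITEs is throttled
    before the burst reaches the IP PBX / UC servers behind the SBC."""

    def __init__(self, rate_per_sec, burst):
        self.rate, self.burst = rate_per_sec, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last = defaultdict(float)

    def allow(self, src, now=None):
        now = time.monotonic() if now is None else now
        elapsed = max(0.0, now - self.last[src])
        self.last[src] = now
        self.tokens[src] = min(self.burst, self.tokens[src] + elapsed * self.rate)
        if self.tokens[src] >= 1.0:
            self.tokens[src] -= 1.0
            return True
        return False


def admit_signaling(src_ip, limiter, now=None):
    """Access control: only trusted peer SBCs may open sessions, and only at a bounded rate."""
    if src_ip not in PEER_SBCS:
        return "reject: source is not a trusted peer SBC"
    if not limiter.allow(src_ip, now):
        return "reject: signaling rate limit exceeded (overload protection)"
    return "admit"


def hide_topology(sip_msg, internal_ip=INTERNAL_PBX, outside_ip=SBC_OUTSIDE):
    """B2BUA-style rewrite of an outbound request: internal addresses in Via,
    Contact and Record-Route and in the SDP o=/c= lines are replaced by the
    SBC's outside address (the SBC then relays the media itself).
    Content-Length is recomputed because the rewritten SDP changes size."""
    headers, _, body = sip_msg.partition("\r\n\r\n")
    new_headers = []
    for line in headers.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name == "content-length":
            continue  # re-added below with the correct value
        if name in ("via", "contact", "record-route"):
            line = line.replace(internal_ip, outside_ip)
        new_headers.append(line)
    new_body = "\r\n".join(
        l.replace(internal_ip, outside_ip) if l.startswith(("o=", "c=")) else l
        for l in body.split("\r\n"))
    new_headers.append(f"Content-Length: {len(new_body.encode())}")
    return "\r\n".join(new_headers) + "\r\n\r\n" + new_body


def leaked_private_addresses(sip_msg):
    """Audit check: RFC 1918 addresses still visible in a message leaving the enterprise."""
    found = set()
    for token in IPV4_RE.findall(sip_msg):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue
        if any(addr in net for net in RFC1918):
            found.add(token)
    return sorted(found)


# Constructed outbound INVITE from the IP PBX towards the provider's peer SBC.
_SDP = "\r\n".join([
    "v=0", f"o=pbx 2890844526 2890844526 IN IP4 {INTERNAL_PBX}", "s=-",
    f"c=IN IP4 {INTERNAL_PBX}", "t=0 0", "m=audio 49170 RTP/AVP 0 9",
    "a=rtpmap:0 PCMU/8000", "a=rtpmap:9 G722/8000",
])
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:+15551234567@203.0.113.10 SIP/2.0",
    f"Via: SIP/2.0/UDP {INTERNAL_PBX}:5060;branch=z9hG4bK776asdhds",
    'From: "Ext 2001" <sip:2001@enterprise.example>;tag=1928301774',
    "To: <sip:+15551234567@203.0.113.10>",
    "Call-ID: a84b4c76e66710@enterprise.example",
    "CSeq: 314159 INVITE",
    f"Contact: <sip:2001@{INTERNAL_PBX}:5060>",
    "Content-Type: application/sdp",
    f"Content-Length: {len(_SDP)}",
]) + "\r\n\r\n" + _SDP

if __name__ == "__main__":
    limiter = TokenBucket(rate_per_sec=10, burst=3)
    print(admit_signaling("192.0.2.99", limiter))
    print(admit_signaling("203.0.113.10", limiter))
    print(leaked_private_addresses(SAMPLE_INVITE), "->",
          leaked_private_addresses(hide_topology(SAMPLE_INVITE)))
```

Rewriting the SDP `c=` line only hides the PBX if the SBC also anchors the media, which is why a real SBC pairs topology hiding with its own media relay; the audit function is the simplest way to catch a header (a custom `P-` header, a `Record-Route` from an internal proxy) that a rewrite policy forgot.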
Business Challenge: Service Assurance
Issue:
- Keep the service running according to plan with regard to availability and service quality
SBC resolution:
Support policy-based admission control and load balancing for IPT and UC servers; provide transport control for incoming sessions, with QoS marking and VLAN mapping to assign VoIP traffic to appropriate paths through the network; and provide QoE reporting (based on R-factor or MOS scoring) and answer seizure ratio (ASR) statistics for network performance monitoring, capacity planning and service provider SLA compliance validation.
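To make the QoE and ASR reporting concrete, here is an added example of how an SBC's per-trunk SLA report can be derived from the records it already has: the SIP final response of each attempt and the delay/loss it measured on the media it relayed. This is illustrative code written for this page, not Acme Packet's reporting engine. The R-factor to MOS mapping is the one in ITU-T G.107, the delay and loss impairment terms are the simplified E-model form with the G.711 constants from ITU-T G.113 Appendix I, and the call records and media samples are constructed.

```python
"""QoE and answer-seizure-ratio reporting from SBC call records.
Added illustration (not Acme Packet's reporting engine).  The E-model
formulas are from ITU-T G.107 (R-factor to MOS) and the G.711 impairment
constants from ITU-T G.113 Appendix I; the call records are constructed."""
from collections import defaultdict


def r_to_mos(r):
    """ITU-T G.107 mapping from transmission rating R to estimated MOS."""
    if r < 0:
        return 1.0
    if r > 100:
        return 4.5
    return 1 + 0.035 * r + r * (r - 60) * (100 - r) * 7e-6


def r_factor(one_way_delay_ms, packet_loss_pct, ie=0.0, bpl=4.3):
    """Simplified E-model: R = 93.2 - Id - Ie_eff.  Id is the delay impairment
    (a steeper penalty above 177.3 ms), Ie_eff the codec/loss impairment;
    ie=0 and bpl=4.3 are the G.711 random-loss values from G.113 App. I."""
    d = one_way_delay_ms
    id_ = 0.024 * d + (0.11 * (d - 177.3) if d > 177.3 else 0.0)
    ie_eff = ie + (95 - ie) * packet_loss_pct / (packet_loss_pct + bpl)
    return 93.2 - id_ - ie_eff


def answer_seizure_ratio(cdrs):
    """ASR per trunk: answered sessions (2xx final) over all INVITE attempts."""
    attempts, answered = defaultdict(int), defaultdict(int)
    for trunk, _call_id, final_code in cdrs:
        attempts[trunk] += 1
        if 200 <= final_code < 300:
            answered[trunk] += 1
    return {t: answered[t] / attempts[t] for t in attempts}


def sla_report(cdrs, qoe_samples, min_asr, min_mos):
    """Per-trunk ASR and mean MOS with the SLA thresholds that were breached."""
    asr = answer_seizure_ratio(cdrs)
    report = {}
    for trunk in asr:
        samples = qoe_samples.get(trunk, [])
        mos = (sum(r_to_mos(r_factor(d, loss)) for d, loss in samples) / len(samples)
               if samples else None)
        breaches = []
        if asr[trunk] < min_asr:
            breaches.append("asr")
        if mos is not None and mos < min_mos:
            breaches.append("mos")
        report[trunk] = {"asr": asr[trunk], "mos": mos, "breaches": breaches}
    return report


# Constructed records: (trunk, Call-ID, SIP final response code) per INVITE attempt.
CDRS = [
    ("sp-trunk-a", "c1", 200), ("sp-trunk-a", "c2", 486),
    ("sp-trunk-a", "c3", 200), ("sp-trunk-a", "c4", 503),
    ("sp-trunk-b", "c5", 200), ("sp-trunk-b", "c6", 200),
    ("sp-trunk-b", "c7", 200), ("sp-trunk-b", "c8", 404),
]
# Constructed per-call media statistics: (one-way delay ms, packet loss %),
# as an SBC would derive from RTCP or its own media relay counters.
QOE_SAMPLES = {
    "sp-trunk-a": [(20, 0.0), (30, 0.5)],
    "sp-trunk-b": [(180, 2.0), (250, 3.0)],
}

if __name__ == "__main__":
    for trunk, row in sla_report(CDRS, QOE_SAMPLES, min_asr=0.60, min_mos=3.6).items():
        print(trunk, f"ASR={row['asr']:.0%}", f"MOS={row['mos']:.2f}", row["breaches"])
```

On the constructed data the first trunk answers only half its attempts (ASR breach) while its media quality is excellent, and the second trunk answers well but its 180 ms and 250 ms delays push it past the 177.3 ms knee of the delay impairment, so its mean MOS falls below the floor. Keeping the two measurements separate is the point: a provider can meet a signaling SLA and miss a quality SLA, or the reverse.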
Business Challenge: Cost Optimization
Issue:
- Support enterprise reduction of SP charges for VoIP and UC traffic
- Extend the usable life of legacy systems while conserving capex and opex
SBC resolution:
Help the enterprise reduce SP charges for real-time communications traffic via flexible session routing policies based on a variety of metrics, including least-cost routing, observed call quality, and bandwidth policing via codec renegotiation. In addition, use interworking and protocol normalization to allow the ongoing use of legacy equipment at the same time that new real-time IP communications services are being deployed.
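The routing policy described above combines three inputs (price, observed quality and bandwidth) that are usually discussed separately, so the following added example shows them acting together on one INVITE: choose the cheapest trunk whose recent MOS meets a floor and which still has capacity, then police bandwidth by renegotiating the SDP offer down to the codecs that trunk's policy allows. It is illustrative code written for this page, not Acme Packet's routing engine; the trunk table, per-minute rates, per-codec bandwidth figures and the SDP offer are constructed.

```python
"""Session routing policy: least-cost trunk selection gated on observed call
quality, plus bandwidth policing by codec renegotiation of the SDP offer.
Added illustration, not Acme Packet's routing engine; trunk table, rates and
the SDP offer are constructed."""
import re

# Approximate IP bandwidth per call direction (RTP payload + RTP/UDP/IP headers,
# 20 ms packetization), in kbps.  Constructed planning figures for the example.
CODEC_KBPS = {"PCMU": 87.2, "PCMA": 87.2, "G722": 87.2, "G729": 31.2}
STATIC_PT = {"0": "PCMU", "8": "PCMA", "9": "G722", "18": "G729"}  # RFC 3551 static types

# Constructed trunk table: price per minute, latest observed MOS, load and the
# per-call bandwidth the enterprise is willing to spend on that trunk.
TRUNKS = {
    "sp-a": {"cost_per_min": 0.012, "observed_mos": 4.2, "active": 180,
             "max_sessions": 200, "max_kbps_per_call": 100},
    "sp-b": {"cost_per_min": 0.009, "observed_mos": 3.1, "active": 20,
             "max_sessions": 200, "max_kbps_per_call": 40},
    "sp-c": {"cost_per_min": 0.010, "observed_mos": 4.0, "active": 200,
             "max_sessions": 200, "max_kbps_per_call": 100},
}


def select_trunk(trunks, min_mos):
    """Cheapest trunk whose recent quality meets the floor and that still has capacity."""
    eligible = [(t["cost_per_min"], name) for name, t in trunks.items()
                if t["observed_mos"] >= min_mos and t["active"] < t["max_sessions"]]
    return min(eligible)[1] if eligible else None


def renegotiate_sdp(sdp, max_kbps):
    """Bandwidth policing: drop payload types whose per-call bandwidth exceeds
    the trunk policy from the m=audio line and their a=rtpmap/a=fmtp lines,
    keeping the offerer's preference order.  Returns (new_sdp, kept_codecs)."""
    lines = sdp.split("\r\n")
    pt_to_codec = dict(STATIC_PT)
    for line in lines:
        m = re.match(r"a=rtpmap:(\d+) ([^/]+)/", line)
        if m:
            pt_to_codec[m.group(1)] = m.group(2)

    def fits(pt):
        return CODEC_KBPS.get(pt_to_codec.get(pt, ""), float("inf")) <= max_kbps

    kept, out = [], []
    for line in lines:
        if line.startswith("m=audio"):
            parts = line.split()
            kept = [pt for pt in parts[3:] if fits(pt)]
            if not kept:
                raise ValueError("no offered codec satisfies the trunk bandwidth policy")
            line = " ".join(parts[:3] + kept)
        m = re.match(r"a=(?:rtpmap|fmtp):(\d+) ", line)
        if m and not fits(m.group(1)):
            continue
        out.append(line)
    return "\r\n".join(out), [pt_to_codec[pt] for pt in kept]


def route_session(trunks, sdp_offer, min_mos):
    """Pick the trunk, then shape the offer to that trunk's bandwidth policy."""
    trunk = select_trunk(trunks, min_mos)
    if trunk is None:
        return None, sdp_offer, []
    new_sdp, codecs = renegotiate_sdp(sdp_offer, trunks[trunk]["max_kbps_per_call"])
    return trunk, new_sdp, codecs


# Constructed SDP offer from the IP PBX: wideband G.722 preferred, then G.711, then G.729.
OFFER = "\r\n".join([
    "v=0", "o=pbx 1 1 IN IP4 198.51.100.5", "s=-", "c=IN IP4 198.51.100.5", "t=0 0",
    "m=audio 49170 RTP/AVP 9 0 18",
    "a=rtpmap:9 G722/8000", "a=rtpmap:0 PCMU/8000", "a=rtpmap:18 G729/8000",
    "a=fmtp:18 annexb=no",
])

if __name__ == "__main__":
    for floor in (3.6, 3.0):
        trunk, _, codecs = route_session(TRUNKS, OFFER, floor)
        print(f"MOS floor {floor}: trunk={trunk} codecs={codecs}")
```

With a 3.6 MOS floor the cheapest trunk is excluded for poor observed quality and the next-cheapest is full, so the call lands on the most expensive trunk with the full codec list intact; relaxing the floor to 3.0 admits the cheap trunk, whose bandwidth policy strips the offer down to G.729. Raising an error rather than forwarding an empty `m=` line is deliberate: an offer with no usable codec should be answered with a SIP failure, not passed to the provider.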
Business Challenge: Regulatory Compliance
Issue:
- Migrate compliance-oriented systems and features from their TDM environments into the IP world, including privacy, call recording, emergency services, domain separation between business groups or operations such as financial services research and trading
SBC resolution:
Identify emergency sessions (E911), add location information, exempt them from admission control policies and route them with priority to the appropriate PSAP; provide a session replication mechanism to support IP call recording for compliance with regulatory agencies and mandates like the Securities and Exchange Commission (SEC), Health Insurance Portability and Accountability Act (HIPAA) and Federal Rules of Civil Procedure (FRCP). The SBC should also support domain separation (e.g., separation of investment banking from research operations) by supporting VPNs at layers 2 and 3, and the privacy of real-time communications must be protected through the use of signaling and/or media encryption.
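The admission control described under Service Assurance and the emergency-session handling described here are two sides of one policy: ordinary sessions are admitted against a budget, while an E911 session is identified, exempted from that budget, tagged with location and routed with priority. The following added example models both in one admission function. It is illustrative code written for this page, not Acme Packet's implementation; the realm limits, the emergency number list, the endpoint-to-location table and the sequence of requests are constructed, and the location is represented as a field on the admitted session rather than as the Geolocation header / PIDF-LO body (RFC 6442) a deployment would actually send.

```python
"""Policy-based session admission control with emergency-session exemption
and priority treatment.  Added illustration covering the admission-control
point under Service Assurance and the E911 handling under Regulatory
Compliance; not Acme Packet's implementation.  Realm limits, the emergency
number list, the endpoint location table and the requests are constructed."""
import re
from dataclasses import dataclass

# Constructed policy: dialed digits the SBC treats as emergency calls.
EMERGENCY_NUMBERS = {"911"}
# Approximate per-call IP bandwidth in kbps (20 ms packetization), constructed.
CODEC_KBPS = {"PCMU": 87.2, "G722": 87.2, "G729": 31.2}
# Constructed endpoint -> emergency response location table.  A deployment would
# take this from a location information server and convey it towards the PSAP
# (e.g. Geolocation header / PIDF-LO body per RFC 6442); this example only
# models it as a field on the admitted session.
ENDPOINT_LOCATION = {"sip:2001@enterprise.example": "Bldg A, Floor 3, Room 312"}


@dataclass
class Realm:
    """An access realm (e.g. one site's IP PBX) with its admission budget."""
    name: str
    max_sessions: int
    max_kbps: float
    active: int = 0
    used_kbps: float = 0.0


def is_emergency(request_uri):
    """RFC 5031 service URN (urn:service:sos...) or a dialed emergency number."""
    if request_uri.lower().startswith("urn:service:sos"):
        return True
    m = re.match(r"sip:\+?(\d+)@", request_uri)
    return bool(m and m.group(1) in EMERGENCY_NUMBERS)


def admit(realm, caller, request_uri, codec):
    """Admission decision for one INVITE.  Emergency sessions bypass the session
    and bandwidth caps, get the location attached and are routed with top
    priority to the PSAP trunk; everything else is subject to the realm budget."""
    need = CODEC_KBPS[codec]
    if is_emergency(request_uri):
        realm.active += 1
        realm.used_kbps += need
        return {"admitted": True, "priority": "emergency", "dscp": "EF",
                "route": "psap-trunk", "location": ENDPOINT_LOCATION.get(caller)}
    if realm.active >= realm.max_sessions:
        return {"admitted": False, "response": "503 Service Unavailable",
                "reason": "session cap reached"}
    if realm.used_kbps + need > realm.max_kbps:
        return {"admitted": False, "response": "503 Service Unavailable",
                "reason": "bandwidth budget exhausted"}
    realm.active += 1
    realm.used_kbps += need
    return {"admitted": True, "priority": "normal", "dscp": "EF", "route": "sp-trunk"}


def release(realm, codec):
    """Return a session's resources to the realm budget on BYE."""
    realm.active -= 1
    realm.used_kbps -= CODEC_KBPS[codec]


def run_scenario():
    """Deterministic walk-through on a small realm; returns the list of decisions."""
    realm = Realm("site-a", max_sessions=3, max_kbps=210)
    decisions = [
        admit(realm, "sip:2001@enterprise.example", "sip:+15551230000@sp.example", "PCMU"),
        admit(realm, "sip:2002@enterprise.example", "sip:+15551230001@sp.example", "PCMU"),
        # third call: within the session cap, but G.722 would overrun the bandwidth budget
        admit(realm, "sip:2003@enterprise.example", "sip:+15551230002@sp.example", "G722"),
        # the same caller retries with a narrowband codec that fits
        admit(realm, "sip:2003@enterprise.example", "sip:+15551230002@sp.example", "G729"),
        # the realm is now full, yet the emergency call is admitted and prioritised
        admit(realm, "sip:2001@enterprise.example", "sip:911@enterprise.example", "PCMU"),
        # a further ordinary call is refused
        admit(realm, "sip:2004@enterprise.example", "sip:+15551230004@sp.example", "G729"),
    ]
    return decisions


if __name__ == "__main__":
    for d in run_scenario():
        print(d)
```

The scenario shows the two failure modes an admission policy must distinguish (session count versus media bandwidth, each answered with a distinct reason) and the one case that must never be refused: the emergency call placed after the realm is full. Because the exemption also bypasses the budget, a deployment would still rate-limit emergency-URN requests per source so the exemption itself cannot be used to exhaust the core.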
Net-net, an SBC addresses the wide range of issues that arise when voice and real-time multimedia collaborative applications are overlaid on IP infrastructure. The five SBC control functions summarized above are relevant for access to both SP and enterprise networks and on both User-to-Network Interfaces to end users and access networks, and Network-to-Network Interfaces to peer networks. The key here is that the SP utilizes an SBC on its borders to protect its own network. The enterprise needs the same SBC operational controls to secure its own borders.
This paper is sponsored by Acme Packet.