APPLICATION NOTE. SIP Trunking Connectivity, Security and Deployment Scenarios. Introduction

Transcription

1 SIP Trunking Connectivity, Security and Deployment Scenarios Introduction Enterprises have traditionally based their voice communications on an in-premises telephony switch the PBX. Until recently, the PBX and the trunk connection used with the service provider was TDM-based. Currently, there are two trends taking place. Firstly, TDM PBXs are being swapped with IP-PBXs and, secondly, SIP trunks are gradually gaining in popularity as an IP-based alternative to TDM trunks. SIP Trunks are offered by Internet Telephony Service Providers (ITSPs) in order to connect an enterprise s IP-PBX to traditional PSTN users over an IP network, using the Session Initiation Protocol (SIP) VoIP protocol. Deploying SIP trunks enables enterprises to take full advantage of VoIP and eliminate costly TDM trunks. Enterprises route calls over the carrier s IP backbone and use the same IP connection for all of their communications. Media Gateways have played a straightforward role in IP-enabled Enterprises by providing connectivity to the PSTN. However, the use of SIP trunking is rapidly growing and instead of trunking to the PSTN for network connectivity, it is beginning to change the fundamental nature of a Media Gateway. Moving forward from a legacy of IP to TDM conversion, Media Gateways are now being called upon as a host for new roles, providing interoperability, security, network robustness, and routing control. AudioCodes Enterprises Session Border Controller (E-SBC) which is based on AudioCodes Best-of-Breed Media gateway technology, has the ability to manage and manipulate both media and signaling, based on TDM and VoIP, along with the new SBC functionality, which addresses the security, mediation and SLA requirements of the enterprise, AudioCodes Media Gateways has clear and unique advantages over other solutions. AudioCodes E-SBC product line integrates all that is required for Secured SIP Trunking connectivity in one box. It offers connectivity services, which enable transparent, redundant and feature-rich connectivity between the enterprise network and the SIP Trunking provider. In addition, the E-SBC product line supports a rich set of security services. protecting the Enterprise from attacks originating in the Service Provider network. The product line has fully featured Enterprise-class Session Border Controllers, which includes Access Control, Encryption and Authentication, Topology Hiding, VoIP firewall and deep packet inspection. This application note will outline the different connectivity and security features that are required for SIP Trunking applications, along with the different deployment options of AudioCodes products in these applications.

2 Connectivity The Service Provider Enterprise Demarcation Point Enterprises require a demarcation point between their VoIP boundary and their service provider. This demarcation point must perform all security and connectivity functions required to enforce enterprise policies, as well as QoS policies and call admission control mechanisms. Similarly, Service Providers require a clear hand-off point between their network service and the end customer. This important function delivers health and quality statistics to the service provider, also establishing a security boundary between the provider network and the customer. Fulfill the important role of Demarcation Point AudioCodes E-SBC product line fulfill the important role of a Demarcation Point in SIP Trunking solutions, controlled by the Service Provider or the Enterprise. SIP Mediation and Interoperability Session Initiation Protocol (SIP) includes a large number of options. It is quite common for an IP-PBX and a SIP Trunking Service Provider to implement a different set of options and fail to communicate. With SIP Mediation at the customer network edge, SIP Trunking Service Providers can interface with any SIP-enabled IP-PBX, eliminating the need to achieve direct interoperability with every IP-PBX vendor and, therefore, address the customer base. The SIP Mediation gateway translates between the different SIP variants implemented in the IP-PBX and the Service Provider network, allowing for a smooth and successful SIP trunk roll-out. AudioCodes products have proven seamless interoperability with leading IP-PBX vendors and major SIP Service Providers, ensuring that SIP trunks are deployed quickly and with minimal effort. Seamless interoperability with leading IP-PBX vendors and major SIP Service Providers 2

3 Legacy PBX Connectivity (Media Gateway Functionality) While the focus is on IP-enabled Enterprises that are migrating from PSTN to SIP trunks, one can not forget about the legacy PBX in Enterprises, which are migrating to SIP Trunking. In this case, a Media Gateway is still needed to perform the TDM-to-IP translation, but the security and interoperability requirements for its operation are similar to those discussed in IP-enabled Enterprises. AudioCodes products are capable of supporting IP-to-IP SIP trunking in parallel with legacy TDM-to-IP Media Gateway functionality concurrently, within the same box. IP-to-IP SIP trunking in parallel with legacy TDM-to-IP Media Gateway functionality VoIP NAT and Firewall Traversal IP addresses in SIP messages and message headers that are exchanged between the Service Provider and Enterprise network must include routable IP addresses in the Service Provider s Network. Unlike data applications, VoIP uses dynamic ports for peer-to-peer media flows. Since ordinary firewalls are unaware of SIP, SIP communication does not work between the LAN and the outside world. For SIP trunking, this issue has to be resolved to allow the SIP trunk to reach the PBX system. In addition, remote users trying to connect to the Enterprise IP-PBX system must also be supported by the Enterprise Firewall. AudioCodes E-SBC product line support a comprehensive implementation of NAT traversal features, allowing transparent connectivity between the Enterprise IP-PBX and the Service Provider SIP Trunk service, as well as remote users connectivity into the Enterprise. A comprehensive implementation of NAT traversal features 3

4 Data Routing and WAN Access Enterprises that connect to SIP Service Providers require a combination of network edge functionality. These include Media Gateways and Session Border Controllers (SBC), as well as data functionality, such as WAN access and routing. Combining the two entities of VoIP and Data into one box can save on capital and operational expenses for the Service Provider and the Enterprise. Access technologies vary among different flavors of xdsl, E1/T1, Ethernet access, and different VPN implementations. Routing includes static routing, as well as dynamic routing protocols such as RIP, OSPF and BGP. AudioCodes Multi-Service Business Gateways support the integration of VoIP and Data features into one integrated demarcation point. Integration of VoIP and Data features into one integrated demarcation point Topology Hiding Enterprises connecting to SIP Trunking Service Providers expect the same level of security and separation as the one they had when they were using traditional TDM. Using a direct SIP connection between the Enterprise and the Service Provider may expose dialing plans, network topologies and location information to the Service Provider and potentially to other enterprises and even Internet users. By using a Back-to-Back-User-Agent (B2BUA) function, the Enterprise can hide its network topology from the Service Provider and vice-versa, enabling stronger security and better flexibility increating internal overlapping dialing plans and routing tables. Full topology hiding with extensive routing capabilities AudioCodes E-SBC provides full topology hiding with extensive routing capabilities and number manipulation techniques. 4

5 Survivability Enterprise branch offices, which use a centralized IP-PBX server and remote users of a Service Provider IP Centrex service may face a survivability challenge. These remote locations may lose all voice services (including internal calls) due to the connectivity loss between the remote site and the central SIP service. This issue can challenge enterprises that deploy a distributed IP-PBX solution, based on a Service Provider SIP Trunking service. AudioCodes Stand Alone Survivability (SAS) and PSTN Fallback are supported on all of AudioCodes products. SAS backs up service for SIP clients, such as SIP IP Phones and SIP Soft Phones, in case of network failure. If the measured voice quality falls beneath a pre-defined value, or the path to the destination is dissconected, the IP-based connectivity falls back to the PSTN. This backup is performed by AudioCodes CPE products installed in the branch office. Backs up service for SIP clients in case of network failure Emergency Calling ( E.911 ) The decentralized VoIP architecture of SIP Trunking creates a significant challenge with Emergency Calls initiated from Enterprises remote branches and SOHOs. These systems may not accurately report on the geographical location of the call s origination, which could result in dispatching emergency responders to a wrong location. AudioCodes overcomes the aforementioned challenge by leveraging advanced call routing, number manipulation and PSTN breakout (FXO, BRI, PRI) capabilities implemented in its CPE products. By straight forward and intuitive configuration, AudioCodes CPE products can route national Emergency Call numbers (e.g. 911 and 112) via access towards the local PSTN, instead of the SIP Trunk Service Provider. It ensures that the call will reach its correct destination in the proper geographical area, thereby avoiding any network ambiguity. Furthermore, the call details include all the relevant information required by the emergency staff to trace the caller, if necessary. Route national Emergency Call numbers towards the local PSTN 5

6 QoS Control and Policy Enforcement In order to deploy SIP trunks without compromising on established policies, enterprises must enforce the same type of QoS and Security policies enforced on TDM trunks on their SIP Trunks. VoIP and IT administrators must control their Unified Communications applications by defining the way the applications are used and the networks, devices, and users that are authorized to interact with the applications. AudioCodes products enable flexible deployment of voice and data policies, as well as QoS mechanisms, in order to create an environment with predictable VoIP quality and performance. Flexible deployment of voice and data policies Least Cost Routing (LCR), Call Detail Records (CDR) and Billing Connecting to a SIP Trunking Service Provider using a native IP connection, immediately opens the door to more SIP Trunking connections and choosing efficient Least Cost Routing options from a number of Service Providers. This option can also mix SIP Trunking providers with traditional PSTN providers. Thus, the support of CDR export becomes a very important tool, enabling the monitoring of Enterprise telephony costs and optional departmental billing. AudioCodes products and the E-SBC product line specifically support the use of multiple SIP Trunks and PSTN Service Providers in the same box, allowing for efficient Least Cost Routing and Opex savings. CDR reporting also allows for detailed monitoring of call destinations and costs. Multiple SIP Trunks and PSTN Service Providers 6

7 Transcoding In addition to translating between different variants of SIP, customers also need to coordinate between VoIP vocoders, in order to allow successful VoIP calls over a SIP Trunk. An end-to-end VoIP call must share a vocoder for communication to occur. In most VoIP networks, the method used to coordinate between vocoders is Vocoder Negotiation. This process involves negotiating and agreeing on the best common coder between two end points. Since most VoIP systems deployed today share many of the vocoders supported by end devices, this process is acceptable. In other cases, Vocoder Negotiation is not a possibility. Therefore, a transcoding function may also be required to support the demarcation point between the Enterprise and the Service Provider. Narrowband and Wideband Transcoding AudioCodes Integral Transcoding features use integrated DSPs that allow for both Narrowband and Wideband transcoding. HD VoIP As a result of expanding IP broadband networks, wideband speech codecs (High Definition VoIP HDVoIP) can now be effectively deployed. This enables the doubling of bandwidth for voice communications, elevating the quality of daily voice communication to that of FM radio or conference room quality. SIP Trunk Service Providers are beginning to enable HD VoIP support on their connections, which allows HD VoIP-enabled Enterprises to interconnect without losing HD quality. AudioCodes products support HD VoIP services, including HD VoIP codec termination, HD VoIP transcoding, and HD VoIP conferencing. HD VoIP codec termination, HD VoIP transcoding, and HD VoIP conferencing 7

8 Hosting 3 rd Party Applications Service Providers deploying SIP Trunking Services and Enterprises connecting to SIP Trunking Service Providers often deploy Unified Communications applications working in conjunction with the SIP Trunking Service. These applications can include IP-PBX, Unified Messaging, Conferencing, a host of other off-the shelf apps, as well as specially developed applications. AudioCodes products extend the flexibility of the Enterprise Service Provider demarcation point with a built-in Intel processor-based server, called the Open Solution Network (OSN) Server, which can host the abovementioned applications. In addition, an advanced DSP farm enables media processing services such as announcements, recording, IVR, conferencing and transcoding. VoIP and Data Security VoIP and Data Firewalling and ALG When connecting to a SIP Trunk Service Provider with combined VoIP and Data services, Enterprises must support the combination of the data firewall and a VoIP SIP-aware firewall. Enabling the VoIP Security entity to handle all VoIP traffic offloads this traffic from the general purpose data firewall and frees the data firewall to handle other applications more efficiently and to maintain effective security controls for those applications. Stateful inspection of application layer data and enhanced security for VoIP and data applications AudioCodes E-SBC product line offers a complete feature-rich Enterprise-class Session Border Controller, enabling Enterprises to adopt VoIP safely and securely. The VoIP firewall (i.e. SBC) and optional Data firewall* interact, allowing for opening the right pinholes, based on the SIP session information. The Application Level Gateway functionality offers stateful inspection of application layer data and enhanced security for VoIP and data applications. *Data Firewall and ALG are supported on Mediant 800 MSBG /E-SBC and Mediant 1000 MSBG/E-SBC 8

9 Encryption (Media, Control, Management) One of the inherent features of the VoIP network is the complete separation of the call control traffic, the media streams, and the management traffic. Each has its own protocols and can actually take a different route in the IP network. Each of these protocols must be secured in order to create a fully secured network. RTP is the most commonly used protocol for VoIP media streams. Secured RTP (SRTP) is commonly used to encrypt RTP and RTCP transport. For the signaling part, SIP/TLS (also known as SIPS or Secured SIP) and MD5 Authentication are used to secure the SIP Transport. VoIP network management, like any service management across IP networks, involves many protocols and systems running in parallel. These protocols are extremely sensitive to security threats. Implementing security in the management plane must include the protection of all management-related protocols and systems in the network. This can be done using various mechanisms such as IPSec, HTTPS and more. On top of VoIP security and encryption, SIP Trunking customers should also take care of Data encryption using IPSec. Security and encryption of multimedia transport AudioCodes products support the combination of all of these protocols, allowing for full security and encryption of multimedia transport between the Enterprise branches over the Service Provider s network. Call Admission Control The demarcation point between the Enterprise and the Service Provider is the classic point of Enterprise Call Admission Control. Enterprises are required to control the number of simultaneous calls between the Enterprise branches and the PSTN. In addition, most Enterprises also control the allowed destinations for different employees. Although this feature can be implemented inside the PBXs and the IP-PBXs of the Enterprise, it is much easier to concentrate and manage them in one location, which is the connection between the Enterprise and the Service Provider(s). AudioCodes CPE products provide flexible Call Admission Control mechanisms, for both VoIP and Data*, combined with the abovementioned Least Cost Routing, allowing the Enterprise to fully administer the amount and destinations of incoming and outgoing calls in the organization, saving on operation costs. *Data admission control is supported on Mediant 800 MSBG/E-SBC and Mediant 1000 MSBG/E-SBC 9

10 IDS / IPS - DOS Protection While transitioning from traditional PSTN to SIP Trunking, a large number of potential threats may be introduced. These threats include Eavesdropping, signaling and media manipulation, service theft/fraud, Denial of Service (DoS) and Distributed DoS, SPIT (Spam over IP Telephony) and more. Enterprises must be aware of these threats and deploy the right products to protect themselves, when connecting to SIP Trunking Service Providers. AudioCodes E-SBC products, which combine a SIP-aware firewall and a full Back-to-Back-User- Agent, support the protection against security threats. Combining this with enhanced encryption algorithms and VPN will provide the enterprise with secured network architecture. Protection against security threats Deployment Scenarios Connecting an Enterprise to a SIP Trunking Service Provider may require a combination of multiple functions at the network edge: WAN access device connecting the Enterprise LAN network into the WAN, according to the technology required in the site (xdsl, Ethernet, E1/T1, PON, etc.) Router providing routing services and protocols (Static, RIP, OSPF, BGP, VPN etc.) Data Firewall protecting the Enterprise data network from external attacks and providing a secured DMZ (Demilitarized Zone) for externally facing services SIP security and connectivity services device (SBC or Session Border Controller) for allowing transparent and secured connectivity to the SIP Trunking Service Provider Media Gateway connecting the Enterprise existing TDM-PBX to the SIP Trunking Service provider and potentially providing PSTN breakout local services One of the strengths of AudioCodes CPE product offering is the ability to meet all of these requirements and integrate them into one box the Multi-Service Business Gateway. On the other hand, under certain conditions, customers can pick, choose, and implement a selection of the functionalities, utilizing other mission-specific products already used, along with AudioCodes CPE media gateways. 10

11 Connecting your IP-PBX to SIP Trunking Service Providers IP-to-IP SIP Trunking VoIP Gateway / Enterprise Session Border Controller For Enterprises that already have their data networking infrastructure in place, and have already migrated to an IP-PBX environment, moving from a PSTN connection to a SIP Trunk Service provider requires a dedicated IP to IP SIP Trunking VoIP Gateway, also known as an Enterprise Session Border Controller. This box will perform the required connectivity and security services, and will be placed between the internal VoIP VLAN in the Enterprise, which includes the IP-PBX and the IP Phones, and the WAN network that connects to the SIP Service Provider. AudioCodes E-SBC product line connect IP-PBX with SIP trunking service providers over a secure connection. Integrated IP-to-IP E-SBC functionality Connecting your TDM PBX to SIP Trunking Service Providers TDM-to-IP SIP Trunking Media Gateway For Enterprises who already have their data networking infrastructure in place, but are still using their legacy TDM PBX, moving from a PSTN connection to a SIP Trunk Service provider requires a TDM to IP SIP Trunking Media Gateway. This box will be placed between the TDM PBX and the Enterprise WAN network that is connected to the SIP Service Provider and will perform the required translation between the TDM and the IP environments. Integrated TDM-to-IP functionalities AudioCodes E-SBC product line include integrated TDM to IP functionalities that can perfectly support connectivity for all common types of TDM interfaces (FXS, FXO, E1/T1,DS-3 and OCS-3/STM-1). 11

12 Connecting your mixed PBX Environment to SIP Trunking Service Providers SIP Trunking SBC and Media Gateway Some Enterprises utilize a mixed environment where some of their PBXs are using legacy TDM interfaces, while other PBXs are already equipped with IP interfaces. Others are using both types of PBXs during the migration phase from legacy telephony to IP Telephony. These Enterprises require a combination of an IP-to-IP Session Border Controller and a TDM-to-IP SIP Media Gateway. AudioCodes E-SBC supports this special combination of TDM-to-IP and IP-to-IP functionality in the same box. Building on the success of AudioCodes TDM-to-IP Media Gateways, these products offer an integrated SBC, supporting the requirements of Enterprises that are still migrating from TDM-to-IP-PBXs. Special combination of TDM-to-IP and IP-to-IP functionality in the same box Connecting your Integrated Voice and Data Network to SIP Trunking Service Providers The Integrated Enterprise Multi-Service Business Gateway Enterprises that are planning to upgrade their voice and data infrastructure will benefit from the integration of all required network edge services into one single platform. These Enterprises can integrate the WAN Access Device, Router, Data Firewall, Media Gateway and Session Border Controller functionalities into a single device connected to the SIP Trunking Service Provider network. Multiple functionalities in a single, integrated device AudioCodes Multi-Service Business Gateways are ideal for this application. They integrate all the aforementioned functionalities into a single, integrated device. This saves both capital and operational expenses, while making the lives of both Enterprise, and the Service Provider, much easier. 12

13 About AudioCodes AudioCodes Ltd. (NasdaqGS: AUDC) designs, develops and sells advanced Voice over IP (VoIP) and converged VoIP and Data networking products and applications to Service Providers and Enterprises. AudioCodes is a VoIP technology market leader focused on converged VoIP & data communications and its products are deployed globally in Broadband, Mobile, Cable, and Enterprise networks. The company provides a range of innovative, cost-effective products including Media Gateways, Multi-Service Business Gateways, Session Border Controllers (SBC), Residential Gateways, IP Phones, Media Servers and Value Added Applications. AudioCodes underlying technology, VoIPerfectHD, relies on AudioCodes leadership in DSP, voice coding and voice processing technologies. AudioCodes High Definition (HD) VoIP technologies and products provide enhanced intelligibility and a better end user communication experience in Voice communications. International Headquarters 1 Hayarden Street, Airport City Lod 70151, Israel Tel: Fax: AudioCodes Inc. 27 World s Fair Drive, Somerset, NJ Tel: Fax: Contact us: Website: AudioCodes Ltd. All rights reserved. AudioCodes, AC, AudioCoded, Ardito, CTI2, CTI², CTI Squared, HD VoIP, HD VoIP Sounds Better, InTouch, IPmedia, Mediant, MediaPack, NetCoder, Netrake, Nuera, Open Solutions Network, OSN, Stretto, TrunkPack, VMAS, VoicePacketizer, VoIPerfect, VoIPerfectHD, What s Inside Matters, Your Gateway To VoIP and 3GX are trademarks or registered trademarks of AudioCodes Limited. All other products or trademarks are property of their respective owners. Product specifications are subject to change without notice. Ref. # LTRM /11 V.5 13