ENTERPRISE SESSION BORDER CONTROLLERS: SAFEGUARDING TODAY S AND TOMORROW S UNIFIED COMMUNICATIONS



Similar documents
Simplify Delivery of a Next-Generation. Alcatel-Lucent OpenTouch Suite for Mid-Sized and Large Enterprises: Blueprint

TRANSFORMATION OPPORTUNITIES WITH THE ALCATEL-LUCENT OPENTOUCH SUITE OPTIMIZING CONVERSATION DELIVERY OVER CENTRALIZED COMMUNICATIONS NETWORKS

Securing SIP Trunks APPLICATION NOTE.

What is an E-SBC? WHITE PAPER

White Paper. avaya.com 1. Table of Contents. Starting Points

Ingate Firewall/SIParator SIP Security for the Enterprise

Recommended IP Telephony Architecture

Why a Reverse Proxy with My Instant Communicator for mobiles??

SIP Trunking Configuration with

OpenScape Session Border Controller Delivering security, interoperability and cost savings to the enterprise network border

FROM TELEPHONY TO IP COMMUNICATIONS: A NATURAL EVOLUTION REDUCE COSTS AND IMPROVE MOBILITY WITH IP COMMUNICATIONS APPLICATION NOTE

An Oracle White Paper August What Is an Enterprise Session Border Controller?

Securing Unified Communications for Healthcare

WebRTC: Why and How? FRAFOS GmbH. FRAFOS GmbH Windscheidstr. 18 Ahoi Berlin Germany

FRAFOS GmbH Windscheidstr. 18 Ahoi Berlin Germany

Dialogic BorderNet Session Border Controller Solutions

Cisco WebEx Meetings Server

Session Border Controllers in Enterprise

Building the Lync Security Eco System in the Cloud Fact Sheet.

SIP Trunking with Microsoft Office Communication Server 2007 R2

UC and SIP Trunking Luncheon. Sponsored by:

Brochure. Dialogic BorderNet Session Border Controller Solutions

ALCATEL-LUCENT OPENTOUCH SUITE FOR SMALL AND MEDIUM BUSINESSES Simplified communications for businesses on the move

alcatel-lucent for small and Simplified communications for businesses on the move

SIP SECURITY JULY 2014

Best Practices for Securing IP Telephony

Load Balancing for Microsoft Office Communication Server 2007 Release 2

Unified Communications and Desktop Integration

1 ABSTRACT 3 2 CORAL IP INFRASTRUCTURE 4

Dialogic. BorderNet Products Interwork and Connect Seamlessly and Securely at the Network Edge

Network Security Topologies. Chapter 11

ALCATEL-LUCENT OPENTOUCH BUSINESS EDITION

Connecting MPLS Voice VPNs Enabling the Secure Interconnection of Inter-Enterprise VoIP

Session Control Applications for Enterprises

Unified Communications in RealPresence Access Director System Environments

OPENTOUCH SUITE FOR THE SMB

FRAFOS GmbH Windscheidstr. 18 Ahoi Berlin Germany

An Oracle White Paper February Centralized vs. Distributed SIP Trunking: Making an Informed Decision

How To Support An Ip Trunking Service

Cisco Advanced Services for Network Security

CLOUD CLOUT WITH OPEN APIS WHAT YOU SHOULD ASK OF YOUR CLOUD PROVIDER

WebRTC: Why You Should Care and How Avaya Can Help You. Joel Ezell Lead Architect, Collaboration Environment R&D

Oracle s Solution for Secure Remote Workers. Providing Protected Access to Enterprise Communications

Enriching the Microsoft Office Suite with Alcatel-Lucent Unified Communications Solutions

Polycom. RealPresence Ready Firewall Traversal Tips

Avaya plus Skype for Business: The Best of Both Worlds

OpenScape UC Firewall and OpenScape Session Border Controller

SECURING SAP NETWEAVER DEPLOYMENTS WITH SAFE-T RSACCESS

EXPLOITING SIMILARITIES BETWEEN SIP AND RAS: THE ROLE OF THE RAS PROVIDER IN INTERNET TELEPHONY. Nick Marly, Dominique Chantrain, Jurgen Hofkens

APPLICATION NOTE. SIP Trunking Connectivity, Security and Deployment Scenarios. Introduction

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Oracle s Session Initiation Protocol Trunking Solution. Increase Agility and Reduce Costs with Session Initiation Protocol Trunks

FAQ - Features Question Question Question Question Question Question

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

Level: 3 Credit value: 9 GLH: 80. QCF unit reference R/507/8351. This unit has 6 learning outcomes.

Configuring a Mediatrix 500 / 600 Enterprise SIP Trunk SBC June 28, 2011

Evolving Network Security with the Alcatel-Lucent Access Guardian


Telephony Denial of Service (TDoS) Attacks. Dan York, CISSP Chair, VoIP Security Alliance

OPENTOUCH CONVERSATION 2.1 START THE CONVERSATION DEMO SCRIPT. Alcatel-Lucent Enterprise

White Paper. Five Steps to Firewall Planning and Design

alcatel-lucent converged network solution The cost-effective, application fluent approach to network convergence

Security and the Mitel Teleworker Solution

OPENTOUCH SUITE FOR THE SMB

Chapter 2 PSTN and VoIP Services Context

SIP Security Controllers. Product Overview

Huawei One Net Campus Network Solution

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Enterprise Voice and Online Services with Microsoft Lync Server 2013

OfficeMaster Gate (Virtual) Enterprise Session Border Controller for Microsoft Lync Server. Quick Start Guide

Building the Lync Security Eco System in the Cloud Fact Sheet.

Contents. Specialty Answering Service. All rights reserved.

Extreme Networks CoreFlow2 Technology TECHNOLOGY STRATEGY BRIEF

DEPLOYING VoIP SECURELY

ALCATEL-LUCENT OMNIVISTA 8770 NETWORK MANAGEMENT SYSTEM A SINGLE MANAGEMENT INTERFACE ACROSS SYSTEMS AND DEVICES

SIP Trunking Deployment Models: Choose the One That Is Right for Your Company

Cconducted at the Cisco facility and Miercom lab. Specific areas examined

SangomaSBCs Keeping Your VoIP Network Secure. Simon Horton Sangoma

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

OPENTOUCH SUITE FOR THE SMB

Alcatel-Lucent OpenTouch Connection for Microsoft Outlook. User guide R2.0

ALCATEL-LUCENT OPENTOUCH SUITE FOR SMALL AND MEDIUM BUSINESSES Simplify your communications and maximise your business

5 Key Reasons to Migrate from Cisco ACE to F5 BIG-IP

Oracle s SIP Network Consolidation Solutions. Using SIP to Reduce Expenditures and Improve Communications

Convergence: The Foundation for Unified Communications

Voice over IP Communications

Transcription:

ENTERPRISE SESSION BORDER CONTROLLERS: SAFEGUARDING TODAY S AND TOMORROW S UNIFIED COMMUNICATIONS ALCATEL-LUCENT OPENTOUCH SESSION BORDER CONTROLLER A SECURE SOLUTION FOR BORDERLESS CONVERSATIONS APPLICATION NOTE

TABLE OF CONTENTS THE ROLE OF ENTERPRISE SESSION BORDER CONTROLLERS / 1 Main drivers for Enterprise SBCs / 1 Enterprise SBC position and functions / 2 ENTERPRISE SBC IN THE ALCATEL-LUCENT OPENTOUCH BLUEPRINT / 2 OpenTouch Suite perimeter defense / 3 Voice and video over IP for guests / 4 THE EVOLUTION OF ENTERPRISE SBC / 5 Secure WebRTC communications / 5 Secure cloud-based communications / 6 CONCLUSION / 6 ACRONYMS / 7

Session border controllers (SBCs) have traditionally been used as Session Initiation Protocol () firewalls in service providers networks. However, an increasing number of enterprises are deploying an enterprise SBC (E-SBC) because they access their trunking providers through the Internet and need additional security. As new methods of communication are adopted, E-SBCs become the cornerstone of security. E-SBCs secure and provide the appropriate quality of experience (QoE) to remote workers a growing trend in many organizations. E-SBCs secure conversations with people outside the organization a service that is now available and which will gain widespread adoption with the implementation of promising technology, such as WebRTC and cloud deployment models. This paper explains the role of E-SBCs, describes the Alcatel-Lucent OpenTouch blueprint for securing conversations, highlights the benefits and, lastly, considers how SBCs will evolve, both from a technology (WebRTC) and deployment model (cloud) standpoint. THE ROLE OF ENTERPRISE SESSION BORDER CONTROLLERS Main drivers for Enterprise SBCs The three major reasons for E-SBC adoption are described in Table 1. Table 1. Enterprises main drivers for adopting E-SBCs Stronger perimeter defense Improved operational agility Easier access for mobile employees and guests Enterprises use E-SBCs to secure their networks against -based attacks from the Internet that could compromise communication servers. Hackers mainly target these servers to commit long-distance call fraud. They can also mask calls related to their criminal activity. They may also eavesdrop on communications or jeopardize the business by stopping all of an enterprise s communications. Enterprises using trunks for off-net communications must expose their internal IP topology to service providers. Direct Real-time Transport Protocol (RTP) media connectivity between enterprise devices and the trunking provider improves media quality. An E-SBC provides a demarcation point to hide the enterprise topology and devices. Enterprises can modify their network topology and upgrade devices without affecting the trunking service. E-SBCs can enable mobile employees to use native clients instead of complex virtual private network (VPN) clients to secure communications. They enable guests to use clients to participate in internal enterprise collaboration sessions natively. E-SBCs also allow administrators to simplify the authentication architecture by removing VPNs and their dedicated security policies. 1

Enterprise SBC position and functions As shown in Figure 1, E-SBCs perform deep packet inspection of and RTP traffic and complement the firewall s perimeter defense by dynamically opening ports for RTP media streams in the demilitarized zone (DMZ). Figure 1. E-SBC position and role in the enterprise communication architecture /RTP packet inspection Protocol adaption Address Translation Topology hiding Quality of Service VPN-less operations Trunking offers Communication Server ENTERPRISE SBC DATA CENTER DMZ External participants Guests Customers ENTERPRISE WAN Firewall VPN-less remote workers E-SBCs are demarcation points and provide protocol adaptation between and RTP protocols. They also hide the network topology through address and port translation. In addition, E-SBCs provide fine-grained quality of service (QoS) enforcement by marking and RTP packets. E-SBCs monitor the QoS for RTP streams, which is usually a performance indicator for service level agreements with trunking providers. As E-SBCs perform security at the level, remote workers don t require VPN clients to secure off-site communications. E-SBCs also perform perimeter defense for communications with guests and external participants. ENTERPRISE SBC IN THE ALCATEL-LUCENT OpenTouch BLUEPRINT The OpenTouch Suite for Mid-Sized and Large Enterprises (MLE) is the Alcatel-Lucent unified communication and collaboration application. It is deployed in the enterprise datacenter and provides trunking capabilities, web-based collaboration for guests over the Internet, and multi-party, multimedia, multi-device conversation services for employees in the office and on the go. 2

OpenTouch Suite perimeter defense As shown in Figure 2, the OpenTouch Suite perimeter defense is an overlay solution to an enterprise s existing security technology, so no disruption to established security policies is required for installation. The OpenTouch Suite defense relies on three optional components, defined in Table 2. Figure 2. OpenTouch security blueprint REVERSE PROXY Application authentication AUTHENTICATION SERVICE OpenTouch EDGE OpenTouch SBC Collaboration authentication inspection for trunking and remote workers Certified providers OpenTouch APPLICATION DMZ Web-based collaboration app for guests ENTERPRISE WAN Firewall OpenTouch experience on PC, tablet, smartphone Table 2. OpenTouch security elements in the DMZ OpenTouch Session Border Controller OpenTouch Edge Server Reverse proxy This E-SBC performs perimeter defense for trunking and remote workers using a PC, tablet or smartphone. It supports the connectivity needs of organizations from 50 to 5000 users. This server is a front-end that delivers web-sharing capabilities to OpenTouch remote workers and guests. The front-end authenticates guests via web access codes. The Edge Server screens and forwards legitimate conferencing application traffic to the internal conferencing server (e.g., it will block forged URLs). Depending on the policy, guests may dial-in or dial-out over the public switched telephone network (PSTN). This reverse proxy authenticates and terminates the Transport Layer Security (TLS) connections that secure the web services used by the OpenTouch client applications on PCs, tablets and smartphones. Enterprises requiring a reverse proxy for HTTP translation and to authenticate additional web apps can use it for OpenTouch web services. It connects to the enterprise authentication service. 3

These components complement the existing firewall and authentication service (Lightweight Directory Access Protocol (LDAP) or RADIUS-based) to smoothly implement communications over the Internet, as described in Table 3. Table 3. OpenTouch communications over the internet USE CASE DEPLOYED COMPONENTS DIFFERENTIATORS trunking OpenTouch SBC A large number of certified providers are supported when used in conjunction with the OpenTouch telephony module, the OmniPCX Enterprise Communication Server. Remote workers (voice, video) Remote workers (voice, video, web sharing) Guest access to web conferences OpenTouch SBC, reverse proxy OpenTouch SBC, Edge Server, reverse proxy OpenTouch Edge Server The zero-touch management for authentication in the SBC improves the total cost of ownership (TCO) for the solution. The location within the DMZ protects datacenter applications. No information is stored on the Edge Server to reduce vulnerability to hackers. The location within the DMZ protects datacenter applications. No shared document or information is stored on the Edge Server. Guests can dial-in or out over PSTN, policy permitting. Voice and video over IP for guests Some organizations want guests in partner organizations to be able to access their web conferencing infrastructure through voice and video over IP. A typical example is business-to-business (B2B) communications between global organizations: voice and video over IP replace international toll-free numbers. The main issue with this application is how the communications will affect the partner s information technology (IT) infrastructure where the guests are located: voice and video over IP streams must be allowed over the partner s network and through the partner s firewall. This security policy issue is a challenge for most enterprises. However, if the partner s IT organization allows outgoing and media streams, a dedicated OmniTouch Advanced Communication Server conferencing infrastructure from Alcatel-Lucent will resolve these issues for B2B communications. The infrastructure comprises a conference application and a front-end server in the DMZ. The front-end server terminates VoIP, video over IP and HTTP web conferencing streams from the guests. 4

THE EVOLUTION OF ENTERPRISE SBC E-SBCs play a significant role in securing today s communications and will also be a key element in the upcoming changes to multimedia communications over the Internet: WebRTC clients and cloud-based services. Secure WebRTC communications WebRTC is an emerging technology for standard and native voice and video over IP capabilities in web browsers. No plug-in or downloaded software is needed. The security issues related to accessing the camera and microphone of the device will be handled natively by the browser. When the WebRTC standard is published and adopted by most browsers, the volume of B2B and business-to-consumer (B2C) communications will sharply increase. B2B and B2C communications need to be secure. As described in Figure 3, an evolution in edge servers is required to implement a back-to-back WebRTC and Agent. E-SBC will control the and RTP streams exchanged between the Enterprise s applications and the WebRTC application. Figure 3. Call flow of an enterprise WebRTC application /RTP inspection RTP translation Customer-facing app gateway HTTP translation IP inspection Web RTC WebRTC EMPLOYEE SRTP CUSTOMER COMMUNICATION APPLICATION ENTERPRISE SBC EDGE APPLICATION REVERSE PROXY Firewall DMZ ENTERPRISE SBC TO SECURE ENTERPRISE WEB RTC APPLICATIONS Secure cloud-based communications Many organizations consider cloud-based services because they are usually accounted for using an operational expense model, which reduces up-front investment and provides licensing flexibility. Communications services are also delivered via cloud-based providers, such as through a service provider or system integrator using the OpenTouch Enterprise Cloud solution. Depending on the network topology, this solution can rely on OpenTouch SBC technology to secure remote and mobile workers. 5

Enterprises that have deployed OpenTouch SBC to secure OmniPCX Enterprise trunking and want remote and mobile workers to be connected through the OpenTouch Enterprise Cloud keep their SBC: their remote workers communications experience through the cloud is similar to being connected to the SBC. Figure 4. Example of an architecture with hybrid cloud- and premises-based security elements AUTHENTICATION SERVICE OpenTouch ENTERPRISE CLOUD PROVIDER Web-based collaboration app for guests OpenTouch SBC inspection for trunking OMNIPCX ENTERPRISE OpenTouch experience on PC, tablet, smartphone ENTERPRISE WAN Firewall Certified providers CONCLUSION Many enterprises adopt Enterprise Session Border Controllers to protect their trunking interfaces from call fraud and denial of service attacks. The Alcatel-Lucent OpenTouch SBC is an E-SBC for organizations with 50 to 5000 users. The OpenTouch SBC and companion servers create a flexible solution that secures trunking and collaboration on the go for employees and guests. This solution is designed as an overlay that complements enterprise firewall and authentication infrastructures to reduce the TCO. E-SBCs such as the OpenTouch SBC are key security elements for today s unified communications and will be pivotal in upcoming WebRTC and cloud-based technology. 6

ACRONYMS B2B: Business-to-business B2C: Business-to-consumer DMZ: Demilitarized zone E-SBC: Enterprise session border controller HTTP: Hypertext Transfer Protocol IP: Internet Protocol PC: Personal computer PSTN: Public Switched Telecom Network QoS: Quality of service RADIUS: Remote Authentication Dial In User Service RTP: Real-time Transport Protocol SRTP: Secure Real-time Transport Protocol SBC: Session border controller : Session Initiation Protocol TCO: Total cost of ownership TLS: Transport Layer Security VoIP: Voice Over Internet Protocol VPN: Virtual private network WebRTC: Web Real-Time Communications www.alcatel-lucent.com Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright 2013 Alcatel-Lucent. All rights reserved. E2013051390EN (July)

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information