Comparing Session Border Controllers to Firewalls with SIP Application Layer Gateways in Enterprise Voice over IP and Unified Communications Scenarios



Similar documents
Oracle s Solution for Secure Remote Workers. Providing Protected Access to Enterprise Communications

Ingate Firewall/SIParator SIP Security for the Enterprise

Acme Packet session border controllers in the enterprise

An Oracle White Paper August What Is an Enterprise Session Border Controller?

An Oracle White Paper February Centralized vs. Distributed SIP Trunking: Making an Informed Decision

An Oracle White Paper December The Value of Diameter Signaling in Security and Interworking Between 3G and LTE Networks

Oracle s SIP Network Consolidation Solutions. Using SIP to Reduce Expenditures and Improve Communications

An Oracle White Paper October Gneis Turns to Oracle to Secure and Manage SIP Trunks

An Oracle White Paper July Introducing the Oracle Home User in Oracle Database 12c for Microsoft Windows

Oracle s Unified Communications Infrastructure Solution. Delivering Secure, Reliable, and Scalable Unified Communications Services

Top Ten Reasons for Deploying Oracle Virtual Networking in Your Data Center

Oracle s Session Initiation Protocol Trunking Solution. Increase Agility and Reduce Costs with Session Initiation Protocol Trunks

An Oracle White Paper July Session Border Controllers: A Primer

Oracle Enterprise Communications Solutions for Microsoft Lync. Migrate seamlessly to Microsoft Lync while reducing cost and complexity

Oracle Communications Session Border Controller: Driving Oracle s SIP Interconnect Solution. Extending Service Reach and Quality

Oracle Enterprise Communications Solutions for Microsoft Lync. Migrate seamlessly to Microsoft Lync while reducing cost and complexity

An Oracle White Paper July Enterprise IP Telephony and Unified Communications Interoperability

Cisco UCM 6.x SIP to AT&T SIP with Acme Packet SBC. A Technical Application Note

An Oracle White Paper June Oracle Database Firewall 5.0 Sizing Best Practices

SIP Trunking Configuration with

G Cloud 7 Pricing Document

An Oracle White Paper Dec Oracle Access Management Security Token Service

Configuring Oracle SDN Virtual Network Services on Netra Modular System ORACLE WHITE PAPER SEPTEMBER 2015

An Oracle Communications White Paper December Serialized Asset Lifecycle Management and Property Accountability

How To Make A Network More Secure For A Conference Call

An Oracle White Paper May Oracle Audit Vault and Database Firewall 12.1 Sizing Best Practices

Securing SIP Trunks APPLICATION NOTE.

An Oracle White Paper June Security and the Oracle Database Cloud Service

G Cloud 7 Pricing Document

Managed Storage Services

Oracle Enterprise Operations Monitor

An Oracle White Paper July Oracle Enterprise Operations Monitor: Real-Time Voice over Internet Protocol Monitoring and Troubleshooting

An Oracle White Paper May Distributed Development Using Oracle Secure Global Desktop

Oracle SDN Performance Acceleration with Software-Defined Networking

An Oracle White Paper January Using Oracle's StorageTek Search Accelerator

Recommended IP Telephony Architecture

SIP Trunking with Microsoft Office Communication Server 2007 R2

An Oracle White Paper July Oracle Desktop Virtualization Simplified Client Access for Oracle Applications

OpenScape UC Firewall and OpenScape Session Border Controller

An Oracle White Paper November Oracle Business Intelligence Standard Edition One 11g

An Oracle White Paper January Oracle Database Firewall

Oracle s Contact Center Communications Solution. Improve Business Agility, Customer Satisfaction and Economics

An Oracle White Paper January Oracle Database Firewall

Secure VoIP for optimal business communication

Oracle Communications Extension Group: Enterprise Application Guide ORACLE WHITE PAPER AUGUST 2015

An Oracle Technical White Paper May How to Configure Kaspersky Anti-Virus Software for the Oracle ZFS Storage Appliance

Running Oracle s PeopleSoft Human Capital Management on Oracle SuperCluster T5-8 O R A C L E W H I T E P A P E R L A S T U P D A T E D J U N E

An Oracle White Paper September Oracle Database and the Oracle Database Cloud

March Oracle Business Intelligence Discoverer Statement of Direction

Oracle s Secure HetNet Backhaul Solution. A Solution Based on Oracle s Network Session Delivery and Control Infrastructure

Maximizing Profitability with Cloud Collaboration for your Business

OfficeMaster Gate (Virtual) Enterprise Session Border Controller for Microsoft Lync Server. Quick Start Guide

An Oracle White Paper January Delivering Enterprise-Class Communications with WebRTC

What is an E-SBC? WHITE PAPER

SBC WHITE PAPER. The Critical Component

An Oracle White Paper September Advanced Java Diagnostics and Monitoring Without Performance Overhead

June, 2015 Oracle s Siebel CRM Statement of Direction Client Platform Support

OpenScape Session Border Controller Delivering security, interoperability and cost savings to the enterprise network border

The new Manage Requisition Approval task provides a simple and user-friendly interface for approval rules management. This task allows you to:

An Oracle White Paper February Integration with Oracle Fusion Financials Cloud Service

An Oracle White Paper February Oracle Data Integrator 12c Architecture Overview

SBC - the UC-glue Security, Interoperability, Reliability. Alexander Kunzi

An Oracle White Paper April, Effective Account Origination with Siebel Financial Services Customer Order Management for Banking

Dialogic BorderNet Session Border Controller Solutions

An Oracle White Paper February Rapid Bottleneck Identification - A Better Way to do Load Testing

SIP Trunking. Cisco Press. Christina Hattingh Darryl Sladden ATM Zakaria Swapan. 800 East 96th Street Indianapolis, IN 46240

Dialogic. BorderNet Products Interwork and Connect Seamlessly and Securely at the Network Edge

An Oracle White Paper July Palladion Enterprise: Real-Time Voice over Internet Protocol Monitoring and Troubleshooting

An Oracle White Paper September Oracle WebLogic Server 12c on Microsoft Windows Azure

FAQ: How to create Effective Messages

Oracle Fusion Applications Splitting Topology from Single to Multiple Host Servers

An Oracle White Paper April Network Isolation in Private Database Clouds

S-Series SBC Interconnect Solutions. A GENBAND Application Note May 2009

Oracle Service Cloud and Oracle WebRTC Session Controller ORACLE WHITE PAPER FEBRUARY 2015

An Oracle White Paper March Oracle s Single Server Solution for VDI

Configuring a Mediatrix 500 / 600 Enterprise SIP Trunk SBC June 28, 2011

An Oracle White Paper June Tackling Fraud and Error

The Oracle Mobile Security Suite: Secure Adoption of BYOD

An Oracle White Paper October BI Publisher 11g Scheduling & Apache ActiveMQ as JMS Provider

A Framework for Implementing World-Class Talent Management. The highest performing businesses are re-focusing on talent management

ABC SBC: Securing the PBX. FRAFOS GmbH

Brochure. Dialogic BorderNet Session Border Controller Solutions

Next Generation Siebel Monitoring: A Real World Customer Experience. An Oracle White Paper June 2010

An Oracle White Paper May Oracle Database Cloud Service

An Oracle White Paper August Oracle OpenSSO Fedlet

Session Border Controllers in Enterprise

An Oracle White Paper November Leveraging Massively Parallel Processing in an Oracle Environment for Big Data Analytics

An Oracle Best Practice Guide April Best Practices for Designing Contact Center Experiences with Oracle RightNow CX Cloud Service

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

ORACLE VM MANAGEMENT PACK

Driving Down the High Cost of Storage. Pillar Axiom 600

An Oracle White Paper July Accelerating Database Infrastructure Using Oracle Real Application Clusters 11g R2 and QLogic FabricCache Adapters

Oracle Directory Services Integration with Database Enterprise User Security O R A C L E W H I T E P A P E R F E B R U A R Y

ORACLE COMMUNICATIONS OPERATIONS MONITOR

Transcription:

An Oracle White Paper June 2013 Comparing Session Border Controllers to Firewalls with SIP Application Layer Gateways in Enterprise Voice over IP and Unified Communications Scenarios

Introduction Voice over IP (VoIP) and unified communications (UC) are increasingly prevalent as standards-based alternatives to closed proprietary communications systems. The expandability, flexibility, and cost advantages offered by IP networks provide a highly effective means for enterprises and contact centers to communicate, both internally and externally, in today s dynamic business and economic climates. Because an organization s communications network is a business-critical resource, IP-based enterprise and contact center communications networks, services, and applications must be secured. But other requirements, such as maximizing communication service and application interoperability, assuring service availability and quality levels, complying with government regulations, and controlling costs must also be met for successful VoIP/UC delivery. 1

How It Works: Firewalls with SIP Application Layer Gateway versus Session Border Controllers Enterprise firewalls ubiquitous in today s IP networks protect IP data networks, servers, and applications against a variety of threats through stateful inspection and filtering at layers 3 and 4 of the Open Systems Interconnection (OSI) model. To enable basic VoIP connectivity through the firewall, some firewalls add SIP application layer gateways (SIP ALGs) that translate embedded SIP addresses, in effect allowing the firewall to maintain a single end-to-end SIP session between endpoints residing on either side of the firewall. By comparison, session border controllers (SBCs) implement a SIP back-to-back user agent (B2BUA) as defined in IETF RFC 3261. A B2BUA divides each SIP session into two distinct segments, as shown in the following diagram. In doing so, the SBC is able to completely and effectively control SIP sessions, as well as the associated media flows, in ways that SIP ALGs cannot. This unique capability gives SBCs a clear edge in their ability to securely deliver reliable, high-quality, IP-based interactive communications. Firewall with SIP ALG Maintains single SIP session through firewall (FW) Is fully state-aware at layers 3 and 4 Only inspects/modifies SIP and Session Description Protocol (SDP) addresses Unable to terminate, initiate, reinitiate, or respond to SIP signaling messages Only supports static access control lists (ACLs) and policies SBC Implements SIP B2BUA for complete control Is fully state-aware at layers 2 through 7 Inspects/modifies all SIP and SDP header info Can terminate, initiate, reinitiate, and respond to SIP signaling messages Supports static and dynamic ACLs and policies 2

Figure 1. SBCs use a B2BUA to divide each SIP session into two distinct segments. Benefits of Session Border Controllers Session border controllers uniquely provide all controls required for delivering trusted, reliable, and high-quality IP interactive communications: Security: IP private branch exchange (PBX) and UC server denial of service/distributed denial of service (DoS/DDoS) attack protection, SBC self-protection Communications reach maximization: IP PBX and UC protocol interworking, remote network address translation (NAT) traversal Service-level agreement (SLA) assurance: IP PBX and UC server session admission and overload control, data center disaster recovery, remote site survivability, Quality of Experience (QoE)-based routing, SBC high-availability operation Regulatory compliance: session replication for recording Data firewalls with application layer gateways (FW/ALG) are only effective securing data-oriented application infrastructure (PCs, servers). Use Cases: Session Border Controllers versus Firewalls with SIP Application Layer Gateway The best way to illustrate the differences between SBCs and FW with SIP ALG is within the context of common enterprise and contact center VoIP/UC use cases. Each of the ten scenarios shown below is accompanied by an associated business challenge, as well as the technical requirements that would have to be met by the network element in order to address that challenge. Each scenario demonstrates conclusively that only session border controllers are capable of meeting all requirements for the successful delivery of enterprise and contact center VoIP/UC services and applications. 3

USE CASES: SBCS VERSUS FIREWALLS WITH SIP ALG USE CASE SCENARIO BUSINESS CHALLENGE TECHNICAL REQUIREMENTS SBC FW/ALG SBC/FW DoS/DDoS Prevent malicious or nonmalicious Dynamically block attacks self-protection SIP signaling or media attacks and overloads from making the SBC or FW nonresponsive Detect/reject noncompliant (protocol, signaling, and traffic levels) SIP sessions Initiate SIP BYE requests to tear down core-side sessions Statefully control legitimate SIP registrations during overloads Network abuse Prevent unauthorized or fraudulent Control number and bandwidth of control network usage simultaneous sessions Strip unauthorized codecs from SDP headers Scan SIP header attachments for unauthorized content IP PBX and UC Translate dissimilar signaling (SIP Terminate SIP sessions and translate layer protocol interworking and H.323), transport (UDP, TCP, 2-7 protocol information SCTP), and encryption protocols (none, TLS, SRTP, IPsec) Fix protocol anomalies and inconsistencies IP PBX/UC server Ensure continuous service Dynamically monitor and control SIP session admission availability and quality, even under signaling flows to IP PBX/UC servers and overload control adverse traffic loads or attack based upon number of sessions or rate of session establishment Remote site NAT Enable users behind FW/NATs to Keep remote site FW pinholes open by traversal (no SBC or originate and receive VoIP calls and resetting SIP registration interval to less FW w/alg at site) UC sessions than FW port TTL and caching SIP registrations by FW IP/port High availability Ensure no loss of active sessions or Checkpoint SIP signaling, media, and operations session state during SBC or FW configuration state between active and failover standby elements Data center disaster Assure constant service availability Service provider network SBC: detect recovery and quality failure of primary data center SBC and reroute SIP sessions Data center SBC: translate rerouted phone numbers in SIP headers to back-up data center phone numbers Remote site Provide alternative path for Monitor link and routing state of upstream survivability VoIP/UC traffic when primary path router and SIP state of data center SBC or using SBC/FW becomes unavailable IP PBX/UC server 4

Reroute SIP signaling and media to alternative SIP trunking provider, Public Switched Telephone Network (PSTN) gateway, or Internet upon failure QoE-based routing Maximize voice quality and Actively monitor voice QoS thresholds and reliability of services and ASR applications Reroute sessions to alternative providers as needed Release media within access networks to optimize quality Session replication Comply with regulatory Replicate all SIP signaling and media to for recording requirements and maximize recording server(s) in addition to intended customer service quality recipient Replicate selective or all sessions Conclusion Across all use scenarios, only session border controllers meet the requirements for the successful delivery of enterprise and contact center VoIP/UC services and applications. When compared to FW/ALGs, SBCs offer a clear advantage to in their ability to securely deliver reliable, high-quality, IPbased interactive communications. 5

Comparing Session Border Controllers to Firewalls with SIP Application Layer Gateway in Enterprise Voice over IP and Unified Communications Scenarios June 2013 Oracle Corporation World Headquarters 500 Oracle Parkway Redwood Shores, CA 94065 U.S.A. Worldwide Inquiries: Phone: +1.650.506.7000 Fax: +1.650.506.7200 Copyright 2013, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only, and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. 0613 oracle.com