

Number of slides: 87

SIP Trunking Workshop for Service Providers
With real life considerations and practical solutions for offering SIP Trunks using Ingate and Intertex E-SBCs
The Ingate SIP Trunk-Unified Communications Summit
Karl Erik Ståhl, President and CTO, Intertex; Chairman and CTO, Ingate
© Intertex Data AB, Ingate Systems, February 2011

1. The Case for SIP Trunking
Ø 1:00 pm-1:30 pm Moderator: None
Ø Opening remarks and overview of the benefits of SIP trunking and UC for service providers, by Ingate Systems.

2. Delivering SIP to the Enterprise
Ø 1:30 pm-2:30 pm Moderator: Maloff NetResults
Ø 1:30-1:35 Moderator
Ø 1:35-2:00 Broadvox
Ø 2:00-2:30 Intertex Data AB – Practical solutions

There is more to it…
[Diagram: PSTN – GW – SIP Trunking Provider SIP System – SIP Trunk – SIP Trunk Interface – PBX with system phones]
Ø Voice only, or Voice & Data on the pipe?
Ø Internet or Private Pipe?
Ø Quality Measures on the Pipe?
Ø Delivery to just a PBX? … or to a UC LAN
Ø Is an E-SBC required? When?
Ø Who provides/owns the E-SBC?
Ø Just SIP Trunking of PBXs or also
  § Remote users
  § Hosted services
Ø Is there a (data) Firewall in the way?

This Would be Simple
[Diagram: PSTN – GW – SIP Trunking Provider Network SIP System – Public Internet – SIP Trunk – Firewall – IP-PBX – Data LAN and VoIP LAN]

But This is What We Want
[Diagram: PSTN – GW – SIP Trunking Provider SIP System – Public Internet – Remote Users – Intertex IX78 (demarcation point of service and bringing SIP communication to the LAN) – IP-PBX – Data & VoIP LAN – Soft Clients and Multimedia Terminals]

So this is Not a Good Solution, at least not for a General Service
[Diagram: PSTN – GW – SIP Trunking Provider Network SIP System – Public Internet – Managed SIP Trunk – Firewall – IP-PBX – Data LAN and VoIP LAN]
No Remote Users! Will the Service Provider issue IP addresses to every Phone? Provider: Security Warning! Enterprise: Security Warning! No Soft or Multimedia Clients! UC?

And there is Often a Non SIP Capable Firewall in Place
[Diagram: PSTN – GW – SIP Trunking Provider SIP System – Remote Users – Firewall – SIParator® – IP-PBX – Data & VoIP LAN – Soft Clients and Multimedia Terminals]
Ingate/Intertex E-SBCs enable SIP based Live UC Across the Borders! (SIP does not traverse ordinary NAT/Firewalls.)

And There are Different Types of PBXs to Consider
A Good E-SBC Should Provide:
Ø SIP Trunking
  1) NAT/Firewall Traversal – Must NAT to same address space!
  2) Basic SIP and Network Interoperability - E.g. Authentication, Registrations, UDP/TLS/TCP, Dynamic IP address, etc.
  3) SIP Repair - E.g. Call Transfer, Fragmented packets, Bugs, etc.
  4) Features - E.g. Remote Users, Administration (remote and local)
  5) Security - LAN/PBX/VoIP network protection, Service attack protection
[Diagram: PSTN – GW – SIP System in the Provider Network – SIP Trunk – three PBX deployments (PBX Type 1, PBX Type 1.5, PBX Type 2) with signaling and media paths; the IX78 in front of an IP-PBX provides 1)–5), a SIP Trunk Interface on a PBX with system phones provides 2)–5). VoIP & Data LAN.]
Modern IP-PBXs are of this type. Media goes directly between phone and SIP Trunk.
Few PBXs are of this type. Asterisk with firewall (iptables/netfilter) can be compiled and configured this way, but requires a lot.

NAT & Firewalls are a Severe Infrastructure Problem…
A common Network and common Protocols changed our lives: SMTP gave us global email! HTTP gave us the Web! NATs and Firewalls were designed to allow such protocols.
What about SIP for Live Person-to-Person Communication? SIP does not traverse the common NATs and firewalls protecting the LANs.
[Diagram: Internet (SIP based) – IMS – email – web – FW – LAN]

Why are NATs and Firewalls Such Obstacles
Typical Internet protocol (SMTP, HTTP…): SERVER – Internet – HOST.
SIP (and H.323…) connects Person-to-Person: PERSON – Internet – PERSON. Locate the person + Set up a session + Open real time media streams.
SIP is the Protocol for IP Communication Person-to-Person, BUT IT DOES NOT REACH THE USERS!

Ordinary Voice IADs – Good for Telephony Replication…
Telephone ports (FXS) on the CPE are a popular way to deploy IP telephony. By logically placing the SIP clients on the outside of the NAT/Firewall, unreliable work-around methods like STUN, TURN and ICE become unnecessary. However, this only gives POTS replication, often even stopping general SIP based services!
[Diagram: Internet – CPE; the 5060 SIP port is just grabbed on the outside to the FXS ports!]
Lower level SIP ALGs often cause problems and do not handle more than basic scenarios. Often problems with, or total lack of:
• SIP to the LAN or WiFi
• Calls between SIP clients on LAN
• Calls between internal ATA ports and LAN clients
• Call transfers, 3-party calls, etc.
• Using SIP generally over the Internet (Operator “took all the SIP”)
(Users must not be deprived of general SIP functionality!)

Our CPEs are SIP Capable NAT/Router/Firewalls
[Diagram: IMS – Internet – SIP – CPE – LAN/WiFi]
All Intertex CPEs have a SIP Proxy based SIP aware Firewall/NAT
§ Problems solved where they occur
§ Wired or wireless SIP clients (phones, soft clients, PDAs)
§ No special requirements on the SIP Client – Just standard SIP
§ General, can handle complex call scenarios and all SIP services
§ Additional functionality available (SIP server, PBX functionality etc.)
No battery draining of WiFi mobile phones, otherwise caused by keep-alive packets* inhibiting sleep mode.
* Work-around methods for SIP NAT traversal like STUN, TURN, ICE and Far End NAT Traversal use frequent keep-alive packets to keep holes in the NAT/Firewall open.

QoS: Common VoIP and Data Pipe
[Diagram: PSTN – GW – SIP Trunking Provider SIP System – Public Internet – E-SBC also Data Firewall (demarcation point of service and bringing SIP communication to the LAN) – IP-PBX – Data & VoIP LAN]
Using the Ingate or Intertex as the enterprise firewall allows both prioritization and traffic shaping.

QoS: Separate VoIP Pipe in Parallel with Data
[Diagram: PSTN – GW – SIP Trunking Provider SIP System – Public Internet – E-SBC SIParator® (demarcation point of service and bringing SIP communication to the LAN) in parallel with the data Firewall – IP-PBX – Data & VoIP LAN]
No prioritization or traffic shaping to be done by the E-SBC. But get a good pipe!

QoS: Common VoIP and Data Pipe with Firewall
[Diagram: PSTN – GW – SIP Trunk Provider SIP System – Public Internet – two deployments: SIParator® as a bridge for the existing NAT/Firewall (non SIP aware), and SIParator® in WAN mode in front of the existing NAT/Firewall – IP-PBX – Data & VoIP LAN]
If common IP pipe, the existing firewall must restrict bandwidth usage to allow sufficient voice bandwidth. Often problematic. WAN SIParator mode allows the Ingate or Intertex to control data usage on the Pipe to assure sufficient voice bandwidth!

Advanced QoS Configurations for Ingate
[Screenshot: At a detailed level, for SIP and other traffic]

Intertex IX78 Smart QoS Defaults
For traffic shaping, just fill in your bandwidth! (For internal ADSL it is mostly automatic.) Data will be pushed back in favor of voice to keep the used bandwidth within the limit. And for a specific SIP Trunk provider one can select for the voice: [Screenshot]

Carriers having Quality Separated Triple Networks can Preferably Reuse Those for SIP Trunking. Clouds may be Private or Globally Routable.
[Diagram: three architectures. ADSL Private Virtual Circuits (E.g. Telia): PVC 1 Internet, PVC 2 IP-TV/VoD, PVC 3 IMS VoIP. Virtual LANs (VLAN) over Ethernet (E.g. B2): VLAN 1 Internet, VLAN 2 IP-TV/VoD, VLAN 3 IMS VoIP. IP QoS Separated Subnets over ADSL or Ethernet, IP Level QoS (E.g. BT): WAN 1, WAN 2, WAN 3 carrying Internet, IP-TV/VoD and IMS VoIP at Priority 1–3, IMS VoIP at Priority 1.]
The Intertex IX78 Supports All of these Architectures!

On Telia’s (Sweden’s Incumbent Telco) Network, the IX78 Delivers a Multimedia LAN, Ready for UC PBXs, Hosted Services and End-to-End SIP Services
[Diagram: Internet, IMS VoIP, IP-TV, VoD and TR-069 over VLANs or ADSL Virtual Circuits – the IX78 – The Multimedia LAN: WiFi, IP-PBX, Telepresence, PDA]
All services must be available to multimedia terminals! – Over controlled high QoS pipes as well as over the Internet. Application Innovation Requires it!

3. The Value of a Service Provider Demarcation Point
Ø 2:30 pm-3:30 pm Moderator: Maloff NetResults
Ø 2:30-2:35 Moderator
Ø 2:35-3:00 EarthLink Business
Ø 3:00-3:30 Intertex Data AB – Practical solutions

Service Provider Demarcation Point
[Diagram: PSTN – GW – SIP Trunk Provider SIP System – Public Internet – IP Access – Service Provider’s Demarcation Point – NAT/Firewall – IP-PBX – Data & VoIP LAN]
THE POINTS
Ø Delivery of Service: To a PBX or UC LAN
Ø Provisioning, Definition of Service: Installation, Configuration, CAC
Ø Monitoring: Network performance, QoS MOS
Ø Management: Support, Debugging, Upgrade
Ø Billing - Why not? Here we know what is going on!

The Role of the E-SBC
To get SIP Trunking working:
Ø SIP NAT/Firewall Traversal
  § Must NAT SIP to the protected private address space!
Ø Basic SIP and Network Interoperability
  § E.g. Authentication, Registrations, UDP/TLS/TCP, Dynamic IP address, etc.
Ø SIP Repair
  § E.g. Call Transfer, Fragmented packets, Bugs, etc.
But don’t forget:
Ø Security
  § LAN/PBX/VoIP network protection, Service attack protection
Ø QoS – Quality of Service
  § Requirements depending on IP delivery and firewall
Ø Features
  § E.g. Remote Users, Administration (remote and local)
Ø Provisioning, Monitoring, Management
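The first point on this slide, NATing SIP into the private address space, is what separates a SIP aware E-SBC from an ordinary NAT: the addresses that have to change sit inside the SIP headers and the SDP body, not just in the IP header. The following Python is an added example written for this page, not code from Ingate or Intertex, showing the minimum such a rewrite has to touch for an INVITE leaving the LAN: the Via and Contact headers, the c= and o= lines of the SDP, the RTP port when the SBC relays media, and, easy to forget, the Content-Length, which changes whenever the SDP text changes length. The sample INVITE, the LAN address 192.168.1.20, the public address 203.0.113.5 and the relay port map are all constructed for the example; From and To are deliberately left alone because they carry identities, not topology.

```python
import re

# Constructed sample addresses (private/documentation ranges, not real systems).
LAN_PBX_IP = "192.168.1.20"      # IP-PBX on the protected LAN
SBC_WAN_IP = "203.0.113.5"       # assumed public address of the E-SBC

# Headers that carry network topology and therefore must be rewritten.
# From/To are identities, not addresses, and are left alone.
TOPOLOGY_HEADERS = {"via", "v", "contact", "m", "record-route", "route"}


def build_message(start_line, headers, body):
    """Assemble a SIP message with a Content-Length that matches the body bytes."""
    lines = [start_line] + [f"{name}: {value}" for name, value in headers]
    lines.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


SAMPLE_SDP = (
    "v=0\r\n"
    f"o=pbx 2890844526 2890844526 IN IP4 {LAN_PBX_IP}\r\n"
    "s=-\r\n"
    f"c=IN IP4 {LAN_PBX_IP}\r\n"
    "t=0 0\r\n"
    "m=audio 4000 RTP/AVP 0 8 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

# Constructed INVITE as the IP-PBX would send it towards the trunk (example.net is reserved).
SAMPLE_INVITE = build_message(
    "INVITE sip:15162809890@trunk.example.net SIP/2.0",
    [
        ("Via", f"SIP/2.0/UDP {LAN_PBX_IP}:5060;branch=z9hG4bK776asdhds"),
        ("From", '"Ext 201" <sip:201@pbx.example.local>;tag=1928301774'),
        ("To", "<sip:15162809890@trunk.example.net>"),
        ("Call-ID", "a84b4c76e66710@pbx.example.local"),
        ("CSeq", "314159 INVITE"),
        ("Contact", f"<sip:201@{LAN_PBX_IP}:5060>"),
        ("Content-Type", "application/sdp"),
    ],
    SAMPLE_SDP,
)


def rewrite_sip_addresses(message, old_ip, new_ip, media_port_map=None):
    """Replace old_ip by new_ip in the topology headers and in the SDP c=/o= lines,
    optionally map RTP ports to the ports the SBC relays media on, and recompute
    Content-Length, which changes whenever the SDP text changes length."""
    head, _, body = message.partition("\r\n\r\n")
    rewritten = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name in TOPOLOGY_HEADERS:
            line = line.replace(old_ip, new_ip)
        rewritten.append(line)

    ip = re.escape(old_ip)
    body = re.sub(rf"(?m)^(c=IN IP4 ){ip}\b", rf"\g<1>{new_ip}", body)
    body = re.sub(rf"(?m)^(o=\S+ \S+ \S+ IN IP4 ){ip}\b", rf"\g<1>{new_ip}", body)
    if media_port_map:
        body = re.sub(
            r"(?m)^(m=\w+ )(\d+)",
            lambda m: m.group(1) + str(media_port_map.get(int(m.group(2)), int(m.group(2)))),
            body,
        )

    length = str(len(body.encode()))
    rewritten = [
        re.sub(r"(?i)^(Content-Length:\s*)\d+", lambda m: m.group(1) + length, line)
        for line in rewritten
    ]
    return "\r\n".join(rewritten) + "\r\n\r\n" + body


def content_length_matches(message):
    """True when the Content-Length header equals the body length in bytes."""
    head, _, body = message.partition("\r\n\r\n")
    found = re.search(r"(?im)^Content-Length:\s*(\d+)", head)
    return found is not None and int(found.group(1)) == len(body.encode())


if __name__ == "__main__":
    print(rewrite_sip_addresses(SAMPLE_INVITE, LAN_PBX_IP, SBC_WAN_IP, {4000: 30000}))
```

The inbound direction is the same function with the arguments swapped, which is exactly the "NAT to the protected private address space" the slide asks for; a real SBC additionally checks that the media actually arrives on the relay port it handed out before opening the pinhole.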

All Types of PBXs have to be Supported
[Same content as the earlier slide “And There are Different Types of PBXs to Consider”: A Good E-SBC Should Provide 1)–5), and the three PBX types.]

Also Important to Support Multimedia and UC Terminals and Remote Users in a Modern UC PBX Environment
[Diagram: PSTN – GW – SIP Trunking Provider SIP System – Public Internet – Remote Users – Firewall – Intertex IX78 (demarcation point of service and bringing SIP communication to the LAN) – IP-PBX – Data & VoIP LAN – Soft Clients and Multimedia Terminals]

Creating an Interface for ALL PBXs
Ø Proxy Mode
  § IP-PBX talks to SIP System
  § Registration/Authentication model must match
  § Little configuration in the IX78
  § Service credentials in the PBX
Ø B2BUA Mode (Proxy still doing the basics)
  § IP-PBX only talks to the IX78
  § Wider separation between PBX and SIP System
  § Service Credentials only in the IX78
  § More SIP Normalization possibilities (e.g. REFER)
  § Any new operator service platform only requires IX78 reconfiguration (the PBX configuration can remain)

Trunk-side Parameters
[Screenshot: SIP Connect 1.1 can be setup (for any PBX). Read-only value set by Service Provider (in some cases). Regulates customer’s monthly fee!]

PBX-side Parameters [Screenshot]

Registration, Call Routing, CallerID – SIP Connect 1.1 Setup [Screenshot]

Trouble Shooting & Debugging – Network Status [Screenshot]

Trouble Shooting & Debugging – Logging! [Screenshot]

Trouble Shooting & Debugging – Internal SIP Log [Screenshot]

Packet Captures
§ Creates a Wireshark PCAP network trace
§ Network Interface Selection – All Interfaces
§ Start – Stop – Download

Monitoring - Call Quality Statistics
Internal Call Log, containing CDRs with Quality Statistics. Can be output via SYSLOG, RADIUS (Ingate) or to the management system iEMS (see later). [Screenshot]

Management of the CPE / E-SBC
Provisioning, Configuration, Monitoring, Reporting, Upgrade, Logging, Debugging, Diagnostics, Support…
Ø Experience:
  § Existing management systems often difficult to change
    • Resistance against touching what has been built over the years
  § Remote GUI access to CPE often used
  § Requirements
    • Quite few functions and possibilities are actually used
    • Alive, Configured, Upgrades, New configuration - A must!
    • Often on wish list: Bad Sound (MOS) alarm, etc.
Ø EMS (instead of NMS) is a trend
  § Element Management System (EMS)
    • Specially built for the Product
    • Interfaces to OSS and Fault Management System at high level.
  § Intertex and Ingate EMS in progress – iEMS
    • Easy to program and interface to
    • Highly scalable

Element Management System – The iEMS
Ø Functions for Provisioning, Monitoring, Reporting, Diagnostics, Logging, Debugging, Support, Configuration and Upgrade. Available now with basic functionality.
Ø Will handle both Ingate and Intertex Firewalls and SIParators.
Ø Highly scalable, runs on PC servers under the Linux OS.
Ø HTTPS/SOAP interface to the IX78. Can read and write all configuration parameters, as well as asynchronous reporting by the device (like SNMP traps).
Ø Web based secure access to the iEMS. Customized portals for operators, installers and customers, for the purpose of administration, management and usage.
Ø The iEMS has northbound interfaces for integrating with the operator’s OSS and Fault Management systems, using XML-RPC and/or SOAP.

iEMS – CDRs with Call Quality Metrics [Screenshot]

iEMS Interfaces
[Diagram: OSS, Fault Management, etc. – Northbound API (XML-RPC or SOAP: GET/SET/EVENTS) – iEMS with WEB GUI and DB – Southbound API over the WAN – CPEs. The sample southbound setTrunk message (version 1.0) carries the ems username/password, the service registrar and proxy (sip.intertex.se, proxy.intertex.se) and the trunk identities with their passwords.]

SIP Trunking Made Easy
Ø Installation Wizard [Screenshot]

SIP Trunk-UC Workshop – Startup Tool – Network Topology
[Screenshot: Assign IP Addresses, the tool will config the Ingate. Select the deployment according to the picture. Status Information, helpful for troubleshooting.]

SIP Trunk-UC Workshop – Startup Tool – IP-PBX Selection
[Screenshot: Select IP-PBX Vendor and Model. Assign the IP-PBX IP Address. Assign the IP-PBX Domain (if required). Status Information, helpful for troubleshooting.]
For every IP-PBX vendor on the list Ingate has captured the programming requirements to ensure quick and easy config.

SIP Trunk-UC Workshop – Startup Tool – ITSP Selection
[Screenshot: Select ITSP Vendor. User Account Information, DID Assignment and Registration Authentication. Assign the ITSP IP Address. Status Information, helpful for troubleshooting.]
For every ITSP vendor on the list Ingate has captured the programming requirements to ensure quick and easy config.

4. Ensuring Interoperability – The Key to Service Revenue Growth
Ø 3:30 pm-4:30 pm Moderator: Maloff NetResults
Ø 3:30-3:35 Moderator
Ø 3:35-3:50 Bandwidth.com
Ø 4:00-4:30 Intertex Data AB – Practical solutions

PBX and ITSP Interoperability
Ø Large variation among PBXs
Ø Even larger variation towards ITSPs
Ø “SIP Connect” recommendation by SIP Forum … helps and improves, but is not implemented yet.
Ø Installation tools
  § IX78 Wizard live demo
  § Ingate Startup Tool – See Provision section!

Confirmed Interoperability: Ingate & Intertex
SIP Trunk Providers: 360 Networks, Airespring, AT&T, BandTel, Bandwidth.com, Broadvox, BT (British Telecom), Cablecom, Cbeyond, Cellip, Comm Partners, Cordia Corporation, Excel Switching, Gamma Telecom, Global Crossing, IP-Only, Nectart, Juma Networks, Level 3, Netlogic, Nexvortex, Nuvox, O1, Paetec, Primus, RNK Telecom, TDC, Telavox, Tele2, Tele Pacific, Teletek, Telia, Toplink, Tritel, VoEX, Voice Flex, VoIP Unlimited, Voxbone, Voxitas, XeloQ. More in pipeline...
Carrier Equipment: Acme Packet, Broadsoft, NexPoint, Sonus, Sylantro, SER. More in pipeline... already interoperate with most SIP Trunk Compliant with
IP-PBXs: 3Com, Aastra, Aastra MX One, Digium/Asterisk, Avaya IP Office, Avaya SES/CM, Avaya QE, Brekeke, Broadsoft, Cisco Call Manager, Ericsson MX-One, Fonality, Innovaphone, Interactive Intelligence, Iwatsu, LG Nortel, Microsoft, Mitel, NEC / Sphere, Nortel BCM, Nortel SCS, Objectworld, Panasonic, Pingtel, Samsung, SER, Shoretel, Siemens 8000, SIP-Gear, Sonus, Sphere Communications, Swyx. More in pipeline...

Is there a SIP Connect Compliant IP-PBX + ITSP?
Ø If any, the E-SBC could just be a SIP proxy, with only simple network setup, and perform:
  § NAT / Firewall traversal
  § QoS (Quality of Service)
  § SIP Security (Attack Protection)
  § Monitoring and Debugging
Ø Ingate & Intertex E-SBCs can be SIP Connect towards the ITSP, but specific towards the PBXs
Ø Ingate & Intertex E-SBCs can be SIP Connect towards the PBXs, but specific towards the ITSP
Ø But usually, we have to be specific to both the ITSP and the PBX

Trunk-side Parameters – SIP Connect 1.1 can be setup (for any PBX) [Screenshot]

PBX-side Parameters [Screenshot]

Registration, Call Routing, CallerID – SIP Connect 1.1 Setup [Screenshot]

If More is Required – There is plenty... [Screenshot]

... and More [Screenshot]

... and if that is not enough
Ø There is Generic Header Manipulation, to cope with not foreseen behavior. E.g. add Diversion header:
sip:$1@example.com?Diversion=%3csip%3a$(from.user)%40192.168.1.1%3e
  § Can fix much – not all
  § Needs SIP expertise
Ø How do we know what to configure and how to set it up?
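The template on this slide uses the SIP URI header mechanism of RFC 3261 section 19.1.1: everything after the `?` in the URI is a list of header fields whose values are percent-encoded, so `%3csip%3a...%40192.168.1.1%3e` decodes to `<sip:...@192.168.1.1>` and becomes a real `Diversion:` header when the request is forwarded (section 19.1.5). The Python below is an added example for this page, not code from Ingate or Intertex, that expands the template, splits the URI headers back out and applies them to a constructed INVITE. The meaning of `$1` (first capture of a match on the Request-URI) and `$(from.user)` (user part of the From header), the Request-URI match pattern and the sample message are assumptions of the example, not documented semantics of the product. Because the decoded value ends up on its own header line, the example refuses values containing CR or LF; a template that passed those through would let the configuration inject extra headers.

```python
import re
from urllib.parse import quote, unquote

# The page's template, spaces removed. Assumed semantics (not stated on the page):
# $1 is the first capture group of a match on the Request-URI, $(from.user) is the
# user part of the From header.
DIVERSION_TEMPLATE = "sip:$1@example.com?Diversion=%3csip%3a$(from.user)%40192.168.1.1%3e"

# Assumed match pattern for the Request-URI: capture the dialled number.
REQUEST_URI_PATTERN = r"^sip:(\+?\d+)@"

# Constructed sample INVITE from an IP-PBX (example.net / .local are reserved names).
SAMPLE_INVITE = (
    "INVITE sip:15162809890@trunk.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: \"Ext 201\" <sip:201@pbx.example.local>;tag=1928301774\r\n"
    "To: <sip:15162809890@trunk.example.net>\r\n"
    "Call-ID: a84b4c76e66710@pbx.example.local\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def expand_template(template, captures, variables):
    """Substitute $N with captures[N-1] and $(name) with variables[name]."""
    def substitute(m):
        if m.group(1) is not None:
            return captures[int(m.group(1)) - 1]
        return variables[m.group(2)]
    return re.sub(r"\$(\d+)|\$\(([\w.]+)\)", substitute, template)


def split_uri_headers(uri):
    """Split 'sip:user@host?Name=value&...' into (base_uri, {Name: decoded value}).
    URI header values are percent-encoded (RFC 3261 section 19.1.1). A decoded
    value containing CR or LF would let the template inject a second header,
    so such values are rejected."""
    base, _, query = uri.partition("?")
    headers = {}
    if query:
        for pair in query.split("&"):
            name, _, value = pair.partition("=")
            decoded = unquote(value)
            if "\r" in decoded or "\n" in decoded:
                raise ValueError(f"control characters in URI header {name}")
            headers[name] = decoded
    return base, headers


def build_uri_with_headers(base, headers):
    """Inverse of split_uri_headers: encode header values into the URI."""
    if not headers:
        return base
    return base + "?" + "&".join(f"{n}={quote(v, safe='')}" for n, v in headers.items())


def header_value(lines, name):
    """Value of the first header called `name` (case-insensitive), or ''."""
    for line in lines[1:]:
        field, _, value = line.partition(":")
        if field.strip().lower() == name.lower():
            return value.strip()
    return ""


def apply_header_manipulation(message, template=DIVERSION_TEMPLATE, pattern=REQUEST_URI_PATTERN):
    """Rewrite the Request-URI from the template and turn its URI headers into real
    header fields of the forwarded request (RFC 3261 section 19.1.5)."""
    head, separator, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, _, rest = lines[0].partition(" ")
    old_uri, _, version = rest.rpartition(" ")

    match = re.match(pattern, old_uri)
    captures = match.groups() if match else ()
    from_match = re.search(r"sip:([^@;>]+)@", header_value(lines, "From"))
    variables = {"from.user": from_match.group(1) if from_match else ""}

    new_uri = expand_template(template, captures, variables)
    base, uri_headers = split_uri_headers(new_uri)
    lines[0] = f"{method} {base} {version}"
    lines.extend(f"{name}: {value}" for name, value in uri_headers.items())
    return "\r\n".join(lines) + separator + body


if __name__ == "__main__":
    print(apply_header_manipulation(SAMPLE_INVITE))
```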

Roll-out and Maintenance
Ease and security of roll-out and maintenance are main Service Provider concerns
Ø Initial configuration
  § SIP Trunking requires input from 3 “places”
    • Numbers and credentials from Service Provider
    • Information/Knowledge about the PBX and ITSP
    • Information about the customer network and setup
  § More complex than usual
    • And all compiled at installation time
Ø Upgrades
Ø New configuration
Ø Exchange of hardware

Ingate has the Startup Tool for a very wide variety of PBXs and ITSPs
§ “Out of the Box” setup and commissioning of the Firewall and SIParator products
§ Update current configuration
§ Product Registration and unit Upgrades, including Software and Licenses
§ Automatic selection of ITSP and IP-PBX
§ Backup of Startup Tool database
§ Located at www.ingate.com – FREE!

For Volume Deployment there Must be Provisioning
The IX78 has Several Provisioning Methods
Ø Web Wizard adapted to Provider’s Trunk Service
  § No Provider integration needed
  § Installer inputs trunk side and PBX side data
Ø Configuration fetched from Provider’s Web Server
  § Configuration, Upgrades, Licenses
  § At boot, by timer, or by kick (on request)
  § Installer runs small Wizard for PBX side
Ø Via Element Management System: iEMS
  § Provider inputs Trunk Data manually or automatically via OSS (via XML-RPC or SOAP)
  § IX78 connects automatically
  § Installer runs small Wizard for PBX side
Ø Or a combination can be used (on request)
In the two latter methods, URLs to the Provider’s provisioning server and iEMS are preloaded in the IX78, or fetched via DHCP.

The SIP Trunking Configuration Wizard [Screenshot]

5. Addressing Security Issues
Ø 4:30 pm-5:30 pm Moderator: Maloff NetResults
Ø 4:30-4:35 Moderator
Ø 4:35-5:00 Ingate – Presenting a case study.
Ø 5:00-5:30 Intertex Data AB – Practical solutions

Security
Ø Privacy – little concern today
Ø Theft of Service & Toll Fraud
Ø Denial of Service (DoS)
Ø Protecting the PBX
Ø Protecting the Service Provider

Privacy – Similar to PSTN
§ SIP Trunking and SIP UC can be more private than traditional PSTN solutions (POTS and PRI)
§ Compromising Privacy of POTS and PRI requires physical presence, and these are never encrypted
§ SIP signalling and media rarely encrypted, but can be

Signaling Encryption
TLS is Transport Layer encryption and certificate check. Both Ingate and Intertex E-SBCs can transcode between UDP, TCP and TLS for any call. [Diagram]

Privacy - Media
SRTP is encryption of the media (voice). The Ingate E-SBCs can transcode between RTP (in the clear) and SRTP (encrypted) media. [Diagram]

Theft of Service & Toll Fraud
§ What is Theft of Service? (or Intrusion of Service)
  § A Third Party attempting to defraud either the Enterprise or the Carrier
  § Devices attempting to “Spoof” a Client device in an attempt to look like an extension (or enterprise) and gain services directly

Theft of Service & Toll Fraud
§ Now a Real World Problem
§ But only a Problem when:
  § Authentication is not used. There are:
    § Digest Authentication (password)
    § IP address – Relies on that packets must return to the caller
    § MTLS (TLS is not sufficient) – The Caller must be authenticated
  § Too weak passwords are used
    § Most common cause!
    § Typically 1234, admin, demo, test or the extension number
The methods are good – The usage may be poor.

Trend for Theft Protection
§ Service providers provision the credentials for their service, so the customer never sees them.
§ Service Providers are starting to own CPE edge equipment (E-SBCs) and provision the security credentials for their own access to that CPE.

IX78 Preventing Unauthorized Usage
[Screenshot: Simple General Default Configuration in the Intertex IX78]
Remote users to the PBX can be authenticated by the IX78 (also)

Allowed Usage of the SIP Trunk [Screenshot]

Protection Against Password Guessing
Brute Force Attack Protection: Attackers are nowadays trying to find simple passwords by brute force testing. 10 – 100 trials/second have been seen (e.g. SipVicious / friendly-scanner). After 3 trials we pretend all attempts are wrong, so the correct one is never found.
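The two preceding slides make one combined point: Digest authentication is sound, but it only protects the trunk if the password is not one of the defaults listed and if a guesser is cut off before 10–100 trials a second add up. The Python below is an added example for this page (not Ingate or Intertex code) that puts both halves together: the RFC 3261 section 22 MD5 digest check (no qop, the simplest form), a weak-password test against the slide's list, and the "after 3 trials every further answer is treated as wrong" rule from this slide. The page gives no lockout duration, so the 300 second window, the per-source-address bookkeeping and the 8-character minimum are this example's assumptions; the realm, extension, password and addresses are constructed. The server-side nonce generation and freshness check that a complete implementation needs are outside the example.

```python
import hashlib
import hmac
from collections import defaultdict

MAX_FAILURES = 3        # page: after 3 trials every further attempt is treated as wrong
LOCKOUT_SECONDS = 300   # assumption: the page gives no figure for how long
MIN_PASSWORD_LENGTH = 8 # assumption, not from the page
WEAK_PASSWORDS = {"1234", "admin", "demo", "test"}   # the defaults the page lists


def is_weak_password(password, extension):
    """True for the defaults the page names, the extension number itself, or very short values."""
    return (len(password) < MIN_PASSWORD_LENGTH
            or password.lower() in WEAK_PASSWORDS
            or password == extension)


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """MD5 digest response without qop (RFC 2617 / RFC 3261 section 22)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class DigestGuard:
    """Verifies Digest responses and, after MAX_FAILURES wrong answers from one
    source address, answers 'wrong' to everything from it for LOCKOUT_SECONDS,
    so a guesser that eventually hits the right password never learns it."""

    def __init__(self, credentials, realm, clock):
        self.credentials = credentials   # {username: password}; a real system stores HA1, not passwords
        self.realm = realm
        self.clock = clock               # callable returning seconds; injectable for tests
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, src_ip):
        return self.locked_until.get(src_ip, 0) > self.clock()

    def check(self, src_ip, username, method, uri, nonce, response):
        now = self.clock()
        if self.locked_until.get(src_ip, 0) > now:
            return False                                  # pretend it is wrong, even if right
        password = self.credentials.get(username)
        # Compute a digest even for unknown users so timing does not reveal valid names.
        expected = digest_response(username, self.realm, password or "", method, uri, nonce)
        ok = password is not None and hmac.compare_digest(expected, response)
        if ok:
            self.failures.pop(src_ip, None)
            return True
        self.failures[src_ip] += 1
        if self.failures[src_ip] >= MAX_FAILURES:
            self.locked_until[src_ip] = now + LOCKOUT_SECONDS
            self.failures.pop(src_ip)
        return False
```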

Denial of Service (DoS)
§ What is Denial of Service?
  § A Third Party makes a communications resource unavailable to its intended users
  § Generally consists of the concerted efforts to prevent a SIP communications service from functioning efficiently or at all, temporarily or indefinitely
  § One common method of attack involves saturating the target (victim) IP-PBX with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable

Denial of Service
§ Nowadays Real DoS Attacks are Occurring
§ Few pure DoS attacks, but scanning for open SIP servers and trying passwords (e.g. SIPvicious.org / friendly-scanner) may become a DoS attack.
§ Attacked SIP devices can simply choke from overload, when requesting authentication
§ Or an SMB with limited IP bandwidth can have that consumed
§ Communication Servers have direct relationships with revenue and should be isolated from DoS

SIP DoS Detection and Prevention
§ Intrusion Detection System (IDS) for SIP
§ Intrusion Prevention System (IPS) for SIP
§ Ingate has an IDS / IPS system that identifies intrusions by examining network traffic.
§ Ingate is located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders/edges.
§ Ingate captures all SIP traffic and analyzes the content of individual packets for malicious traffic, which will be stopped.

Ingate SIP IDS/IPS: Attack Recognition
§ IDS/IPS - Rule Packs
§ Predefined Rule Packs (signatures) for filtering known industry DoS patterns specific for SIP applications

Ingate SIP IDS/IPS: Rate Limiting
§ SIP signaling rate limiting is generally effective
[Diagram: Untrusted Network – SIP Protocol Method, Response Code Matching/Filtering – Traffic Rate – Blacklist Policy]

IX78 Preventing SIP DoS Attack
Ø Signature Recognition: If the internal SIP proxy detects known signatures in SIP headers from attackers, it instructs the internal firewall to block the attacking IP address for 60 seconds. New signatures can be added manually or provisioned automatically.
Ø SIP Rate Limiting: If there are more than 20 SIP packets/second from the same IP address, the internal firewall blocks that IP address for 20 seconds and does not respond to that IP address until the SIP packet rate is below 3 packets/second.
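The two rules on this slide are precise enough to be written down as a filter, which is useful for seeing how they interact: the rate block has a fixed 20 second duration but is only lifted once the source has calmed down to fewer than 3 packets a second, so a scanner that keeps hammering stays dark indefinitely, while a PBX that had a burst recovers as soon as it is quiet. The Python below is an added example for this page and not the IX78 implementation; it keeps a one second sliding window of arrivals per source address, applies the 20 packets/second trigger, the 20 and 60 second block durations and the below-3 release condition from the slide, and drops blocked packets silently (no response, as the slide says). Matching the scanner names the preceding slides mention (friendly-scanner, SipVicious) against the User-Agent header stands in for the signature rule pack; which headers the real product inspects is not stated on the page. The OPTIONS messages and addresses are constructed, and the clock is injected so the behaviour over time can be exercised without waiting.

```python
from collections import defaultdict, deque

RATE_BLOCK_THRESHOLD = 20     # page: more than 20 SIP packets/second from one address
RATE_BLOCK_SECONDS = 20       # page: block that address for 20 seconds
RATE_RELEASE_BELOW = 3        # page: stay silent until its rate is below 3 packets/second
SIGNATURE_BLOCK_SECONDS = 60  # page: a matched signature blocks the address for 60 seconds

# Signatures to look for in SIP headers. The page names friendly-scanner/SipVicious;
# matching them in User-Agent is this example's assumption.
SCANNER_SIGNATURES = ("friendly-scanner", "sipvicious")


def parse_headers(message):
    """Header name (lower-case) -> value for one SIP message."""
    head = message.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def matches_signature(message):
    agent = parse_headers(message).get("user-agent", "").lower()
    return any(sig in agent for sig in SCANNER_SIGNATURES)


def options_request(user_agent):
    """Constructed OPTIONS request; only User-Agent varies between samples."""
    return (
        "OPTIONS sip:trunk.example.net SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 198.51.100.9:5060;branch=z9hG4bK1\r\n"
        "From: <sip:probe@example.org>;tag=1\r\n"
        "To: <sip:trunk.example.net>\r\n"
        "Call-ID: 1@198.51.100.9\r\n"
        "CSeq: 1 OPTIONS\r\n"
        f"User-Agent: {user_agent}\r\n"
        "Content-Length: 0\r\n\r\n"
    )


class SipPacketFilter:
    def __init__(self, clock):
        self.clock = clock                 # returns seconds; injectable for tests
        self.recent = defaultdict(deque)   # src ip -> arrival times within the last second
        self.blocked_until = {}            # src ip -> time the block expires
        self.events = []                   # audit trail of block decisions

    def _rate(self, src_ip, now):
        """Record an arrival and return packets seen from src_ip in the last second."""
        arrivals = self.recent[src_ip]
        arrivals.append(now)
        while arrivals and arrivals[0] <= now - 1.0:
            arrivals.popleft()
        return len(arrivals)

    def accept(self, src_ip, message):
        """True if the packet may reach the SIP proxy; False means drop without any response."""
        now = self.clock()
        rate = self._rate(src_ip, now)
        expiry = self.blocked_until.get(src_ip)
        if expiry is not None:
            # Blocked: stay silent while the timer runs, and after that until the source is quiet.
            if now < expiry or rate >= RATE_RELEASE_BELOW:
                return False
            del self.blocked_until[src_ip]
            self.events.append((now, "release", src_ip))
        if matches_signature(message):
            self.blocked_until[src_ip] = now + SIGNATURE_BLOCK_SECONDS
            self.events.append((now, "signature-block", src_ip))
            return False
        if rate > RATE_BLOCK_THRESHOLD:
            self.blocked_until[src_ip] = now + RATE_BLOCK_SECONDS
            self.events.append((now, "rate-block", src_ip))
            return False
        return True


def accepted_in_burst(packet_filter, src_ip, message, count):
    """Send `count` copies of message at the current clock value; return how many got through."""
    return sum(1 for _ in range(count) if packet_filter.accept(src_ip, message))
```

The events list is the part a service provider would actually wire up: each block or release is a line worth sending to syslog or the EMS, since a rate block on the address of the trunk provider's own SIP system is a misconfiguration alert, not an attack.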

Protecting the PBX and Carrier
§ SIP Protocol Packet Error Detection and Correction
§ SIP Signaling is only passed through the Internal SIP proxy in Ingate and Intertex products.
§ Malformed SIP Packets will not reach the PBXs or Service Providers from our side.
§ Standardized SIP Interface in both directions

6. Generating Revenue from HD Video
Ø 5:30 pm-6:30 pm Moderator: Maloff NetResults
Ø 5:30-5:35 Moderator
Ø 5:35-6:00 UCIF – Polycom
Ø 6:00-6:30 Intertex Data AB – Reusing the E-SBC SIP trunking infrastructure.

Global Video Calling Using the E-SBC
Telco Opportunity: High Quality, Chargeable, Global Video Calling. Ready to go, using SIP Trunking Infrastructure.
• High Quality (Telepresence) Video Calling
• Routed and Billed (CDRs produced) by the E-SBC
• Simple settlement free IP Peering between Telcos

What’s Special About Video Calling?
Ø We have been building islands – again…
  § But there is no old Video PSTN to connect those together
Ø However, there is a standard (SIP) and a network (Internet)
  § We have seen such video calls for a long time
Ø What more is needed?
  § High quality – Telepresence; Guaranteed bandwidth and QoS?
  § Global; Not only within a company and not only within one carrier’s network
  § Telephone numbers (in addition to sip addresses)
  § Allow Telcos to Bill (being more than just Bandwidth Providers)?

There is a Solution!
Ø Do More at the Enterprise Edge!
§ We can route here – the earlier the better
§ We can produce CDRs for billing here
§ We can do number resolution here (or the ITSP can do it)
Ø The Good News:
§ Reuse the SIP Trunking infrastructure (using E-SBCs)
§ Simple peering between carriers
© 2011 Intertex Data AB 78

Reusing the SIP Trunking E-SBC
Ø Telco-owned E-SBCs are already used for (voice) SIP Trunking
§ Full operator control
§ Service provider’s demarcation point
§ Enables the SIP Trunking – Video is not different from voice for: NAT/Firewall traversal, PBX interoperability and Security
Ø Reuse the same E-SBC for Video Calling!
Ø In the Ingate and Intertex E-SBCs, it is all there:
§ Classify outgoing calls (as Video, HD voice or plain voice)
§ Assure the right quality pipe and/or quality marking is used
§ Route the call directly to the other party (or
• Use ENUM (public or private) for E.164 number to SIP address resolution
• Only settlement-free IP peering between operators required
• Can fall back to best-effort IP peering (Internet) in the operator network
§ Produce and deliver CDRs for each call
• Report minutes and data used
• Include video and voice quality metrics (including MOS scores)
• Deliver via RADIUS, Syslog, management system (TR-069 Informs) or method by choice
© 2011 Intertex Data AB 79

Simple For the Carrier
(Diagram: AT&T and Qwest networks joined via the Internet and a QoS IP Network (MPLS), with ENUM lookup and CDRs produced by the SIParator and IX78 at the edges.)
© 2011 Intertex Data AB 80

Quality Separated Networks Out to the Customer Edge is Not New – Widely Used for Triple Play Services
(Diagram: three architectures, with Telia, B2 and BT as examples – ADSL Private Virtual Circuits (PVC 1–3), Ethernet Virtual LANs (VLAN 1–3), and IP-level QoS with separated subnets (WAN 1–3, Priority 1–3) over ADSL or Ethernet, each carrying Internet, IMS VoIP and IP-TV/VoD.)
The Intertex IX78 Supports All of these Architectures!
© 2011 Intertex Data AB 81

iEMS – CDRs with Call Quality Metrics
© 2011 Intertex Data AB 82

For the Telcos To Do
Ø Provide high quality IP pipes for Video and HD Voice (e.g. MPLS)
§ If on separate layer 2 networks for quality, still make them routable to the Internet (for fallback to “best effort peered” = Internet)
Ø Enter users in ENUM (public or private)
§ E.164 number to SIP address resolution
Ø Settlement Free Peering between carriers for high QoS IP networks
§ Just like for the Internet – now also for high quality IP networks (e.g. by MPLS)
Ø Deploy the same CPEs (E-SBCs) as for SIP Trunking
§ Can also be general SIP enablers (at least Intertex’ and Ingate’s) for offering all types of SIP-based services
Ø Process the CDRs from the E-SBC as usual for Billing
© 2011 Intertex Data AB 83
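The ENUM step named on slides 79 and 83 (E.164 number to SIP address resolution, done by the E-SBC or the ITSP), as an added Python example that is not Intertex or Ingate code. The NAPTR records are constructed sample data standing in for a real DNS query; the contact URI from the closing slide is reused only as an illustration.

```python
"""Added example (not Intertex/Ingate code): ENUM resolution of an E.164 number
to a SIP URI. NAPTR records are constructed here instead of fetched from DNS."""
import re

ENUM_SUFFIX = "e164.arpa"   # public ENUM tree; a private tree uses its own suffix


def enum_domain(e164, suffix=ENUM_SUFFIX):
    """+46812205629 -> 9.2.6.5.0.2.2.1.8.6.4.e164.arpa (RFC 6116 section 2.4)."""
    digits = e164.lstrip("+").replace(" ", "")
    if not digits.isdigit():
        raise ValueError("E.164 number must be '+' followed by digits")
    return ".".join(reversed(digits)) + "." + suffix


# Constructed NAPTR set: domain -> [(order, preference, flags, service, regexp)]
SAMPLE_NAPTR = {
    "9.2.6.5.0.2.2.1.8.6.4.e164.arpa": [
        (100, 20, "u", "E2U+h323", "!^.*$!h323:kalle@intertex.se!"),
        (100, 10, "u", "E2U+sip", "!^.*$!sip:kalle@intertex.se!"),
    ],
}


def apply_naptr_regexp(regexp, number):
    """Apply a NAPTR 'delim ere delim repl delim flags' substitution to the number.
    Backreferences \\1..\\9 in the replacement are the same in Python's re.sub."""
    delim = regexp[0]
    ere, repl, flags = regexp[1:].split(delim)   # assumes delim is not escaped inside
    return re.sub(ere, repl, number, count=1, flags=re.I if "i" in flags else 0)


def resolve(e164, service="E2U+sip", lookup=SAMPLE_NAPTR.get):
    """Return the URI from the first terminal ('u') NAPTR rule for the service, or None."""
    records = lookup(enum_domain(e164)) or []
    # RFC 3403 processing: lowest order first, then lowest preference
    for _order, _pref, flags, svc, regexp in sorted(records, key=lambda r: r[:2]):
        if flags.lower() == "u" and svc.lower() == service.lower():
            return apply_naptr_regexp(regexp, e164)
    return None
```

For a live deployment `lookup` would be replaced by a NAPTR query against the public or private ENUM tree; everything else stays the same.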

What’s out there 1? – Cisco TIP
Ø http://newsroom.cisco.com/dlls/2010/prod_012610.html
§ Telepresence Interoperability(?) Protocol (TIP)
§ “Cisco already supports H.323, which allows Cisco…”
Ø Don’t we already have SIP, SDP, RTCP and codec standards? …
§ And don’t they define interoperability far beyond Cisco?
Ø Is there more than how to transfer to several screens?
© 2011 Intertex Data AB 84

What’s out there 2? – The IMS World
Ø Fine – But when?
§ Stuck in its own complexity… Where is the Multimedia and Interoperability?
§ And the IMS world still has to find out how to reach the users on the fixed network, the LANs behind NATs and Firewalls – or stay with POTSoIP on FXS ports
Ø A “One Voice” initiative to create VoLTE
§ AT&T, Bell Canada, China Mobile, Deutsche Telekom/T-Mobile, KDDI, mobilkom austria, MTS, NTT DoCoMo, Orange, SKT, SoftBank, Telecom Italia, Telecom New Zealand, Telefónica, Telenor, TeliaSonera, Verizon Wireless, Vodafone, Acme Packet, Alcatel-Lucent, Aylus, Camiant, Cisco, Colibra, Communigate, Comneon, Ericsson, Fujitsu, Genband, Huawei, LG, Motorola, Movial, Mu, NEC, Nokia Siemens Networks, Qualcomm, RADVISION, Samsung, Sony Ericsson and Tekelec
§ Isn’t VoIP already invented?
Ø A “One Video” initiative can be expected…
Ø Until then: Route at the edge by the E-SBC!
§ E-SBC still needed to reach users on the LAN and for UC PBX interoperability
§ The IMS can still be the SIP registrar and billing server…
© 2011 Intertex Data AB 85

What’s out there 3? Juniper, Polycom...
Ø Juniper, Polycom forge telepresence, video conferencing alliance
http://www.zdnet.com/blog/btl/juniper-polycom-forge-telepresence-video-conferencing-alliance/29868
§ “a counterweight to Cisco Systems and its recent acquisition of Tandberg”
§ “optimize their platforms so service providers can offer video and telepresence cheaply. The argument: It’s cheaper for enterprises to deploy telepresence as a service from their network providers instead of building out their own networks.”
§ Sure!
Ø http://www.juniper.net/us/en/local/pdf/solutionbriefs/3510358-en.pdf
Ø About pre-reservation of capacity for high bandwidth calls
© 2011 Intertex Data AB 86

SIP Capable Firewalls and SIParators®
Thank You!
Ingate Systems Inc. www.ingate.com
Contact: Steve Johnson steve@ingate.com sip:steve@ingate.com Tel: +1 603 883 6569 Mob: +1 603 557 7918
Intertex Data AB www.intertex.se
Contact: Karl Stahl karl.stahl@intertex.se sip:kalle@intertex.se Tel: +46 8 12205629 Mob: +46 70 7254532
87