avaya session border controller for enterprise

Semana de atualização AvayaConceitos e Introdução ASBCE

Sérgio Tani – Systems Engineer

Westcon Brasil

Agenda

• What’s a Session Border Controller?

• What’s for?

• Where we can use it?

• Executive Summary

• Enterprise SBC – Trends and Drivers

• Avaya SBC for Enterprise Offer

• Competition & Positioning

• Um Session Border Controller (SBC) é um

dispositivo de reconhecimento de sessão VoIP

que controla a admissão de chamada para uma

rede em sua “borda” e, opcionalmente

(dependendo do dispositivo), executa uma série

de funções de controle de chamadas para aliviar

a carga sobre os elementos de chamada dentro

da rede.

O que é um SBC?

• O Session Border Controller divide-se em duas partes logicamente distintas.

• A função Signaling SBC (SBC-SIG) controla o acesso de mensagens de sinalização VoIP para o núcleo da rede, e manipula o conteúdo dessas mensagens.

• A função Media SBC (SBC-MEDIA) controla o acesso de pacotes de mídia para a rede, oferece serviços diferenciados e de QoS para diferentes fluxos de mídia.

O que é um SBC? (cont.)

Agenda


• What’s for?






• Funções básicas:• Proteger a borda da rede de um Service Provider

• Prover Call Admission Control.

• Funções adicionais:• QoS

• Media Bridging

• Interoperabilidade entre protocolos de sinalização

• Rastreamento de chamadas (para efeito de CDR)

Para que um SBC é usado?

Agenda


• What’s for?






Onde são usados os SBCs?

• Session Border Controllers normalmente são

implementados na DMZ de uma rede.

• Session Border Controllers podem ser

implementados em quaisquer dos seguintes

cenários.

Cenários possíveis

• Na borda entre um SP e seu cliente (User Network Interface –UNI)

• Na borda entre dois SPs com acordo recíproco a respeito do tráfego VoIP (Network-to-Network Interface – NNI)

• Dentro da estrutura do SP ofertando serviços VPN para seusclientes, fazendo o bridge de chamadas através das localidades VPN de seus clientes

• No core de uma rede, com o intuito de resolver problemas de topologia para comunicações internas

• Fazendo a função de “transcoding” centralizado

Cenário UNI

Cenário NNI

Cenário VPN

Resolvendo problemas internos de

topologia

Centralized codec transcoding

Agenda


• What’s for?






• How to Order

Minimum training required for partners who already hold UC

or IP Office Sales and Design

Authorizations

Quickly ramp to expand the

collaboration capabilities of your customer beyond enterprise borders

Unified Communications Market is Primed!

The future of collaboration

is now, with massive market potential and

Avaya Market Leadership

Business Proposition

Executive Summary

It’s all about secure collaboration !

• Expand the scope of an existing Avaya collaboration solution

• SIP is inherently unsecure! Your customer is at risk! Securely leverage SIP Trunking or Remote Worker capabilities

• Enable BYOD strategies of your customers

Agenda


• What’s for?






• How to Order

Customers Facing Rapid Technology

ChangeMore Collaboration and Mobile Devices…

More Enterprise Security Threats

Tablets by

2016

802Million

Mobile

projects will

outnumber

PC projects

4:1

Increase in

dedicated

video soft

clients by 2016

400%

Increase in

mobile

enterprise

investments

through

2015

30%

Of enterprise

will be cloud

based by 2015

16%

Source: Gartner

The business advantages to SIP are clear

• Operational efficiencies

• Collaborative communications

• Network consolidation

FBI warning VoIP attacks

TDoS attacks allow thieves to loot

bank account information

(May 2010)

Hackers phone home on our coin

Stolen calls - in just 15 days, over

$30,000 in calls made globally

(February 2012)

VoIP Attacks on The Rise!

Secure Your VoIP Servers –

blog.sipvicious.org

Cloud-initiated wave of SIPVicious

port 5060 scans lead to €11 million

loss (October 2010)

Hacker toured dozens of global conference rooms using common videoconferencing equipment. Easily hacked several top

venture capital, law firms, pharmaceutical and oil companies…(and) the Goldman Sachs boardroom. Videoconferencing

systems were designed with visual and audio clarity in mind, not security (January 2012)

Massive DDoS attack

crashes TelePacific VoIP

system. Average 34

million SIP traffic VoIP

connections requests…

shot up to 69 million

[in 1 day] flooding their

systems

(March 2011)

65% of Organizations Experience

Three DDoS Attacks a Year, But

Majority are Unprepared to Mitigate

Attacks

(November 2012)

FBI finds Philippine hackers

compromised AT&T business

customers used their phone

systems to call phone numbers -

revenues to hackers. Scheme cost

AT&T $2.0 million

(November 2011)

Communications Fraud Control

Association survey shows 34

respondents with $2.0 billion in

telecom fraud losses

(2011)

Could This Be Your Network?

SBCE

AdvancedFirewall IP-PBX

…requires intimate knowledge of VoIP and call states

IDS / IPS

Layer 3 attack

Layer 4 attack

SBCE

Standard

OS attack

Application attack

SIP protocol fuzzing

SIP denial of service/distributed denial of service

SIP spoofing

SIP advanced toll fraud (call walking, stealth attacks)

Remote Worker

Media Replication

Signaling/Media Encryption

VoIP Security is Different

The Solution – Avaya Session Border

Controller for Enterprise Portfolio

Secure VoIP

and UC over any

network to any

device, including

smartphones,

alternative devices

and SIP endpoints

Innovative VPN’less

remote worker

offering - enabling

true BYOD

Fit for purpose SME /

Enterprise solution

Not a repackaged

carrier SBC

Scalability – up to 2,000

sessions

High Availability

TCO & ROI

Rapid implementation

of safe SIP trunks,

remote workers and

advanced UC

applications

SIP trunks operational

in minutes, not months

GUI-based SIP

normalization tool

Industry Leading

Enterprise UC

Security

Price/Performance

Optimized for

Enterprise & SME

Ease of

Implementation

& Management

Service Provider Enterprise Everywhere else

MultimediaApps.Customer

Interaction

CollaborationApps.

SIP

SIP

AutomationApplications

Avaya

SBCE

Avaya

SBCE

SIP

Enterprise networks reach well past the network border

SIP

Trunks

Credit card privacy rules: other compliance laws require security

architecture specific to VoIP and other UC.1

Unified Communications Security –

Should You Care?

Increase

‘VoIP hacking at new levels2

Up to

of attacks

VoIP scanning –botnets, Cloud used

for VoIP fraud3

Reduce Deployments by

VoIP /UC security reduces VoIP / UC deployment time

by one third4

Toll fraud: yearly enterprise losses in Billions

inadequate securing of SIP trunks, UC and VoIP applications5

1 Payment Card Industry Data Security Standard (PCI DSS)2 VIPER LAB Honeypot research3 VIPER LAB Honeypot research

4 Aberdeen Group 20115 Communications Fraud Control Association (CFCS) 2008 Survey

So … why do I need to secure SIP?

• Cost reduction

• Flexibility

• Risk mitigation

• Compliance

• Encryption is needed in many apps

• BYOD (real time applications)

• Provide VPN-less encrypted sessions

It’s all about secure collaboration !

Agenda


• What’s for?






• How to Order

Application Specific Security

Complements Existing Security Architecture

Avaya

SBCE

Firewall

FirewallApplication Level

Security Proxy(Policy Application,

Threat Protection Privacy,

Access Control)

Avaya SBCE 6.2 is further enhanced with …

Avaya Session Border Controller for EnterpriseA New But Already Proven Solution

• Substantial interoperability testing

and improvements in Avaya UC

environments especially for

VPN’less remote worker

• Testing against all Avaya UC

platforms

• Avaya Aura®

• IP Office

• CS 1000

• New hardware platform

targeted at SMEs

(GA: Jan 2013)

• New product structure

• Separation of ordering

hardware and software

• Fully integrated into Avaya

processes and tools

• Ordering and Logistics

• Services access

• Available in ASD

Avaya Session Border Controller for EnterpriseDeployment Models

• SIP Trunking (requires standard licenses)

• Enforce security policies of the enterprise

while solving demarcation issues

• Remote Worker (requires standard +

advanced licenses)

• Mobile workspace security, secure

distributed call centers, remote workers,

teleworkers

• Confidently extend UC to mobile

workspaces across any network

• Secure VPN’less access enabling true

BYOD

• Compliance (requires standard +

advanced licenses)

• Secured Media Replication/Forking for

archiving, logging

Avaya SBCE: SIP Trunking ArchitectureUse Case: SIP Trunking to Carrier

• Carrier offering SIP trunks as lower-cost alternative to TDM

• Heavy driver for Enterprise adoption of SBC

• THE DMZ IS A SECURITY RECOMMENDATION, NOT A REQUIREMENT

Avaya SBCE is located in a DMZ behind the Enterprise firewall

Services: security and demarcation device between the IP-PBX and the Carrier

− NAT traversal,

− Securely anchors signaling and media, and can

− Normalize SIP protocol

Avaya

SBCE

DMZ

SIP

Trunks

Enterprise

IP PBX

Carrier SIP trunks to the Avaya Session Border Controller for Enterprise

Carrier

InternetFire

wall

Fire

wall

Secure Remote Worker with BYOD

Personal PC, Mac or iPad devices

Avaya Flare®, Avaya one-X® SIP client app

App secured into the organization,

not the device

One number UC anywhere

Avaya

SBCEAvaya Aura®

PresenceServer

Sys

tem

Ma

na

ge

r

Communication Manager

Avaya Aura Conferencing

Aura Messaging

Session Manager

Untrusted Network(Internet, Wireless, etc.)

Introducing…Avaya SBCE – Targeted for the SME Market

• GA January 2013

• Enterprise class SIP Security for SME

• Price / performance optimized for SME

• Superior ease of implementationand management

Enterprise-Class

Priced for SME!

Enhanced DoS, Toll Fraud Protection

GUI based EMS and SIP Normalization Tool

Scalable to largest SME environments

Upgradable

Advanced Features

VPN-less SIP remote worker protection

Signaling/Media encryption

Media Replication

SME Targeted

Implementations

Ideal for IP Office, Avaya Aura® ME

and Branch implementationswith up to 500SIP sessions

Agenda




• Target Markets & Use Cases

• Competition and Positioning

Avaya SBC for Enterprise

Cross

Industry

UC

Customers

Gov’t

SME

Cost & Value conscious

customers

Enterprises evolving to

Unified Communications

more advanced in their

adoption of VoIP

Government

agencies are

transforming their

communications

infrastructures

Avaya SBCE 6.2

fully supported

by IP Office 8.1.

Avaya Session Border Controller for

Enterprise Use Case: SIP Trunking

• DoS and DDos Prevention

• Secures the Enterprise Border

• Provides SIP normalization between

the enterprise and the carrier

• A major bank adopts SIP trunking to cut telecoms costs

• SIP trunks are for in-bound call center representatives –

retail banking customers

• In hours bank’s new system has VoIP Denial of Service attack.

Effectively:

• Blocks all call center service calls

• Cuts off customer communications

Avaya Session Border Controller for Enterprise

with SIP trunk termination needs and requirements

for companies large and small

BusinessIssue

Solution

Benefits

Avaya Session Border Controller for Enterprise

Use Case: Secure Remote Workers

• Ensured ease of implementation and deployment and excellent

QoS across hundreds of locations

• Ripped and replaced VPN phones with secure SIP phones

improving convenience and support

• Enabled secure collaboration for over 20,000 employees

worldwide

• An enterprise needed to upgrade their communications

infrastructure ensuring a secure, quality driven collaboration

network that could support a large global workforce dispersed

across many locations including home based-workers

• They needed to securely manage BYOD demands for their

salespeople, IT department, and other increasingly mobile

remote and mobile employees.

The Avaya Aura core communications platform

secured by the Avaya SBCE, delivered a secure

SIP infrastructure that ensured remote and mobile

employees had secure collaboration

BusinessIssue

Solution

Benefits

Agenda


• What’s for?






• How to Order

SBCE 6.2 with advanced

features on Dell server

with HA

SBCE 6.2 on Portwell server

SBCE 6.2 with advanced

features on Dell server

How to position Avaya SBCE

• Avaya IP Office

• Avaya Aura® solution for

Midsize Enterprise

• SIP Trunking <= 500

sessions

Any mode from any device

• Avaya IP Office


Midsize Enterprise

• Full Avaya Aura solution

• CS 1000

Large Enterprise

• SIP Trunking > 500 sess.

• VPN-Remote Worker /

BYOD

• High Availability

• Avaya IP Office


Midsize Enterprise

• Full Avaya Aura solution

• CS 1000

• SIP Trunking > 500 sess.

• VPN-less Remote

Worker / BYOD

Market

SegmentOfferCustomer

CharacteristicsKey Selling Points

Small Enterprise

*Remote Worker capabilities for IP Office and CS1000 will be provided post GA in a Service Pack

Avaya Session Border Controller for

Enterprise Competitive Differentiators

True Enterprise Solution

Designed fromthe ground up for enterprise needs

Advanced Threat Protection

based on active, primary research

Ease of Implementation

and Management

Innovative VPN’lessremote worker

solution -Enabling true BYOD

Simple UpgradePath for Advanced

Applications

Common Criteria Certification (EAL3+)

SBC Competitors

• Acme Packet – Carrier SBC

• Sonus – Carrier SBC

• Ingate – SME SBC

• AudioCodes – SME and Enterprise SBC

• Edgewater – Enterprise SBC

• Genband – Enterprise SBC

• Cisco – Enterprise SBC

To learn more visit the Avaya SBCE COMPETITIVE PORTAL

https://avaya.my.salesforce.com/apex/sp_GeneralDetailHome?Id=a3j30000000LGJ6AAO

Agenda


• What’s for?






• How to order

Avaya SBCE - Simple “1,2,3” model

Avaya SBCE Product Options

• High Availability requires an extra Dell R210-II XL to run a separate EMS

(Element Management System) in addition to the 2 core servers

• The HP DL 360 is the common server hosting the AA-SBC Code and will be

supported for migrations from AA-SBC to A SBCE software

Server Max. # of Sessions –

without encryption

Max. # of Sessions –

with encryption (TLS,

SRTP)

Standard

Software

License

Advanced

Software

License

High

Availability

Portwell

CAD-0208

500 250

Dell

R210-II XL

2,000 1,000

HP DL360(migrations only)

2,000 1,000

Standard Services – Secure SIP Trunking Advanced Services

Avaya SBCE Feature Groups

• Broadly scalable based on platform

• High availability solutions with stateful failover

• EMS: well-constructed ‘craft’ interfaces for

simplicity of implementation and administration

• Advanced UC Security: Toll Fraud, Call

Walking, etc.

• Deep Packet Inspection (SIP and Media)

• DoS/DDoS (flood, resource hang/open

transaction, crash/fuzz)

• ACL/White/Black listing

• SIP Normalization – SIP trunk integration

module STIM

• Call Admission Control

• Quality of Service marking and tracking

• DTMF manipulation

• NAT

• RFC 5853 Compliant

• Remote Worker: validate and securely

support remote/mobile users for

extension of Avaya Aura UC services

• VPN-less

• Supports both near and far end NAT

• Supports Avaya hard and soft clients

per solution-tested compatibility matrix

• Encryption Services

• SIP TLS ↔ TCP, UDP

• sRTP ↔ RTP

• Media replication

• Ability to fork media

to a recording device

Avaya SBCE Software Licenses

• Standard and Advanced Licenses can reside on same SBCE as required

• # of advanced licenses needs to match # of standard licenses

• # of licenses are based on simultaneous sessions

• Configuration Examples (software only)

• Solution for 200 SIP Trunks (without encryption)

– 200 * 270137 “ASBCE R6.2 STD SVCS LIC 1-500”

• Solution for 200 SIP Trunks (with encryption)


– 200 * 270390 “ASBCE R6.2 ADV SVCS LIC 1-500”

• Solution for 75 Remote Worker sessions



• Solution for 200 SIP Trunks (with encryption) and 75 Remote Worker sessions



Avaya Aura® Suite LicensingDriving user profile driven collaboration oriented sales conversations

Foundation Suite

Avaya Aura

CM,SM, SMGR

Avaya Aura

Presence

Flare

for PCVoice

CM

MessagingMS Lync

Plug in ACA w/ Video

ACE

ACE 6.2

Mobility Suite

Avaya Aura

CM, SM, SMGR

Avaya Aura

Presence

Flare

for PC

CM

MessagingMS Lync


ACE

ACE 6.2

One-X

Mobile/

SIP/iOS/CES

Flare

for iPadVoice

Avaya

SBCE Avaya Aura

Messaging

Collaboration Suite

Avaya Aura

CM, SM, SMGR

Avaya Aura

Presence

Flare

for PC

CM

MessagingMS Lync


ACE

ACE 6.2

One-X

Mobile/

SIP/iOS/CES

Flare

for iPadVoice/Web/Video

Avaya

SBCE

Scopia /user *

Desktop & Mobile

Avaya Aura Conferencing

(Audio/Web/Video)

Avaya Aura

Messaging

Mix & Match per user across the enterprise

Optional a-la-carte

Conferencing or Scopia (/port)

Optional a-la-carte

Conferencing or Scopia (/port)

Optional Video Room connectivity

* per-user Scopia ships FQ3

one-X

Communicator

w/Video

one-X

Communicator

w/Video

one-X

Communicator

w/Video

EC500

EC500

End of Sale – Avaya Aura SBC

• Effective May 6th 2013, Avaya will no longer sell (make commercially available) the Avaya Aura Session Border Controller (AA-SBC).

• The HP DL360 server which serves the AA-SBC software will be used for the A SBCE code so no hardware swap is required. If the customer has new requirements for more than 750 SIP Trunk Sessions, a new A SBCE will be required with new hardware.

• EoS Announcement -https://downloads.avaya.com/css/P8/documents/100168696

https://downloads.avaya.com/css/P8/documents/100168696

Obrigado!

Sérgio Tani

Systems Engineer – Westcon

[email protected]

+55 11 5525-7257

+55 11 99917-7123

avaya session border controller for enterprise

Documents