January 23-26, 2007 • Ft. Lauderdale, Florida
High Volume Applications
SIP Trunking for the Contact Center
Presented by
Pete Sandstrom, CTO, BandTel
Janne Magnusson, Director Operations, Ingate
Session Overview
1. Why have signaling
2. “Inside” SIP
3. SIP Enterprise Benefits
4. SIP Benefits For The Contact Center
5. The Role of the Internet Telephony Service Provider (ITSP)
6. Special ITSP Services
7. Call Center Architectures
8. SIP and the Future
1. Why Have Signaling
• Signaling provides the mechanism to set up, route, monitor and disconnect a call.
• Signaling provides a way to alert a station (i.e. ring the phone).
• Signaling provides a way to meter the service (i.e. lets the carrier generate a bill for you).
2. “Inside” SIP Signaling
3. SIP Enterprise Benefits
• Save Costs - SIP Trunking can reduce trunking costs by 40%.
• Convergence of the enterprise network organization - the data group is becoming the data/telecom group.
• Provisioning is simplified - increasing or decreasing capacity is now simply a keyboard stroke and management is simplified with SIP Trunking.
• Fewer Carriers - having the IP pipe and voice service from one source improves operations, reduces billing errors, simplifies “finger-pointing” problems and offers better price/SLA negotiations.
4. SIP Contact Center Benefits
• New Applications - SIP and IP “frees one from location”, allowing amazing new inbound and outbound possibilities.
• Virtual Trunking - SIP can enable new applications not possible in TDM space due to the nature of IP being untethered from a specific location.
• Geographical Unification - SIP can unify many dispersed enterprise offices into one virtual entity, and do so without any special leased circuit trunking facilities.
SIP Adds “Intelligent Signaling”
The problem - a calling client needs to talk to an agent that specializes in handling accounts receivable issues on a particular product for a particular company. The serving contact center enterprise has agents in one of its four locations that can service the client's needs.
1. Inbound Caller Needs - to get to a contact center agent in a timely manner
2. Inbound Caller Needs - to get to the agent with the right expertise to handle their need
3. The Contact center needs - a virtual presence via virtual trunking
4. The Contact center needs - an unencumbered standard mechanism to terminate the caller to the right agent
5. The Contact center needs - to do all of the above in an economical manner
Inbound Contact Center with “Intelligent Signaling”
[Diagram labels: Intelligent CC Front end; SIP ITSP; PSTN; four contact centers (CC): “CC has no agents free”, “CC has qualified agents free”, “CC has no qualified agents”, “CC has no agents free”]
Outbound Contact Center Possibilities With SIP “Intelligent Signaling”
• Outbound call centers generally dial out (auto dialers) at a rate that exceeds the number of physical agents that are sitting in the call center.
• Only a fraction of the calls made get answered at the far end.
• In order to keep the agent pool busy and talking at all times, a ratio of dialed calls to agents is maintained. Many times that ratio can be as high as 4, 5, or even 6 calls dialing for every agent present.
• The result in TDM space is wasted bandwidth and wasted circuits
Lots of calls “ringing”
Outbound Contact Center Possibilities with SIP “Intelligent Signaling”
• With SIP, bandwidth used for “call progress” tones is eliminated.
• Callers-talking/bandwidth ratio is increased radically (4 to 5 times in some cases).
5. The Role of the ITSP - Internet Telephony Service Provider
• Getting to the ITSP - should be “seamless” to the customer.
• Total Resiliency - in the event of an ITSP element failure (it will happen) real-time dynamic fault switchover must be in place.
• Load to the ITSP - dynamic diverse routing to multiple call processing elements should be automatic and with “no downtime.”
• Getting to the Public Switched Telephone Network (PSTN) - the ITSP client needs many paths to and from the PSTN for resiliency and guaranteed continuation of service.
Fulfilling the Role: BandTel’s N-Plus™ Architecture
QoS and the Internet: The Economics of peering and why it works in North America
[Diagram labels: IP NET - A; IP NET - B; IP NET - B]
• Bandwidth (BW) managed Zone: IP carrier peers watch and police each other
• BW limited Zone: BW limits strictly enforced by carrier
In North America, we see a great call:
• Packet delay: < 100 msecs
• Packet loss: < 4%
• Jitter: < 10 msecs
6. Special ITSP Services
• Routing Plan Flexibility – QoS
• Security – at the ITSP and Customer Premise
• Special Services; i.e. Early Media (Silent Running)
• Online Traffic Monitoring (TotalView)
• Online Billing
• Traffic Re-routing (Total Reroute)
MPLS with IP = High QoS
Security: at the ITSP POP
• Dynamic Authentication (Message Digest 5) - ITSP must watch for ID theft and flag it.
• IP authentication (static IP address) - virtually impossible to spoof if ITSP drops “source routed packets” at the border controller.
• Split Paths - the ITSP should split media (conversations) and signaling to different redundant locations, making media/signaling taps virtually impossible at the Customer Premise Equipment (CPE) side.
• Secure Borders - ITSP must have secure Points of Presence (POPs) that can restrict/deny all outside attacks such as:
– DoS (Denial of Service)
– IP Spoofing
– SPIT (Spam over Internet Telephony)
– VOMIT (Voice Over Mis-configured Internet Telephony)
Security: at the Customer Site
• The CPE Border - SIP-Aware Firewall (SAFW) that allows L5 (Transport Layer 5) Security (i.e. no L2 (Datalink Layer 2) pinholes*) is a must have.
• Authentication - must require ITSP Message Digest 5 (MD5) encryption or IP Authentication for Account Authorization.
• Split Paths - the ITSP should split media (conversations) and signaling to different redundant locations, making media/signaling taps virtually impossible at the CPE side.
• Security Inside - most fraud occurs from inside the CPE border.
– Trojans - lurking on enterprise servers
– Disgruntled or dishonest employees - past and present
TotalView: The User Can See
Real-Time Call Activity
Accounting History
7. Call Center Architectures - with Dedicated IP Pipes
[Diagram labels: WAN; WAN-CPE; Router; Tier I/II Managed IP Network]
Notes:
1. The IP pipe is dedicated to VoIP so no QoS arrangements are needed with the carrier.
2. No firewall is needed as there are no “LAN” connections with other enterprise devices.
3. This is a common architecture for dedicated media gateway deployments.
Call Center Architectures - with Shared IP Pipes
[Diagram labels: SIP Aware Firewall (SAFW); (P1), (P2), (P3); Tier I/II Managed IP Network; IP With QoS; LAN; Router; WAN; L2 Smart Hub; Dumb Hub; Enterprise Bulk IP; SIP UAs]
Notes:
1. VoIP and bulk enterprise share the same IP pipe.
2. The SAFW handles all QoS issues for VoIP by prioritizing VoIP traffic over bulk enterprise traffic.
3. The SAFW handles all SIP addressing transformation issues between the LAN and WAN demarc.
4. Architecture offers partial QoS for VoIP (no inbound UDP QoS).
5. Excellent utilization of IP pipe resources.
8. SIP and the Future
• Voice to packet is happening; it's just better - packet networks (IP in particular) are easier to manage and provision. As such, the transition from voice to packet is inevitable.
• New Services - In IP space new possibilities arise due to the nature of the technology. The media travels with its destination address inside, freeing it from circuits and the inherent limitations of circuits.
• New Choices - in packet space the end telecom user is empowered, and free to let the market work in their favor as alternate service providers are a keystroke away.
Summary
• Successful ITSPs will be:
– Resilient (fault tolerant)
– Scalable
– Secure, and
– Providers of a network and customer premise architecture that offers QoS.
What is Required for SIP to Traverse?
• Signaling between the SIP client and its SIP registrar
– In both directions
– May be on the same or on different sides of the firewall
• Callers must be able to reach the SIP registrar
– At all times if you want to receive calls
– Problem if caller on the outside and SIP registrar on inside (e.g. an IP PBX or MS LCS)
• Media (the voice or video packets) must flow end to end
– In both directions
– Must reach the correct end point, even on a network with private addresses
– Pin holes must be opened and media routed (NATed)
Who shall be in control of all of this?
Who Shall be in Charge of the Firewall?
The firewall manager, the users or some service provider?
• STUN, TURN, ICE:
– The users are in control, for SIP and ANY OTHER USAGE
– The firewall has to be sufficiently open to allow this
– Still cannot handle the case where the SIP Server is on the inside (e.g. IP PBX or MS LCS)
• Session Border Controllers with Far end NAT traversal:
– The service provider is in control
– The firewall has to be sufficiently open to allow this
• UPnP:
– The clients (most often Windows) control the NAT/Firewall (for ANY USAGE)
– Both the client and the firewall must implement UPnP
– Clients still have to have open binding outside to SIP registrar
• SIP capable firewall
– The firewall manager has a possibility to be in charge
Two Types of SIP Capable Firewalls
• SIP Proxy based SIP aware Firewall/NATs (Intertex, Ingate)
– General, can handle complex call scenarios
– Encryption (TLS and SRTP)
– Authentication
– Additional functionality possible (Remote SIP Connectivity, VoIP Survival, SIP server, PBX etc.)
• Lower level ALG SIP aware Firewall/NATs
– Difficult to handle more than basic scenarios
– TLS not possible
The Function of a SIP Capable Firewall
[Diagram labels: SIP capable Firewall; SIP Proxy/Registrar; SIP Signaling; Media; address spaces 10.x.xx and 168.x.xx]
• Check the SIP signaling
• Rewrite for the different address spaces
• Forward the signaling to the correct SIP proxy or client
– For inbound calls – need to know location of each SIP user (unless registrar is on the inside)
• Open pinholes in the firewall for the media
– Only for the duration of the call
– Only between the exact endpoints
• Media flows through the pinhole (UDP/TCP)
• Close pinholes after the call
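The pinhole lifecycle listed above, as an added Python example (not Ingate's code): the media endpoints are read from the SDP in the INVITE and its 200 OK, a pinhole is opened only for that exact pair, and it is removed on BYE or CANCEL. The `PinholeTable` class, the addresses and the trimmed SDP bodies are constructed for illustration; address rewriting (NAT) and RTCP ports are left out.

```python
import re

# Constructed, trimmed SDP bodies: caller on a private LAN, callee on a public address.
OFFER = "v=0\r\nc=IN IP4 10.0.0.5\r\nt=0 0\r\nm=audio 40000 RTP/AVP 0\r\n"
ANSWER = "v=0\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 50000 RTP/AVP 0\r\n"

def sdp_endpoint(sdp):
    """Return (ip, port) from the c= line and the first m= line of an SDP body."""
    ip = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
    port = re.search(r"^m=\w+ (\d+) ", sdp, re.M)
    return (ip.group(1), int(port.group(1))) if ip and port else None

class PinholeTable:
    """Hypothetical helper: tracks which media flows the firewall lets through."""
    def __init__(self):
        self.offers = {}   # Call-ID -> caller media endpoint seen in the INVITE
        self.open = {}     # Call-ID -> frozenset of the two negotiated endpoints

    def on_sip(self, call_id, start_line, sdp=""):
        ep = sdp_endpoint(sdp)
        if start_line.startswith("INVITE ") and ep:
            self.offers[call_id] = ep
        elif start_line.startswith("SIP/2.0 200") and ep and call_id in self.offers:
            # Call answered: open a pinhole between exactly these two endpoints.
            self.open[call_id] = frozenset({self.offers.pop(call_id), ep})
        elif start_line.startswith(("BYE ", "CANCEL ")):
            # Call over or abandoned: close the pinhole straight away.
            self.offers.pop(call_id, None)
            self.open.pop(call_id, None)

    def allows(self, src, dst):
        """Media passes only between the exact endpoints of a live call."""
        return any({src, dst} == pair for pair in self.open.values())
```
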
The Ingate Solution: Fully SIP-Capable Firewalls
Ingate Firewall® with SIP-Proxy and -Registrar
[Diagram labels: SIP; Normal Firewalls]
Ingate SIParator®
You Don’t Need to Replace your Firewall!
SIP-enables any firewall
[Diagram labels: Normal Firewalls; DMZ; SIP]
Encryption
• Encrypted SIP signaling
– Support for TLS encryption.
• Encrypted media
– Support for RTP media streams created by Microsoft Windows Messenger.
– Support for SRTP (Sdescriptions)
[Diagram: IP-Phone, Ingate Firewall or SIParator, IP-PBX / SIP Server; three modes shown (Termination, Transcoding, Pass through) with links labeled TLS, SRTP, MS Encryption, RTP and “In the clear”]
Authentication
• SIP Digest authentication
– Equivalent to HTTP Digest.
– Each user has a username and password.
– Servers can verify that users are who they really claim to be.
– Can be selected for different SIP methods.
• TLS authentication
– Clients can verify that the Server is what it claims to be.
– Hop-by-Hop
    • Encryption between each SIP device.
    • TLS can be used in only parts of the signaling path.
– Gives encrypted Instant Messaging
– Support for Mutual TLS (MTLS)
• Local and external (RADIUS) user database supported
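An added Python example (not Ingate's or BandTel's code) of the server side of SIP Digest authentication as listed above: a per-user password, a check that the sender knows it, and a selectable set of SIP methods that must authenticate. The user table, realm, nonce scheme and the `check_request` helper are assumptions made for the illustration; the response formula is the RFC 2617 one without qop.

```python
import hashlib, hmac, re, time

SECRET = b"constructed-nonce-key"                    # assumption: server-side nonce key
USERS = {("alice", "pbx.example.test"): "s3cret"}    # constructed local user database
AUTH_METHODS = {"REGISTER", "INVITE"}                # methods selected for authentication

def md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def nonce_mac(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]

def make_nonce(now=None):
    """Nonce = timestamp plus a MAC, so its age can be checked without server state."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{nonce_mac(ts)}"

def nonce_fresh(nonce, now=None, max_age=60):
    ts, _, mac = nonce.partition(".")
    if not ts.isdigit() or not hmac.compare_digest(mac.encode(), nonce_mac(ts).encode()):
        return False
    age = (time.time() if now is None else now) - int(ts)
    return 0 <= age <= max_age

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")

def check_request(method, authorization=None, now=None):
    """Return 'pass', 'challenge' (answer 401 with a new nonce), 'ok' or 'reject'."""
    if method not in AUTH_METHODS:
        return "pass"
    p = dict(re.findall(r'(\w+)="([^"]*)"', authorization or ""))
    password = USERS.get((p.get("username"), p.get("realm")))
    # Unknown users and stale or forged nonces get the same answer as no header.
    if password is None or not nonce_fresh(p.get("nonce", ""), now):
        return "challenge"
    want = digest_response(p["username"], p["realm"], password,
                           method, p.get("uri", ""), p["nonce"])
    got = p.get("response", "")
    return "ok" if hmac.compare_digest(want.encode(), got.encode()) else "reject"
```

Because the method is part of the hash, a response captured from a REGISTER does not validate for an INVITE, and the timestamped nonce bounds how long any captured response stays usable.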
SIP Filtering
• IP addresses and/or networks filtering
– The unit can be configured to allow SIP traffic from only certain IP addresses and/or networks
• SIP To and From header filtering
– Filters can be applied both on user and domain level.
– Filtering on SIP header examples:
    • [email protected] can call [email protected] but not the other way around.
    • *@spam.org cannot call *@ingate.com
• SIP content (MIME type) filtering
– Filtering on specific SIP content types, e.g. Message (IM), Presence etc.
– Can only be applied on “overall” level, not per user or domain
– One application could be e.g. to prevent the use of IM.
• Class 1xx message processing filtering
– Select if status messages about the negotiation process will be forwarded to the client or stay in the server.
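An added Python example (not Ingate's configuration or code) of To/From header filtering at user and domain level, with a one-directional rule and the `*@spam.org` wildcard rule from the slide. The rule format, the named users at `example.test`, the default action and the helper names are assumptions; the address is taken from the parsed URI, never from the display name, which the sender can fill with any text.

```python
import re
from fnmatch import fnmatchcase

# Ordered rules, first match wins: (action, caller pattern, callee pattern).
# *@spam.org and *@ingate.com come from the slide; the named users are constructed.
RULES = [
    ("allow", "alice@example.test", "bob@ingate.com"),
    ("deny",  "bob@ingate.com",     "alice@example.test"),   # not the other way around
    ("deny",  "*@spam.org",         "*@ingate.com"),
]
DEFAULT = "allow"   # assumption: pairs that match no rule are allowed

QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
BRACKETED = re.compile(r"<\s*sips?:([^@>;\s]+)@([^>;:\s]+)", re.I)
BARE = re.compile(r"\s*sips?:([^@;\s]+)@([^;:\s]+)", re.I)

def address_of(header_value):
    """Return lower-cased user@domain from a From/To header value, or None."""
    value = QUOTED.sub("", header_value)      # drop the quoted display name first
    m = BRACKETED.search(value) or BARE.match(value)
    return f"{m.group(1)}@{m.group(2)}".lower() if m else None

def decide(from_header, to_header):
    """Apply the rule list to one request; returns 'allow' or 'deny'."""
    caller, callee = address_of(from_header), address_of(to_header)
    if caller is None or callee is None:
        return "deny"                         # unparseable identity: fail closed
    for action, src, dst in RULES:
        if fnmatchcase(caller, src) and fnmatchcase(callee, dst):
            return action
    return DEFAULT
```
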
DoS Attack Prevention
• Ingate has experience of DoS attacks in normal data firewall environments, but we have not yet seen any SIP specific attacks outside our own lab
• Available today
– Ability to black list on IP address / Domain
– SIP message loop detection
– Maximum/guaranteed bandwidth (QoS) settings ensure that VoIP traffic is maintained in certain scenarios
– Ingate architecture ensures that existing media sessions are unaffected by an overloading attack against the SIP stack
– Management access is also isolated from SIP attacks allowing remedial action to be taken
– Blocking of SIP packets on kernel level
Logging
• Extensive SIP logging
– All SIP packets can be logged in a readable format in the log
– Detailed debug logging to understand Ingate behavior
• Flexible log monitoring
– Log information can be stored locally or sent via syslog and e-mail.
• Status monitoring
– SNMP supported
– All registered users displayed
– All active sessions displayed, including session status (state, used ports and detection of one-way media)
• Call data records
– Accounting information can be sent to a RADIUS server according to RFC 2866.
Questions?
About BandTel
• Headquartered in Newport Beach, California, BandTel is a leading worldwide provider of SIP Trunking services. The company is dedicated to ensuring its customers and partners alike have access to the most reliable, end-to-end VoIP service available on the market today.
• Its N-Plus™ network architecture is designed to solve the throughput and redundancy problems on high-capacity SIP-based networks and eliminate any single point of failure.
• BandTel continues to develop strong partnerships with leading carriers and telecommunications companies, including Global Crossing, XO Communications, Level 3, Qwest Communications, Verizon Business, and Primus.
About Ingate
• Formed 2001
– Firewall technology from Cendio Systems (appliance firewalls since 1994)
– Capital and SIP technology from Intertex Data AB (began SIP development in 1998)
• Released the world's first SIP capable Firewall in 2001
• Located in Stockholm and Linköping, Sweden with a subsidiary, Ingate Systems Inc., based in Hollis, NH.
• Confirmed IP-PBX interoperability: 3Com, Asterisk, Avaya, Broadsoft, Cisco Call Manager, Ericsson MX-One, Mitel, Pingtel, SER, Shoretel, Sphere, Swyx, Zultys
• Confirmed carrier interoperability: Bandtel, Broadband.com, Cbeyond, Global Crossing, IP-Only, O1, RNKTel, Tele2, VoEx
For More Information About SIP Trunking
Visit BandTel’s New SIP Trunking Resource Center
www.BandTel.com/siptrunking2.asp