january 23-26, 2007 ft. lauderdale, florida high volume applications sip trunking for the contact...

January 23-26, 2007• Ft. Lauderdale, Florida

High Volume Applications

SIP Trunking for the Contact Center Presented by

Pete Sandstrom, CTO BandTelJanne Magnusson, Director Operations Ingate

Due to slides with Flash animation, please review in Slide Show Mode


Session Overview

1. Why have signaling

2. “Inside” SIP

3. SIP Enterprise Benefits

4. SIP Benefits For The Contact Center

5. The Role of the Internet Telephony Service Provider (ITSP)

6. Special ITSP Services

7. Call Center Architectures

8. SIP and the Future


1. Why Have Signaling

• Signaling provides the mechanism to setup, route, monitor disconnect a call

• Signaling provides a way to alert a station (i.e. ring the phone).

• Signaling provides a way to meter the service (i.e. lets the carrier generate you a bill)


2. “Inside” SIP Signaling


3. SIP Enterprise Benefits

• Save Costs - SIP Trunking can reduce trunking costs by 40%.

• Convergence of the enterprise network organization - the data group is becoming the data/telecom group.

• Provisioning is simplified - increasing or decreasing capacity is now simply a keyboard stroke and management is simplified with SIP Trunking.

• Fewer Carriers- having the IP pipe and voice service from one source improves operations, reduces billing errors, simplifies “finger-pointing” problems and offers better price/SLA negotiations.


4. SIP Contact Center Benefits

• New Applications - SIP and IP “frees one from location”

allowing amazing new inbound and outbound possibilities.

• Virtual Trunking - SIP can enable new applications not

possible in TDM space due to the nature of IP being un-

tethered from a specific location.

• Geographical Unification - SIP can unify may disperse

enterprise offices into one virtual entity, and do so without any

special leased circuit trunking facilities.


SIP Adds “Intelligent Signaling”The problem - calling client needs to talk to an agent that specializes in handling accounts receivable issues on a particle product for a particular company. The serving contact center enterprise has agents in one of it four locations that can service the clients needs.

1. Inbound Caller Needs - to get to contact center agent in a timely manner

2. Inbound Caller Needs - to get to the agent with the right expertise to handle their need

3. The Contact center needs - a virtual presence via virtual trunking4. The Contact center needs - an unencumbered standard

mechanism to terminate the caller to the right agent5. The contact center needs - to do all of the above in an

economical manner


Inbound Contact Center with “Intelligent Signaling”

Intelligent CC Front end

CC has no agents free

CC has qualified agents free

CC has no qualified agents

CC has no agents free

SIP ITSP

PSTN


Outbound Contact Center Possibilities With SIP “Intelligent Signaling”

• Outbound call centers generally dial out (auto dialers) at a rate that exceeds the number of physical agents that are sitting in the call center.

• Only a fraction of the calls made get answered at the far end. • In order to keep the agent pool busy and talking at all times, a ratio of

dialed calls to agents is maintained. Many times that ratio can be as high as 4, 5, or even 6 calls dialing for every agent present.

• The result in TDM space is wasted bandwidth and wasted circuits

Lots of calls “ringing”


Outbound Contact Center Possibilities with SIP “Intelligent Signaling”

• With SIP, bandwidth used for “call progress” tones is eliminated.• Callers-talking/bandwidth ratio is increased radically (4 to 5 times in

some cases).


5. The Role of the ITSP-Internet Telephony Service Provider

• Getting to the ITSP - should be “seamless” to the customer.

• Total Resiliency - in the event of an ITSP element failure (it will happen) real-time dynamic fault switchover must be in place.

• Load to the ITSP - dynamic diverse routing to multiple call processing elements should be automatic and with “no downtime.”

• Getting to the Public Switched Telephone Network (PSTN) - the ITSP client needs many paths to and from the PSTN for resiliency and guaranteed continuation of service.


Fulfilling the Role:BandTel’s N-Plus™ Architecture


QoS and the Internet: The Economics of peering and why it works in North America

IP NET - BIP NET - B

IP NET - ABandwidth (BW) managed Zone: IP carrier peers watch and police each other

BW limited Zone: BW limits strictly enforced by carrier

In North America, we see a great call:•Packet Delay: < 100 msecs•Packet loss < 4%•Jitter < less then 10 msecs


6. Special ITSP Services

• Routing Plan Flexibility – QoS

• Security – at the ITSP and Customer Premise

• Special Services; i.e. Early Media (Silent Running)

• Online Traffic Monitoring (TotalView)

• Online Billing

• Traffic Re-routing (Total Reroute)


MPLS with IP = High QoS


Security: at the ITSP POP • Dynamic Authentication (Message Digest 5) - ITSP must watch for ID theft

and flag.

• IP authentication (static IP address) - virtually impossible to spoof if ITSP drops “source routed packets” at the border controller.

• Split Paths - the ITSP should split media (conversations) and signaling to different redundant locations, making media/signaling taps virtually impossible at the Customer Premise Equipment (CPE) side.

• Secure Borders - ITSP must save secure Points of Presence (POPs) that can

restrict/deny all outside attacks such as: • DOS (Denial of Service)• IP Spoofing• SPIT (Spam over Internet Telephony)• VOMIT (Voice Over Mis-configured Internet Telephony)


Security: at the Customer Site

• The CPE Border - SIP-Aware Firewall (SAFW) that allows L5 (Transport Layer 5) Security (i.e. no L2 (Datalink Layer 2) pinholes*) is a must have.

• Authentication - must require ITSP Message Digest 5 (MD5) encryption or IP Authentication for Account Authorization.

• Split Paths - the ITSP should split media (conversations) and signaling to different redundant locations, making media/signaling taps virtually impossible at the CPE side.

• Security Inside - most fraud occurs from inside the CPE border.– Trojans - lurking on enterprise servers– Disgruntled or dishonest employees - past and present


TotalView: The User Can See


Real-Time Call Activity


Accounting History


7. Call Center Architectures - with Dedicated IP Pipes

WANWAN-CPE

Router

Tier I/IIManaged IP

Network

Notes:1. The IP pipe is dedicated to VoIP so no QoS arrangements are needed with the carrier.2. No firewall is needed as there are no “LAN” connections with other enterprise devices.3. This is a common architecture for dedicated media gateway deployments.

1 - The IP pipe is dedicated to VoIP so no QoS arrangements are needed with the carrier.

2 - No firewall is needed as there are no LAN connections with other enterprise devices.

3 - This is a common architecture for dedicated media gateway deployments.


Call Center Architectures - with Shared IP Pipes

SIP Aware Firewall(SAFW)

(P1)(P2)(P3)Tier I/IIManaged IP

Network IPWith QoS

LANRouter

WAN

L2 Smart Hub

Dumb Hub

Enterprise Bulk IP

SIP UAs

Notes:1. VoIP and bulk enterprise share the same IP pipe. 2. The SAFW handles all QoS issues for VoIP by prioritizing VoIP traffic over bulk enterprise traffic.3. The SAFW handles all SIP addressing transformation issues between the LAN and WAN demarc.4. Architecture offers partial QoS for VoIP (no inbound UDP QoS).5. Excellent utilization of IP pipe resources.

1 – VoIP and bulk enterprise share the same IP pipe.

2 – The SAFW-SIP-Aware Firewall handles all the QoS issues by prioritizing VoIP traffic over the bulk enterprise network.

3 – The SAFW handles all SIP addressing transformation issues between the LAN and WAM demarc.

4 – Architecture offers partial QoS for VoIP (no inbound UDP QoS).

5 – Excellent utilization of IP pipe resources.


8. SIP and the Future

• Voice to packet is happening; its just better- packet networks (IP in particular) are easier to manage and provision. As such the transition form voice to packet is inevitable.

• New Services - In IP space new possibilities arise due to the nature of the Technology. The media travels with its destination address inside, freeing it from circuits, and the inherent limitations of circuits.

• New Choices - in packet space the end telecom user is empowered, and free to let the market work in their favor as alternate service providers are a keystroke away.


Summary

• Successful ITSPs will be:• Resilient (fault tolerant)• Scalable• Secure and • Provider a network and customer premise

architecture that offers QoS.


What is Required for SIP to Traverse?

• Signaling between the SIP client and its SIP registrar – In both directions– May be on the same or on different sides of the firewall

• Callers must be able to reach the SIP registrar – At all times if you want to receive calls– Problem if caller on the outside and SIP registrar on inside

(e.g. an IP PBX or MS LCS)

• Media (the voice or video packets) must flow end to end– In both directions– Must reach the correct end point, even on a network with

private addresses– Pin holes must be opened and media routed (NATed)

Who shall be in control of all of this?


Who Shall be in Charge of the Firewall?

The firewall manager, the users or some service provider?

• STUN, TURN, ICE:– The users are in control, for SIP and ANY OTHER USAGE– The firewall has to be sufficiently open to allow this– Still cannot handle when the SIP Server is on the inside (e.g. IP

PBX or MS LCS)• Session Border Controllers with Far end NAT traversal:

– The service provider is in control– The firewall has to be sufficiently open to allow this

• UPnP:– The clients (most often Windows) controls the NAT/Firewall (for

ANY USAGE)– Both the client and the firewall must implement UPnP– Clients still have to have open binding outside to SIP registrar

• SIP capable firewall– The firewall manager has a possibility to be in charge


Two Types of SIP Capable Firewalls

• SIP Proxy based SIP aware Firewall/NATs (Intertex, Ingate)

– General, can handle complex call scenarios – Encryption (TLS and SRTP)– Authentication – Additional functionality possible

(Remote SIP Connectivity, VoIP Survival, SIP server, PBX etc.)

• Lower level ALG SIP aware Firewall/NATs – Difficult to handle more than basic scenarios– TLS not possible


The Function of a SIP Capable Firewall

SIP capable Firewall

SIP Proxy/RegistrarSIP Signaling 10.x.xx168.x.xx

•Check the SIP signaling•Rewrite for the different address spaces

•Forward the signaling to the correct SIP proxy or client-For inbound calls – need to know location of each SIP user (unless registrar is on the inside)

•Open pinholes in the firewall for the media-Only for the duration of the call

-Only between the exact endpoints •Media flows through the pinhole (UDP/TCP)

Media

•Close pinholes after the call


The Ingate Solution….Fully SIP-Capable Firewalls

SIP

Ingate Firewall®

Normal Firewalls

With SIP-Proxy and -Registrar


Ingate SIParator®

You Don’t Need to Replace your Firewall!

Normal Firewalls

DMZ

SIP

SIP

SIP-enables any firewall


• Encrypted SIP-signaling – Support for TLS encryption.

• Encrypted media– Support for RTP media streams created by Microsoft Windows

Messenger.– Support for SRTP (Sdescriptions)

Encryption

TLS

SRTP

In the clear

RTP

TerminationTLS

MS Encryption

In the clear

SRTP

Transcoding

IP-PhoneIngate Firewall or SIParator IP-PBX / SIP Server

SRTP

TLS

Pass throughTLS


Authentication

• SIP Digest authentication– Equivalent to http Digest.

– Each user has a username and password.

– Servers can verify that users are who they really claim to be.

– Can be selected for different SIP methods.

• TLS authentication– Clients can verify that the Server is what it claim to be.

– Hop-by-Hop• Encryption between each SIP device.• TLS can be used in only parts of the signaling path.

– Gives encrypted Instant Messaging

– Support for Mutual TLS (MTLS)

• Local and external (RADIUS) user database supported


SIP Filtering

• IP addresses and/or networks filtering– The unit can be configured to allow SIP traffic from only certain

IP addresses and/or networks

• SIP To and From header filtering– Filters can be applied both on user and domain level.– Filtering on SIP header examples:

• [email protected] can call [email protected] but not the other way around.

• *@spam.org can not call *@ingate.com

• SIP content (MIME type) filtering– Filtering on specific SIP content types e.g. Message (IM), Precense etc– Can only be applied on “overall” level not per user or domain – One application could be to e.g. prevent the use of IM.

• Class 1xx message processing filtering– Select if status messages about the negotiation process will be

forwarded to the client or stay in the server.


DoS Attack Prevention

• Ingate has experience of DoS attacks in normal data firewall environments but we have not yet seen any SIP specific attacks outside our own lab

• Available today– Ability to black list on IP address / Domain– SIP message loop detection– Maximum/guaranteed bandwidth (QoS) settings ensure that VoIP

traffic is maintained in certain scenarios – Ingate architecture ensures that existing media sessions are

unaffected by an overloading attack against the SIP stack– Management access is also isolated from SIP attacks allowing

remedial action to be taken– Blocking of SIP packets on kernel level


Logging

• Extensive SIP logging– All SIP packets can be logged in a readable format in the log– Detailed debug logging to understand Ingate behavior

• Flexible log monitoring– Log information can be stored locally or sent via syslog and

e-mail.• Status monitoring

– SNMP supported– All register users displayed– All active session displayed including session status (state,

used ports and detection of one-way media)• Call data records

– Accounting information can be sent to a RADIUS server according to RFC 2866.


Questions?


About BandTel

• Headquartered in Newport Beach, California, BandTel is a leading worldwide provider of SIP Trunking services. The company is dedicated to ensuring its customers and partners alike have access to the most reliable, end-to-end VoIP service available on the market today.

• Its N-Plus™ network architecture is designed to solve the throughput and redundancy problems on high-capacity SIP-based networks and eliminate any single point of failure.

• BandTel continues to develop strong partnerships with leading carriers and telecommunications companies, including Global Crossing, XO Communications, Level 3, Qwest Communications, Verizon Business, and Primus.


About Ingate

• Formed 2001– Firewall technology from Cendio Systems

• Appliance firewalls since 1994– Capital and SIP technology from Intertex Data AB

• Began SIP development in 1998

• Released the worlds first SIP capable Firewall in 2001

• Located in Stockholm and Linköping, Sweden with a subsidiary, Ingate Systems Inc., based in Hollis, NH.

• Confirmed IP-PBX interoperability:3Com, Asterisk, Avaya, Broadsoft, Cisco Call Manager, Ericsson MX-One, Mitel, Pingtel, SER, Shoretel, Sphere, Swyx, Zultys

• Confirmed carrier interoperability:Bandtel, Broadband.com, Cbeyond, Global Crossing, IP-Only, O1, RNKTel, Tele2, VoEx


For More Information About SIP Trunking

Visit BandTel’s New SIP Trunking Resource Center

www.BandTel.com/siptrunking2.asp

january 23-26, 2007 ft. lauderdale, florida high volume applications sip trunking for the contact...

Documents