
Avaya Session Border Controller for Enterprise (ASBCE) Overview

What is a Session Border Controller?

Session = a real-time, interactive communication session
Border = an IP-to-IP network border

An SBC sits on three kinds of border:
1. SIP trunking border: SIP trunks to service providers (to the PSTN), intra- and extra-enterprise traffic, and federated partners
2. Hosted services border: contact center, audio/video conferencing, emergency services, etc., delivered from redundant data centers (CC, UC, ASM)
3. Internet border: HQ/campus, regional and remote sites on the private network (SIP and H.323), plus nomadic/mobile users and teleworkers reaching in over the Internet (SIP)

At each border the SBC provides control, security and SLA assurance, and regulatory compliance.

2012 Avaya Inc. All rights reserved.

Where Avaya Aura SBC fits in the Avaya Aura architecture

(Diagram: the SBC sits between the Avaya Aura core and the Service Provider Network.)
- Solution layers: Unified Communications and Collaboration Solutions; Contact Center and Interaction Solutions
- Core elements: Communication Manager, Session Manager, System Manager, Application Enablement, Presence Services, Performance Analytics
- Endpoints: Deskphones, Clients, Video Endpoints

Why use an SBC?

Security
- Enforces the customer's unique security policies
- A SIP trunk provider's own SBC (for a private SIP trunk service) focuses on the provider's security concerns, not the enterprise's
- Complete network topology hiding
- Interoperability problems between multivendor solutions will occur, and the enterprise needs its own point of control to resolve them

Flexibility
- Provides a layer of independence from the service provider: the enterprise can make changes quickly instead of negotiating with or relying on the service provider when needs change
- Normalization point for signaling and RTP media streams
- Allows multiple SIP trunk provider access points
- Supports enterprise-specific call flows that may not be directly supported by the SIP trunk provider

Accountability
- Per-call status, QoS and SLA monitoring
- Reporting on intrusion attempts
- Session recording

How are SBCs different from firewalls?

Traditional firewalls cannot:
- Prevent SIP-specific overload conditions and malicious attacks
- Open and close RTP media ports in sync with SIP signaling
- Track session state and provide uninterrupted service
- Perform interworking or security on encrypted sessions
- Scale to handle thousands of real-time sessions
- Provide carrier-class availability
- Solve multi-vendor SIP interoperability problems

InfoSec best practice is a defense-in-depth model with application-level security proxies in front of email and web applications. This means firewalls alone are not sufficient, and the same model applies to IP telephony, UC and CC applications.

Avaya Aura SBC Key Features

(Diagram: SP - SBC - SM - CM)

Reliability and Scale
- Active/standby redundancy
- Scales up to 5000 sessions
- Redundant SIP connectivity to service providers and to Session Manager / Communication Manager is possible

Applications
- SIP trunking to PSTN providers
- SIP trunking to hosted service providers (e.g. conferencing, contact center)
- SIP trunking to federated businesses
- Remote worker via the Internet

Security
- Acme Packet's proven SBC security framework for DoS/DDoS protection
- TLS and SRTP encryption

Service Provider Interoperability
- Flexible controls to solve interop problems
- Proven configuration templates
- Tested with SPs through DevConnect

Evolution
- Deployable on Avaya Aura System Platform
- Easily add an SBC to existing installations
- Flexible feature set for new applications

Avaya Session Border Controller for Enterprise: Deployment Models

SIP Trunking
- Enforce the security policies of the enterprise while solving demarcation issues

Remote Worker
- Mobile workspace security, secure distributed call centers, remote workers, teleworkers
- Confidently extend UC to mobile workspaces across any network
- Secure VPN-less access

Core Security
- Securely add various UC applications and devices (voice, video, IM) across the corporate network

Compliance
- Secured media replication/forking for archiving and logging

Secure Remote Worker with BYOD

(Diagram: the Avaya Aura core (Session Manager, System Manager, Communication Manager, Avaya Aura Conferencing, Aura Messaging, Presence Server) sits behind the Avaya SBCE; VPN-less remote workers reach it across an untrusted network such as the Internet or wireless.)

- Personal PC, Mac or iPad devices
- Avaya Flare and Avaya one-X SIP client apps
- The app is secured into the organization, not the device
- One-number UC anywhere

Remote Worker: VPN vs VPN-less Endpoints

Bandwidth
- VPN endpoint: VPN headers add size to every packet; in aggregate this reduces usable bandwidth.
- VPN-less endpoint: TLS/SRTP encrypts the traffic with a smaller bandwidth footprint than a VPN.

Validation
- VPN endpoint: encrypts traffic, yet does not validate it (encrypting and distributing a virus isn't helpful).
- VPN-less endpoint: signaling and media are decrypted at the SBC and inspected at Layer 7 to validate the traffic before it is allowed through.

Voice quality and control
- VPN endpoint: no ability at the VPN head-end to distinguish voice from data traffic, so voice quality ultimately suffers; cumbersome user experience for real-time communication applications.
- VPN-less endpoint: numerous policies give the enterprise control of endpoints; consistent user experience for applications.

Avaya SBC for Enterprise

- 1 software base: Avaya Aura SBC for Enterprise
- 3 HW platforms: Dell and HP for Enterprise; Portwell CAD-0208 for IP Office
- 2 use cases: SIP Trunking and Remote Worker

(Diagram: the same Avaya SBC for Enterprise fronting SIP trunking for Avaya Aura, IP Office and CS1000 cores.)

What's a DMZ?

A DMZ is used to provide a controlled separation at the edge of the enterprise network.
Our SBC can sit parallel to the firewall or in the DMZ. Acme claims that firewalls destroy voice quality and that their SBCs are so secure they don't need one.
The security standard is to use a DMZ for enterprise application access. Security is about layers of protection.

(Diagram: Carrier SIP trunks cross the Internet to the Avaya SBCE, which sits in a DMZ between an external and an internal firewall, with the CS1000 on the enterprise side.)

Avaya SBCE: SIP Trunking Architecture

Use Case: SIP Trunking to Carrier
- Carriers offer SIP trunks as a lower-cost alternative to TDM
- Heavy driver for enterprise adoption of SBCs
- Supports Aura, IPO and CS1K
- From a SECURITY standpoint, it is recommended that the SBCE be placed in the DMZ

(Diagram: Carrier SIP trunks - Internet - external firewall - Avaya SBCE in the DMZ - internal firewall - Enterprise with CS1000.)

- Carrier SIP trunks terminate on the Avaya Session Border Controller for Enterprise
- The Avaya SBCE is located in a DMZ behind the enterprise firewall
- Services: security and demarcation device between the IP-PBX and the carrier; NAT traversal; securely anchors signaling and media; can normalize the SIP protocol

Avaya SBCE: Remote Worker Architecture

Use Case: Remote Worker
- Extend UC to SIP users remote to the enterprise
- A solution that does not require a VPN for UC/CC SIP endpoints
- From a SECURITY standpoint, it is recommended that the SBCE be placed in the DMZ

(Diagram: Remote Workers - Internet - external firewall - Avaya SBCE in the DMZ - internal firewall - Enterprise.)

Remote workers are external to the enterprise firewall. The Avaya Session Border Controller for Enterprise:
- Authenticates SIP-based users/clients to the enterprise
- Securely proxies registrations and client device provisioning
- Securely manages communications without requiring a VPN
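
The authentication step above is a SIP digest exchange (RFC 3261 section 22) that the SBCE proxies between the remote client and the core registrar. The following is an added example, not Avaya code or the SBCE's implementation: it runs the REGISTER / 401 challenge / authenticated REGISTER round trip with both sides' messages, so the password never crosses the wire, and it enforces single-use, time-limited nonces so a captured Authorization header cannot be replayed. The realm, user, password and nonce lifetime are constructed for the example; a production registrar stores HA1 rather than cleartext passwords, and the exchange should ride on TLS as the deck recommends.

```python
"""SIP digest registration exchange, as proxied by an SBC for a remote worker."""
import hashlib
import hmac
import re
import secrets


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def parse_auth_params(header: str) -> dict:
    """Parse 'Digest k1="v1", k2=v2, ...' (WWW-Authenticate or Authorization) into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', header)}


def client_authorization(username, password, realm, nonce, method, uri) -> str:
    """What the SIP client sends after a 401: response = MD5(HA1:nonce:HA2)."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    response = md5hex(f"{ha1}:{nonce}:{ha2}")
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}", algorithm=MD5')


class Registrar:
    """Registrar side of the exchange (the core behind the SBC)."""

    def __init__(self, realm: str, credentials: dict, nonce_ttl_s: float = 60.0):
        self.realm = realm
        self.credentials = credentials  # username -> password (constructed; store HA1 in practice)
        self.nonce_ttl_s = nonce_ttl_s
        self.nonces = {}  # nonce -> issue time; an entry is removed on first use

    def challenge(self, now: float) -> tuple:
        """Answer an unauthenticated REGISTER with 401 and a fresh random nonce."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = now
        return 401, f'Digest realm="{self.realm}", nonce="{nonce}", algorithm=MD5'

    def verify(self, authorization: str, method: str, now: float) -> int:
        """Return 200 (registered), 401 (re-challenge) or 403 (bad credentials)."""
        p = parse_auth_params(authorization)
        issued = self.nonces.pop(p.get("nonce", ""), None)  # pop: a nonce is single-use
        if issued is None or now - issued > self.nonce_ttl_s or p.get("realm") != self.realm:
            return 401  # unknown, replayed or stale nonce: challenge again
        password = self.credentials.get(p.get("username", ""))
        if password is None:
            return 403
        ha1 = md5hex(f'{p["username"]}:{self.realm}:{password}')
        ha2 = md5hex(f'{method}:{p.get("uri", "")}')
        expected = md5hex(f'{ha1}:{p["nonce"]}:{ha2}')
        # constant-time compare so a wrong response leaks no timing information
        return 200 if hmac.compare_digest(expected, p.get("response", "")) else 403


def register(registrar: Registrar, username: str, password: str, now: float) -> tuple:
    """Run the full exchange; return (challenge status, final status, Authorization header)."""
    uri = f"sip:{registrar.realm}"
    status, www_authenticate = registrar.challenge(now)
    nonce = parse_auth_params(www_authenticate)["nonce"]
    authorization = client_authorization(username, password, registrar.realm, nonce, "REGISTER", uri)
    return status, registrar.verify(authorization, "REGISTER", now + 0.05), authorization


if __name__ == "__main__":
    reg = Registrar("enterprise.example.com", {"2001": "correct horse"})
    first, final, auth = register(reg, "2001", "correct horse", now=1000.0)
    print("challenge:", first, "final:", final)
    print("replay of the same header:", reg.verify(auth, "REGISTER", 1000.1))
```

The client and the registrar compute the same MD5 chain; what the remote side of the SBC sees is only the nonce and the resulting hash, which is why the registration can be proxied across the untrusted network without exposing credentials.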

Carrier SBCs

(Diagram: SP Network with Carrier SBCs at its edge; Enterprise Network with FW, Intranet and IP PBX.)

- Historically designed to sit at the SP's edge to protect the carrier
- Complex-to-use command-line devices
- Provide a distinct separation between networks while providing a means of transporting signaling and media
- Perform topology hiding for the SP
- Track calls (CDR) for billing
- Act as a Network Address Translator (NAT) for the SP
- Provide admission control to limit calls from the customer (and ensure the SLA)
- Protocol interworking for H.323 and SIP

Enterprise SBC

(Diagram: mobile users and telecommuters (Remote Worker, SRTP/RTP) and SIP Trunking arrive over the Internet at the Avaya SBCE, which sits in the DMZ between the external FW/NAT and the internal FW; Intranet and IP PBX on the Enterprise Network.)

Avaya SBCE

Encryption
- TLS proxy
- SRTP proxy

Enablement
- FW / NAT traversal
- Call admission control
- Signaling and media firewall

Security
- Flood and fuzzing prevention
- Spoofing prevention (fingerprint verification)
- Media anomaly prevention
- Stealth attack prevention
- Toll fraud prevention
- Anti-spam
- Whitelist/blacklist
- Behavior learning

NAT Traversal

(Diagram: IP PBX - Enterprise - SBC external IP address 192.168.45.4 - FW IP address 96.54.23.10 - Internet or provider network.)

At a basic level, think of it this way: if the SBC sends an INVITE message to the carrier, can the carrier reply and reach IP address 192.168.45.4? No.
The SBC facilitates NAT traversal by making sure all signaling messages carry a REACHABLE return address. In this example, the INVITE would carry a source address of 96.54.23.10.
When a reply is sent it reaches the firewall, which forwards it to the SBC's external IP address.
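
The following added example (not Avaya code, and not how the SBCE is implemented internally) makes the two points above concrete: the NAT fix-up that replaces every unreachable return address in an INVITE with the firewall's public address, and the SDP-driven RTP/RTCP pinholes that a plain firewall cannot open and close in sync with signaling (the "firewalls cannot" list earlier). The addresses are the slide's, assuming the firewall does a static 1:1 NAT from 96.54.23.10 to 192.168.45.4 that preserves ports; the INVITE itself and the inner Session Manager hop 10.1.1.20 are constructed. Return addresses live in Via, Contact, Call-ID and the SDP o= and c= lines; the example also collapses the inner Via hops into one, which is the topology hiding the deck mentions.

```python
"""Toy SBC NAT fix-up for a SIP INVITE, plus derivation of media pinholes."""
import re

PRIVATE_IP = "192.168.45.4"  # SBC external interface: RFC 1918, unreachable from the carrier
PUBLIC_IP = "96.54.23.10"    # firewall's public address that the carrier can reply to

# Constructed sample INVITE as the SBC would emit it before fix-up.
SAMPLE_INVITE = (
    "INVITE sip:+15551234567@carrier.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.45.4:5060;branch=z9hG4bK776asdhds\r\n"
    "Via: SIP/2.0/TCP 10.1.1.20:5061;branch=z9hG4bKnashds8\r\n"  # inner hop (constructed)
    "From: <sip:2001@enterprise.example.com>;tag=1928301774\r\n"
    "To: <sip:+15551234567@carrier.example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.168.45.4\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:2001@192.168.45.4:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"  # placeholder, recomputed by build_message()
    "\r\n"
    "v=0\r\n"
    "o=- 2890844526 2890844526 IN IP4 192.168.45.4\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.45.4\r\n"
    "t=0 0\r\n"
    "m=audio 20000 RTP/AVP 0 8 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "m=video 20002 RTP/AVP 96\r\n"
    "m=text 0 RTP/AVP 98\r\n"  # port 0 = stream rejected, so no pinhole
)


def split_message(raw: str):
    """Return (start line, header lines, body) of a SIP message."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body


def build_message(start_line: str, headers: list, body: str) -> str:
    """Reassemble a SIP message with a correct Content-Length."""
    headers = [h for h in headers if not h.lower().startswith("content-length:")]
    headers.append(f"Content-Length: {len(body.encode())}")
    return start_line + "\r\n" + "\r\n".join(headers) + "\r\n\r\n" + body


def nat_fixup(raw: str, private_ip: str, public_ip: str) -> str:
    """Rewrite every return address so the carrier can reach it, and hide internal hops.

    Via: all inner hops collapse into one Via owned by the SBC (topology hiding);
         the outermost branch is kept so the carrier's responses match the transaction.
    Contact / Call-ID / Record-Route: private address replaced by the public one.
    SDP o= and c=: media address replaced, so the carrier's RTP reaches the NAT.
    """
    start, headers, body = split_message(raw)
    out, via_emitted = [], False
    for h in headers:
        name, _, value = h.partition(":")
        lname = name.strip().lower()
        if lname == "via":
            if not via_emitted:
                m = re.search(r";branch=([^;\s]+)", value)
                branch = m.group(1) if m else "z9hG4bKsbc"
                out.append(f"Via: SIP/2.0/UDP {public_ip}:5060;branch={branch}")
                via_emitted = True
            continue  # inner Via hops are dropped: they leak enterprise topology
        if lname in ("contact", "call-id", "record-route"):
            h = h.replace(private_ip, public_ip)
        out.append(h)
    sdp = [ln.replace(private_ip, public_ip) if ln.startswith(("o=", "c=")) else ln
           for ln in body.split("\r\n")]
    return build_message(start, out, "\r\n".join(sdp))


def media_pinholes(sdp: str) -> list:
    """List (media, rtp_port, rtcp_port) the SBC must open for this call from the m= lines.

    The ports live in the SDP body, change per call, and must close on BYE, which is
    why a stateless firewall cannot manage them. Port 0 means the stream is rejected.
    RTCP is assumed to be RTP+1 (RFC 3550 default; an a=rtcp attribute could override it).
    """
    holes = []
    for line in sdp.split("\r\n"):
        if line.startswith("m="):
            media, port, *_ = line[2:].split()
            if int(port) != 0:
                holes.append((media, int(port), int(port) + 1))
    return holes


if __name__ == "__main__":
    fixed = nat_fixup(SAMPLE_INVITE, PRIVATE_IP, PUBLIC_IP)
    print(fixed)
    print("pinholes to open:", media_pinholes(split_message(fixed)[2]))
```

After fix-up the carrier sees a single Via, Contact and SDP address of 96.54.23.10 and nothing about 192.168.45.4 or the Session Manager behind it; the pinhole list (audio 20000/20001, video 20002/20003) is what the SBC opens when the call is answered and closes when it ends.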

Avaya Session Border Controller for Enterprise 6.2 - a new but already proven solution

ASBCE 6.2 further enhances the Sipera E-SBC with:
- Substantial interoperability testing and improvements in Avaya UC environments, especially for VPN-less remote worker
- Testing against all Avaya UC platforms: Avaya Aura, IP Office, CS 1000
- A new hardware platform targeted at SMEs
- A new product structure: separate ordering of hardware and software; fully supported in Support Advantage (enterprise) and IPOSS (IP Office)
- Full integration into Avaya processes and tools: ordering and logistics, services access, available in ASD and EC (spring 2013)
- A migration path for existing Avaya Aura SBC customers

Call Servers

For SIP Trunking, an accepted architecture is:
- Call Server + SBC
- Call Server + SM + SBC

A valid call server is:
- CS1K 7.5 and later
- CM 5.2.1 and later
- IPO 8.x and later

Session Manager is NOT required for SIP Trunking; where it is used, SM must be 6.x.

Carriers Tested as of November 10th, 2013

Alestra
AT&T
AT&T Puerto Rico
Belgacom
Bell Canada
Broad-Connect
Broadview
BT Global Services
BT HIPCOM
BT Italia
BT Wholesale
Cable & Wireless
CenturyLink
Colt
Etisalat
Fastweb SPA
Frontier
Gamma
IntelePeer
KPN
Level 3
MTS Allstream
PAETEC
Phonect
QSC
Sprint
Swisscom
Tele2
Telefonica del Peru
Telenor
TeliaSonera
TELUS
T-Mobile NL
UPC
Vamoin1/KPN
Verizon Business
Virgin Media
Vodafone DE
Vodafone NL
VoicePulse
Windstream
Worldnet P. Rico
XO

Find App Notes here: https://devconnect.avaya.com/public/dyn/d_dyn.jsp?fn=103

ASBCE 6.2 System Capacity

- Session Border Controller capacities are rated in simultaneous sessions.
- A simultaneous session = a communication session between 2 SIP endpoints; think of it as analogous to a DS0 in the TDM world.
- The key for engineering is to understand the number of sessions required in the solution.
- For secure SIP trunking, look at the number of TDM DS0s required.
- For Remote Worker, calculate the required call volumes.

Rules of Thumb
- SIP trunking: usually 5 users per simultaneous session
- Must account for higher ratio in small
- Remote Worker must consider both on-net and off-net requirements
- Remember, in Dell configs, encryption services impact capacity

Hardware Redundancy Options

SME Offer (Portwell CAD-0208)
- High Availability is not available

Enterprise Offer (Dell R210-II)
- High Availability is an option
- Comes with a third server for the EMS
- Geo-redundancy over a Layer 2 link with less than 150 ms latency
- Active-standby mode

The EMS is on board for all single-server implementations.
The management IP must be on a separate subnet.

ASBCE 6.2 Simple 1,2,3 Product Construct

One software product: broadly scalable SIP/UC security
- EMS + Core

Two licensed feature groups
- Standard Services: per-session license; secure SIP trunking
- Advanced Services: per-session license; Remote Worker, media replication, encryption

Three hardware configurations
- Portwell CAD-0208 (EMS + Core): Single Availability (SA)
- Dell: Single Availability (SA)
- Dell: High Availability (HA)

Hardware platforms (Dell and Portwell) for cost-effective scaling

Avaya SBCE - Solution Highlights - Licensed Feature Groups

Standard Services (Secure SIP Trunking)
- Broadly scalable based on platform
- High availability solutions with stateful failover
- EMS: well-constructed craft interfaces for simplicity of implementation and administration
- Deep Packet Inspection (SIP and media)
- DoS/DDoS protection (flood, resource hang/open transaction, crash/fuzz)
- ACL / white and black listing
- SIP normalization: SIP Trunk Integration Module (STIM)
- Call Admission Control
- Quality of Service marking and tracking
- DTMF manipulation
- NAT
- RFC 5853 compliant

Advanced Services
- Advanced UC security: toll fraud, call walking, etc.
- Remote Worker: validate and securely support remote/mobile users for extension of Avaya Aura UC services; VPN-less; supports both near-end and far-end NAT
- Encryption services: SIP over TLS, TCP and UDP; SRTP and RTP
- Media replication: ability to fork media to a recording device
- UCID and SIPREC in a future release
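
The DoS/DDoS and ACL items in this feature list, and the "flood and fuzzing prevention", "whitelist/blacklist" and "toll fraud prevention" items on the Enterprise SBC slide earlier, all come down to per-source policy applied before a request reaches the core. The following added example (not Avaya code and not the SBCE's implementation) shows the shape of such a guard run over constructed traffic: a sliding-window request counter per source address, a separate counter of requests the core rejected with 401/403/407 (password guessing and toll-fraud probing are slow, so they never trip a flood threshold), an allowlist for the carrier's signaling addresses so a legitimate trunk burst is never throttled, and a denylist for known-bad sources. The log format, thresholds and all IP addresses are constructed for the example.

```python
"""Per-source SIP flood / credential-guessing guard with allow and deny lists."""
import re
from collections import defaultdict, deque

# Constructed log format: "<epoch seconds> src=<ip> <METHOD> [status=<final response from the core>]"
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) src=(?P<src>[\d.]+) (?P<method>[A-Z]+)(?: status=(?P<status>\d{3}))?$"
)


def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    status = int(m["status"]) if m["status"] else None
    return float(m["ts"]), m["src"], m["method"], status


class SipGuard:
    """Sliding-window request and auth-failure counters keyed by source address."""

    def __init__(self, window_s=1.0, max_requests=20, max_auth_failures=5,
                 allowlist=(), denylist=()):
        self.window_s = window_s
        self.max_requests = max_requests            # any method: OPTIONS/REGISTER scans, INVITE floods
        self.max_auth_failures = max_auth_failures  # 401/403/407 answers: guessing, toll-fraud probing
        self.allowlist = frozenset(allowlist)       # e.g. the carrier's signaling addresses
        self.denylist = frozenset(denylist)
        self.requests = defaultdict(deque)
        self.auth_failures = defaultdict(deque)
        self.blocked = {}  # src -> reason, set once a threshold is crossed

    def _bump(self, dq: deque, ts: float) -> int:
        """Record one event and return how many fall inside the trailing window."""
        dq.append(ts)
        while dq and ts - dq[0] >= self.window_s:
            dq.popleft()
        return len(dq)

    def inspect(self, ts: float, src: str, method: str, status=None) -> str:
        """Return 'allow' or 'deny:<reason>' for one observed request."""
        if src in self.allowlist:
            return "allow"
        if src in self.denylist:
            return "deny:denylist"
        if src in self.blocked:
            return "deny:" + self.blocked[src]
        if self._bump(self.requests[src], ts) > self.max_requests:
            self.blocked[src] = "flood"
            return "deny:flood"
        if status in (401, 403, 407) and \
                self._bump(self.auth_failures[src], ts) > self.max_auth_failures:
            self.blocked[src] = "auth-failures"
            return "deny:auth-failures"
        return "allow"


def run_guard(lines, guard: SipGuard) -> dict:
    """Feed log lines in time order; return per-source allow/deny counts and block reason."""
    summary = defaultdict(lambda: {"allow": 0, "deny": 0, "reason": None})
    for ts, src, method, status in sorted(map(parse_line, lines), key=lambda e: e[0]):
        verdict = guard.inspect(ts, src, method, status)
        if verdict == "allow":
            summary[src]["allow"] += 1
        else:
            summary[src]["deny"] += 1
            summary[src]["reason"] = verdict.split(":", 1)[1]
    return dict(summary)


# Constructed traffic: one teleworker, the carrier trunk, and three hostile sources.
SAMPLE_LOG = (
    [f"{1000 + 30 * i:.3f} src=198.51.100.20 REGISTER status=200" for i in range(4)]  # teleworker re-registering
    + [f"{1000 + 0.02 * i:.3f} src=192.0.2.10 INVITE status=100" for i in range(40)]    # carrier burst (allowlisted)
    + [f"{1001 + 0.01 * i:.3f} src=203.0.113.7 OPTIONS" for i in range(50)]             # OPTIONS scan flood
    + [f"{1002 + 0.1 * i:.3f} src=203.0.113.9 REGISTER status=403" for i in range(8)]   # slow password guessing
    + ["1003.000 src=203.0.113.99 INVITE"]                                                # known-bad source
)

DEFAULT_POLICY = dict(window_s=1.0, max_requests=20, max_auth_failures=5,
                      allowlist={"192.0.2.10"}, denylist={"203.0.113.99"})

if __name__ == "__main__":
    for src, r in run_guard(SAMPLE_LOG, SipGuard(**DEFAULT_POLICY)).items():
        print(f"{src:15} allow={r['allow']:3} deny={r['deny']:3} reason={r['reason']}")
```

Two design points worth noting: the flood check is evaluated before the auth-failure check, so a fast REGISTER flood is classified as a flood even when every request is answered 401, while the slow guesser is caught by the second counter alone; and the allowlist is checked first, because rate-limiting the carrier's own trunk during a legitimate call surge would be a self-inflicted outage.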

Solution Design Questions to Ask: SIP Trunking

- Number of concurrent sessions required?
- What's at the core (Aura, IPO, CS1K)?
- Who is the service provider?
- What other elements are in the enterprise core?
- Is HA required?

SBCE Hardware
- SME offer (Portwell CAD-0208): 500 sessions, no HA
- Enterprise offer (Dell R210-II XL): 5000 sessions, HA is available

Solution Design Questions to Ask: Remote Worker

- Number of remote workers?
- What are the remote SIP applications (endpoints)?
- Is encryption required?
- What is at the core (Aura, CS1K, IPO)?

SBCE Hardware
- SME offer (Portwell CAD-0208): 250 encrypted sessions, no HA
- Enterprise offer (Dell R210-II XL): 1000 encrypted sessions, HA is available