2. Acme Packet enterprise SBC solutions control four IP network borders
VoIP & UC security
SIP trunking
SIP & H.323 interoperability
Data center disaster recovery
Remote site survivability
Contact center virtualization
Remote site & worker connectivity via the Internet
Regulatory compliance – recording & privacy
[Diagram: the enterprise (data centers, IP PBX, UC) and its four borders: 1. SIP trunking border, 2. Private network border, 3. Internet border, 4. Hosted services border. Labels: service providers, PSTN, subscribers; IP contact center, audio/video conferencing, IP Centrex, etc.; private network, Internet; H.323, SIP; regional site, remote site, HQ/campus, nomadic/mobile user, teleworker, remote site]
Proprietary and Confidential 2
3. Acme Packet market-leading Net-Net product family
Product types
– Session border controller
– Multiservice security gateway
– Session routing proxy
Net-Net OS
– Security
– Revenue & cost optimization
– SLA assurance
– Regulatory compliance
– Multi-protocol
– Service reach maximization
– High availability
Platforms
– Net-Net OS-E (software-only)
– Net-Net 2600
– Net-Net 3800
– Net-Net 4250, Net-Net 4500 & Net-Net ATCA
– Net-Net 9200
Management
– Net-Net EMS & SAS
4. Net-Net platform capacity comparison

| | Net-Net 2600¹ & Net-Net OS-E² | Net-Net 3800¹ | Net-Net 4250¹ | Net-Net 4500¹ & ATCA blade¹ | Net-Net 9200¹ |
|---|---|---|---|---|---|
| Licensed session capacity range | NN2600: 150 – 4K; NNOS-E: 25 – 500 | 150 – 4K | 250 – 32K | 500 – 32K | 4K – 128K |
| System throughput | 5 Gbps | 5 Gbps | 5 Gbps | 5 Gbps | 5 Gbps or 10 Gbps |
| Network interfaces (# active) | (6) 1 Gbps | (4) 1 Gbps | (2) 1 Gbps | (4) 1 Gbps | (8) 1 Gbps or (2) 10 Gbps |
| IPsec tunnel capacity | n/a | 5K | 120K | 200K | 400K |
| Transcoding session capacity | 400 | Not available | Not available | Not available | 0 – 16,000 |
| Local route table capacity (# of routes) | 1M | 1M | 1M | 2M | 1M or 2M |

Note 1: Capacity can vary by signaling protocol, call flow, codec, configuration, feature usage and SPU and NPU options
Note 2: Capacity of third-party platforms running Net-Net OS-E may vary depending on the server capabilities; standard NNOS-E licensing
is limited to 500 sessions
5. Acme Packet Net-SAFE security framework
SBC DoS/DDoS protection
– Protect against SBC DoS/DDoS attacks & overloads
Access control
– Dynamic, session-aware access control
Topology hiding & privacy
– Complete service infrastructure hiding & user privacy support
– Support for L2 and L3 VPN services, traffic separation and security
Viruses, malware & SPIT mitigation
– Deep packet inspection enables protection against malicious or annoying attachments / traffic
Infrastructure DoS/DDoS prevention
– Prevent DoS/DDoS attack infiltration to service infrastructure & subscribers
Fraud prevention
– Prevent misuse & fraud
– Protect against service theft
Monitoring and reporting
– Record attacks & attackers
– Provide audit trails
[Diagram: Net-SAFE framework elements: SBC DoS protection, access control, topology hiding & privacy, viruses, malware & SPIT mitigation, service infrastructure DoS prevention, fraud prevention]
6. How an enterprise SBC helps with SIP trunk security
Although many service provider SIP trunks are delivered over private IP
networks instead of public IP WANs, security issues can still arise
Most enterprise security officers will apply the “Defense in Depth” model
to the SIP trunk IP flow
– Just as they do for other IP flows like email and web applications
The enterprise SBC acts as the Application Layer Gateway (ALG) for all
SIP signaling and media traffic – similar to ALGs used for other enterprise
IT applications today
– Features include dynamic port control, full SIP firewall, and DDoS protection
Service providers use SBCs to protect their network – shouldn’t enterprises do the same?
[Diagram: “Defense in Depth” security model. Enterprise infrastructure: web traffic, SIP traffic and email traffic, each with its own security proxy. Other labels: MPLS VPN, service provider SIP trunking infrastructure, PSTN]
7. SBC DoS/DDoS protection
Dynamic trust management
– Success based trust model protects resources
– Adjust resources based on real-time events
Proactive threat mitigation
– Drop malformed sessions
– Block known malicious traffic sources
– Identify automated calling and reject based on defined policies
[Diagram labels: hosted services/ASP, other IP subscribers, IP contact center, PSTN, service providers; headquarters (UC, CC, IPT); MPLS VPN (H.323, SIP), Internet (SIP); RO, BO, SOHO, mobile user, nomadic user; spammers, zombie PCs]
8. SBCs eliminate communications barriers
Session control
– Unify dial plans - DNS, ENUM, LDAP, Local Route Tables (LRT)
– Route sessions – policies based on ToD/DoW, cost, media, etc.
NAT traversal (adaptive, STUN)
– Cross NAT/FW borders
– Define trusted users/devices
– Contain unidentified/untrusted users/devices
Protocol interworking/correction
– Interwork signaling, transport & encryption protocols
– Correct protocol variations – malformed/non-compliant headers
– Transcode between codecs
– Adapt IMS for enterprise
[Diagram labels: hosted services/ASP, other IP subscribers, IP contact center, PSTN, service providers; headquarters (UC, CC, IPT); MPLS VPN (H.323, SIP), Internet (SIP); regional office (RO), branch office (BO), SOHO, mobile user, nomadic user]
9. How SBC helps with SIP trunking interoperability
PBXs are not always able to connect directly to carrier SIP trunks due to
differences in SIP implementations or when H.323 is the only available IP
interface
Acme Packet solves this problem by providing:
– Complete SIP header manipulation rule (HMR) capabilities to interwork
different SIP dialects between PBX and carrier SIP trunking elements
– Full H.323 – SIP interworking
– Media transcoding & DTMF format (INFO / 2833) interworking
– Signaling transport (UDP / TCP / TLS) and media encryption (RTP/SRTP)
interworking
These capabilities enable virtually any SIP or H.323 capable PBX or UC
platform to talk to any carrier SIP trunk service
– Proven interoperability with all of the major PBX and UC vendors & SIP trunk
carriers
[Diagram labels: enterprise telephony infrastructure, OCS 2007; SIP or H.323; MPLS VPN; service provider SIP trunking infrastructure; PSTN]
10. How an enterprise SBC helps with SIP trunk troubleshooting
A challenge for many enterprise telephony managers is how to apply
traditional TDM troubleshooting methods to SIP trunks
The enterprise SBC helps by providing an embedded probe that allows
you to monitor all SIP & H.323 signaling and media traffic
– Provides full signaling traces, ladder diagrams, and media statistics
– Information is automatically collected and can be retrieved via EMS and can be
sorted based on calling or called party number, SIP call ID, time-of-call, etc.
– An embedded call recording utility is also provided
– EMS allows partitioned access to control who can view what information
[Screenshot callouts]
Call Diagram = Ladder Diagram & Detailed Message Trace
Statistics = Media Quality Stats with MOS, packet loss, etc.
Play = Bi-directional Media Recording Capability (on-platform Session Replication for Recording (SRR))