Mobility: Connecting Remote Workers TeliaSonera SIP Trunking Deployment

© 2011 Intertex Data AB

Prepared for: Ingate Systems 3 Day Seminar, Unified Communications: SIP Trunking, Video, Collaboration and More, ITEXPO Conference, Austin, September 2011

By: Karl Erik Ståhl, President, Intertex Data AB; CEO and Chairman, Ingate Systems AB; [email protected]

Also see Live Demo Presentation from ITEXPO SIP Trunking Summit Miami, February 2011! http://www.ingate.com/files/ITEXPO_Miami_2011_Presentations/Intertex%20-%20UC%20Across%20the%20Borders.pps


What are Mobility and Remote Users?

We certainly want our home workers connected to the company PBX

And the same goes for our road warriors
- at the hotel
- at public WiFi

All should have all PBX services
- Reached by extension number or DID
- Place PSTN calls (displaying correct CallerID)
- Voice mail, conferencing etc.
- Presence, IM, video if supported by the PBX

Call me on my Swedish office number +46 8 12345629 now!

2 slides from Live Demo Presentation from ITEXPO SIP Trunking Summit Miami, February 2011! http://www.ingate.com/files/ITEXPO_Miami_2011_Presentations/Intertex%20-%20UC%20Across%20the%20Borders.pps


[Diagram: live demo network. Labels: Ingate LAN (ingate.com); Internet; US, Miami: this LAN, SIP Trunk-UC Summit; cell; PSTN; Intertex LAN (intertex.se), Sweden; 3G; SIP Trunk Providers 1 and 2, each with a SIP/PSTN gateway to the PSTN; Japan.]


We Saw Mobility and Beyond POTS

Ordinary phone calls reach my laptop across the Ocean!

I can use extension number as connected to the home PBX

And I see presence and can put calls into conference…

I can also:
- Call Sophie in another domain (federate)
- … even with video
- … even though she is also remote from the Ingate office (actually, she is in the room)
- … with media going the shortest way (here on the LAN) while signaling goes back to Sweden!


We Saw Mobility and Beyond POTS

All other PBX functionality also works remotely, e.g. IM (Instant Messaging)


But Why are NATs and Firewalls Such Obstacles?

Typical Internet protocol (SMTP, HTTP…): Host – Internet – Server

SIP (and H.323…) connects person-to-person: Person – Internet – Person

Locate the person + set up a session + open real-time media streams


SIP Does It! – But a Very General Solution is Required

[Diagram: PSTN, gateway and SIP system at the SIP Trunking Provider; public Internet; Intertex IX78 E-SBC in front of the data & VoIP LAN with IP-PBX, soft clients and multimedia terminals; a remote user; DNS for intertex.se.]

Intertex IX78 E-SBC: The SIP Proxy in the E-SBC forwards and rewrites the SIP signaling and controls media through its NAT/Firewall.


And there May be More to Consider (Telia Network)…

IX78 E-SBC is a SIP Proxy based Firewall Controlling SIP Signaling and Media

[Diagram: Telia network. Labels: TR-069, Internet, IP-TV, VoD, IMS, VoIP, carried over VLANs or ADSL virtual circuits; the multimedia LAN with WiFi, PDA and IP-PBX; SIP trunk; remote user behind a NAT/FW.]

SIP on different WAN pipes must be handled.

The remote user is often behind a remote NAT/FW – SIP traversal needed. Far End NAT Traversal (FENT) can be enabled in the IX78 E-SBC.


Remote Users Require More Security Measures

Remote users to the PBX can be authenticated by the IX78 (also)

Brute Force Attack Protection

Attackers are nowadays trying to find simple passwords by brute force testing. 10 – 100 trials/second have been seen (e.g. SIPVicious / friendly-scanner). After 3 trials we pretend all attempts are wrong, so the correct one is never found.
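The "pretend all attempts are wrong" behaviour can be sketched as follows. This is an added example, not Intertex code: it assumes SIP digest authentication without qop, counts failures per source IP with no expiry, and the names `BruteForceGuard` and `demo`, the credentials and the addresses are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

MAX_FAILURES = 3  # from the slide: after 3 failed trials, reject everything


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """Digest response without qop (RFC 2617), as used for SIP authentication."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class BruteForceGuard:
    """Assumption: failures are counted per source IP and never expire."""

    def __init__(self, credentials, realm):
        self.credentials = credentials  # user -> password (constructed sample)
        self.realm = realm
        self.failures = Counter()

    def check(self, src_ip, user, method, uri, nonce, response):
        password = self.credentials.get(user, "")
        expected = digest_response(user, self.realm, password, method, uri, nonce)
        genuine = user in self.credentials and hmac.compare_digest(expected, response)
        if self.failures[src_ip] >= MAX_FAILURES:
            return False  # same rejection even when the password is right
        if not genuine:
            self.failures[src_ip] += 1
        return genuine


def demo():
    """Constructed scenario: one guessing source, one legitimate phone."""
    realm, uri, nonce = "pbx.example", "sip:pbx.example", "constructed-nonce"
    guard = BruteForceGuard({"1001": "correct-horse"}, realm)
    results = []
    for guess in ["1234", "1001", "password", "correct-horse"]:
        resp = digest_response("1001", realm, guess, "REGISTER", uri, nonce)
        results.append(guard.check("198.51.100.7", "1001", "REGISTER", uri, nonce, resp))
    resp = digest_response("1001", realm, "correct-horse", "REGISTER", uri, nonce)
    results.append(guard.check("203.0.113.20", "1001", "REGISTER", uri, nonce, resp))
    return results
```

The fourth attempt carries the correct password but is answered like the wrong ones, so the guessing source cannot tell it succeeded, while the phone at the other address registers normally.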


…in Addition to e.g. Preventing SIP DoS Attack

Signature Recognition:

If the internal SIP proxy detects known signatures in SIP headers from attackers, it instructs the internal firewall to block the attacking IP address. New signatures can be added manually or provisioned automatically.

SIP Rate Limiting:

If there are more than 20 SIP packets/second from the same IP address, the internal firewall blocks that IP address for 20 seconds and does not respond to that IP address until the SIP packet rate is below 3 packets/second.
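The rate-limiting rule above, replayed over a constructed packet trace. This is an added example, not the IX78 implementation: it assumes the rate is counted over a sliding one-second window, that packets dropped during a block still count toward the rate, and that release requires both the 20-second timer and a rate below 3 packets/second. The class name, trace and addresses are constructed.

```python
from collections import defaultdict, deque

BLOCK_THRESHOLD = 20  # packets/s that trigger a block (from the slide)
BLOCK_MS = 20_000     # block duration, 20 s (from the slide)
RELEASE_RATE = 3      # packets/s the source must fall below (from the slide)
WINDOW_MS = 1_000     # assumption: rate counted over a sliding 1 s window


class SipRateLimiter:
    """Per-source limiter; timestamps are integer milliseconds."""

    def __init__(self):
        self.recent = defaultdict(deque)  # source IP -> arrival times in window
        self.blocked_until = {}           # source IP -> earliest release time

    def allow(self, ip, now_ms):
        """Return True if this SIP packet should be passed to the proxy."""
        q = self.recent[ip]
        q.append(now_ms)  # dropped packets still count toward the rate
        while now_ms - q[0] >= WINDOW_MS:
            q.popleft()
        rate = len(q)
        if ip in self.blocked_until:
            # Release needs both: timer expired and the sender has slowed down.
            if now_ms >= self.blocked_until[ip] and rate < RELEASE_RATE:
                del self.blocked_until[ip]
                return True
            return False
        if rate > BLOCK_THRESHOLD:
            self.blocked_until[ip] = now_ms + BLOCK_MS
            return False
        return True


def constructed_trace():
    """Constructed input: one flooding source and one normal phone."""
    flood = "198.51.100.7"  # documentation-range addresses, not real hosts
    phone = "203.0.113.20"
    events = [(t, flood) for t in range(0, 2_000, 20)]            # 50 packets/s
    events += [(t, flood) for t in range(2_000, 30_000, 200)]     # 5 packets/s
    events += [(t, flood) for t in range(30_000, 35_000, 1_000)]  # 1 packet/s
    events += [(t, phone) for t in range(0, 35_000, 10_000)]
    return sorted(events)


def run(events):
    """Replay (time_ms, ip) events; return the events that were passed."""
    limiter = SipRateLimiter()
    return [(t, ip) for t, ip in events if limiter.allow(ip, t)]
```

In this trace the flooding source is cut off at its 21st packet and, because it keeps sending 5 packets/second, stays blocked well past the 20-second timer until its rate finally drops to 1 packet/second.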


Different Types of PBXs are SIP Trunked

PBX Type 1.5 (Data LAN only): PBX with system phones.

PBX Type 2 (VoIP & Data LAN, IP-PBX): Few PBXs are of this type. Asterisk with firewall (iptables/Netfilter) can be compiled and configured this way, but requires a lot.

PBX Type 1 (VoIP & Data LAN, IP-PBX): Modern IP-PBXs are of this type. Media goes directly between phone and SIP Trunk.

But they may not have SIP Phones...

A Good E-SBC Should Provide:

1) NAT/Firewall Traversal – Must NAT to same address space!
2) Basic SIP and Network Interoperability - E.g. Authentication, Registrations, UDP/TLS/TCP, Dynamic IP address, etc.
3) SIP Repair - E.g. Call Transfer, Fragmented packets, Bugs, etc.
4) Features - E.g. Remote Users, Administration (remote and local)
5) Security - LAN/PBX/VoIP network protection, Service attack protection

[Diagram: the three PBX types and the IX78 at the SIP Trunk Interface, with signaling and media paths to the SIP Trunk, the SIP Trunking Provider Network, its gateway and SIP system, and the PSTN; markers 1) to 5) label points in the diagram with the functions listed above.]


Remote Users Supported

If the PBX uses SIP compliant phones
- IX78 E-SBC set up to forward incoming SIP to the PBX
- Can use WAN IP address or domain name in the SIP address
- The E-SBC can authenticate the users
- Remote users should preferably also be behind an Intertex/Ingate E-SBC for automatic NAT/Firewall traversal
- If the remote user is behind an ordinary NAT/Firewall (non SIP aware), FENT (Far End NAT Traversal) can be enabled in the IX78 E-SBC

If non-SIP IP phones are used, the PBX vendor may have some tunneling solution for remote workers
- The IX78 is not involved

Standard SIP phones (local or remote) can also be registered directly to the IX78 E-SBC
- Directly ready for remote users
- The E-SBC will authenticate the users
- Extension numbers can be integrated
- Not all PBX features will be available to such phones


SIP Clients Can be Registered Directly to the IX78 E-SBC

There are many PBXs out there that do not allow Soft Clients, Remote Users or Standard SIP Phones.

[Diagram: PBX with non-SIP phones; registrar; soft client, WiFi mobile and remote users, with numbers integrated.]


E-SBCs & SIP Capable Firewalls

Ingate Systems
[email protected] Farley Road
Hollis, NH 03049
United States
Ph: +1 (603) 883-6569
Tel sv: +46 8 6007750

Intertex Data
[email protected] 45
SE-174 44 Sundbyberg
Sweden
sip:[email protected]: +46 8 6282828

See us at ITEXPO Room 9C!


Ordinary Voice IADs – Good for Telephony Replication…

Telephone ports (FXS) on the CPE are a popular way to deploy IP telephony. By logically placing the SIP clients on the outside of the NAT/Firewall, unreliable work-around methods like STUN, TURN and ICE become unnecessary. However, this only gives POTS replication, often even stopping general SIP based services!

The 5060 SIP-port is just grabbed on the outside to the FXS ports!

Lower level SIP ALGs often cause problems and do not handle more than basic scenarios.

Often problems with, or total lack of:

• SIP to the LAN or WiFi
• Calls between SIP clients on LAN
• Calls between internal ATA ports and LAN clients
• Call transfers, 3-party calls, etc.
• Using SIP generally over the Internet (Operator “took all the SIP”)

(Users must not be deprived of general SIP-functionality!)


Our CPEs are SIP Capable NAT/Router/Firewalls

All Intertex CPEs have a SIP Proxy based SIP aware Firewall/NAT

Problems solved where they occur

General, can handle complex call scenarios and all SIP services

Wired or wireless SIP clients (phones, soft clients, PDAs)

No special requirements on the SIP Client – Just standard SIP

Additional functionality available (SIP server, PBX functionality etc.)

No battery draining of WiFi mobile phones, otherwise caused by keep-alive packets* inhibiting sleep mode.

* Work-around methods for SIP NAT-traversal like STUN, TURN, ICE and Far End NAT Traversal use frequent keep-alive packets to keep holes in the NAT/Firewall open.

[Diagram: Intertex CPE between the Internet and IMS on one side and SIP clients on the other.]