Mobility: Connecting Remote Workers – TeliaSonera SIP Trunking

Mobility: Connecting Remote Workers
TeliaSonera SIP Trunking Deployment
Prepared for: Ingate Systems 3 Day Seminar "Unified Communications: SIP Trunking, Video, Collaboration and More", ITEXPO Conference, Austin, September 2011
By: Karl Erik Ståhl, President Intertex Data AB, CEO and Chairman Ingate Systems AB, karl.stahl@intertex.se
Also see the Live Demo Presentation from the ITEXPO SIP Trunking Summit, Miami, February 2011: http://www.ingate.com/files/ITEXPO_Miami_2011_Presentations/Intertex%20-%20UC%20Across%20the%20Borders.pps
© 2011 Intertex Data AB
What are Mobility and Remote Users?
2 slides from the Live Demo Presentation from the ITEXPO SIP Trunking Summit, Miami, February 2011: http://www.ingate.com/files/ITEXPO_Miami_2011_Presentations/Intertex%20-%20UC%20Across%20the%20Borders.pps
We certainly want our home workers connected to the company PBX, and the same goes for our road warriors - at the hotel, at public Wi-Fi.
All should have all PBX services:
• Reached by extension number or DID
• Place PSTN calls (displaying the correct Caller ID)
• Voice mail, conferencing etc.
• Presence, IM, video if supported by the PBX
Call me on my Swedish office number +46 8 12345629 now!
© 2011 Intertex Data and Ingate Systems
[Diagram: live demo topology spanning Japan, the US (Miami) and Sweden. PSTN and 3G cell access reach the Internet via SIP/PSTN gateways and two SIP trunk providers (Provider 1, Provider 2). Three LANs are shown: the ITEXPO SIP Trunk-UC Summit LAN ("THIS LAN"), the Ingate LAN (ingate.com, users sophie@ingate.com and stefan@ingate.com) and the Intertex LAN (intertex.se, users calle@intertex.se and steeg@intertex.se), plus the remote user kamill@von.sipnr.org.]
We Saw Mobility and Beyond POTS
Ordinary phone calls reach my laptop across the ocean! I can also:
• Call Sophie in another domain (federate)
• … even with video
• … even though she is also remote from the Ingate office (actually she is in the room)
• … with media going the shortest way (here on the LAN) while signaling goes back to Sweden!
I can use extension numbers as if connected to the home PBX, and I see presence and can put calls into conference…
• All other PBX functionality also works remotely, e.g. IM (Instant Messaging)
But Why are NATs and Firewalls Such Obstacles?
[Diagram: a typical Internet protocol (SMTP, HTTP…) connects a host to a server across the Internet; SIP (and H.323…) connects person-to-person across the Internet.]
SIP has to locate the person + set up a session + open real-time media streams.
SIP Does It! – But a Very General Solution is Required
[Diagram: the public Internet with DNS, a SIP trunking provider (SIP system, GW, PSTN), a remote user calle@intertex.se, and the Intertex IX78 E-SBC in front of the intertex.se IP-PBX, the data & VoIP LAN, soft clients and multimedia terminals.]
The SIP proxy in the E-SBC forwards and rewrites the SIP signaling and controls media through its NAT/firewall.
And There May be More to Consider (Telia Network)…
[Diagram: a remote user behind a NAT/FW on the Internet; VoIP, IP-TV, IMS, VoD, TR-069 and SIP trunk traffic arriving over VLANs or ADSL virtual circuits; the multimedia LAN with IP-PBX, Wi-Fi and PDA behind the IX78 E-SBC.]
• SIP on different WAN pipes must be handled.
• The remote user is often behind a remote NAT/FW, so SIP traversal is needed. Far End NAT Traversal (FENT) can be enabled in the IX78 E-SBC.
• The IX78 E-SBC is a SIP proxy based firewall controlling SIP signaling and media.
Remote Users Require More Security Measures
Remote users to the PBX can (also) be authenticated by the IX78.
Brute Force Attack Protection: Attackers are nowadays trying to find simple passwords by brute force testing. 10–100 trials/second have been seen (e.g. SipVicious / friendly-scanner). After 3 trials we pretend all attempts are wrong, so the correct one is never found.

…in Addition to e.g. Preventing SIP DoS Attacks
• Signature Recognition: If the internal SIP proxy detects known signatures in SIP headers from attackers, it instructs the internal firewall to block the attacking IP address. New signatures can be added manually or provisioned automatically.
• SIP Rate Limiting: If there are more than 20 SIP packets/second from the same IP address, the internal firewall blocks that IP address for 20 seconds and does not respond to that IP address until the SIP packet rate is below 3 packets/second.
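The three protections on the two slides above (brute force lockout, signature recognition and SIP rate limiting) are easy to misread as one mechanism, so here is an added example, written for this page and not code from Intertex or the IX78, that models each of them as per-source-IP state and runs a constructed traffic sample through it. The slide numbers are used as given (3 trials, 20 packets/second, 20 seconds, 3 packets/second); the lockout duration after 3 failed trials, the in-memory state, the sample addresses and the SipGuard/simulate names are assumptions, as the slides do not specify them.

```python
"""Model of the IX78-style protections described on the slides (added example,
not the product's own code). Assumptions: state is kept per source IP in memory,
one "trial" is one SIP request that passes or fails authentication, and a lockout
lasts lockout_seconds (the slides give no duration)."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class SipGuard:
    max_failed_trials: int = 3       # slide: after 3 trials, all attempts are treated as wrong
    lockout_seconds: float = 300.0   # assumed; not stated on the slides
    rate_limit_pps: int = 20         # slide: more than 20 SIP packets/second triggers a block
    block_seconds: float = 20.0      # slide: block for 20 seconds
    release_pps: int = 3             # slide: respond again only once below 3 packets/second
    signatures: tuple = ("friendly-scanner", "sipvicious")   # known scanner User-Agent strings
    _packets: dict = field(default_factory=dict)        # ip -> timestamps of the last second
    _blocked_until: dict = field(default_factory=dict)  # ip -> time the 20 s block expires
    _sig_blocked: set = field(default_factory=set)      # ips blocked by signature match
    _failed: dict = field(default_factory=dict)         # ip -> consecutive failed trials
    _locked_until: dict = field(default_factory=dict)   # ip -> time the auth lockout expires

    def _rate(self, ip, now):
        """Record one packet and return the packet count in the trailing 1 s window."""
        q = self._packets.setdefault(ip, deque())
        q.append(now)
        while now - q[0] >= 1.0:
            q.popleft()
        return len(q)

    def packet(self, ip, now, user_agent=""):
        """Return True if a SIP packet from ip should be processed, False if dropped."""
        # Signature recognition: a known attacker signature in a header blocks the address.
        if any(sig in user_agent.lower() for sig in self.signatures):
            self._sig_blocked.add(ip)
        if ip in self._sig_blocked:
            return False
        rate = self._rate(ip, now)      # keep counting even while blocked
        if ip in self._blocked_until:
            # Block has expired AND the source has calmed down below release_pps: reopen.
            if now >= self._blocked_until[ip] and rate < self.release_pps:
                del self._blocked_until[ip]
                return True
            return False
        if rate > self.rate_limit_pps:
            self._blocked_until[ip] = now + self.block_seconds
            return False
        return True

    def auth_attempt(self, ip, now, password_ok):
        """Return True only if the credentials are right AND the source is not locked out."""
        if now < self._locked_until.get(ip, 0.0):
            return False                # locked: even the correct password is rejected
        if password_ok:
            self._failed.pop(ip, None)
            return True
        n = self._failed.get(ip, 0) + 1
        self._failed[ip] = n
        if n >= self.max_failed_trials:
            self._locked_until[ip] = now + self.lockout_seconds
            self._failed.pop(ip, None)
        return False


def simulate():
    """Run a constructed traffic sample (documentation addresses) and return the outcomes."""
    g = SipGuard()
    r = {}
    # 25 packets within one second from one scanner: the first 20 pass, the rest are dropped
    scanner = "198.51.100.7"
    r["scanner_accepted"] = [g.packet(scanner, 100.0 + i * 0.04) for i in range(25)].count(True)
    r["scanner_during_block"] = g.packet(scanner, 110.0)          # still inside the 20 s block
    r["scanner_after_block"] = g.packet(scanner, 125.0)           # quiet again: released
    # A source that keeps sending at 5 packets/s when its block expires stays blocked
    fast = "198.51.100.9"
    for i in range(25):
        g.packet(fast, 200.0 + i * 0.04)                          # blocked until 220.8
    r["fast_after_expiry"] = [g.packet(fast, 220.0 + i * 0.2) for i in range(6)][-1]
    r["fast_once_quiet"] = g.packet(fast, 225.0)
    # Brute force: three wrong passwords, then the right one from the same address
    for _ in range(3):
        g.auth_attempt("203.0.113.9", 300.0, False)
    r["correct_password_while_locked"] = g.auth_attempt("203.0.113.9", 301.0, True)
    r["legit_user"] = g.auth_attempt("192.0.2.20", 301.0, True)
    # Signature recognition: one scanner User-Agent blocks the address for later packets too
    r["sig_first"] = g.packet("198.51.100.8", 400.0, user_agent="friendly-scanner")
    r["sig_later"] = g.packet("198.51.100.8", 450.0, user_agent="X-Lite")
    return r


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The point the simulation makes is that the three controls are independent: rate limiting reacts to packet volume regardless of content, signature blocking reacts to content regardless of volume, and the lockout makes a correct password useless once the trial budget is spent, which is what defeats an automated scanner that would otherwise eventually hit the right guess.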
Different Types of PBXs are SIP Trunked
A Good E-SBC Should Provide:
1) NAT/Firewall Traversal – Must NAT to the same address space!
2) Basic SIP and Network Interoperability – e.g. Provider Network Authentication, Registrations, UDP/TLS/TCP, Dynamic IP address, etc.
3) SIP Repair – e.g. Call Transfer, Fragmented packets, Bugs, etc.
4) Features – e.g. Remote Users, Administration (remote and local)
5) Security – LAN/PBX/VoIP network protection, Service attack protection
[Diagram: PSTN – SIP Trunking provider (SIP system, GW) – SIP trunk – IX78 (providing 1–5) – IP-PBX (providing 2–5 through its SIP trunk interface); signaling and media paths shown separately.]
• PBX Type 1: SIP trunk interface. Modern IP-PBXs are of this type. Media goes directly between phone and SIP trunk. But they may not have SIP phones… (PBX with system phones)
• PBX Type 1.5: IP-PBX on a VoIP & data LAN
• PBX Type 2: Few PBXs are of this type. Asterisk with a firewall (iptables/netfilter) can be compiled and configured this way, but it requires a lot.
Remote Users Supported
• If the PBX uses SIP compliant phones:
  - IX78 E-SBC set up to forward incoming SIP to the PBX
  - Can use the WAN IP address or domain name in the SIP address
  - The E-SBC can authenticate the users
  - Remote users should preferably also be behind an Intertex/Ingate E-SBC for automatic NAT/firewall traversal
  - If the remote user is behind an ordinary NAT/firewall (non SIP aware), FENT (Far End NAT Traversal) can be enabled in the IX78 E-SBC
• If non-SIP IP phones are used, the PBX vendor may have some tunneling solution for remote workers:
  - The IX78 is not involved
• Standard SIP phones (local or remote) can also be registered directly to the IX78 E-SBC:
  - Directly ready for remote users
  - The E-SBC will authenticate the users
  - Extension numbers can be integrated
  - Not all PBX features will be available to such phones
SIP Clients Can be Registered Directly to the IX78 E-SBC
There are many PBXs out there that do not allow soft clients, remote users or standard SIP phones.
[Diagram: the IX78 registrar in front of a PBX with non-SIP phones, numbers integrated; soft clients, remote users, Wi-Fi and mobile clients register to the IX78.]

E-SBCs & SIP Capable Firewalls
See us at ITEXPO Room 9C!
Intertex Data AB – www.intertex.se, info@intertex.se, Rissneleden 45, SE-174 44 Sundbyberg, Sweden, sip:reception@intertex.se, Tel: +46 8 6282828, Tel sv: +46 8 6007750
Ingate Systems Inc. – www.ingate.com, Info@ingate.com, 7 Farley Road, Hollis, NH 03049, United States, Ph: +1 (603) 883-6569
Ordinary Voice IADs – Good for Telephony Replication…
Telephone ports (FXS) on the CPE are a popular way to deploy IP telephony. By logically placing the SIP clients on the outside of the NAT/firewall, unreliable work-around methods like STUN, TURN and ICE become unnecessary. However, this only gives POTS replication, often even stopping general SIP based services!
[Diagram: the SIP port 5060 is simply grabbed on the outside (Internet side) and tied to the FXS ports.]
Lower level SIP ALGs often cause problems and do not handle more than basic scenarios. Often problems with, or total lack of:
• SIP to the LAN or Wi-Fi
• Calls between SIP clients on the LAN
• Calls between internal ATA ports and LAN clients
• Call transfers, 3-party calls, etc.
• Using SIP generally over the Internet (the operator "took all the SIP")
(Users must not be deprived of general SIP functionality!)

Our CPEs are SIP Capable NAT/Router/Firewalls
[Diagram: IMS and Internet SIP reaching the CPE.]
No battery draining of Wi-Fi mobile phones, otherwise caused by keep-alive packets* inhibiting sleep mode.
* Work-around methods for SIP NAT traversal like STUN, TURN, ICE and Far End NAT Traversal use frequent keep-alive packets to keep holes in the NAT/firewall open.
• Problems solved where they occur
• Wired or wireless SIP clients (phones, soft clients, PDAs)
• No special requirements on the SIP client – just standard SIP
All Intertex CPEs have a SIP proxy based SIP aware firewall/NAT:
• General, can handle complex call scenarios and all SIP services
• Additional functionality available (SIP server, PBX functionality etc.)