Vocalcom Technical Voice Architecture

VIRTUAL CONTACT CENTER in the Cloud
Vocalcom High Availability Voice
www.vocalcom.com
Mediant 4000 SBC Configuration
Version 1.0 by Simon Harrison
June 14th 2013
AudioCodes HA Mechanisms
AudioCodes SBC High Availability provides:
 A 1+1 redundancy scheme
 A keep-alive mechanism to automatically switch over to the redundant SBC in case of failure
 Call context synchronization, so that active calls are preserved during a switchover
 A method to upgrade the SBC firmware without disturbing current calls (Hitless Software Upgrade)
 A single repository for the configuration and auxiliary files of the M4K cluster
Vocalcom Deployment
VIRTUAL CONTACT CENTER in the Salesforce Cloud
Mediant 4000 HA
Mediant 4000 HA – Mode 1 – Local Deployment
Mediant 4000 HA – Mode 2 – Geographical Redundancy
Mediant 4000 HA – Firewalls Config
 The following table gives the rules for setting up the SBC firewall when security is activated or, in the case of geographical HA, for filtering the nodes on the SBC's MAINTENANCE VLAN:

Source Host   Dest Host   Dest Port   Protocol   Comment
M4K-1         M4K-2       669         UDP        Keep-Alive packets
M4K-2         M4K-1       669         UDP        Keep-Alive packets
M4K-1         M4K-2       2442        TCP        HA Control and Data packets
M4K-2         M4K-1       2442        TCP        HA Control and Data packets
M4K-1         M4K-2       80          TCP        File Transfer
M4K-2         M4K-1       80          TCP        File Transfer
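The table above is a whitelist for a two-node cluster: only the two M4K peers may talk to each other, on exactly three services, and anything else on the MAINTENANCE VLAN should be dropped. Note that file transfer is listed on TCP/80, the conventional cleartext HTTP port, which is one more reason to keep that VLAN restricted to these two hosts. The following script is an added example, not Vocalcom or AudioCodes code: it expands the table into directional rules, renders them as an iptables chain ending in DROP, and audits constructed flow records against the whitelist. The node addresses and the flow-record format are assumptions.

```python
"""Whitelist for the Mediant 4000 HA maintenance VLAN, built from the rule
table above. Added example, not AudioCodes or Vocalcom code; the node
addresses and the flow-record format are constructed placeholders."""
from dataclasses import dataclass
import re

# Assumed addresses of the two cluster nodes on the MAINTENANCE VLAN.
HOSTS = {"M4K-1": "10.0.99.1", "M4K-2": "10.0.99.2"}

# (dest port, protocol, comment) per flow in the table; each flow is needed in
# both directions, so the table's six rows reduce to three pairs.
HA_FLOWS = [
    (669, "udp", "Keep-Alive packets"),
    (2442, "tcp", "HA Control and Data packets"),
    (80, "tcp", "File Transfer"),
]


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    dport: int
    proto: str
    comment: str


def ha_rules(hosts=HOSTS):
    """Expand the flow list into the six directional rules of the table."""
    a, b = hosts["M4K-1"], hosts["M4K-2"]
    rules = []
    for dport, proto, comment in HA_FLOWS:
        rules.append(Rule(a, b, dport, proto, comment))
        rules.append(Rule(b, a, dport, proto, comment))
    return rules


def is_allowed(rules, src, dst, dport, proto):
    """Default deny: only an exact match on peer, port and protocol passes."""
    return any(r.src == src and r.dst == dst and r.dport == dport
               and r.proto == proto for r in rules)


def to_iptables(rules, chain="HA-MAINT"):
    """Render the whitelist as an iptables chain that ends in DROP."""
    out = [f"iptables -N {chain}",
           f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in rules:
        out.append(f"iptables -A {chain} -s {r.src} -d {r.dst} -p {r.proto} "
                   f"--dport {r.dport} -m comment --comment '{r.comment}' -j ACCEPT")
    out.append(f"iptables -A {chain} -j DROP")
    return out


# Constructed flow-record format (e.g. a firewall or NetFlow export).
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


def audit_flows(rules, lines):
    """Return the flow records that the table does not authorise; a non-empty
    result means an unexpected peer or an unlisted service on the VLAN."""
    violations = []
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst, proto, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if not is_allowed(rules, src, dst, dport, proto):
            violations.append(line.strip())
    return violations


SAMPLE_FLOWS = [  # constructed sample data
    "src=10.0.99.1 dst=10.0.99.2 proto=udp dport=669",
    "src=10.0.99.2 dst=10.0.99.1 proto=tcp dport=2442",
    "src=10.0.99.50 dst=10.0.99.1 proto=tcp dport=2442",   # unknown host
    "src=10.0.99.1 dst=10.0.99.2 proto=tcp dport=22",      # unlisted service
]

if __name__ == "__main__":
    rules = ha_rules()
    print("\n".join(to_iptables(rules)))
    for v in audit_flows(rules, SAMPLE_FLOWS):
        print("UNEXPECTED:", v)
```

The chain is meant to be attached to the interface facing the MAINTENANCE VLAN; the conntrack rule lets replies through so only the initiating direction needs a rule, which mirrors how the table lists a destination port per direction.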
Mediant 4000 HA: Prerequisites
 High Availability feature key (licensing)
 Two Mediant 4000 SBCs
 Two Gigabit Ethernet ports per switch
 Power consumption (M4K HA):
– 2.5 A @ 230 VAC, 75 W
VIRTUAL CONTACT CENTER in the Salesforce Cloud
SBC Security
AudioCodes Session Border Controller (SBC) - Key Roles
 Main tasks: Security, Connectivity, QoE
 Perimeter Defense
• Firewall and Access Control
• Encryption
• Topology Hiding
• Denial of Service protection
• Call Theft and Fraud protection
 Interoperability
• SIP Normalization
• DTMF Conversion
• Fax Conversion
• Protocol/Coder Policing
• Voice Transcoding
• NAT Traversal
 SLA and QoS Assurance
• Call Admission Control
• QoS Monitoring and Troubleshooting
• Voice Service Assurance
• Survivability
How Does the AudioCodes SBC Secure SIP Traffic?
The SBC filters SIP traffic in several stages, from the network layer upwards:
 Look at the IP addresses and ports to filter unwanted packets, and throttle the incoming packet rate
 Overcome TCP vulnerabilities and perform TLS authentication
 Filter oversized SIP messages and unwanted SIP bodies, and apply SIP syntax policing
 Filter out SIP messages which do not belong to an open dialog
 Accept messages based on SIP header properties, for example the Request-URI
Security : Topology Hiding
 Topology hiding is important for hiding network internals and for privacy
 Achieved through use of a SIP B2BUA:
– Via stripping – each B2BUA leg has its own Via rules, independent of the other leg
– Independent Route/Record-Route in each leg
– Host name modification (e.g. To/From)
– Inserting the SBC Contact in each leg
– Different Call-ID for each leg
– NAT/Layer 3 topology hiding – modification of the source IP address in the IP header
– Restrict caller ID for untrusted legs
AudioCodes Proprietary and Confidential Information
Security : DoS/DDoS
 Protection against DoS/SIP attacks
– Access lists at layer 3 and layer 5
– Layer 3 rate limiting according to local and remote IP address, port and transport type
– SIP dialog rate and concurrent call limiting
– Rich message filtering rules: message size, number of headers, message body types, request type and more
 Protection against SIP vulnerabilities
 OS/IP stack vulnerabilities handling
 Passed DoD tests and obtained FIPS 140 certification
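The message filtering rules listed here (size, header count, body type, request type, syntax) and the topology hiding slide before it (Via stripping, independent Route/Record-Route, host rewriting, SBC Contact, a distinct Call-ID per leg) both operate on the parsed SIP request, so one added example covers both. It is not AudioCodes code and does not show how the Mediant implements these features; the limits, the allowed method and body-type lists, the SBC host name and the sample INVITE are all constructed.

```python
"""SIP message policing and B2BUA topology hiding on a minimal SIP parser.
Added example for the two slides above; not AudioCodes code. Limits, the
allowed lists, the SBC host name and the sample INVITE are constructed."""
import re
import uuid

MAX_MESSAGE_BYTES = 4096          # assumed "oversized" threshold
MAX_HEADERS = 40                  # assumed header-count limit
ALLOWED_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER"}
ALLOWED_BODY_TYPES = {"application/sdp"}
SBC_HOST = "sbc.example.net"      # assumed name the SBC presents on the outer leg
HOST_RE = re.compile(r"(sips?:[^@>;]+@)[^;>]+")   # host part of a SIP URI


def parse_sip(raw):
    """Return (method, request_uri, headers, body); headers is an ordered
    list of (name, value) so duplicates such as several Via are preserved."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        raise ValueError("bad request line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers.append((name.strip(), value.strip()))
    return parts[0], parts[1], headers, body


def get(headers, name):
    """All values of a header, matched case-insensitively."""
    return [v for n, v in headers if n.lower() == name.lower()]


def police(raw):
    """Return None if the message passes, else the reason it is dropped
    (size, syntax, header count, request type, body type)."""
    if len(raw.encode()) > MAX_MESSAGE_BYTES:
        return "oversized message"
    try:
        method, _, headers, body = parse_sip(raw)
    except ValueError as e:
        return "syntax: %s" % e
    if len(headers) > MAX_HEADERS:
        return "too many headers"
    if method not in ALLOWED_METHODS:
        return "request type not allowed: %s" % method
    ctype = (get(headers, "Content-Type") or [None])[0]
    if body and ctype not in ALLOWED_BODY_TYPES:
        return "unwanted body type: %s" % ctype
    return None


def in_dialog(open_dialogs, headers):
    """Mid-dialog requests (BYE, re-INVITE, ...) must match an open dialog.
    Keyed on Call-ID here; a real SBC also matches the From/To tags."""
    return (get(headers, "Call-ID") or [None])[0] in open_dialogs


def hide_topology(headers, call_id_map, sbc_host=SBC_HOST):
    """Build the outer leg's headers: drop inbound Via/Route/Record-Route and
    add the SBC's own Via, present the SBC as Contact, give the leg its own
    Call-ID and rewrite the host part of From/To so internal addresses never
    leave the network. call_id_map remembers the inner->outer Call-ID pairing."""
    inner_id = get(headers, "Call-ID")[0]
    outer_id = call_id_map.setdefault(inner_id, "%s@%s" % (uuid.uuid4().hex, sbc_host))
    out = [("Via", "SIP/2.0/TLS %s;branch=z9hG4bK%s" % (sbc_host, uuid.uuid4().hex[:16]))]
    for name, value in headers:
        key = name.lower()
        if key in ("via", "route", "record-route"):
            continue
        if key == "contact":
            value = "<sip:%s;transport=tls>" % sbc_host
        elif key == "call-id":
            value = outer_id
        elif key in ("from", "to"):
            value = HOST_RE.sub(r"\g<1>%s" % sbc_host, value)
        out.append((name, value))
    return out


SAMPLE_INVITE = (  # constructed sample message from an internal endpoint
    "INVITE sip:bob@10.1.1.20 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.5:5060;branch=z9hG4bKabc\r\n"
    "Record-Route: <sip:10.1.1.2;lr>\r\n"
    "From: \"Alice\" <sip:alice@10.1.1.5>;tag=1928\r\n"
    "To: <sip:bob@10.1.1.20>\r\n"
    "Call-ID: 7a1b@10.1.1.5\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:alice@10.1.1.5:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\no=alice 1 1 IN IP4 10.1.1.5\r\n"
)

if __name__ == "__main__":
    print("policing verdict:", police(SAMPLE_INVITE))
    _, _, hdrs, _ = parse_sip(SAMPLE_INVITE)
    for n, v in hide_topology(hdrs, {}):
        print("%s: %s" % (n, v))
```

Policing runs before any dialog or routing logic so that a malformed or oversized message is dropped before it costs parsing or state; the outer leg produced by `hide_topology` carries no internal IP address in Via, Route, Contact, From, To or Call-ID, which is the property the topology hiding slide is after.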
Security : Call Admission Control
 Limit the number of concurrent calls per subnet/SIP trunk
 Limit the number of registered users per subnet
 Limit the call setup rate per subnet/SIP trunk/user (average and burst)
 VoIP codec policing and prioritizing
 Self-overload protection
 Registration flood protection and throttling
 Protocol validation
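Two of the limits above, concurrent calls per subnet and call setup rate with an average and a burst, combine naturally into one admission decision per INVITE. The following is an added example of that decision, not AudioCodes code: a token bucket enforces the rate, a per-subnet set of active Call-IDs enforces the concurrency cap, and sources with no policy are refused. The subnets, limits and the call sequence are constructed.

```python
"""Call admission control per subnet: a cap on concurrent calls and a token
bucket for call setup rate (average plus burst). Added example for the slide
above, not AudioCodes code; subnets, limits and the call sequence are constructed."""
import ipaddress
from collections import defaultdict


class TokenBucket:
    """Allows `rate` setups per second on average with peaks up to `burst`."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)   # start full so an idle trunk may burst
        self.last = 0.0

    def take(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Cac:
    """policies: {"10.20.0.0/16": (max_concurrent_calls, setups_per_sec, burst)}"""

    def __init__(self, policies):
        self.policies = {ipaddress.ip_network(n): p for n, p in policies.items()}
        self.buckets = {}
        self.active = defaultdict(set)   # network -> Call-IDs currently admitted

    def _match(self, src_ip):
        addr = ipaddress.ip_address(src_ip)
        # longest-prefix match so a /24 trunk policy overrides a wider /16
        for net in sorted(self.policies, key=lambda n: n.prefixlen, reverse=True):
            if addr in net:
                return net
        return None

    def invite(self, src_ip, call_id, now):
        """Decide on a new INVITE; returns 'admit' or a reject reason."""
        net = self._match(src_ip)
        if net is None:
            return "reject: no policy for source"      # unknown sources get nothing
        max_calls, rate, burst = self.policies[net]
        bucket = self.buckets.setdefault(net, TokenBucket(rate, burst))
        if not bucket.take(now):
            return "reject: setup rate exceeded"       # self-protection against floods
        if len(self.active[net]) >= max_calls:
            return "reject: concurrent call limit"
        self.active[net].add(call_id)
        return "admit"

    def bye(self, src_ip, call_id):
        """Release the slot when the dialog ends."""
        net = self._match(src_ip)
        if net is not None:
            self.active[net].discard(call_id)


def demo():
    """Constructed sequence: a /16 allowed 2 concurrent calls, 1 setup/s, burst 3."""
    cac = Cac({"10.20.0.0/16": (2, 1.0, 3)})
    log = [cac.invite("10.20.1.1", "c1", 0.0),
           cac.invite("10.20.1.2", "c2", 0.0),
           cac.invite("10.20.1.3", "c3", 0.0),    # third call: over the concurrency cap
           cac.invite("10.20.1.3", "c4", 0.0)]    # fourth at t=0: burst exhausted
    cac.bye("10.20.1.1", "c1")
    log.append(cac.invite("10.20.1.3", "c5", 1.0))        # one token refilled, slot free
    log.append(cac.invite("192.168.5.5", "c6", 1.0))      # no policy: refused
    return log


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The rate check runs before the concurrency check so that a flood of INVITEs from a full trunk is cut off cheaply, without touching the active-call table; the bucket starts full, which is what gives the "burst" allowance on top of the average rate.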
Security : Encryption
 TLS
– SSL 2.0, SSL 3.0, TLS 1.0 (the versions listed in this 2013 deck; SSL 2.0/3.0 and TLS 1.0 have since been deprecated by RFC 6176, RFC 7568 and RFC 8996 and should be disabled in favour of TLS 1.2 or later)
– Re-handshake
– Mutual authentication
– Certificate revocation checking
– Verify the Subject Alternative Name against the provisioned proxy name
 SRTP with SDES key exchange (RFC 4568), voice and video
– SRTP enforcement
– Best-effort SRTP using two media lines
 IPsec – control and management traffic only
 VPN (MSBG)
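The TLS bullets (mutual authentication, revocation checking, SAN verification against the provisioned proxy name) describe a client profile that can be expressed directly with Python's ssl module. The following is an added example of such a profile, not the Mediant's configuration: the SAN matcher takes the dictionary shape of `getpeercert()`, refuses to fall back to the Common Name and only honours a wildcard as the whole left-most label, and the context pins the minimum version to TLS 1.2. The proxy name, file paths and certificate dictionaries are constructed.

```python
"""TLS profile for SIP over TLS: minimum protocol version, mutual
authentication, CRL checking and SAN verification against the provisioned
proxy name. Added example built on Python's ssl module; it is not AudioCodes
configuration, and the proxy name, paths and certificate dicts are constructed."""
import ssl

PROVISIONED_PROXY = "sip-proxy.example.net"   # assumed provisioned proxy name


def san_matches(cert, proxy_name):
    """Match a peer certificate's subjectAltName against the provisioned proxy
    name. `cert` has the shape of ssl.SSLSocket.getpeercert(). A certificate
    without a SAN fails: the Common Name is deliberately not used as fallback.
    A wildcard is honoured only as the whole left-most label."""
    host = proxy_name.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind not in ("DNS", "IP Address"):
            continue
        name = value.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
    return False


def sip_tls_context(cafile=None, certfile=None, keyfile=None, crlfile=None):
    """Context the SBC would use towards the proxy: TLS 1.2 or later (so the
    SSL 2.0/3.0 and TLS 1.0 listed in the deck are refused), the peer's
    certificate required and checked against the name given at handshake,
    the leaf checked against a CRL, and our own certificate offered for
    mutual authentication. File arguments are optional so the profile can be
    built without key material."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    if crlfile:
        ctx.load_verify_locations(cafile=crlfile)   # CRLs load through the same call
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def connect_proxy(sock, ctx, proxy_name=PROVISIONED_PROXY):
    """Hand the provisioned name to the handshake, never a name taken from DNS
    or from SIP Route headers, so the SAN check binds to configuration; the
    explicit san_matches call re-checks the same rule on the presented cert."""
    tls = ctx.wrap_socket(sock, server_hostname=proxy_name)
    if not san_matches(tls.getpeercert(), proxy_name):
        tls.close()
        raise ssl.SSLError("peer SAN does not match the provisioned proxy name")
    return tls
```

Revocation checking only works if the CRL file is kept current; with `VERIFY_CRL_CHECK_LEAF` set and no loadable CRL for the issuer, OpenSSL fails the handshake rather than silently skipping the check, which is the safer failure mode for a signalling link.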
Mediant 4000 SBC Highlights
 Medium- to high-density SBC platform
– 250 to 4000 SBC sessions and more…
 Based on the field-proven AudioCodes SBC family
 High availability with 2-box redundancy
 State-of-the-art AMC (MicroTCA) based platform
 Cost-effective compact footprint (1U)
 Strong DoS/DDoS and VoIP firewall protection
 Easy SBC session capacity upgrades via software key
 SIP TLS security and media encryption
 Media handling including transcoding capabilities
– Wide range of vocoders, including low bit rate (LBR), wireline, cellular and wideband vocoders
– Decoupling of DSPs (transcoding) from the CPU (SBC sessions)
VIRTUAL CONTACT CENTER in the Salesforce Cloud
TeleHouse 2
Deployment of first SBC in production
TeleHouse 2 Deployment : Rack Utilization & Power Consumption
• 6U used in the cabinet
• Total power consumption:

Hardware       Used Power   Qty   Total
Mediant 4000   75 W         6     450 W
Total                             450 W

• 8 power connectors are needed to plug in each power supply
TeleHouse 2 Deployment : Network Connections
 Mediant 4000s
• The red Ethernet connection carries SIP signaling and media using a single IP address
• The orange Ethernet connection is used for OAMP purposes (remote access, supervision…)
• 2 ports per switch and per Mediant 4000 are needed