Acme Packet session border controllers in the enterprise

Large enterprises have been expanding their deployments of IP telephony (IPT) for several years now. Planning has already begun to extend the benets of interactive communications over IP beyond voice services to include real-time presence-based voice, videoconferencing, chat/instant messaging, multimedia collaboration, telepresence, and more. With encouragement from major IT vendors, some enterprises will achieve this objective by deploying suites of integrated real-time applications over IP often referred to as Unied Communications (UC)as well as core business applications enhanced with interactive communications capabilities, e.g., CRM enabled with click-to-call and call recording features. Delivering these real-time, interactive communications services and applications over IP will be critical to fostering business agility, boosting employee accessibility and efciency, improving customer service, and reducing IT capital and operating costs. But signicant challenges in security, interoperability, service assurance and regulatory compliance emerge once enterprises begin migrating voice and video away from service provider TDM services and converging them on IP networks. Session border controllers (SBCs), product solutions extensively used by service providers to address these shortcomings, are now being deployed by enterprises to enable the delivery of secure, high-quality, real-time interactive communications, including IPT and UC. Similarly, service providers are using SBCs in new outsourced interactive communications offerings for enterprises such as hosted contact centers and hosted Voice over IP (VoIP) services. Business challenges The business world is now global, 24/7/365, mobile, and real-time. The emergence of new economic powerhouses like India and China has intensified the competition for customer loyalty and money. The advent of a more globalized economy has meant both improved availability of lower-cost labor and the entry of agile new competitors unburdened by legacy IT infrastructure. Meanwhile, customer expectations of the level of service their vendors provide are rising. Any enterprise that hopes to survive in this environment must optimize the efficiency of its internal and customer-facing business processes by reducing human latency; the time it takes to identify, access and connect the best-available employees to make decisions, address customer needs and solve problems quickly. In this newly competitive environment, enterprises face a broad spectrum of challenges, including how to: Equip employees with better real-time communications tools to improve the speed and efficiency with which they interact with each other and with customers; this includes adding real-time communications features to core business and productivity applications Build customer loyalty by optimizing business processes such as order entry and inquiry/problem resolution, enabling customers to quickly reach the right employees via the best available communications channels

Respond to economic and competitive pressures by reducing infrastructure costs, notably by using IT selectively to simplify, optimize and drive cost out of overhead business processes (e.g., travel, communications) Identify processes and skills that are core to the business, and selectively outsource the rest Minimize the enterprises exposure to risk with appropriate investments in security and business continuity while achieving compliance with all relevant government and commercial regulatory requirements

Acme Packet enterprise session border control solutions Acme Packet SBCs enable enterprises to control four critical IP network borders to their data centers that host IPT/UC infrastructure, as shown in Figure 1: IP trunking borderconnections to service provider IP networks linking the enterprise to the outside world of PSTN and IP endpoints Private network borderconnections to internal employees located on the enterprise campus LAN and in remote ofces connected via private WAN services such as MPLS VPNs Internet borderconnections to small ofces, users working from home and mobile employees over the public Internet Hosted services interconnect border private connections to service providers or Application Service Providers (ASP) that offer hosted IP-based audio and videoconferencing services, IP contact center services, IP Centrex to augment premise-based systems for certain sites, business groups or divisions and VoIPenabled business applications such as salesforce.com.

Figure 1

Comparing SBCs to firewalls with SIP ALG in enterprise VoIP & UC scenarios
Overview Voice over IP (VoIP) and unified communications (UC) are increasingly prevalent as standards-based alternatives to closed proprietary communications systems. The expandability, flexibility and cost advantages offered by IP networks provide a highly effective means for enterprises and contact centers to communicate both internally and externally in todays dynamic business and economic climates. Because an organizations communications network is a business-critical resource, IP-based enterprise and contact center communications networks, services and application must be secured. But other requirements, such as maximizing communication service and application interoperability, assuring service availability and quality levels, complying with government regulations and controlling costs must also be met for successful VoIP/UC delivery. How it works firewalls with SIP ALG vs. session border controllers Enterprise firewallsubiquitous in todays IP networksprotect IP data networks, servers and applications against a variety of threats through stateful inspection and filtering at layers 3 and 4 of the OSI model. To enable basic VoIP connectivity through the firewall, some firewalls add SIP application layer gateways (SIP ALGs) that translate embedded SIP addresses, in effect allowing the firewall to maintain a single end-to-end SIP session between endpoints residing on either side of the firewall.

Maintains single SIP session through FW Fully state-aware at layer 3 & 4 Only inspects/modifies SIP, SDP addresses Unable to terminate, initiate, re-initiate or respond to SIP signaling messages Only supports static ACLs & policies

Implements SIP B2BUA for complete control Fully state-aware at layers 2-7 Inspects/modifies all SIP, SDP header info Can terminate, initiate, re-initiate and respond to SIP signaling messages Supports static and dynamic ACLs & policies

By comparison, session border controllers (SBCs) implement a SIP back-to-back user agent (B2BUA) as defined in IETF RFC 3261. A B2BUA divides each SIP session into two distinct segments as shown in the diagram below. In doing so, the SBC is able to completely and effectively control SIP sessions, as well as the associated media flows, in ways that SIP ALGs cannot. This unique capability gives SBCs a clear edge in their ability to securely deliver reliable, high-quality IP-based interactive communications.

Use cases SBCs vs. firewalls with SIP ALG The best way to illustrate the differences between SBCs and FW w/ SIP ALG is within the context of common enterprise and contact center VoIP/UC use cases. Each of the ten scenarios shown below is accompanied by an associated business challenge as well as the technical requirements that would have to be met by the network element in order to address that challenge. Each scenario demonstrates conclusively that only session border controllers are capable of meeting all requirements for the successful delivery of enterprise and contact center VoIP/UC services and applications.

Net-Net Session border controllers uniquely provide all controls required for delivering trusted, reliable, high-quality IP interactive communications o Security IP PBX & UC server DoS/DDoS attack protection, SBC self-protection o Communications reach maximization IP PBX & UC protocol interworking, remote NAT traversal o SLA assurance IP PBX & UCserver session admission & overload control, data center disaster recovery, remote site survivability, QoE-based routing, SBC highavailability operation o Regulatory compliance session replication for recording Data firewalls with application layer gateways (FW/ALG) only effective securing data-oriented application infrastructure (PCs, servers)

IP trunking for PBXs the enterprise perspective

Benefits Enterprises, including contact centers, universities and government organizations, have a growing interest in using SIP and H.323 trunks for interconnecting IP PBX islands and enabling native IP communications for voice, conferencing, messaging and collaboration applications. Moreover, as enterprises migrate to an all IP communications environment, they are looking to service providers to take VoIP traffic from their sites and provide IP-to-PSTN gateway services for inbound and outbound traffic. Enterprises can realize capital and operating expense savings by leveraging more efficient and economical IP connections. Direct VoIP peering between enterprise sites also simplifies the introduction of enhanced communications applications such as unified communications. Several benefits can be realized by leveraging IP trunks for connectivity to the PSTN and other enterprise IP networks and endpoints: Reduce costs, both capital and operating, by eliminating media gateways and TDM voice trunks, while collapsing applications on existing data network Simplify operations by transferring media gateway and PSTN interconnection management to a service provider Accelerate provisioning and deployment as IP interconnects can be provisioned in days as opposed to months Enhance operations with flexible routing policies that provide cost effective call termination, disaster recovery and business continuity Improve quality by eliminating unnecessary IP-to-TDM-to-IP conversions and exploiting high fidelity codecs Enable new services and applications that require end-to-end IP connectivity such as interactive video, presence, instant messaging, multimedia collaboration and unified communication

Acme Packets Net-Net SBCs are designed to satisfy the critical security, application reach maximization, SLA assurance, cost optimization and regulatory compliance requirements to enable IP trunking for enterprises.

Applications Enterprises are connecting their VoIP networks to service providers and other organizations using IP as opposed to costly TDM hand-offs for a variety of cost-saving applications, including: PSTN termination or origination Enterprise VoIP peering Hosted services call recording, conferencing, contact center Regulatory services emergency services, lawful intercept

Challenges Connecting IP PBXs to service providers networks using IP trunks introduces challenges and unique requirements for building a trusted border between the enterprise and service provider. Some of the critical capabilities required at this border include: Security hiding and protecting network resources and user information from attack and misuse Application reach exchanging traffic across heterogeneous networks with differing or conflicting network characteristics such as IP addresses, signaling and transport protocols, codecs, encryption, etc. SLA assurance handling latency sensitive traffic with high priority and maintaining network availability and high service quality during abnormal busy periods Cost optimization routing calls in cost effective manner and capturing session data for accounting and traffic management and planning Regulatory compliance enabling emergency service routing and call recording in order to comply with government regulations for VoIP

To overcome these challenges enterprises and services providers are deploying SBCs at both ends of the IP trunk. The SBC enables seamless communications across network borders between the enterprise sites and the service provider network. The SBC is used to mediate the differences in the various networks as well as provide security, quality and cost control at the ingress and egress of those networks.

Acme Packet Net-Net product family delivers trusted, first-class interactive communications and data
Acme Packets Net-Net family of session border controllers, multiservice security gateways and session routing proxies enable the delivery of trusted, first-class interactive communicationsvoice, video and multimedia sessionsand data services across IP network borders. The brand name "Net-Net" reflects the role of these products in interconnecting IP networks to deliver these services and applications. Our Net-Net family supports multiple applications in service provider, enterprise, government and contact center networksfrom VoIP trunking to hosted enterprise and residential services to fixed-mobile convergence. They satisfy critical security, service assurance and regulatory requirements in wireline, cable and wireless networks; and support multiple protocolsSIP, H.323, MGCP/NCS, H.248 and RTSPand multiple border pointsservice provider access and interconnect, and enterprise access and trunking. For enterprises and contact centers, our Net-Net product family enables the secure delivery of a broad range of interactive communications services and applications ranging from basic VoIP to Service Oriented Architecture (SOA)-enabled unified communications. It secures the borders to the service provider IP network, the private VPN connecting major enterprise or contact center sites and the Internet for connecting remote offices, teleworkers and callers to the contact center. It ensures interoperability of both legacy IP-PBX equipment and next-generation unified communications platforms such as Microsoft OCS and manages their traffic load and resource availability. Products All of our productssession border controllers (SBC), multiservice security gateways (MSG) and session routing proxies (SRP)operate Acme Packet Net-Net OS. Net-Net OS offers extremely rich functionality in terms of architectural flexibility, signaling protocol breadth, control function and feature depth, carrierclass availability and manageability. It supports all five required border control functions security, service/application reach maximization, SLA assurance, revenue and cost management and regulatory compliance. Net-Net OS operates on all of our hardware platforms - the Net-Net 2600, 3800, 4000 and 9200 series systems and Net-Net 4500 ATCA blade. Our software-only platform, Net-Net OS-E, is also supported on certified third party hardware platforms to satisfy the low-end performance, capacity and price requirements of enterprises and contact centers. Our products, which also include our Net-Net EMS and SAS management tools, help service providers, enterprises, governments and contact centers throughout the world to successfully deliver trusted, first-class IP communications. Acme Packet products by platform

Net-Net OS-E Net-Net OS-E is a software-only, integrated session border controller (SBC) platform for Acme Packetcertified third-party servers. The server options available provide enterprises, contact centers and Acme Packet partners with the flexibility to choose a system that best matches the performance, capacity and price requirements of the service or application. Net-Net OS-E is also supported in Virtual Machine (VMware or Xen) operating environments. Net-Net 2600 Our Net-Net 2600 platform delivers an integrated SBC configuration optimized for enterprise and contact center applications. The 1U Net-Net 2610 and 2U Net-Net 2620 are Acme Packet-supported Intel quadcore servers operating Net-Net OS-E. They provide all of the critical controls for delivering trusted, first class interactive communicationsvoice, video and multimedia sessionsacross IP network borders. Net-Net 3800 The Net-Net 3800 platform is our integrated SBC solution for smaller service providers, government defense and securityfocused agencies, small enterprises and smaller sites within larger organizations. The Net-Net 3800 and all higher capacity platforms feature Acme Packets custom hardware design tightly integrated with Net-Net OS to satisfy the most critical infrastructure security requirements. Net-Net 4000 This carrier-class platform is the industrys most widely deployed session border controller, delivering unmatched capabilities in a 1U form factor. Comprised of two distinct models, the Net-Net 4250 and NetNet 4500, the Net-Net 4000 series offers extremely rich functionality, architectural flexibility and signaling protocol breadth, and satisfies all of the performance, capacity, availability and manageability requirements of service providers, enterprises, government organizations and contact centers. Net-Net 9200 Our next-generation platform offers our highest levels of performance, availability and capacity to service provider and large enterprise VoIP/UC deployments in a single 7 RU hardware chassis-based system. The multiprocessor Net-Net 9200 platform, in SBC configurations, also supports transcoding and transrating for a wide selection of wireline and wireless codecs. Net-Net 4500 ATCA blade This ATCA blade is designed to be easily integrated by wireless and wireline communication systems vendors into their ATCA chassis. The blade supports all Acme Packet Net-Net SBC, MSG and SRP configurations, and all of the functions and features supported by Net-Net OS. Consisting of an ATCA front card and rear transition module, the ATCA blade is purpose-built to enable Net-Net OS functions and exploits the power and capacity of the industrys best processing and memory components.

About Acme Packet

Mission Acme Packet enables the delivery of trusted, first-class interactive communicationsvoice, video and multimedia sessionsand data services across IP network borders. Our Net-Net family of session border controllers, multiservice security gateways and session routing proxies supports multiple applications in service provider, enterprise and contact center networksfrom VoIP trunking to hosted enterprise and residential services to fixed-mobile convergence. They satisfy critical security, service assurance and regulatory requirements in wireline, cable and wireless networks; and support multiple protocolsSIP, H.323, MGCP/NCS, H.248 and RTSPand multiple border pointsservice provider access and interconnect, and enterprise access and trunking. Markets Our Net-Net family supports multiple applications in service provider, enterprise and contact center networksfrom VoIP trunking to hosted enterprise and residential services to fixed-mobile convergence. For enterprises and contact centers, our Net-Net product family enables the secure delivery of a broad range of interactive communications services and applications ranging from basic VoIP to Service Oriented Architecture (SOA)-enabled unified communications. It secures the borders to the service provider IP network, the private VPN connecting major enterprise or contact center sites, and the Internet for connecting remote offices, teleworkers and callers to the contact center. It ensures interoperability of both legacy IP-PBX equipment and next-generation unified communications platforms such as Microsoft OCS and manages their traffic load and resource availability. Financial highlights Total revenue (US$ in millions)

10