
Dialogic BorderNet 4000 Session Border Controller
System Introduction

COMPANY CONFIDENTIAL COPYRIGHT 2013 DIALOGIC INC. ALL RIGHTS RESERVED.

Objectives
By the end of this session, participants will have been given detailed instruction on:
- What is a Session Border Controller (SBC)?
- VoIP challenges in traditional IP networks
- The solution: Dialogic BorderNet 4000 Session Border Controller
- Main BorderNet 4000 SBC features
- Types of network topology


SBC Terminology
- Session: real-time interactive voice, video or multimedia communication over IP; this is what delivers the application
- Border: the point of demarcation between your IP network and your customer's network; this is the source of the challenges
  - Service provider-to-service provider (Interconnect/Peering)
  - Service provider-to-customer or subscriber (Access)
- Control: exerting control over the session signaling and media streams; this is what meets the challenges
  - Session set up
  - Session management
  - Session tear down


SBC Concept
- Session border control is not a standardized set of functions
- It has evolved to address the wide range of issues that arise when voice and multimedia services are overlaid on IP infrastructure:
  1. Security and prevention of service abuse to ensure Quality of Service (QoS)
  2. Monitoring for regulatory and billing purposes
  3. Maintaining privacy of carrier and user information
  4. Resolution of VoIP protocol problems arising from the widespread use of firewalls and NAT servers, and the vast array of differing protocols used in VoIP networks
- These issues are relevant for access to both carrier and enterprise networks:
  - User-Network Interfaces (UNI) to end users and access networks
  - Network-Network Interfaces (NNI) to interconnect networks

[Figure: signaling and media paths from the access network across the UNI into the core network (services), and from the core network across the NNI to the interconnect network.]

Dialogic BorderNet Session Border Controllers
- Enterprise access SBC: Dialogic BorderNet 2020 Session Border Controller
- Residential / SOHO SBC: Dialogic BorderNet 3000 Session Border Controller
- Peering / Interconnect SBC: Dialogic BorderNet 4000 Session Border Controller

[Figure: a service provider network with a BorderNet 2020 SBC at the SIP trunking / enterprise access border, a BorderNet 3000 SBC at the residential / SOHO access border, and a BorderNet 4000 SBC at the peering border towards another service provider's network.]

Traditional Firewall Concept
- A firewall provides a barrier that protects a private network from unauthorized traffic arriving from the public network
- Layer 3/4 packet filtering allows or blocks access to the local network by opening ports only to certain types of packets that correspond to specified IP addresses/ports
- In order to provide network hiding functions, many firewalls combine filtering functionality with NAT functions

[Figure: restrictive rule "Allow HTTP only from host 100.5.5.1". A packet with SRC IP 100.5.5.1 to port 80 (HTTP) is admitted from the public to the private side; a packet with SRC IP 111.5.5.1 to port 23 (Telnet) is blocked.]


NAT (Network Address Translation) Concept
- A NAT server translates IP addresses so that users on a private network can see the public network, but public network users cannot see the inside of the private network
- NAT has two main functions:
  1. Source NATing - on outgoing packets, the NAT device maps local private network addresses to one or more global public IP addresses
  2. Destination NATing - on incoming packets, the NAT device maps global IP addresses back into local IP addresses

[Figure: an outgoing packet Src 10.5.130.26 / Dest 200.1.1.2 leaves the private side and, after NAT, appears on the public side as Src 100.99.98.10 / Dest 200.1.1.2. The reply Src 200.1.1.2 / Dest 100.99.98.10 is translated back to Src 200.1.1.2 / Dest 10.5.130.26 before delivery to the private host.]

NAT vs. PAT
- There are two types of NAT services:
  1. NAT server: allows an organization to use a range of private IP addresses when communicating within an inside network and to share a small pool of public IP addresses when communicating with an outside network
  2. PAT server: a Network Address Port Translator (NAPT) or Port Address Translator (PAT) device that has a block of inside addresses and one or more outside addresses
     - The port number is the differentiator between the different originators
     - Fewer public IP addresses are needed

[Figure: with NAT, the private host Src 10.5.130.26 is mapped to one address out of the public pool 100.99.98.1 .. 100.99.98.30 (e.g., Src 100.99.98.1 / Dest 200.1.1.2). With PAT, all private hosts share 100.99.98.1 and are told apart by the translated source port 29000, 29001, .. 29003 (e.g., Src 100.99.98.1:29000 / Dest 200.1.1.2).]
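The two NAT functions and the NAT versus NAPT difference from the slides above, as an added toy translator (example code, not Dialogic's): the addresses and ports are the slides' sample values, the `Translator` and `Packet` names are assumptions of this example.

```python
# Added example (not Dialogic code): source NATing on the way out and
# destination NATing on the way back, in basic NAT mode (one public address
# per inside host, drawn from a pool) and in NAPT/PAT mode (one shared address;
# the translated source port tells originators apart). Slide sample addresses.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Translator:
    def __init__(self, public_pool, napt=False, first_port=29000):
        self.pool, self.napt, self.next_port = list(public_pool), napt, first_port
        self.outbound, self.inbound = {}, {}   # private -> public and back

    def outgoing(self, pkt):
        """Source NATing: replace the private source before the packet leaves."""
        if self.napt:
            key = (pkt.src_ip, pkt.src_port)
            if key not in self.outbound:          # new flow: allocate the next port
                pub = (self.pool[0], self.next_port)
                self.next_port += 1
                self.outbound[key], self.inbound[pub] = pub, key
            pub_ip, pub_port = self.outbound[key]
        else:
            if pkt.src_ip not in self.outbound:   # new host: take a free pool address
                free = [ip for ip in self.pool if ip not in self.inbound]
                if not free:
                    raise RuntimeError("public pool exhausted")
                self.outbound[pkt.src_ip], self.inbound[free[0]] = free[0], pkt.src_ip
            pub_ip, pub_port = self.outbound[pkt.src_ip], pkt.src_port
        return Packet(pub_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def incoming(self, pkt):
        """Destination NATing: map the public destination back to the inside host.
        No existing mapping means the packet is dropped (None): the asymmetry
        that blocks unsolicited inbound calls and media."""
        if self.napt:
            priv = self.inbound.get((pkt.dst_ip, pkt.dst_port))
            return None if priv is None else Packet(pkt.src_ip, pkt.src_port, *priv)
        priv_ip = self.inbound.get(pkt.dst_ip)
        return None if priv_ip is None else Packet(pkt.src_ip, pkt.src_port, priv_ip, pkt.dst_port)

def public_view(napt, flows):
    """Translate outgoing packets and return the translator and what the public side sees."""
    pool = ["100.99.98.1"] if napt else ["100.99.98.%d" % i for i in range(1, 31)]
    t = Translator(pool, napt=napt)
    return t, [t.outgoing(p) for p in flows]
```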

VoIP Challenges in Traditional IP Networks

Lack of Symmetry
- Endpoints behind the firewall can open connections to an endpoint located on an external network
- Endpoints on an external network cannot communicate with an internal endpoint
  - Audio is allowed out but not in
- The external endpoint will need to have an open connection through the firewall
- Solution option: pinhole
  - The internal endpoint opens a special connection (pinhole) through the firewall, and it remains open as long as the internal endpoint keeps the connection open
  - This pinhole allows traffic to flow in both directions
  - The pinhole has to be maintained in order to keep it open

[Figure: speech bubbles "I want to talk with you" and "I will tell the firewall to allow it" between the private endpoint, the firewall and the public endpoint, illustrating the pinhole.]

Application Layer Data Security Aspects
- FE NAT masks the IP and transport headers only
- SIP is sent in plain text and can be easily intercepted and read by intruders
- Internal network information is revealed in SIP headers and SDP parameters:
  - SIP: Via, Record-Route, request lines, etc.
  - SDP: originator, creator, media profiles, etc.

[Figure: a packet from the private host (Src 10.5.130.26:29015, Dest 200.1.1.2) passes the NAT at 20.2.2.1. On the public side the IP header reads 20.2.2.1 and the UDP header 21000, but the SIP INVITE payload still carries the private address:
  From: CallerA@10.5.130.26:29015
  Via: 10.5.130.26:29015
  Contact: CallerA@10.5.130.26
  SDP: o=10.5.130.26
       m=audio 29015 RTP/AVP 0]

Media Dynamic Ports Handling
- During call setup, media ports are dynamically negotiated between the endpoints using SDP parameters
- A traditional firewall (FW) / NAT is unaware of this negotiation
  - It will not allow data through these dynamically assigned ports
- Difficult to implement policy-based security
  - Unpredictable media ports are chosen; opening a range of ports eliminates the FW's efficiency

[Figure: firewall rule "Allow SIP Calls (port 5060)". Endpoints 192.168.46.7 and 20.2.2.1 exchange an INVITE:5060 (SDP m=audio 29068) and a 200 OK:5060 (SDP m=audio 48097) through the near-end (NE FW) and far-end (FE FW) firewalls, whose addresses 10.5.5.1 and 212.5.5.5 appear in the diagram. The resulting RTP streams to ports 29068 and 48097 are not covered by the rule.]

Application Aware Firewall ALG Concept

[Figure: a SIP INVITE from internal host 10.1.2.3:5060 traverses the ALG firewall and appears externally as coming from 100.99.98.1:5060. Besides the IP and UDP headers, the ALG rewrites the application layer (a further Via header, SIP/2.0/UDP 10.7.5.6:5060, also appears in the diagram):
  Internal packet                        External packet
  From: 7777500@10.1.2.3                 From: 7777500@100.99.98.1
  Via: SIP/2.0/UDP 10.1.2.3:5060         Via: SIP/2.0/UDP 100.99.98.1:5060
  Contact: sip:userA@10.1.2.3            Contact: sip:userA@100.99.98.1
  SDP: o = 10.1.2.3 :49036               SDP: o = 100.99.98.1 :5012]

What the ALG changes between the internal and the external packet:
  Layer 5 (Application)  SDP [c;m;x]      Changed
  Layer 5 (Application)  SIP [From..To]   Changed
  Layer 4                UDP [Ports]      Changed
  Layer 3                IP [IP Add]      Changed
  Layer 2                MAC [MAC Add]    No change

In traditional NAT, the payload remains the same: only the layer 3/4 headers are translated.
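The three preceding slides (internal information leaking in SIP/SDP, media ports negotiated in SDP, and the ALG rewriting the payload) as one added example (not Dialogic code): it parses a constructed INVITE built from the slides' sample values, reports the negotiated RTP port a port-5060-only rule never opens, lists the private addresses exposed in the payload, and rewrites them as an ALG or SBC would. The function names and the INVITE text are assumptions of this example.

```python
# Added example (not Dialogic code): the work an application-aware ALG/SBC does
# that a plain NAT does not. It reports the RTP port negotiated in SDP (the
# pinhole a port-5060-only rule never opens), lists private addresses leaking
# in the payload, and rewrites them. Message constructed from the slide's values.
import re

PRIVATE_IP, PUBLIC_IP = "10.1.2.3", "100.99.98.1"
INVITE = ("INVITE sip:7777600@200.1.1.2 SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 10.1.2.3:5060;branch=z9hG4bK776\r\n"
          "From: <sip:7777500@10.1.2.3>;tag=1928\r\n"
          "To: <sip:7777600@200.1.1.2>\r\n"
          "Contact: <sip:userA@10.1.2.3>\r\n\r\n"
          "v=0\r\no=userA 2890 2890 IN IP4 10.1.2.3\r\n"
          "c=IN IP4 10.1.2.3\r\nm=audio 49036 RTP/AVP 0\r\n")
PRIVATE_RE = re.compile(r"\b(10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|"
                        r"172\.(?:1[6-9]|2\d|3[01])\.\d+\.\d+)\b")

def split_message(msg):
    """SIP headers and the SDP body are separated by one blank line."""
    head, _, body = msg.partition("\r\n\r\n")
    return head.split("\r\n"), body.split("\r\n")

def media_ports(msg):
    """Ports from every SDP m= line: chosen per call, unknown to a static firewall."""
    return [int(m.group(1)) for line in split_message(msg)[1]
            if (m := re.match(r"m=\w+ (\d+) ", line))]

def leaked_addresses(msg):
    """RFC 1918 addresses visible in the signaling payload."""
    return sorted(set(PRIVATE_RE.findall(msg)))

def alg_rewrite(msg, private_ip, public_ip, media_port=None):
    """Rewrite Via/From/Contact and SDP o=/c= (and the m= port when the device
    relays media) as the slide shows; Request-URI and To describe the far end
    and are left alone. A traditional NAT changes none of these lines."""
    head, body = split_message(msg)
    head = [l.replace(private_ip, public_ip)
            if l.split(":", 1)[0] in ("Via", "From", "Contact") else l for l in head]
    out = []
    for l in body:
        if l.startswith(("o=", "c=")):
            l = l.replace(private_ip, public_ip)
        elif l.startswith("m=") and media_port is not None:
            l = re.sub(r"^(m=\w+ )\d+", r"\g<1>%d" % media_port, l)
        out.append(l)
    return "\r\n".join(head) + "\r\n\r\n" + "\r\n".join(out)
```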

Where does an SBC Fit in an IP Communication Network?

  Layer              Data unit                                   Network element examples
  7 Application      Data
  6 Presentation     Data (e.g., data representation and encryption)
  5 Session          Data (e.g., SIP, H.323)                     SBC, SoftSwitch, B2BUA, application server
  4 Transport        Segments (e.g., TCP, UDP)
  3 Network          Packets (e.g., IP)                          Router
  2 Data Link        Frames (e.g., Ethernet, ATM, Frame Relay)   LAN switch
  1 Physical         Bits (e.g., bit transmission)

Layers 4-7 are the host layers; layers 1-3 are the media layers.

An SBC is a signaling device controlling media sessions over IP networks

The Solution

Dialogic BorderNet 4000 Session Border Controller
Security
- The BorderNet 4000 SBC is a service provider security solution for managing and protecting network resources, applications and services
- The 4000 SBC secures the core network from unauthorized signaling and media flows arriving from public networks:
  - Engineered as a scalable solution for a multitude of popular services (voice, video, presence, instant messaging, etc.)
  - Real-time response to network security threats
  - Packet flows are dynamically analyzed and controlled before they can degrade the BorderNet 4000 SBC or core network performance

Dialogic BorderNet 4000 Session Border Controller
Platform
- Session capacity
  - 250-32,000 licensed sessions (SIP, H.323)
  - 600 CAPS (media and signaling)
- Hardware platform
  - 1U x 20 deep
  - Dual multi-core 2.4 GHz processors
  - 250 GB HDD (1+1 redundant, hot swappable)
  - AC/DC power supplies and fans (redundant, hot swappable)
  - Standalone and 99.999% availability HA configuration
  - NEBS ready
- Signaling and media connectivity
  - 4 x GigE copper or optical ports (1+1 redundant)
  - Hardware acceleration for IPsec, TLS and SSL is in place but not used
- Management and HA connectivity
  - Redundant 10/100/1000 BaseT Ethernet ports
- Scalability
  - 1,024 VLANs
  - 2,048 IP addresses (signaling and media)
  - 500 SIP interfaces
  - 2,048 peers

[Figure: rear-panel port labels: Eth0 / MGT0, Eth1 / HA0, Eth2 / HA1, Eth3 / MGT1, and ports Eth4 through Eth11.]

Dialogic BorderNet 4000 Session Border Controller
Architecture
- Base architecture:
  - SIP B2BUA based architecture
  - SIP and H.323 IWF (interworking function) support
- Security:
  - ACLs, DoS protection, topology hiding, NAT/NAPT, etc.
  - TLS encryption for signaling security
- Interworking:
  - Header manipulation (modify, add, delete, digit manipulation)
  - SDP manipulation to control codec choice
- Routing and session control:
  - Static interface routing
  - SIP header-based routing
  - Integrated DNS
- Management and operations:
  - Integrated web-based provisioning, status, performance, reporting
  - Profile-based provisioning
  - Session tracing using Wireshark with custom filters
  - Real-time QoS and session statistics reporting

Dialogic BorderNet 4000 Session Border Controller
Security
- Layer 6 and 7 (SDP)
  - Allows sessions from configured / unconfirmed peers
  - Dynamic blacklisting of misbehaving peers
  - Session constraints based on bandwidth and call rates
  - Customizable topology hiding
- Layer 5 (SIP / H.323)
  - Syntax and semantic validation of all signaling messages
  - TLS for SIP and management traffic
- Layer 3 and 4
  - Rate-limiting to protect against DoS attacks
  - Media topology hiding
  - TCP/IP firewall

[Figure: the OSI layer stack (Layer 7 data; Layer 6 data, e.g., data representation and encryption; Layer 5 data, e.g., SIP, H.323; Layer 4 segments, e.g., TCP, UDP; Layer 3 packets, e.g., IP; Layer 2 frames, e.g., Ethernet, ATM, Frame Relay; Layer 1 bits, e.g., bit transmission) drawn alongside the protections listed above.]
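The call-rate constraint and the dynamic blacklisting of misbehaving peers listed above, modelled as an added per-peer sliding-window guard (example code, not Dialogic's implementation): the `PeerRateGuard` class, the thresholds, the peer addresses and the INVITE arrival log are constructed sample values.

```python
# Added example (not Dialogic code): "session constraints based on call
# rates" and "dynamic blacklisting of misbehaving peers" modelled as a
# per-peer sliding-window limiter in front of a SIP interface. Thresholds, peer
# addresses and the INVITE arrival log below are constructed sample values.
from collections import deque, defaultdict

class PeerRateGuard:
    def __init__(self, max_cps, window=1.0, strikes=3, ban_seconds=60.0):
        self.max_cps = max_cps             # INVITEs a peer may send per window
        self.window = window
        self.strikes = strikes             # over-limit events before a dynamic ban
        self.ban_seconds = ban_seconds
        self.arrivals = defaultdict(deque) # peer -> recent INVITE timestamps
        self.strike_count = defaultdict(int)
        self.banned_until = {}             # peer -> time the dynamic ban expires

    def admit(self, now, peer):
        """Return 'accept', 'reject' (over rate) or 'banned' for one INVITE."""
        if self.banned_until.get(peer, 0.0) > now:
            return "banned"
        q = self.arrivals[peer]
        while q and now - q[0] >= self.window:   # forget arrivals outside the window
            q.popleft()
        if len(q) >= self.max_cps:
            self.strike_count[peer] += 1
            if self.strike_count[peer] >= self.strikes:
                self.banned_until[peer] = now + self.ban_seconds
                return "banned"
            return "reject"
        q.append(now)
        return "accept"

    def is_banned(self, now, peer):
        return self.banned_until.get(peer, 0.0) > now

# Constructed arrival log: (seconds, peer IP). 200.1.1.2 sends one call per
# second; 111.5.5.1 bursts 12 INVITEs within 250 ms.
SAMPLE_LOG = [(t, "200.1.1.2") for t in range(0, 5)] + \
             [(0.3 + i * 0.02, "111.5.5.1") for i in range(12)]

def run(log, max_cps=5):
    """Feed the log through the guard; return per-peer verdict counts and the guard."""
    guard = PeerRateGuard(max_cps)
    verdicts = defaultdict(lambda: defaultdict(int))
    for now, peer in sorted(log):
        verdicts[peer][guard.admit(now, peer)] += 1
    return {p: dict(v) for p, v in verdicts.items()}, guard
```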

Dialogic BorderNet 4000 Session Border Controller
WebUI Local Manager
- WebUI Local Manager
  - Enables web-browser access to the built-in management system
  - Multiple user access / privilege levels
  - Support for all BorderNet 4000 SBC administrative and maintenance functions
- Real-time status and reporting
  - The WebUI local manager includes a dashboard with real-time status and reporting information
  - Dashboard data includes:
    - Concurrent sessions and sessions per second
    - Real-time system status metrics (e.g., alarms)
    - Top-level alarm view with instant access to details
    - Multi-level platform states view

Dialogic BorderNet 4000 Session Border Controller
Topology

[Figure: network topology diagram]

Summary
In this module we covered:
- What is a Session Border Controller (SBC)?
- VoIP challenges in traditional IP networks
- The solution: Dialogic BorderNet 4000 Session Border Controller
- BorderNet 4000 SBC features overview
- Types of network topology

Any Questions?

Dialogic, Veraz, Brooktrout among others as well as related logos, are either registered trademarks or trademarks of Dialogic Inc. and all companies controlling, controlled
by, or under common control with Dialogic Inc. (Dialogic). The names of actual companies and products mentioned herein are the trademarks of their respective
owners.
This document discusses one or more open source products, systems and/or releases. Dialogic is not responsible for your decision to use open source in connection with
Dialogic products (including without limitation those referred to herein), nor is Dialogic responsible for any present or future effects such usage might have, including
without limitation effects on your products, your business, or your intellectual property rights.
05/12
