Author Archives: InfoStructure

Role of Managed Services Environment

In a managed service offering, the service provider often delivers an MPLS (Multi-Protocol Label Switching) interface and a private address space into the organization from its own network.

We discussed managed SIP trunk service offerings, what they were and their advantages. Now we’ll drill down even further and look at why Ingate is an important part of these deployments to normalize SIP traffic, maintain network security and bridge the voice and data LANs for more effective use of SIP in the enterprise.

In a managed service offering, the service provider often delivers an MPLS (Multi-Protocol Label Switching) interface and a private address space into the organization from its own network. This resolves the NAT traversal issue, because the IP-PBX and the provider's network share an address space with no translation between them. It does not solve SIP normalization issues between the IP-PBX and the ITSP, and it does not address security. Regardless of the delivery mechanism of the SIP trunks, the Ingate unit is still required to normalize the traffic between the business and the service provider whenever the two SIP implementations are not identical.

From a security point of view, since the service provider is supplying the private IP addresses from its own network space and is therefore directly adjacent to the IP-PBX, businesses must ask themselves: Do I trust the service provider to protect my IP-PBX and the rest of my network from harm? If the answer is not a definitive “yes”, the company is well advised to install an Ingate SIParator or Firewall to perform this very important function.

Finally, by delivering service this way, the service provider in effect creates separate voice and data networks on the customer premises. Personal computers are not connected to the same LAN segment as the phones, so they cannot use services such as presence and instant messaging, soft clients cannot register, and users cannot self-configure their accounts from a PC. In these cases the Ingate can act as a bridge between the two networks, allowing the full capabilities of SIP, including the promise of business VoIP, to be realized.

Managed SIP Trunking Service Providers

Managed SIP Trunks offer the advantage of a closely monitored network maintained to deliver the highest voice quality.

The physical connection to the service provider can vary according to the needs of the enterprise, from a single T1 at 1.544 Mbps, which carries the same 23 simultaneous calls as a 23-channel PRI provided a compressed codec such as G.729 is used (uncompressed G.711 consumes roughly 80 kbps per call once RTP, UDP and IP headers are counted, so fewer than 20 such calls fit in a T1), up to fiber optic connections with very large capacities. Since voice is very susceptible to delay, the Managed SIP Trunking Service Provider will often deliver service over MPLS (Multi-Protocol Label Switching) with QoS markings that give voice packets delivery precedence over other services sharing the same physical connection.

For both of the above reasons, many service providers are willing to write Service Level Agreements (SLAs) that guarantee a certain level of service quality and managed SIP Trunks are often more expensive than those services which are offered over the Public Internet.
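The T1 sizing figure above depends on the codec and the packetization interval, because every RTP packet carries 40 bytes of RTP, UDP and IPv4 headers whatever its payload. The following calculator is an added example, not code from the original page; the codec bit rates, header sizes and T1 rate are standard values, and the link figures it is applied to are assumptions made for illustration.

```python
"""Per-call VoIP bandwidth and call capacity for a given link.  Added example,
not from the original page; codec figures are the standard G.711/G.729 values."""
from dataclasses import dataclass

RTP_UDP_IPV4_OVERHEAD = 40   # bytes per packet: RTP 12 + UDP 8 + IPv4 20
ETHERNET_OVERHEAD = 18       # bytes per frame: Ethernet II header 14 + FCS 4


@dataclass(frozen=True)
class Codec:
    name: str
    bit_rate_kbps: int       # raw audio bit rate before any packet headers


CODECS = {"G.711": Codec("G.711", 64), "G.729": Codec("G.729", 8)}


def per_call_kbps(codec_name, ptime_ms=20, include_ethernet=False):
    """Bandwidth for one direction of one call, in kbit/s.

    ptime_ms is the packetization interval (audio carried per RTP packet).  A
    shorter ptime means more packets per second and proportionally more header
    overhead, which is why "G.711 is 64 kbps" undercounts real link usage."""
    codec = CODECS[codec_name]
    packets_per_second = 1000 / ptime_ms
    payload_bytes = codec.bit_rate_kbps * ptime_ms / 8      # 64 kbit/s * 20 ms = 160 bytes
    packet_bytes = payload_bytes + RTP_UDP_IPV4_OVERHEAD
    if include_ethernet:
        packet_bytes += ETHERNET_OVERHEAD
    return packet_bytes * 8 * packets_per_second / 1000


def max_calls(link_kbps, codec_name, ptime_ms=20, include_ethernet=False):
    """Concurrent calls a full-duplex link carries with no headroom; leave some,
    and remember a T1 with HDLC/PPP framing has its own small per-packet cost."""
    return int(link_kbps // per_call_kbps(codec_name, ptime_ms, include_ethernet))


def capacity_report(link_kbps):
    """Calls per codec on one link: (IP-level count, count with Ethernet framing)."""
    return {name: (max_calls(link_kbps, name), max_calls(link_kbps, name, include_ethernet=True))
            for name in CODECS}


if __name__ == "__main__":
    T1_KBPS = 1544   # assumed link: a single T1
    for name, (ip_calls, eth_calls) in capacity_report(T1_KBPS).items():
        print(f"{name}: {per_call_kbps(name):.1f} kbps/call -> {ip_calls} calls on a T1 "
              f"({eth_calls} if Ethernet framing is counted)")
```

Run as a script it prints 80.0 kbps and 19 calls for G.711 against 24.0 kbps and 64 calls for G.729 on a 1544 kbps T1, which is why the 23-call figure only holds with a compressed codec.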

The firewall remains critical in this application as a security device between a foreign network and the enterprise network. It provides voice and data security for the enterprise against other foreign networks, and it monitors and secures the SIP traffic, protecting the IP-PBX from malicious attacks ranging from theft of service to Denial of Service. This matters because, without a security device in between, any malicious activity on the provider's network can quickly become an enterprise problem.

Managed SIP Trunks offer the advantage of a closely monitored network maintained to deliver the highest voice quality. The enterprise still needs to ensure that its own network is robust and free of internal bottlenecks that could degrade voice quality. Enterprises should also consider establishing their own security perimeter, so that they, and not the provider, control the network and decide who is allowed to use the SIP trunking service.

SIP Trunking Bring Your Own Bandwidth

Companies like InfoStructure provide open access to their telephony services over the Internet.

Internet Telephony Service Providers (ITSPs) provide SIP trunking services to anyone with Internet connectivity. VoIP is simply another application carried over the Internet alongside Web, e-mail, FTP and the other services commonly found there.

ITSP companies like InfoStructure provide open access to their telephony services over the Internet. The enterprise leases telephony services such as SIP trunking to provide PSTN numbers and access.

The ISP (Internet Service Provider) simply provides access to the Internet. The physical connection can vary according to the enterprise's needs; it can be as small as DSL or grow to T1, T3, Ethernet, OCx and more. The advantage is the consolidation of voice and data traffic on the same physical connection, maximizing bandwidth utilization and minimizing monthly recurring costs.

Firewalls are critical in this deployment, providing voice and data traffic security to the enterprise: solving the NAT traversal issues through the corporate firewall, monitoring and providing security to SIP traffic, and protecting the IP-PBX from malicious attacks.

The downside is that voice quality is only as good as the Internet connection in use, because that link is not managed end to end. The advantages of this type of delivery are that it is available anywhere and is typically offered at very attractive rates. With an Internet connection, a firewall at the edge to resolve the routing and security concerns, and a good ITSP, SIP trunking can be delivered anywhere in the world.

Port Forwarding for SIP

Port forwarding is a hole in your firewall.

In an attempt to overcome NAT issues, many IP-PBX and ITSP vendors recommend “port forwarding” all UDP and TCP traffic on port 5060 (the SIP signaling port) and a range of thousands of media ports on the NAT firewall to the IP-PBX. This is not a good idea, as it opens the network to serious risk. A port forward is a hole in your firewall: every UDP or TCP packet arriving on those ports is handed to the IP-PBX, whether or not it is SIP at all. Internet-wide SIP scanners probe port 5060 continuously, looking for PBXs that will accept registrations with weak extension passwords and can then be used for toll fraud, and a blind forward delivers those probes, and anything else an attacker sends, straight to the PBX.

SIP-aware firewalls instead inspect what arrives on the signaling port (5060), apply routing rules and policies only to traffic that is actually SIP, and discard everything else rather than forwarding it to the IP-PBX. They also open and close media ports dynamically: by tracking the media addresses and ports negotiated in the SDP of each call, they admit only the RTP streams that belong to an established session and route them accordingly.

These firewalls can also fix far-end NAT devices. If there is a SIP device behind a remote NAT device, the Ingate (with its Remote SIP Connectivity software module) can correct all of the SIP signaling traffic from the remote SIP device, and ensure ports remain open for future SIP signaling and media.

This is a cost-effective solution, since it removes the requirement for a SIP-aware firewall at each remote location while still giving traveling SIP users, remote workers and satellite offices access to the main office from wherever they are.

The Importance of a Firewall

Firewalls perform three critical functions in relation to SIP.

We discussed what Network Address Translation (NAT) is, its purpose on the network and why this is a problem when adopting SIP in the enterprise. In this issue, we will look at how Ingate SIP-capable security products solve the issues with NAT and do so while maintaining security.

Firewalls perform three very important functions. These functions are critical for any SIP implementation – including SIP trunking — and may provide other benefits as well depending on the construction of the network and the service that the business wishes to employ. The following are the most important of these functions:

  1. The firewall resolves NAT traversal issues and enables the adoption of SIP and SIP trunking by securely permitting SIP signaling and related media to traverse the firewall. Without this function, most companies will get one-way audio only, because the private address the IP-PBX advertises in its SDP is unreachable from the provider's side.
  2. The Ingate products also normalize the SIP traffic so that the IP-PBX at the customer site and the service provider's network are fully compatible. While SIP is a standard, each implementation can differ slightly, and service providers may each require a different level of authentication from the business. With the firewall in place, these requirements can be met.
  3. Security becomes important with the introduction of SIP trunking and other SIP services because, as a server, the IP-PBX is subject to the same types of threats as any other server on the enterprise network. A properly architected network therefore includes a firewall device to ensure that only authorized users can send or receive phone calls over the service, and that no malicious attack can render the IP-PBX inoperable.

What is NAT?

Understanding Network Address Translation (NAT) for use with SIP.

We often hear of problems with NAT Traversal and SIP. This week we provide a short synopsis of Network Address Translation and its purpose on the network and why this is a problem when bringing SIP into a network.

SIP carries addresses (in the Via, Contact and SDP lines of each message) as application-layer data, while the packets that carry those messages are addressed and routed at the network and transport layers. Network Address Translation (NAT) rewrites only the network- and transport-layer addresses and leaves the private addresses embedded in the SIP message untouched, and that disconnect is the challenge.

The purpose of a Network Address Translation (NAT) firewall for businesses is to translate between a single public IP address on the WAN and the multiple private IP addresses of the workstations, servers and other IP equipment within the LAN. The router running NAT should never advertise the LAN addresses to the WAN; only networks with global addresses may be known outside the router. Global routing information that NAT receives from the border router, however, can be advertised into the LAN in the usual way. Typical or traditional firewalls apply NAT at the network and transport layers of the TCP/IP stack.

NAT’s basic operation is as follows. The private address ranges (RFC 1918, for instance the Class A block 10.0.0.0/8) can be reused by any number of private domains. NAT is installed at each exit point between a private domain and the public WAN backbone. If there is more than one exit point, it is of great importance that each NAT has the same translation table.

For SIP to work effectively, the NAT issue must be resolved, and that is where a session border element such as a SIP-aware firewall becomes essential for enabling SIP services on an enterprise network.

SIP Routing Rules and Policies

Routing to accommodate SIP applications.

Deep Packet Inspection capable firewalls offer the ability to apply Routing and Dial Plan rules to all incoming SIP traffic. Because the Ingate product can look at Layer 2 through Layer 7 of the OSI model, Routing and Dial Plan rules can combine conditions from several layers at once. Combining, for example, the TCP/IP source address (Network and Transport Layers) with SIP attributes (Application Layer) ensures that only predefined SIP traffic is processed.

Best Routing Rules:

  1. Match From Header, where the router can match on the From Header SIP URI (the person making the call). In addition the router can distinguish the transport, whether UDP, TCP or TLS, and can specify which IP address or range of IP addresses at the Network layer calls will be accepted from. The From header is set by the caller and is trivially forged, so the source-address and transport conditions, not the From match alone, are what provide real assurance of where a call comes from.
  2. Match Request URI. The Request-URI is the routable header of any SIP request. The router can match and remove a prefix, match specific alphanumeric characters or a range of characters, and match on the domain.
  3. Forward To. The Forward To section defines where to actually send the call: perhaps to a predefined account, with its own registration and header-replacement behavior, or to an IP address or domain. It can also change the call to a different transport and port if required, and even dynamically bring in the B2BUA when needed.

The actual Dial Plan, then, combines these three attributes to provide the ultimate in flexibility and security in defining:

  • accepting where the call is coming from and
  • where the call is going. If the SIP traffic is not predefined it will be denied.

This also makes it possible to serve multiple IP-PBX vendors and multiple ITSP accounts at once, any number of ITSPs to any number of IP-PBXs. There is effectively no limit to how call routing can be customized in such devices.

Best Policies:

Policies related to SIP allow or disallow SIP traffic based on SIP methods, SIP MIME content, SIP domains and other higher-level rules. A SIP method policy can ensure that incoming SIP requests are matched on the particular method and on traffic to specified domains; if required, authentication can be demanded before the request is processed. Further policies can filter on MIME content type, to ensure only the expected kinds of SIP bodies are allowed, and filtering on specific header information is also possible.

Other Routing Rules and Policies can also be applied to allow for SIP Domain forwarding, Static SIP URI forwarding, SIP Registrar Authentication, and more.
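The following added example (not Ingate's code; the rule layout, addresses and domains are assumptions made for illustration) implements the dial plan and policies just described: a policy gate on method, MIME type and authentication, followed by an ordered set of routing rules that match the From domain, the transport, the source network and a Request-URI prefix, strip the prefix, and substitute a forward-to target. Anything that matches no rule is denied, and a request that merely claims a trusted From domain from an untrusted source address is denied too.

```python
"""Dial-plan matching for a SIP edge, as the routing rules and policies above
describe them.  Added example, not Ingate's code; rule syntax, addresses and
domains are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

URI_RE = re.compile(r"^(?:sips?:)?(?:(?P<user>[^@]+)@)?(?P<host>[^;:]+)")


def uri_parts(uri):
    """'<sip:2001@pbx.example.com>;tag=x' -> ('2001', 'pbx.example.com')."""
    if "<" in uri:
        uri = uri[uri.index("<") + 1:uri.index(">")]
    m = URI_RE.match(uri)
    return (m.group("user") or "", m.group("host")) if m else ("", "")


@dataclass(frozen=True)
class Request:
    method: str
    request_uri: str
    from_uri: str
    transport: str            # "UDP", "TCP" or "TLS"
    src_ip: str               # network-layer source, not anything the caller asserts
    content_type: str = ""
    authenticated: bool = False


@dataclass(frozen=True)
class RoutingRule:
    name: str
    from_domain: Optional[str]   # None = any.  From is caller-asserted and trivially
    transports: frozenset        # spoofed; src_networks and TLS carry the real assurance.
    src_networks: tuple          # CIDR strings the request must originate from
    uri_prefix: str              # matched against, and stripped from, the user part
    forward_to: str              # template; {user} is the stripped user part

    def matches(self, req):
        src = ipaddress.ip_address(req.src_ip)
        return (req.transport in self.transports
                and (self.from_domain is None or uri_parts(req.from_uri)[1] == self.from_domain)
                and any(src in ipaddress.ip_network(n) for n in self.src_networks)
                and uri_parts(req.request_uri)[0].startswith(self.uri_prefix))

    def forward_uri(self, req):
        user = uri_parts(req.request_uri)[0][len(self.uri_prefix):]
        return self.forward_to.format(user=user)


@dataclass(frozen=True)
class Policy:
    allowed_methods: frozenset
    allowed_mime: frozenset          # "" covers bodiless requests
    auth_required: frozenset         # methods that need a valid credential first

    def deny_reason(self, req):
        if req.method not in self.allowed_methods:
            return f"method {req.method} not permitted"
        if req.content_type not in self.allowed_mime:
            return f"MIME type {req.content_type!r} not permitted"
        if req.method in self.auth_required and not req.authenticated:
            return f"{req.method} requires authentication"
        return None


def route(req, rules, policy):
    """Policy first, then the first matching rule; anything not predefined is denied."""
    reason = policy.deny_reason(req)
    if reason:
        return ("deny", reason)
    for rule in rules:
        if rule.matches(req):
            return ("forward", rule.forward_uri(req), rule.name)
    return ("deny", "no routing rule matched")


# Constructed configuration: one ITSP on 203.0.113.0/24, one IP-PBX at 10.0.0.5.
RULES = (
    RoutingRule("itsp-inbound", None, frozenset({"UDP", "TLS"}), ("203.0.113.0/24",),
                "", "sip:{user}@10.0.0.5:5060;transport=udp"),
    RoutingRule("pbx-outbound", "pbx.example.com", frozenset({"UDP"}), ("10.0.0.0/8",),
                "9", "sips:{user}@trunk.example.net;transport=tls"),   # strip the outside-line 9
)
POLICY = Policy(frozenset({"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER"}),
                frozenset({"", "application/sdp"}), frozenset({"REGISTER"}))

if __name__ == "__main__":
    inbound = Request("INVITE", "sip:2001@pbx.example.com", "<sip:+15415550100@itsp.example.net>",
                      "UDP", "203.0.113.10", "application/sdp")
    print(route(inbound, RULES, POLICY))   # ('forward', 'sip:2001@10.0.0.5:5060;transport=udp', 'itsp-inbound')
    spoofed = Request("INVITE", "sip:915415550199@pbx.example.com", "<sip:2001@pbx.example.com>",
                      "UDP", "198.51.100.7", "application/sdp")
    print(route(spoofed, RULES, POLICY))   # ('deny', 'no routing rule matched')
```

Rules are evaluated in order and the first match wins, so the more specific or more trusted path should be listed first; the policy is checked before any rule so that an unwanted method or body type is rejected even when a route would otherwise exist.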

The Basics of SIP Trunking

A basic understanding of how Session Initiation Protocol (SIP) works.

SIP Trunking is a term applied to the services offered by LECs (Local Exchange Carriers), ILECs (Incumbent Local Exchange Carriers), CLECs (Competitive Local Exchange Carriers) and ITSPs (Internet Telephony Service Providers) to terminate Voice over IP (VoIP) calls to the Public Switched Telephone Network (PSTN).

SIP Trunking allows enterprises and small businesses to eliminate a PSTN gateway at their site and outsource that function to a carrier. It is typically a lower-cost alternative to Primary Rate Interfaces (PRIs) because SIP trunks can be purchased in single-trunk increments (as compared to 23 channel increments for a PRI).

Other ways in which SIP trunks decrease costs:

  • With SIP trunks, a single network can be maintained within the organization, rather than separate voice and data networks.
  • Internet bandwidth can be used more efficiently.
  • Moves, adds and changes can be completed without major wiring upgrades.

SIP Trunks are delivered in several ways:

Over the Public Internet – SIP Trunking Anywhere: allows any enterprise, anywhere, to adopt SIP Trunking and assign some, possibly unused, bandwidth to voice at no extra connection charge, providing the highest ROI.

Managed Services: Carriers supply a dedicated, fully managed connection from their Point of Presence to the enterprise site. This service offers quality of service guarantees, but is somewhat more expensive.

MPLS Delivery: The carrier, usually an LEC, ILEC or CLEC, delivers a managed service using Multi-Protocol Label Switching to ensure the highest voice quality and reliability.

Voice quality, even over an unmanaged public Internet connection, is typically excellent. Typical savings over PRIs range from 40–60%, and the payback period for the equipment required, which may include an upgrade to the IP-PBX and the installation of an Ingate SIParator or Firewall, has been shown to range from 4 to 12 months.

With these facts in mind, there is no question that SIP Trunking offers compelling advantages for businesses large and small.

What is the SIP Protocol?

Learn how Session Initiation Protocol (SIP) works.

SIP (Session Initiation Protocol) is an Application Layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions include telephone calls, multimedia distribution, multimedia conferences and presence. The SIP protocol is defined in IETF RFC 3261, available at www.ietf.org.

SIP invitations are used to create sessions and carry session descriptions that allow participants to agree on a set of compatible media types. SIP makes use of elements called proxy servers to help route requests to the user’s current location, authenticate and authorize users for services, implement provider call-routing policies, and provide features for users. SIP also offers a registration function that allows users to upload their current locations for use by proxy servers. SIP runs on top of several transports, such as UDP, TCP and TLS over TCP.

SIP requests and responses are written in plain text and carried as the payload of the UDP or TCP segment inside the IP packet. Contained in the SIP requests and responses are the addresses of the source and destination participants. These addresses are SIP URIs, made up of a user part and a host address, where the host address can be either an IP address or a domain name. SIP routing decisions are therefore made on addresses carried at the Application layer, which the Transport and Network layers never look at.

Because SIP carries its addresses as Application-layer data while the packets that carry SIP messages are addressed and routed at the Transport and Network layers, the biggest problem the SIP protocol has is the disconnect between the two. Network Address Translation (NAT) rewrites only the Transport- and Network-layer addresses and leaves the private addresses inside the SIP message untouched, and thus the challenge.

911 Service Over InfoStructure VoIP

How does 911 emergency service work with VoIP telephone service?

InfoStructure provides a safe and reliable means of communication in times of emergency. InfoStructure 911 Dialing service operates differently than traditional 911, and because your safety is important to us, it is important that you provide us the street address where you will be using your InfoStructure VoIP service.

Most of our customers have access to either basic 911 or Enhanced 911 (E911) service. With E911 service, when you dial 911, your telephone number and registered address are simultaneously sent to the local emergency center assigned to your location, and emergency operators have access to the information they need to send help and call you back if necessary.

Customers in locations where the emergency center is not equipped to receive your telephone number and address have basic 911. With basic 911, the local emergency operator answering the call will not have your call back number or your exact location, so you must be prepared to give them this information. Until you give the operator your phone number, he/she may not be able to call you back or dispatch help if the call is not completed or is not forwarded, is dropped or disconnected, or if you are unable to speak. As additional local emergency centers become capable of receiving our customers’ information, InfoStructure will automatically upgrade customers with basic 911 to E911 service. InfoStructure will not give you notice of the upgrade.

You must register the physical location where you will utilize InfoStructure VoIP for each phone line. Also note that if you move your device to another location, you must register your new location. If you do not register your new location, any 911 call you make may be sent to an emergency center near your old location. You will register your initial location of use when you subscribe to the service.

IMPORTANT NOTE: 911 Dialing service over InfoStructure VoIP will not function in the event of a high-speed Internet or power outage or if your high-speed Internet or InfoStructure VoIP service is terminated.

WiFi phone: A WiFi phone is one that enables users to make phone calls from public WiFi hotspots or residential WiFi networks. Besides voice calls, these phones can be used to send e-mails wirelessly.