What is SIP Trunking? eBook - TMCnet

A vast resource for information about all things SIP – including SIP, security, VoIP, SIP trunking and Unified Communications.

Edition 1 June 1 2011


Table of Contents

What is the SIP protocol? (page 3)

The Basics of SIP Trunking (page 4)

What is NAT? (page 5)

SIP Trunking Bring Your Own Bandwidth (page 6)

Managed SIP Trunking Service Providers (page 7)

The Role of an Ingate in a Managed Services Environment (page 8)

What is SIPconnect and How Does Ingate Work with It? (page 9)

SIP Security (page 10)

Routing Rules and Policies (page 11)


What is the SIP Protocol?

SIP is an Application Layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions include telephone calls, multimedia distribution, multimedia conferences and presence. The SIP protocol is defined in IETF RFC 3261, located at www.ietf.org.

SIP invitations are used to create sessions; they carry session descriptions, which allow participants to agree on a set of compatible media types. SIP makes use of elements called proxy servers to help route requests to the user's current location, authenticate and authorize users for services, implement provider call-routing policies, and provide features for users. SIP also offers a registration function that allows users to upload their current locations for use by proxy servers. SIP runs on top of several different transport protocols, such as UDP, TCP and TLS.

The SIP requests and responses are written in plain text within the datagram of the IP header. Contained in the SIP requests and responses are the addresses of the source and destination participants. These addresses are SIP URIs, which have a UserInfo and a Host Address; the host address can be either an IP address or a domain name. For example, a SIP URI can look like “sip:[email protected]”. Therefore, the routing of SIP is done using IPv4 addresses at the Application layer and does not route at the Transport or Network layer.

As the addressing and routing of SIP are done at the Application layer, the biggest problem the SIP protocol now has is the disconnect between the IPv4 addressing and routing at the Application layer versus the IPv4 addressing and routing at the Transport and Network layers. Network Address Translation (NAT) occurs at the Transport and Network layers, and thus the challenge.

The Basics of SIP Trunking


SIP Trunking is a term applied to the services offered by LECs (Local Exchange Carriers), ILECs (Independent Local Exchange Carriers), CLECs (Competitive Local Exchange Carriers) and ITSPs (Internet Telephony Service Providers) to terminate Voice over IP (VoIP) calls to the Public Switched Telephone Network (PSTN).

SIP Trunking allows enterprises and small businesses to eliminate a PSTN gateway at their site and outsource that function to a carrier. It is typically a lower-cost alternative to Primary Rate Interfaces (PRIs) because SIP trunks can be purchased in single-trunk increments (as compared to 23 channel increments for a PRI).

Other ways in which SIP trunks decrease costs: with SIP trunks, a single network can be maintained within the organization, rather than both a voice and a data network. Internet bandwidth can be used more efficiently. Moves, Adds and Changes can be completed without major wiring upgrades.

SIP Trunks are delivered in several ways:

Over the Public Internet – SIP Trunking Anywhere
Allows any enterprise, anywhere, to adopt SIP Trunking and assign some, possibly unused, bandwidth to voice at no extra charge for the connection, providing the highest ROI.

Managed Services
Carriers supply a dedicated, fully managed connection from their Point of Presence to the enterprise site. This service offers quality of service guarantees, but is somewhat more expensive.

MPLS Delivery
The carrier, usually an LEC, ILEC or CLEC, will deliver a managed service using Multi-Protocol Label Switching to ensure the highest voice quality and reliability.

The voice quality, even over an un-managed public Internet connection, is excellent. Typical savings over PRIs range from 40-60%, and the payback period for the equipment required, which may include an upgrade to the IP-PBX and the installation of an Ingate SIParator or Firewall, has been shown to range from 4 – 12 months.

With these facts in mind, there is no question that SIP Trunking offers compelling advantages for businesses large and small.


What is NAT?


Network address translation (NAT)

We often hear of problems with NAT traversal and SIP. Below we provide a short synopsis of Network Address Translation, its purpose on the network, and why it is a problem when bringing SIP into a network.

Since the addressing and routing of SIP is done at the application layer, the biggest problem the SIP protocol now has is the disconnect between the IPv4 addressing and routing at the application layer versus the IPv4 addressing and routing at the transport and network layers. Network Address Translation (NAT) occurs at the transport and network layers, and thus the challenge.

The purpose of a Network Address Translation (NAT) firewall for businesses is to provide the translation between a single public IP address on the WAN and multiple private IP addresses for all of the workstations, servers and other IP equipment within the LAN. The router running NAT should never advertise the LAN network addresses to the WAN network backbone. Only the networks with global addresses may be known outside the router. However, global information that NAT receives from the border router can be advertised in the LAN network the usual way. Typical or traditional firewalls apply NAT to the TCP/IP protocol at the transport and network layers.

NAT's basic operation is as follows. The network addresses inside a private domain can be reused by any other private domain. For instance, a single Class A address could be used by many private domains. At each exit point between a private domain and the public WAN backbone, NAT is installed. If there is more than one exit point, it is of great importance that each NAT has the same translation table.

In order for SIP to work effectively, the NAT issue must be resolved, and that is where Session Border Elements, such as the firewalls and SIParators offered by Ingate, are very important for enabling SIP services on an enterprise network.
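The application-layer versus network-layer mismatch described above, as an added example that is not code from the eBook or from Ingate: a constructed REGISTER whose Via and Contact headers still carry the phone's private LAN address while the datagram arrives from the NAT's public address. The script flags the mismatch and applies the kind of rewrite a session border element performs; the addresses, the message and the RFC 1918 ranges used to define "private" are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample: a REGISTER as seen on the public side of a NAT firewall.
# The phone wrote its private LAN address into Via and Contact (application
# layer); the NAT rewrote only the IP/UDP headers (network/transport layers).
PACKET_SRC = ("203.0.113.7", 41002)  # observed public source ip/port (constructed)
SAMPLE_REGISTER = (
    "REGISTER sip:itsp.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776\r\n"
    "From: <sip:2125551234@itsp.example>;tag=1928\r\n"
    "To: <sip:2125551234@itsp.example>\r\n"
    "Contact: <sip:2125551234@192.168.1.20:5060>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# "Private" here means the RFC 1918 space a NAT firewall hides behind one public IP.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_HOSTPORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?")


def is_rfc1918(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in RFC1918)


def header(msg, name):
    """First value of header `name` (case-insensitive), or '' if absent."""
    for line in msg.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == name:
            return value.strip()
    return ""


def find_nat_mismatch(msg, packet_src):
    """List (header, private_ip, port) where Via/Contact name a private address but
    the datagram came from a public one. A Via already carrying 'received=' has
    been fixed up and is not reported."""
    findings = []
    for name in ("via", "contact"):
        value = header(msg, name)
        m = IPV4_HOSTPORT.search(value)
        if not m or (name == "via" and "received=" in value):
            continue
        if is_rfc1918(m.group(1)) and not is_rfc1918(packet_src[0]):
            findings.append((name, m.group(1), int(m.group(2) or 5060)))
    return findings


def nat_fixup(msg, packet_src):
    """Rewrite the message the way a session border element does: point Contact at
    the public address:port actually observed, and record that address on Via as
    received=/rport= so responses are returned through the NAT binding."""
    if not find_nat_mismatch(msg, packet_src):
        return msg
    src_ip, src_port = packet_src
    out = []
    for line in msg.split("\r\n"):
        key, _, value = line.partition(":")
        k = key.strip().lower()
        if k == "contact":
            m = IPV4_HOSTPORT.search(value)
            if m and is_rfc1918(m.group(1)):
                line = key + ":" + value[:m.start()] + f"{src_ip}:{src_port}" + value[m.end():]
        elif k == "via" and "received=" not in value:
            line = f"{line};received={src_ip};rport={src_port}"
        out.append(line)
    return "\r\n".join(out)
```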


SIP Trunking Bring Your Own Bandwidth


Internet telephony service providers (ITSPs) provide SIP trunking services to all who have Internet connectivity. VoIP communications is just another application provided over the Internet alongside Web, e-mail, FTP and other services commonly found on the Internet.

ITSP companies like Bandwidth, Broadvox, BandTel, BBTelsys, Excel and Babytel provide open access to their telephony services over the Internet. The enterprise leases telephony services such as SIP trunking to provide PSTN numbers and access.

The ISP (Internet Service Provider) simply provides the service used to gain access to the Internet. The physical connection to the Internet can vary according to the enterprise’s needs; it can be as small as DSL or grow to T1, T3, Ethernet, OCx, and more. The advantage is the consolidation of both voice and data traffic on the same physical connection, thus maximizing bandwidth utilization and minimizing monthly recurring costs.

Ingate Firewalls and SIParators are critical in this deployment, providing voice and data traffic security to the enterprise: solving the NAT traversal issues through the corporate firewall, monitoring and providing security to SIP traffic, and protecting the IP-PBX from malicious attacks.

The downside is that the voice communication is only as good as the Internet connection being used, because that link is not managed from end to end. The advantages of this type of delivery are that it is available anywhere and is typically offered at very attractive rates.

With an Internet connection, an Ingate SIParator or Ingate Firewall at the edge to resolve routing and security concerns, and a good ITSP, SIP trunking may be delivered anywhere in the world.


Managed SIP Trunking Service Providers


Managed SIP Trunking service is offered by facilities-based providers who have local Points of Presence (POPs) from which the “last mile” is delivered to the enterprise customer. Because the service provider has end-to-end control of the network, the quality can be monitored and controlled.

The physical connection to the service provider can vary according to the needs of the enterprise and may range from a single T1 with 1.5Mbps of bandwidth which is sufficient for 23 simultaneous calls, up to and including fiber optic connections with very large capacities. Since voice is very susceptible to delay, often the Managed SIP Trunking Service Provider will deliver service using MPLS (Multi-Protocol Label Switching) which assures that the voice packets will receive delivery precedence over other services being delivered on the same physical connection.

For both of the above reasons, many service providers are willing to write Service Level Agreements (SLAs) that guarantee a certain level of service quality, and managed SIP Trunks are often more expensive than those services offered over the Public Internet.

The Ingate remains critical in this application as a security device between a foreign network and the enterprise network. The Ingate Firewall/SIParator provides voice and data security for the enterprise, from other foreign networks. Ingate also monitors and secures the SIP traffic, protecting the IP-PBX from malicious attacks which may range from theft of service to Denial of Service attacks. This is important because any malicious issues on foreign networks can quickly become enterprise issues without a security device in between.

Managed SIP Trunks offer the advantage of a closely monitored network maintained to deliver the highest voice quality. The enterprise needs to ensure that its network is robust and that no internal bottlenecks exist that could reduce voice quality. Enterprises should also consider establishing their own security perimeter to maintain control of their network and of who is allowed to use the SIP Trunking services.


The Role of an Ingate in a Managed Services Environment

Previously we outlined managed SIP trunk service offerings, what they are and their advantages. Below we drill down further and look at why Ingate is an important part of these deployments: to normalize SIP traffic, maintain network security and bridge the voice and data LANs for more effective use of SIP in the enterprise.

In a managed service offering, the service provider often delivers an MPLS (Multi-Protocol Label Switching) interface and delivers a private address space into the organization from their network. This resolves the NAT traversal issues. However, it does not solve SIP normalization issues between the IP-PBX and ITSP. It also doesn’t address security.

Regardless of the actual delivery mechanism of the SIP trunks, the Ingate unit is still required to normalize the traffic between the business and the service provider when those two implementations are not identical.

From a security point of view, since the service provider is offering the Local Area Network and the private IP addresses from its network space, businesses must ask themselves: Do I trust the service provider to protect my IP-PBX and other parts of my network from harm? If the answer is not a definitive “yes”, then the company will be well advised to install an Ingate SIParator or Firewall to perform this very important function.

Finally, by delivering service this way, the service provider is in effect creating separate voice and data networks in the customer premises. This means that personal computers are not going to be connected to the same LAN segment and cannot be used for such services as Presence and Instant Messaging, soft clients cannot be used, and the PC cannot be used to self-configure user accounts. In these instances, the Ingate can act as a bridge between the two networks, allowing the full capabilities of SIP to be realized, including the promise of Unified Communications.


What is SIPconnect and How Does Ingate Work with It?

SIPconnect is a set of technical recommendations or best practices for SIP trunking. SIPconnect was developed by the SIP Forum to provide a common method for enterprises to connect to a SIP trunking service provider.

SIPconnect establishes basic minimum supported functionality for both service providers and IP-PBXs, and establishes the preferred method of negotiating those functions where multiple, legitimate options exist within the SIP standard. SIPconnect enables enterprises and SIP trunking service providers to more easily connect with one another using a reference architecture.

Several service providers have adopted the SIPconnect standard and many more are expected to implement SIPconnect in their networks soon.

However, not all IP-PBXs are compliant with the requirements of SIPconnect. Ingate supports SIPconnect. Ingate is committed to the adoption of SIP-based communications and SIP trunking for enterprises. SIPconnect is a major step forward toward standardizing interoperability among all of the components of a SIP trunking implementation.

Since not all IP-PBXs have enabled all of the features necessary to comply with SIPconnect, Ingate can provide that functionality on behalf of the IP-PBX, allowing the enterprise to successfully connect to SIPconnect-compliant SIP trunking service providers quickly, easily and securely.

The major benefit, of course, is seamless interoperability. Another important benefit is security: when the ITSP and IP-PBX are both truly interoperable, security risks are minimized.

SIP Security

Like any application, Voice over IP and all similar applications should be implemented in a way that ensures the continued security and integrity of the enterprise network. With the proper protections in place, SIP applications are very secure. In fact, VoIP calls can be more secure than those made on the PSTN. That is just an example of how, with the right measures, any SIP application can be secure enough for enterprise use.

The SIP protocol resides in the Application Layer; it is written in clear text within the datagram of a UDP or TCP transport. Because it is in clear text, it is readily readable by any malicious effort to compromise your VoIP or data traffic. Sensitive IP address information, port address information, contact addresses, usernames, SIP compliance capabilities, media stream attributes and more are all contained in the SIP protocol. In addition, the VoIP media stream is also unencrypted. Common media streams such as G711, G723, and G729 are open for malevolent efforts to record conversations over the Internet.

Given that SIP is a relatively new protocol for VoIP deployment, there have been very few malicious SIP attacks to date. But as popularity grows and SIP becomes more widespread, the possibility for these kinds of events increases.

But since the SIP protocol has been developed by the IETF, it has built-in capabilities to ensure that the security and control of the enterprise network is maintained, and that measures can be taken to protect the integrity of all Internet-based communications, even for the most sensitive conversations.

The IP-PBX should be deemed a “Mission Critical” server. The IP-PBX is the controller for all of the VoIP phones and SIP applications. Any service outage or degradation would result in the loss of communication and ultimately the loss of business revenue. The IP-PBX must be protected from the Internet and from foreign or unknown networks just as any other mission-critical server on the network. That means that the PBX should never be assigned a publicly routable IP address. The Network Address Translation to the private address space provides a layer of security that must be maintained for the IP-PBX.

Measures such as deep packet inspection, encryption and support for TLS and SRTP, authentication, intrusion detection and prevention (IDS/IPS) functionality, DoS attack detection and even SIP (and SIPconnect) compliance are all necessary ways to protect not just the SIP traffic, but also the network.


Routing Rules and Policies

The Deep Packet Inspection capability of Ingate SIParators and Firewalls offers the ability to apply Routing and Dial Plan rules to all incoming SIP traffic. As the Ingate product has the ability to look at Layer 2 through Layer 7 of the OSI model, Routing and Dial Plan rules can combine the use of several layers at once. Combining such things as TCP/IP (Transport Layer) with the SIP protocol (Application Layer) ensures that only predefined SIP traffic is processed.

Routing Rules

The Ingate Dial Plan has three main attributes:

1. Match From Header, where the Ingate can match on the From Header SIP URI (the person making the call). In addition, the Ingate can separate the Transport, whether UDP, TCP or TLS, and further we can specify which IP address or range of IP addresses at the Network layer we will accept calls from.

2. Matching Request URI. The Request URI is the routable header of any SIP Request. The Ingate can Match and Remove a Prefix, Match any specific alphanumeric characters or even a range of characters. This also includes Domain matching.

3. Forward To. The Forward To section defines where to 'actually' send the call – perhaps to a predefined account, with Registration and/or Header Replacement requirements/behavior; or to an IP address or Domain. It can also change the call request to a different Transport and port if required, and even dynamically assign the use of our B2BUA if needed.

The actual Ingate Dial Plan, then, combines these three attributes to provide the ultimate in flexibility and security by defining A) where the call is accepted from and B) where the call is going. If the SIP traffic is not predefined, it will be denied.

This also gives the ability to have multiple different IP-PBX vendors and multiple different ITSP accounts: N+1 ITSPs to N+1 IP-PBXs. There is no limit to the customization of call routing in the Ingate.

Policies

Policies related to SIP have to do with allowing or disallowing SIP traffic based on SIP Methods, SIP MIME Content, SIP Domains and other higher-level rules.
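The three dial plan attributes and the method policy described above, together with the SIP URI structure (UserInfo and host) from the "What is the SIP Protocol?" section, as an added example that is not Ingate's own code or rule format: a constructed INVITE from an ITSP is matched on the From URI's domain, the transport it arrived on and the network-layer source range (attribute 1), then on the Request-URI domain and a prefix that is matched and removed (attribute 2), and forwarded to the IP-PBX (attribute 3); requests that match no rule, or use a method the policy does not allow, are denied. The `Rule` model, addresses, domains and rule values are assumptions made for this example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: an inbound INVITE from an ITSP, arriving over UDP.
SAMPLE_INVITE = (
    "INVITE sip:+16035551000@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.9:5060;branch=z9hG4bKabc\r\n"
    "From: <sip:2125551234@itsp.example>;tag=77\r\n"
    "To: <sip:+16035551000@pbx.example.com>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SAMPLE_SRC = ("198.51.100.9", 5060, "UDP")  # network-layer source ip, port, transport

# A SIP URI is userinfo@host; the host may be a domain name or an IP address.
URI_RE = re.compile(r"sips?:(?:([^@>;\s]+)@)?([^>;\s:]+)")


def uri_parts(value):
    """Return (userinfo, host) of the first SIP URI in a header value or request line."""
    m = URI_RE.search(value)
    return (m.group(1) or "", m.group(2)) if m else ("", "")


def parse_request(msg):
    """Split a SIP request into (method, request_uri, {header name: first value})."""
    lines = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    method, request_uri, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return method, request_uri, headers


@dataclass
class Rule:
    """One dial plan row (a constructed model, not Ingate's configuration format)."""
    from_domain: str       # 1. Match From Header: domain of the From URI ...
    transports: tuple      #    ... the transport the request arrived on ...
    from_network: str      #    ... and the accepted network-layer source range
    strip_prefix: str      # 2. Matching Request URI: prefix to match and remove ...
    request_domain: str    #    ... and the Request-URI domain
    forward_to: str        # 3. Forward To: host:port the call is actually sent to
    methods: tuple = ("INVITE", "ACK", "BYE", "CANCEL", "OPTIONS")  # policy: allowed methods


def route(msg, src, rules):
    """Return the forward target URI (prefix removed) for the first matching rule,
    or None: traffic that is not predefined is denied."""
    src_ip, _, transport = src
    method, request_uri, h = parse_request(msg)
    _, from_host = uri_parts(h.get("from", ""))
    req_user, req_host = uri_parts(request_uri)
    for r in rules:
        if method not in r.methods:  # policy layer: method not allowed for this peer
            continue
        if (from_host != r.from_domain or transport not in r.transports
                or ipaddress.ip_address(src_ip) not in ipaddress.ip_network(r.from_network)):
            continue
        if req_host != r.request_domain or not req_user.startswith(r.strip_prefix):
            continue
        return f"sip:{req_user[len(r.strip_prefix):]}@{r.forward_to}"
    return None


# Constructed rule: accept this ITSP over UDP/TLS from its /24, strip the "+1" prefix, send to the PBX.
RULES = [Rule("itsp.example", ("UDP", "TLS"), "198.51.100.0/24", "+1", "pbx.example.com", "10.0.0.5:5060")]
```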


Case Study

The ROI on SIP Trunking: Secure VoIP Technology Cuts Phone Costs Forty Percent for Kool Smiles

Case Study: Kool Smiles, a children’s dental management practice in the U.S.

Kool Smiles, a children’s dental management practice in the U.S., was an early adopter of SIP trunking technology. SIP trunks have become a simple, cost-effective way for businesses to transition from traditional telephony to Voice-over-IP (or VoIP), which essentially shifts all phone calls to the Internet.

www.ingate.com


Ingate [email protected] P: (603) 883-6569 www.ingate.com