executive guide

EXECUTIVE GUIDE
Voice
over IP
VoIP is fast becoming a strategic business application
Compliments of
EXECUTIVE GUIDE
Table of Contents
Introduction.............................................................................................................................................................................................. 3
VoIP goes mainstream
VoIP trends
VoIP rollouts are becoming mainstream........................................................................................................................................ 4
Voice over IP
IP softphones slowly gain speed. ..................................................................................................................................................... 8
Watch out for Wi-Fi phones...............................................................................................................................................................10
IP telephony deployments struggle with power/heat issues . .............................................................................................. 11
Fixed-mobile convergence improves the economics of IP voice..........................................................................................13
Case studies
Speaking the language of convergence........................................................................................................................................14
UC Berkeley upgrades voice............................................................................................................................................................16
VoIP-based testing
VoIP testing team ventures into new terrain. ............................................................................................................................18
Session border controllers guide VoIP streams....................................................................................................................... 20
VoIP security
How to protect your VoIP network. ............................................................................................................................................... 26
Phishing leverages VoIP in new scam model. ........................................................................................................................... 30
Secure SIP protects VoIP traffic. ...................................................................................................................................................31
Researchers seek to save VoIP from security threats. ......................................................................................................... 32
Executive Guide EXECUTIVE GUIDE
Back to TOC
Introduction
VoIP goes mainstream
V
oIP is moving past the pilot stage, busting out of the contact center and expanding
beyond the branch office. It’s becoming a mainstream enterprise application.
Sales of IP PBXs surpassed TDM PBXs
for the first time last year, and by 2009 IP
PBXs are expected to account for 90% of the
market. The question for IT execs today is
not whether to move to VoIP, but how to do it
efficiently, securely and cost effectively - and
how to demonstrate ROI.
This Executive Guide presents benchmarks for determining VoIP rollout costs
and calculating ROI, advice from industry
experts on VoIP security threats and countermeasures, plus cutting-edge user case
studies, trends and testing.
According to Nemertes Research,
companies spent an average of 16 minutes
per employee planning their VoIP rollouts
in 2004, and that number skyrocketed to
64 minutes per user in 2005. Installation
time and the amount of time spent troubleshooting VoIP rollouts doubled, according to
the survey of more than 90 IT execs.
The conclusion of Nemertes researchers
is that today’s VoIP rollouts are part of a strategic, enterprise-wide convergence effort
that requires more planning across different
departments. For example, Nemertes found
that companies devoted an average of 12
people to convergence projects in 2004, but
that number increased to 27 in 2005.
When it comes to capital expenses, companies averaged $450,000 for their IP PBX
equipment; $580,000 for IP handsets; $50,000
for voice mail or unified messaging; $182,000
for audioconferencing and $100,000 for
management tools. But the largest expenditure was $1.4 million in network upgrades.
On the payback side, a converged
network can mean savings in staff costs
- companies in the survey averaged $80,000
in personnel savings. Investments in IP
videoconferencing have a payback period
ranging from 12 to 38 months. And payback
periods for audioconferencing are even
more impressive - ranging from 1.4 to 5
months.
Other cost savings can come from
moves, adds and changes, and consolidating
WAN links, reducing the need for cabling
and increased productivity.
Issues remain
But deploying VoIP isn’t easy. There are
a variety of security, policy and management
issues that need to be addressed.
When it comes to VoIP security, there’s
a whole host of new threats. Hackers can
attack VoIP endpoints with viruses and
worms, conduct man-in-the-middle attacks
to steal information or hijack a VoIP server,
launch denial-of-service (DoS) attacks
aimed at overwhelming VoIP gear, or disrupt
VoIP conversations through jamming or
broadcast storms.
However, there are countermeasures
you can take. VoIP is simply another type of
IP traffic, so there are tried and true security
tricks at your disposal. They include keeping
patches up to date, requiring strong authentication, installing anti-DoS tools and securely
configuring VoIP applications. In addition,
you can build an in-depth defense by segmenting your network so that VoIP servers sit
on a different physical or virtual LAN from
VoIP endpoints.
Also, consider Session Initiation Protocol (SIP)-aware firewalls, application layer
gateways, session border controllers (SBC)
to manage VoIP traffic flows, and using IPSec
or secure SIP to make sure that VoIP traffic is
protected between endpoints.
In a recent test of SBCs conduced by
Miercom, a variety of products demonstrated
that they can act as traffic cops, controlling
VoIP traffic streams at the edge of the network. However, the testing also showed that
setting up SBCs can be complex and costly.
Interop iLabs tested whether multivendor VoIP interoperability is possible, and
the results were encouraging. The testers
determined that new QoS mechanisms
introduced by the leading vendors do work
effectively.
On the other hand, there are some
tricky aspects to a VoIP deployment, especially when you get into network access
translation, which masks the identity of the
endpoint, and voice over wireless.
There are also issues that arise with
a convergence project that you may have
never even thought about. That’s what happened when Butler University migrated from
a hosted Centrex phone service to a Cisco
CallManager VoIP system.
Staffers from the voice, data and applications groups found that they didn’t even
speak the same language. For example,
when somebody mentioned MACs, the voice
people thought it meant “moves, adds and
changes,’’ the data people thought it meant
“machine access control’’ and the applications people thought it meant Apple laptops.
Then there’s something as simple as
power and heating issues. Companies are
finding that IP telephony equipment is
causing serious heat issues in wiring closets
and that Power over Ethernet switches are
creating an issue in terms of backup power.
Fortunately, there are solutions to all
of these problems. This Executive Guide
will provide guidance from the industry’s
top VoIP experts, cutting-edge research and
product testing, and those who have gone
through the rigors of a VoIP rollout.
Executive Guide EXECUTIVE GUIDE
Back to TOC
Section 1
VoIP trends
VoIP rollouts are becoming mainstream
Voice over IP
Nemertes study shows that as companies broaden their VoIP
rollouts, setup costs increase - but so do savings.
By Robin Gareiss, Network World
When IT executives make the strategic
decision to implement VoIP and other
converged applications, cost savings is one of
the key drivers.
But is VoIP really a money saver? Based on a
Nemertes Research survey of 90 IT executives,
the answer is yes - over time. In other words,
steep start-up costs will be offset in the long
run by significant savings.
One of the key findings in this year’s study
is that companies are spending more time
and money on planning, installation and
troubleshooting, compared with last year.
The reason is that VoIP increasingly is being
deployed as part of a strategic, enterprisewide
convergence project, rather than as a pilot
project or a technology deployed in a limited
setting, such as a branch office or contact
center.
Another important finding of the study is
that VoIP equipment generally costs about
the same as TDM gear, with the exception of
handsets.
It pays to plan
Since 2004, the amount of time spent
planning a VoIP rollout has quadrupled. This
is where participants spend most of their
overall operational start-up time. They have
learned from peers about the nightmares that
result from a poorly planned deployment.
Because VoIP is typically part of a larger
convergence effort, organizations are
spending more time upfront trying to identify
steps in the project - and preparing the
networks for them. Several early adopter IT
executives who participated in the study said
if they had spent more time planning, they
would have had a smoother rollout and spent
less time troubleshooting.
Is your network ready?
As part of planning, IT staffs should perform
or hire someone to perform baseline network
assessments, also known as network readiness
tests. Companies typically spend $3,000 per
location for small implementations (usually
five or fewer sites) or an average of $63,500
for a comprehensive, multisite evaluation.
Comprehensive evaluations range from
$12,000 to $150,000.
Management costs
When measuring management cost per
user by vendor, Nortel deployments are the
most expensive to manage, primarily because
many are hybrid, and customers still require
staffs to maintain the TDM gear.
Nortel costs $268 per user to operate in
smaller rollouts, and $87 in larger rollouts.
ShoreTel is the least expensive to operate, at
$13 per user for smaller rollouts and $10 per
user for larger rollouts.
In reviewing total overall costs for
maintaining a VoIP system, however, Cisco, at
$256,750 per year, is the most expensive for
Management costs
When measuring management cost per user by vendor, Nortel deployments are the most expensive to manage, primarily because many are hybrid,
and customers still require staffs to maintain the TDM gear.
Nortel costs $268 per user to operate in smaller rollouts, and $87 in larger
rollouts. ShoreTel is the least expensive to operate, at $13 per user for smaller
rollouts and $10 per user for larger rollouts.
In reviewing total overall costs for maintaining a VoIP system, however,
Cisco, at $256,750 per year, is the most expensive for implementations with
more than 1,000 units. and, at $124,266 per year, it’s also the most costly for
rollouts with fewer than 1,000 units.
Those four vendors garnered enough statistical response to be broken out
individually.
Executive Guide EXECUTIVE GUIDE
VoIP trends
Management tools are key
Management tools often are an unplanned
expense, but they’re key to the success of a
VoIP project. Only about 15% of organizations
actually budget
for such tools upfront,
but more than half seek specialty
tools within 12 to 18 months of their rollouts.
The amount organizations budgeting for
or buying third-party management tools are
willing to spend has increased in the past
year. This is primarily because they recognize
they need solid tools - and a new class of
tools - to manage a converged network
effectively. Based on that, the recommended
management budget has increased slightly
this year. (See “Benchmarks for VoIP
deployments.”)
Training is another often-overlooked area. IT
executives cited training as one of their key
recommendations to peers based on lessons
learned in their own projects. Value-added
resellers and vendors often will include
training as part of the deal. But several IT
executives suggest that vendors invest more
in consistent, nationwide training programs
- even if they must charge for them.
“Part of the problem is finding training,” says
the CTO of a healthcare company. “We don’t
have a $2,000-per-engineer budget, but we do
provide training piecemeal.”
In fact, the amount organizations are
spending on training has decreased since
2004. For example, small companies were
spending about $2,500 per person on training
in 2004, and they’re now spending closer to
$2,000.
Nemertes recommends internal IT staffs
train users on the new handsets and features
whenever possible. The best approach is to
schedule 20- to 30-minute sessions with small
groups of users and teach them the basics.
Rather than trying to force all users to use
all features and applications at the same time,
companies that have installed additional
features (for example, unified
messaging or real-time communications
dashboards) should solicit tech-friendly trial
users who will build consensus among their
peers. Before long, users will be asking for the
“cool new feature” that Bob in the next cube
has been using.
Cost savings
The specific areas vary in which companies
find cost savings, but companies almost
always do find some. The most important
thing to remember when creating a businesscase analysis is that each company’s savings
depends greatly on architecture, vendor or
carrier selection, application rollout plans
and staffing levels, among other factors.
Generally, organizations save money (or
increase top-line revenue) the most in a
few areas: staffing, ongoing management
and
administration, IP
audioand
videoconferencing, telecom circuits, cabling
new buildings, and employee productivity.
Staffing
When they start using VoIP, organizations
typically save on their staffing requirements,as
well as the money they spend on outsourcers
Executive Guide GIACOMO MARCHESI
implementations with more than 1,000 units.
and, at $124,266 per year, it’s also the most
costly for rollouts with fewer than 1,000 units.
Those four vendors garnered enough
statistical response to be broken out
individually.
As companies install VoIP in more branch
offices and give handsets to more users (as
opposed to simply IP-enabling a TDM PBX),
the amount of time staffs spend installing the
gear increases.
Troubleshooting time also is increasing,
but not at the same rate as planning and
installation.Troubleshooting includes the time
spent repairing problems after installation and
until the system is considered full-production.
Companies
with
higher-than-normal
troubleshooting times typically devoted
lower-than-normal time to planning. So it
makes sense that as IT staffs spend more time
upfront planning the rollout, troubleshooting
time should grow more slowly.
There are three primary reasons behind
the increases in operational start-up time
- and thus, cost. First, organizations are
taking their VoIP projects more seriously
because they are the first step of an overall
convergence effort, and consequently
need to devote more people from different
disciplines (applications, security, voice, data)
to the rollout. In 2004, companies devoted an
average of 12 people to convergence projects,
compared with 27 people by late 2005.
Second, the salaries of IT staff working on
convergence projects have increased. The
average salary with benefits was $96,766 in
2004, compared with $98,621 in 2005.
Third,companies are devoting more money to
consulting costs related to design and
implementation. The median consulting cost
is $23,125, but the range is from $500 to $2
million, according to the survey. The goal is to
take advantage of the experience of systems
integrators and resellers, maintain flexibility
with internal staffs, and improve the rate of
project success.
Back to TOC
EXECUTIVE GUIDE
VoIP trends
and consultants. However, a small
percentage (5%) said they had to
increase their staffs because of
VoIP. In those cases, they added one
to three employees, regardless of
overall staff size.
The average personnel savings
has increased from 2004, when
organizations
reassigned
or
eliminated an average 0.74 positions,
at $76,830 per year. This year the
figure, when averaged among all
organizations, is 0.76 positions, at
$81,240 per year.
Nearly one-third of the participants
said they saved on staffing costs.
When the numbers were run
for only those organizations, the
average staff savings jumped to 1.46
employees, or $192,584 in salaries
and consulting costs.
Participants said they typically
reassign people rather than walk
them to the door. In addition, some
of the personnel savings comes from
cost avoidance.
“If I had to go with TDM, I’d have
to hire more people,” says the global
telecom director of an entertainment
company with a growing, 2,500person VoIP rollout. “I’m working
with 20% to 40% less with IP.”
Management and administration:
Exactly what are these staff
members doing, and how much
time are they spending maintaining
the voice network? First, they
generally don’t distinguish between
maintenance and troubleshooting.
It’s all just managing the voice
network.
What that includes is making sure
IP PBXs, handsets and softphones
are up-to-date on the latest revisions;
troubleshooting
performance
problems or outages; moves, adds
and changes (MAC); and monitoring
overall performance.
Some - typically small and
Back to TOC
midsize
organizations
are
starting to outsource the day-today management of VoIP systems.
“We’re considering eliminating a
person and outsourcing the actual
maintenance of the system,” says
the IT director of a large law firm.
“There’s not enough to do to keep
someone with those skills on-site.”
Savings on MACs are one of the
most important ways organizations
justify their VoIP rollouts. Overall,
participants spend an average of
$124 on MACs.This number includes
MACs done internally and externally.
The cost ranges from $29 to $450:
At the low end are internal MACs
done by an efficient, experienced
and/or low-paid staff. At the high
end - generally in large cities - are
external MACs.
The number of MACs increases
with company size, not surprisingly,
and ranges from 197 to 136,020.
MAC penetration, however, isn’t
as dependent on company size
(penetration is the percentage of
MACs based on the total employee
base).
The big shift this year is that on
average, organizations make 1.28
MACs for each employee.Realistically,
at most organizations employees
don’t change offices more than once
a year. What happens is more like a
chain reaction. One person leaves
the company, and three to five MACs
result - one for the person leaving,
one for the person who wants that
office, one for the person who wants
the next-vacated office, and one for
the replacement.
In moving to VoIP, MACs become
very simple. The time involved for
a TDM MAC is 30 to 90 minutes, but
an IP MAC takes 10 minutes or less.
The total cost savings, depending
on the number of MACs at a given
organization, can therefore be
significant.
Benchmarks for VoIP deployments
There are four spending benchmarks: start-up
costs, capital expenses, training and management.
MEDIAN START-UP COSTS
Fewer.than.100.users
$143.per.user
More.than.100.users
$53.per.user
AVERAGE CAPITAL EXPENDITURES
VoIP implementations, all sizes
IP.PBX
$448,221
IP.PBX,.messaging
included
$562,024
IP.handsets
$580,799
Network.upgrades
$1,398,527
Voice.mail/UM
$54,333
Audioconferencing
$182,463
Management
$100,000
RECOMMENDED TRAINING
Deployment Number of
locations
size
Very.small Fewer.than.5
Users to train
0.to.1.
(0.=.outsourced)
Cost per
user
$2,000
Small
6.to.20
1.to.2
$2,000
Midsize
21.to.250
3.to.5
$1,800
Large
251.to.1,000
10.to.15
$1,500
15.or.more
$1,500
Enterprise 1,001.or.more
RECOMMENDED MANAGEMENT BUDGET
Number of
Budget
Deployment size locations
Very.small
Fewer.than.5 Freeware,.IP.PBX.tools,
carrier.tools.
Small
6.to.20
$25,000.to.$50,000
Midsize
21.to.250
$75,000
Large
251.to.1,000
$100,000
Enterprise
1,001.or.more $100,000+.(depends.on
the.configuration;
requires.consultation)
SOURCE:.NEMERTES RESEARCH
Executive Guide EXECUTIVE GUIDE
VoIP trends
Back to TOC
IP conferencing:
Another area of savings is video- and audioconferencing.
The payback period is six to 12 months when organizations
replace an ISDN-based audio- or videoconferencing system with
an IP system. Typically, companies pay $200 to $300 per hour
for ISDN-based videoconferencing services (and as much as
$2,000 for global calls), and 6 cents to 12 cents per minute for
audioconferencing services.
Several organizations say they’re using IP video- and
audioconferencing for internal communications, which can be
10% to 75% of their audioconferencing calls and 30% to 60% of
their videoconferencing calls, depending on the industry. They
use service providers for external calls; typically these are ISDNbased services, but they’ll use more IP-based services as the
carriers migrate to IP.
By shifting from ISDN to IP videoconferencing, organizations
can see a payback in 12 to 38 months, based on the averages
from the Nemertes study.
Payback periods are even more compelling for
audioconferencing: 1.4 to 5 months, based on averages from the
study (see “Benchmarking VoIP savings”).
Telecom circuits
By integrating access lines and consolidating unused capacity
on WAN links, organizations report they’re saving as much as 50%
on their network service costs.
Cabling
For new offices, cabling costs drop by 40% to 50%, because
there’s no need to run three to four drops per desktop. Instead,
companies can run one or two drops per desktop, eliminating
the cost of the cable and, more significantly, the labor to do the
job.
Employee productivity
Though difficult to measure, organizations are seeing improved
productivity when they roll out VoIP and associated collaborative
applications. These savings are mostly anecdotal, however.
For example, hospitals save on nurses’ salaries by deploying
wireless VoIP phones. They trim 15 to 30 minutes off each eighthour shift of a nurse, nurse technician or unit clerk in a hospital
setting. That translates to 234 to 548 hours per year, per shift, per
employee that can be devoted to other tasks. With an average
loaded hourly salary of $28, hospitals save $6,552 to $13,104 per
nurse, nurse technician or unit clerk per year.
Gareiss is executive vice president and senior founding
partner and CFO for Nemertes Research. She can be reached at
[email protected].
Executive Guide EXECUTIVE GUIDE
VoIP trends
Back to TOC
IP softphones slowly gain speed
PC-based VoIP gains a foothold in call centers
and with mobile workers
By Phil Hochmuch, Network World
Corporate users are talking on IP softphone
clients everywhere - or nowhere, depending
on whom you talk to.
While use of PC-based VoIP software is taking
off in homes and college dorms, the use of
softphones in companies remains somewhat
mixed. They are having some success among
road warriors and telecommuters, as well as
telephone-centric workers such as call-center
agents.
Telephony software on PCs has been
around since the 1990s, but the emergence of
Skype and the wider adoption of broadband
have made the technology more accessible
and familiar than ever. Many companies also
now support pockets of softphone users or
even large divisions of traveling employees
with the technology.
“The IP softclient is a big thing for us,” says
Steve Lydston, network manager for Nissan
North America, whose company is in the
process of installing Siemens softphone
clients on more than 1,000 laptops for
its executives and mobile users. He says
deploying softphones on the laptops of
executives traveling abroad provides
measurable cost savings.
“[Users] could be ringing up hundreddollar cell phone bills by making cell phone
calls overseas,” Lydston says.“If you’re already
paying $10 to the hotel for broadband, the
calls are free over the softclient. Plus, the
quality is about as good as a cell phone’s, and
a lot of times, it’s better.”
Nissan North America also is gaining
productivity and cost savings with softphones
without having to go through an entire
corporatewide VoIP upgrade, which could
add cost and complexity, Lydston says.
Softphone clients on laptops are configured
to connect into one of several large PBXs.
The clients tunnel into the corporate LAN
with VPN links and access IP cards installed
on the PBXs.
Overall, Lydston admits, the financial
payback of softphones won’t blow away the
company’s accountants.“It’s more like found
money,” he says of the savings, which could
run into the tens of thousands of dollars
per month.“That’s a drop in the bucket for a
billion-dollar company like ours.”
What keeps softphones from becoming a
killer app in other companies seems to be
like the proverbial death from a thousand
paper cuts. Some of the many issues include
complicated PC sound configurations,
end users’ dislike of headset devices,
unfamiliarity with softphone interfaces and
the awkwardness of talking to someone over
a PC instead of a handset.
“Quite frankly [softphones] are more of
a novelty than a real value-added type of
application for us,” says Phil Go, CIO for
Barton Marlow, a Chicago construction firm.
VoIP is a mature technology at Barton
Marlow, which installed a Cisco CallManager
IP PBX and more than 200 IP phones four
years ago. Go can rattle off dozens of benefits
that IP telephony has made for his company,
but softphones are not high on the list.
There is no such thing as making a quick
call with a Cisco softphone client, he says. A
user’s laptop must first boot up, and then the
correct PC audio settings must be configured.
The VPN client must log into the network to
connect with the Cisco CallManager. Carrying
around a headset is another negative.
“End users sometimes have a hard time with
all this stuff,” Go says.“Plus, cell phones are so
cheap these days, and it’s so much easier and
faster to pick up your phone wherever you
are and make a call.”
Perhaps the brand most known for bringing
softphone technology to the mainstream is
Skype. The little European start-up, purchased
by eBay last year for $2 billion, has an
installed base of 9 million users. Recently,
the company launched a small-business VoIP
service for organizations with fewer than 10
users.
Skype is used widely at Dickinson College
in Carlisle, Pa., where IT staff has found
interesting ways to use the technology.
The college’s IT department made Skype
part of its standard PC and laptop software
image distributed to computers for staff,
faculty and students.
“We have a lot of offices abroad, with people
doing research who can use Skype even if
they don’t have phone service,” says Todd
Bryant, language program administrator for
the college’s academic technology division.
“The IT staff likes it because they can send
quick messages [via instant message] and
share files as well.”
Skype is a natural fit for the college’s
languages
department, where
Skype
conversations are set up between Dickinson
students studying French, German, Italian,
Russian or Spanish and native speakers from
those countries who are at a similar level in
studying English.
“Language students can make a [Skype
connection] from our PC lab and get
Executive Guide EXECUTIVE GUIDE
VoIP trends
bandwidth priority,” Bryant says. “And if
students want to record the conversations for
credit, we have software for that, too.”
What makes Skype so useful is its simplicity.
Back to TOC
“We started to try to do this before Skype came
around,” Bryant says. “But it’s so far ahead
of other applications, especially in getting
through unpredictable firewall or [network
address translation] configurations. If you’re
calling up a random class somewhere that
might not have good IT support, that’s where
Skype has a big advantage.”
Softphone options
Almost all PBX and IP PBX vendors offer softphone clients for their phone systems. (These include
3Com, Alcatel, Avaya, Cisco, Mitel, Nortel, Siemens, ShoreTel, Inter-Tel, Sphere, Toshiba and Zultys
Technologies, among others.) Depending on what type of phone system is (or isn’t) already installed,
users have several options.
Traditional PBXs
VoIP traffic through.
Users of traditional PBXs can connect workers with
softphone by:
No PBX (client-based only)
• Installing an IP card - such as an NIC for the PBX,
• Download clients such as Skype, Vonage, SIPhone,
supplied by the vendor - which gives the phone switch an IP
address on a LAN.
• Installing softphone clients (proprietary to the vendor) on
laptops and PCs. (Remote users will require a VPN infrastructure to access the PBXs IP internal address.)
• Reconfiguring firewall settings, if necessary, to let all VoIP
traffic through.
• In April, the Federal Trade Commission brought suit
against four Detroit men who used open relays to disguise
their e-mail identities and sent spam promoting bogus diet
aids.
IP PBXs
• No special hardware is required on IP PBXs.
• VPN software and hardware are required to access the
phone system remotely.
• Firewall settings may have to be reconfigured to let all
Net2Phone, FreeWorldDialup, SipXphone and many others.
• Most clients support PC-to-PC calls for free with compatible SIP-based clients (except Skype, which is proprietary).
• Clients can be used internally or externally, since a peer-
to-peer or an external VoIP infrastructure is used to control
calls.
• Calling real public phone numbers could require gateway
hardware or cost extra as a monthly service or minutes
plan.
• Firewall settings may have to be reconfigured for all VoIP
traffic to get through. Windows and open source options
• Windows Communicator clients can act as softphones,
running off a Live Communication Server on the back end.
• Asterisk, a free, downloadable open source IP PBX, has
a softphone client and interoperates with standard Session
Initiation Protocol-based softphones.
Executive Guide EXECUTIVE GUIDE
Back to TOC
VoIP trends
Watch out for Wi-Fi phones
Dual-mode phones could be an IT management nightmare
By Keith Shaw, Network World
Do you remember all of those employees who
brought home wireless LAN (WLAN) equipment and
then started bringing their cards and access points into
the workplace?
If you thought that was a mess, get ready for Wave 2
- the Wi-Fi cell phone.
At the recent CTIA Wireless 2006 show in Las Vegas,
Nokia and Samsung Mobile displayed mobile phones
that included a Wi-Fi radio in addition to the normal
wide-area wireless radio.
These vendors weren’t the first to do this, but these
models were the first ones geared to a consumer
audience. The earlier devices were geared to enterprise
customers who want to use Wi-Fi in an IT-controlled
environment, such as a college campus or warehouse,
as well as integrate with existing VoIP or PBX
infrastructures.
The Nokia 6136 and Samsung T709 are geared to the
Best Buy/Circuit City/mall kiosk crowd. For example, the Samsung
T709 lets calls channel from a Wi-Fi access point, through the Internet
and onto a cellular network to give users uninterrupted connections
when traveling between home and office or while on the road.
A phone that uses Wi-Fi and a cellular connection could mean
trouble for network managers. Imagine this help desk query from the
vice president of sales.“Yeah, I was making a cell phone call with my
spankin’ new cell phone, and I walked into a stairwell and the call
dropped - I just lost the $100 million deal I was working on.”
The vice president might not have realized that the call he was
making connected via the internal Wi-Fi network instead of the
regular cell network - all he knows is that the call dropped, and he
may blame you.
Just like they started asking for WLANs in the workplace, users
will start asking for better WLAN coverage for voice applications. I
The Nokia 6136 (left) and
Samsung T709 are some of the first
consumer-aimed cell-phones with
WI-FI capabilities. You’ve been warned.
discussed this issue with the head of the Wi-Fi Alliance at the CTIA
show, and he admitted that most enterprise WLANs were designed for
wireless data, not wireless voice.
He suggested that the best way for a company to find out where
its wireless coverage holes are is to add Wi-Fi-enabled phones to the
network and have people walk around the office and wait for the
calls to drop.
Last year when Network World tested the ability for WLAN systems
(enterprise switches and access points) to handle wireless VoIP traffic,
the results were dismal. We hope that when we test these systems
again later this year the numbers will improve.
At any rate, the clock is ticking for you to start improving your WLAN
network before other vendors come out with their Wi-Fi cell phones
and you’re inundated with employees pounding your WLAN with
voice traffic.
Executive Guide 10
EXECUTIVE GUIDE
VoIP trends
Back to TOC
IP telephony deployments struggle
with power/heat issues
Power-over-Ethernet switches, servers replacing
key phone systems make data center hotter.
By Phil Hochmuth, Network World
While the IP telephony market heats up,
thermometers are literally spiking in some
wiring closets and computer rooms where
VoIP and power-over-Ethernet (PoE) gear is
being installed, users say.
Equipment density and overheating are
constant issues for data center managers;
beating the heat is also becoming a topmind concern for network and telecom staff
deploying gear in wiring closets, as PoE and
VoIP equipment are set up in places that once
just housed lower-power switches, cooler hubs
and patch panel racks.
“Power in general has been our Achilles
heel in our [IP telephony] deployment,” says
John Haltom, network director at Erlanger
Health Systems, a southeast regional HMO in
Chattanooga, Tenn.
Achilles heel might overstate it, as Erlanger
has deployed over 1,500 IP phones in
production, both wired and wireless, running
off of a Nortel Communication Server 1000 IP
PBX. To support IP telephony, Haltom and his
staff installed PoE switches in wiring closets to
light up the phones, and uninterruptible power
supply (UPS) equipment to allow switches to
run during a power outage.
These redundancy and power requirements
challenged the healthcare organization’s IT
staff, which supports one 112-year-old hospital.
“Trying to retrofit areas that are already
cramped with larger PoE switches, larger
UPSes,” was the challenge, Haltom says.“By the
way, all that gear generates more BTUs, so you
have to upgrade the AC units in those closets.”
By most measures, the biggest heat-boosters
in wiring closets are the PoE switches, which
VoIP environmental fundamentals
When putting an IP PBX or Power over Ethernet (PoE) LAN switch
in a wiring closet to support IP phones on desktops, consider
power and cooling requirements for the equipment, experts say.
A sampling of environmentval/power specifications of some IP PBX/PoE LAN gear:
IP PBX gear
Vendor
Product
Heat (BTU’s
per hour)
3Com
Avaya
Cisco
Nortel
NBX 100
S8700 Media Server
MCS 7825
CS 1000
923
1,000
853
1,024
32 to 104
40 to 110
50 to 95
50 to 95
Heat (BTU’s
per hour)
Operating
temperature
938
32 to 104
534
546
575
32 to 113
32 to 104
32 to 104
Service provider
Vendor
Product
3Com
SuperStack 3 Switch
4400
Catalyst 3750 G-24PS
Summit 400-24p
Switch 460-24T-PWR
Cisco
Extreme
Nortel
Operating
temperature
Executive Guide 11
EXECUTIVE GUIDE
VoIP trends
do double duty in transporting Ethernet
traffic, and acting as AC power supplies for
all IP phones and other PoE-capable gear
plugged into the devices powered ports. For
example, Cisco’s non-PoE 24-port Catalyst
3750 LAN switch generates around 176 BTUs
of heat per hour; add the PoE option, and the
switch heats up to 534 BTUs.Add in a standard
UPS that dissipates 80-100 BTUs, and you’ve
more than tripled the heat output in just one
wiring closet in order to support IP telephony.
Similarly, Nortel’s 24-port Switch 420-T heats
up to 220 BTU; its PoE-capable Switch 460-24TPWR is more than double that.
Planning for how this gear will be cooled off
and kept safe should not be an afterthought,
experts say.
“All network devices should be placed in
Back to TOC
locations with … adequate heat dissipation,
ventilation, and air conditioning,” according
to Salvatore Collora and Ed Leonhardt,
two Cisco Certified Internetwork Experts,
writing in Planning the Cisco CallManager
Implementation, published in 2004 by
Cisco Press. “Although it is surprising, some
deployments actually store servers and
switches in broom closets and under desks.
Improper care of your equipment contributes
to environmental and security hazards
that can disable or degrade your voice
deployment.”
This could especially be true in small
businesses, where an older key telephone
system is being replaced. These devices
combined call processor, phone power supply
and switching and could be stored almost
anywhere. However, companies should have
a cool, dry place ready for newer IP PBX gear.
“In certain climates, you could have very
high humidity, with the ambient temperature
getting above [104 degrees Fahrenheit],” says
Patrick Ferriter, vice president of marketing
for Zultys, a maker of IP PBXs that targets the
small-offices as a key system replacement.
“There are places where it does get hot, and
you’re going to have problems if you don’t
have air conditioning.” How much cooling
will depend on the IP PBX itself, he adds.
“If you have an IP PBX which has built-in
gateways, and if you have a lot of analog
connections - FXS boards which provide
ring voltage - it could start to get even hotter,”
Ferriter says. “It’s going to be hotter than a
traditional key system for sure.”
Executive Guide 12
EXECUTIVE GUIDE
App-centric network management
Back to TOC
Fixed-mobile convergence improves
the economics of IP voice
VoIP convergence used to mean a bunch of
softswitches, media gateways, replacing Class
5 switches and - not accidentally - spending
telecom dollars that used to be spent on
traditional TDM on VoIP voice instead. Not
much of that ever happened. Today, carrier
planners at all levels are focusing on a
new kind of convergence - fixed-mobile
convergence (FMC). This time may be the
charm.
The idea behind FMC is to create a supervoice service that lets customers mingle calls
between fixed-line and mobile handsets. A
customer could set up rules that govern the
conditions under which a call placed to one
or the other line is completed. The easiest
example is a rule that says, “If my mobile
phone is off, ring the call on my fixed line
instead of going to voice mail.” This could
be expanded to include a test for specific
numbers, letting non-critical calls go to
voice mail. It would also be possible to do
the opposite: Ring fixed-line calls through
automatically to the mobile number if the
mobile phone is on.
There is clearly a customer value for all
of this, but the value proposition for service
providers goes beyond making customers
happy. Where the value is found varies
depending upon what kind of voice carrier is
looking at FMC.
An incumbent local exchange carrier
(LEC) could see FMC as a way to futureproof
wireline voice services against broadbandbased VoIP offerings. Most incumbent LECs
(ILEC) also have wireless subsidiaries, and a
VoIP offering based on FMC ties the popular
mobile service to the increasingly pricepressured wireline voice. Because modern
3G services are based on Session Initiation
Protocol calling, just like most VoIP services
(except Skype), FMC would allow for VoIP-
to-mobile calls without going through
a relatively expensive public switched
telephone network gateway. This improves
the economics of IP voice.
For the cable companies, an ILEC drive to
FMC creates competitive pressure to follow
suit, and they have been signing mobile
virtual network operator (MVNO) deals with
wireless carriers to create their own FMC
services. But cable companies have another
reason to like FMC, and that relates to the
dual-mode Wi-Fi/mobile handset.
A dual-mode handset is capable of using
Wi-Fi in the home (or, in theory, in other
hot spots) and standard cellular mobile
frequencies when on the road. With the right
carrier equipment behind it, such a handset
can let a user roam between Wi-Fi and cellular
while keeping a call connected. When the
user is at home (or at work, for a business
version of the service), the calls can be rung
through the VoIP and Wi-Fi connection, so
there would be no airtime charge.
By offering phone connections over home
Wi-Fi, a dual-mode handset eliminates the
need to connect the old phone wiring to a
VoIP service. This reduces installation costs
and potentially increases VoIP penetration.
The cable companies might find this a
critical edge in getting their VoIP services
rolling quickly.
For the overlay VoIP players, such as Vonage,
it might be that dual-mode handsets, FMC and
an MVNO relationship with a cellular carrier
would be the difference between profit and
being marginalized.
By adding features to their FMC offerings,
Vonage and other VoIP players might raise
their margins and attract more customers.
Basic Internet calling clearly is going to be
virtually free, so if you want to make money
you have to look beyond it. FMC certainly is
an option.
For users, FMC is likely to bring about major
changes in calling. In the future, you might not
have a mobile number and home number,
just a personal number and set of rules that
determine which calls placed to that number
are connected on each of the voice services
you have. For outside sales and support
personnel, it could mean more freedom and
flexibility; for home users, a single phone that
works everywhere.
This won’t be an overnight process, but
the pressures of the competitive market are
clearly driving us in this direction. Planning
now for FMC seems a prudent step for
carriers and users alike.
Executive Guide 13
H A L M AY F O RT H
By Thomas Nolle, Network World
EXECUTIVE GUIDE
Back to TOC
Section 2
Case studies
Speaking the language of convergence
Butler University learned to keep an ear out for confusion over the terms
and concepts used when groups collaborated on a VoIP deployment.
By Phil Hochmuth, Network World
When Butler University recently migrated
from an on-campus hosted Centrex phone
service to a Cisco CallManager VoIP system,
one of the first challenges it encountered was
to get more than a dozen staffers from the
voice, data and application groups speaking
the same language.
The Indianapolis-based institution wanted
to integrate its voice and data networks
physically,meld several back-end applications
- such as its PeopleSoft ERP system - and
update its interactive voice-response system
for self-service information-gathering.
The deployment took two years, from
planning to completion in late 2005,
and required a lengthy RFP process, an
independent consultant to provide outside
perspective and advice, and the gradual
merging of four separate staffs: data and
networking, telecom, facilities management
and applications, says Scott Kincaid, CIO for
Butler University.
The integration of the staffs was smooth,
Kincaid says. But after a few meetings with
everyone in the same room, Kincaid realized
how high the barrier of technical language
and jargon was going to be.
Say what?
“First, we started talking about MACs,”
Kincaid says. “I thought it was a PC-vs.Macintosh debate; the voice people are
talking about moves, adds and changes; and,
of course, for the data people, this was about
the Machine Access Control addresses” on
the IP phones and PCs on the network.
In addition to overlapping acronyms,
concepts that are second nature to one group
may mean something different to another. An
instance of this was the idea of an extension.
“In the middle of our project, we kept using
the word extension, and we found it was a
meaningless term,” Kincaid says. To telecom
staff, an extension was a logical endpoint that
could ring in possibly multiple places. Data
staff thought of an extension as a physical
phone, not a programmable port or portable
number that moved around. “Then you had
the PeopleSoft/ERP team members, who
thought we were talking about data fields in
a software product,” he says.
Another concept that needed to be defined
clearly as the project got underway was the
word directory, Kincaid says. To the data
group “this is all about Active Directory and
LDAP,” he says.
For the voice technicians, directories were
lists of phone extensions.To the programmers,
these were the file structure and hierarchy of
the servers and systems on which the ERP
software and applications were running. The
trickiest part about all of this, Kincaid adds,
was that eventually all these concepts would
have to come together: Cisco CallManager
runs Active Directory, which includes phone
extensions and dial-plan data, and is stored
on Microsoft Windows 2003 servers in a
directory hierarchy.
Besides separate definitions of terms,
Kincaid says he found the groups differed
in their approaches to and philosophies
about maintaining and managing a network,
because of habits and tendencies built
up over the years related to the technical
cultures of each group.
“Most voice people I work with seem to
come from a mainframe background, and
they have that kind of mentality. There’s a
centralized mind-set to it; there aren’t that
many of them, first of all,” Kincaid says.“They
like documentation. And there are only so
many things you can do on a PBX. They’re
used to a very stable environment.” Above all,
he adds, “They tend to have this belief that
end users have a God-given right to [a] dial
tone, and you have to respect that.”
As he worked with data people, he found
their approach was more distributed and
decentralized. “The data people were
comfortable and used to pulling different
pieces together. But they’re not used to having
someone come into their network without
them being in the loop.”
Using an outside consultant was key in
helping the converged IT staff at Butler
understand their communication differences
and various philosophical approaches.
“It was important for us to have an
independent consultant, not to make the
decisions or to lead the project, but to guide
us and help keep a level base line,” Kincaid
says. In meetings, the presence of an outside
voice helped encourage the members of
Executive Guide 14
EXECUTIVE GUIDE
Case studies
Back to TOC
each IT faction to clearly describe what they
were talking about in the larger context of the
project.
Above all, a group of users - university staff
and faculty - had the biggest jargon-cutting
role in the combined IT organization. They
were not afraid to raise their hand in meetings
and question what the IT staff were talking
about, Kincaid says.
“We got into all of these discussions about
QoS and data packets and security; none of that
mattered to the user. What mattered to the user
was the phone conversation. The call center
being there. Having availability to information.
Having them involved was probably the most
important step we took.”
Executive Guide 15
EXECUTIVE GUIDE
Back to TOC
Case studies
UC Berkeley upgrades voice
By Ann Bednarz, Network World
University of California, Berkeley, eked all it
could from its legacy voice mail system - and
then some.
Even after Unisys dropped support in 2001
for the university’s Digital Sound voice mail
system, it located a third-party vendor willing
to keep the system alive with components
found on eBay and salvaged from other
retired systems. “They weren’t making any
new parts or upgrading the operating
system. It was a very closed system,” says Terri
Kouba, a systems developer in UC Berkeley’s
communications and network services
department.“But it was maintained.”
The university knew the fix was temporary
and started looking for a replacement to
provide basic voice mail functionality and
unified messaging. None of the available
unified messaging products won them over.
“The industry really wasn’t ready for a system
of our scale at that point,” Kouba says.
UC Berkeley gave it another shot in 2004 and
found the vendors were better equipped to
handle a rollout to tens of thousands of users.
After a lengthy review process, the university
chose Interactive Intelligence and licensed
its Communité unified communications
software last year.
Communité supports a unified in-box so
users can browse and open e-mail, voice mail
and fax messages from a single interface.
The system also lets users retrieve voice, fax
and e-mail messages from multiple devices,
Executive Guide 16
EXECUTIVE GUIDE
Case studies
including desktop PCs, wireless handhelds or
cell phones.
Unified messaging helps break down some
of the walls between voice mail and e-mail
and connects the message streams, Kouba says.
In the past, people tended to reply to voice
mails with another voice call and to e-mails
with another e-mail message.“Now, if someone
sends me an e-mail and I’m listening to my
e-mail over the telephone, I can reply to that
with a voice mail attachment,” Kouba says. The
sender gets back the original e-mail message
with a small .wav attachment. “No matter
how you send me information, I can reply or
communicate in the way that I want to.”
Call-screening features tell users who’s
calling before a call is accepted, and followme/find-me technology lets users set precise
call-handling rules - specifying, for example,
which callers to send to voice mail and which
to forward to certain alternative numbers.
Users also can opt to be alerted by Short
Message Service if parties leave a voice mail
message.
Into production
UC Berkeley started its implementation
last October with a pilot group. To drum up
interest in the new technology, the IT group
asked for volunteers from different campus
departments. Getting volunteers excited about
the new system - and talking it up to their coworkers - was one of the smartest things the
university did, Kouba says.
The pilot allowed Kouba’s group to test the
application under real-world conditions.“One
of the things that we can’t do very well on
the telephony side in a development or test
environment is test-load,” Kouba says.“It’s hard
to generate real-looking calls. So that’s one of
the things that we focused on during the earlyadopter period.”
Kouba also used the pilot to tune the
integration points between the Interactive
Intelligence software and the university’s
existing systems. UC Berkeley didn’t upgrade
its telephony systems for the rollout, but it did
Back to TOC
do some heavy integration: The Communité
software is tied to the university’s Centrex
service, Nortel PBX gear, CommuniGate
Systems e-mail, iPlanet Lightweight Directory
Access Protocol directory, Kerberos security
system and campus storage-area network.
After the pilot, in January the team moved
the remainder of the university’s 10,000 faculty
and administrative staff from the old voice
mail system to the Communité platform.
Because not every user needs all the
available features, the communications group
offers different classes of service, starting with
basic voice mail and traditional telephoneonly message access. Enhanced voice mail
services let users access messages via the
Web, and unified messaging services add the
option to retrieve messages via e-mail. Addons include call screening, call routing, and
incoming and outgoing faxing options.
The communications group makes these
services available to university departments on
a chargeback basis, so department managers
can stretch their budgets by choosing services
for staff judiciously.
This fall, UC Berkeley plans to offer the new
services to residence hall students, which
could increase its implementation to 50,000
users.
In the past, as many as three students in a
dorm room had to share a single phone line.
With Communité, every student can get a
personal phone number, and each can opt
to route calls to the dorm-room phone, a cell
phone or any other phone. “Somebody can
always call that one campus phone number
and ultimately reach the student,” Kouba says.
Attracting student users is important.
Providing dorm-room telephone service is
a moneymaker for UC Berkeley, which, like
many universities, has seen its revenue drop
as students increasingly favored cell phones
over dorm lines. By offering unified messaging
options such as advanced call-forwarding
features and Web-based message retrieval,
the university hopes to regain some of those
customers.
Executive Guide 17
EXECUTIVE GUIDE
Back to TOC
VoIP-based testing
VoIP testing team ventures into new terrain
ILabs testing team finds that VoIP QoS works well, but NAT,
security remain tricky
By David Newman, Network World
By now, basic interoperability is generally
a given in multivendor VoIP settings. What
happens, however, when VoIP devices go to
work in decidedly unfriendly environments,
such as through security devices and across
wireless LANs?
Results of the testing completed by the
InteropLabs VoIP team suggest new QoS
mechanisms can work effectively, but security
remains as tricky as ever to get right. Even
though it’s not a security mechanism, network
address translation (NAT) also proved
especially troublesome.
The team built a complex test bed
connecting the VoIP phones of five
enterprises across a vast armory of firewalls,
IPSec and SSL VPN concentrators, and
intrusion-detection systems.
The security-gear suppliers included
Aventail, BorderWare, Check Point, Cisco,
Juniper and Nokia. Some vendors shipped
multiple security devices: For example,
Juniper supplied a firewall, an intrusionprevention system (IPS), two IPSec VPN
concentrators - and three engineers to get
everything working.
In addition to security boxes at the edge
of each enterprise’s network, the security
apparatus included IPSec and SSL VPN
clients for remote users. Corporate network
managers planning VoIP rollouts will probably
deploy similar setups, configuring IP phones
and security devices and drop-shipping them
to remote users.
All this equipment ensured tight security
- in some cases, a little too tight. For example,
BorderWare’s SIPAssure offered detailed
control over Session Initiation Protocol
(SIP) but didn’t provide the access controls
needed in a general-purpose firewall.
The team redesigned the network by
placing this device alongside another
firewalls. The BorderWare box became a VoIP
session border controller alongside another
BorderWare firewall.
The test bed also comprised numerous
wireless LAN (WLAN) switches, access points
and end-stations, all using the new 802.11e
standards for QoS enforcement. Phones in
this year’s event were equally diverse, ranging
from softphones on PC and Mac clients to
old analog handsets with SIP adapters and
Wi-Fi and Ethernet SIP handsets.
Unlike past years, where the focus was on
interoperability among multiple vendors’
SIP proxies, the InteropLabs team this year
standardized on the open source Asterisk SIP
proxy for four of the enterprises. At the fifth
were two proxies: an Asterisk box and the
SpectraLink SIP proxy, which SpectraLink’s
new SIP-enabled handsets require. In general,
however, the focus wasn’t on the SIP proxy
used but on the diversity of the equipment
around it.
In all, around 20 vendors contributed
equipment and engineering resources to the
effort, making this among the largest VoIP
test beds yet constructed by the InteropLabs
team.
To NAT or not to NAT
One of the most difficult decisions in this
testing demonstration was whether to use
NAT. Network architect and team leader Jim
Martin - his day job is distinguished architect
at Netzwert - initially opposed its use on the
grounds that NAT breaks the end-to-end
principle of Internet communications and
might also introduce interoperability issues.
As it turned out, he was right on both counts.
Other team members argued that
regardless of whether NAT is good or evil,
it’s in widespread use today and should be
included in at least part of the test bed. The
pro-NAT argument prevailed. Team engineers
configured one of the five enterprises to use
private net-10 addresses and enabled NAT on
a Check Point firewall linking this enterprise
to the rest of the test bed.
Enabling NAT proved to be troublesome
from the start. Initially, neither inbound nor
outbound calls reached their destinations.
It took two hours of capturing traffic from
various points and then an hourlong
discussion in front of a whiteboard to lay out
the various issues.
In situations where one side used NAT but
the other didn’t, the SIP proxy received traffic
but didn’t return it. That’s because SIP proxies
get source IP addresses from the SIP header
by default, not from the IP header. In this case,
NAT translated the source IP address in the IP
header, but not in the SIP header. Because the
SIP proxy had no route to the source address
using NAT, there was no way for the proxy to
return traffic (see diagram).
The team set a “nat=yes” parameter on the
Asterisk SIP proxy, forcing it to read addresses
Executive Guide 18
EXECUTIVE GUIDE
VoIP-based testing
from IP rather than SIP headers. This solved the first problem of the
SIP proxy not being able to send return traffic. It did not help with the
second problem: the Check Point firewall not sending return traffic
through an IPsec tunnel (this isn’t a knock on Check Point’s firewall;
virtually any NAT box would do the same thing).
This second problem proved more intractable than the first. Even
though the SIP proxy now processed traffic correctly, the firewall at
the enterprise site forwarded VoIP traffic onto the public network
instead of placing it inside an IPsec tunnel for routing back to the
remote-side caller.
Engineers from Check Point and the InteropLabs team worked to
resolve the problem but couldn’t get VoIP working with NAT during
the HotStage event. Check Point’s engineers believe the problem is
caused by the configuration’s parameters.
Cutting the cord
The WLAN setup comprised a mix of access points and WLAN
switches from such vendors as Aruba Wireless Networks, Cisco (in
IOS and Linksys versions), Extreme Networks and Symbol. In addition,
Check Point and Juniper supplied remote-office devices that combine
firewall and VPN concentrator functions with access points.
Hanging off these devices were softphones and wireless handsets
from Cisco, CounterPath Solutions, SpectraLink, Unex and UTStarcom.
A key goal of the testing was enabling the Wi-Fi Alliance’s Wi-Fi
Multimedia Extensions (WMM) to ensure better treatment for voice
traffic. Based on the IEEE’s 802.11e standard, WMM introduces a new
twist to QoS enforcement. Instead of simply queuing VoIP packets
ahead of others on any given station, it seeks to transmit VoIP packets
first from any station, helping to keep delay and jitter to a minimum.
Back to TOC
Determining which devices supported WMM wasn’t always intuitive.
For example, a consumer-grade Linksys access point offered WMM
support out of the box, but new SIP-enabled handsets did not create
packets with WMM’s QoS headers. The SpectraLink problem could be
caused by the handset or SIP proxy configuration, and at press time
team engineers were continuing to examine it.
Another problem in prioritizing VoIP traffic has to do with lining
up multiple QoS mechanisms. IP-forwarding devices, such as routers,
generally use Layer 3 criteria such as DiffServ code points (DSCP) or
IP precedence flags to classify traffic. In contrast, Layer 2 devices, such
as wireless switches, use WMM access classes found in the 802.11
header.
Most sites will generally use only one WMM access class for VoIP
traffic, but there may well be multiple DSCPs in use. As the team
learned, it’s critical that devices with both IP and WLAN capabilities
(such as WLAN switches) map all the relevant DSCPs to the
appropriate WMM access class.
Yet another issue for WLAN forwarding had to do with virtual
LAN (VLAN) tagging. Network designs often use separate VLANs for
VoIP traffic, and the InteropLabs VoIP network was no exception.
This generally worked fine, with two exceptions: First, a relatively
old Symbol switch supported only VLAN IDs between 1 and 31 - too
narrow a range to accommodate the VLAN IDs between 100 and 300
in use on the show network. To its credit, Symbol promptly supplied
its newer WS5100 switch, which supports any VLAN ID.
Second, the SpectraLink SIP proxy required that handsets reside
in the same VLAN and IP subnet as the proxy. The workaround:
On each access point, the team allocated two VLANs (each with a
unique service set identifier), one for the local subnet and one for the
SpectraLink proxy’s subnet. The
enterprise-grade WLAN devices
all handled this workaround,
but some consumer-grade
access points (such as a Linksys
WRT54GX) don’t support VLANs
at all.
Despite the various hurdles
encountered, team engineers
generally were able to call
from any location to any other
location (including offsite) by
the end of the HotStage testing
period. Team engineers and
vendors continue to work to
resolve the few outstanding
issues, and most agreed that
VoIP is getting easier to deploy,
even in environments that
aren’t necessarily VoIP-friendly.
Executive Guide 19
EXECUTIVE GUIDE
Back to TOC
VoIP-based testing
Session border controllers guide VoIP streams
SBCs are traffic cops that control VoIP traffic at the network edge
By Edwin Mier, Anthony Mosco, Robert Tarpley and Robert Smithers, Network World
Is there a session border controller in your
enterprise’s VoIP future? If you’re looking
to expand your organization’s VoIP reach
- to VoIP-based service providers, to other
enterprises or even to VoIP-interconnected
distributed sites via the Internet - there very
well may be.
Functionally, an SBC is a traffic cop: It
facilitates and mediates VoIP flows in real
time, in both directions between private VoIP
domains: an enterprise and a VoIP-based
service provider - the environment we tested
here - or two service providers. SBCs came
of age by providing peering connectivity
between different carriers’ VoIP services
and only recently have begun penetrating
enterprises.
There is no universal job description for
an SBC. Certainly there has to be versatile
handling of VoIP call-control protocols, such
as Session Initiation Protocol (SIP) and H.323,
especially amid different firewall and network
address translation (NAT) configurations.And
there needs to be some security safeguards
- hiding the network topology of the private
network, for example. But overall, SBCs are
complex and costly components, coming
from diverse backgrounds and offering
widely varying capabilities.
We invited more than a dozen vendors
who were touting new SBC wares earlier
this year to submit their packages for testing
in Miercom’s New Jersey lab. Four accepted
our challenge for this feature-based testing:
Ditech Communications, Ingate Systems, Mera
Systems and NexTone Communications.
Despite many differences in the feature
sets of these products (see “What SBCs do”),
their general orientations lie in a few similar,
basic areas, including VoIP call handling, QoS
handling and security capabilities. Based
on our assessment in these areas, our Clear
Choice Test Award goes to NexTone’s package,
CLEAR CHOICE TEST
the Multiprotocol Session Controller (MSC)
coupled with its iView Management System
(iVMS). NexTone’s dynamic VoIP session
control, real-time monitoring with active
error and threshold-limit notification, calllevel reporting system, and integrated firewall
features make it the best of the enterprisefocused SBCs we tested. We note, though,
that the NexTone package costs considerably
more than the competition (more than
$100,000, compared with $25,000 to $38,000
for the others).
NexTone Communications
One strength of NexTone’s Linux-based
MSC was its exceptional management and
reporting, augmented by the powerful routing
engine of the optional iVMS. NexTone could
be set up to adapt dynamically and to alter
operational behavior involving admission
control, routing priorities and bandwidth
allocation, based on fluctuating network
conditions and changed user or application
behavior. For example, we observed how the
system can be set up to divert traffic from
low-cost VoIP carrier A to carrier B, if the
quality measurements of calls via carrier A
drop below established thresholds. Also, the
parameters that users can apply for routing
decisions by NexTone’s MSC are broader and
include, for example, user profile, time of day
and desired QoS - the example cited earlier.
The iVMS allows routing and rerouting of
calls among carrier services and trunks, and
serves up extensive VoIP-quality reporting,
including statistics on average call duration
and postdial delay. We exercised the routing
capabilities of this product by setting
up multiple trunk groups and changing
conditions to cause rerouting. One way was
to unplug a gateway and see whether calls
would reroute if there was a viable alternate
path. In another case we intentionally
oversubscribed the amount of bandwidth
allocated in Call Admission Control, to
ensure the overflow calls would be blocked.
In both cases, the NexTone product worked
as advertised.
Another capability of NexTone’s SBC is that
it offers seamless connectivity between SIP
phones and applications and H.323-based
IP PBXs. This feature lets users connect
their existing legacy VoIP environments,
which are mostly H.323-based, to VoIP-based
A word about performance
In this inaugural test of session border controllers (SBC), it was not
our intent to get into the minutiae of product performance, because SBCs
have disparate feature sets and deployment options. That said, we can
make some general assessments about SBCs based on the results of our
sending modest levels of Session Initiation Protocol call traffic through
them. SBCs’ effects on call quality varied from essentially no degradation
(mean opinion score [MOS] of 4.5, R-factor of 93) to measurable degradation (MOS of 3.9, R-factor of 85). SBCs also could add to call-setup time
and latency; the extent appears to vary based on the power of the SBC
hardware platform.
Executive Guide 20
EXECUTIVE GUIDE
Back to TOC
VoIP-based testing
carrier services, which are mostly SIP-based.
We tested the MSC’s role in this process by
placing a VoIP call between an H.323 and
a SIP endpoint, and verified that it worked.
The connection setup and quality were
good, despite the mismatch in call-control
protocols.
For security, NexTone does token-based
bandwidth throttling of sessions that exceed
a set threshold, with stepped reinstatement.
Both are sophisticated mechanisms for
protecting against incorrect or unauthorized
IP traffic, which could be denial-of-service
(DoS) attempts. There can be multiple
cycles of allowing or reinstating a suspect to
see whether their intentions are legitimate.
NexTone also can tell whether there is
a mismatched address in the call-setup
process, which normally would prevent
call setup or indicate a possible threat. In
this case NexTone will send call-control
information to the source address - where
the request actually came from - to set up an
audio path and ignore what is the incorrect,
possibly spoofed originating address. Here,
the NexTone package must take over routing
of the call, which it can do only because it
can assume full SIP call control.
The downside to this product is its
complexity. Installation and configuration
require an onsite NexTone team, who
configure the system to be left on its own.
NexTone strongly suggests the NexTone
University for training additional customer
personnel who will configure and tune
the system. Also, unlike some competitors,
NexTone’s package does not interact with
any existing or legacy firewalls. This can be a
major shortcoming for an organization that’s
comfortable with its embedded firewalls.
VoIP (while having another firewall handle
all other firewall functions) or to handle all
firewall processing. There’s no underlying
H.323 support - it’s SIP-only - but the base
firewall has been extended considerably
with SIP-based VoIP features.
We spent the bulk of our testing time
focused on how SIParator’s firewalling
integrated with its QoS capabilities. For
example, we examined its ability to
recognize and appropriately handle type of
service and Differentiated Services values.
We went through screens and configuration
for categorizing call types into queues with
different threshold, QoS and priority settings.
We confirmed the system marked and
handled traffic as expected.
Ingate has detailed SIP-configuration
settings, so it is rich in that regard, but
understanding and applying the appropriate
settings requires more than typical
knowledge of VoIP in general and SIP in
particular, especially if you need to integrate
the Ingate system to work with an existing
firewall. Online help is available on a screen
basis, but that can still be a pretty awesome
task and entails dozens of technical settings.
We checked the configuration screens,
documentation and online help to make sure
that it was clear how to attach this system
behind a legacy firewall, split data from VoIPhandling tasks and route between the two.
We did not integrate this unit with any legacy
firewall as far as our test process. We saw that
deploying it in this manner was supported
and documented.
Ingate Systems
The strength of the Ingate SIParator 60 SBC
centers on its solid firewall platform, which
works with existing, legacy firewalls.
The Ingate firewall is SIP-aware, which
means it understands and accommodates
SIP-protocol flows for opening and closing
ports, address translation and so on. The
SIParator is especially clear in its setup
choices. You can configure it to handle just
Executive Guide 21
EXECUTIVE GUIDE
VoIP-based testing
There’s also a full SIP proxy server on board
the Ingate box, which allows it to participate
in SIP call control. An SBC normally is not
expected to interfere with or modify the SIPcalling information. By containing a full SIP
proxy server, however, the SBC can apply a
higher level of oversight and involvement in
SIP operations. For example, as a proxy server,
the Ingate SBC can rewrite the SIP header of
inbound and outbound call-setup messages
on the fly, to accommodate particular SIP
domain names and name changes.
The Ingate product offers no trend reporting,
no call-quality reporting and no per-call
quality assessment. Ingate monitors what is
going on and provides real-time data, such as
number of active calls and ports open, but it
does not address any sort of cumulative data
collection or reporting. The administrator of
the SIParator can access a monitoring GUI,
but what is available is limited and reported
in real time; it might help troubleshooting
somewhat, but not in facilitating any kind of
trend reporting.
Near- and far-end NAT-traversal support
make the Ingate product adept at getting
VoIP calls through to the right destination,
even with different near- and far-end firewall
and NAT configurations in place. The Ingate
SIParator also offers redundancy and VoIP
survival features, such as alternate gateways,
backup registration for callers, domainavailability checking and failback rerouting.
It is also tightly integrated with Microsoft Live
Communication Server 2005, for handling
VoIP in conjunction with video, IM and
presence applications.
Mera Systems
Mera Systems’ Mera VoIP Transit Softswitch (MVTS) software-only SBC began
life as a softswitch and is extremely rich in
supported VoIP call-handling protocols and
features. MVTS runs atop Red Hat Linux 9
on almost any high-end server platform (the
more the better, as far as RAM and gigahertz).
Sophisticated call routing through this
product employs a panoply of criteria,
including time of day, QoS and precedence,
and route load. Of the products tested, Mera
Back to TOC
Ingate Systems’ SIParator 60 Score: 3.6
This SIParator 60 originated as a firewall, on top of which Ingate added a full
Session Initiation Protocol proxy server and various add-on software modules for
VoIP call handling and routing. We tested the SIParator with several separately priced
add-on modules, including the Remote SIP Connectivity Module, the Advanced SIP
Routing Module, the Quality-of-Service Module and the VoIP Survival Module.
Besides the SBC basics - like individual VoIP-call monitoring, topology hiding, and
caller authentication - the Ingate appliance adds security, survivability and routing
features to an enterprise network. Security-wise, the system employs various
techniques for delivering calls through remote firewalls, and it can work alongside
existing, legacy firewalls.
Survivability is enhanced by software that lets VoIP operations continue around IPconnection failures-by handling reregistration of SIP callers-and alternate-gateway
re-routing. Only SIP-based VoIP calls are supported.
Other notable, though not unique, aspects of the SIParator include: tight integration
with Microsoft’s Live Communications Server 2005 (Microsoft has its own special way
of handling SIP calls, with regards to encryption and call routing); several methods of
authenticating callers (via internal databases or external RADIUS servers); and good
alarm and log capabilities, including SNMP support.
While it was not yet available when we tested the product in February, Ingate
indicated it would add Secure-RTP encryption for VoIP in its next release, expected to
ship sometime this month.
NexTone Multiprotocol Session Controller and iView
Management System Score: 4.2
The core of NexTone’s SBC package is the MSC, a souped-up VoIP-call routing
engine. The extra-priced iVMS is a call-quality rating, performance monitoring, and
reporting system. The set-up of call routing with NexTone’s MSC is extremely granular.
For example, the system can be setup to dynamically change such settings as Call
Admission Control, Routing Priorities, Policy Enforcement and Bandwidth Allocation
based on the usage behavior, service availability and so on.
With its broad protocol support - H.323, including many variants for specific IPPBX vendors, as well as Session Initiation Protocol, and translation between the two
- this SBC is well-suited for mixed-protocol and multi-vendor environments. We tested
this by connecting SIP and H.323-based softphones, which interoperated transparently.
The second part of the NexTone package, the iVMS system, provides collects
and reports session information, and includes an excellent GUI-based monitoring tool
called iView. A short list of the call information that can be collected and reported
includes: origination, destination, IP addresses, endpoint entities, call durations, ring
times, error codes, Mean Opinion Score ratings, latency, dropped packets and total
packets.
Executive Guide 22
EXECUTIVE GUIDE
Back to TOC
VoIP-based testing
supports the most complete transcoding - onthe-fly conversion between high-bandwidth
G.711 VoIP Real-time Transport Protocol (RTP)
streams and low-bandwidth G.729 streams. A
host of other vocoders also are supported. SIP
to H.323 translation is akin to the seamless
gateway interworking that NexTone provides.
To test the translation capabilities of the Mera
product, we placed calls through it between
an H.323 endpoint and a SIP endpoint on the
other side and confirmed that these features
worked as advertised.
Mera’s software collects a lot of useful
details about VoIP traffic and activity. It can
collect and display dozens of parameters
about each call. These are stored in detailed
logs, but in a confusing Linux-style format,
which frustrates the useful consolidation and
consumption of this data. While the product
provides a lot of data, you’ve got to extract it
in an ASCII log file via command-line entry.
It’s by no means a neat, legible graphical
presentation of the information. It also
doesn’t provide much in terms of formatted
reports or trend analysis.
Another shortcoming of the Mera package
is security: There are no firewall capabilities
and no direct protection from a DoS attack,
for example. Enterprise users considering the
Mera package will need to address firewall
and intrusion-prevention system security
separately.
Ditech Communications
Ditech’s PeerPoint C100 is a Linux-based
appliance that supports only SIP-based call
control. Beyond VoIP call handling, this SBC
provides rich firewall capabilities, as well as
strong DoS-attack handling.
Many of these security features were
demonstrated on monitored calls and showed
a detailed level of settings for automatic
protection. DoS-attack profiles can be created
based on standard Internet protocols or
detected call-transmission rates. SIP protocol
header fields also can be filtered actively to
prevent details of the internal network from
being broadcast to the Internet. Intelligent
monitoring is used by the C100 to flag and
monitor suspect incoming connections.
The monitoring uses active scorekeeping
and configurable timers to identify problem
THE TIPJAR: Get to know your VoIP network
1.) Know your VoIP network well in terms of equipment, protocols, traffic load. In
addition to IP phones and VoIP gateways, you’ll need a firm understanding of the
other network components that may affect VoIP flows and your session border
controller (SBC) deployment, including firewalls and intrusion-prevention systems,
DHCP and DNS environments, and possibly some aspects of your Layer 2 and Layer
3 infrastructure .
2.) Plan to test all VoIP flows and routes through the SBC before going live.
3.) Get your carriers and IP telephony vendors involved in the process. The questions
you need input on include: Do they have experience working with the SBC you’ve
selected? Have they worked in combination with other service providers and the IP
PBX vendors you have chosen? What are the preferred setting you need to have in
place with regard to timers, rerouting messages, security setting and the planned
SBC settings?
4.) Remember that your SBC objectives are improving security and saving money.
With the complexities of VoIP networking, it’s possible to lose sight of why you’re
deploying an SBC in the first place. If, for example, VoIP call quality drops to the
point where all or most calls are rerouted over the public switched telephone
network, it may end up costing you a lot more money.
connections from an incoming client,
who is then incrementally prevented and
optionally reinstated for access back into
the local network. This process, which can
be configured by combinations of IP address,
port number and dynamic message failure
ratios, performs automatically without
administrator
intervention.
Additional
protection is provided by enabling
examination of RTP, the standardized Internet
content transmission format, to validate its
declared content (audio and video), thus
preventing a disguised executable from
entering the system.
Other strengths include sophisticated nearand far-end NAT traversal (such as with the
Ingate product), and Secure RTP (sRTP)
encryption and Transport Layer Security
(TLS: encrypted SIP call control) support. To
check out Ditech’s NAT traversal, we used
Ditech’s own method of querying the open
call sessions and problems by sending and
monitoring the results of SIP reinvites to both
sides of the NAT. We captured and examined
call sequences and RTP streams to confirm
TLS and sRTP.
We give kudos to Ditech’s installation
because initial configuration and establishing
settings are based on an embedded relational
database that retains values entered and
propagates the values to other screens and
tabs in the system (to drop-down boxes, for
example). This lets you avoid the arduous
process of having to reenter the same data
multiple times, and helps ensure valid entries
in screens.
The vendor’s adjunct Packet Voice Processor,
which was not included in the configuration
we tested, reportedly adds support for
transcoding and other per-call quality
measurement and reporting, and quality
trend reports and intelligent packet repair.
Other noteworthy aspects of the Ditech
package include its tight compatibility with
Microsoft Live Communications Server 2005;
a special feature for keeping calls connected
(called stateful failover, it worked seamlessly
in our testing, with failover occurring in
less than a second, resulting in no dropped
calls); and what Ditech calls media path
optimization, where the system decides
Executive Guide 23
EXECUTIVE GUIDE
Back to TOC
VoIP-based testing
whether to proxy media streams or allow
direct point-to-point RTP communications.
The four SBCs tested all showed they could
competently process and manage SIP-based
VoIP calls between an enterprise environment
and a simulated service provider, front-ended
by a prominent third-party, carrier-oriented
SBC. Interoperability between the carrierside SBC employed in the test bed and the
enterprise-based SBCs we tested did not
prove to be a concern.
Emerging with the top score from this
Ditech Communications’ PeerPoint C100 Score: 3.4
The PeerPoint C100 is a Linux-based appliance that is - as alluded to in its name usually sold as two redundant units where one runs as primary, the other as secondary
hot standby. There is no hard drive - a design option chosen mainly for reliability and,
secondarily, for security. Instead, the operating image loads from a flash-memory card
and runs in RAM.
The SBC ships with one of its laudable features - near- and far-end NAT traversal
- enabled by default. Because of the complexity of setting up some parameters, such
as security certificates, the vendor is usually engaged for a “pre-provisioning” service.
A separate adjunct subsystem, called the Packet Voice Processor (PVP), adds
many features for massaging VoIP RTP streams, such as noise and echo control,
volume control and intelligent packet restoration. But the PVP was not included in the
configuration tested, a fact which limited the range of features we could give Ditech’s
SBC credit for.
A notable aspect of the PeerPoint C100 that we verified was its ability to diagnose
the network on a per-call basis and determine when to regenerate VoIP streams,
or allow direct media flows between endpoints. It’s important to note that this SBC
addresses Session Initiation Protocol-only call environments. Support for SIP
environments is fairly full, including RTCP features and was fully interoperable with
the carrier-level Sansay VSX SBC with which we tested it.
Mera Systems VoIP Transit Softswitch Score: 3.6
test round was NexTone, whose package
we believe best suits a large enterprise
- because of its high price tag, support for
legacy H.323-based PBXs, and very detailed
reporting that most benefits an organization
with a dedicated VoIP admin staff. Ingate
placed second, with a system that adds good
SIP-based VoIP security to an enterprise that
may want to retain its legacy data-network
firewalls. Closely behind Ingate were Mera
Systems and Ditech, which tied. Mera’s
software-only package favors enterprises with
a lot of legacy VoIP, as it handles many forms
of VoIP protocol and RTP stream conversion.
Ditech’s appliance provides enterprises with
SIP-based VoIP, added security, call- and QoShandling.
Mier is founder and president, Mosco
and Tarpley are lab testers, and Smithers is
CEO at Miercom, a network consultancy
and product test center in East Windsor, N.J.
They can be reached at: [email protected],
[email protected], rtarpley@miercom.
com and [email protected], respectively.
They are also members of the Network
World Lab Alliance, a cooperative of the premier reviewers in the network industry, each
bringing to bear years of practical experience
on every review. For more Lab Alliance information, including what it takes to become a
member, go to www.networkworld.com/alliance.
The Mera VoIP Transit Softswitch is a software-only SBC package, which we
tested on a not particularly high-end laptop (a Pentium 4, 2.4 GHz, 512KB RAM
- running Red Hat Linux 9.0). A separate software module, the Session Initiation
Protocol-H.323 Inter-protocol Translator (SIP-HIT), ran on the same Linux platform.
The setup is extremely tailorable - more than 400 parameters can be defined, mainly
related to routing, protocol handling, and call-load distribution.
There is separate management software, called the MVTS Manager, which we
loaded and ran on a Windows XP laptop. Management access can be accomplished
either as a Windows GUI or via a Web browser. MVTS is natively H.323 based.
The SIP piece adds all the SIP functionality. The package extends from a softswitch base, with features that add to the efficiency of VoIP call handling. Call load
can be distributed to avoid bottlenecks or heavily used routes, which keeps callquality high. The ability of this package to transcode on the fly between different VoIP
coders is impressive.
With the very tailorable settings and SIP and H.323 interoperability, this SBC
package is likely to be able to handle interoperability and inter-connectivity of many
different IP-telephony systems, as well as VoIP-based carrier services.
Executive Guide 24
EXECUTIVE GUIDE
VoIP-based testing
Back to TOC
.ET2ESULTS
0RODUCT
/FY5POF
.VMUJQSPUPDPM4FTTJPO
$POUSPMMFS.4$
BOE
J7JFX.BOBHFNFOU
4ZTUFNJ7.4
*OHBUF4*1BSBUPS
.FSB7P*15SBOTJU
4PGUTXJUDI
%JUFDI1FFS1PJOU
$
.EX4ONE
#OMMUNICATIONS
WWWNEXTONECOM
)NGATE3YSTEMS
WWWINGATECOM
-ERA3YSTEMS
WWWMERASYSTEMSCOM
$ITECH
#OMMUNICATIONS
WWWDITECHCOMCOM
&ROMUP
FOR-3#
DEPENDINGONSERVICEAND
OPTIONSI6-3BASE
PRODUCTSTARTSAT
FORSYSTEM
FORSYSTEMTESTED
FORSYSTEM
0ROS
'REATDETAILEDREPORTS
ONCALLQUALITYAND
PERFORMANCESTATISTICS
BESTADMINISTRATION
INCLUDINGALARMSAND
PROVISIONING(
HANDLINGINTERWORKING
WITH3)0RICHANDFLEXIBLE
CALLROUTING
CONFIGURABILITY
#ONS
6ENDOR
0RICE
CONCURRENTCALLS
ALLSOFTWAREPRODUCT
,INUXBASED
TESTEDCONCURRENT
CALLS
&ULLFEATUREDFLEXIBLE
INTEGRALFIREWALLCAN
DEPLOYWITHEXISTING
LEGACYFIREWALLVARIOUS
NETWORKADDRESS
TRANSLATION.!4
ENVIRONMENTSSUPPORTED
VIAOPTIONALMODULE
"ROADEST6O)0PROTOCOL
SUPPORTFULLTRANSCODING
SUPPORTSSEVERAL
REDUNDANCYCONFIGURATIONS
RICHCALLROUTING
CAPABILITIES
&LEXIBLECONFIGURATION
INCLUDING.!4TRAVERSAL
SUPPORTSTRAIGHTFORWARD
INSTALLATIONSPECIAL
-ICROSOFT,IVE
#OMMUNICATIONS3ERVER
3)0SUPPORT6O)0
ENCRYPTION3ECURE2EAL
4IME4RANSPORT
0ROTOCOLSPECIALSUPPORT
FOR6O)0CONFERENCE
SERVERS
.OTRANSCODINGHIGH
PRICETAG
.O(SUPPORTNO
TRANSCODINGLIMITED
6O)0QUALITYANDTREND
REPORTING
,IMITEDSECURITYNODIRECT
PROTECTIONFROM
DENIALSOFSERVICEATTACKS
NOFIREWALLCAPABILITIES
3)0ONLYPROTOCOL
SUPPORTNOINTEGRAL
FIREWALLLIMITED
6O)0QUALITYREPORTING
3CORE
TESTEDREGISTERED
CALLERSINCLUDING
REMOTE3ESSION)NITIATION
0ROTOCOL
3)0CONNECTIVITY
ADVANCED3)0ROUTING
6O)0SURVIVALAND1O3
OPTIONALMODULES
.EX4ONE-ULTIPROTOCOL3ESSION
#ONTROLLERANDI6-3
)NGATE3)0ARATOR
-ERA6O)04RANSIT3OFTSWITCH
$ITECH0EER0OINT#
6O)0HANDLING
#ONFIGURATION
3ECURITY
!DDITIONALFEATURES
5IF#SFBLEPXO
5PUBMTDPSF
4DPSJOH,FZ%XCEPTIONAL6ERYGOOD!VERAGE"ELOWAVERAGE3UBPARORNOTAVAILABLE
Executive Guide 25
EXECUTIVE GUIDE
Back to TOC
VoIP security
Lab Alliance
How to protect your VoIP network
Beware of phreakers, fraudsters, sniffers, RATS, SPIT,
men in the middle, broadcast storms, Wi-Fi jamming.
VoIP has finally arrived as a mainstream
application. IP PBX equipment sales topped
$1 billion in 2005, for the first time outpacing
traditional TDM PBXs, according to Dell’ Oro
Group.
In fact, analysts predict that IP PBXs will
account for more than 90% of the market by
2009. Before you deploy VoIP, however, you
need to be aware of the security risks and the
countermeasures that you can take.
Security is important in every context,
but especially when you’re replacing the
world’s oldest, largest and most resilient and
available communications network. While no
individual security measure will eliminate
attacks against VoIP deployments entirely, a
layered approach can meaningfully reduce
the probability that attacks will succeed.
The threats
Enterprise VoIP customers and service
providers are vulnerable to many of the same
impersonation-based attacks “phreakers”
attempt against traditional telephone and
cellular services. The goals - identity and
information theft and toll fraud - are the
same.
Many attacks focus on VoIP endpoints.
The operating systems, Internet protocols,
applications and management interfaces of
VoIP hard phones and computers running
softphones are vulnerable to unauthorized
access, viruses and worms, and many denialof-service (DoS) attacks that exploit common
Internet protocols and VoIP protocols
themselves.
VoIP uses the IETF Session Initiation
Protocol (SIP) and the Real-time
Transport Protocol (RTP) for call
signaling and voice-message delivery.
These and complementing session
description and RTP control protocols
(SDP, RTCP) do not provide adequate
call-party authentication, end-to-end
integrity protection and confidentiality
measures on call signaling and call
data (such as media streams containing
compressed and encoded speech). Until
these security features are implemented and
put into service, attackers have many vectors
to exploit.
Today, SIP and RTP protocols do not encrypt
call-signaling packets and voice streams,
so identities, credentials and SIP Uniform
Resource Identifiers (phone numbers) of
callers can be captured using LAN and
wireless LAN (WLAN) traffic-collection tools
(sniffers).
An attacker can use captured account
information to impersonate a user to a
customer representative or self-service portal,
where he can change the calling plan to
permit calls to 900 numbers or to blocked
international numbers. He also can access
voice mail or change a call forwarding
number.
Impersonation attacks commonly are
used to perpetrate toll fraud, but financially
motivated attackers also can capture voice
conversations and later replay them to obtain
sensitive business or personal information.
Flooding VoIP targets with SIP call-signaling
messages (e.g., Invite, Register, Bye or RTP
media stream packets) can degrade service,
force calls to be dropped prematurely and
render certain VoIP equipment incapable of
processing calls entirely.VoIP equipment also
may be vulnerable to DoS attacks against
such Internet protocols as TCP SYN, ping of
death and the recent DNS distributed DoS
amplification attacks.
VoIP systems also can be disrupted by
media-specific attacks, such as Ethernet
broadcast storms and Wi-Fi radio jamming.
Operating systems and TCP/IP stacks used
in new VoIP hardware may be susceptible to
implementation-specific attacks that exploit
programming flaws. This can cause the
Executive Guide 26
GIACOMO MARCHESI
By David Piscitello, Network World
EXECUTIVE GUIDE
VoIP security
system to cease operating or provide the attacker with remote
administrative control of the system.
VoIP softphones pose a unique and thorny problem. Softphone
applications run on user systems (PCs, PDAs) and thus are
vulnerable to malicious code attacks against data and voice
applications. IT administrators must consider the possibility that
an attacker may try to evade conventional PC malware protection
by injecting malicious code via a VoIP softphone application.
Spam often harbors spyware and remote administration tools.
Spam over Internet telephony can carry unsolicited sales calls
and other nuisance messages, and programs downloaded to
softphones could include hidden malware.
Even this partial description should cause IT managers to
assess the risk of introducing VoIP, and to develop a policy and
an implementation plan to reduce the risks using security
technology at hand.
Back to TOC
VoIP vulnerabilities
1. Call tampering
The attacker can tamper with calls in progress; for example,
he could impair the quality of the call by interjecting noise in
the Real-time Transport protocol stream, by withholding
delivery of RTP packets so that conversation elements are
lost or by delaying delivery so participants encounter long
periods of silence during the call.
Internet café hot spot access
point (open authentication,
no encryption)
INTERNET
Risk assessment
Voice is a perennial cash cow for traditional telephony service
providers, a lucrative emerging market for VoIP vendors and
a mission-critical service for businesses. Thus, the most serious
risk public (carrier) and private (enterprise) VoIP operators must
manage is service disruption.
VoIP users will expect no less than the high availability they
are accustomed to receive from the public switched telephone
network (PSTN). Accordingly, a thoughtful VoIP deployment
plan for all would-be VoIP operators must include measures for
reducing the threat of DoS attacks.
Other priority risks include identity theft and toll fraud.
Public operators face a greater challenge than do PSTN and
cellular carriers with identity and endpoint verification in VoIP
deployment because endpoint IP addresses are generally not
validated at Internet ingress points, and unlike public telephone
numbers, there are as yet no widely adopted methods for VoIP
operators to certify or assert cooperatively that a SIP identity is
valid.
VoIP operators must manage trust relationships with other
VoIP operators carefully and should avoid service arrangements
unless they have some confidence that the other providers are
using equivalent identity and endpoint verification methods.This
might be arranged contractually across an extended enterprise
or business-to-business VoIP deployment.
In general, insider attacks are more frequent than outsider
attacks, so enterprise VoIP network operators must consider
impersonation a threat even if they operate in isolation. Enterprise
VoIP managers then must consider methods to detect and block
impersonation attacks, and should maintain accounting and
auditing tools to help detect abuse and identify perpetrators.
While public VoIP infrastructures may be more frequently
targeted for politically motivated attacks and terrorism, private
VoIP networks increasingly are at risk of electronic industrial
Alice’s Session
Initiation Protocolenabled phone
1
Ted
connects to
wireless LAN
at Internet café,
calls Alice from
softphone.
2
RTP media packets
of conversation
Attacker intercepts
voice traffic and degrades
call by injecting noise
and delay.
RTP media packets
containing noise
Attacker-injected delay
2. ‘Man-in-the-middle’ attacks
VoIP is vulnerable to man-in-the-middle attacks. In MITMs,
the attacker intercepts SIP call-signaling traffic and masquerades as the calling party to the called party, or as the called
party to the calling party. Once the attacker has gained this
MITM position, he can hijack calls via a redirection server.
Ty p i c a l V o I P c o n v e r s a t i o n .
1
User IP phone
IP PBX
At t a c ke r i n te rc e p t s S I P s i g n a l i n g t r a ff i c .
2
User IP phone
IP PBX
Hacker
At t a c ke r m a s q u e r a d e s a s t h e c a l l i n g a n d t h e c a l l e d
p a r t i e s , a n d h i j a c k s c a l l s v i a a r e d i r e c t i o n s e r v e r.
3
Fake user
IP phone
IP PBX
Hacker and redirection server
Executive Guide 27
EXECUTIVE GUIDE
VoIP security
espionage and eavesdropping attacks (for example,
employees intercepting privileged calls).
Enterprise customers also must consider help desk and
customer care. Service disruption, subscriber impersonation
and toll fraud are serious support matters. Resolving disputes
and restoring service to employees who are victims of such
attacks sap resources and adversely affect productivity. The
effects that security incidents may have on consumer, user,
management and even shareholder confidence can be
lasting.
Countermeasures
Back to TOC
Anatomy of a VoIP DDoS attack
SI
SI
P
P
IP PBX
IN
IN
VI
VI
TE
TE
>S
>
IP
SIP
INV
INV
ITE
ITE
> SIP
> SI
INVITE
ITE
P INV
Call table entries
INTERNET
2 IP PBX creates a 3 IP PBX sends
VoIP is a new and different type of Internet application, 1 Attack hosts send
multiple simultaneous new entry in local
response and
but ultimately it is another real-time data stream delivered
Session Initiation
call table for each
waits for next message
using IP. Many of the security measures widely used today to
Protocol Invite
Invite message.
from caller’s party.
protect other plain text applications, from telnet and FTP to
messages to IP PBX.
Web, e-mail and instant messaging, can be used to improve
VoIP security.
The majority of VoIP service applications are run on
IP PBX
commercial server operating systems. Hardening servers
and employing antitampering and host intrusion detection
demonstrably improve an organization’s baseline VoIP
security. The most frequently recommended server security
measures that can be applied to voice servers include:
Maintain patch currency for operating system and VoIP
INTERNET
applications.
Run only applications required to provide and maintain
4 Attack hosts ignore response message from IP PBX and continue
VoIP services.
sending Invite messages, overwhelming IP PBX.
Require strong authentication for administrative and user
account access.
infected clients to VoIP servers in monoculture (such as Windows)
Enable only user accounts required for maintenance
networks. This often results in much simpler security policies in
and correct operation to deter forced break-ins.
Implement stringent authorization policies to prevent unauthorized each compartmentalizing firewall than the policy you would have to
maintain in a single firewall.
access to VoIP service and account data.
Segmentation is a powerful security tool, so don’t stop here. The
Audit administrative and user sessions and service-related
same segmentation methods used to heighten security can be used to
activities.
Install and maintain server firewall, antimalware, and antitampering implement QoS: For example, putting SIP phones on their own VLAN
helps restrict VoIP to permitted devices and gives higher priority to
measures to deter DoS attacks.
Securely configure VoIP applications to prevent misuse; for VoIP as IP packets move from network edge to core.
Consider segregating voice user agents (hard phones) from PCs and
example, a whitelist of callable country codes can thwart certain call
forward, transfer and social-engineering exploits that might result in laptops used to access networked data applications. This may prevent
a successful attack against a data segment from spreading to and
toll fraud and unauthorized use.
Once VoIP servers and the applications they run are securely interfering with voice systems. Firewall performance may be an issue
configured, build an in-depth defense by adding layers of security when applying segmentation and policy-based compartmentalization,
around servers. Isolate VoIP servers and required infrastructure so plan carefully to avoid adding latency to paths that will transport
(for example, DNS, LDAP) from client machines (phones, PCs and media streams.
Endpoint security adds an outer layer of security in VoIP
laptops) by using separate physical or virtual LANs (VLAN) to carry
management, voice and data traffic.
deployments. IEEE 802.1X port-based network access control and
Use firewalls to limit types of traffic that may cross VLAN boundaries equivalent network admission techniques provide an additional layer
to only those protocols necessary. This compartmentalization of authorization control by blocking devices from using a LAN or
is especially effective in reducing the spread of malware from WLAN until they pass security checks.
•
•
•
•
•
•
•
•
Executive Guide 28
EXECUTIVE GUIDE
Back to TOC
VoIP security
Administrators can choose to block devices
infected with malware or that do not satisfy
other admission criteria, such as current
patches and appropriately configured
firewalls. They can redirect noncompliant
devices to an isolated LAN segment that
offers limited services or to a LAN where
softphone users can access software, patches
and malware definition updates required
to satisfy admission criteria. In many cases,
these security measures can be performed
before authentication, to prevent malware
(keystroke loggers) from capturing user
credentials.
Companies using firewalls to enforce
security policy may discover that their current
firewall is unsuited to the task of securing
voice and data. Traditional network firewalls
are designed to permit and deny traffic based
on TCP, User Datagram Protocol (UDP) and IP
header information: IP addresses, protocol
types and port numbers, for example.
VoIP protocols use a large range of UDP
ports and allocate them dynamically to
media streams. Many traditional firewalls
cannot accommodate this behavior without
leaving large swaths of port numbers
permanently open for VoIP use and other
misuses. Certain firewalls do not process
UDP efficiently. Others do not support QoS
measures to manage latency and jitter so that
VoIP calls have toll-voice quality.
IT administrators should consider firewalls
that are SIP-aware, that can detect and
counterattack against SIP signaling messages,
and that can process RTP media streams
without adding significant latency.
Application-layer
gateways
(proxies)
can play a useful role in VoIP deployment.
Incorporating SSL tunnels into SIP proxies
is becoming a popular way to improve
authentication and add confidentiality and
integrity protection on signaling messages
exchanged between user agents and SIP
proxies.
Many organizations are considering
chaining SSL connections to protect
signaling traffic between SIP proxies across
their organizations and interorganizationally
as well. RTP proxies may be appropriate if
your organization must relay media streams
among global and local RTP IP addresses
and ports. Other organizations are choosing
to take advantage of their investment in IPSec
to secure VoIP traffic between sites.
In some configurations, organizations
may try to process VoIP traffic preferentially
by creating IPSec security associations
that prioritize voice traffic over data. Some
organizations may want to filter signaling
traffic and RTP media streams through a
Session Border Controller (SBC).SBCs operate
as back-to-back user agents, concatenating
and applying policy to calls between public
and private user agents. In some respects, an
SBC behaves like a secure e-mail proxy. It can
rewrite message headers to hide details of
private networks (such as addresses), strip
unknown and undesirable header SIP fields,
and restrict called-party numbers. Because
media traffic flows through an SBC, RTP
policies can be enforced at them.
These security measures, along with a
proactive security monitoring and intrusiondetection and -prevention plan, not only
improve VoIP security, but can greatly reduce
the risks to data networks as organizations
introduces VoIP. Many of these measures will
continue to be useful in deployments even
after security enhancements are incorporated
into VoIP protocols and architecture.
Executive Guide 29
EXECUTIVE GUIDE
Back to TOC
VoIP security
Phishing leverages VoIP in new scam model
VoIP plays role in new phishing scam.
By Cara Garretson, Network World
Small businesses and consumers aren’t the only
ones enjoying the cost savings of switching to
VoIP; according to messaging security company
Cloudmark, phishers have begun using the
technology to help them steal personal and
financial information over the phone.
Cloudmark recently trapped an e-mailed
phishing attack in its security filters that appeared
to come from a small bank in a big city and
directed recipients to verify their account
information by dialing the included number (the
Cloudmark user who received the e-mail and
alerted the company knew it was a phishing scam
because he’s not a customer at the bank).
Usually phishing scams are e-mail messages
that direct unwitting recipients to a Web site to
capture their personal or financial information.
But because much of the public is learning not
to visit the Web sites these messages try to direct
them to, phishers believe asking recipients to dial
a phone number instead is novel enough that
people will do it, says Adam O’Donnell, senior
research scientist at Cloudmark.
And that’s where VoIP comes in. By simply
acquiring a VoIP account, associating it with
a phone number and backing it up with an
interactive voice recognition system and free
PBX software running on a cheap PC, phishers
can build phone systems that appear as elaborate
as those used by banks, O’Donnell says. “They’re
leveraging the same economies that make VoIP
attractive for small businesses,” he says.
Cloudmark has no proof that in this example the
phisher was using a VoIP system, but O’Donnell
says it’s the only way that staging such an attack
could make economic sense for the phisher.
The company expects to see more of this new
form of phishing. Once a phished e-mail with a
phone number is identified, Cloudmark’s security
network can filter inbound e-mail messages
and block those that contain the number, says
O’Donnell.
Executive Guide 30
EXECUTIVE GUIDE
VoIP security
Back to TOC
Secure SIP protects VoIP traffic
Security mechanism helps fill hole in Session Initiation Protocol.
By Michael Ward, Network World
Session Initiation Protocol has become
the call control protocol of choice for VoIP
networks because of its open and extensible
nature. However, the integrity of call signaling
between sites is of utmost importance, and
SIP is vulnerable to attackers when left
unprotected.
Secure SIP is a security mechanism defined
by SIP RFC 3261 for sending SIP messages
over a Transport Layer Security-encrypted
channel. Originally used for securing
HTTP sessions, TLS can be repurposed to
protect SIP session communications from
eavesdropping or tampering. By deploying
SIP-based devices that support Secure SIP,
network administrators benefit from these
increased levels of security for their VoIP
networks.
Thwarting threats
Companies are concerned about malicious
parties eavesdropping on SIP signaling
information, performing man-in-the-middle
attacks that disrupt service or gaining
unauthorized access to VoIP networks.
RFC 3261 defines mechanisms for providing
increased security for a SIP session.
The most basic level of security, required to
be implemented by all SIP user agents and
SIP proxy servers, is Message Digest (MD5)
authentication. This provides a basic level
of authentication challenge between a SIP
proxy server and SIP user agent. At the other
end of the spectrum, Secure Multipurpose
Internet Mail Extensions (S/MIME) can be
implemented to encrypt data directly within
SIP messages.
SIP support for S/MIME has not been as
widely deployed as HTTP because of the
required public-key infrastructure support
and the added complexity of managing the
security certificates. Secure SIP, running SIP
over TLS on a hop-by-hop basis, provides a
more comprehensive level of security than
that of basic MD5 authentication, without the
additional overhead imposed by S/MIME.
One key difference between the SIP and
HTTP protocols is that a SIP request may
travel across several hops before reaching
its destination. Running SIP over TLS can
provide secure connections on a hop-by-hop
basis.
For Secure SIP communications, RFC 3261
defines the SIPS Uniform Resource Identifier
(URI), used as HTTPS is used for secure
HTTP connections. The SIPS URI ensures that
SIP over TLS is used between each pair of
hops to validate and secure the connection,
and provide a secure endpoint-to-endpoint
connection.
In a Secure SIP session, the SIP user
agent client contacts the SIP proxy server
requesting a TLS session.This SIP proxy server
responds with a public certificate and the SIP
user agent then validates the certificate. Next,
the SIP user agent and the SIP proxy server
exchange session keys to encrypt or decrypt
data for a given session. From this point, the
SIP proxy server contacts the next hop and
similarly negotiates a TLS session, ensuring
that SIP over TLS is used end-to-end.
One might ask why a security protocol such
as IPsec is not used for a direct, secure, endto-end connection between SIP endpoints.
Because IPsec encrypts data end-to-end, the
SIP proxy servers between the SIP endpoints
would not be able to interpret and modify
required information in the SIP messages. TLS
is a lighter-weight and more easily managed
protocol than IPsec,and thus more appropriate
for SIP-based VoIP endpoints, which are
often processing and resource constrained.
The security mechanism between SIP proxy
servers within a network may use TLS, IPsec
or other security mechanisms, as long as the
information is decrypted at each hop.
Secure SIP is an optional item for SIP user
agents, but more SIP-based VoIP endpoints
provide it.VoIP network administrators should
take a look at implementing this technology
within their SIP-based networks to gain from
the added level of security that Secure SIP
can provide.
Executive Guide 31
EXECUTIVE GUIDE
VoIP security
Back to TOC
Researchers seek to save
VoIP from security threats
NSF awards big bucks to investigate
voice spam, other attacks.
By Bob Brown, Network World
With VoIP starting to live up to some of the hype, university
researchers are looking to ensure that the technology’s
momentum in corporate and residential markets won’t be
ruined by myriad security threats.
The National Science Foundation this week said it has
issued $600,000 to the University of North Texas to spearhead
development of a multi-university test bed to study VoIP security.
Other participants are Columbia University, Purdue University
and the University of California-Davis.
VoIP spam, denials of service, 911 services and quality of
service will be among the areas targeted for research during the
three-year project. The research will also look at vulnerabilities
that emerge from the integration of VoIP and legacy networks.
The group of schools plans to disseminate its findings widely
to technology developers, academia and others involved in
network convergence.
The project is being led by Ram Dantu, an assistant professor
at the University of North Texas in the Department of Computer
Science and Engineering. Dantu is co-chairman of an upcoming
workshop on VoIP security to be held in Washington, D.C.
VoIP security is an issue that vendors have been tackling as
well. A group of them joined forces last year to form the VoIP
Security Alliance.
Executive Guide 32