SBC 'traffic cop' controls VoIP streams at the border

Session border controllers, complex and costly, offer widely varying capabilities.

A session border controller may be in your VoIP future, according to our Clear Choice Test of devices that aim to expand your organization's VoIP reach.

Functionally, an SBC is a traffic cop: It facilitates and mediates VoIP flows in real time, in both directions between private VoIP domains: an enterprise and a VoIP-based service provider - the environment we tested here - or two service providers. SBCs came of age by providing peering connectivity between different carriers' VoIP services and only recently have begun penetrating enterprises.

How we tested SBCs

Archive of Network World tests

Subscribe to the Network Product Test Results newsletter

There is no universal job description for an SBC. Certainly there has to be versatile handling of VoIP call-control protocols, such as Session Initiation Protocol (SIP) and H.323, especially amid different firewall and network address translation (NAT) configurations. And there needs to be some security safeguards - hiding the network topology of the private network, for example. But overall, SBCs are complex and costly components, coming from diverse backgrounds and offering widely varying capabilities.

We invited more than a dozen vendors who were touting new SBC wares earlier this year to submit their packages for testing in Miercom's New Jersey lab. Four accepted our challenge for this feature-based testing: Ditech Communications, Ingate Systems, Mera Systems and NexTone Communications.

Despite many differences in the feature sets of these products (see "What SBCs do"), their general orientations lie in a few similar, basic areas, including VoIP call handling, QoS handling and security capabilities. Based on our assessment in these areas, our Clear Choice Test Award goes to NexTone's package, the Multiprotocol Session Controller (MSC) coupled with its iView Management System (iVMS). NexTone's dynamic VoIP session control, real-time monitoring with active error and threshold-limit notification, call-level reporting system, and integrated firewall features make it the best of the enterprise-focused SBCs we tested. We note, though, that the NexTone package costs considerably more than the competition (more than $100,000, compared with $25,000 to $38,000 for the others).

What session border controllers do: Comparative feature checklist Note: A check mark (√) indicates the product fully addresses this feature.
VoIP signaling and call handling

Ditech PeerPoint C100

Ingate SIParator 60


NexTone MSC and iVMS

Call load, bandwidth optimization    
Full-featured firewall traversal 

Session Initiation Protocol (SIP) to H.323 conversion

H.323 gatekeeper services  

SIP proxy, redirect, other services

Real-time Transport Protocol/RTP Control Protocol termination and regeneration

Transcoding (G.711-G.729, etc.)  

IP address resolution/management

Native, integral firewall 


Topology hiding

Authenticate VoIP calls and callers

Open and close legacy firewall ports


VoIP network address translation

Prevention of denial-of-service attacks


QoS, quality monitoring, reporting    
Differentiated Services/types of services QoS handling

Monitors each VoIP call

Per-call quality rating (i.e., mean opinion score)  

Issue call detail records 

TCall-quality trend reports   

Next: NexTone Communications >

NexTone Communications

One strength of NexTone's Linux-based MSC was its exceptional management and reporting, augmented by the powerful routing engine of the optional iVMS. NexTone could be set up to adapt dynamically and to alter operational behavior involving admission control, routing priorities and bandwidth allocation, based on fluctuating network conditions and changed user or application behavior. For example, we observed how the system can be set up to divert traffic from low-cost VoIP carrier A to carrier B, if the quality measurements of calls via carrier A drop below established thresholds. Also, the parameters that users can apply for routing decisions by NexTone's MSC are broader and include, for example, user profile, time of day and desired QoS - the example cited earlier.

The iVMS allows routing and rerouting of calls among carrier services and trunks, and serves up extensive VoIP-quality reporting, including statistics on average call duration and postdial delay. We exercised the routing capabilities of this product by setting up multiple trunk groups and changing conditions to cause rerouting. One way was to unplug a gateway and see whether calls would reroute if there was a viable alternate path. In another case we intentionally oversubscribed the amount of bandwidth allocated in Call Admission Control, to ensure the overflow calls would be blocked. In both cases, the NexTone product worked as advertised.

Another capability of NexTone's SBC is that it offers seamless connectivity between SIP phones and applications and H.323-based IP PBXs. This feature lets users connect their existing legacy VoIP environments, which are mostly H.323-based, to VoIP-based carrier services, which are mostly SIP-based. We tested the MSC's role in this process by placing a VoIP call between an H.323 and a SIP endpoint, and verified that it worked. The connection setup and quality were good, despite the mismatch in call-control protocols.

NexTone Multiprotocol Session Controller and iView Management System

Score: 4.2

The core of NexTone's SBC package is the MSC, a souped-up VoIP-call routing engine. The extra-priced iVMS is a call-quality rating, performance monitoring, and reporting system. The set-up of call routing with NexTone's MSC is extremely granular. For example, the system can be setup to dynamically change such settings as Call Admission Control, Routing Priorities, Policy Enforcement and Bandwidth Allocation based on the usage behavior, service availability and so on.

With its broad protocol support - H.323, including many variants for specific IP-PBX vendors, as well as Session Initiation Protocol, and translation between the two - this SBC is well-suited for mixed-protocol and multi-vendor environments. We tested this by connecting SIP and H.323-based softphones, which interoperated transparently.

The second part of the NexTone package, the iVMS system, provides collects and reports session information, and includes an excellent GUI-based monitoring tool called iView. A short list of the call information that can be collected and reported includes: origination, destination, IP addresses, endpoint entities, call durations, ring times, error codes, Mean Opinion Score ratings, latency, dropped packets and total packets.

For security, NexTone does token-based bandwidth throttling of sessions that exceed a set threshold, with stepped reinstatement. Both are sophisticated mechanisms for protecting against incorrect or unauthorized IP traffic, which could be denial-of-service (DoS) attempts. There can be multiple cycles of allowing or reinstating a suspect to see whether their intentions are legitimate. NexTone also can tell whether there is a mismatched address in the call-setup process, which normally would prevent call setup or indicate a possible threat. In this case NexTone will send call-control information to the source address - where the request actually came from - to set up an audio path and ignore what is the incorrect, possibly spoofed originating address. Here, the NexTone package must take over routing of the call, which it can do only because it can assume full SIP call control.

The downside to this product is its complexity. Installation and configuration require an onsite NexTone team, who configure the system to be left on its own. NexTone strongly suggests the NexTone University for training additional customer personnel who will configure and tune the system. Also, unlike some competitors, NexTone's package does not interact with any existing or legacy firewalls. This can be a major shortcoming for an organization that's comfortable with its embedded firewalls.

Next: Ingate Systems >

Ingate Systems

The strength of the Ingate SIParator 60 SBC centers on its solid firewall platform, which works with existing, legacy firewalls.

The Ingate firewall is SIP-aware, which means it understands and accommodates SIP-protocol flows for opening and closing ports, address translation and so on. The SIParator is especially clear in its setup choices. You can configure it to handle just VoIP (while having another firewall handle all other firewall functions) or to handle all firewall processing. There's no underlying H.323 support - it's SIP-only - but the base firewall has been extended considerably with SIP-based VoIP features.

We spent the bulk of our testing time focused on how SIParator's firewalling integrated with its QoS capabilities. For example, we examined its ability to recognize and appropriately handle type of service and Differentiated Services values. We went through screens and configuration for categorizing call types into queues with different threshold, QoS and priority settings. We confirmed the system marked and handled traffic as expected.

There's also a full SIP proxy server on board the Ingate box, which allows it to participate in SIP call control. An SBC normally is not expected to interfere with or modify the SIP-calling information. By containing a full SIP proxy server, however, the SBC can apply a higher level of oversight and involvement in SIP operations. For example, as a proxy server, the Ingate SBC can rewrite the SIP header of inbound and outbound call-setup messages on the fly, to accommodate particular SIP domain names and name changes.

The Ingate product offers no trend reporting, no call-quality reporting and no per-call quality assessment. Ingate monitors what is going on and provides real-time data, such as number of active calls and ports open, but it does not address any sort of cumulative data collection or reporting. The administrator of the SIParator can access a monitoring GUI, but what is available is limited and reported in real time; it might help troubleshooting somewhat, but not in facilitating any kind of trend reporting.

Near- and far-end NAT-traversal support make the Ingate product adept at getting VoIP calls through to the right destination, even with different near- and far-end firewall and NAT configurations in place. The Ingate SIParator also offers redundancy and VoIP survival features, such as alternate gateways, backup registration for callers, domain-availability checking and failback rerouting. It is also tightly integrated with Microsoft Live Communication Server 2005, for handling VoIP in conjunction with video, IM and presence applications.

THE TIPJAR: Get to know your VoIP network
1.) Know your VoIP network well in terms of equipment, protocols, traffic load. In addition to IP phones and VoIP gateways, you'll need a firm understanding of the other network components that may affect VoIP flows and your session border controller (SBC) deployment, including firewalls and intrusion-prevention systems, DHCP and DNS environments, and possibly some aspects of your Layer 2 and Layer 3 infrastructure .
2.) Plan to test all VoIP flows and routes through the SBC before going live.
3.) Get your carriers and IP telephony vendors involved in the process. The questions you need input on include: Do they have experience working with the SBC you've selected? Have they worked in combination with other service providers and the IP PBX vendors you have chosen? What are the preferred setting you need to have in place with regard to timers, rerouting messages, security setting and the planned SBC settings?
4.) Remember that your SBC objectives are improving security and saving money. With the complexities of VoIP networking, it's possible to lose sight of why you're deploying an SBC in the first place. If, for example, VoIP call quality drops to the point where all or most calls are rerouted over the public switched telephone network, it may end up costing you a lot more money.

Next: Mera Systems >

Mera Systems

Mera Systems' Mera VoIP Transit Softswitch (MVTS) software-only SBC began life as a softswitch and is extremely rich in supported VoIP call-handling protocols and features. MVTS runs atop Red Hat Linux 9 on almost any high-end server platform (the more the better, as far as RAM and gigahertz).

Sophisticated call routing through this product employs a panoply of criteria, including time of day, QoS and precedence, and route load. Of the products tested, Mera supports the most complete transcoding - on-the-fly conversion between high-bandwidth G.711 VoIP Real-time Transport Protocol (RTP) streams and low-bandwidth G.729 streams. A host of other vocoders also are supported. SIP to H.323 translation is akin to the seamless gateway interworking that NexTone provides. To test the translation capabilities of the Mera product, we placed calls through it between an H.323 endpoint and a SIP endpoint on the other side and confirmed that these features worked as advertised.

1 2 Page 1
Must read: 10 new UI features coming to Windows 10