Security and management considerations when deploying OCS

* Acme Packet contends that SBCs are complementary to OCS deployments

We've suggested before that session border controllers (SBCs) are necessary within an enterprise network to ensure QoS and security for VoIP and unified communications, and Acme Packet has suggested in a recently published white paper that the need for SBCs is especially acute for Microsoft Office Communications Server (OCS) users. Acme Packet also contends that SBCs are complementary to OCS deployments, and that they can improve scalability and reduce total cost of ownership.

As one of the leading SBC providers, Acme Packet has a multi-year history in hundreds of service provider VoIP deployments. Based on the company’s experience, enterprise firewalls are unable to protect the Microsoft OCS edge or core servers. According to Acme Packet, “VoIP testing tools operating on any ordinary PC have proven that they can completely disable any popular SIP-enabled firewall (as well as any SIP proxy or PBX) by sending a flood of legitimate or illegitimate SIP messages. These firewalls with SIP Application Layer Gateways (ALG) also have poor topology hiding capabilities. They have been known to expose internal addresses of core SIP servers that are included in SIP message headers.”
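The topology-hiding weakness described in the quote can be checked on traffic captured outside the border device. The following is an added example, not code from Acme Packet or from this article; the header list, the function names and the sample message are assumptions constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges, listed explicitly so documentation prefixes stay "external".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Headers that commonly carry host addresses, with their compact forms.
ADDRESS_HEADERS = {"via", "v", "contact", "m", "record-route", "route",
                   "call-id", "i"}
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def parse_headers(raw):
    """Return [name, value] pairs from a SIP message, joining folded lines."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n")[1:]:            # skip the request/status line
        if line[:1] in (" ", "\t") and headers:  # continuation of previous header
            headers[-1][1] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append([name.strip().lower(), value.strip()])
    return headers

def leaked_internal_addresses(raw):
    """Return sorted (header, address) pairs exposing an RFC 1918 address."""
    leaks = set()
    for name, value in parse_headers(raw):
        if name not in ADDRESS_HEADERS:
            continue
        for candidate in IPV4.findall(value):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:                   # not a valid address, e.g. 999.1.1.1
                continue
            if any(addr in net for net in INTERNAL_NETS):
                leaks.add((name, candidate))
    return sorted(leaks)

# Constructed sample: a message as seen on the outside of the border device.
SAMPLE = "\r\n".join([
    "INVITE sip:alice@example.com SIP/2.0",
    "Via: SIP/2.0/TLS 203.0.113.10:5061;branch=z9hG4bK1",
    "Via: SIP/2.0/TLS 10.1.20.5:5061;branch=z9hG4bK2",
    " ;received=192.168.7.9",
    "Call-ID: a84b4c76e66710@10.1.20.5",
    "Contact: <sip:bob@172.16.4.2:5061;transport=tls>",
    "Record-Route: <sip:203.0.113.10;lr>",
    "Content-Length: 0", "", ""])

if __name__ == "__main__":
    for header, address in leaked_internal_addresses(SAMPLE):
        print(f"{header}: internal address {address} visible externally")
```

Any pair it reports on the external side marks a header that the border device forwarded without rewriting.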

Addressing a second issue, Acme Packet points out that OCS uses SIP with TLS encryption over TCP and encrypted SRTP for the media. However, SIP PBX vendors have choices in SIP transport protocols (including UDP, TCP, SCTP), choices in signaling and media encryption protocols (including none, TLS, MTLS, IPSec) and choices in DTMF transport (either media or signaling-based). In addition, many installed IP-PBXs still rely on the H.323 protocol, while others use MGCP or SCCP-based endpoints. Therefore, the interoperability of these multiple protocol variations must be controlled to maximize security and performance between the OCS-based SIP protocols and the protocols used by the installed IP-PBX.

Interoperability management between OCS and the IP-PBX should consider:

* Unified dialing plans across multiple, separate IP PBX and OCS deployments.

* Comprehensive security and overload protection for IP PBXs connected to SIP, H.323, MGCP or SCCP-based endpoints.

* The ability to securely bridge heterogeneous IP address spaces.

* Manipulation of telephone numbers, URIs and response codes.

* Transcoding and transrating for a broad range of wireline and wireless codecs.

* Session routing metrics supported for LCR, ENUM, QoS and ASR to minimize costs and maximize session quality.

Our thanks to Acme Packet for their insights on the intricacies of OCS deployments. A copy of their white paper (including more network diagrams and additional details) is available here.

Next time, we’ll hear from some Current Analysis experts on how the SME and large enterprise have different needs for unified communications, followed next week with an interview of a Microsoft OCS user.
