SBC 'traffic cop' controls VoIP streams at the border
Session border controllers, complex and costly, offer widely varying capabilities.
A session border controller may be in your VoIP future, according to our Clear Choice Test of devices that aim to expand your organization's VoIP reach.
Functionally, an SBC is a traffic cop: It facilitates and mediates VoIP flows in real time, in both directions between private VoIP domains: an enterprise and a VoIP-based service provider - the environment we tested here - or two service providers. SBCs came of age by providing peering connectivity between different carriers' VoIP services and only recently have begun penetrating enterprises.
How we tested SBCs
Archive of Network World tests
Subscribe to the Network Product Test Results newsletter
There is no universal job description for an SBC. Certainly there has to be versatile handling of VoIP call-control protocols, such as Session Initiation Protocol () and H.323, especially amid different firewall and network address translation () configurations. And there needs to be some security safeguards - hiding the network topology of the private network, for example. But overall, SBCs are complex and costly components, coming from diverse backgrounds and offering widely varying capabilities.
We invited more than a dozen vendors who were touting new SBC wares earlier this year to submit their packages for testing in Miercom's New Jersey lab. Four accepted our challenge for this feature-based testing: Ditech Communications, Ingate Systems, Mera Systems and NexTone Communications.
Despite many differences in the feature sets of these products (see "What SBCs do"), their general orientations lie in a few similar, basic areas, including VoIP call handling, QoS handling and security capabilities. Based on our assessment in these areas, our Clear Choice Test Award goes to NexTone's package, the Multiprotocol Session Controller (MSC) coupled with its iView Management System (iVMS). NexTone's dynamic VoIP session control, real-time monitoring with active error and threshold-limit notification, call-level reporting system, and integrated firewall features make it the best of the enterprise-focused SBCs we tested. We note, though, that the NexTone package costs considerably more than the competition (more than $100,000, compared with $25,000 to $38,000 for the others).
| What session border controllers do: Comparative feature checklist Note: A check mark (√) indicates the product fully addresses this feature. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Next: NexTone Communications >
NexTone Communications
One strength of NexTone's Linux-based MSC was its exceptional management and reporting, augmented by the powerful routing engine of the optional iVMS. NexTone could be set up to adapt dynamically and to alter operational behavior involving admission control, routing priorities and bandwidth allocation, based on fluctuating network conditions and changed user or application behavior. For example, we observed how the system can be set up to divert traffic from low-cost VoIP carrier A to carrier B, if the quality measurements of calls via carrier A drop below established thresholds. Also, the parameters that users can apply for routing decisions by NexTone's MSC are broader and include, for example, user profile, time of day and desired - the example cited earlier.
The iVMS allows routing and rerouting of calls among carrier services and trunks, and serves up extensive VoIP-quality reporting, including statistics on average call duration and postdial delay. We exercised the routing capabilities of this product by setting up multiple trunk groups and changing conditions to cause rerouting. One way was to unplug a gateway and see whether calls would reroute if there was a viable alternate path. In another case we intentionally oversubscribed the amount of bandwidth allocated in Call Admission Control, to ensure the overflow calls would be blocked. In both cases, the NexTone product worked as advertised.
Another capability of NexTone's SBC is that it offers seamless connectivity between SIP phones and applications and H.323-based IP PBXs. This feature lets users connect their existing legacy VoIP environments, which are mostly H.323-based, to VoIP-based carrier services, which are mostly SIP-based. We tested the MSC's role in this process by placing a VoIP call between an H.323 and a SIP endpoint, and verified that it worked. The connection setup and quality were good, despite the mismatch in call-control protocols.
|
For security, NexTone does token-based bandwidth throttling of sessions that exceed a set threshold, with stepped reinstatement. Both are sophisticated mechanisms for protecting against incorrect or unauthorized IP traffic, which could be denial-of-service () attempts. There can be multiple cycles of allowing or reinstating a suspect to see whether their intentions are legitimate. NexTone also can tell whether there is a mismatched address in the call-setup process, which normally would prevent call setup or indicate a possible threat. In this case NexTone will send call-control information to the source address - where the request actually came from - to set up an audio path and ignore what is the incorrect, possibly spoofed originating address. Here, the NexTone package must take over routing of the call, which it can do only because it can assume full SIP call control.
The downside to this product is its complexity. Installation and configuration require an onsite NexTone team, who configure the system to be left on its own. NexTone strongly suggests the NexTone University for training additional customer personnel who will configure and tune the system. Also, unlike some competitors, NexTone's package does not interact with any existing or legacy firewalls. This can be a major shortcoming for an organization that's comfortable with its embedded firewalls.
Next: Ingate Systems >
Ingate Systems
The strength of the Ingate SIParator 60 SBC centers on its solid firewall platform, which works with existing, legacy firewalls.
The Ingate firewall is SIP-aware, which means it understands and accommodates SIP-protocol flows for opening and closing ports, address translation and so on. The SIParator is especially clear in its setup choices. You can configure it to handle just VoIP (while having another firewall handle all other firewall functions) or to handle all firewall processing. There's no underlying H.323 support - it's SIP-only - but the base firewall has been extended considerably with SIP-based VoIP features.
We spent the bulk of our testing time focused on how SIParator's firewalling integrated with its QoS capabilities. For example, we examined its ability to recognize and appropriately handle type of service and values. We went through screens and configuration for categorizing call types into queues with different threshold, QoS and priority settings. We confirmed the system marked and handled traffic as expected.
There's also a full SIP proxy server on board the Ingate box, which allows it to participate in SIP call control. An SBC normally is not expected to interfere with or modify the SIP-calling information. By containing a full SIP proxy server, however, the SBC can apply a higher level of oversight and involvement in SIP operations. For example, as a proxy server, the Ingate SBC can rewrite the SIP header of inbound and outbound call-setup messages on the fly, to accommodate particular SIP domain names and name changes.
The Ingate product offers no trend reporting, no call-quality reporting and no per-call quality assessment. Ingate monitors what is going on and provides real-time data, such as number of active calls and ports open, but it does not address any sort of cumulative data collection or reporting. The administrator of the SIParator can access a monitoring GUI, but what is available is limited and reported in real time; it might help troubleshooting somewhat, but not in facilitating any kind of trend reporting.
Near- and far-end NAT-traversal support make the Ingate product adept at getting VoIP calls through to the right destination, even with different near- and far-end firewall and NAT configurations in place. The Ingate SIParator also offers redundancy and VoIP survival features, such as alternate gateways, backup registration for callers, domain-availability checking and failback rerouting. It is also tightly integrated with Microsoft Live Communication Server 2005, for handling VoIP in conjunction with video, IM and presence applications.
| THE TIPJAR: Get to know your VoIP network | ||||
|
Next: Mera Systems >
Mera Systems
Mera Systems' Mera VoIP Transit Softswitch (MVTS) software-only SBC began life as a softswitch and is extremely rich in supported VoIP call-handling protocols and features. MVTS runs atop Red Hat Linux 9 on almost any high-end server platform (the more the better, as far as RAM and gigahertz).
Sophisticated call routing through this product employs a panoply of criteria, including time of day, QoS and precedence, and route load. Of the products tested, Mera supports the most complete transcoding - on-the-fly conversion between high-bandwidth G.711 VoIP Real-time Transport Protocol (RTP) streams and low-bandwidth G.729 streams. A host of other vocoders also are supported. SIP to H.323 translation is akin to the seamless gateway interworking that NexTone provides. To test the translation capabilities of the Mera product, we placed calls through it between an H.323 endpoint and a SIP endpoint on the other side and confirmed that these features worked as advertised.