SBC 'traffic cop' controls VoIP streams at the border
Session border controllers, complex and costly, offer widely varying capabilities.
Mera's software collects a lot of useful details about VoIP traffic and activity. It can collect and display dozens of parameters about each call. These are stored in detailed logs, but in a confusing Linux-style format, which frustrates the useful consolidation and consumption of this data. While the product provides a lot of data, you've got to extract it in an ASCII log file via command-line entry. It's by no means a neat, legible graphical presentation of the information. It also doesn't provide much in terms of formatted reports or trend analysis.
Another shortcoming of the Mera package is security: There are no firewall capabilities and no direct protection from a DoS attack, for example. Enterprise users considering the Mera package will need to address firewall and system security separately.
Ditech Communications
Ditech's PeerPoint C100 is a Linux-based appliance that supports only SIP-based call control. Beyond VoIP call handling, this SBC provides rich firewall capabilities, as well as strong DoS-attack handling.
Many of these security features were demonstrated on monitored calls and showed a detailed level of settings for automatic protection. DoS-attack profiles can be created based on standard Internet protocols or detected call-transmission rates. SIP protocol header fields also can be filtered actively to prevent details of the internal network from being broadcast to the Internet. The C100 uses intelligent monitoring to flag and track suspect incoming connections. The monitoring uses active scorekeeping and configurable timers to identify problem connections from an incoming client, which is then incrementally blocked and optionally reinstated for access to the local network. This process, which can be configured by combinations of IP address, port number and dynamic message failure ratios, runs automatically without administrator intervention. Additional protection is provided by enabling examination of RTP, the standardized Internet content transmission format, to validate its declared content (audio and video), thus preventing a disguised executable from entering the system.
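The scorekeeping-and-timers idea described above can be sketched as follows. This is an added illustration, not Ditech's code or configuration: the class and function names, the thresholds and the escalating block durations are all assumptions.

```python
from dataclasses import dataclass

# Assumed policy values for illustration (not Ditech defaults).
FAIL_RATIO_LIMIT = 0.5          # failure ratio that earns a strike
MIN_MESSAGES = 10               # never judge a source on fewer messages
WINDOW_SECS = 60                # length of one scoring window
BLOCK_STEPS = [30, 300, 3600]   # escalating block timers, in seconds

@dataclass
class SourceState:
    window_start: float
    total: int = 0
    failed: int = 0
    strikes: int = 0
    blocked_until: float = 0.0

class Scorekeeper:
    """Hypothetical per-source scorekeeper keyed on (IP address, port)."""

    def __init__(self):
        self.sources = {}

    def observe(self, ip, port, ok, now):
        """Score one SIP message (ok=False means it failed); return the verdict."""
        st = self.sources.setdefault((ip, port), SourceState(window_start=now))
        if now < st.blocked_until:
            return "block"                       # block timer still running
        if now - st.window_start >= WINDOW_SECS:
            st.window_start, st.total, st.failed = now, 0, 0
        st.total += 1
        st.failed += 0 if ok else 1
        if st.total >= MIN_MESSAGES and st.failed / st.total > FAIL_RATIO_LIMIT:
            # Each repeat offence selects the next, longer timer.
            step = BLOCK_STEPS[min(st.strikes, len(BLOCK_STEPS) - 1)]
            st.strikes += 1
            st.blocked_until = now + step
            st.window_start, st.total, st.failed = now, 0, 0
            return "block"
        return "allow"                           # includes reinstated sources

if __name__ == "__main__":
    sk = Scorekeeper()
    # Constructed traffic: one source failing every message, one per second.
    for t in range(12):
        print(t, sk.observe("203.0.113.7", 5060, False, t))
    print(40, sk.observe("203.0.113.7", 5060, True, 40))  # timer expired
```

A source is reinstated automatically when its timer expires, and a repeat offence moves it to the next, longer timer; a well-behaved source with occasional failures never reaches the ratio limit.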
Other strengths include sophisticated near- and far-end NAT traversal (such as with the Ingate product), Secure RTP (sRTP) encryption, and TLS (encrypted SIP call control) support. To check out Ditech's NAT traversal, we used Ditech's own method of querying the open call sessions and problems by sending and monitoring the results of SIP reinvites to both sides of the NAT. We captured and examined call sequences and RTP streams to confirm TLS and sRTP.
We give kudos to Ditech's installation because initial configuration and establishing settings are based on an embedded relational database that retains values entered and propagates the values to other screens and tabs in the system (to drop-down boxes, for example). This lets you avoid the arduous process of having to reenter the same data multiple times, and helps ensure valid entries in screens.
The vendor's adjunct Packet Voice Processor, which was not included in the configuration we tested, reportedly adds support for transcoding, per-call quality measurement and reporting, quality trend reports and intelligent packet repair.
Other noteworthy aspects of the Ditech package include its tight compatibility with Microsoft Live Communications Server 2005; a special feature for keeping calls connected (called stateful failover, it worked seamlessly in our testing, with failover occurring in less than a second, resulting in no dropped calls); and what Ditech calls media path optimization, where the system decides whether to proxy media streams or allow direct point-to-point RTP communications.
The four SBCs tested all showed they could competently process and manage SIP-based VoIP calls between an enterprise environment and a simulated service provider, front-ended by a prominent third-party, carrier-oriented SBC. Interoperability between the carrier-side SBC employed in the test bed and the enterprise-based SBCs we tested did not prove to be a concern.
Emerging with the top score from this test round was NexTone, whose package we believe best suits a large enterprise - because of its high price tag, support for legacy H.323-based PBXs, and very detailed reporting that most benefits an organization with a dedicated VoIP admin staff. Ingate placed second, with a system that adds good SIP-based VoIP security to an enterprise that may want to retain its legacy data-network firewalls. Closely behind Ingate were Mera Systems and Ditech, which tied. Mera's software-only package favors enterprises with a lot of legacy VoIP, as it handles many forms of VoIP protocol and RTP stream conversion. Ditech's appliance provides enterprises with SIP-based VoIP, added security, call- and QoS-handling.
Mier is founder and president, Mosco and Tarpley are lab testers, and Smithers is CEO at Miercom, a network consultancy and product test center in East Windsor, N.J. They can be reached at: ed@miercom.com, amosco@miercom.com, rtarpley@miercom.com and rsmithers@miercom.com, respectively.
They are also members of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to www.networkworld.com/alliance.
Copyright © 2006 IDG Communications, Inc.