SBC 'traffic cop' controls VoIP streams at the border

Session border controllers, complex and costly, offer widely varying capabilities.

Page 2 of 2

Mera's software collects a lot of useful details about VoIP traffic and activity. It can collect and display dozens of parameters about each call. These are stored in detailed logs, but in a confusing Linux-style format, which frustrates the useful consolidation and consumption of this data. While the product provides a lot of data, you've got to extract it in an ASCII log file via command-line entry. It's by no means a neat, legible graphical presentation of the information. It also doesn't provide much in terms of formatted reports or trend analysis.

Another shortcoming of the Mera package is security: There are no firewall capabilities and no direct protection from a DoS attack, for example. Enterprise users considering the Mera package will need to address firewall and intrusion-prevention system security separately.

Mera Systems VoIP Transit Softswitch

Score: 3.6

The Mera VoIP Transit Softswitch is a software-only SBC package, which we tested on a not particularly high-end laptop (a Pentium 4, 2.4 GHz, 512KB RAM - running Red Hat Linux 9.0). A separate software module, the Session Initiation Protocol-H.323 Inter-protocol Translator (SIP-HIT), ran on the same Linux platform. The setup is extremely tailorable - more than 400 parameters can be defined, mainly related to routing, protocol handling, and call-load distribution.

There is separate management software, called the MVTS Manager, which we loaded and ran on a Windows XP laptop. Management access can be accomplished either as a Windows GUI or via a Web browser. MVTS is natively H.323 based.

The SIP piece adds all the SIP functionality. The package extends from a softswitch base, with features that add to the efficiency of VoIP call handling. Call load can be distributed to avoid bottlenecks or heavily used routes, which keeps call quality high. The ability of this package to transcode on the fly between different VoIP coders is impressive.

With the very tailorable settings and SIP and H.323 interoperability, this SBC package is likely to be able to handle interoperability and inter-connectivity of many different IP-telephony systems, as well as VoIP-based carrier services.


Ditech Communications

Ditech's PeerPoint C100 is a Linux-based appliance that supports only SIP-based call control. Beyond VoIP call handling, this SBC provides rich firewall capabilities, as well as strong DoS-attack handling.

Many of these security features were demonstrated on monitored calls and showed a detailed level of settings for automatic protection. DoS-attack profiles can be created based on standard Internet protocols or detected call-transmission rates. SIP protocol header fields also can be filtered actively to prevent details of the internal network from being broadcast to the Internet. Intelligent monitoring is used by the C100 to flag and monitor suspect incoming connections. The monitoring uses active scorekeeping and configurable timers to identify problem connections from an incoming client, which is then incrementally blocked from, and optionally reinstated for, access to the local network. This process, which can be configured by combinations of IP address, port number and dynamic message failure ratios, runs automatically without administrator intervention. Additional protection is provided by enabling examination of RTP, the standardized Internet content transmission format, to validate its declared content (audio and video), thus preventing a disguised executable from entering the system.
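The scorekeeping approach described above, sketched as an added example. This is not Ditech's code or algorithm: the class name, thresholds and block durations are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

class Scorekeeper:
    """Per-source failure-ratio scoring with escalating, timed blocks.
    All thresholds below are assumed values, not vendor defaults."""
    def __init__(self, window=10.0, min_msgs=5, max_fail_ratio=0.5,
                 block_steps=(30.0, 300.0)):
        self.window = window                  # seconds of history scored
        self.min_msgs = min_msgs              # no verdict on fewer messages
        self.max_fail_ratio = max_fail_ratio  # failed / total that triggers a block
        self.block_steps = block_steps        # each repeat offence blocks longer
        self.recent = defaultdict(deque)      # (ip, port) -> (ts, failed) pairs
        self.strikes = defaultdict(int)       # (ip, port) -> blocks issued so far
        self.blocked_until = {}               # (ip, port) -> reinstatement time

    def observe(self, ts, ip, port, failed):
        """Score one signalling message; return 'allow' or 'block'."""
        key = (ip, port)
        if ts < self.blocked_until.get(key, 0.0):
            return "block"                    # block timer still running
        q = self.recent[key]
        q.append((ts, failed))
        while q and q[0][0] <= ts - self.window:
            q.popleft()                       # drop events older than the window
        fails = sum(1 for _, f in q if f)
        if len(q) >= self.min_msgs and fails / len(q) > self.max_fail_ratio:
            step = min(self.strikes[key], len(self.block_steps) - 1)
            self.blocked_until[key] = ts + self.block_steps[step]
            self.strikes[key] += 1
            q.clear()                         # source starts clean once reinstated
            return "block"
        return "allow"

# Constructed sample: one source that fails every message, one that rarely does.
BAD, GOOD = ("198.51.100.7", 5060), ("192.0.2.10", 5060)
SAMPLE = ([(float(t), *BAD, True) for t in (0, 1, 2, 3, 4, 5, 40, 41, 42, 43, 44)]
          + [(float(t), *GOOD, t == 2) for t in range(6)])

def replay(events):
    """Feed events in time order; return per-source decisions and the keeper."""
    keeper, out = Scorekeeper(), defaultdict(list)
    for ts, ip, port, failed in sorted(events):
        out[(ip, port)].append(keeper.observe(ts, ip, port, failed))
    return dict(out), keeper

if __name__ == "__main__":
    decisions, keeper = replay(SAMPLE)
    for src, verdicts in decisions.items():
        print(src, verdicts, "blocked until", keeper.blocked_until.get(src))
```

The failing source is blocked for 30 seconds on its first offence, reinstated when the timer expires, and blocked for 300 seconds when it offends again; the mostly clean source is never blocked.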

Other strengths include sophisticated near- and far-end NAT traversal (such as with the Ingate product), and Secure RTP (sRTP) encryption and Transport Layer Security (TLS: encrypted SIP call control) support. To check out Ditech's NAT traversal, we used Ditech's own method of querying the open call sessions and problems by sending and monitoring the results of SIP reinvites to both sides of the NAT. We captured and examined call sequences and RTP streams to confirm TLS and sRTP.

We give kudos to Ditech's installation because initial configuration and establishing settings are based on an embedded relational database that retains values entered and propagates the values to other screens and tabs in the system (to drop-down boxes, for example). This lets you avoid the arduous process of having to reenter the same data multiple times, and helps ensure valid entries in screens.

Ditech Communications' PeerPoint C100

Score: 3.4

The PeerPoint C100 is a Linux-based appliance that is - as alluded to in its name - usually sold as two redundant units where one runs as primary, the other as secondary hot standby. There is no hard drive - a design option chosen mainly for reliability and, secondarily, for security. Instead, the operating image loads from a flash-memory card and runs in RAM.

The SBC ships with one of its laudable features - near- and far-end NAT traversal - enabled by default. Because of the complexity of setting up some parameters, such as security certificates, the vendor is usually engaged for a "pre-provisioning" service.

A separate adjunct subsystem, called the Packet Voice Processor (PVP), adds many features for massaging VoIP RTP streams, such as noise and echo control, volume control and intelligent packet restoration. But the PVP was not included in the configuration tested, a fact which limited the range of features we could give Ditech's SBC credit for.

A notable aspect of the PeerPoint C100 that we verified was its ability to diagnose the network on a per-call basis and determine when to regenerate VoIP streams, or allow direct media flows between endpoints. It's important to note that this SBC addresses Session Initiation Protocol-only call environments. Support for SIP environments is fairly full, including RTCP features, and the C100 was fully interoperable with the carrier-level Sansay VSX SBC with which we tested it.

The vendor's adjunct Packet Voice Processor, which was not included in the configuration we tested, reportedly adds support for transcoding and other per-call quality measurement and reporting, and quality trend reports and intelligent packet repair.

Other noteworthy aspects of the Ditech package include its tight compatibility with Microsoft Live Communications Server 2005; a special feature for keeping calls connected (called stateful failover, it worked seamlessly in our testing, with failover occurring in less than a second, resulting in no dropped calls); and what Ditech calls media path optimization, where the system decides whether to proxy media streams or allow direct point-to-point RTP communications.

The four SBCs tested all showed they could competently process and manage SIP-based VoIP calls between an enterprise environment and a simulated service provider, front-ended by a prominent third-party, carrier-oriented SBC. Interoperability between the carrier-side SBC employed in the test bed and the enterprise-based SBCs we tested did not prove to be a concern.

Emerging with the top score from this test round was NexTone, whose package we believe best suits a large enterprise - because of its high price tag, support for legacy H.323-based PBXs, and very detailed reporting that most benefits an organization with a dedicated VoIP admin staff. Ingate placed second, with a system that adds good SIP-based VoIP security to an enterprise that may want to retain its legacy data-network firewalls. Closely behind Ingate were Mera Systems and Ditech, which tied. Mera's software-only package favors enterprises with a lot of legacy VoIP, as it handles many forms of VoIP protocol and RTP stream conversion. Ditech's appliance provides enterprises with SIP-based VoIP, added security, call- and QoS-handling.

Mier is founder and president, Mosco and Tarpley are lab testers, and Smithers is CEO at Miercom, a network consultancy and product test center in East Windsor, N.J. They can be reached at: ed@miercom.com, amosco@miercom.com, rtarpley@miercom.com and rsmithers@miercom.com, respectively.

NW Lab Alliance

They are also members of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to www.networkworld.com/alliance.

NexTone Multiprotocol Session Controller (MSC) and iView Management System (iVMS)

Overall rating: 4.2

Company: NexTone Communications. Cost: From $46,000 to $135,000 for MSC, depending on service and options; iVMS base product starts at $85,000. Pros: Great detailed reports on call quality and performance statistics; best administration, including alarms and provisioning; H.323 handling, interworking with SIP; rich and flexible call-routing configurability. Cons: No transcoding; high price tag.

Ingate SIParator 60

Overall rating: 3.6

Company: Ingate Systems. Cost: $25,630 for system tested (1,000 registered callers), including remote-Session Initiation Protocol (SIP)-connectivity, advance-SIP-routing, VoIP-survival and QoS optional modules. Pros: Full-featured, flexible, integral firewall; can deploy with existing, legacy firewall; various network address translation (NAT) environments supported (via optional module). Cons: No H.323 support; no transcoding; limited VoIP-quality and trend reporting.

Mera VoIP Transit Softswitch

Overall rating: 3.4

Company: Mera Systems. Cost: $38,400 for system tested (300 concurrent calls); all-software product (Linux-based). Pros: Broadest VoIP protocol support; full transcoding; supports several redundancy configurations; rich call-routing capabilities. Con: Limited security (no direct protection from denial-of-service attacks; no firewall capabilities).

Ditech PeerPoint C100

Overall rating: 3.4

Company: Ditech Communications. Cost: $27,000 for system tested (250 concurrent calls). Pros: Flexible configuration, including NAT-traversal support; straightforward installation; special Microsoft Live Communications Server (SIP) support; VoIP encryption (Secure Real-Time Transport Protocol); special support for VoIP conference servers. Cons: SIP-only protocol support; no integral firewall; limited VoIP-quality reporting.

The breakdown

| Category (weight) | NexTone Multiprotocol Session Controller and iVMS | Ingate SIParator 60 | Mera VoIP Transit Softswitch | Ditech PeerPoint C100 |
|---|---|---|---|---|
| VoIP handling (40%) | 4 | 4 | 4 | 3 |
| Configuration (20%) | 4 | 3 | 4 | 4 |
| Security (20%) | 4 | 4 | 2 | 4 |
| Additional features (20%) | 5 | 3 | 3 | 3 |
| TOTAL SCORE | 4.2 | 3.6 | 3.4 | 3.4 |

Scoring Key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Consistently subpar

Copyright © 2006 IDG Communications, Inc.
