• United States
by Edwin Mier, Anthony Mosco, Robert Tarpley and Robert Smithers

SBC ‘traffic cop’ controls VoIP streams at the border

Apr 17, 200618 mins
Network SecurityNetworkingSecurity

Session border controllers, complex and costly, offer widely varying capabilities.

A session border controller may be in your VoIP future, according to our Clear Choice Test of devices that aim to expand your organization’s VoIP reach.

Functionally, an SBC is a traffic cop: It facilitates and mediates VoIP flows in real time, in both directions between private VoIP domains: an enterprise and a VoIP-based service provider – the environment we tested here – or two service providers. SBCs came of age by providing peering connectivity between different carriers’ VoIP services and only recently have begun penetrating enterprises.

How we tested SBCs

Archive of Network World tests

Subscribe to the Network Product Test Results newsletter

There is no universal job description for an SBC. Certainly there has to be versatile handling of VoIP call-control protocols, such as Session Initiation Protocol () and H.323, especially amid different firewall and network address translation () configurations. And there needs to be some security safeguards – hiding the network topology of the private network, for example. But overall, SBCs are complex and costly components, coming from diverse backgrounds and offering widely varying capabilities.

We invited more than a dozen vendors who were touting new SBC wares earlier this year to submit their packages for testing in Miercom’s New Jersey lab. Four accepted our challenge for this feature-based testing: Ditech Communications, Ingate Systems, Mera Systems and NexTone Communications.

Despite many differences in the feature sets of these products (see “What SBCs do”), their general orientations lie in a few similar, basic areas, including VoIP call handling, QoS handling and security capabilities. Based on our assessment in these areas, our Clear Choice Test Award goes to NexTone’s package, the Multiprotocol Session Controller (MSC) coupled with its iView Management System (iVMS). NexTone’s dynamic VoIP session control, real-time monitoring with active error and threshold-limit notification, call-level reporting system, and integrated firewall features make it the best of the enterprise-focused SBCs we tested. We note, though, that the NexTone package costs considerably more than the competition (more than $100,000, compared with $25,000 to $38,000 for the others).

What session border controllers do: Comparative feature checklist Note: A check mark (√) indicates the product fully addresses this feature.
VoIP signaling and call handling

Ditech PeerPoint C100

Ingate SIParator 60


NexTone MSC and iVMS

Call load, bandwidth optimization    
Full-featured firewall traversal 

Session Initiation Protocol (SIP) to H.323 conversion

H.323 gatekeeper services  

SIP proxy, redirect, other services

Real-time Transport Protocol/RTP Control Protocol termination and regeneration

Transcoding (G.711-G.729, etc.)  

IP address resolution/management

Native, integral firewall 


Topology hiding

Authenticate VoIP calls and callers

Open and close legacy firewall ports


VoIP network address translation

Prevention of denial-of-service attacks


QoS, quality monitoring, reporting    
Differentiated Services/types of services QoS handling

Monitors each VoIP call

Per-call quality rating (i.e., mean opinion score)  

Issue call detail records 

TCall-quality trend reports   

Next: NexTone Communications >

NexTone Communications

One strength of NexTone’s Linux-based MSC was its exceptional management and reporting, augmented by the powerful routing engine of the optional iVMS. NexTone could be set up to adapt dynamically and to alter operational behavior involving admission control, routing priorities and bandwidth allocation, based on fluctuating network conditions and changed user or application behavior. For example, we observed how the system can be set up to divert traffic from low-cost VoIP carrier A to carrier B, if the quality measurements of calls via carrier A drop below established thresholds. Also, the parameters that users can apply for routing decisions by NexTone’s MSC are broader and include, for example, user profile, time of day and desired – the example cited earlier.

The iVMS allows routing and rerouting of calls among carrier services and trunks, and serves up extensive VoIP-quality reporting, including statistics on average call duration and postdial delay. We exercised the routing capabilities of this product by setting up multiple trunk groups and changing conditions to cause rerouting. One way was to unplug a gateway and see whether calls would reroute if there was a viable alternate path. In another case we intentionally oversubscribed the amount of bandwidth allocated in Call Admission Control, to ensure the overflow calls would be blocked. In both cases, the NexTone product worked as advertised.

Another capability of NexTone’s SBC is that it offers seamless connectivity between SIP phones and applications and H.323-based IP PBXs. This feature lets users connect their existing legacy VoIP environments, which are mostly H.323-based, to VoIP-based carrier services, which are mostly SIP-based. We tested the MSC’s role in this process by placing a VoIP call between an H.323 and a SIP endpoint, and verified that it worked. The connection setup and quality were good, despite the mismatch in call-control protocols.

NexTone Multiprotocol Session Controller and iView Management System

Score: 4.2

The core of NexTone’s SBC package is the MSC, a souped-up VoIP-call routing engine. The extra-priced iVMS is a call-quality rating, performance monitoring, and reporting system. The set-up of call routing with NexTone’s MSC is extremely granular. For example, the system can be setup to dynamically change such settings as Call Admission Control, Routing Priorities, Policy Enforcement and Bandwidth Allocation based on the usage behavior, service availability and so on.

With its broad protocol support – H.323, including many variants for specific IP-PBX vendors, as well as Session Initiation Protocol, and translation between the two – this SBC is well-suited for mixed-protocol and multi-vendor environments. We tested this by connecting SIP and H.323-based softphones, which interoperated transparently.

The second part of the NexTone package, the iVMS system, provides collects and reports session information, and includes an excellent GUI-based monitoring tool called iView. A short list of the call information that can be collected and reported includes: origination, destination, IP addresses, endpoint entities, call durations, ring times, error codes, Mean Opinion Score ratings, latency, dropped packets and total packets.

For security, NexTone does token-based bandwidth throttling of sessions that exceed a set threshold, with stepped reinstatement. Both are sophisticated mechanisms for protecting against incorrect or unauthorized IP traffic, which could be denial-of-service () attempts. There can be multiple cycles of allowing or reinstating a suspect to see whether their intentions are legitimate. NexTone also can tell whether there is a mismatched address in the call-setup process, which normally would prevent call setup or indicate a possible threat. In this case NexTone will send call-control information to the source address – where the request actually came from – to set up an audio path and ignore what is the incorrect, possibly spoofed originating address. Here, the NexTone package must take over routing of the call, which it can do only because it can assume full SIP call control.

The downside to this product is its complexity. Installation and configuration require an onsite NexTone team, who configure the system to be left on its own. NexTone strongly suggests the NexTone University for training additional customer personnel who will configure and tune the system. Also, unlike some competitors, NexTone’s package does not interact with any existing or legacy firewalls. This can be a major shortcoming for an organization that’s comfortable with its embedded firewalls.

Next: Ingate Systems >

Ingate Systems

The strength of the Ingate SIParator 60 SBC centers on its solid firewall platform, which works with existing, legacy firewalls.

The Ingate firewall is SIP-aware, which means it understands and accommodates SIP-protocol flows for opening and closing ports, address translation and so on. The SIParator is especially clear in its setup choices. You can configure it to handle just VoIP (while having another firewall handle all other firewall functions) or to handle all firewall processing. There’s no underlying H.323 support – it’s SIP-only – but the base firewall has been extended considerably with SIP-based VoIP features.

We spent the bulk of our testing time focused on how SIParator’s firewalling integrated with its QoS capabilities. For example, we examined its ability to recognize and appropriately handle type of service and values. We went through screens and configuration for categorizing call types into queues with different threshold, QoS and priority settings. We confirmed the system marked and handled traffic as expected.

There’s also a full SIP proxy server on board the Ingate box, which allows it to participate in SIP call control. An SBC normally is not expected to interfere with or modify the SIP-calling information. By containing a full SIP proxy server, however, the SBC can apply a higher level of oversight and involvement in SIP operations. For example, as a proxy server, the Ingate SBC can rewrite the SIP header of inbound and outbound call-setup messages on the fly, to accommodate particular SIP domain names and name changes.

The Ingate product offers no trend reporting, no call-quality reporting and no per-call quality assessment. Ingate monitors what is going on and provides real-time data, such as number of active calls and ports open, but it does not address any sort of cumulative data collection or reporting. The administrator of the SIParator can access a monitoring GUI, but what is available is limited and reported in real time; it might help troubleshooting somewhat, but not in facilitating any kind of trend reporting.

Near- and far-end NAT-traversal support make the Ingate product adept at getting VoIP calls through to the right destination, even with different near- and far-end firewall and NAT configurations in place. The Ingate SIParator also offers redundancy and VoIP survival features, such as alternate gateways, backup registration for callers, domain-availability checking and failback rerouting. It is also tightly integrated with Microsoft Live Communication Server 2005, for handling VoIP in conjunction with video, IM and presence applications.

THE TIPJAR: Get to know your VoIP network
1.) Know your VoIP network well in terms of equipment, protocols, traffic load. In addition to IP phones and VoIP gateways, you’ll need a firm understanding of the other network components that may affect VoIP flows and your session border controller (SBC) deployment, including firewalls and intrusion-prevention systems, DHCP and DNS environments, and possibly some aspects of your Layer 2 and Layer 3 infrastructure .
2.) Plan to test all VoIP flows and routes through the SBC before going live.
3.) Get your carriers and IP telephony vendors involved in the process. The questions you need input on include: Do they have experience working with the SBC you’ve selected? Have they worked in combination with other service providers and the IP PBX vendors you have chosen? What are the preferred setting you need to have in place with regard to timers, rerouting messages, security setting and the planned SBC settings?
4.) Remember that your SBC objectives are improving security and saving money. With the complexities of VoIP networking, it’s possible to lose sight of why you’re deploying an SBC in the first place. If, for example, VoIP call quality drops to the point where all or most calls are rerouted over the public switched telephone network, it may end up costing you a lot more money.

Next: Mera Systems >

Mera Systems

Mera Systems’ Mera VoIP Transit Softswitch (MVTS) software-only SBC began life as a softswitch and is extremely rich in supported VoIP call-handling protocols and features. MVTS runs atop Red Hat Linux 9 on almost any high-end server platform (the more the better, as far as RAM and gigahertz).

Sophisticated call routing through this product employs a panoply of criteria, including time of day, QoS and precedence, and route load. Of the products tested, Mera supports the most complete transcoding – on-the-fly conversion between high-bandwidth G.711 VoIP Real-time Transport Protocol (RTP) streams and low-bandwidth G.729 streams. A host of other vocoders also are supported. SIP to H.323 translation is akin to the seamless gateway interworking that NexTone provides. To test the translation capabilities of the Mera product, we placed calls through it between an H.323 endpoint and a SIP endpoint on the other side and confirmed that these features worked as advertised.

Mera’s software collects a lot of useful details about VoIP traffic and activity. It can collect and display dozens of parameters about each call. These are stored in detailed logs, but in a confusing Linux-style format, which frustrates the useful consolidation and consumption of this data. While the product provides a lot of data, you’ve got to extract it in an ASCII log file via command-line entry. It’s by no means a neat, legible graphical presentation of the information. It also doesn’t provide much in terms of formatted reports or trend analysis.

Another shortcoming of the Mera package is security: There are no firewall capabilities and no direct protection from a DoS attack, for example. Enterprise users considering the Mera package will need to address firewall and system security separately.

Mera Systems VoIP Transit Softswitch

Score: 3.6

The Mera VoIP Transit Softswitch is a software-only SBC package, which we tested on a not particularly high-end laptop (a Pentium 4, 2.4 GHz, 512KB RAM – running Red Hat Linux 9.0). A separate software module, the Session Initiation Protocol-H.323 Inter-protocol Translator (SIP-HIT), ran on the same Linux platform. The setup is extremely tailorable – more than 400 parameters can be defined, mainly related to routing, protocol handling, and call-load distribution.

There is separate management software, called the MVTS Manager, which we loaded and ran on a Windows XP laptop. Management access can be accomplished either as a Windows GUI or via a Web browser. MVTS is natively H.323 based.

The SIP piece adds all the SIP functionality. The package extends from a softswitch base, with features that add to the efficiency of VoIP call handling. Call load can be distributed to avoid bottlenecks or heavily used routes, which keeps call-quality high. The ability of this package to transcode on the fly between different VoIP coders is impressive.

With the very tailorable settings and SIP and H.323 interoperability, this SBC package is likely to be able to handle interoperability and inter-connectivity of many different IP-telephony systems, as well as VoIP-based carrier services.

Next: Ditech Communications >

Ditech Communications

Ditech’s PeerPoint C100 is a Linux-based appliance that supports only SIP-based call control. Beyond VoIP call handling, this SBC provides rich firewall capabilities, as well as strong DoS-attack handling.

Many of these security features were demonstrated on monitored calls and showed a detailed level of settings for automatic protection. DoS-attack profiles can be created based on standard Internet protocols or detected call-transmission rates. SIP protocol header fields also can be filtered actively to prevent details of the internal network from being broadcast to the Internet. Intelligent monitoring is used by the C100 to flag and monitor suspect incoming connections. The monitoring uses active scorekeeping and configurable timers to identify problem connections from an incoming client, who is then incrementally prevented and optionally reinstated for access back into the local network. This process, which can be configured by combinations of IP address, port number and dynamic message failure ratios, performs automatically without administrator intervention. Additional protection is provided by enabling examination of RTP, the standardized Internet content transmission format, to validate its declared content (audio and video), thus preventing a disguised executable from entering the system.

Other strengths include sophisticated near- and far-end NAT traversal (such as with the Ingate product), and Secure RTP (sRTP) encryption and (TLS: encrypted SIP call control) support. To check out Ditech’s NAT traversal, we used Ditech’s own method of querying the open call sessions and problems by sending and monitoring the results of SIP reinvites to both sides of the NAT. We captured and examined call sequences and RTP streams to confirm TLS and sRTP.

We give kudos to Ditech’s installation because initial configuration and establishing settings are based on an embedded relational database that retains values entered and propagates the values to other screens and tabs in the system (to drop-down boxes, for example). This lets you avoid the arduous process of having to reenter the same data multiple times, and helps ensure valid entries in screens.

Ditech Communications’ PeerPoint C100

Score: 3.4

The PeerPoint C100 is a Linux-based appliance that is – as alluded to in its name – usually sold as two redundant units where one runs as primary, the other as secondary hot standby. There is no hard drive – a design option chosen mainly for reliability and, secondarily, for security. Instead, the operating image loads from a flash-memory card and runs in RAM.

The SBC ships with one of its laudable features – near- and far-end NAT traversal – enabled by default. Because of the complexity of setting up some parameters, such as security certificates, the vendor is usually engaged for a “pre-provisioning” service.

A separate adjunct subsystem, called the Packet Voice Processor (PVP), adds many features for massaging VoIP RTP streams, such as noise and echo control, volume control and intelligent packet restoration. But the PVP was not included in the configuration tested, a fact which limited the range of features we could give Ditech’s SBC credit for.

A notable aspect of the PeerPoint C100 that we verified was its ability to diagnose the network on a per-call basis and determine when to regenerate VoIP streams, or allow direct media flows between endpoints. It’s important to note that this SBC addresses Session Initiation Protocol-only call environments. Support for SIP environments is fairly full, including RTCP features and was fully interoperable with the carrier-level Sansay VSX SBC with which we tested it.

The vendor’s adjunct Packet Voice Processor, which was not included in the configuration we tested, reportedly adds support for transcoding and other per-call quality measurement and reporting, and quality trend reports and intelligent packet repair.

Other noteworthy aspects of the Ditech package include its tight compatibility with Microsoft Live Communications Server 2005; a special feature for keeping calls connected (called stateful failover, it worked seamlessly in our testing, with failover occurring in less than a second, resulting in no dropped calls); and what Ditech calls media path optimization, where the system decides whether to proxy media streams or allow direct point-to-point RTP communications.

The four SBCs tested all showed they could competently process and manage SIP-based VoIP calls between an enterprise environment and a simulated service provider, front-ended by a prominent third-party, carrier-oriented SBC. Interoperability between the carrier-side SBC employed in the test bed and the enterprise-based SBCs we tested did not prove to be a concern.

Emerging with the top score from this test round was NexTone, whose package we believe best suits a large enterprise – because of its high price tag, support for legacy H.323-based PBXs, and very detailed reporting that most benefits an organization with a dedicated VoIP admin staff. Ingate placed second, with a system that adds good SIP-based VoIP security to an enterprise that may want to retain its legacy data-network firewalls. Closely behind Ingate were Mera Systems and Ditech, which tied. Mera’s software-only package favors enterprises with a lot of legacy VoIP, as it handles many forms of VoIP protocol and RTP stream conversion. Ditech’s appliance provides enterprises with SIP-based VoIP, added security, call- and QoS-handling.

Mier is founder and president, Mosco and Tarpley are lab testers, and Smithers is CEO at Miercom, a network consultancy and product test center in East Windsor, N.J. They can be reached at:,, and, respectively.

NW Lab Alliance

They are also members of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to

NexTone Multiprotocol Session Controller (MSC) and iView Management System (iVMS)OVERALL RATING
Company: NexTone Communications. Cost: From $46,000 to $135,000 for MSC, depending on service and options; iVMS base product starts at $85,000. Pros: Great detailed reports on call quality and performance statistics; best administration, including alarms and provisioning; H.323 handling, interworking with SIP; rich and flexible call-routing configurability. Con: No transcoding; high price tag.
Company: Ingate Systems. Cost: $25,630 for system tested (1,000 registered callers), including remote-Session Initiation Protocol (SIP)-connectivity, advance-SIP-routing, VoIP-survival and QoS optional modules. Pros: Full-featured, flexible, integral firewall; can deploy with existing, legacy firewall; various network address translation (NAT) environments supported (via optional module). Cons: No H.323 support; no transcoding; limited VoIP-quality and trend reporting.
Mera VoIP Transit SoftswitchOVERALL RATING
Company: Mera Systems. Cost: $38,400 for system tested (300 concurrent calls); all-software product (Linux-based). Pro: Broadest VoIP protocol support; full transcoding; supports several redundancy configuration; rich call-routing capabilities. Con: Limited security (no direct protection from denials-of-service attacks; no firewall capabilities).
Ditech PeerPoint C100OVERALL RATING
Company: Ditech Communications. Cost: $27,000 for system tested (250 concurrent calls). Pro: Flexible configuration, including NAT-traversal support; straight forward installation; special Microsoft Live Communications Server (SIP) support; VoIP encryption (Secure RealTime Transport Protocol); special support for VoIP conference servers. Cons: SIP-only protocol support; no integral firewall; limited VoIP-quality reporting.
The breakdown NexTone Multiprotocol Session Controller and iVMSIngate SIParator 60Mera VoIP Transit SoftswitchDitech PeerPoint C100
VoIP handling 40%4443
Configuration 20%4344
Security 20%4424
Additional features 20%5333
Scoring Key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Consistently subpar