SBC controls
Our SBCs secure the mobile subscriber access border and the interconnect/peering border. They protect themselves and other elements of the service delivery infrastructure from malicious denial-of-service (DoS/DDoS) attacks and non-malicious overloads, and they protect mobile subscriber endpoints and privacy.

SBC DoS/DDoS protection
- Protect SBC from DoS/DDoS attack and other malicious attacks
- Protect SBC from non-malicious overloads
- Allow trusted/authenticated users access while under DoS attack
- Dynamically accept or reject traffic based on device behavior

Access control
- Filter specific devices or whole networks on a per-application basis
- Permit access to known devices or networks
- Permit access to authorized/registered users; permit or deny access to mask users
- Dynamically accept or reject traffic based on device behavior
- Accept media only for authorized sessions

Topology hiding & privacy
- Hide core topology to prevent directed attacks and preserve confidentiality
- Mask user information for privacy and confidentiality
- Protect users and service provider infrastructure from eavesdroppers, identity thieves and fraud
- Secure L2 and L3 VPN customers by maintaining security isolation between VPNs
- Support inter-VPN sessions; monitor media for intra-VPN sessions for lawful intercept or fraud prevention

Virus, worm & SPIT protection
- Protect network from malicious attachments, prevent malformed messages from overloading resources
- Restrict usage to prevent automated dialing/unwanted sessions

Service infrastructure DoS prevention
- Prevent DoS attacks from reaching core service infrastructure
- Protect core from signaling overload attacks by enforcing call rate limiting, message rate limiting and code gapping policies

Fraud prevention
- Perform signaling and media validation by authenticating and authorizing users
- Enforce service contract per-user/device and prevent piggyback usage

Monitoring and reporting
- Monitor and report on alarms for attacks and overloads
- Audit trails for attack response & fraud investigation
- Provide secure monitoring & management access to protect from unauthorized personnel

The SIP interworking capabilities of a Net-Net SBC ensure interoperability with and between SIP subscriber endpoints and femtocells, MSCs, mobile softswitches, IMS CSCF elements, application servers, media servers, media gateways and SBCs in peering networks. They enable sessions to traverse IPv4 and IPv6 networks, public and private networks using overlapping IP addresses, and virtual private networks. Net-Net SBCs mediate between different signaling, transport and encryption protocols, converting between incompatible codecs, and translating signaling-layer telephone numbers, addresses and response codes.

NAT traversal
- Enable incoming and outgoing calls to traverse premises-based NAT devices by discovering public/external IP addresses for signaling and media or keeping NAT pinholes open for signaling

Address translation
- Bridge IP address spaces—private-public, private-private, IPv4-IPv6
- OLIP/VPN bridging and aggregation eliminates the need to backhaul VPN links to core session control elements and signaling NAT function

Telephone number & URI manipulation
- Enable prefix, suffix, wildcard and other telephone number manipulations to enhance/control session routing

Protocol translations and fix-ups
- Signaling—provide protocol normalization, repair and interworking for SIP to SIP, SIP to SIP-T, SIP to SIP-I, SIP-I to SIP-T
- Transport—provide support and interworking for UDP, TCP, SCTP
- Encryption—provide support and interworking for none, TLS, IPsec, SRTP
- Response codes—correct SIP response code translations between networks/service providers

Transcoding, transrating & DTMF translations
- Transcoding—translation for fixed line and mobile codecs
- Transrating—mediate between variations in rate (e.g. 10ms to 30ms)
- DTMF extraction / interworking—enable conversion from in-band to out-of-band signaling

A Net-Net SBC plays a critical role in assuring session capacity and quality. It performs admission control using local policies and/or external policy servers to ensure that both the network and service infrastructure have the capacity to support a session with high quality. SBCs also control IP network transport, and monitor and report actual session quality to determine compliance with performance specifications set forth in service level agreements between service providers.

Session admission control
- Admit sessions based upon signaling and bandwidth constraints per user, network or session agent to ensure resource availability
- Interface to external policy servers and bandwidth managers

Overload protection and control
- Load balance traffic based on number of sessions or rate of sessions
- Reject or divert traffic based upon destination number to control mass calling events

Failure detection, traffic re-route and recovery
- Monitor performance and availability of L3 router, SIP registrar, SIP session agent
- Re-route or re-distribute traffic based upon performance degradation or failure
- Manage avalanche SIP registration events resulting from power outages or registrar failures by statefully managing endpoint re-registration process and load

Transport control
- Assign QoS marking/VLAN mapping based on application, source address or destination address
- Release peer-peer media between endpoints

Quality reporting and quality-based routing
- Route sessions based on observed QoS—jitter, loss, latency—or answer seizure ratio (ASR)
- Measure QoS (latency, jitter and packet loss) and ASR per-session
- Append QoS and ASR information to CDR

Government-mandated regulations worldwide, including national emergency services such as E911, national security emergency preparedness services such as Government Emergency Telecommunications Service (GETS) and lawful intercept such as the Communications Assistance for Law Enforcement Act (CALEA) in the United States are supported by Net-Net SBCs.

Emergency session handling
- Prioritize, retrieve location information and route emergency/E911 sessions with enhanced QoS (3GPP E-CSCF)
- Interface to external location servers (3GPP CLF)

Priority session handling for national security/emergency preparedness (GETS)
- Prioritize and route priority sessions with enhanced QoS

Lawful intercept
- Replicate and deliver signaling (call data) and media (call content) for lawful intercept

Session replication for recording
- For quality control and regulatory compliance requirements

A Net-Net SBC helps service providers control costs and increase revenues with options for integrating many IMS functions, by routing sessions optimally to minimize costs, by providing accounting and related mechanisms to maximize billable sessions, and by protecting against both bandwidth and quality of service theft.

Integrated IMS functions
- Access SBC functions—P-CSCF, E-CSCF, I/S-CSCF-equivalent functions via Net-Net SMX, signaling firewall (SF), BGCF, IMS-AGW and ATCF, ATGW
- Interconnect/peering SBC—I-BCF, IWF, I-BGF/TrGW, BGCF
- Access & interconnect SBC may be supported on same platform for small scale deployments

Accounting
- Generate CDRs for billing or network planning
- Diameter, RADIUS or file-based accounting

Service theft protection
- Police media bandwidth per-session based upon authorized codec
- Terminate inactive sessions with session timers to free-up network and system resources
- Ensure only authorized sessions receive correct QoS and resource allocation

Routing
- Least cost routing (LCR) enables policy-based session control based on route cost
- ENUM-based routing increases routing infrastructure scalability and reduces PSTN costs
- Carrier code-based routing enables policy-based session control based on prefix or carrier code
- Industry-standard ENUM, SIP, XML and DNS interfaces to third-party routing databases
- Large local route tables for static, localized routing decisions

Codec stripping & re-ordering
- Normalize codec at border to simplify core service network and routing