MSG features and benefits
Our MSG controls IPsec tunnels transporting SIP interactive communications and packet data services to the endpoint or femtocell access point.
Security
SIP interactive communications and packet data services must be tunneled through an untrusted and unmanaged Internet access network to a core network for dual-mode handsets or femtocell applications. Acme Packet’s MSG provides that secure bridge between the customer premises and the service provider’s network.
3GPP Wm interface to AAA servers:
- Controls access to services
- Authenticates endpoints
IPsec tunnel mode encryption/decryption of SIP and packet data services:
- Ensures user confidentiality and prevents identity theft
- Mitigates service theft
Hardware-based packet filtering and access control:
- Prevents layer 3 and layer 4 denial-of-service (DoS) attacks on the multiservice security gateway
- Prevents non-malicious overloads
- Dynamically accepts or rejects traffic based on device behavior
Monitoring and reporting:
- Provides alarms for attacks and overloads
- Aids attack response and fraud investigation with audit trails
- Provides secure monitoring and management access to protect against unauthorized personnel
Service reach maximization
Subscriber dual-mode handsets or femtocells are generally located behind untrusted access networks not controlled by the mobile operator, presenting challenges in serving that endpoint. Acme Packet Net-Net SG provides NAT traversal and multiservice virtualization to extend subscriber reach and types of services supported.
Multiservice architecture with application virtualization:
- Supports local partitioning and resource dedication to specific services
- Reduces the number of network elements
NAT traversal:
- Enables services to traverse premises-based NAT devices by using UDP encapsulation
Dead peer detection:
- Permits efficient scaling of resources by preventing exhaustion of encryption resources
- Aids troubleshooting by alerting administrators to unreachable femtocell access points or dual-mode handsets
SLA assurance
Voice quality and service availability can be compromised by oversubscribed network resources. The Acme Packet Net-Net SG uses upstream and downstream policers to ensure availability of femtocell access points, dual-mode handsets and the core network.
Overload prevention for core network elements (DNS servers, media gateways, etc.):
- Prevents RTP service and bandwidth abuse by endpoints
- Assures network and service availability to subscribers
Endpoint overload protection:
- Prioritizes GSM signaling and voice over Internet and data traffic
- Prevents downlink traffic from overwhelming endpoints
SBC features and benefits
Acme Packet’s SBC is responsible for controlling SIP sessions between the service core and the endpoint or femtocell.
Security
As IP interactive communication services are delivered over untrusted Internet and WiFi access networks, critical resources can be compromised, elevating the risks of denial-of-service (DoS), eavesdropping and other malicious attacks. To protect service elements such as IMS CSCF servers and application servers in the network, our unique Net-SAFE security architecture helps service providers build trusted and secure access borders. Acme Packet’s security features also protect service provider and customer privacy and ensure network availability.
Hardware-based packet filtering and access control:
- Prevents DoS and DDoS attacks on the SBC and core infrastructure
- Prevents unauthorized access
Dynamic trust management:
- Classifies devices or users as trusted, untrusted, or malicious based on signaling behavior
- Prioritizes trusted user traffic over untrusted user traffic
- Allows trusted/authenticated users access while under DoS attack or overload
Dynamic, signaled NAPT and back-to-back signaling:
- Deep packet inspection of signaling messages strips out confidential information
- Hides IP layer (layer 3) and signaling topologies (layer 5) from attack
- Allows topology changes in the core without affecting interfaces to customers
Signaling rate limiting and code gapping:
- Prevents overload of softswitches, IMS CSCF functions, application servers and other signaling elements
- Protects against SPIT
Encryption (TLS, IPsec, SRTP):
- Protects customer privacy
- Increases scalability by aggregating encrypted connections and offloading processing from the core
Programmable header manipulation:
- Removes confidential signaling information
- Matches signatures for intrusion detection and virus/worm/malware scanning
Intrusion detection protection and reporting:
- Provides protection against and increases awareness of unknown security threats and suspicious behavior
- Monitors potential security breaches while limiting false positives
- Provides audit trails for attack response and fraud investigation
Per-session media bandwidth policing:
- Prevents media-based DoS attacks
- Deters bandwidth theft and fraud
Service reach maximization
Service delivery may be impossible at IP access network borders due to firewalls/NATs, use of different signaling, encryption or transport protocols or overlapping IP address spaces and dial plans. Our SBCs provide numerous address and protocol translation capabilities to maximize the types of endpoints, service infrastructure and network topologies supported, allowing service providers to increase their addressable customer base.
Multiservice architecture with application virtualization:
- Allows partitioning and resource dedication to specific services
- Reduces the number of network elements
- Allows for unique service profiles and signaling options
- Provides fine-grained traffic, security and QoS controls per application
Interworking signaling (SIP, H.323), encryption (TLS, IPsec) and transport (TCP, UDP, SCTP) protocols:
- Maximizes number of reachable networks for service delivery
- Eliminates need to change service core
- Mediates differences at network ingress and egress, allowing changes in core network without disrupting service
SIP protocol normalization and repair including programmable header manipulation:
- Increases vendor interoperability
- Accelerates time-to-market
SIPconnect compliance:
- Ensures enterprise PBX interoperability for SIP trunking services
- Eliminates need for IP PBX or SIP proxy compliance
Number normalization and response code translations:
- Allows heterogeneous networks to interconnect without changing core elements
- Performs prefix, suffix and other telephone number manipulations
Overlapping IP address domain mediation and VPN bridging:
- Allows direct interfaces to multiple VPNs to minimize equipment costs
- Supports connections to external networks using overlapping private address space
- Securely separates and bridges traffic
SLA assurance
Oversubscribed networks and service infrastructure can negatively impact customers. Our SBCs provide session admission control, load balancing and QoS marking and reporting features that deliver assured service quality and network availability during abnormal busy periods or network events.
Flexible session admission control policies:
- Prevents network overload
- Increases network availability
- Admits sessions based upon signaling and bandwidth constraints per user, network or SIP session agent to ensure resource availability
- Interfaces to external policy servers and bandwidth managers for end-to-end service delivery
Session agent load balancing:
- Ensures network uptime and service availability during peak call times
Failure detection, traffic re-route and recovery:
- Ensures network uptime and service quality
- Monitors performance and availability of routers, SIP registrars and SIP session agents
- Re-routes or re-distributes traffic based upon performance degradation or failure
- Manages avalanche SIP registration events resulting from power outages or registrar failures by statefully managing the endpoint re-registration process and load
QoS reporting (jitter, delay, packet loss, MOS):
- Determines quality of session from a media perspective
- Provides data for SLA reporting
- Speeds time to identify and isolate problems for resolution and network optimization
Answer Seizure Ratio (ASR) reporting:
- Determines quality of session from a signaling perspective
- Provides data for SLA reporting
- Speeds time to identify and isolate problems for resolution and network optimization
Cost and revenue management
To optimize ARPU and the profitability of services delivered to dual-mode handsets and femtocells, service providers must optimize network utilization and capture accurate billing data while minimizing fraud and service theft. Acme Packet SBCs deliver call routing, bandwidth policing and accounting features to aid in revenue collection and ensure the most cost-effective usage of a service provider’s network.
Bandwidth policing:
- Protects against bandwidth theft
- Polices media bandwidth per-session based upon authorized codec
Accounting via call detail records (CDRs) or RADIUS:
- Enables session-based billing and settlement
- Supports traffic planning and performance management
Session timers:
- Prevents fraudulent and stranded calls
- Enables audit trails for fraud detection
- Terminates inactive sessions to free up network and system resources
Regulatory compliance
Public safety and law enforcement regulations for traditional phone networks are being applied to VoIP services. Acme Packet SBCs deliver call routing and replication features and interfaces to aid mobile operators in complying with government regulations for IP interactive communications.
Intercept Access Function for signaling and media:
- Enables cost-effective compliance with lawful intercept regulations
- Replicates and delivers call data and content for processing by LI mediation platforms
Emergency session identification and breakout routing and admission control exemption:
- Enables priority treatment and routing for emergency sessions
Diameter interface to Connectivity Session Location and Repository Function (CLF):
- Retrieves and delivers caller location information for efficient and correct handling of emergency calls in IMS/TISPAN networks