Avaya Aura® Session Border Controller, powered by Acme Packet, secures the IP border for the real time interactive communications that flow outside your internal network. With Avaya Aura® Session Border Controller, your Unified Communications and Contact Center Solutions can securely leverage SIP, while simultaneously extending the power of the Avaya Aura® architecture throughout your enterprise to realize the true benefits of open standards.

1. Why Do I Need an SBC ? PacketBase, Inc.

2. MM App App VP App CM Application Platform Application Platform Avaya Aura™ Session Manager Avaya Aura™ SBC Avaya Aura™ SBC and the Reference Architecture Application MX SystemManager PSTN trunking providers, hosted services, federated partners Media Servers SIP Trunks or Connection SIP Trunks Avaya Aura SBC or Acme Packet SBC SIP Avaya one-X® endpoints Internet Access 3rd Party PBXs Avaya CM (branch or standalone) Remote workers via Internet (future) 3rd Party endpoints 2

3. Things to think about… Service Providers maximize revenue by designing their network to be highly optimized with minimal maintenance Their SBC’s, Softswitches, and Media Gateways are widely shared resources Unique customer configuration requirements deviate from this theme For SIP Trunks, each Service Provider has explicitly defined User to Network Interface (UNI) requirements The requirements include supported SIP message types requests/responds, methods, formatting, headers, fields, codec’s, QoS markings etc. Within a single Service Provider, the UNI will differ with each unique service offering. Enterprise customers do not subscribe to the same model, instead focusing on implementing solutions that meet customer needs and differentiate their business Traditional demarcation points, i.e. media gateways, no longer act as natural boundaries to enforce expected service provider behaviors and requirements

4. Why use an SBC? Flexibility Providers layer of independence from Service Provider – allows enterprise to make changes more quickly vs. negotiating / relying on Service Provider if needs change Normalization point for signaling and RTP media streams to multiple SIP stacks in the enterprise Allows for multiple SIP trunk provider access points (now or in future) Support of enterprise-specific call flows that may not be directed supported by SIP trunk provider Security Enforces a customer’s unique security policies SIP trunk provider’s own SBC (if private SIP trunk service) focuses on the provider’s security concerns Complete network topology hiding Addresses set of issues specific to SIP-based communication (deep packet inspection) Accountability Per call status – QoS, SLA monitoring Report on intrusion attempts Session recording 4

5. Analyst View - SBCs and the Enterprise 5

6. The Security Threat - Examples June 2009 – International Phone Fraud Ring busted – Softpedia Eight indicted for stealing calls totaling over 12 million minutes and resulting in phone bills of more than $55 million May 2010 – FBI warns on VoIP attacks TDoS attacks create diversion for information thieves to loot bank account information October 2010 - VoIP Attacks On The Rise! Secure Your VoIP Servers – blog.sipvicious.org Cloud-initiated wave of SIPVicious port 5060 scans lead to €11 million loss December 2010 – Major VoIP Fraud Gang Dismantled in Romania 50 individuals used “Zoiper” program to route calls to premium rate numbers through hacked VoIP accounts in exchange for commission 6

7. Gartner – SBC Evaluation Criteria Has been thoroughly tested and documented as an integral part of the enterprise UC solution Has been incorporated into the certification configurations of the enterprise UC solution with the SIP trunk service provider Provides support and maintenance services for UC Provides a full set of security features, including prevention of DoS and DDoS attacks Source: http://www.gartner.com/technology/media-products/reprints/avaya/vol6/article8/article8.html 7

8. 8 Enterprise and contact center security threats Denial of Service Call/registration overload Malformed messages (fuzzing) Configuration errors Mis-configured devices Operator and application errors Theft of service Unauthorized users Unauthorized media types Viruses & SPIT Viruses via SIP messages Malware via IM sessions SPIT – unwanted traffic Enterprise Adoption of Collaboration Tools Source: Nemertes Research Increased usage of collaboration tools means security threats are more of a concern

9. SBC DoS protection Fraud Access prevention control Service infrastructure Topology hiding DoS & privacy prevention Viruses malware & SPIT mitigation Avaya Aura™ SBC & Acme Packet Net-Net SBC Security Framework SBC DoS/DDoS protection Protect against DoS/DDoS attacks Access control & VPN separation Dynamic, session-aware access control for signaling & media Topology hiding & privacy Viruses, malware & SPIT mitigation Deep packet inspection Encryption and Authentication TLS, SRTP, IPSec Monitoring and reporting Record attacks & attackers Provide audit trails 9

10. GSSCP (Global Service Provider SIP Compliance Program) Program to test and document valid working configurations with SIP trunk providers Tests are tied to 6 defined Avaya reference configurations Avaya has recently published Interoperability Guidelines document SBC testing guidelines Implications of implementing a non-tested configuration 3rd party SBC guidelines 10

11. SBC Feature Summary The SBC will provide the interworking function between the Avaya Aura Communication Core and SP specific SIP methods Faster deployment of Avaya Aura solutions at lower risk and cost Easier integration of Avaya Aura with external third-party applications and services The SBC provides DoS (Denial of Service) protection by rate limiting traffic into the enterprise The SBC provides topology hiding for the enterprise infrastructure The SBC will be the anchoring point for in-bound calls and will consume REFER method indications to redirect traffic internal to the enterprise The SBC may need to fork media for recording purposes The SBC may be required to transcode media Reference point for Interop testing with SIP trunk providers 11