Learn About Protecting Your Telecommunications Network

With the advent of 5G services across geographies and the growing need for session border controllers (SBCs) in their expanding networks, it has become crucial for telecommunications service providers to have a cost-effective, secure, scalable, and rapidly deployable platform strategy for SBCs in their networks.

5G is designed to connect virtually everyone and everything together including machines, objects, and devices. 5G technology is meant to deliver higher multi-Gbps peak data speeds, ultra low-latency, improved reliability, massive network capacity, increased availability, and a more uniform user experience. Higher performance and improved efficiency from 5G empower new user experiences and connect new industries.

In the rapidly advancing world of real-time communication, organizations no longer rely on voice calls as their primary form of communication. There are many components to today's Unified Communications and Collaboration (UCC) ecosystem, including video conferencing, desktop sharing, instant messaging, presence management, and team collaboration. All of these elements working together flawlessly requires a signaling protocol, called Session Initiation Protocol (SIP). SIP initiates and terminates a communication session, which could be a video conference between a team, or a call between two people. It does this by sending messages in the form of data packets between two or more IP endpoints, or SIP addresses. SIP identifies the presence of the other parties, establishes the connection, and closes it when the session is finished, but has no control over what happens during the connection.

While SIP is a powerful and integral part of real-time communications, it brings challenges: implementations differ between vendors, and moving signaling and media across the internet raises security issues. This is where session border controllers come in.

A session border controller is a special-purpose device (hardware or software defined) that protects and regulates IP communications flows. Session border controllers are deployed at network borders to control IP communications sessions, helping service providers deliver trusted, carrier-grade, real-time communications such as VoLTE, VoIP, video conferencing and calling, presence, IM, and IPTV, along with the following core functionalities:

  • Security

    Protect against Denial of Service (DoS) and Distributed DoS (DDoS) attacks, safeguard against toll fraud and service theft, and provide media and signaling encryption to ensure confidentiality and protect against impersonation or masquerade.

  • Multi-vendor interoperability

    Normalize SIP (Session Initiation Protocol) signaling stream headers and messages to mitigate multi-vendor incompatibilities.

  • Protocol interworking

    Enable interworking between diverse protocols or diverse codecs.

  • Quality of service (QoS)

    Enforce call admission control (CAC) policies, type of service (ToS) marking, or rate limiting for service quality assurance.

  • Session routing

    Route sessions across network interfaces to ensure high availability or enable least cost routing (LCR).

With so many core network functions, the SBC is a critical network function for any telecommunications service provider, and for its enablers and consumers.
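To make two of the SBC functions listed above concrete (multi-vendor SIP header normalization and protection against signaling floods), here is an added example; it is not Oracle Communications Session Border Controller code, and the SIP INVITE, source addresses and rate thresholds are constructed values.

```python
"""Added example (not Oracle SBC code): normalize SIP compact header names to
their long form and apply a per-source sliding-window limit on SIP requests,
the kind of check an SBC does before forwarding signaling into the core."""
from collections import defaultdict, deque

# RFC 3261 compact header forms that some vendor stacks emit; an SBC rewrites
# them to the long form so the next hop never has to handle both spellings.
COMPACT_HEADERS = {"v": "Via", "f": "From", "t": "To", "i": "Call-ID",
                   "m": "Contact", "c": "Content-Type", "l": "Content-Length",
                   "k": "Supported", "s": "Subject", "e": "Content-Encoding"}

def normalize_sip(raw: str) -> dict:
    """Parse a SIP request; return method, request URI and long-form headers."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, uri, version = lines[0].split(" ", 2)
    if version != "SIP/2.0":
        raise ValueError("not a SIP/2.0 request")
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the headers; any SDP body follows
        name, _, value = line.partition(":")
        name = COMPACT_HEADERS.get(name.strip().lower(), name.strip())
        headers.setdefault(name, []).append(value.strip())
    return {"method": method, "uri": uri, "headers": headers}

class SignalingRateLimiter:
    """Sliding-window limit on SIP requests per source IP (assumed thresholds)."""
    def __init__(self, max_requests: int, window_s: float):
        self.max_requests, self.window_s = max_requests, window_s
        self.seen = defaultdict(deque)

    def allow(self, src_ip: str, now: float) -> bool:
        q = self.seen[src_ip]
        while q and now - q[0] >= self.window_s:
            q.popleft()  # discard timestamps that fell out of the window
        if len(q) >= self.max_requests:
            return False  # flood from this source: drop instead of forwarding
        q.append(now)
        return True

# Constructed INVITE written with compact header names, as a quirky peer might send it.
SAMPLE_INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\n"
                 "v: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
                 "f: Alice <sip:alice@example.org>;tag=1928\r\n"
                 "t: Bob <sip:bob@example.net>\r\n"
                 "i: a84b4c76e66710@192.0.2.10\r\n"
                 "l: 0\r\n\r\n")

if __name__ == "__main__":
    print(normalize_sip(SAMPLE_INVITE)["headers"])
```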

Architecture

This architecture shows an active-standby pair of Oracle Communications Session Border Controller instances that are deployed in different fault domains in a single availability domain in an Oracle Cloud Infrastructure (OCI) region.

Illustration: session-border-controller-oci.png (diagram source: session-border-controller-oci-oracle.zip)

This architecture supports the following components:

  • Region

    An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).

  • Availability domain

    Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain is unlikely to affect the other availability domains in the region.

  • Fault domain

    A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability domain has three fault domains with independent power and hardware. When you distribute resources across multiple fault domains, your applications can tolerate physical server failure, system maintenance, and power failures inside a fault domain.

  • Virtual cloud network (VCN) and subnet

    A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.

  • Security list

    For each subnet, you can create security rules that specify the source, destination, and type of traffic that must be allowed in and out of the subnet.

  • Route table

    Virtual route tables contain rules to route traffic from subnets to destinations outside a VCN, typically through gateways.

  • Internet gateway

    The internet gateway allows traffic between the public subnets in a VCN and the public internet.

  • Network address translation (NAT) gateway

    A NAT gateway enables private resources in a VCN to access hosts on the internet, without exposing those resources to incoming internet connections.

  • Service gateway

    The service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.

  • Dynamic routing gateway (DRG)

    The DRG is a virtual router that provides a path for private network traffic between VCNs in the same region, and between a VCN and a network outside the region, such as a VCN in another Oracle Cloud Infrastructure region, an on-premises network, or a network in another cloud provider.

  • Site-to-Site VPN

    Site-to-Site VPN provides IPSec VPN connectivity between your on-premises network and VCNs in Oracle Cloud Infrastructure. The IPSec protocol suite encrypts IP traffic before the packets are transferred from the source to the destination and decrypts the traffic when it arrives.

  • Session Border Controller

    Oracle Communications Session Border Controller is the industry-leading session border controller (SBC) for fixed line, mobile, and over-the-top (OTT) services.

    The functions offered by Oracle Communications Session Border Controller satisfy critical service provider requirements in five major areas: security, interoperability, reliability and quality, regulatory compliance, and revenue and cost optimization.

  • VM System

    Oracle Cloud Infrastructure VM (virtual machine) System is a "computer made of software" that you can use to run any software you'd run on a physical computer. Like a physical machine, a virtual machine has its own operating system, storage, networking, configuration settings, and software, and it is fully isolated from other VMs running on that host. A VM system provides secure and elastic compute capacity in the cloud for workloads ranging from small development projects to large-scale, global applications such as real-time communication platforms. Flexible shapes enable you to optimize VM resources with customized processor and memory values for improved price-performance.

  • Bastion VM

    A SIPpy bastion built on an Oracle VM host.

  • VNIC

    A virtual network interface card (VNIC) enables an instance to connect to a VCN and determines how the instance connects with endpoints inside and outside the VCN. Each VNIC resides in a subnet in a VCN and includes these items:

    • A primary private IPv4 address from the subnet the VNIC is in, chosen by either you or Oracle.
    • Optional secondary private IPv4 addresses from the same subnet the VNIC is in, chosen by either you or Oracle.
    • An optional public IPv4 address for each private IP, chosen by Oracle but assigned by you at your discretion.
    • An optional hostname for DNS for each private IP address.
    • A MAC address.
    • A VLAN tag assigned by Oracle and available when attachment of the VNIC to the instance is complete (relevant only for bare metal instances).
    • A flag to enable or disable the source/destination check on the VNIC's network traffic.
    • Optional membership in one or more network security groups (NSGs) of your choice. NSGs have security rules that apply only to the VNICs in that NSG.
    • Optional IPv6 addresses. IPv6 addressing is supported for all commercial and government regions.

  • OCI DevOps

    Oracle Cloud Infrastructure (OCI) DevOps is a continuous integration/continuous delivery (CI/CD) service that automates the delivery and deployment of software to OCI compute platforms for developers to simplify and automate their software development lifecycle.

  • Object storage

    Object storage provides quick access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich content such as images and videos. You can safely and securely store and then retrieve data directly from the internet or from within the cloud platform. You can seamlessly scale storage without experiencing any degradation in performance or service reliability. Use standard storage for "hot" storage that you need to access quickly, immediately, and frequently. Use archive storage for "cold" storage that you retain for long periods of time and seldom or rarely access.

  • Cloud Guard

    You can use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define.
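As an added example for the Security list and Bastion VM components above (not part of Oracle's architecture files or the OCI SDK), the following builds the ingress rules for the SBC subnet in the JSON shape the OCI IngressSecurityRule API accepts, and checks them before they are applied; the port numbers and the bastion CIDR are assumed values.

```python
"""Added example: generate and sanity-check the ingress rules for an SBC subnet's
security list. SIP signaling and RTP are open to peers; management (SSH) is
reachable only from the bastion subnet. CIDRs and ports are assumed values."""
import json

TCP, UDP = "6", "17"          # IANA protocol numbers as OCI expects them
BASTION_CIDR = "10.0.3.0/24"  # assumed private subnet of the Bastion VM
ANY = "0.0.0.0/0"

def ingress_rule(source, protocol, lo, hi, description):
    """One OCI IngressSecurityRule (camelCase keys as in the REST API/CLI JSON)."""
    opts = {"destinationPortRange": {"min": lo, "max": hi}}
    rule = {"source": source, "sourceType": "CIDR_BLOCK", "protocol": protocol,
            "isStateless": False, "description": description}
    rule["tcpOptions" if protocol == TCP else "udpOptions"] = opts
    return rule

def sbc_ingress_rules():
    """Signaling and media from peers; SSH only from the bastion subnet."""
    return [
        ingress_rule(ANY, TCP, 5061, 5061, "SIP over TLS from peers"),
        ingress_rule(ANY, UDP, 5060, 5060, "SIP over UDP from peers"),
        ingress_rule(ANY, UDP, 16384, 32767, "RTP/SRTP media"),
        ingress_rule(BASTION_CIDR, TCP, 22, 22, "SSH from bastion only"),
    ]

MANAGEMENT_PORTS = {22, 443, 3389}  # SSH, web GUI, RDP

def find_exposed_management(rules):
    """Descriptions of rules that open a TCP management port to the whole internet."""
    bad = []
    for r in rules:
        ports = r.get("tcpOptions", {}).get("destinationPortRange")
        if r["source"] == ANY and r["protocol"] == TCP and ports and any(
                ports["min"] <= p <= ports["max"] for p in MANAGEMENT_PORTS):
            bad.append(r["description"])
    return bad

if __name__ == "__main__":
    rules = sbc_ingress_rules()
    assert not find_exposed_management(rules), "management port exposed to internet"
    # Save as rules.json and pass it to the OCI CLI with
    # --ingress-security-rules file://rules.json when creating the security list.
    print(json.dumps(rules, indent=2))
```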