White Paper

Enabling IP Telephony with Juniper Enterprise Solutions

Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408.745.2000 1.888 JUNIPER www.juniper.net

Part Number: 200206-001 Nov 2006

Enabling IP Telephony with Juniper Enterprise Solutions

Table of Contents
Executive Summary ...........................................................................................................3 Introduction and Overview ................................................................................................3 Juniper Networks Enables IP Telephony ............................................................................4 Best-in-class Security ....................................................................................................4 Best-in-class Performance ...........................................................................................4 Best-in-class Reliability and Availability ........................................................................4 Centralized Management .............................................................................................4 Partnerships with Application Vendors .........................................................................5 Enterprise IP Telephony Solution Example .........................................................................5 Headquarters and Campus Users ................................................................................5 Branch Office Users......................................................................................................6 Teleworker ..................................................................................................................8 Mobile Worker .............................................................................................................8 Data Center ..................................................................................................................9 Juniper Networks Enterprise Solutions Portfolio ..............................................................10 Firewall/IP Sec VPN ...................................................................................................10 Intrusion Detection and Prevention (IDP) ..................................................................10 SSL VPN Secure Access .............................................................................................. 11 Application Acceleration............................................................................................. 11 Enterprise Routing .....................................................................................................12 Policy, Control and Visibility .......................................................................................13 Conclusion .......................................................................................................................13

Copyright 2006, Juniper Networks, Inc

Enabling IP Telephony with Juniper Enterprise Solutions

Executive Summary
Geographically dispersed workers and consolidation of network resources are some of the trends fueling the growth of IP telephony in todays enterprises. Yet to reap the benefits of IP telephony, enterprises must be able to support its unique requirements. This white paper discusses Junipers unique ability to provide the security, availability, and performance demanded by IP telephony applications. The white paper also looks at real-world examples of the needs of IP telephony users in the enterprise, including headquarters basedcampus worker, branch office user, teleworker, and mobile worker.

Introduction and Overview

For various reasons, todays enterprises have a very distributed workforce; research shows that 80% or more employees now work outside their companys headquarters at least part of the time. More people are working at branch offices, from home, or from other remote locations. The mobility and scattering of an organizations employees are some of the reasons deployment of web, collaboration, and other applications requiring IP telephony are becoming more widespread. Regardless of their geographical location, employees need to have fast and consistent access to applications and resources in order to be productive. In comparison to using a regular phone, converged applications facilitate communication and collaboration, helping to maintain productivity and cut costs. These applications are contributing to a more real-time environment in the enterprise. Real-time enterprises demand the most current information to gain strategic, competitive advantages in a constantly changing business environment. Today, IP telephony is more than just a phone on a desk. There is an abundance of solutions that incorporate IP telephony, including video webcasts, contact center applications, mobile IP telephony, and collaboration tools. These solutions incorporating IP telephony allow many discrete applications, such as document sharing and instant messaging, to be consolidated. Consolidating applications reduces the load on servers, while reducing the load on IT managers, and can reduce complexity in data centers. In order to benefit from IP telephony solutions, an enterprise must be able to support IP telephonys unique requirements. The real-time nature and high-availability expectations of IP telephony applications puts them at particular risk from network disruptions due to security breaches, network link or device failures, or performance degradation due to latency, contention for bandwidth among applications, bandwidth congestion, jitter, and packet loss. Users also expect voice conversations to be private, so IP telephony has to meet high standards for security. In order to deploy IP telephony applications successfully, enterprises need network infrastructure and services that provide fast and consistent application performance, availability, reliability, and security.

Copyright 2006, Juniper Networks, Inc

Enabling IP Telephony with Juniper Enterprise Solutions

Juniper Networks Enables IP Telephony

Juniper Networks leads the industry in enabling secure and assured communications over a single IP network. Purpose-built IP platforms enable customers to support many different services and applications on a large scale, and over a wide area. Service providers, enterprises, governments, and research and education institutions worldwide rely on Juniper Networks to deliver high-performance infrastructure elements that enable security, application acceleration and connectivity in a highly available environment.

Best-in-class Security
Juniper Networks solutions provide complete security for a wide range of IP telephony applications and protocols. These solutions can Detect and prevent threats from impacting service availability Repel attacks targeted at IP telephony equipment Secure call signaling (H.323, SIP etc.) and voice communications from any location using VPN technology and Application Layer Gateways (ALGs) Ensure only appropriate users and devices can access IP telephony resources.

Best-in-class Performance
Juniper Networks platforms are designed to deliver high performance throughput under all network and service conditions. In particular, they deliver the performance required for quality IP telephony communications by Increasing existing bandwidth capacity over wide area links Ensuring minimal latency, jitter, and packet loss, regardless of network conditions, and connectivity over WAN and Expediting VoIP traffic streams using a variety of methods.

Best-in-class Reliability and Availability

Juniper Networks is recognized as an industry leader in providing high availability platforms. All products are built using modular software and hardware architectures that support the high expectations of IP telephony users by Maximizing connection availability via automatic failover mechanisms Providing redundancy by virtualizing and mirroring platforms, and Efficiently and reliably transporting VoIP applications using comprehensive traffic engineering and quality of service (QoS) capabilities.

Centralized Management
Juniper Networks policy, control, and visibility solutions provide appropriate access control, policy creation and management, and network and service management, ensuring secure and reliable networks for all applications, including IP telephony. In this group, Juniper Networks solutions Restrict network access to valid users and devices Validate and enforce compliance policies on users and devices, and Provide centralized management, monitoring and reporting for network services and infrastructure.

Copyright 2006, Juniper Networks, Inc

Enabling IP Telephony with Juniper Enterprise Solutions

Partnerships with Application Vendors

Juniper Networks partners with best-of-breed application vendors to certify, sell, and develop solutions for enterprises. Juniper Networks, in conjunction with strategic partner Avaya, supports joint solutions that leverage Avayas IP telephony expertise and market leadership with networking, application acceleration and security expertise from Juniper Networks. Together, Avaya and Juniper Networks provide high quality voice and converged communications that protect companies sensitive data while maintaining network integrity and performance. Avaya solutions are referred to throughout this document.

Enterprise IP Telephony Solution Example

The needs of users vary greatly depending on their location. Juniper Networks solutions improve the performance of IP telephony applications for various users, including: users at headquarters and campus; branch offices; teleworkers; and mobile workers (see Figure 1). Since many enterprise applications, including IP telephony applications, reside in the data center, this location will also be examined.
Acce ss Po int

Headquarters

Extended Campus Location

Acce

Inf Contrranet oller

Wireles

IDP

WXC 500

ss Po int

Soft

switch

LAN
Swit ch

Wireles

Voice

SSL VPN

Fire

wall

Fire

wall

Soft

switch

M Ser ie

J S erie

GSM/WiFi IP Softphone

Voice

PSTN

WAN

Internet

Mobile

SSG

J S erie

or

SSG

NS 5GT-

Odysse y Access Client

WX 20

IP Softphone IP Agent

Odysse y Access Client

Odysse y Access Client

GSM/WiFi

Teleworker (Home Ofce)

IP Softphone

Road Warrior

Branch Ofce Users

Figure 1: The connected enterprise

Headquarters and Campus Users

IP telephony requirements in headquarters or campus locations vary widely. Most workers using IP telephony generally have IP phones on their desks (or hardphones) that make and receive calls over the LAN, Internet and the PSTN network (see Figure 1). They may be using certain VoIP applications located in a headquarters or data center server, such as a contact center application, to respond to client queries. Adequate performance and high availability is expected from their voice applications, which is heavily dependent on the underlying infrastructure.

Copyright 2006, Juniper Networks, Inc

Enabling IP Telephony with Juniper Enterprise Solutions Increasing deployments of wireless LANs are helping fuel the rollout of IP telephony applications by making it easier to roam in a campus or large office environment. For example, employees visiting from other enterprise locations can use an IP telephony application running on their laptops (or softphone) to make phone calls affordably throughout a campus location, either by using an attached headset and speakers, or by forwarding their extension to any handset in a guest office. Campus security guards can use IP mobile wireless radios to keep in touch while doing their rounds. Wireless networking in these locations requires increased security and performance, so that hackers cannot snoop on wireless IP phone calls for malice or for profit. Another trend fueling security requirements in headquarters locations is the need to accommodate guests. Visiting clients and contractors may expect Internet access for their laptop, and they may want to use a telephone. How can their needs be met without compromising the availability and security of the network? Juniper Networks has a range of solutions to address all these requirements for headquarters and campus users (see Table 1). For users at headquarters/campus using real time, business critical, IP telephony applications such as contact center, the Juniper data center application acceleration (DX) and load balancing platforms help improve performance of web based appliactions accessed by contact center workers,. The Juniper Networks M-Series routing platforms also improve VoIP performance via cRTP packet compression, and provide granular control of quality of service (QoS) for VoIP traffic across the WAN network using MPLS or other mechanisms. Users making and receiving calls on a PDA or laptop throughout the campus on a wireless LAN can be assured that no one is listening in. Campus devices, whether on the wired or wireless network, are checked for security compliance, authenticated, and granted device and user privileges via the Juniper Networks Infranet Controller (IC). The IC authenticates users via RADIUS, using either the Steel-Belted Radius (SBR) functionality included on the IC, or via HTTP. In both cases, third-party identity servers are typically consulted for user credentials. Visiting workers or contractors can also be granted access without compromising enterprise security. IP hardphones and their data ports in guest worker offices can be restricted to certain VLANs via standard discovery protocols supported in 802.1X switches and a standalone SBR server. The Juniper Networks Intrusion Detection and Prevention products (Juniper Networks IDP) protect critical VoIP assets from external and internal attacks. Juniper Networks Firewall/IPSec VPN products keep out unwanted traffic, while opening and closing pinholes dynamically to allow IP phone calls to penetrate the firewall.

Branch Office Users

Since most enterprises employ far more users in branch offices than at headquarters, they need branch office infrastructure that performs as well as the networks in headquarters. Most branch offices connect directly to headquarters via either a private WAN link or via a VPN over the Internet. As more branch offices connect directly to the Internet, rather than back-hauling Internet traffic to headquarters, this introduces a new set of security challenges. IP telephony users at branch offices use their IP phone to talk to clients, employees who are local, employees in other locations, and other outside parties. And like users in headquarters, they may also have a computer with converged applications. For example, they may also be answering calls routed to them by a contact center application located in the data center. When they miss calls, they listen to their voice messages located on a server at headquarters. For branch users to experience LAN-like performance for these applications that their headquarters colleagues enjoy, these applications must be optimized to run over wide area links.

Copyright 2006, Juniper Networks, Inc

Enabling IP Telephony with Juniper Enterprise Solutions Juniper Networks has a suite of branch solutions that provide the services and infrastructure needed to support IP telephony in offices from small to large (see Figure 1 and Table 1). For enterprises using or considering Avaya IP telephony equipment in their branch offices and Avaya Communication Manager software at headquarters, Juniper Networks J4350 and J6350 routers support an integrated Avaya Media Gateway. Consolidating routing, security services, and IP telephony in a single device provides a simple yet highly reliable solution for branch users. The Avaya IG550 Media Gateway supports a variety of traditional telephony interfaces and works with the Avaya Communications Manager to extend IP telephony applications transparently to the branch from headquarters locations. The IG550 Media Gateway protects business critical communications with a range of survivability options that operate under a variety of network conditions. Juniper Networks J-series routers are available with multiple interfaces, supporting simultaneous connections to the Internet, headquarters, and the branch office LAN. The J-series routers are the right choice for branch offices requiring MPLS features in their customer premise equipment. In terms of security, their integral stateful firewall protects the branch office from external threats originating from the Internet. The J-series routers also support IPSec VPNs, providing a highperformance, encrypted tunnel over the Internet for all communications between the branch and headquarters. Branch offices with higher security and performance requirements can add the Juniper Networks SSG Family, which will protect users against new and emerging Internet threats. The SSG Family not only includes the network security features of the J-series router, it also incorporates a host of Unified Threat Management (UTM) features. SSG UTM features such as IPS (with deep packet inspection), Web Filtering, and Antivirus (including Anti-Spyware, Anti-Spam, Anti-Adware, and Anti-Phishing) are all available as an annual subscription. SSG Family UTM features ensure branch users are always protected from the latest threats, since the gateways are automatically updated without IT staff intervention. Branch offices that do not require MPLS support or a media gateway receive excellent protection, routing, and performance by simply deploying an SSG. For enterprises using Avaya IP telephony applications and phones, the SSG Family supports a H.323 and SIP application layer gateway (ALG), which opens and closes pinholes in the firewall to let valid, approved IP phone calls through. Enterprises can ensure high-quality voice communications and fast and consistent response times for real-time applications by leveraging the Juniper WAN application acceleration (WX/ WXC) platforms. By overcoming the technical limitations of WANs, the WX/WXC platforms address the four key performance issues that impact real-time applications bandwidth, latency, jitter, and packet loss. The WX/WXC platforms are typically deployed between branch offices and headquarters or the data center and accelerate applications over the WAN. This dramatically improves response times of all IP-based applications such as email, file services, FTP, Oracle, and SAP; all while freeing up WAN bandwidth and giving voice and other real-time applications the quality of service they require. As a result, IT can successfully roll out VoIP applications to branch offices across the existing IP data network, without increasing WAN capacity.

Copyright 2006, Juniper Networks, Inc

Enabling IP Telephony with Juniper Enterprise Solutions

Teleworker
Increasingly people are working from home either for some or all of their workweek. According to a recent ComputerWorld survey, 89% of the top 100 US companies offer telecommuting to their employees. These employees need the same network availability as users in corporate locations. They are typically connected to a corporate location over the Internet using a wired solution, perhaps via cable or DSL. For VoIP solutions, they may be using an IP phone connected to their home gateway, or a softphone application on their computer. In terms of security, teleworkers need a solution beyond a firewall. They need a solution that works in the background, protecting against the latest Internet security threats automatically. On the other hand, managers need to know that their workers are complying with business policies for acceptable use of the Internet while working from home. Juniper Networks solutions for teleworkers include the SSG 5/SSG 20 and the SSL VPN Appliance line installed at headquarters (see Figure 1 and Table 1). Juniper Networks SSG 5 and SSG 20 are security solutions specially designed for small offices and teleworkers. These solutions are designed to be deployed quickly and easily by non-technical users. The SSG 5 and SSG 20 optionally integrate an ADSL modem or wireless modem, delivering a complete telecommuter solution supporting high-performance VoIP and data communications at outstanding value. The SSG 5 and SSG 20 integrate the same robust firewall, IPSec/VPN, and UTM security features available at the headquarters and branch office locations. Juniper Networks UTM features not only protect teleworkers from attacks; they also enforce acceptable use of the Internet for workers using company equipment and networks at home. The SSG 5 and SSG 20 also include a broad array of specific security features for wireless. The SSG Family supports a voice-aware Application Layer Gateway that adds an additional layer of security to VoIP calls. While many organizations will choose to run a high-performance IPSec VPN between full-time teleworkers and their corporate location, there may be instances, such as for distributed call center workers, where they choose to run SSL VPN instead. This solution, while available to teleworkers, is discussed in the mobile worker section.

Mobile Worker
A geographically dispersed workforce and the productivity gains resulting from mobile applications are compelling organizations to support remote, mobile employees. There are several types of workers requiring mobile access to an organizations network resources. Sales people may want access to information while at a customer site or in a hotel room. Office workers may occasionally want to access information while at home in the evening. Home care workers and field service agents, on the other hand, spend their days going from one client location to another. A Juniper Networks Secure Access SSL VPN appliance, deployed at a headquarters location, grants secure, reliable access for valid remote or mobile workers. Regardless of their location, validated users can access the specific corporate applications the organizational policy says they are entitled to, including IP telephony applications, using only a standard web browser. Workers traveling with their laptop, their installed softphone application and a headset can make and receive calls over a Juniper Networks SSL VPN encrypted tunnel, whether they are connected to a hotels network or a customers network, either wired or wireless. Field workers, with their dual mode cell phones (WiFi and GSM), can similarly access applications and make calls using their VoIP corporate application when on campus. Third-party solutions, such as Avaya IP Softphone and IP Agent applications, are fully certified and tested with Juniper Networks SSL VPNs.

Copyright 2006, Juniper Networks, Inc

Enabling IP Telephony with Juniper Enterprise Solutions

Data Center
No discussion of IP telephony solutions in the enterprise is complete without considering the data center, where application servers typically reside. Data centers may be located in headquarters, but often are located outside of headquarters for disaster recovery purposes. Common IP telephony applications housed in the data center include IP PBX, contact centers, and conferencing and collaboration software. Users expect higher availability from voice services, so the data center networking, performance and security must be optimized. Juniper Networks high-performance infrastructure and services solutions address data center requirements for security, application acceleration and load balancing, and connectivity (see Figure 2). Juniper Networks solutions for the data center are listed in Table 1. Juniper Networks data center application acceleration (DX) and load balancing platforms are integral to contact center applications, since they cut web page download times in half. The Juniper WAN application acceleration (WX/WXC) platforms reduce the impact of latency, increase WAN capacity, provide visibility into WAN and application performance, and prioritize VoIP traffic over other applications traffic, to improve application response times for both voice and data traffic. M-Series routers improve bandwidth utilization and minimize latency, jitter, and packet loss, ensuring optimal voice quality. They also contribute to network reliability by diverting traffic to alternate paths if a link fails. Juniper Networks ISG products protect the data center from attack, and secure communications with high-performance, encrypted VPNs.

M Se ries

Internet
s

M Se rie

High Performance Routing

ISG/ ID ISG/ P ID

Private WAN

Integrated IPS/FW/VPN

SSL VPN SL S VPN

Secure Access (SSL)

WX/ W WX/ XC WXC

WAN Optimization

AFE Application Acceleration

DX DX

Web Servers
Apps SIP Vide

App Servers

Databases

Figure 2: Juniper Networks Data Center Solution

Copyright 2006, Juniper Networks, Inc

Enabling IP Telephony with Juniper Enterprise Solutions

Juniper Networks Enterprise Solutions Portfolio

Juniper Networks offers a full set of best-in-class solutions including routing, security, and application acceleration platforms that secures and assures application delivery for enterprises considering or already deploying IP telephony. Depending on their needs, organizations can choose Juniper Networks solutions that maximize application performance and/or minimize business risks due to downtime or security breaches.

Firewall/IP Sec VPN

The Juniper Networks Firewall/ IPSec VPN appliances, including the SSG Family, NetScreen security systems, and Integrated Security Gateways (ISG), provide not only provide layers of security but also contribute to the performance and availability of IP telephony applications. In some network environments, enterprises need the flexibility to run IP telephony applications over VPNs. Juniper Networks NetScreen Security systems support high-performance IPSec, enabling VoIP applications to be encrypted over insecure transport environments with no discernable reduction in voice quality. In addition, enterprise network managers can use NetScreen to segment or isolate VoIP traffic on their network any way they want. Every standalone or integrated Juniper Networks Firewall/ IPSec VPN appliance incorporates an application-layer gateway (ALG) that further improves the security of enterprise IP telephony communications that cross a firewall. Juniper Networks ALG supports secures voice communications through a firewall by performing deep packet inspection of H.323, SIP, SCCP and MGCP traffic. Based on the results of this inspection, the ALG dynamically opens and closes pinholes in the firewall to let valid, approved IP phone calls through. This method maintains the highest level of security, in contrast to leaving a range of ports open. Voice-aware, deep packet inspection also protects the organization against DoS attacks targeted at IP telephony equipment from known and unknown SIP and other protocol anomalies by only dropping/ blocking spurious packets. Juniper Networks ALGs can also be configured to allow calls that traverse Network Address Translation (NAT) boundaries, maintaining security across zones that are not trusted. SIP is a text-based protocol, which makes it vulnerable to monitoring and spoofing. Hackers may listen in to attempt to find a new destination for spam over IP telephony calls (SPIT), or to gain unauthorized access to voice mail or directory systems. Juniper Networks NetScreen and the SSG Family secure enterprise SIP signaling by authenticating SIP requests, ensuring authenticated requests are authorized to perform the function requested. Finally, Juniper Networks Firewall/ IPSec VPN appliances contribute to the high availability of an enterprise network. High availability hardware and software ensure sub-second recovery in the event of a failure. Juniper Networks IPSec/VPN products also include VPN state failover, which prevents dropped IP phone calls if a VPN connection fails.

Intrusion Detection and Prevention (IDP)

Juniper Networks IDP offers state-of-the-art, comprehensive protection against threats at both the application and network layer. Juniper Networks IDP provides day zero protection against worms, Trojans, spyware, keyloggers, and other malware that could degrade or derail IP telephony applications. Using protocol anomaly detection, attack signature recognition, and regular expression pattern matching. Juniper Networks IDP can identify and stop network and application-level attacks before they inflict any damage, minimizing the time and costs associated with intrusions.

10

Copyright 2006, Juniper Networks, Inc

Enabling IP Telephony with Juniper Enterprise Solutions Juniper Networks IDP can also identify and prevent attacks specifically targeting or resulting from IP telephony applications. Since Juniper Networks IDP products understand over 60 application-level protocols, including SIP and H.323, they can detect and prevent threats ranging from a DoS attack on a PBX being bombarded with call setup packets, to worms/viruses/trojans attempting to infiltrate IP phones or servers, to toll fraud or unauthorized access to voicemail system. Juniper Networks IDP not only helps protect networks against attacks, it also provides information on rogue servers and applications that may have been unknowingly added to the network (for example, voice-enabled chat or other peer-to-peer voice applications). Juniper Networks IDP provides administrators with visibility into specific applications that are present and/or being used on the network and how, when, and by whom they are being used. A centralized, rule-based management approach offers granular control over the systems behavior with easy access to extensive auditing and logging, and fully customizable reporting.

SSL VPN Secure Access

Juniper Networks leads the SSL VPN market with a complete range of remote access appliances that meet the needs of organizations of all sizes. Organizations can provide access for valid users, such as remote and mobile employees, partners, and customers, from a single platform. Juniper Networks SSL VPN Secure Access Appliances use SSL, the security protocol found in all standard Web browsers. The use of SSL eliminates the need for any client software on the remote device, reducing both cost and complexity. With support for a wide range of mobile phones and PDA devices, Juniper Networks Secure Access SSL VPN can provide access to resources and applications to customers, partners, and employees worldwide. Juniper Networks SSL VPN Secure Access Security Appliances work with other solutions to validate remote endpoints and users, keeping intruders out and contributing to the availability of services on the network. Juniper Networks has certified its SSL VPN implementation to work with third-party VoIP softphone applications, such as the Avaya IP Softphone and IP Agent, providing a secure, encrypted channel for voice communications regardless of location.

Application Acceleration
With the increase in web-based applications, the data center in many enterprises is becoming cluttered with many servers, load balancers, and devices that perform specific functions like SSL termination, data compression, authentication, authorization, and accounting (AAA), and HTTP proxy and caching. As the data center scales, these become complex and costly to both deploy and manage. Juniper Networks data center application acceleration (DX) and load balancing platforms integrate all these web front-end functions into a single, highly available and secure platform. In addition, the DX platforms offload responsibilities from application servers, improving the performance of web-based applications and thereby increasing worker productivity. In the case of voice applications, DX platforms accelerate the web-based components of voice applications, such as contact centers or collaboration tools. Another critical area ripe for optimization in the enterprise is WAN links between locations. As enterprises have expanded their business processes to include real-time applications such as voice, their WAN links are getting congested. Increasing WAN capacity alone doesnt address the performance issues caused by latency, jitter and packet loss. Whats needed is a solution that not only frees up WAN bandwidth but also gives voice and other real-time applications the quality of service they require.

Copyright 2006, Juniper Networks, Inc

11

Enabling IP Telephony with Juniper Enterprise Solutions Juniper Networks WAN application acceleration (WX/WXC) platforms accelerate response times for all IP-based applications running over the WAN, including voice and other real-time applications. Built on the unique WX Framework, the WX/WXC platforms integrate powerful compression and caching, acceleration, bandwidth management and QoS, path optimization, and visibility capabilities. This set of interdependent technologies allows the WX/WXC platforms to overcome the technical limitations of WANs and address the four key performance issues that impact real-time applications: bandwidth, latency, jitter, and packet loss. The WX/WXC platforms create a more controlled environment for IP telephony applications by improving the performance of non-voice applications across the WAN through TCP acceleration and application-specific acceleration technologies. The WX/WXC platforms also make room for voice traffic by increasing available WAN capacity through memory-based compression and diskbased caching. In addition, the WX/WX C platform can compress VoIP headers by as much as thirty percent. By making sure that voice traffic gets higher priority than other data applications using quality of service (QoS) and bandwidth management technologies, the WX/WXC platforms ensure delivery of real-time applications. In locations served by two WAN links, IT staff can use the Policy-based Multipath feature to automatically divert traffic based on performance thresholds, so that lowerpriority traffic is directed over the slower and less expensive links. Lastly, by providing visibility into performance of voice and other real-time applications, the WX/WXC platforms allow IT to quickly identify, troubleshoot, and resolve problems. Working in concert, these capabilities supported by the WX/WXC platforms allow IT can successfully roll out VoIP applications across the existing IP data network, without increasing WAN capacity. The Juniper Networks WX/WXC platforms have been tested and optimized to support Avaya IP telephony applications.

Enterprise Routing
All Juniper Networks routers run the industrys most highly regarded routing operating system. JUNOS is highly modular, available system that offers outstanding performance while simultaneously running services such as Firewall, NAT, and VPN. JUNOS allows full control of the router even when under DoS attacks. Further, Juniper Networks M-series and J-series routers uniquely combine best-in-class IP/MPLS capabilities with unmatched reliability, stability, and security over a wide variety of interfaces. The M-series is ideal for headquarters, campus locations, and data centers, while the J-series is designed for branch and regional offices. The Juniper Networks M-series and J-series routers contribute to excellent quality voice transport both inside and outside the enterprise, while simultaneously delivering consistently high performance. The comprehensive MPLS feature set in these routers, including traffic engineering, auto-bandwidth, and fast reroute, helps ensure the availability critical for IP telephony. Comprehensive quality of service (QoS) functionality prioritizes voice over a converged network, minimizing latency and improving voice quality. Hardware encryption and acceleration built into the J-series and M-series platforms combine to provide the low-latency, low-jitter yet secure transport necessary for high quality voice communications. Bi-directional Forwarding (BDF) provides instant failure recovery if an IP link fails. And unlike most network equipment, link services in Juniper Networks routers efficiently handle voice packets over wide area links using compressed RTP and link fragmentation and interleaving. For secure, optimized IP telephony, the Juniper Networks M-series and J-series fully support the stateful Firewall and IPSec VPN capabilities with little performance impact on routing. Each J-series and M-series optionally supports a stateful firewall with attack detection, keeping all communications secure from external threats. 12
Copyright 2006, Juniper Networks, Inc

Enabling IP Telephony with Juniper Enterprise Solutions

Policy, Control and Visibility

With both network security and provisioning becoming time-consuming but important issues, network administrators want controlled yet automated access for all devices connected to the network, including IP phones. Juniper Networks works with third-party vendors to further secure and help provision IP telephony on networks. Many IP hardphones support Link Layer Discovery Protocol (LLDP), an open standard protocol enabling secure plug and play device discovery for third-party IP phones. Further, they support authentication methods in 802.1X, an IEEE standard for port-based access control. Once an IP phone is placed on the network and connected to a switch, it is discovered using the LLDP-MED protocol. Using 802.1X based authentication, Juniper Networks Steel Belted Radius (SBR) server places the phone on an appropriate VLAN. For security purposes, IP phones can be grouped together on VLANs, or certain phones (for example for contractors or guest workers) can be placed on separate VLANs. Sometimes, enterprise offices or cubicles support only one network connection, so most IP phones today include an integrated Ethernet bridge with a port connection for a computer. A computer deployed with Juniper Networks Odyssey Access Client (OAC) also supports 802.1X, allowing automatic, secure discovery and authentication for both computers and phones. Laptops of traveling workers can be authenticated via the IC and placed on an appropriate VLAN. Further, managing a network and its devices can be very complex. Setting and enforcing security policy adds another layer of complexity. Juniper has taken a unified approach to security management by addressing five key criteria in a single, centralized solution: Juniper Networks NetScreen-Security Manager. With NetScreen-Security Manager, organizations can Centrally manage all Juniper Networks firewall/IPSec VPN and Intrusion Prevention security devices Use a single, integrated management interface for granular control of configuration, network settings, and security policies Simplify complex management tasks with templates and other tools Further, the WX CMS application provides powerful visibility and reporting capability to centrally monitor network and application performance with easy to read charts and reports that illustrates performance increases and traffic distribution by application.

Conclusion
To benefit from the cost savings and increased productivity that IP telephony offers, enterprises must support its unique requirements for secure and assured performance, on-demand and in real-time. Further, enterprises must continue to secure their networks from both existing and emerging security threats, from both inside and outside the organization. Juniper Networks leverages an open, standards-based environment to deliver both the network services and infrastructure required for IP telephony. Juniper Networks ensures high quality voice by making more room for voice traffic, recognizing and prioritizing voice traffic in ways designed to benefit users, enterprise locations, and specific VoIP applications. Juniper Networks solutions are recognized for their industry-leading resiliency and performance, enabling enterprises to meet the high expectations of IP telephony users and applications. Juniper Networks solutions also include a complete range of security solutions, protecting the enterprise network in every location and specifically protecting against threats targeting VoIP infrastructure.

Copyright 2006, Juniper Networks, Inc

1

Enabling IP Telephony with Juniper Enterprise Solutions Table 1: Juniper Networks Products for IP Telephony deployments
Location Data Center Product ISG 2000* ISG 1000* Functionality in IP Telephony Deployment High performance, purpose built firewall/VPN platform ensures lowlatency and low jitter packet transport required for voice traffic Dynamic, route-based IPSec VPN with stateful failover to ensure no dropped voice calls Policy-based network segmentation for secure separation of VoIP and other network components Supports H.323, SIP, MGCP, SCCP application layer gateway (ALG), to only let valid, approved IP phone calls through the firewall Optional integrated IDP protect against H.323 and SIP-based attacks via protocol decode and attack prevention Protects network resources including IP PBX and associated servers from DoS attacks, worms, viruses, trojans etc. NetScreen-5400 NetScreen-5200 High performance, purpose built firewall/VPN platform ensures lowlatency and low jitter packet transport required for voice traffic Dynamic, route-based IPSec VPN with stateful failover to ensure no dropped voice calls Policy-based network segmentation for secure separation of VoIP and other network components Supports H.323, SIP, MGCP, SCCP application layer gateway (ALG), to only let let valid, approved IP phone calls through the firewall VoIP specific DoS attack protection to protect the network from being flooded with VoIP calls IC 6000 IC 4000 IDP 1100 IDP 600 802.X enforcement of access control policies based upon user identity, endpoint security state or network information. Protect against H.323 and SIP-based attacks via protocol decode and attack prevention Protects network resources including IP PBX and associated servers from DoS attacks, worms, viruses, trojans etc. M320 M120 M10i Provides superior small-packet QoS performance for VoIP - low latency, low jitter and low packet loss using the highly reliable and modular JUNOS operating system Improves bandwidth utilization and VoIP performance via cRTP packet compression Protects/expedites VoIP traffic to achieve voice-grade QoS through MPLS Detects IP link failures quickly through bi-directional Forwarding Detection (BFD) and MPLS Fast Re-Route (FRR) Link Fragmentation and Interleaving (LFI) support improves QoS on lower-speed links to ensure a high-quality user experience. SA 6000 SSL VPN based clientless secure remote access supports Softphone like applications required for remote IP telephone users Dual-mode transport supports both SSL and IPSec transport for latency-sensitive configurations to ensure smooth operations of voice applications WXC-500 stack Increase existing WAN capacity to support voice calls Ensure voice packet delivery through QoS and bandwidth allocations Reduce latency across WAN for high quality voice communications DX 3680 DX 3600 Improves performance of data components of other telephony applications (messaging, contact center, etc.) by cutting web page download times in half Increases server capacity by 3-4x and reduces server costs by up to 80%

14

Copyright 2006, Juniper Networks, Inc

Enabling IP Telephony with Juniper Enterprise Solutions

Campus

ISG 2000* ISG 1000*

High performance, purpose built firewall/VPN platform ensures lowlatency and low jitter packet transport required for voice traffic Dynamic, route-based IPSec VPN with stateful failover to ensure no dropped voice calls Policy-based network segmentation for secure separation of VoIP and other network components Supports H.323, SIP, MGCP, SCCP application layer gateway (ALG), to only let valid, approved IP phone calls through the firewall Optional integrated IDP protect against H.323 and SIP-based attacks via protocol decode and attack prevention Protects network resources including IP PBX and associated servers from DoS attacks, worms, viruses, trojans etc.

NetScreen-5400 NetScreen-5200

High performance, purpose built firewall/VPN platform ensures lowlatency and low jitter packet transport required for voice traffic Dynamic, route-based IPSec VPN with stateful failover to ensure no dropped voice calls Policy-based network segmentation for secure separation of VoIP and other network components Supports H.323, SIP, MGCP, SCCP application layer gateway (ALG), to only let let valid, approved IP phone calls through the firewall VoIP specific DoS attack protection to protect the network from being flooded with VoIP calls

IC 6000 IC 4000 IDP 1100 IDP 600

802.1X enforcement of access control policies based upon user identity, endpoint security state or network information Protect against H.323 and SIP-based attacks via protocol decode and attack prevention Protects network resources including IP PBX and associated servers from DoS attacks, worms, viruses, trojans etc.

M10i M7i

Provides superior small-packet QoS performance for VoIP - low latency, low jitter and low packet loss using the highly reliable and modular JUNOS operating system Improves bandwidth utilization and VoIP performance via cRTP packet compression Protects/expedites VoIP traffic to achieve voice-grade QoS through MPLS Detects IP link failures quickly through bi-directional Forwarding Detection (BFD) and MPLS Fast Re-Route (FRR) Link Fragmentation and Interleaving (LFI) support improves QoS on lower-speed links to ensure a high-quality user experience.

SA 6000 SA 4000

SSL VPN based clientless secure remote access supports Softphone like applications required for remote IP telephone users Dual-mode transport supports both SSL and IPSec transport for latency-sensitive configurations to ensure smooth operations of voice applications

WXC-250 stack WXC-100 stack

Increase existing WAN capacity to support voice calls Ensure voice packet delivery through QoS and bandwidth allocations Reduce latency across WAN for high quality voice communications Improves performance of data components of other telephony applications (messaging, contact center, etc.) by cutting web page download times in half Increases server capacity by 3-4x and reduces server costs by up to 80%

DX 3280 DX 3200

Copyright 2006, Juniper Networks, Inc

15

Enabling IP Telephony with Juniper Enterprise Solutions

Branch Office

SSG 550 SSG 520 SSG 140 SSG 20*** SSG 5***

High performance, purpose built firewall/VPN platform ensures lowlatency and low jitter packet transport required for voice traffic Dynamic, route-based IPSec VPN with stateful failover to ensure no dropped voice calls Policy-based network segmentation for secure separation of VoIP and other network components Supports H.323, SIP, MGCP, SCCP application layer gateway (ALG), to only let let valid, approved IP phone calls through the firewall Provides a full set of UTM security features that includes Anti-spam, Antivirus, IPS and Web Filtering VoIP specific DoS attack protection to protect the network from being flooded with VoIP calls

J6350 J4350 J2300

Provides superior small-packet QoS performance for VoIP - low latency, low jitter and low packet loss using the highly reliable and modular JUNOS operating system Improves bandwidth utilization and VoIP performance via cRTP packet compression Protects/expedites VoIP traffic to achieve voice-grade QoS through MPLS Detects IP link failures quickly through bi-directional Forwarding Detection (BFD) and MPLS Fast Re-Route (FRR) Link Fragmentation and Interleaving (LFI) support improves QoS on lower-speed links to ensure a high-quality user experience.In addition, J4350 and J6350 supports Avaya IG550 gateway and interface modules

IDP 200 IDP 50

Protect against H.323 and SIP-based attacks via protocol decode and attack prevention Protects network resources including IP PBX and associated servers from DoS attacks, worms, viruses, trojans etc.

SA 2000 SA 700

SSL VPN based clientless secure remote access supports Softphone like applications required for remote IP telephone users Dual-mode transport supports both SSL and IPSec transport for latency-sensitive configurations to ensure smooth operations of voice applications

WX 55 WX 50 WX 20 WX 15 Home Office/ Tele-worker SSG 20** SSG 5**

Increase existing WAN capacity to support voice calls Ensure voice packet delivery through QoS and bandwidth allocations Reduce latency across WAN for high quality voice communications High performance, purpose built firewall/VPN platform ensures lowlatency and low jitter packet transport required for voice traffic Dynamic, route-based IPSec VPN with stateful failover to ensure no dropped voice calls Policy-based network segmentation for secure separation of VoIP and other network components Supports H.323, SIP, MGCP, SCCP application layer gateway (ALG), to only let let valid, approved IP phone calls through the firewall Provides a full set of UTM security features that includes Anti-spam, Antivirus, IPS and Web Filtering VoIP specific DoS attack protection to protect the network from being flooded with VoIP calls

Business Partner Office/ Extended Enterprise Mobile Office (Road Warrior)

Standard web browser based Standard web browser based

Support for Softphone application provided through clientless secure remote access through SSL VPN functionality provided through the appliance at the Data center or on Campus Support for Softphone application that runs on PDA, GSM/WiFi cell phones etc. provided through clientless secure remote access through SSL VPN functionality provided through the appliance at the Data center or on Campus

* - Optional Integrated IDP functionality available ** - Optional Wirelesss support available

Copyright 2006, Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

16

Copyright 2006, Juniper Networks, Inc