Solution Service

NX-C6000 / NX-C6500 Network Forensic & IDS

NX-C6000/NX-C6500 is the "network forensic and IDS" system targeted for VoIP/IMS core network. Operators can reduce time and effort to analyze security threats as well as detect silent network failure. NX-C6000/NX-C6500 is the ultimate suite for VoIP service operations and maintenance.


Visualization and Detection
 ・Reveal anomaly messages and conditions in real-time.
 ・Explore call sequence of SIP/H.323(※)/Diameter messages captured via mirror port or TAP device.
  Search menu (SIP header values etc.) can be modified.
 ・List out top-caller/callee per src/dst IP address, originator/terminator, etc. with specified filters.
 ・Monitor traffic by graph (select message type, SIP method, request/response, IP address, VLAN IDs etc.).
 ・Release SNMP alarms by increase/decrease of traffic (400% increase traffic compared to average of the last 5 weeks etc.).
 ・Trigger Immediate SNMP alarms on SIP anomaly messages (inspected by RFC compliant BNF syntax + "user defined"
  signature matching).
 (※)Optional license required for H.323 and Diameter support.
Efficient Monitoring of IMS/VoIP Network
 ・Early detection of network failure.
 ・Record specific calls (support lawful interception).
High Performance
 ・Forensic and IDS functions.
  - Capture up to 15,000 SIP msg./sec (approx. 1,300M msg. /day).
  - Peak performance of 33,600 msg./sec when real-time processing is delayed.
  - Behavior Definition over peak performance can be customized on visual GUI.
  - No limitation to the maximum number of storable messages.
  - All dependent on disk storage (able to store to multiple partitions).
 ・IDS function only.
  - 90,000 msg./sec
Operation Improvement
 ・Alarm is set when there is a change in flow rate of various messages and receives abnormal SIP messages.
 ・Implemented a command execution function to indicate time of anomaly detection and failure resolution.
 ・Unlike the customary process receiving a report from the customer, service desk is able to interact and support immediately.
Efficient Verification
 ・Automated specification check for UNI compatibility and terminals.
 ・Automated abnormal message extraction by PCAP file import.
 ・System version control.
 ・Behavioral confirmation to differentiate system version.

Network Connectivity

NX-C6000 is applicable to most VoIP networks. Using the mirror port or TAP device ensures "no impact" to the VoIP service.


NX-C6000 consists of the following components to support expansibility for customer's requirements. Optional service is available to transfer information (from CERT etc.) on the current VoIP related security threats and additional signature rules, in order to recognize illegal SIP messages that pinpoint vulnerabilities of the SIP servers.

IDS Function for VoIP/IMS Network Security Threats
 ・Detect real-time anomaly messages and conditions.
 ・Import signature files to find security threats on VoIP/IMS network.
 ・Create custom signatures on NX-C6000 GUI.
Message Capture
 ・Retrieve SIP/H.323/Diameter/SIP-T messages for database storage.
 ・Collaborate with Nextgen SBC NX-B5000 to analyze encrypted communication on TCP/TLS network environment.
 ・Optimize real-time and DB entry process timing by congestion control algorithm.
Message Search
 ・Examine the accumulated message with details such as IP address, method, and header parameters.
 ・Full-text search function for SIP message with specific character string.
 ・Save search history for long-term investigation.
Statistics & Graph
 ・Graph display function from statistical data.
 ・Specified graph for users and terminal types can be originated on demand.
Message Counter and Compare
 ・Count SIP messages by types (method/request/response), header parameter, phone number, and users.
 ・Detect the changes in message flow-rate by absolute value and relative comparison with the past data.
SIP Message Real-time Analysis
 ・Check real time as IP messages are captured, then detect problematic SIP messages.
 ・Signature based check as well as BNF.
Alarm Notification
 ・Trigger SNMP alarm based on message count and analysis result.
 ・Filtering controls continual transmission of the same alarm.
 ・Alarm information can be downloaded (CSV) with color coordination.
Top-List Viewer
 ・Count and rank the telephone number, IP address, specific header in time unit.
 ・Monitor the target within the most incoming/outgoing calls and release the alarm when the target is ranked.
 ・Protect the system from DoS attacks and problematic SIP messages to entities (SIP server, L2SW, etc.)
  according to the message count and the analysis.
 ・Execute external commands (e.g. executing shell or controlling L2SW ACLs, commands to SIP server)
  to prevent servers from DoS or illegal SIP message attacks.
Voice Quality Monitor
 ・Check RTP jitter and packet loss to evaluate voice quality by R and MOS values.
 ・Search R value and output statistical information.
 ・Summary of statistics, top list, alarm information can be set up weekly and monthly basis in html format.
 ・Output report on the screen, also available in html format.

Distributed Architecture (NX-C6500)

NX-C6500 is the expanded model of NX-C6000, which separates the capture and the management functions. By deploying probes(NX-C6500p) at different sites, each probe can be managed by central controller (NX-C6000c). Foundation will correspond to large-scale network such as the VoLTE network of mobile carriers.

 ・Early discovery of nodes' abnormality in the large-scale network.
 ・Optimize surveillance duties by auditing all VoIP networks.


Web Interface Image

Message Search Screen
 ・SIP message shall be searched by header information AND/OR.
 ・Targeted SIP header can be selected in the beginning of implementation.
Call Flow Diagram Screen
View call flow diagram and message details. Messages are selected for the "call" using standard Call-ID header or combining with Calling/Called party number and Call Identifier for SIP/H.323 interconnection.
Statistical graph screen
 ・Create and monitor captured data and personalize graphs for various purposes. Wide selection to match
  customer's operation style and status.
 ・By visually understanding the flow and capacity, issues can be recognized at earlier stage.