SBCs – Maintaining Your Network’s VoIP Security
Session Border Controllers (SBCs) can greatly enhance VoIP security, all but eliminating toll fraud while also maintaining voice connectivity.
Trefor.net welcomes VoIP Week contributor Simon Horton, the Director of Sales, EU for Sangoma.
The term SBC (short for Session Border Controller) is liberally used in the VoIP industry today, but from my travels around the telecom channel it’s clear that there is significant misunderstanding and distrust on the role played by SBCs and when they are required.
The uptake of Enterprise Session Border Controllers or E-SBCs is being driven by the rise of SIP trunking in the UK. The number of ISDN channels (the traditional way of connecting enterprise to the telephone network, using dedicated copper wire) is shrinking at about the same rate as SIP trunking is growing, so assuming that the market size is static my conclusion is that all of the folks leaving ISDN are going to SIP trunking. In addition to the cost benefit, flexibility, and disaster recovery capabilities of SIP trunking, the proliferation of good quality and value connectivity (e.g., leased lines, EFM) is enabling the market growth.
Why SIP is more inherently risky
In the days of legacy TDM connections (Time Division Multiplexing, or the copper wire) phone calls took place on approved equipment connected to private networks run by the telco. Nothing else was connected or could be connected. Contrast this situation with SIP, where the connection could be across a public network or a network shared with data derived from multiple devices. In addition, calls can be placed and terminated across a wide range of devices such as IP-phones, smart phones, desktops, etc.
Before examining how SBCs can help a typical enterprise it’s worth explaining that SIP consists of two main parts. First, there is the SIP protocol that sets up the call and conveys information about that call. Second, there is the media that carries the voice in RTP packets. Both of these streams need to be considered in order to maintain security.
Attacking the SIP protocol could allow a hacker to gain access to passwords and allow an unwanted intruder to spoof calls and allow toll fraud, a hot topic in our industry today. There are other ways that SIP can be disrupted as well. Denial of Service (DoS) attacks can cause packet overload situations where the legitimate SIP messages cannot be processed and hence calls will not progress.
Media can often be tapped into and heard using tools that are readily available on the internet. The media ports can also be subjected to DoS attacks that can disrupt the audio.
The role of the SBC
The E-SBC sits at the edge of the enterprise network and manages all the voice connections made with SIP. SBCs are very feature rich and there is a lot of information out there discussing the many roles and functions that these flexible devices can perform. The SBC will be able to deal with disruptive DoS attacks by dropping packets at the network level before they become a problem. Encryption is also possible so that media and the call setup messages cannot be tracked. In addition, toll fraud is made much harder with the addition of policy control that allows only certain patterns of traffic to proceed as well as only allowing known users and IP addresses to make and receive calls.
Why not a firewall?
Traditional firewalls are great for protecting data networks, but typically they provide inadequate protection for SIP. Firewalls cannot prevent some of the threats identified here as they are not constructed with an intimate knowledge of SIP. Remember those two parts of SIP we discussed earlier? Well, the average firewall cannot tie the two of those together; this is a key component of the SBC so that only the necessary connections are allowed through the edge of the network. A typical firewall also cannot delve deep within the SIP message, ensure its legitimacy, and if necessary drop it quickly before it gets to the IP-PBX and cause damage.
The recommended best practice is to install an SBC wherever there is a change in SIP network or wherever the WAN connections join the SIP network. A correctly configured SBC can provide piece of mind in that the possibility for toll fraud is eliminated and that voice connectivity will be maintained regardless of whatever else may be happening.