Switching over to VoIP raised a new set of security concerns across enterprises, because VoIP transmits call traffic as packets over open internet paths. Existing firewalls prove inadequate against these unique risks, and it becomes an easy task for hackers to tunnel in and play havoc.

This is where the session border controller steps in: it sits at the edge of the network, keeps the internal network isolated and adds a layer of security to packets traveling over open networks. The need for better security increases as unified communication takes over, spreading across email, fax, voice, instant messaging, video and data.

All this data travels in the form of packets from the internally secure network to the inherently insecure external internet, introducing vulnerabilities in the process. An SBC is paramount for security and for functionality too. So what exactly is an SBC and how does it protect VoIP networks?

What is a session border controller?

Traditional firewalls are inadequate both for security and for handling real time communication sessions. Firewalls typically provide inspection and filtering at layers 2 to 4 of the OSI model, with basic VoIP support limited to opening UDP or TCP ports for H.323 or SIP signaling and UDP ports for RTP media. In short, the firewall simply passes the signaling through, which matters because malware can ride through on those packets. Firewalls can carry out network address translation by changing the layer 3 IP address and the layer 4 port number, but they leave the addresses carried inside the SIP signaling untouched, so signaling packets are misdirected.

Firewalls with SIP ALG functionality may translate IP addresses but cannot carry out dynamic port management or topology hiding, which the SBC does to perfection, providing an impenetrable wall guarding the internal network against the external one. Firewalls may act as a SIP proxy server but do not engage with the RTP media path, which again leads to vulnerability and communication gaps. SBC solutions work as back-to-back user agents (B2BUAs) handling both the signaling and the media path. The session border controller mediates SIP sessions between the calling and the called party and manipulates RTP media while inspecting it, which leads to better security in call admission, protocol normalization and transcoding. It can add, inspect or modify SIP messages. SBCs further contribute to security by latching media to the session being signaled, so that only media from the authorized endpoint passes through. On session termination the SBC closes the media ports.

In a few words, the SBC is a refined firewall specifically for VoIP signaling. Firewalls typically handle larger data packets whereas VoIP signals are small packets, a fact that hackers take advantage of to launch DoS attacks. Firewalls cannot distinguish such suspect traffic from legitimate traffic and may stop all of it, whereas SBCs can identify threats and block them while permitting authorized signals to flow. You could say the SBC is a smart watchdog and facilitator rolled into one.

The SBC solution detects and prevents intrusions

Simple intrusion detection systems (IDS) and intrusion prevention systems (IPS) may be attached to a mirrored switch port or configured to generate alarms. The prevention system may take corrective action on detecting unauthorized activity, but these introduce performance impairments and latency, and they block legitimate traffic on false positive matches. Encrypted signaling simply bypasses IDS and IPS, something that hackers leverage. The session border controller works in conjunction with them and goes beyond them in handling unified communication packets, using anomaly based threat detection, which is better than signature based threat detection.

There is no delay or loss of packets, and the result is clear audio quality. AI endowed SBCs these days are smarter at analyzing patterns and detecting unfamiliar behavior that may be typical of newer forms of attack. The SBC handles a lot of work: inspection of layers 2 to 4, matching against the access control list, defragmenting, decrypting and re-encrypting packets, and checking rate limits before allowing signaling to proceed. It also allocates bandwidth to the various queues, distinguishing between trusted and untrusted traffic.

It establishes a trusted point-to-point connection, opens ports and allows the flow while hiding the internal topology. Strong DoS and DDoS protection comes from identifying IP packets from untrusted sources and from unsupported or disabled protocols. The SBC also recognizes malformed or non-conforming packets, volume based call requests and overloads in call requests. The built-in intelligent traffic manager has one channel for the trusted and another for the untrusted signaling path, and it handles packets in queues.
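The trusted and untrusted lanes, per-source rate limiting and malformed-packet rejection described above, as an added illustration (not code from the original page or from any SBC vendor). The lane policy, the trusted source list and the traffic sample are constructed assumptions:

```python
import re
from collections import defaultdict

# Assumed policy (constructed values): known peers such as the carrier trunk
# sit in the trusted lane with a generous per-source rate; everything else is
# untrusted and held to a strict rate. Tuple is (refill per second, burst).
TRUSTED_SOURCES = {"198.51.100.7"}
LANES = {"trusted": (50.0, 100), "untrusted": (1.0, 5)}
REQUEST_LINE = re.compile(r"^(?:INVITE|REGISTER|OPTIONS|BYE|ACK|CANCEL) sip:\S+ SIP/2\.0$")

class SipAdmissionControl:
    """Token bucket per source address, with the bucket size chosen by lane."""

    def __init__(self):
        self.buckets = {}  # src -> (tokens, last_seen)

    def lane(self, src):
        return "trusted" if src in TRUSTED_SOURCES else "untrusted"

    def admit(self, src, request_line, now):
        # Malformed or unsupported request lines are dropped before they cost
        # anything, which is what keeps junk from starving real call setup.
        if not REQUEST_LINE.match(request_line):
            return "drop:malformed"
        rate, burst = LANES[self.lane(src)]
        tokens, last = self.buckets.get(src, (float(burst), now))
        tokens = min(float(burst), tokens + (now - last) * rate)
        if tokens < 1.0:
            self.buckets[src] = (tokens, now)
            return "drop:rate"
        self.buckets[src] = (tokens - 1.0, now)
        return "admit"

def run(events):
    """events: (time, src, request_line) tuples; returns outcome counts per source."""
    ctl = SipAdmissionControl()
    counts = defaultdict(lambda: defaultdict(int))
    for t, src, line in sorted(events):
        counts[src][ctl.admit(src, line, t)] += 1
    return {s: dict(c) for s, c in counts.items()}

# Constructed traffic: 30 INVITEs within one second from an unknown host and
# 30 from the trusted trunk, plus one garbage datagram from the unknown host.
FLOOD = [(i / 30, "192.0.2.99", "INVITE sip:1000@pbx.example SIP/2.0") for i in range(30)]
TRUNK = [(i / 30, "198.51.100.7", "INVITE sip:1001@pbx.example SIP/2.0") for i in range(30)]
JUNK = [(0.5, "192.0.2.99", "\x00\x00GET / HTTP/1.1")]
```

Running `run(FLOOD + TRUNK + JUNK)` admits all 30 trunk requests, lets only the first 5 through from the unknown host, and counts the garbage datagram separately without charging it to the bucket.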

Authentication and encryption

As seen above, the firewall proves inadequate for real time communication media, which are prone to tampering, man-in-the-middle attacks and eavesdropping. Hackers can gather caller identity, insert spam and collect data. SBCs put a stop to such attempts by introducing the Online Certificate Status Protocol (OCSP) or something similar. Further, the SBC encrypts all packets, making it impossible for hackers to eavesdrop or decrypt the data. Hackers may collect the streaming packets but will be unable to make any use of them.

Hiding topology

One of the most crucial roles the SBC plays is hiding topology. SIP signaling is plain text, and its headers carry sensitive information that can be harvested with ease and used to tunnel into the internal network. The SBC replaces the internal addresses and removes extra headers from SIP messages.
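The two points above, that plain NAT leaves the addresses inside SIP untouched and that the SBC replaces them and strips extra headers, as an added illustration (not code from the original page or from any SBC product). The sample INVITE, the private and public addresses and the list of headers to strip are constructed assumptions:

```python
import re

# Constructed sample INVITE as an internal phone behind NAT would send it.
# The private address 10.0.0.25 appears in Via, Contact, Call-ID and the SDP.
INTERNAL_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.25:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.25\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@10.0.0.25:5060>\r\n"
    "User-Agent: AcmePhone/3.1 (PBX build 42)\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\no=alice 2890844526 2890844526 IN IP4 10.0.0.25\r\n"
    "c=IN IP4 10.0.0.25\r\nm=audio 49170 RTP/AVP 0\r\n"
)

PRIVATE_IP = re.compile(
    r"\b(?:10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|172\.(?:1[6-9]|2\d|3[01])\.\d+\.\d+)\b")
ANY_IP_PORT = re.compile(r"\d+\.\d+\.\d+\.\d+(?::\d+)?")
STRIP_HEADERS = {"user-agent", "server", "x-pbx-node"}  # assumed inside-revealing headers

def leaked_private_addresses(msg):
    """Private addresses readable in the SIP message itself. Plain NAT rewrites
    only the IP/UDP headers, so all of these survive and misdirect the far end."""
    return sorted(set(PRIVATE_IP.findall(msg)))

def sbc_rewrite(msg, sbc_ip, sbc_port, media_port):
    """B2BUA-style topology hiding: the outside leg carries only the SBC's own
    signaling and media address, and inside-revealing headers are dropped."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    out = [lines[0]]                        # request line carries no inside address
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        if key in STRIP_HEADERS:
            continue                        # e.g. User-Agent names the PBX build
        if key in ("via", "contact"):
            value = ANY_IP_PORT.sub(f"{sbc_ip}:{sbc_port}", value)
        elif key == "call-id":              # outside leg gets its own dialog id
            value = re.sub(r"@.*$", f"@{sbc_ip}", value)
        out.append(f"{name}:{value}")
    body = re.sub(r"IN IP4 \S+", f"IN IP4 {sbc_ip}", body)                       # o= and c=
    body = re.sub(r"^m=audio \d+", f"m=audio {media_port}", body, flags=re.M)     # SBC anchors RTP
    return "\r\n".join(out) + "\r\n\r\n" + body
```

`leaked_private_addresses(INTERNAL_INVITE)` shows what a far-end peer can read after NAT alone, while `sbc_rewrite(INTERNAL_INVITE, "203.0.113.10", 5060, 20000)` yields a message with no private address and no User-Agent header.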

These are a few of the ways in which the session border controller plays a crucial role in keeping VoIP communication safe and secure and the user's network secured against internal and external threats. It also plays a vital role in media transcoding, but that is another story.