Let me start by stating what is almost obvious today: VoIP is not immune to cyber attacks. Once we produced the convergence of voice and data, security issues arise. That is why the use of Session Border Controllers (SBCs) have become such a great security tool for VoIP. We are all familiar with the concept of a Firewall, since it has been with us since about the 80’s. Basically, a Firewall is a barrier that we place at the entrance of our network to control access from outside. We define a policy for the Firewall and only those “visitors” that comply with that policy are allowed to “enter”. Firewalls were the result of the popularization of the Client-Server Model in networking, where the server became vulnerable to attacks. Session Border Controllers (SBC) might be the equivalent to Firewall within Voice over IP (VoIP). One of our equipment providers uses the following teaser which I think captures the essence of the SBC functionality: “You wouldn’t put your Data Network on the Internet without a Firewall – why would you expose your Voice Network without a Session Border Controller?”. The best way to visualize the SBC is as a gatekeeper that sits at the main entrance or access to your community (network). The term Session is borrowed from traditional telephony and it means, simply, a call. The Internet SIP is inspired on the end-to-end communication between two parties. The SBC breaks this behavior since it is in the “middle” of the parties and, as such, has been the center of much debate, since its detractors consider it the return to the old telephony paradigm of managing communications. SBCs were introduced more than 12 years ago as a way to overcome certain limitations of SIP (Session Initiation Protocol) as a protocol for initiating interactive sessions between users where many elements are processed (video, voice, chat, gaming, and similar), based on requests and responses, the first from clients and the second by servers. Without delving into the technical details, which is not the objective of this article, I wish to pinpoint the deficiencies that SBCs addressed: first, standard protocols that impose a limitation on diversity; second, the failure of SIP on acknowledging NAT (Network Address Translation) traversal as a result of the then commonly held belief that the IP addresses would be quickly exhausted therefore wiping out the need for NATs, something that didn’t happen. As a side note, a NAT is simply the remapping of one IP address onto another. These two reasons, together with some fuzzy definitions for items that are indispensable in the day-to-day telecommunications operation, made the case for the SBCs clear. They also acquired other functionalities, like security, routings, and more recently media processing functions.
Whenever you add end-to-end VoIP or SIP trunking, you are confronted with the Firewall issue: you will have to open a port in your Firewall for the voice traffic to go through. This creates a vulnerability that only an SBC can fix. So, once the SBC is in place, it is actually helping your Firewall do its job. I should mention here the three most important emerging fraud schemes, namely, PBX Hacking, Subscription Fraud, and VoIP Hacking, all of which dissappear with an SBC.
So today, we owe much of the VoIP security to SBCs, since, as I wrote before, they are the “in between” agent of the end points; for this reason, they are commonly considered B2BUA which means Back-to-Back User Agent. And where is the most logical place to collect billing info? Right at the SBC, so they have administrative functionalities, like billing, and some call management, like automatic call disconnection, and others. SBCs play a fundamental role in that they hide vital info of the network, normally listed as “topology hiding”. On the security issue alone, SBCs protect networks from DoS, DDoS, Toll Fraud, QoS, QoE, and many more.
We have been installing SBCs and SBC related topologies for many years. I invite you to visit our website at TelOnline where we have a comparative matrix of all the functionalities of the combination hardware-software that is our SBC, as well as only the software, which is always good to look at. Here’s the link: http://www.telonline.com/en/telonline-technology/session-border-controllers .
The bottom line is that VoIP security, today, is mostly equipment based, both hardware and software and Good Practices acting in concert to produce an almost human-independent protection ring about your network. We have implemented many a solution based on SBCs and once up-and-running, they do the heavy-lifting of VoIP protection. Back to our equipment provider, they have a maxim, that I totally share: Wherever you have a Firewall, add an SBC!
0 comentarios:
Publicar un comentario