By Pierre Jean Chalon
The author, Pierre Jean Chalon, is vice president and general manager, Asia Pacific, Sonus Networks.
Although there are many reasons why an enterprise might want an SBC, such as SIP trunking, on-net routing, UC enablement, security is the primary reason to own one.
Over the last few years, enterprises have started to shift toward Unified Communications (UC) platforms that bring voice, video and data together, both as a richer user experience and as a more efficient network model using the Internet Protocol (IP) standard. However, these real-time communications present unique considerations in terms of security and delivery that require a more robust solution than those traditionally used for IP-based data communications such as firewalls.
The benefits of moving to a unified, IP-based communications model are well known, but so are the security risks that arise once an enterprise opens its real-time communications to the Internet. According to a study by IDC and the National University of Singapore, cyber security breaches are expected to cost enterprises in Asia Pacific nearly $240 bn in 2014 alone, and this figure continues to grow.
To address these risks, networks require a new kind of security device known as a Session Border Controller (SBC). Its primary function is to protect the network and networked communications from IP-based attacks. Voice over IP (VoIP) networks face many of the same risks as data networks (DoS attacks, network hacking, spoofing) as well as new risks such as toll fraud. But while many enterprises rely on them, conventional network firewalls, security appliances and routers are not designed for real-time communications. Across all VoIP-related use case scenarios, only SBCs meet the requirements for the successful delivery of enterprise and contact center VoIP/UC services and applications.
Although there are many reasons why an enterprise might want an SBC—SIP trunking, on-net routing, UC enablement—security is the primary reason to own one. In fact, a poll conducted by research firm Infonetics found that 88% of CIOs felt security was the most important function of an SBC. If an SBC did nothing but secure real-time communications and protect the network from SIP-based attacks, enterprises would recover their ROI quickly.
Below are the five most important reasons why you need an SBC if you’re running voice or video over an IP network:
1. Keeping Communications Over the Internet Private
Just as unencrypted email can be opened and exploited, voice or video sessions over IP also require encryption and user authentication to protect them from prying eyes and ears.
An SBC can encrypt communications at the session level, or encrypt all communications between two secure network devices (e.g., two SBCs), creating a Virtual Private Tunnel for voice communications (also known as a Voice VPN). Encryption essentially "locks" each IP packet transmitted during a voice or video session so that it can only be opened with a key held by the specific, trusted endpoint. SBCs use different encryption standards: IPsec and Transport Layer Security (TLS) to encrypt the signaling, and the Secure RTP (SRTP) standard to encrypt the media (the contents of the call). The importance of encryption is growing as more employees work outside the traditional office, so that more communications traverse external (and non-secured) networks such as the Internet. Encryption allows these communications to travel safely over the Internet and other external networks (e.g., public WiFi networks) without being exposed to third parties.
Authentication is the process of verifying a user’s identity. In the case of IP communications, this is often done by cross-referencing a device’s IP address against a known database of users/subscribers. SBCs have methods in place for detecting spoofing, which is when an endpoint tries to alter its true identity (a practice common among email spammers).
2. Protecting Your Network from Intrusion/Attacks
As with IP data networks, hackers will often probe IP voice and video networks for unsecured entry points into your network. This is a growing concern as enterprises consolidate networks, because it means that someone can enter the network through more devices (e.g., smartphones) and exploit the weakest part of the network. For example, a hacker could exploit an unprotected IP PBX from a smartphone to gain access to credit card information stored on the corporate data network. By shielding the IP PBX from the external world, an SBC makes it "invisible" to unauthorized users.
In addition to targeted attacks, enterprises are also subject to blanket DoS and DDoS attacks that seek to disrupt communications. Why would someone want to flood a network with 10,000 VoIP calls at the same time? In some cases, it is done to look for unsecured ports and holes in network security. The damage of DoS attacks is very real, especially for companies that rely on communications for their revenue. Consider a DoS attack mounted against a call center during its busy period; the lost revenue and added customer frustration can quickly end up costing an enterprise tens of thousands of dollars.
The difficulty of tracking DoS attack sources makes the crime more appealing. Fortunately, SBCs are capable of recognizing and blocking DoS and DDoS attacks within a matter of seconds, using a mixture of rules-based policies and call admission control (CAC) features.
3. Preventing Toll Fraud
An SBC's policy capabilities also play a key role in preventing toll fraud. Toll fraud is not a widespread problem, in that most of it originates from, and is directed at, nations where telecommunications are less regulated. Simply using an SBC to enforce a policy that blocks a high volume of long-distance calls to/from these nations can significantly reduce the potential for toll fraud with minimal effort.
As the network gatekeeper, an SBC is ideally suited to intercept and reject fraudulent long-distance calls. The SBC “inspects” each SIP signaling packet that enters the voice network, which includes the origination and destination of the call as well as the ID of the device forwarding the request (e.g., an IP softswitch or another SBC). Using this information, an SBC can quickly identify abnormal or suspicious call activity and drop or block the calls based on specific policy rules.
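The following is an added illustration, not Sonus code or the article's own, of the two policy mechanisms described in sections 2 and 3: a call admission control (CAC) rate limit keyed on the device that forwarded the request, and a destination-prefix rule for toll fraud, both applied to the fields an SBC reads from SIP INVITE signaling. The prefix, limit, addresses and messages are all constructed placeholders.

```python
import re
from collections import defaultdict, deque

# Constructed policy values (placeholders, not real country codes or vendor defaults).
BLOCKED_PREFIXES = ("999",)      # destination prefixes the toll-fraud rule rejects
MAX_INVITES_PER_WINDOW = 3       # CAC: new INVITEs allowed per forwarding device per window
WINDOW_SECONDS = 1.0

# Constructed sample signaling: a normal call and a call to a blocked prefix,
# both forwarded by the same device (the Via host, e.g. a trunk or another SBC).
INVITE_OK = ("INVITE sip:12125550100@pbx.example SIP/2.0\r\n"
             "Via: SIP/2.0/TLS 203.0.113.7:5061;branch=z9hG4bKabc\r\n"
             "From: <sip:alice@trunk.example>;tag=1\r\n"
             "To: <sip:12125550100@pbx.example>\r\n\r\n")
INVITE_FRAUD = INVITE_OK.replace("12125550100", "9995550100")

def parse_invite(raw):
    """Extract what the policy needs from an INVITE: destination number,
    From header and the host that forwarded the request (topmost Via)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    m = re.match(r"INVITE sip:\+?(\d+)@", lines[0])
    if not m:
        return None                       # not a call setup request
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), value.strip())  # keeps topmost Via
    via = re.search(r"SIP/2\.0/\w+ ([\w.\-]+)", headers.get("via", ""))
    return {"dest": m.group(1), "from": headers.get("from", ""),
            "via_host": via.group(1) if via else "unknown"}

class AdmissionPolicy:
    """Rules-based admission decisions: CAC rate limit first, then destination policy."""
    def __init__(self):
        self._recent = defaultdict(deque)  # via_host -> timestamps of recent INVITEs

    def decide(self, raw, now):
        call = parse_invite(raw)
        if call is None:
            return "IGNORE"
        q = self._recent[call["via_host"]]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                   # slide the window forward
        if len(q) >= MAX_INVITES_PER_WINDOW:
            return "REJECT_CAC"           # call flood from one forwarding device
        q.append(now)
        if call["dest"].startswith(BLOCKED_PREFIXES):
            return "REJECT_POLICY"        # toll-fraud destination rule
        return "ALLOW"
```

Rejected attempts still count toward the CAC window, so a flood of calls to blocked destinations is throttled as well as rejected.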
4. Ensuring Secure Endpoints
Within the physical enterprise environment, devices such as phones and laptops are secured through the enterprise WiFi network or a physical local area network (LAN) connection. But what about the millions of mobile devices accessing the network from the outside, whether a service provider’s 4G network or an airport’s WiFi network? These devices may be visible to other users on the same network unless they’re secured. In essence, any information transmitted on a non-secure remote device—passwords, customer information, sales data, emails—can be viewed by another device that shares the same network.
SBCs can ensure the security of endpoints outside the physical network through encryption, authentication and policy enforcement. For example, enterprises may require a Voice VPN connection to remote call agents who work from home, in order to meet industry compliance requirements. Having a centralized policy management solution can also play an important role in security by enabling SBCs to block devices across the network moments after a mobile device or account is de-activated, which can happen as employees change devices or change jobs.
5. Providing High-Quality, Secure Communications
Because voice is a real-time application, it’s highly sensitive to issues such as dropped packets and latency. In the world of data communications, dropped packets can simply be re-sent and latency is little more than a slight lag in time as a Web page downloads. In voice communications, however, these same problems make for a frustrating user experience, as anyone who used Voice over IP (VoIP) in its earliest days can attest.
Although it’s not specifically a security issue, high-quality communications do make customers feel more secure, especially when they’re exchanging personal information over the phone. SBCs can do a number of things to ensure high-quality, real-time communications, including:
- Call Admission Control to prevent network overloads that can result in dropped or delayed calls;
- Media transcoding to provide the best possible voice quality based on the end user’s network and device; and
- Policy-based call routing to ensure that voice and video calls meet service level agreements for quality.
SBCs play an important and unique role in today’s UC networks, helping service providers and enterprises secure SIP trunking services, protect their networks from Internet-based attacks, and provide higher quality communications.
Today, SBC vendors offer a variety of options for enterprises and service providers, ranging from smaller devices best suited to a branch office, to medium-sized devices for active call centers, to the largest SBCs that can support up to 150,000 concurrent SIP sessions for carriers and the largest of enterprises.
As voice, and especially video, become more prevalent on IP-based communications networks, SBCs will need to offer high scalability, flexibility and performance to meet this growing demand for SIP-based communications.