A session border controller (SBC) is a network element deployed to protect SIP-based voice over Internet Protocol (VoIP) networks. SBCs secure real-time communications at network borders.
More and more enterprises are switching to all-IP networks and transitioning to the digital workplace. IP-based voice, video, conferencing, and unified communications are now widely used. At the same time, enterprise communications face new challenges: system security (service intrusion, eavesdropping, denial-of-service attacks, data interception, toll fraud, malformed SIP packets), network-attack defense, cross-network NAT traversal, QoS, and SIP signaling compatibility issues.
SBCs have become the de-facto standard for telephony and multimedia services in NGN / IMS networks. Deploying SBCs in a communication network effectively addresses the security, connectivity, and interoperability issues mentioned above and guarantees the stability and reliability of VoIP and communications services.
Typical Scenarios
E-SBC (Enterprise Session Border Controller)
A-SBC (Access Session Border Controller)
I-SBC (Interconnect Session Border Controller)
What can SBCs do for security?
SBCs provide abundant security features that protect your VoIP environment as a SIP firewall working at the application and services layer, unlike a data firewall. Here is an introduction to the key features.
DoS (Denial of Service) / DDoS (Distributed Denial of Service) Attack Protection
(1) ICMP-Flood attack protection: Configure a threshold of ICMP packets per second; if the threshold is exceeded, the packets are discarded.
(2) TCP-Flood attack protection: Configure a threshold of TCP packets per second; if the threshold is exceeded, the packets are discarded.
(3) TCP-NULL attack protection: TCP packets that do not contain any flag bits are discarded directly.
(4) TCP XMAS TREE attack protection: Packets with the XMAS flag combination are discarded directly.
(5) Anti-fraud, anti-theft, anti-eavesdropping, dynamic blacklist
IP Attack Protection
(1) Bandwidth limitation and fast positioning of attacks: proactively discovering potential risks, collecting attack actions, and detecting the source of large-traffic attacks within a set period, effectively ensuring that services are not affected by attacks.
(2) Access control: SBCs can set permissions for web access, SSH access, and ping response separately for each network port, which greatly improves device security.
(3) Thresholds can be set according to the traffic of a source IP or local port and the SBC's CPU usage. If a threshold is exceeded, the SBC automatically limits the traffic or discards the packets, and the event is logged.
SIP Attack Protection
(1) SIP registration limiting: Limit the SIP registration rate per IP address or SIP account, with thresholds, conditional blocking, blacklisting, and traffic control.
(2) SIP call limiting: Limit the call rate according to the real-time call attempts per second (CAPS) of an IP address or SIP account, with thresholds, conditional blocking, and blacklisting.
(3) TDoS attack protection: A Telephony Denial of Service (TDoS) attack is an attempt to make a telephone system unavailable to its intended users by preventing incoming and/or outgoing calls and consuming all available telephone resources. Each call in a TDoS attack conforms to the protocol, but the overall behavior is abnormal, such as a very high call frequency. SBCs can intelligently identify and block callers that make frequent ultra-short-duration calls or incomplete calls, according to designated rules.
(4) SIP malformed packet protection: SBCs detect and discard malformed packets, whether caused by attacks or by network issues, instead of forwarding them to the SIP server / IP PBX / softswitch, thereby protecting the core network.
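The registration rate limiting and TDoS detection described above, as an added example that is not part of the original page or of any vendor's SBC software. It runs per-caller sliding windows over constructed call records and REGISTER events; the thresholds, the number format and the IP addresses are assumptions, and real SBCs expose them as configurable rules.

```python
from collections import defaultdict, deque

# Constructed sample call records: (caller, start_s, duration_s, completed)
CALLS = [
    ("+15550001", 0, 1.0, True), ("+15550001", 2, 0.8, True), ("+15550001", 4, 0.0, False),
    ("+15550001", 6, 0.9, True), ("+15550001", 8, 0.0, False),
    ("+15550002", 0, 120.0, True), ("+15550002", 300, 45.0, True),
]
# Constructed REGISTER events: (source_ip, time_s); 8 registrations in 3.5 s from one host
REGISTRATIONS = [("203.0.113.7", i * 0.5) for i in range(8)] + \
                [("198.51.100.2", 0), ("198.51.100.2", 30)]

# Assumed "designated rules" (values chosen for the demo, not from the page)
WINDOW_S = 60          # sliding observation window for calls
MAX_CALLS = 4          # more calls than this per window counts as high frequency
SHORT_CALL_S = 2.0     # a completed call shorter than this is "ultra-short"
MAX_SUSPICIOUS = 3     # ultra-short + incomplete calls per window before blacklisting

def detect_tdos(calls):
    """Return {caller: reason} for callers added to the dynamic blacklist."""
    history = defaultdict(deque)     # caller -> deque of (start_s, is_suspicious)
    blacklist = {}
    for caller, start, dur, done in sorted(calls, key=lambda c: c[1]):
        if caller in blacklist:
            continue                  # already blocked; later calls would be rejected
        q = history[caller]
        while q and start - q[0][0] > WINDOW_S:   # expire entries outside the window
            q.popleft()
        suspicious = (not done) or dur < SHORT_CALL_S
        q.append((start, suspicious))
        if len(q) > MAX_CALLS:
            blacklist[caller] = "call rate"
        elif sum(1 for _, s in q if s) >= MAX_SUSPICIOUS:
            blacklist[caller] = "ultra-short/incomplete calls"
    return blacklist

def check_registrations(events, max_per_window=5, window_s=10):
    """Return the set of source IPs whose REGISTER rate exceeds the threshold."""
    seen = defaultdict(deque)        # ip -> deque of timestamps in the window
    blocked = set()
    for ip, t in sorted(events, key=lambda e: e[1]):
        q = seen[ip]
        while q and t - q[0] > window_s:
            q.popleft()
        q.append(t)
        if len(q) > max_per_window:
            blocked.add(ip)
    return blocked

if __name__ == "__main__":
    print(detect_tdos(CALLS))                 # {'+15550001': 'ultra-short/incomplete calls'}
    print(check_registrations(REGISTRATIONS)) # {'203.0.113.7'}
```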
TLS/SRTP Encryption
(1) TLS (Transport Layer Security) for signaling encryption.
(2) SRTP (Secure Real-time Transport Protocol) for media encryption, providing encryption, message authentication, and attack protection for the RTP media.
(3) Client/server login authentication: SBCs support RADIUS and TACACS authentication.
Traffic Control
SBCs can limit the call traffic of SIP trunks, intelligently classify traffic according to user level and business priority, and allocate bandwidth by priority.
Overload Protection
SBCs can handle high traffic volumes and protect the core network from overload, whether caused by deliberate attacks or by legitimate surges such as hot events and peak hours.
Dynamic Blacklist/Whitelist
Whitelist: Static list of IP addresses and numbers that are allowed to access the SBC.
Blacklist: Static list of IP addresses and numbers whose traffic is discarded.
Dynamic blacklist: SBCs can detect and block misbehaving IP addresses and numbers.
IP/Domain Authentication
IP and domain authentication of the source of SIP calls and registration messages on IP trunks, to prevent toll fraud and malicious attacks.
Topology Hiding
In regular SIP traffic, critical IP address information is forwarded to other networks. SBCs translate IP addresses and ports for signaling and media streams to hide the internal SIP network, avoiding exposure of the internal core network to malicious attacks.
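The address translation that topology hiding performs, as an added example that is not code from the page or from any SBC product. A real SBC acts as a back-to-back user agent and generates its own dialog; this simplified version only rewrites the headers and SDP lines that carry internal addresses in a constructed INVITE. The internal 10.0.0.0/8 range, the SBC public IP and the media relay port are assumptions.

```python
import re

SBC_PUBLIC_IP = "198.51.100.10"   # assumed external address of the SBC
SBC_MEDIA_PORT = 20000            # assumed RTP relay port on the SBC
INTERNAL_IP = re.compile(r"\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")  # assumed internal range

# Constructed INVITE leaving the enterprise (Content-Length is recomputed below)
INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.5.21:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@10.0.5.21>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Contact: <sip:alice@10.0.5.21:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "v=0\r\no=alice 2890844526 2890844526 IN IP4 10.0.5.21\r\ns=-\r\n"
    "c=IN IP4 10.0.5.21\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n"
)

def hide_topology(msg, public_ip=SBC_PUBLIC_IP, media_port=SBC_MEDIA_PORT):
    """Rewrite internal addresses in signaling headers and SDP with the SBC's own."""
    head, body = msg.split("\r\n\r\n", 1)
    out = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name == "content-length":
            continue                                  # re-added after body rewrite
        if name in ("via", "from", "contact", "record-route"):
            line = INTERNAL_IP.sub(public_ip, line)   # signaling now points at the SBC
        out.append(line)
    # media: o= and c= carry the endpoint address; m= carries its RTP port
    body = INTERNAL_IP.sub(public_ip, body)
    body = re.sub(r"^(m=audio )\d+", lambda m: m.group(1) + str(media_port), body, flags=re.M)
    out.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(out) + "\r\n\r\n" + body

def leaks_internal_ip(msg):
    """True if any internal address is still visible in the message."""
    return INTERNAL_IP.search(msg) is not None

if __name__ == "__main__":
    print(hide_topology(INVITE))
```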
Product security certification
Passed the NSFOCUS RASA scan tests.
Passed the security red-line scanning tests of globally renowned telecommunications companies.