Why Do I Need an SBC? PacketBase, Inc.

Slide 2: Avaya Aura™ SBC and the Reference Architecture
  (Diagram: Avaya Aura™ Session Manager and System Manager at the core; Communication Manager, application platforms, MX and media servers inside the enterprise; an Avaya Aura™ SBC or Acme Packet SBC at the border, facing SIP trunks from PSTN trunking providers, hosted services and federated partners; 3rd party PBXs, 3rd party endpoints, Avaya one-X® endpoints, a branch or standalone Avaya CM, and remote workers via Internet access (future).)

Slide 3: Things to think about…
  • Service Providers maximize revenue by designing their network to be highly optimized with minimal maintenance
  • Their SBCs, softswitches, and media gateways are widely shared resources
  • Unique customer configuration requirements deviate from this theme
  • For SIP trunks, each Service Provider has explicitly defined User to Network Interface (UNI) requirements
  • The requirements include supported SIP message types (requests/responses), methods, formatting, headers, fields, codecs, QoS markings, etc. Within a single Service Provider, the UNI will differ with each unique service offering.
  • Enterprise customers do not subscribe to the same model, instead focusing on implementing solutions that meet customer needs and differentiate their business
  • Traditional demarcation points, i.e. media gateways, no longer act as natural boundaries to enforce expected service provider behaviors and requirements

Slide 4: Why use an SBC?
  Flexibility
  • Provides a layer of independence from the Service Provider – allows the enterprise to make changes more quickly vs. negotiating with / relying on the Service Provider if needs change
  • Normalization point for signaling and RTP media streams to multiple SIP stacks in the enterprise
  • Allows for multiple SIP trunk provider access points (now or in future)
  • Support of enterprise-specific call flows that may not be directly supported by the SIP trunk provider
  Security
  • Enforces a customer's unique security policies; the SIP trunk provider's own SBC (if private SIP trunk service) focuses on the provider's security concerns
  • Complete network topology hiding
  • Addresses the set of issues specific to SIP-based communication (deep packet inspection)
  Accountability
  • Per-call status – QoS, SLA monitoring
  • Report on intrusion attempts
  • Session recording

Slide 5: Analyst View - SBCs and the Enterprise

Slide 6: The Security Threat - Examples
  • June 2009 – International Phone Fraud Ring busted (Softpedia): eight indicted for stealing calls totaling over 12 million minutes and resulting in phone bills of more than $55 million
  • May 2010 – FBI warns on VoIP attacks: TDoS attacks create a diversion for information thieves to loot bank account information
  • October 2010 – VoIP Attacks On The Rise! Secure Your VoIP Servers (blog.sipvicious.org): cloud-initiated wave of SIPVicious port 5060 scans leads to €11 million loss
  • December 2010 – Major VoIP Fraud Gang Dismantled in Romania: 50 individuals used the "Zoiper" program to route calls to premium rate numbers through hacked VoIP accounts in exchange for commission

Slide 7: Gartner – SBC Evaluation Criteria
  • Has been thoroughly tested and documented as an integral part of the enterprise UC solution
  • Has been incorporated into the certification configurations of the enterprise UC solution with the SIP trunk service provider
  • Provides support and maintenance services for UC
  • Provides a full set of security features, including prevention of DoS and DDoS attacks
  Source: http://www.gartner.com/technology/media-products/reprints/avaya/vol6/article8/article8.html

Slide 8: Enterprise and contact center security threats
  • Denial of Service: call/registration overload; malformed messages (fuzzing)
  • Configuration errors: mis-configured devices; operator and application errors
  • Theft of service: unauthorized users; unauthorized media types
  • Viruses & SPIT: viruses via SIP messages; malware via IM sessions; SPIT – unwanted traffic
  (Chart: Enterprise Adoption of Collaboration Tools. Source: Nemertes Research.) Increased usage of collaboration tools means security threats are more of a concern.

Slide 9: Avaya Aura™ SBC & Acme Packet Net-Net SBC Security Framework
  (Framework diagram: DoS prevention, fraud prevention, access control, service infrastructure, topology hiding & privacy, viruses/malware & SPIT mitigation.)
  • SBC DoS/DDoS protection: protect against DoS/DDoS attacks
  • Access control & VPN separation: dynamic, session-aware access control for signaling & media
  • Topology hiding & privacy
  • Viruses, malware & SPIT mitigation: deep packet inspection
  • Encryption and authentication: TLS, SRTP, IPsec
  • Monitoring and reporting: record attacks & attackers; provide audit trails

Slide 10: GSSCP (Global Service Provider SIP Compliance Program)
  • Program to test and document valid working configurations with SIP trunk providers
  • Tests are tied to 6 defined Avaya reference configurations
  • Avaya has recently published an Interoperability Guidelines document covering SBC testing guidelines, implications of implementing a non-tested configuration, and 3rd party SBC guidelines

Slide 11: SBC Feature Summary
  • The SBC will provide the interworking function between the Avaya Aura Communication Core and SP-specific SIP methods
  • Faster deployment of Avaya Aura solutions at lower risk and cost
  • Easier integration of Avaya Aura with external third-party applications and services
  • The SBC provides DoS (Denial of Service) protection by rate limiting traffic into the enterprise
  • The SBC provides topology hiding for the enterprise infrastructure
  • The SBC will be the anchoring point for in-bound calls and will consume REFER method indications to redirect traffic internal to the enterprise
  • The SBC may need to fork media for recording purposes
  • The SBC may be required to transcode media
  • Reference point for interop testing with SIP trunk providers

Editor's Notes

  • #5 SBC Value within the Avaya Aura Architecture
    As enterprises are moving rapidly to adopt Session Initiation Protocol (SIP) for connection to service providers (SIP trunks), hosted application providers, extranet partners and remote workers, a common question is: "Since the SIP trunk provider already has an SBC in their network, why does a customer of that provider require an SBC on their premise as well?"

    Security: An enterprise SBC provides essential SIP security regardless of whether the public SIP trunk service is delivered as a dedicated connection from the SIP trunk provider or via a shared MPLS network. VoIP is a service that runs on IP, just like email and web browsing. Enterprises do not rely on their Internet Service Providers to protect those services using a central, communal firewall. An enterprise SBC enforces the customer's unique VoIP security policies – just like an enterprise firewall does for data – and ensures that any regulatory requirements for data security are met. It provides the enterprise complete network topology hiding, up to Layer 7, meaning all extra-enterprise SIP signaling and RTP media are anchored through the enterprise SBC, mitigating the risk of exposing large ranges of private IP addresses to an externally controlled foreign entity and the associated possibilities of intentional or unintentional (misconfiguration) attack. Unlike an enterprise firewall, an enterprise SBC is specifically designed to parse each SIP message via deep packet inspection and manipulate the SIP headers if necessary to ensure protocol-compliant formatting. The SBC is able to enforce signaling rate limiting and media bandwidth policing and reduce the impact of DoS attacks by using dynamic access lists triggered by behavioral analysis of users and traffic.

    Flexibility: Without an enterprise SBC, certain configuration changes may need to be done at the central SBC by the service provider. The service provider's network operations processes preclude rapid and frequent changes to the central SBC platform configuration – primarily for stability reasons. Most service providers only offer one enterprise-facing configuration and will not change it. Those who will make changes will only do so after extensive regression testing – and this takes place very infrequently – at most 1 or 2 times a year. This means that it is often very difficult to meet the changing needs of customers and/or meet a customer's specific needs for interfacing their particular communication infrastructure and associated security policy requirements. By installing an enterprise SBC, the customer's specific communications requirements can be fully addressed, insulating the service provider's SBC from any changes. This means that the specific business needs of the customer can be met in a quick and easy way. Also, any adaptation costs are specific to that customer and do not impact the on-going network operations costs. The enterprise SBC provides an ideal reference interface for network border interoperability testing by normalizing the signaling and RTP streams into the enterprise. Additionally, an enterprise may wish to work with multiple SIP trunk providers. The SBC is an enabler if more than one SIP trunk provider is terminating to the enterprise, providing a common demarcation point for normalization. Finally, an enterprise's business requirements, now or in the future, will drive enterprise-specific call flows that may not necessarily be supported or directly interoperable with a SIP trunk provider. A premise SBC can be configured to meet an enterprise's specific requirements.

    Accountability: An enterprise SBC can generate per-call statistics including QoS measurements for independent SLA monitoring. It can also provide reports on intrusion attempts (IDT) and provide session replication for call recording to meet industry or regulatory requirements.

    Thus, for these reasons, Avaya strongly recommends deployment of the Avaya Aura Session Border Controller or Acme Packet-branded SBCs within the Avaya Aura architecture.
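The two SBC security functions this note and the feature summary describe, per-source signaling rate limiting backed by a dynamic access list and Layer 7 topology hiding of SIP headers and SDP, as an added illustration that is not code from the deck or from any Avaya or Acme Packet product. It assumes a constructed 10/8 enterprise address range, a constructed SBC outside address of 203.0.113.10, and a constructed INVITE; a real SBC would additionally keep state to reverse the rewrites on replies.

```python
import re
from collections import defaultdict, deque

SBC_PUBLIC = "203.0.113.10"   # constructed: the SBC's outside address (RFC 5737 test range)
INTERNAL_IP = re.compile(r"\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")  # assumption: enterprise uses 10/8
LEAKY_HEADERS = ("record-route", "user-agent", "server")       # reveal hops or platform versions

class InviteRateLimiter:
    """Per-source INVITE rate limit with a dynamic block list, the way an SBC DoS policy works."""
    def __init__(self, max_per_window=5, window_s=10.0, block_s=300.0):
        self.max, self.window, self.block_s = max_per_window, window_s, block_s
        self.recent = defaultdict(deque)   # src ip -> timestamps of recent INVITE attempts
        self.blocked = {}                   # src ip -> time at which the dynamic block expires

    def admit(self, src_ip, now):
        """Return True if an INVITE from src_ip is admitted at time `now` (seconds)."""
        if src_ip in self.blocked:
            if now < self.blocked[src_ip]:
                return False
            del self.blocked[src_ip]            # block expired: source gets a fresh window
        q = self.recent[src_ip]
        while q and now - q[0] > self.window:   # drop attempts that fell out of the window
            q.popleft()
        q.append(now)
        if len(q) > self.max:                   # burst exceeded: add a dynamic ACL entry
            self.blocked[src_ip] = now + self.block_s
            q.clear()
            return False
        return True

def hide_topology(msg, public_ip=SBC_PUBLIC):
    """Rewrite an outbound SIP message so internal addresses and hop/platform details do not leave."""
    head, sep, body = msg.partition("\r\n\r\n")
    kept = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name in LEAKY_HEADERS:
            continue
        kept.append(INTERNAL_IP.sub(public_ip, line))   # Via/Contact/From hosts -> SBC address
    body = INTERNAL_IP.sub(public_ip, body)  # media is anchored at the SBC, so SDP c=/o= follow
    return "\r\n".join(kept) + sep + body

# constructed sample: the INVITE as an internal call server would send it toward the trunk
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:+15551234567@trunk.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 10.1.2.3:5060;branch=z9hG4bK776", "From: <sip:2001@10.1.2.3>;tag=1",
    "To: <sip:+15551234567@trunk.example.net>", "Contact: <sip:2001@10.1.2.3:5060>",
    "Record-Route: <sip:10.1.2.9;lr>", "User-Agent: ExamplePBX/1.0", "Content-Type: application/sdp",
    "", "v=0", "o=- 1 1 IN IP4 10.1.2.3", "c=IN IP4 10.1.2.3", "m=audio 2000 RTP/AVP 0", ""])
```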
  • #6 49% growth in Enterprise SBC sales between 2008 and 2013 estimated by Infonetics (report was written in late 2007). Infonetics acknowledges the momentum of the SBC toward the enterprise for functions previously only addressed by the SP. Gartner acknowledges security and interoperability advantages to an enterprise SBC. The most interesting statement from Gartner is the last, which highlights the partnership of SBC with a session manager. Avaya is unique in the Enterprise with the concept of a session manager, and its inherent ability to broker applications. This session-based architecture makes the need for an SBC much more prevalent than some of our more traditional competitors. In other words, the Aura architecture is different. And this is why SPs are not seeing the demand for a premise SBC from all Enterprise SIP trunking vendors . . . Yet.