Session Border Controllers - Sonus Networks

Session Border Controllers: Securing Real-Time Communications

Why do I need an SBC if I already have a firewall?

It’s not uncommon for enterprises to believe that the same device that protects their data network—the firewall—will also protect their voice network. Data and voice communications are very different, however, and have unique considerations, both in terms of security and quality-of-service (QoS) requirements. To meet these requirements, an SBC is designed to provide functionality that a firewall cannot, such as:

• Protection against voice-based DoS/DDoS attacks to ensure that calls are not interrupted or call capacity compromised during an attack;

• Media services such as voice/ video transcoding and fax/ DTMF interworking to ensure that different devices can communicate effectively;

• IP Private Branch eXchange (IP PBX) and UC protocol interworking to translate different signaling protocols and provide SIP message manipulation, for the purpose of allowing different networks and network elements to communicate in a UC environment; and

• Enforcement of network policies such as least cost routing paths and Call Admission Control (CAC) settings that ensure calls are routed efficiently.

The bottom line is that conventional network firewalls, security appliances and routers are not designed for real-time communications. Across all VoIP-related use case scenarios, only SBCs meet the requirements for the successful delivery of enterprise and contact center VoIP/UC services and applications.

Introduction

Over the last few years, enterprises have started to shift toward Unified Communications (UC) platforms that bring voice, video and data together, both as a richer user experience and as a more efficient network model using the Internet Protocol (IP) standard. As a result of this shift, many enterprises are re-examining network security solutions to accommodate the distinct concerns of IP-based voice and video communications. These real-time communications present unique considerations in terms of security and delivery that require a more robust solution than those traditionally used for IP-based data communications such as firewalls. While the positive aspects of moving to a unified, IP-based communications model are too compelling to ignore—reduced costs, higher quality, more features, improved productivity—so too are the security risks that present themselves once an enterprise opens its real-time communications to the Internet. In particular, the shift from circuit-switched voice networks to an IP-based voice network creates a new entryway for IP-based attacks, including Denial-of-Service (DoS), information/identity theft and toll fraud. If you believe that voice networks are less likely to be targeted than data networks, think again. The Communications Fraud Control Association (CFCA) estimates that fraud alone cost the industry $46.3 billion in 2013, proving that voice communications systems remain a lucrative target for hackers and thieves. In the new lexicon of Unified Communications, the ABCs of network security are different. Enterprises, as well as the communications service providers that serve them, must focus on:

• Access: securing the network border against unwanted/unauthorized intrusion;

• Bombardment: preventing network flooding as a result of DoS and Distributed Denial-of-Service (DDoS) attacks; and

• Compromise: hardening the security of their network services and connections to remote clients to prevent illegal use (e.g., toll fraud) by external users.

To do this, networks require a new kind of security device known as a Session Border Controller (SBC). In this whitepaper, we’ll examine how an SBC works, why it’s necessary for real-time communications, and how it differs from other network security methods that may already be in place in your network.

Session Border Controllers: Securing Real-Time Communications

Although SBCs play an important role in ensuring the quality of real-time communications over an IP network (as discussed later in this paper), their primary function is to protect the network and networked communications from IP-based attacks. An enterprise wouldn’t think of connecting its data network to the Internet without a firewall, or performing commerce over the Internet without some kind of encryption enabled, and an SBC is just as critical to real-time IP communications. Voice over IP (VoIP) networks face many of the same risks as data networks—DoS attacks, network hacking, spoofing—as well as new risks such as toll fraud. If enterprises fail to see their voice systems as a target for fraud, hackers have a very different view: illegally hacked voice systems can generate significant revenue for thieves, who use them to re-sell international long-distance service to often-unsuspecting customers. The role of the SBC in a UC environment is much broader than a firewall, however. You can think of an SBC as a network traffic cop, ensuring the smooth flow of traffic in and out of the network, enforcing policies and preventing unauthorized or illegal activities from taking place. In fact, the name Session Border Controller explains its role rather well: it controls real-time communications sessions at the network border. Because of its placement at the network border, an SBC is most often used to interconnect safely with external IP networks and secure SIP trunking services between an enterprise and a SIP service provider. (SIP stands for Session Initiation Protocol, and is the signaling protocol for real-time communications in an IP network.) Additionally, an SBC is used to secure communications from the border of a network to trusted mobile clients.

Five Reasons You Need An SBC

Although there are many reasons why an enterprise might want an SBC—SIP trunking, on-net routing, UC enablement—security is the primary reason to own one. In fact, a poll conducted by research firm Infonetics found that 88% of CIOs felt security was the most important function of an SBC. If an SBC did nothing but secure real-time communications and protect the network from SIP-based attacks, enterprises would recover their ROI quickly. That SBCs provide many other opportunities for cost savings beyond security is one reason why sales of enterprise SBCs rose 42% in 2013 (source: Infonetics). Below are the five most important reasons why you need an SBC if you’re running voice or video over an IP network:

1. To keep communications over the Internet private
2. To protect your network from unwanted intrusion
3. To prevent toll fraud
4. To ensure endpoints (phones, laptops, tablets) are secure
5. To provide high-quality communications

We’ll take a closer look at each of these functions in the following sections.

Keeping Communications Over the Internet Private

Just as unencrypted email can be opened and exploited, voice or video sessions over IP also require encryption and user authentication to protect them from prying eyes and ears. This privacy may also be mandated by federal or industry agencies, as in the case of a patient conversation with a doctor or pharmacist, or a retail purchase where credit card information is shared. An SBC can encrypt communications at a session level or encrypt all communications between two different secure network devices (e.g., two SBCs), creating a Virtual Private Tunnel for voice communications (also known as a Voice VPN). Encryption essentially “locks” each IP packet transmitted during a voice or video session, which can only be opened with a special key provided to the specific, trusted endpoint. SBCs use different encryption standards, including IPsec and Transport Layer Security (TLS) to encrypt signaling information, and the Secure RTP (SRTP) standard to encrypt the media (or contents). The importance of encryption is growing as more employees work outside of the traditional office, resulting in more communications that traverse external (and non-secured) networks such as the Internet. Encryption allows these communications to safely travel over the Internet and other external networks (e.g., public WiFi networks) without being exposed to third parties. Authentication is the process of verifying a user’s identity. In the case of IP communications, this is often done by cross-referencing a device’s IP address against a known database of users/subscribers. SBCs have methods in place for detecting spoofing, which is when an endpoint tries to alter its true identity (a practice common among email spammers). Multiprotocol Label Switching (MPLS) networks reduce the exposure to external threats, but they do not negate the need for an SBC. An MPLS network is still vulnerable at the point where it connects to the Internet (i.e., the network border), and so requires the same levels of encryption and authentication for sessions that extend outside the network. You can think of an MPLS network as a garden hose: it has a thick layer to protect the contents inside, but it doesn’t control what enters it at the faucet; that’s the role of the SBC.

Protecting Your Network from Intrusion/Attacks

As with IP data networks, hackers will often use IP-voice and video networks to look for unsecured entry points into your network. This is a growing concern as enterprises consolidate networks, because it means that someone can enter the network through more devices (e.g., smartphones) and exploit the weakest part of the network. For example, a hacker could exploit an unprotected IP PBX through their smartphone to gain access to credit card information stored on the corporate data network. By shielding the IP PBX from the external world, an SBC makes it “invisible” to unauthorized users.


In addition to targeted attacks, enterprises are also subject to blanket DoS and DDoS attacks that seek to disrupt communications. Why would someone want to flood a network with 10,000 VoIP calls at the same time? In some cases, to look for unsecured ports and holes in network security. More commonly, DoS attacks are a type of corporate vandalism that disrupts or shuts down an enterprise’s communications system for a period of time. The damage of DoS attacks is very real, especially for companies that rely on communications for their revenue. Consider a DoS attack mounted against a call center during its busy period; the lost revenue and added customer frustration can quickly end up costing an enterprise tens of thousands of dollars. Unfortunately, DoS and DDoS attacks are not difficult to mount. DDoS programs and “services” are readily available on the Internet for a nominal fee, providing even inexperienced hackers with the tools to take down a network. The difficulty of tracking DoS attack sources makes the crime more appealing. Fortunately, SBCs are capable of recognizing and blocking DoS and DDoS attacks within a matter of seconds, using a mixture of rules-based policies and call admission control (CAC) features.

Preventing Toll Fraud

An SBC’s policy capabilities also play a key role in preventing toll fraud. While toll fraud is a large and growing problem, it is not a geographically widespread one: the majority of toll fraud originates from and is targeted to those nations where telecommunications are less regulated. Simply using an SBC to enforce a policy that blocks a high number of long-distance calls to/from these nations can significantly reduce the potential for toll fraud with minimal effort. As the network gatekeeper, an SBC is ideally suited to intercept and reject fraudulent long-distance calls. The SBC “inspects” each SIP signaling packet that enters the voice network, which includes the origination and destination of the call as well as the ID of the device forwarding the request (e.g., an IP softswitch or another SBC). Using this information, an SBC can quickly identify abnormal or suspicious call activity and drop or block the calls based on specific policy rules. A quick response is important in preventing toll fraud, as perpetrators waste little time in exploiting vulnerable systems using illegal international long-distance calling plans. Anecdotal evidence shows that toll fraud can quickly escalate to thousands of calls and tens of thousands of dollars in just a matter of hours.
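The rules-based DoS protection and call admission control described in the previous section, and the toll-fraud policy described here, can be illustrated with one small admission-control routine. This is an added example, not Sonus code: it reads the origination (From), destination (To) and forwarding device (Via) of a constructed SIP INVITE, rejects calls to a hypothetical list of blocked dial prefixes, and enforces a per-source INVITE rate and concurrent-session (CAC) limit; the prefixes, thresholds and sample addresses are all assumptions.

```python
import re
from collections import defaultdict, deque

# Policy settings (constructed for illustration; not Sonus defaults).
BLOCKED_DEST_PREFIXES = ("+1900", "+882")  # hypothetical premium-rate / high-risk dial prefixes
MAX_INVITES_PER_WINDOW = 5                  # rate rule: admitted INVITEs per source per WINDOW_SECS
WINDOW_SECS = 60
MAX_CONCURRENT = 3                          # CAC rule: simultaneous sessions per source

def parse_invite(msg):
    """Return the From/To user parts and the first Via host of a SIP INVITE, or None."""
    lines = msg.split("\r\n")
    if not lines[0].startswith("INVITE "):
        return None
    hdr = {}
    for line in lines[1:]:
        if not line:                          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        hdr.setdefault(name.strip().lower(), value.strip())
    def user(uri):
        m = re.search(r"sip:([^@;>]+)@", uri)
        return m.group(1) if m else ""
    via = re.search(r"SIP/2\.0/\w+\s+([^;\s]+)", hdr.get("via", ""))
    return {"from": user(hdr.get("from", "")), "to": user(hdr.get("to", "")),
            "src": via.group(1) if via else "unknown"}

class SbcPolicy:
    """Admit or reject INVITEs using destination, rate and CAC rules."""
    def __init__(self):
        self.recent = defaultdict(deque)  # source host -> timestamps of admitted INVITEs
        self.active = defaultdict(int)    # source host -> concurrent admitted sessions

    def decide(self, msg, now):
        inv = parse_invite(msg)
        if inv is None:
            return ("reject", "not an INVITE")
        if inv["to"].startswith(BLOCKED_DEST_PREFIXES):
            return ("reject", "blocked destination prefix")
        src, q = inv["src"], self.recent[inv["src"]]
        while q and now - q[0] > WINDOW_SECS:  # forget admissions outside the window
            q.popleft()
        if len(q) >= MAX_INVITES_PER_WINDOW:
            return ("reject", "call rate exceeded")
        if self.active[src] >= MAX_CONCURRENT:
            return ("reject", "CAC limit reached")
        q.append(now)
        self.active[src] += 1
        return ("admit", "ok")

    def end_call(self, src):
        """Release a session slot when a call from src ends (e.g., on BYE)."""
        self.active[src] = max(0, self.active[src] - 1)

def make_invite(frm, to, via_host, call_id):
    """Build a minimal constructed INVITE with only the headers the policy reads."""
    return ("INVITE sip:%s@example.com SIP/2.0\r\nVia: SIP/2.0/UDP %s;branch=z9hG4bK-%s\r\n"
            "From: <sip:%s@example.com>;tag=1\r\nTo: <sip:%s@example.com>\r\n"
            "Call-ID: %s\r\n\r\n") % (to, via_host, call_id, frm, to, call_id)
```

A real SBC applies these checks before the INVITE reaches the IP PBX, so a rejected call never consumes PBX capacity; the rate and CAC thresholds here are deliberately tiny so the behaviour is visible in a handful of messages.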

Ensuring Secure Endpoints

Within the physical enterprise environment, devices such as phones and laptops are secured through the enterprise WiFi network or a physical local area network (LAN) connection. But what about the millions of mobile devices accessing the network from the outside, whether a service provider’s 4G network or an airport’s WiFi network? These devices may be visible to other users on the same network unless they’re secured. In essence, any information transmitted on a non-secure remote device—passwords, customer information, sales data, emails—can be viewed by another device that shares the same network. SBCs can ensure the security of endpoints outside the physical network through encryption, authentication and policy enforcement. For example, enterprises may require a Voice VPN connection to remote call agents who work from home, in order to meet industry compliance requirements. Having a centralized policy management solution can also play an important role in security by enabling SBCs to block devices across the network moments after a mobile device or account is de-activated, which can happen as employees change devices or change jobs.

Providing High-Quality, Secure Communications

Because voice is a real-time application, it’s highly sensitive to issues such as dropped packets and latency. In the world of data communications, dropped packets can simply be re-sent and latency is little more than a slight lag in time as a Web page downloads. In voice communications, however, these same problems make for a frustrating user experience, as anyone who used Voice over IP (VoIP) in its earliest days can attest. Although it’s not specifically a security issue, high-quality communications do make customers feel more secure, especially when they’re exchanging personal information over the phone. SBCs can do a number of things to ensure high-quality, real-time communications, including:

• Call Admission Control to prevent network overloads that can result in dropped or delayed calls;

• Media transcoding to provide the best possible voice quality based on the end user’s network and device; and

• Policy-based call routing to ensure that voice and video calls meet service level agreements for quality.


Conclusion

SBCs play an important and unique role in today’s UC networks, helping service providers and enterprises secure SIP trunking services, protect their networks from Internet-based attacks, and provide higher quality communications. As enterprises implement UC solutions such as Microsoft Lync, they quickly recognize both the necessity and the value of using SBCs to control and secure UC sessions over multiple networks. Today, SBC vendors offer a variety of options for enterprises and service providers, ranging from smaller devices best suited to a branch office, to medium-sized devices for active call centers, to the largest SBCs that can support up to 150,000 concurrent SIP sessions for carriers and the largest of enterprises. In addition, as network infrastructures move toward hybrid Cloud and software-defined networking (SDN) models, some vendors have released software-based SBCs that can be deployed on commercial off-the-shelf (COTS) hardware and virtualized. As voice, and especially video, become more prevalent on IP-based communications networks, SBCs will need to offer high scalability, flexibility and performance to meet this growing demand for SIP-based communications. These qualities are the hallmark of Sonus SBCs. Sonus has the broadest portfolio of hardware- and software-based SBCs on the market, spanning the SBC 1000 and SBC 2000 for smaller networks; the SBC 5110, SBC 5210 and SBC 7000 for enterprise and service provider networks; and the SBC Software edition (SWe). The Sonus SBC portfolio is Microsoft Lync 2013 qualified, BroadSoft validated and performance-verified by Miercom. To learn more about Sonus and SBCs, visit us online at www.sonus.net or download a free copy of our eBook, “SBCs for Dummies,” at www.sonus.net/dummies.


To learn more, call Sonus at 855-GO-SONUS or visit us online at www.sonus.net The content in this document is for informational purposes only and is subject to change by Sonus Networks without notice. While reasonable efforts have been made in the preparation of this publication to assure its accuracy, Sonus Networks assumes no liability resulting from technical or editorial errors or omissions, or for any damages resulting from the use of this information. Unless specifically included in a written agreement with Sonus Networks, Sonus Networks has no obligation to develop or deliver any future release or upgrade, or any feature, enhancement or function. Copyright © 2014 Sonus Networks, Inc. All rights reserved. Sonus is a registered trademark of Sonus Networks, Inc. All other trademarks, service marks, registered trademarks or registered service marks may be the property of their respective owners.

DS-1401 9/29