
Network Security

The primary role of an SBC is to protect the enterprise network from Internet-based attacks and to ensure the security and flow of SIP sessions as they traverse between secure and non-secure points. Internet-based attacks can occur for a variety of reasons and from a variety of sources, and can significantly impact enterprise productivity and revenue. Some attacks are designed to bring a network down, such as a denial-of-service (DoS) attack that floods a network with fake requests, which can prevent call centers from receiving calls and result in lost sales. Other attacks are designed to steal confidential information, either by accessing the network under a false identity or by eavesdropping on private communications.

In addition to protecting the network, SBCs can protect communications from prying eyes as they travel non-secure channels by using media and signaling encryption. Encryption is especially important for businesses that handle confidential customer information, such as healthcare agencies and financial companies. In some cases, existing enterprise security measures, such as Network Address Translation (NAT) firewalls, require that SBCs provide secure workarounds to allow SIP sessions to pass through; this is known as NAT traversal and is an important requirement for SBCs, as many enterprises use NAT firewalls to protect both office-based and remote IP devices in their wider network.
 
Sonus SBCs are built around these best practices:
 
  • DoS/DDoS Prevention – Sonus SBCs can identify DoS and DDoS attacks through a mix of end point recognition (e.g., is the request coming from a known attacker?) and pattern analysis (are thousands of devices sending an identical request?).
  • Topology Hiding – Sonus SBCs act as a wall that protects the identity of phones, computers and other IP devices behind it. This practice, known as topology hiding, prevents attackers from targeting and/or exploiting a specific device that has an IP address (e.g., an IP-enabled phone or PBX) in order to illegally access voicemail or other services.
  • Rogue RTP Protection – RTP stands for Real-Time Transport Protocol, the protocol that is responsible for delivering real-time media like voice and video. In the case of toll fraud, unauthorized (or Rogue) RTP communications enter the network illegally. Sonus SBCs include provisions to detect and block Rogue RTP media streams.
  • Media Encryption – Encryption refers to cryptography: a system of using complex digital “keys” to lock and unlock information. Media encryption, therefore, refers to locking the media itself (i.e., voice, video or data) so that prying eyes cannot eavesdrop on private communications. Sonus SBCs provide media encryption through the Secure Real-Time Transport Protocol (or SRTP).
  • Signaling Encryption – In addition to media encryption, signaling encryption is recommended to authenticate the end points in any SIP-based communication. There are two accepted signaling encryption standards in SIP: TLS (Transport Layer Security) and IPsec (IP Security). Because some industry standards require different signaling encryption methods (e.g., IPv6 recommends IPsec), Sonus SBCs offer both encryption methods.
  • NAT Traversal – A NAT firewall “hides” the IP address of end points (phones, PCs, etc.) behind it, which presents a challenge during SIP sessions because it prevents end points beyond the firewall from establishing a direct connection with an end point inside the firewall. As a workaround, Sonus SBCs can create a secure pinhole in the firewall by “re-pinging” the NAT-protected end point every few seconds; this allows the two end points to keep a consistent connection for the duration of the SIP session.
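
The two DoS/DDoS checks named in the list above (end point recognition and pattern analysis), sketched in Python as an added example; this is not Sonus code and does not describe how a Sonus SBC implements them. The header set treated as per-transaction, the `min_sources` threshold, the function names and the sample requests are all assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Headers that differ on every SIP transaction, so they are ignored when
# deciding whether two requests are "identical" (assumption of this example).
VOLATILE = {"via", "call-id", "cseq", "from", "to", "contact", "content-length"}

def fingerprint(raw: str) -> str:
    """Hash the request line, the stable headers and the body of one request."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *headers = head.split("\r\n")
    stable = []
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() not in VOLATILE:
            stable.append(f"{name.strip().lower()}:{value.strip()}")
    material = "\n".join([request_line, *sorted(stable), body])
    return hashlib.sha256(material.encode()).hexdigest()

def analyze(events, blocklist, min_sources):
    """events: (source_ip, raw_request) pairs -> (blocked, flood) source sets."""
    blocked, sources_by_fp = set(), defaultdict(set)
    for src, raw in events:
        if src in blocklist:                      # end point recognition
            blocked.add(src)
        else:
            sources_by_fp[fingerprint(raw)].add(src)
    flood = set()
    for sources in sources_by_fp.values():        # pattern analysis
        if len(sources) >= min_sources:
            flood |= sources
    return blocked, flood

def make_request(call_id: str, user_agent: str) -> str:
    """Constructed sample OPTIONS request using documentation addresses."""
    return "\r\n".join([
        "OPTIONS sip:pbx.example.com SIP/2.0",
        f"Via: SIP/2.0/UDP 198.51.100.1;branch=z9hG4bK{call_id}",
        f"Call-ID: {call_id}",
        "CSeq: 1 OPTIONS",
        f"User-Agent: {user_agent}",
        "Content-Length: 0", "", ""])

def demo():
    """Five sources send one request shape; one phone and one listed host."""
    events = [(f"203.0.113.{i}", make_request(f"c{i}", "scanner/1.0"))
              for i in range(1, 6)]
    events.append(("192.0.2.10", make_request("x1", "deskphone/2.3")))
    events.append(("198.51.100.66", make_request("x2", "scanner/1.0")))
    return analyze(events, blocklist={"198.51.100.66"}, min_sources=5)
```

Comparing requests only after dropping the per-transaction headers is what lets the pattern check group a distributed flood whose Call-ID and Via branch change on every packet.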
  • 05.30.12

    VoIP Encryption in the Enterprise

    This paper examines the drivers and challenges of enterprise VoIP security, with a focus on the factors that an enterprise must consider when implementing VoIP encryption in their network. In addition, the paper covers various SBC encryption methods while highlighting the unique design of Sonus SBCs, which provide exceptional network performance even under high encryption loads.

  • Unified Communications in the Enterprise

    Unified Communications (UC) offers enterprises a variety of benefits including reduced costs and increased employee productivity, yet UC can also expose the enterprise network to new VoIP-based security risks. This brochure outlines how a Sonus session border controller can prevent VoIP-based network attacks and help enterprises meet the security requirements of industry and government mandates.

  • The ABCs of PCI DSS + VoIP

    As the boundaries between VoIP and IP-based data networks continue to blur, enterprises would be wise to apply the same levels of network security across all entry points. Session border controllers are designed to protect VoIP network borders from unauthorized entry, but not all SBCs are created equal in terms of security features and functionality.