The Role of Session Border Controllers
in Safeguarding Your SIP Network
As the popularity of voice over IP networks, including SIP (Session Initiation Protocol), continues to increase dramatically, so does the need to protect those links from external threats.
Malicious attacks on phone systems – especially those that send voice traffic over public networks – continue to cost the industry billions. In fact, the Communications Fraud Control Association (CFCA) reported that total fraud losses in 2015 exceeded $38 billion, and IP PBX hacking was second only to PBX hacking as the most popular tool for illegal access to telecom lines. Some of the most common threats include service theft and fraud, whereby organized groups of hackers access an inadequately secured SIP network to route traffic across it without paying for it. With the advent of SIP – where you can have 50 SIP trunks placing 50 calls at a time – the cost can skyrocket quickly.
“The truth is, in the 21st century, criminals are not picking your pocket; they are logging into your phone system,” says Albie Sternberg, Manager, Network Operations for CTI Carrier Partner — MASS Communications. “We’ve seen customers wake up in the morning with an $8,000 bill. About 99% of the toll-fraud tickets that come through MASS Communications are due to this kind of malicious attack,” he says.
And, unlike the credit card industry, which lets consumers avoid paying for fraudulent use of their cards, telecom providers cannot absorb these costs. That is why customers are vulnerable to skyrocketing telecom expenses if someone successfully accesses their network.
Secure Your Network with SBCs
That’s where Session Border Controllers (SBCs) come in. SBCs act as a traffic cop, monitoring the starting and stopping of all calls over your SIP solution – and directing traffic.
Put simply, SBCs are devices placed at the end points of a network where traffic is handed off from one network to another (called the border). SBCs control a network by admitting (or not admitting) and then directing communications between the two points on the network. SBCs ensure that SIP or IP calls are properly routed between network borders and that differing protocols are understood so that calls can be delivered across various networks.
SBCs are part of the upfront solution offered by PBX providers when they sell a voice package. However, some customers, not realizing their strategic importance, may opt not to buy SBCs to save IT costs. That’s a mistake, warn MASS Communications’ networking experts.
“It only takes one breach for the customer to see the value of an SBC. We work with CTI and their customers and always insist that they invest in the SBC because it is vital to their business,” says MASS Design Engineer, Vinny Mongru. One way hackers get into a SIP network is to access a user’s voicemail that wasn’t properly secured with a difficult password.
Among the many important functions of an SBC are:
Security – Protection of the network and other devices from threats such as:
—Hackers attempting a malicious attack through DoS or even DDoS
—— DoS (Denial of Service): flooding the network to disrupt service
—— DDoS (Distributed Denial of Service): Several compromised systems used to target a single system
—Unauthorized access to view the network topology
—Unsecured communication, signaling and media. SBCs employ encryption such as TLS, IPSec and SRTP
—— TLS (Transport Layer Security): Privacy for communication between applications
—— IPSec (Internet Protocol Security): Secures the exchange of IP packets
—— SRTP (Secure Real-time Transport Protocol): Adds confidentiality, replay protection and message authentication
—Various types of attacks based on malformed packets
—Toll fraud and theft of service
Connectivity – Allowing the network to communicate through various tools such as:
—Establishing IP connections across NAT implemented gateways through NAT Traversal
—Allowing the translation between different SIP devices using SIP Normalization
—Intercommunication between IPv4 and IPv6 networks
—Translation between various protocols such as SIP and H.323
Quality of service – The SBC usually implements the QoS policy of a network and prioritization of flows. This can include:
—Monitoring the network traffic through traffic policing
—Controlling the network traffic through Rate Limiting
—Preventing the oversubscription of VoIP networks through Call Admission Control
—Classifying and managing traffic through DiffServ Code Points (DSCP)
Regulatory – Ensures support is provided for regulatory requirements including:
—Emergency calling and prioritization
—Obtaining signaling or network management data by Lawful Interception (LI)
Media services – Technology is advancing at such a rapid rate that newer SBCs are including DSPs (Digital Signal Processors) to provide support for border-based media control and services such as:
—Converting media between different formats through Media Transcoding
—Dual Tone Multi Frequency (DTMF) relay, tones and announcements
—Data and fax interworking
—Support for voice and video calls
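The Rate Limiting and Call Admission Control items in the list above, as an added example that is not from the article or from any SBC vendor: a toy admission check that combines a per-source INVITE token bucket with a per-trunk cap on concurrent calls. The class name, thresholds, decision labels and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

class BorderAdmission:
    """Toy model (hypothetical): per-source INVITE token bucket + per-trunk call cap."""

    def __init__(self, invites_per_sec, burst, max_calls_per_trunk):
        self.rate, self.burst, self.max_calls = invites_per_sec, burst, max_calls_per_trunk
        self.buckets = {}               # source IP -> (tokens left, time of last INVITE)
        self.active = defaultdict(set)  # trunk -> Call-IDs currently in progress

    def _take_token(self, src, now):
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill
        allowed = tokens >= 1.0
        self.buckets[src] = (tokens - 1.0 if allowed else tokens, now)
        return allowed

    def on_invite(self, now, src, trunk, call_id):
        if not self._take_token(src, now):
            return "reject-rate"        # rate limiting: source is flooding INVITEs
        if len(self.active[trunk]) >= self.max_calls:
            return "reject-cac"         # call admission control: trunk is full
        self.active[trunk].add(call_id)
        return "admit"

    def on_bye(self, trunk, call_id):
        self.active[trunk].discard(call_id)  # call ended, free the slot

# Constructed sample events: (time in s, method, source IP, trunk, Call-ID)
EVENTS = [
    (0.0, "INVITE", "198.51.100.5", "trunk-a", "c1"),
    (0.1, "INVITE", "198.51.100.5", "trunk-a", "c2"),
    (0.2, "INVITE", "198.51.100.5", "trunk-a", "c3"),  # third concurrent call
    (0.3, "BYE", "198.51.100.5", "trunk-a", "c1"),
    (5.0, "INVITE", "198.51.100.5", "trunk-a", "c4"),
] + [(10.0 + i * 0.01, "INVITE", "203.0.113.9", "trunk-b", f"f{i}") for i in range(10)]

def replay(events, invites_per_sec=2.0, burst=3.0, max_calls_per_trunk=2):
    sbc = BorderAdmission(invites_per_sec, burst, max_calls_per_trunk)
    decisions = []
    for now, method, src, trunk, call_id in events:
        if method == "INVITE":
            decisions.append((call_id, sbc.on_invite(now, src, trunk, call_id)))
        elif method == "BYE":
            sbc.on_bye(trunk, call_id)
    return decisions

if __name__ == "__main__":
    for call_id, decision in replay(EVENTS):
        print(call_id, decision)
```

The per-trunk cap bounds how many simultaneous calls a compromised account can place, and the token bucket keeps a single flooding source from crowding out other callers.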
The need for SBCs is simple: to keep SIP and other VoIP networks protected from a host of threats that have long plagued computer networks, from service theft to spoofing and denial of service attacks.
SBCs serve as both a traffic cop and a translator in the SIP environment:
–looking at each individual session crossing between their internal enterprise network and the external network and determining where the session should be routed and what priority the session is assigned when the network is busy
–allowing devices that use different variants of SIP to communicate with each other effectively
While companies like CTI and MASS Communications are focused on 24×7 network monitoring, and will flag calls that look suspicious, the best way to prevent hacking in the first place is to invest in SBCs. “Your phone system is your voice gateway to the world and you are responsible for keeping it under lock and key,” Sternberg says.
CTI is pleased to partner with MASS Communications, a leading connectivity and telecom management provider that takes a consultative approach to deliver a full suite of voice, data, risk management and security solutions. Founded by engineering innovators, MASS designs custom networks with best-in-class carriers across an international footprint. The New York-based Competitive Local Exchange Carrier made the Inc. 500|5000 List for three years running.