Session Border Controllers - More Than Just a Voice Firewall
By Andre P Ferreira
Session Border Controllers represent a relatively new technology stream, and were born
of the need to adequately secure IP based voice peering traffic between carrier networks in
the 1990s. The carrier core network migration from fixed TDM (Time-Division Multiplexing)
style networks to the more flexible IP based SIP (Session Initiation Protocol) and H.323
networks brought an unexpected security challenge, as carriers now had to peer via the
more vulnerable IP layer as opposed to the predictable physical layer used before.
It was quickly discovered that traditional data firewalls, in use to secure existing
IP data networks at the time, were not up to the job of securing this real-time IP voice traffic.
Something else would be required. This "something else" requirement led to the development
of Session Border Controllers.
Designed to secure IP voice traffic at first
Initial Session Border Controllers focused primarily on SIP and H.323 session security
and were appliance-based, ultra-fast, fearsomely expensive hardware devices. A Session Border
Controller operates in a similar manner to a traditional firewall in that it has an "inside"
and an "outside". The outside connects to the untrusted side of the network, while the inside
presents a secure traffic stream to internal systems. However, where Session Border Controllers
differ from traditional data firewalls is in how they secure the traffic.
A traditional data firewall is a restricted-access, pass-through device that essentially
inspects the traffic as it arrives, and then makes a decision as to whether it should be
forwarded on or not. A Session Border Controller, on the other hand, is a stop-and-forward
device that physically terminates every session itself and recreates the onward session if
the security requirements are met. This particular design feature not only allows for excellent
security, but also provides a number of further possibilities that are now being exploited,
not only in the carrier space, but in the enterprise environment as well.
Voice carrier arbitration and aggregation
Many corporate enterprises have moved their voice platforms across to IP based telephony
systems, and in keeping with this shift, voice carriers are now offering enterprises the option
to peer via IP instead of traditional E1 or T1 circuits. This is especially true in developed
countries, where new market entrants are seeking to make market inroads by offering IP based
termination bundled in with other IP services.
This shift presents both a challenge and an opportunity to the enterprise customers.
The challenge is that one now needs to terminate the IP voice service on some new device,
as terminating the service directly on the internal IPT system would represent a security
risk of significant proportions. The opportunity exists due to the fact that a Session Border
Controller, by design, can terminate more than one carrier at a time. This allows the
enterprise to "farm" the voice traffic out to competitive carriers, thereby often achieving
cost savings in the variable cost of voice traffic.
Further to this, the Session Border Controller can be programmed to select the best
route for a voice call based on a number of different criteria such as call quality, time of day,
cost per call, destination etc. This specific feature is often the one that builds the business
case for deployment in the first place and can free an enterprise from carrier lock-in.
Internet facing SIP connections
One of the benefits of enterprise IPT voice systems is the ability to connect via a variety
of voice endpoints. This gives the user the choice of either a traditional style hard phone
or the more mobile soft phone option. With the increase in worker mobility, many users are
now opting for the soft phone and headset instead of the desk bound hard phone. This option
works fine when the users are inside the trusted network. Extending this functionality
to outside the corporate network, however, is more complex and generally requires VPN clients for these
users, a requirement that drastically reduces the user acceptance of such a solution.
The benefits to mobile users, and the enterprise in general, still remain however, and
a Session Border Controller can be used to publish secure voice access to the Internet to solve
this issue. The Session Border Controller will operate as a security proxy on behalf of the
internal IPT platform, securing the connection from the user when they are outside the
corporate network, while still offering them the ease of use and functionality as if they were
located inside the network.