Bucaro TecHelp

Session Border Controllers - More Than Just a Voice Firewall

Session Border Controllers represent a relatively new technology stream, and were born of the need to adequately secure IP based voice peering traffic between carrier networks in the 1990s. The carrier core network migration from fixed TDM (Time-Division Multiplexing) style networks to the more flexible IP based SIP (Session Initiation Protocol) and H.323 networks brought an unexpected security challenge, as carriers now had to peer via the more vulnerable IP layer as opposed to the predictable physical layer used before.

It was quickly discovered that traditional data firewalls, in use to secure existing IP data networks at the time, were not up to the job of securing this real-time IP voice traffic. Something else would be required. This "something else" requirement led to the development of Session Border Controllers.

Designed to secure IP voice traffic at first

Initial Session Border Controllers focused primarily on SIP and H.323 session security and were appliance-based, ultra-fast, fearsomely expensive hardware devices. A Session Border Controller operates in a similar manner to a traditional firewall in that it has an "inside" and an "outside". The outside connects to the untrusted side of the network, while the inside presents a secure traffic stream to internal systems. However, where Session Border Controllers differ from traditional data firewalls is in how they secure the traffic.

A traditional data firewall is a restricted-access, pass-through device that essentially inspects the traffic as it arrives and then decides whether it should be forwarded on or not. A Session Border Controller, on the other hand, is a stop-and-forward device that physically terminates every session itself and recreates the onward session if the security requirements are met. This particular design feature not only allows for excellent security, but also provides a number of further possibilities that are now being exploited, not only in the carrier space, but in the enterprise environment as well.
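The stop-and-forward behaviour described above, as an added Python sketch that is not from the original article or any vendor's product: the outside SIP request is parsed and validated, then a new inside request is built from scratch, so unknown headers and outside identifiers never reach the internal platform. The addresses, domain names and sample message are constructed assumptions.

```python
import re
import uuid

SBC_INSIDE = "10.0.0.1:5060"         # assumed: SBC address on the trusted leg
IPT_DOMAIN = "ipt.internal.example"  # assumed: internal IP telephony platform
SIP_URI = r"sips?:([+\w.-]+)@[\w.-]+"

OUTSIDE_INVITE = (  # constructed message as it might arrive on the untrusted leg
    "INVITE sip:+15550100@sbc.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bKout1\r\n"
    "From: <sip:alice@carrier.example>;tag=a1\r\n"
    "To: <sip:+15550100@sbc.example.com>\r\n"
    "Call-ID: outside-1@203.0.113.7\r\n"
    "CSeq: 1 INVITE\r\n"
    "X-Debug: probe\r\n\r\n"
)

def parse_request(raw):
    """Return (method, uri, headers) or None if the request is malformed."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    start = lines[0].split(" ")
    if len(start) != 3 or start[2] != "SIP/2.0":
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    return start[0], start[1], headers

def recreate_inside_invite(raw):
    """Terminate the outside session; return a new inside INVITE, or None to reject."""
    parsed = parse_request(raw)
    if parsed is None or parsed[0] != "INVITE":
        return None
    _, uri, hdrs = parsed
    callee = re.fullmatch(SIP_URI, uri)
    caller = re.search("<(" + SIP_URI + ")>", hdrs.get("from", ""))
    if not callee or not caller:
        return None
    # Only validated values are reused; every other field is generated by the SBC.
    return (
        f"INVITE sip:{callee.group(1)}@{IPT_DOMAIN} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {SBC_INSIDE};branch=z9hG4bK{uuid.uuid4().hex}\r\n"
        f"From: <{caller.group(1)}>;tag={uuid.uuid4().hex[:8]}\r\n"
        f"To: <sip:{callee.group(1)}@{IPT_DOMAIN}>\r\n"
        f"Call-ID: {uuid.uuid4().hex}@{SBC_INSIDE.split(':')[0]}\r\n"
        "CSeq: 1 INVITE\r\nMax-Forwards: 70\r\nContent-Length: 0\r\n\r\n"
    )
```

A pass-through device would have relayed the `Via`, `Call-ID` and `X-Debug` lines unchanged; here the inside leg sees only the SBC's own address and identifiers.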

Voice carrier arbitration and aggregation

Many corporate enterprises have moved their voice platforms across to IP-based telephony systems, and in keeping with this shift, voice carriers are now offering enterprises the option to peer via IP instead of traditional E1 or T1 circuits. This is especially true in developed countries, where new market entrants are seeking to make market inroads by offering IP-based termination bundled in with other IP services.

This shift presents both a challenge and an opportunity to the enterprise customers. The challenge is that one now needs to terminate the IP voice service on some new device, as terminating the service directly on the internal IPT system would represent a security risk of significant proportions. The opportunity exists due to the fact that a Session Border Controller, by design, can terminate more than one carrier at a time. This allows the enterprise to "farm" the voice traffic out to competitive carriers, thereby often achieving cost savings in the variable cost of voice traffic.

Further to this, the Session Border Controller can be programmed to select the best route for a voice call based on a number of different criteria such as call quality, time of day, cost per call, destination, etc. This specific feature is often the one that builds the business case for deployment in the first place and can free an enterprise from carrier lock-in.
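A small Python sketch of such a routing policy, added here as an illustration and not taken from the article or any product: it applies a call-quality floor, matches the destination by longest prefix, picks the peak or off-peak rate by time of day, and returns carriers cheapest first so the rest of the list can serve as failover order. All carrier names, prefixes, rates, MOS scores and thresholds are constructed assumptions.

```python
# Constructed carrier data: rates are (peak, off_peak) cost per minute by prefix.
CARRIERS = [
    {"name": "carrier-a", "mos": 4.2,
     "rates": {"44": (0.020, 0.012), "4420": (0.015, 0.010), "1": (0.010, 0.008)}},
    {"name": "carrier-b", "mos": 3.4,
     "rates": {"44": (0.008, 0.006), "1": (0.009, 0.009)}},
    {"name": "carrier-c", "mos": 4.0,
     "rates": {"44": (0.018, 0.009), "1": (0.012, 0.007)}},
]
PEAK_HOURS = range(8, 18)   # assumed peak window, local time
MIN_MOS = 3.8               # assumed call-quality floor (mean opinion score)

def rate_for(carrier, dest, hour):
    """Longest-prefix match on the dialled number; per-minute cost or None."""
    digits = dest.lstrip("+")
    prefixes = [p for p in carrier["rates"] if digits.startswith(p)]
    if not prefixes:
        return None
    peak, off_peak = carrier["rates"][max(prefixes, key=len)]
    return peak if hour in PEAK_HOURS else off_peak

def select_route(dest, hour, carriers=CARRIERS, min_mos=MIN_MOS):
    """Return carrier names, cheapest first, after quality and destination filters."""
    candidates = []
    for c in carriers:
        if c["mos"] < min_mos:
            continue                      # fails the call-quality criterion
        cost = rate_for(c, dest, hour)
        if cost is None:
            continue                      # carrier does not serve this destination
        # Ties on cost are broken in favour of the higher-quality carrier.
        candidates.append((cost, -c["mos"], c["name"]))
    return [name for _, _, name in sorted(candidates)]
```

With this data, the cheapest carrier for a UK number is excluded by the quality floor, and the preferred carrier changes between peak and off-peak hours.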

Internet facing SIP connections

One of the benefits of enterprise IPT voice systems is the ability to connect via a variety of voice endpoints. This gives the user the choice of either a traditional style hard phone or the more mobile soft phone option. With the increase in worker mobility, many users are now opting for the soft phone and headset instead of the desk-bound hard phone. This option works fine when the users are inside the trusted network. However, extending this functionality to outside the corporate network is more complex and generally requires a VPN client for these users, a requirement that drastically reduces the user acceptance of such a solution.

The benefits to mobile users, and the enterprise in general, still remain however, and a Session Border Controller can be used to publish secure voice access to the Internet to solve this issue. The Session Border Controller will operate as a security proxy on behalf of the internal IPT platform, securing the connection from the user when they are outside the corporate network, while still offering them the ease of use and functionality as if they were located inside the network.

Copyright©2001-2024 Bucaro TecHelp 13771 N Fountain Hills Blvd Suite 114-248 Fountain Hills, AZ 85268