VoIP traffic comprises a variety of codecs and protocols, and mismatches between them disrupt communications; this is an area the session border controller handles well through its ability to transcode codecs and translate protocols.
It also performs other functions such as control and monitoring and NAT traversal, besides hiding the internal topology, making it the proverbial Swiss army knife of VoIP functionality.
What is a session border controller and how does it work?
A session border controller (SBC) is a device that regulates and protects IP communications. It sits at the frontier of your VoIP network and plays a multidimensional role covering security regulation, connectivity, quality of service and compliance. Session border controllers are used to control a user's IP communications sessions. SBCs were originally created for VoIP networks, but they are now used to regulate all forms of online communication: VoIP, text, video and other collaboration formats.
Why you need a session border controller in your VoIP network
Voice over Internet Protocol (VoIP) is worlds apart from standard legacy PSTN lines. Voice is "packetized" and uses IP to travel over the open internet until it reaches its final destination, where the packets are reassembled. That makes voice traffic vulnerable to malicious attacks such as Denial of Service (DoS).
A second aspect is media codec and protocol handling, needed for seamless communication. A third is hiding the internal network topology from external view, which both maintains security and facilitates communication. There are also lesser but no less important tasks, such as scaling and prioritizing traffic, that the SBC handles with ease.
To understand one of the many roles the SBC plays, one must look at SIP, the Session Initiation Protocol. Over time several flavors of SIP developed, bringing with them interoperability issues in VoIP communications. A full explanation of how SIP works would be lengthy.
In brief, when a SIP session is established, the endpoints exchange the IP addresses of the point of origin and the destination. SIP messages carry this information in "open" (cleartext) headers that proxies along the chain read and use. This means attackers can use the same information to target proxies and gateways, making it easy to tunnel into networks and launch attacks such as:
- DoS and Distributed Denial of Service (DDoS), leading to blocked traffic
- Introduction of malware
- Tapping into data on the organization's network
- Misuse of VoIP to make calls at the subscriber's expense
What does a session border controller do in this scenario? When SIP messages pass through the SBC, it replaces the addresses of internal components with its own and encrypts the signaling, making it difficult for attackers to target the internal network.
- The SBC can limit traffic and prevent DoS.
- It can be configured with a dynamic blacklist to drop traffic from listed sources.
- Attempts at SQL injection can be forestalled by analyzing incoming SIP messages and rejecting malicious or malformed content.
- By hiding the internal topology it makes it difficult for attackers to target the VoIP network. It also functions as a back-to-back user agent (B2BUA): it splits each SIP transaction into a server part and a client part, maintains the session state and deletes it on call termination.
Apart from the fact that there are several variations of SIP, its main drawback is that SIP ignored the issue of network address translation (NAT) traversal. Most business networks sit behind a firewall, and devices use private IP addresses that are not routable on the internet. Solutions such as STUN and ICE can be used, with mixed results.
The SBC, by contrast, acts as the public interface, replacing the user agent's address information with its own. Without an SBC in place there will be problems such as outgoing calls that cannot connect and incoming calls that cannot be received. It goes further and sends media back to the address and port the user's packets came from (symmetric media handling) to work around NAT.
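As an added illustration of the topology hiding and SDP rewriting described above (this is example code written for this article, not a vendor's SBC implementation), the snippet below parses a constructed SIP INVITE, refuses malformed messages instead of forwarding them, and rewrites the private addresses in the Via, From and Contact headers and in the SDP so that signaling and media return through the SBC's assumed public address:

```python
import re

# Constructed sample INVITE as it leaves an internal phone (addresses are invented).
INTERNAL_INVITE = (
    "INVITE sip:bob@203.0.113.50 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.21:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@10.0.0.21>;tag=1928\r\n"
    "To: <sip:bob@203.0.113.50>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:alice@10.0.0.21:5060>\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890 2890 IN IP4 10.0.0.21\r\n"
    "c=IN IP4 10.0.0.21\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

PUBLIC_IP = "198.51.100.7"                                      # assumed SBC public address
PRIVATE_NET = re.compile(r"\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")  # assumed internal range
REQUIRED_HEADERS = ("Via", "From", "To", "Call-ID", "CSeq")

def parse_sip(raw):
    """Return (start line, headers, body), or None for a malformed message."""
    if "\r\n\r\n" not in raw:
        return None
    head, body = raw.split("\r\n\r\n", 1)
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            return None                      # header without a name/value separator
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    if any(h not in headers for h in REQUIRED_HEADERS):
        return None                          # mandatory SIP headers missing
    return lines[0], headers, body

def hide_topology(raw, public_ip=PUBLIC_IP):
    """Rewrite private addresses in signaling and SDP to the SBC's public address; drop malformed input."""
    parsed = parse_sip(raw)
    if parsed is None:
        return None
    start, headers, body = parsed
    for name in ("Via", "From", "Contact"):      # headers that would leak the internal topology
        if name in headers:
            headers[name] = PRIVATE_NET.sub(public_ip, headers[name])
    body = PRIVATE_NET.sub(public_ip, body)      # o= and c= lines: media now returns via the SBC
    head = "\r\n".join([start] + [f"{k}: {v}" for k, v in headers.items()])
    return head + "\r\n\r\n" + body
```

A real B2BUA would additionally generate its own Call-ID and branch values and track the media ports it allocates; the rewrite above shows only the address substitution.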
VoIP is not just voice calls. Networks must handle media and emerging communication services such as OTT services, VoLTE and WebRTC. Traffic becomes complex and connectivity can become an issue, especially when the points of origin and destination use different media codecs and protocols. The result is that a call may not be received, there may be glitches, and one party may not be audible or visible to the other.
Here again the session border controller plays a key role:
- It takes care of transcoding media codecs and handling protocols, including those for HD voice and VoLTE, 3G/4G mobiles, WebRTC and audio-video. A quality SBC in your network does away with interoperability issues, and calling anyone over landline, broadband or mobile becomes easy.
- Unified communications and rich communications are becoming the norm. You need to use the same pathway for telephony, instant messaging, audio-video, fax and SMS, and possibly WebRTC. In such present and future scenarios you can expect the SBC to handle high data throughput, carry out encryption and transcoding, and enforce quality of service.
The SBC needs to evolve to remain future-proof and deliver the highest levels of quality of service.
Quality of service
You may have your own definition of quality of service. For those making voice calls, the criterion may be the ability to get through on the first attempt. For others, it is important that audio quality and speech come across crystal clear. The SBC should be able to use whichever transport protocol the destination uses, handle IPv4 or IPv6 as the case may be, and translate between incoming and outgoing protocols.
System administrators may insist that the SBC integrate signaling and media, maintain session state, handle any load and conduct deep packet inspection to ensure compliance with security policies. Managers may wish to derive MOS scores, know routing performance and obtain usage information. Telecom operators and service providers may wish to link billing and accounting to calls and derive statistics.
The SBC is capable of all this and more, ensuring the highest service levels the VoIP system must deliver.
Telecom operations are subject to a variety of regulations. One aspect is the need to monitor, track and record calls, and even to intercept calls you suspect are unauthorized. It is not only calls that must be tracked; you may also need to keep watch over media. If you rely on SIP alone you have access only to the signaling component; incorporate an SBC into the network and you have a handle on both media and signaling.
It goes further in letting you configure access control and fraud prevention by way of whitelists and blacklists. The SBC replaces the SDP media address with its own to support NAT and, in the process, ensures that only authorized users can send media traffic.
Service providers may offer flat-fee packages that can be misused by a subscriber who resells the capacity, overloading the network and causing a loss. The SBC tracks user behavior, the number of parallel calls and other activity, and flags fraud.
You can regulate your VoIP system and stay compliant with local regulations, especially regarding confidentiality and security, as required in fields such as healthcare.
The right SBC from the right vendor can do a lot in many areas, but you must also know how to use it to get the most out of it.
How to protect your network with the right session border controller
You may want to go a step further and use the SBC's configuration options to set up custom security for your network. This can be done in a few different ways.
The session border controller can be configured to handle only calls from a defined user list and reject all others. You can set it up to monitor calls and gather user data such as numbers dialled, frequency of use and time spent on each call. This will help you define usage limits. Policing will also detect malicious attempts at simultaneous calls intended to flood the network.
One of the benefits of having the SBC in place is that you can allocate resources to high-priority users, prioritize calls from certain numbers and distribute bandwidth to ensure quality of service. For instance, you can prioritize signaling over media so that voice calls are not disrupted.
Depending on the SBC in use, the system can handle a certain number of concurrent calls and a certain amount of media traffic, but this also depends on available bandwidth and internet speed. The system may therefore be configured to limit the number of simultaneous calls. The SBC may limit registration requests by static rules or permit registration of multiple phones. You could also separate the signaling and media planes in the softswitch so that calls and media scale independently.
Call admission control
One way to guard against Denial of Service attacks is to set up call admission control policies. These are based on monitored traffic profiles of registered users and on parsing headers to verify the authenticity of calls. It is common to set up transport layer security (TLS) for signaling and secure RTP (SRTP) encryption for media to protect traffic over open networks.
When an attack occurs, a basic system responds by shutting off traffic completely. AI-powered SBCs, however, can distinguish legitimate from suspicious activity and keep authenticated traffic flowing.
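The admission and policing rules from the two sections above (allow list, per-user and trunk-wide concurrent-call caps, and a limit on registration attempts per source) can be expressed as a small policy object. This is an added example written for this article, not any vendor's implementation; the thresholds and the 60-second window are assumptions, and the clock is injectable so the behaviour can be reproduced deterministically:

```python
import time
from collections import defaultdict, deque

class CallAdmissionControl:
    """Toy admission policy: allow list, per-user and global concurrent-call caps,
    and a sliding one-minute cap on REGISTER attempts per source (thresholds assumed)."""

    def __init__(self, allowed_users, max_calls_per_user=2, max_total_calls=100,
                 max_registers_per_minute=10, clock=time.monotonic):
        self.allowed = set(allowed_users)
        self.max_calls_per_user = max_calls_per_user
        self.max_total_calls = max_total_calls
        self.max_registers = max_registers_per_minute
        self.clock = clock                        # injectable for deterministic tests
        self.active = defaultdict(set)            # user -> Call-IDs currently in progress
        self.register_log = defaultdict(deque)    # source IP -> timestamps of REGISTERs

    def total_active(self):
        return sum(len(calls) for calls in self.active.values())

    def admit_invite(self, user, call_id):
        """Decide on a new INVITE from an authenticated user: (admitted, reason)."""
        if user not in self.allowed:
            return False, "403 caller not on allow list"
        if len(self.active[user]) >= self.max_calls_per_user:
            return False, "486 per-user concurrent-call limit reached"
        if self.total_active() >= self.max_total_calls:
            return False, "503 trunk capacity reached"
        self.active[user].add(call_id)
        return True, "admitted"

    def end_call(self, user, call_id):
        """BYE seen: release the slot so no state lingers after call termination."""
        self.active[user].discard(call_id)

    def admit_register(self, source_ip):
        """Rate-limit REGISTER attempts per source over a sliding 60-second window."""
        now = self.clock()
        window = self.register_log[source_ip]
        while window and now - window[0] > 60:
            window.popleft()                      # forget attempts older than the window
        if len(window) >= self.max_registers:
            return False, "registration flood from source, rate-limited"
        window.append(now)
        return True, "registration accepted"
```

The reason strings mirror the SIP response classes an SBC would typically send back (403, 486, 503), which is also what you would look for in its logs when tuning the thresholds.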
ToS/DSCP bit setting
Another way to improve security is to focus on Type of Service (ToS) and set up DSCP marking. The ToS information is carried as four flag bits in the IP header, of which only one may be set at a time: minimum delay, maximum throughput, maximum reliability or minimum cost. This supports media such as audio, video, image, text and data carried over protocols such as SIP, H.245 and H.225.
ToS values let you define per-media-type combinations. You can be quite specific by defining and manipulating parameters such as the media manager, the media policy and related settings.
RFC 1349 defines the ToS field, but you can also use RFC 4594, which underlies Differentiated Services, to define ToS; this may, however, apply only to RTP packets. You can map DSCP (DiffServ Code Point) values to ToS values and then select the ToS setting in the IP bearer profile to fine-tune the security aspect. Fine-tuning the system for optimal security and performance, based on the SBC's applications and the network it serves, is best left to an expert.
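To make the ToS-to-DSCP mapping concrete, the added example below (written for this article, not taken from any SBC's configuration) builds the legacy RFC 1349 ToS byte from a single flag, converts a DiffServ code point to the same byte (DSCP occupies the top six bits, so the value is DSCP << 2), recovers the DSCP from a byte seen on the wire, and applies the marking to a UDP socket that would carry RTP. The code-point table uses the RFC 4594 recommendations of EF for telephony media and CS5 for signaling:

```python
import socket

# RFC 1349 ToS flag bits inside the IP ToS byte (bits 4..1); at most one may be set.
TOS_FLAGS = {
    "min-delay":       0x10,
    "max-throughput":  0x08,
    "max-reliability": 0x04,
    "min-cost":        0x02,
}

# DiffServ code points (decimal) commonly used for VoIP, after RFC 4594.
DSCP = {"EF": 46, "CS5": 40, "AF41": 34, "BE": 0}

def tos_byte_from_flag(flag, precedence=0):
    """Legacy ToS byte: 3 precedence bits, then exactly one RFC 1349 flag."""
    if flag not in TOS_FLAGS:
        raise ValueError(f"unknown ToS flag {flag!r}")
    if not 0 <= precedence <= 7:
        raise ValueError("precedence is a 3-bit field")
    return (precedence << 5) | TOS_FLAGS[flag]

def tos_byte_from_dscp(dscp):
    """DSCP occupies the top six bits of the ToS byte, so the byte value is DSCP << 2."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    return dscp << 2

def dscp_from_tos_byte(tos):
    """Recover the DSCP code point from a ToS byte observed on the wire (ECN bits dropped)."""
    return (tos & 0xFC) >> 2

def mark_rtp_socket(sock, dscp=DSCP["EF"]):
    """Apply the marking to a UDP socket that will carry RTP; returns the ToS byte now set."""
    tos = tos_byte_from_dscp(dscp)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos)
    return sock.getsockopt(socket.IPPROTO_IP, socket.IP_TOS)

if __name__ == "__main__":
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        print(hex(mark_rtp_socket(s)))   # EF (46) marks the byte as 0xb8
```

Whether a marking survives end to end depends on every router honoring it, so verify on the far side with a packet capture rather than trusting the setsockopt result alone.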
In its earlier incarnation the SBC had one main application: securing VoIP calls. As VoIP usage spread and codecs and protocols proliferated, it took on a second role as a facilitator.
- The emergence of VoLTE, HD Voice, Rich Communication and WebRTC saw the SBC evolve into part softswitch and part media control gateway.
- Service providers and telecom operators also needed to track, monitor, analyze and bill customers, for which a separate billing solution would be impractical. Incorporating the feature in the SBC brought accuracy, speed and a reduced burden.
- The volume of VoIP call traffic keeps increasing, and the SBC handles large numbers of concurrent calls, directing traffic and prioritizing calls while watching for unauthorized calls, blacklisted users and intrusion attempts. At the same time it must maintain low latency while increasing capacity, encryption and transcoding.
- It also handles call control: deciding which calls to admit and which to reject, watching metrics and delivering data that helps administrators refine the system and control calls as well as costs.
- Today's SBCs usually incorporate an intelligent least-cost routing feature as well, routing traffic over the lowest-cost network that still offers good quality.
- You can expect a well-designed SBC to take care of SSRC switching, TCP switching, DPT mapping and TLS tunneling.
Session border controllers are available as hardware or software, the latter becoming more popular by the day since a hardware appliance has a fixed capacity whereas software scales. The trend is towards virtualization, for easier integration and reduced cost.
An SBC can be customized for specific application areas. For instance, SBCs deployed between two carriers may emphasize security, media codec transcoding and high call volume. Normalizing SIP is another function the SBC takes care of effortlessly.
The SBC stands at the network edge between operator and subscriber.
An enterprise may opt for an SBC to safeguard its network and improve call performance and media interoperability, besides putting in place controls, fraud detection and other measures to control costs and provide security. It also comes in handy for topology hiding and NAT traversal. One concern is the security of the IP PBX, which the SBC addresses admirably.
The SBC plays a variety of roles when used in the telecom carrier and VoIP service provider segment:
- It normalizes SIP and permits interoperability with ease, thereby improving the reputation of the service.
- It can be set up to handle a large number of concurrent calls with no performance deterioration or dropped packets.
- Administrators can set up access control and fraud prevention configuration such as black and white lists and trust levels between peers.
- It hides the internal topology and permits NAT traversal.
Enterprises are switching over to VoIP-based PBXs but may still have existing PSTN lines. Apart from the IP PBX there may be unified communications covering email, fax, SMS, voice and video calls and chat. However, the phone remains the mainstay, and even here traffic is complex when hundreds or thousands of users are trying to call at the same time. So the SBC must be able to handle concurrent calls without any loss in quality of service.
Since the internal network contains precious and sensitive data, it is imperative that the SBC hide the topology and close sessions on call termination while permitting NAT traversal. The PBX connects to the SBC's private interface, and the public address is used to connect to the telecom operator.
Enterprises are increasingly subject to hacking attacks. The SBC anticipates and rejects attempts at DoS, eavesdropping, tunneling, injection and so on, keeping the internal network secure while also encrypting media packets to prevent theft of voice data.
Many consider the SBC an unnecessary expense. The assumption is that if the telecom operator or the enterprise at the other end has an SBC, why bother with one at this end? This is fallacious reasoning, since the SBC at the other end protects that network, not yours. Besides, without a session border controller you will experience problems with call connectivity, media codec transcoding and protocol handling that take the joy out of internet telephony and video.
The greatest benefit is the security of your VoIP network and of the data on your internal network. The SBC handles all of this quietly, never letting you know it is there but working day in and day out to facilitate communications at lower cost and add to your revenues. It is an investment, not an expense.
Published at Mon, 09 Nov 2020 22:32:19 +0000