Session Border Controllers – More Than Simply a Voice Firewall
Session Border Controllers represent a relatively new technology stream, and were born of the need to adequately secure IP based voice peering traffic between carrier networks in the 1990s. The carrier core network migration from fixed TDM style networks to the more flexible IP based SIP and H.323 networks brought an unexpected security challenge, as carriers now had to peer via the more vulnerable IP layer as opposed to the predictable physical layer used before. It was quickly discovered that traditional data firewalls, in use to secure existing IP data networks at the time, were not up to the job of securing this real-time IP voice traffic. Something else would be required. This “something else” requirement led to the development of Session Border Controllers.
Designed to secure IP voice traffic at first
Initial Session Border Controllers focused primarily on SIP and H.323 session security and were appliance-based, ultra-fast, fearsomely expensive hardware devices. A Session Border Controller operates in a similar manner to a traditional firewall in that it has an “inside” and an “outside”. The outside connects to the untrusted side of the network, while the inside presents a secure traffic stream to internal systems. However, where Session Border Controllers differ from traditional data firewalls is in how they secure the traffic. A traditional data firewall is a restricted-access, pass-through device that essentially inspects the traffic as it arrives and then decides whether it should be forwarded on or not. A Session Border Controller, on the other hand, is a stop-and-forward device that terminates every session itself and recreates the onward session only if the security requirements are met. This particular design feature not only allows for excellent security, but also provides a number of further possibilities that are now being exploited, not only in the carrier space, but in the enterprise environment as well.
Voice carrier arbitration and aggregation
Many corporate enterprises have moved their voice platforms across to IP based telephony systems, and in keeping with this shift, voice carriers are now offering enterprises the option to peer via IP instead of traditional E1 or T1 circuits. This is especially true in developed countries, where new market entrants are seeking to make market inroads by offering IP based termination bundled in with other IP services. This shift presents both a challenge and an opportunity to the enterprise customer. The challenge is that one now needs to terminate the IP voice service on some new device, as terminating the service directly on the internal IPT system would represent a security risk of significant proportions. The opportunity arises because a Session Border Controller, by design, can terminate more than one carrier at a time. This allows the enterprise to “farm” the voice traffic out to competing carriers, thereby often achieving savings in the variable cost of voice traffic. Further to this, the Session Border Controller can be programmed to select the best route for a voice call based on a number of different criteria such as call quality, time of day, cost per call, destination and so on. This specific feature is often the one that builds the business case for deployment in the first place, and it can free an enterprise from carrier lock-in.
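The route selection described above, as an added illustration that is not code from the article or from any SBC product: a routing table with several peered carriers, a quality gate, and ordering by most specific prefix, then time-of-day cost, then measured quality. Carrier names, prefixes, tariffs and quality scores are all constructed sample data.

```python
# Added example of SBC-style carrier route selection (not from the article).
# All carriers, prefixes, prices and MOS values below are constructed.
from dataclasses import dataclass


@dataclass
class Route:
    carrier: str              # peered carrier trunk (constructed name)
    prefix: str               # dialled-number prefix this tariff covers (E.164 digits)
    cost_per_min: float       # off-peak tariff (constructed)
    peak_cost_per_min: float  # peak-hour tariff (constructed)
    mos: float                # measured call quality, Mean Opinion Score (constructed)


# Constructed routing table: the same destination may be reachable via
# several carriers, and one carrier may offer a more specific tariff.
ROUTES = [
    Route("carrier-a", "44",   0.020, 0.030, 4.1),
    Route("carrier-a", "4420", 0.015, 0.025, 4.1),
    Route("carrier-b", "4420", 0.012, 0.030, 3.8),
    Route("carrier-d", "4420", 0.008, 0.008, 3.1),  # cheapest, but poor quality
    Route("carrier-c", "1",    0.010, 0.010, 4.3),
]

MIN_MOS = 3.6              # routes below this quality are never offered
PEAK_HOURS = range(8, 18)  # assumed peak window, local time


def candidate_routes(dialled: str, hour: int) -> list[Route]:
    """Usable routes for `dialled`, best first; the tail is the failover list.

    Order: longest matching prefix (most specific tariff), then lowest cost
    for the given hour, then highest measured quality.
    """
    def cost(r: Route) -> float:
        return r.peak_cost_per_min if hour in PEAK_HOURS else r.cost_per_min

    matches = [r for r in ROUTES
               if dialled.startswith(r.prefix) and r.mos >= MIN_MOS]
    return sorted(matches, key=lambda r: (-len(r.prefix), cost(r), -r.mos))


def select_route(dialled: str, hour: int):
    """Primary carrier for the call, or None if nothing passes the quality gate."""
    ranked = candidate_routes(dialled, hour)
    return ranked[0].carrier if ranked else None
```

Because the result is an ordered list rather than a single carrier, the SBC can fail over to the next entry if the first trunk rejects the call.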
Internet facing SIP connections
One of the benefits of enterprise IPT voice systems is the ability to connect via a variety of voice endpoints. This gives the user the choice of either a traditional style hard phone or the more mobile soft phone option. With the increase in worker mobility, many users are now opting for the soft phone and headset instead of the desk-bound hard phone. This option works fine when the users are inside the trusted network; however, extending this functionality to outside the corporate network is more complex and generally requires a VPN client for these users, a requirement that drastically reduces user acceptance of such a solution. The benefits to mobile users, and to the enterprise in general, still remain, however, and a Session Border Controller can be used to publish secure voice access to the Internet to solve this issue. The Session Border Controller operates as a security proxy on behalf of the internal IPT platform, securing the connection from the user when they are outside the corporate network, while still offering them the same ease of use and functionality as if they were located inside the network.
It has been said that standards are such a good idea that everyone should have at least one of their own. Thus, while SIP and H.323 are established standards today, some inconsistencies do exist between vendors and systems. Again, the Session Border Controller can assist here. Since it terminates and recreates all connections, it is possible for the Session Border Controller to modify components of the connection at the same time. Most Session Border Controllers today incorporate some form of scripting language, allowing the manipulation of the signalling traffic as it passes through the system. This can be used to “fix” many of the inter-vendor issues that exist. The power of this feature should not be underestimated when one is integrating the multiple vendor voice, video and messaging platforms so often found inside the corporate network.
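The signalling manipulation described above, and the terminate-and-recreate behaviour from the earlier section, as an added example that is not the article's code nor any vendor's scripting language: a constructed inbound INVITE from a carrier is parsed, carrier-private headers are stripped, the E.164 “+” form is normalised for an assumed internal platform that does not accept it, the Request-URI host is repointed at the internal platform, and Content-Length is recomputed before the message is re-originated. The host names, addresses and header names are constructed.

```python
# Added example of SBC-style header manipulation on a SIP INVITE (not from the
# article). The INVITE, hosts and rule set are constructed for illustration;
# a real B2BUA would also replace Via/Contact and generate its own Call-ID
# and tags on the recreated leg. Header folding and compact forms are not handled.
import re

# Constructed inbound INVITE from a carrier, CRLF-delimited, with a 5-byte body.
INBOUND_INVITE = (
    "INVITE sip:+442071234567@sbc.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: \"Carrier\" <sip:+15551234567@carrier.example.net>;tag=1928301774\r\n"
    "To: <sip:+442071234567@sbc.example.net>\r\n"
    "Call-ID: a84b4c76e66710@203.0.113.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "X-Carrier-Internal: routing-group=17\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 5\r\n"
    "\r\n"
    "v=0\r\n"
)

PLUS_RE = re.compile(r"sip:\+(\d+)@")  # "sip:+4420...@" -> "sip:4420...@"


def parse_sip(raw: str):
    """Split a SIP message into start line, (name, value) headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")   # first colon only; Via has more
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize(start_line: str, headers, body: str) -> str:
    """Re-emit the message; Content-Length is always recomputed from the body."""
    kept = [(n, v) for n, v in headers if n.lower() != "content-length"]
    kept.append(("Content-Length", str(len(body.encode("utf-8")))))
    return start_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in kept) + "\r\n" + body


def normalise_for_internal(raw: str, internal_host: str = "pbx.internal.example") -> str:
    """Apply the constructed rule set before re-originating toward the internal platform."""
    start_line, headers, body = parse_sip(raw)
    method, uri, version = start_line.split(" ", 2)
    uri = PLUS_RE.sub(r"sip:\1@", uri)                       # rule 1: drop "+"
    uri = re.sub(r"@[^;>]+", "@" + internal_host, uri, 1)    # rule 2: internal host
    out = []
    for name, value in headers:
        if name.lower().startswith("x-carrier-"):            # rule 3: no carrier-private leakage
            continue
        if name.lower() in ("from", "to"):
            value = PLUS_RE.sub(r"sip:\1@", value)           # rule 1 again for From/To
        out.append((name, value))
    return serialize(f"{method} {uri} {version}", out, body)
```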