VoIP security is a complex field which introduces new challenges every day. Administering a VoIP network requires more than knowledge and daily reading: monitoring is of major importance, and administration teams routinely deploy new technologies to hide and monitor their infrastructure. For VoIP environments in particular, it is essential to use what is called a Session Border Controller (SBC).
Most administrators, IT managers and security experts today want an extra countermeasure to protect their telecom network. Alongside their other security systems they install an SBC for several reasons:
- The most critical information to protect is what is shared in voice calls. Nobody wants people eavesdropping on their calls.
- The next component to secure is the topology of the VoIP network. The more of it we expose to the public network, the more susceptible it becomes to attack. Attacks differ in character: most malicious users will try to gain access to your system, while others will try to take the service down with DDoS attacks.
- The signaling of your calls (in other words, who is calling whom) must also be hidden at all times, so that nobody can discover your call flows and routing.
- Remote offices connected to the main PBX are a threat to your network. They should be secured as well.
- Finally, SIP trunking with the VoIP telcos (the connection that passes calls from your PBX to the rest of the world) must also be protected.
Protecting an IP VoIP network is not only about isolating its IP part. Your TDM links are connected to the same VoIP network, so if malicious users manage to break into it they also have access to your TDM infrastructure. And they will use every available channel to place calls to destinations (premium-rate numbers) they own and that are billed at very high rates. As a rough example: if a call costs 1 euro per minute and your PBX can handle 30 concurrent outgoing calls, you are being charged 30 euros per minute, 1800 euros per hour, or 43,200 euros per day. Since most companies support far more than 30 concurrent calls over their TDM and VoIP trunks, massive financial damage can be done over a single weekend. Even if your telco's NOC notices the unusual traffic volume and blocks the lines, the cost will still be large, because the 1 euro rate is only an example and such destinations are far more expensive. Compare the cost of half an hour of such calls, which may run to 5000 euros or more, with the price of a Session Border Controller, and it is clear that the investment pays for itself the first time an attack is attempted, and you never know when that will be.
It is essential to understand what a Session Border Controller offers and how it works. Since not all readers are engineers, this section explains how an SBC works in simple language, with examples where needed.
- VoIP systems use SIP, the Session Initiation Protocol, to set up VoIP calls between two or more people.
- Media is streamed in one direction per stream: each party's voice travels in its own stream.
- When two people talk over the phone they establish a call, which in this model consists of two such one-way sessions.
- Each call carries signaling and media between the devices. Signaling is the "language" the devices speak to each other and to the servers to set up, modify and tear down the call. Media is the human voice, digitized and streamed (transferred) through the session.
The purpose of the Session Border Controller is to protect this information by encrypting it, using dedicated secure protocols: TLS for the signaling (SIP over TLS) and SRTP for the media. Note that the encryption terminates at the SBC, so the leg between the SBC and your telco or remote office is only protected if that side also speaks TLS and SRTP, which is one reason to check telco support before buying.
The SBC also establishes encrypted connections to the telco side or to remote offices in such a way that none of the remote ends are visible from the public network. It can further handle routing across multiple SIP trunks connected to different telcos, quality of service, trunk failover, media transcoding and call routing.
In security terms, a correctly installed SBC makes attacking the protected VoIP network far harder, because it terminates and re-originates all VoIP traffic itself and lets nobody else interfere with it. The SBC knows when a call is routed to the outside world. SIP messages carry sensitive details of the inner private network (internal IP addresses in the Via, Contact and Record-Route headers and in the SDP body that describes the media), so anyone who captures such a call can easily map the network behind the firewall. The SBC removes or rewrites this information, so the private network is never revealed; this is usually called topology hiding. The SBC also drives the corporate NAT firewall: when it handles a call it opens the ports needed for that call's signaling and media, and when the call ends it closes them again, so the dynamically allocated ports are open only for the duration of the call. Finally, an SBC can recognise suspicious VoIP traffic coming from a smartphone infected with a trojan and block its connections. This mostly applies to people using their own devices on the network, and it is how an SBC brings BYOD devices under the VoIP network's security policy.
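To make the topology-hiding step concrete, here is an added Python example (written for this article, not code from any SBC product) that rewrites a constructed SIP INVITE the way a back-to-back user agent does before forwarding it to a carrier. The addresses (203.0.113.x, 10.0.5.x), the header set that is stripped and the media relay port are assumptions chosen for the illustration.

```python
import re

# Constructed example addresses from the RFC 5737 documentation ranges; the
# private side uses RFC 1918 10/8. None of this comes from a real deployment.
SBC_PUBLIC_IP = "203.0.113.10"
PRIVATE_ADDR = re.compile(r"\b10\.(?:\d{1,3}\.){2}\d{1,3}\b")
# Headers an SBC drops entirely: the internal route set and product banners.
STRIP_HEADERS = {"record-route", "server", "user-agent"}

# Constructed INVITE as the PBX on the private LAN would send it towards a
# carrier. Content-Length is deliberately wrong here; the SBC recomputes it.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:+4930123456@203.0.113.50 SIP/2.0",
    "Via: SIP/2.0/UDP 10.0.5.20:5060;branch=z9hG4bK776asdhds",
    "Via: SIP/2.0/UDP 10.0.5.11:5060;branch=z9hG4bK12345",
    "Record-Route: <sip:10.0.5.20;lr>",
    'From: "Alice" <sip:alice@corp.example>;tag=1928301774',
    "To: <sip:+4930123456@carrier.example>",
    "Call-ID: a84b4c76e66710@10.0.5.11",
    "CSeq: 314159 INVITE",
    "Contact: <sip:alice@10.0.5.11:5060>",
    "Server: CorpPBX/7.2 (build 1234)",
    "Content-Type: application/sdp",
    "Content-Length: 0",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 10.0.5.11",
    "s=-",
    "c=IN IP4 10.0.5.11",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0 8",
])


def hide_topology(message, public_ip=SBC_PUBLIC_IP, media_port=30000):
    """Rewrite a SIP request the way a B2BUA-style SBC does before forwarding it:
    a single Via carrying the SBC's public address, no Record-Route or product
    banners, private addresses replaced in the remaining headers and in the
    SDP, the media port pointed at the SBC's own relay port, and Content-Length
    recomputed for the rewritten body."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    out = [lines[0]]                       # request line is left untouched
    via_seen = False
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        if key in STRIP_HEADERS or key == "content-length":
            continue
        if key == "via":
            if via_seen:
                continue                   # collapse the private Via chain
            via_seen = True
        out.append(f"{name}: {PRIVATE_ADDR.sub(public_ip, value.strip())}")
    new_body = []
    for line in body.split("\r\n"):
        if line.startswith("m=audio "):    # relay media through the SBC
            fields = line.split(" ")
            fields[1] = str(media_port)
            line = " ".join(fields)
        new_body.append(PRIVATE_ADDR.sub(public_ip, line))
    body_text = "\r\n".join(new_body)
    out.append(f"Content-Length: {len(body_text.encode())}")
    return "\r\n".join(out) + "\r\n\r\n" + body_text


def leaks_private_addresses(message):
    """True if any RFC 1918 10/8 address is still visible in the message."""
    return PRIVATE_ADDR.search(message) is not None


def content_length_ok(message):
    """Check that the Content-Length header matches the actual body size."""
    head, _, body = message.partition("\r\n\r\n")
    m = re.search(r"(?im)^Content-Length:\s*(\d+)\s*$", head)
    return m is not None and int(m.group(1)) == len(body.encode())


if __name__ == "__main__":
    print(hide_topology(SAMPLE_INVITE))
```

Running it prints the sanitized INVITE: one Via, no Record-Route or Server header, and the SBC's public address in Contact, Call-ID and the SDP, so the carrier (or anyone sniffing that leg) sees only the SBC. A real SBC also relays the RTP itself on the port it advertised and rewrites the responses on the way back; the header handling above is the part that matters for topology hiding.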
An SBC can also identify unusual traffic patterns; in other words it includes a detection/prevention system that blocks attempts at DDoS attacks against its host network. It analyzes every packet that reaches it and, once it detects that a source is attacking, blocks traffic from that IP. The system is driven by a set of configurable rules covering known attack methods, the number of failed authentications per period (to stop brute-force attacks on SIP accounts), a limit on concurrent calls per user, blocking of suspicious international calls outside working hours, and blacklisting of IPs found to be suspicious. One caveat: a volumetric flood that saturates your internet uplink has to be absorbed upstream by your ISP or telco, since the SBC can only protect what sits behind it.
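The rule set described above is easy to reason about when you see it run over traffic. The following Python is an added example written for this article (not any vendor's detection engine): it replays constructed log lines in a made-up key=value format and applies three of the rules, failed-authentication rate limiting per source IP, a concurrent-call cap per user, and rejection of international calls outside business hours. The thresholds, the log format and the addresses are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Hypothetical policy thresholds; tune them to your own traffic, they are not
# vendor defaults.
MAX_AUTH_FAILURES = 5          # per source IP within FAILURE_WINDOW_S
FAILURE_WINDOW_S = 60
MAX_CONCURRENT_PER_USER = 2
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 UTC; international calls outside it are rejected
INTERNATIONAL_PREFIX = "00"

# Constructed log lines in a made-up "key=value" format (not any product's real
# log format): a registration scan from one address, then normal use from another.
SAMPLE_LOG = """\
2024-05-11T02:14:01Z REGISTER src=198.51.100.23 user=1001 result=401
2024-05-11T02:14:02Z REGISTER src=198.51.100.23 user=1002 result=403
2024-05-11T02:14:03Z REGISTER src=198.51.100.23 user=1003 result=403
2024-05-11T02:14:03Z REGISTER src=198.51.100.23 user=admin result=403
2024-05-11T02:14:04Z REGISTER src=198.51.100.23 user=test result=403
2024-05-11T02:14:05Z INVITE src=198.51.100.23 user=1001 dst=00123456789 call=c1
2024-05-11T09:00:00Z REGISTER src=192.0.2.7 user=2001 result=401
2024-05-11T09:00:01Z REGISTER src=192.0.2.7 user=2001 result=200
2024-05-11T09:05:00Z INVITE src=192.0.2.7 user=2001 dst=00302100000000 call=c2
2024-05-11T09:06:00Z INVITE src=192.0.2.7 user=2001 dst=00302100000001 call=c3
2024-05-11T09:07:00Z INVITE src=192.0.2.7 user=2001 dst=00302100000002 call=c4
2024-05-11T09:08:00Z BYE src=192.0.2.7 user=2001 call=c2
2024-05-11T23:30:00Z INVITE src=192.0.2.7 user=2001 dst=00252123456 call=c5
"""


def parse_line(line):
    """Split '<timestamp> <method> k=v k=v ...' into a dict with a UTC datetime."""
    ts, method, *pairs = line.split()
    ev = dict(pair.split("=", 1) for pair in pairs)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["method"] = method
    return ev


class SipAbuseDetector:
    def __init__(self):
        self.failures = defaultdict(deque)    # src IP -> timestamps of recent auth failures
        self.blocked = set()
        self.active_calls = defaultdict(set)  # user -> call IDs currently up
        self.alerts = []

    def feed(self, line):
        """Apply the rules to one event; returns allow, block, drop or reject."""
        ev = parse_line(line)
        src, ts = ev["src"], ev["ts"]
        if src in self.blocked:
            return "drop"                     # blacklisted source: nothing is processed
        if ev["method"] == "REGISTER" and ev.get("result") in ("401", "403"):
            # A single 401 is the normal digest challenge; only a burst of
            # failures inside the sliding window counts as a brute-force attempt.
            q = self.failures[src]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > FAILURE_WINDOW_S:
                q.popleft()
            if len(q) >= MAX_AUTH_FAILURES:
                self.blocked.add(src)
                self.alerts.append(f"{ts:%H:%M:%S} block {src}: {len(q)} auth failures in {FAILURE_WINDOW_S}s")
                return "block"
        elif ev["method"] == "INVITE":
            user, dst = ev["user"], ev.get("dst", "")
            if dst.startswith(INTERNATIONAL_PREFIX) and ts.hour not in BUSINESS_HOURS:
                self.alerts.append(f"{ts:%H:%M:%S} reject {user}: international call to {dst} outside business hours")
                return "reject"
            if len(self.active_calls[user]) >= MAX_CONCURRENT_PER_USER:
                self.alerts.append(f"{ts:%H:%M:%S} reject {user}: concurrent call limit reached")
                return "reject"
            self.active_calls[user].add(ev["call"])
        elif ev["method"] == "BYE":
            self.active_calls[ev["user"]].discard(ev["call"])
        return "allow"

    def run(self, lines):
        return [self.feed(line) for line in lines if line.strip()]


if __name__ == "__main__":
    detector = SipAbuseDetector()
    lines = SAMPLE_LOG.splitlines()
    for line, decision in zip(lines, detector.run(lines)):
        print(f"{decision:6} {line}")
    print("\n".join(detector.alerts))
```

In the sample the scanner at 198.51.100.23 is blocked on its fifth failure and its subsequent INVITE is dropped, user 2001 gets a third concurrent call rejected, and the late-night call to a 00252 number is refused. The first 401 for user 2001 is correctly tolerated, because digest authentication always starts with a challenge; a detector that blocks on the first 401 would lock out every legitimate phone.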
The SBC can also act as a load balancer, rerouting traffic and calls from a congested link to another, and as a Least Cost Router (LCR) that chooses the most cost-effective route for each call. An SBC does not "lock in" the user, since it is designed to be vendor independent, so the IT manager can connect devices from various vendors to it and mix codecs. SBCs on the market support a wide range of concurrent call counts, covering practically every scenario and combination.
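The routing logic behind the LCR, load balancing and failover functions is small enough to show in full. Below is an added Python example written for this article (not an SBC product's routing engine) with a constructed trunk table of hypothetical carriers, rates and capacities: each call is matched on the longest dialled prefix, the cheapest usable trunk wins, ties go to the trunk with the most free channels, and trunks that are full or marked down are skipped so the call fails over to the next one.

```python
# Constructed trunk table: hypothetical carriers, per-minute rates by dialled
# prefix and concurrent-call capacities. Not real carrier pricing.
TRUNKS = {
    "carrierA": {"capacity": 30, "rates": {"0030": 0.010, "0044": 0.015, "00": 0.090}},
    "carrierB": {"capacity": 10, "rates": {"0030": 0.012, "0049": 0.014, "00": 0.070}},
    "carrierC": {"capacity": 60, "rates": {"00": 0.120}},
}


def longest_prefix_rate(rates, number):
    """Return (prefix, rate) for the most specific prefix matching the number, or None."""
    best = None
    for prefix, rate in rates.items():
        if number.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, rate)
    return best


class LeastCostRouter:
    def __init__(self, trunks):
        self.trunks = trunks
        self.active = {name: 0 for name in trunks}   # calls currently up per trunk
        self.down = set()                             # trunks currently failed over

    def candidates(self, number):
        """Usable trunks for this number, cheapest first; ties go to the trunk
        with the most free capacity so load spreads across equal-cost routes."""
        ranked = []
        for name, trunk in self.trunks.items():
            if name in self.down or self.active[name] >= trunk["capacity"]:
                continue                              # down or full: skip it
            match = longest_prefix_rate(trunk["rates"], number)
            if match is not None:
                free = trunk["capacity"] - self.active[name]
                ranked.append((match[1], -free, name))
        return [(name, rate) for rate, _, name in sorted(ranked)]

    def route(self, number):
        """Pick a trunk and reserve one channel on it; None if no route exists."""
        options = self.candidates(number)
        if not options:
            return None
        name, rate = options[0]
        self.active[name] += 1
        return name, rate

    def release(self, name):
        """Free a channel when the call ends."""
        self.active[name] -= 1

    def mark_down(self, name):
        """Take a trunk out of service, e.g. after OPTIONS keepalives fail."""
        self.down.add(name)

    def mark_up(self, name):
        self.down.discard(name)


if __name__ == "__main__":
    lcr = LeastCostRouter(TRUNKS)
    print(lcr.route("00302101234567"))   # cheapest Greek route
    lcr.mark_down("carrierA")
    print(lcr.route("00302101234567"))   # fails over to the next cheapest
```

Two things to watch for when you do this for real: the longest-prefix match is what keeps a cheap "00" catch-all from hijacking calls that have a more specific (and differently priced) prefix, and the capacity check is what lets a congested trunk overflow onto a dearer one instead of rejecting the call. Note too that cheapest is not always best; many deployments weight the choice by measured call quality as well as rate.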
If you decide to go for an SBC, make sure your VoIP telco supports SBC connectivity, and keep in mind that you need one for each remote location, sized for that location's usage. For example, if HQ carries 100 concurrent calls but a branch only 25, you may choose different models to match each capacity. SBCs are also designed to be scalable, so whenever you expand your network you can upgrade the SBC's capacity. It is also worth knowing that an SBC can use transcoding cards, in whatever hardware form the vendor offers, to optimize each scenario for your needs and bandwidth resources. The SBC handles different codecs for different devices, which means you can move transcoding from the PBX to the SBC and lower the PBX's CPU usage dramatically. Obviously, if the SBC does that transcoding in software on its own CPU, its concurrent call capacity drops. Use transcoding cards for this, and always ask your vendor how to mix and match or how to move to the next scalable upgrade.
Session Border Controllers today start at 25 and go up to 16,000 sessions, so there is a great variety of capacities and features. Note that some vendors count a session as a call (two sessions in the model above) while others count a single one-way audio channel, so always ask what they mean by "session" before comparing products. If you prefer virtual machines, SBCs also come as VMs that you can install on your existing servers. When choosing this option, ask your vendors and understand the hardware requirements and specifications, so you avoid problems after installation.
To close the article, here is a summary of SBC usage:
- Connect all remote offices with SBCs, with the whole infrastructure in turn connected to your VoIP telco's SBC. A hosted PBX fits the same scheme.
- Remote devices can be exclusively authorized to register to your network from remote locations securely.
- BYOD users are secured and register to your network securely.
- The SBC can be used as an LCR and load balancer, and can handle failovers.
- Choose a hardware, software or mixed solution to suit your requirements.
- Install it and implement the rules.
- Learn how to manage the SBC and use a correct methodology to set it up.
Finally, always look at the logs and monitor your networks. The fact that your security boxes are considered "smart" and that you have the latest layer 7 firewalls and WAFs does not make the network invulnerable. Monitoring and training your users, combined with your security countermeasures, is the best way to minimize the risk of getting hacked.