Session Border Controller basics
What exactly is a session border controller? Read this whitepaper to get the basics.
A session border controller (SBC) is a technology designed to help enable and secure important parts of any business’s telecommunications infrastructure. It controls a network by admitting (or refusing) and then directing communications between two end devices on the network. These communications are called sessions.
The SBC does this session control at the point where traffic is handed off from one network to another (called the border). Because of where the SBC sits in the network, it can be usefully deployed both by businesses themselves and by the service providers who serve them.
What does a Session Border Controller do?
Protect and secure the network
The SBC’s main role is protecting and securing the network. It is built from the ground up to help eliminate spoofing attacks, denial-of-service attacks, and toll fraud. The SBC secures the network by hiding the architecture, making it difficult for bad guys to reach vulnerable parts of the network, and it enables encryption that prevents communications from being illegally intercepted or tampered with.
Enable SIP trunking
The SBC is a key element of any SIP trunking solution. The SBC looks at each session crossing between the internal enterprise network and the external ITSP network and determines where the session should be routed and what priority it is assigned when the network is busy. The SBC also determines how much bandwidth should be assigned to a session, based on network utilization and the policies established for the network. Most importantly, the SBC performs SIP interworking, which allows devices that use subtly different variants of SIP to communicate with each other effectively and efficiently.
Interconnect with topology hiding and protocol translation
The SBC provides a smooth experience when interconnecting and interworking between different networks and the protocols running over them. The SBC can translate between the SIP variants used by different devices, so calls get through with all their features intact. In addition, because different VoIP solutions may use audio codecs that aren’t fully supported on both sides of the session, the SBC can transcode between them on the fly.
Session traffic cop
The SBC is the gatekeeper to the VoIP network in an enterprise or in a service provider network. In this role, it performs session admission control: the process of determining who has access to the network and who doesn’t. The SBC is the traffic cop of a VoIP network, keeping your VoIP highways safe and orderly by creating and consulting three lists – whitelists, blacklists, and greylists.
Key features of SBCs
There’s more than just security to the role of an SBC. Many in the industry say that it’s the security that causes customers to become interested in SBCs, but it’s the other functionality that really makes the sale.
SIP is the primary protocol that makes the connection between two endpoints and closes the connection when the call is finished. SIP is what allows disparate network topologies from different vendors to communicate with each other.
SIP is a communications standard authored by a global community of engineers known as the Internet Engineering Task Force (IETF). The actual SIP implementations are left up to individual engineers and vendors, resulting in a multiplicity of SIP variations that are technically in compliance with the published SIP standards but not necessarily compliant with one another. Enough variations exist in SIP that sometimes two systems connecting to each other using SIP find that they aren’t really speaking the same language. The basics are all there, but with different syntax and dialects in what otherwise appears to be a common language.
Any SBC must be able to speak all the different dialects of SIP and do on-the-fly translations in both directions. So, if a call is crossing a border between a system using Dialect X and another system using Dialect Y, the SBC must find the parts of Dialect X and Y that don’t quite match up and convert them back and forth as the call moves across the SBC. It’s not rocket science in concept, but it’s hard to do, and the best SBCs make the whole process transparent and seamless.
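As an added illustration (not code from the original whitepaper), here is a small Python interworking step of the kind described above: it expands the RFC 3261 compact header names that some stacks emit, and maps the legacy Remote-Party-ID caller-identity header to P-Asserted-Identity (RFC 3325) or back, depending on which side the request is heading to. The INVITE, the addresses and the 'carrier'/'pbx' target names are constructed for the example.

```python
import re

# Compact header names (RFC 3261 section 7.3.3) that some SIP stacks emit and
# others do not accept; the SBC expands them on ingress.
COMPACT = {"v": "Via", "f": "From", "t": "To", "i": "Call-ID",
           "m": "Contact", "c": "Content-Type", "l": "Content-Length"}

def strip_params(value):
    """Drop header parameters that follow the name-addr (params inside <...> stay)."""
    cut = value.find(";", value.find(">") + 1)
    return value if cut < 0 else value[:cut]

def interwork(msg, target):
    """Normalize a SIP request for the far side. target is 'carrier' (expects
    P-Asserted-Identity, RFC 3325) or 'pbx' (expects the legacy Remote-Party-ID)."""
    head, _, body = msg.partition("\r\n\r\n")
    start, *raw = head.split("\r\n")
    out = []
    for line in raw:
        name, _, value = line.partition(":")
        name, value = COMPACT.get(name.strip(), name.strip()), value.strip()
        if name == "Content-Length":
            continue                       # recomputed below for the forwarded body
        if target == "carrier" and name == "Remote-Party-ID":
            name, value = "P-Asserted-Identity", strip_params(value)
        elif target == "pbx" and name == "P-Asserted-Identity":
            name, value = "Remote-Party-ID", strip_params(value) + ";party=calling;screen=yes"
        out.append(f"{name}: {value}")
    out.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join([start, *out]) + "\r\n\r\n" + body

def headers_of(msg):
    """Header name -> value map, handy for inspecting the result."""
    return dict(h.split(": ", 1) for h in msg.partition("\r\n\r\n")[0].split("\r\n")[1:])

# Constructed INVITE as an older PBX might send it: compact headers plus Remote-Party-ID
PBX_INVITE = ("INVITE sip:+15551234567@carrier.example SIP/2.0\r\n"
              "v: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds\r\n"
              "f: \"Alice\" <sip:alice@pbx.example>;tag=1928301774\r\n"
              "t: <sip:+15551234567@carrier.example>\r\n"
              "i: a84b4c76e66710@10.0.0.5\r\n"
              "Remote-Party-ID: \"Alice\" <sip:alice@pbx.example;user=phone>;party=calling;screen=yes\r\n"
              "l: 0\r\n\r\n")
```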
The SBC’s job is to transcode, or change, codecs as sessions pass through it. The SBC knows which codecs are supported on each side of the network border and, using a combination of software and special-purpose digital signal processors (DSPs), decodes and then re-encodes the voice or video signal as it crosses the border.
Many codecs are in use in various VoIP and UC systems. Low- and high-bandwidth voice and video codecs of differing quality are designed to work differently on various devices, including computers, tablets, dedicated VoIP phones, and mobile devices.
In VoIP calls, the two sides frequently differ in which codecs they support. So, if an enterprise’s PBX supports one specific codec and the incoming call from an important customer is using a different codec, the SBC understands both codecs and transcodes between them in real time, in both directions, as the call passes through it.
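Added example, not from the whitepaper: a Python sketch of the codec decision an SBC makes from an SDP offer. It reads the offerer's codec list (including RFC 3551 static payload types that carry no rtpmap line), compares it with what the other leg supports, and reports whether media can be relayed untouched or must go through the transcoding DSPs. The SDP body and the two far-side codec lists are constructed.

```python
import re

# Static RTP payload types (RFC 3551) that need no a=rtpmap line
STATIC_PT = {"0": "PCMU/8000", "8": "PCMA/8000", "9": "G722/8000", "18": "G729/8000"}

def offered_codecs(sdp):
    """Audio codecs in an SDP offer, in the offerer's order of preference.
    DTMF events (telephone-event) are signalling, not a voice codec, so skip them."""
    rtpmap = dict(re.findall(r"a=rtpmap:(\d+) (\S+)", sdp))
    m = re.search(r"m=audio \d+ RTP/AVP((?: \d+)+)", sdp)
    if not m:
        return []
    names = [rtpmap.get(pt, STATIC_PT.get(pt, f"PT{pt}")) for pt in m.group(1).split()]
    return [n for n in names if not n.lower().startswith("telephone-event")]

def plan_media(offer_sdp, far_side_codecs):
    """Decide how the SBC handles media between the two legs.
    Returns (mode, codec toward offerer, codec toward far side): 'relay' when a
    common codec exists and RTP passes untouched, 'transcode' when the DSP has to
    decode one codec and re-encode the other in each direction."""
    offered = offered_codecs(offer_sdp)
    common = [c for c in offered if c in far_side_codecs]
    if common:
        return "relay", common[0], common[0]       # first shared codec, offerer's preference
    if not offered or not far_side_codecs:
        raise ValueError("no audio codec available on one side")
    return "transcode", offered[0], far_side_codecs[0]

# Constructed offer from a branch-office PBX that prefers low-bandwidth G.729
OFFER = ("v=0\r\no=pbx 2890844526 2890844526 IN IP4 10.0.0.5\r\ns=-\r\n"
         "c=IN IP4 10.0.0.5\r\nt=0 0\r\n"
         "m=audio 49170 RTP/AVP 18 9 101\r\n"
         "a=rtpmap:18 G729/8000\r\na=fmtp:18 annexb=no\r\n"
         "a=rtpmap:9 G722/8000\r\n"
         "a=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-16\r\n")

# Constructed codec lists for two possible far sides, as learned from trunk configuration
CARRIER_G711_ONLY = ["PCMU/8000", "PCMA/8000"]
CARRIER_HD_VOICE = ["G722/8000", "PCMU/8000"]
```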
Dealing with NAT traversal
NAT is a technology that translates between a single public IP address and the private IP addresses that your router assigns to all the attached devices on your network. NAT is used because there aren’t enough IP addresses available in the world to assign each and every device its own unique address. NAT lets a small pool of IP addresses be reused over and over in different private networks while letting the devices attached to each network communicate with the broader Internet through a single, unique public IP address.
The problem with NAT is that creating an end-to-end session is difficult because the IP address of a device behind a NAT isn’t a public IP address. This creates issues for end-to-end sessions like VoIP and requires some translation to happen between private and public addresses – translation beyond what the private network’s routers can do.
Many SBCs explicitly support what’s known as NAT traversal, providing the ability to work with VoIP session packets and give them the instructions they need to get through the NAT router and to the actual device on the end of the session. NAT traversal requires a significant amount of computing capacity in the SBC because a large number of the devices participating in VoIP and other sessions are behind a NAT. An SBC needs a lot of processing power to do all the translating and routing required to traverse NATs.
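As an added example (not code from the whitepaper), the two NAT-traversal steps an SBC performs, in Python: on the signalling side it records the public source of a request in the Via header (received/rport) and rewrites a private Contact, and on the media side it anchors RTP on itself and latches to the address the first packet actually comes from, pinning it so a stray packet from elsewhere is dropped. The INVITE and the observed address 203.0.113.7:41000 are constructed; only RFC 1918 ranges are treated as private.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
def is_private(host):
    """True for RFC 1918 addresses, which are unreachable from the public side of the SBC."""
    try:
        return any(ipaddress.ip_address(host) in n for n in RFC1918)
    except ValueError:
        return False           # hostnames are resolved elsewhere, not our concern here

def nat_fixup(msg, src_ip, src_port):
    """Rewrite a request that came from behind a NAT so replies and later requests go
    to the public address:port the SBC received it from. Returns (msg, needs_relay)."""
    head, sep, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    for i, line in enumerate(lines[1:], start=1):
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "via":      # RFC 3261 received / RFC 3581 rport: where the packet really came from
            value = re.sub(r";rport(?=;|$)", f";rport={src_port}", value)
            if "received=" not in value:
                value += f";received={src_ip}"
            lines[i] = f"Via: {value}"
        elif name == "contact":   # a private Contact would send later requests into the void
            m = re.search(r"sip:(?:([^@>;]+)@)?([\d.]+)(?::\d+)?", value)
            if m and is_private(m.group(2)):
                user = f"{m.group(1)}@" if m.group(1) else ""
                lines[i] = f"Contact: <sip:{user}{src_ip}:{src_port}>"
    c = re.search(r"c=IN IP4 ([\d.]+)", body)   # private media address: the SBC must anchor RTP
    return "\r\n".join(lines) + sep + body, bool(c and is_private(c.group(1)))

class MediaRelay:
    """RTP anchor for one leg: the far end's real address is learned from the first
    packet (latching) and then pinned, so packets from anywhere else are dropped."""
    def __init__(self, advertised):
        self.advertised, self.latched = advertised, None   # (ip, port) from SDP; learned later
    def on_packet(self, src):
        if self.latched is None:
            self.latched = src            # first packet wins
        return src == self.latched        # relay only what comes from the latched source
    def send_to(self):
        return self.latched or self.advertised

# Constructed INVITE from a phone on a home LAN; the SBC saw it arrive from 203.0.113.7:41000
PHONE_INVITE = ("INVITE sip:bob@sbc.example SIP/2.0\r\n"
                "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bKnashds8;rport\r\n"
                "Contact: <sip:alice@192.168.1.20:5060>\r\n"
                "Content-Type: application/sdp\r\n\r\n"
                "v=0\r\nc=IN IP4 192.168.1.20\r\nm=audio 8000 RTP/AVP 0\r\n")
```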
Fax and tone detection
Often, legacy technologies linger on well past their “sell by” date, and the network needs to support them. A prominent example of this in the VoIP world is fax. An SBC can incorporate tone detection – the ability to recognize and act on standard analog telephone tones – to recognize and then properly route faxes.
Performance, scalability, resiliency, survivability
SBCs need to be powerful and robust devices with the right degree of extra capacity and redundancy, not only to handle the average number of calls coming through the system simultaneously but also to scale up and handle peak call volumes. When evaluating an SBC’s performance, scalability, and resiliency, consider the following factors:
- CPU Utilization. The SBC does a lot of computationally complex work. The CPU utilization during peak periods should allow plenty of overhead.
- Concurrent Calls (or Sessions) Supported. How many concurrent calls is the device rated for? How does this match your network’s usage patterns? If your usage grows and begins to exceed the capacity of your SBC, how can you upgrade?
- Redundancy. An SBC performs a mission-critical role for an enterprise or carrier. Are there any elements within the SBC that don’t have a redundant counterpart able to take over at a moment’s notice? If so, remember that downtime means lost money.
- Survivability. This is similar to redundancy, but instead of failing over to another piece of hardware, the SBC routes calls over another interface when its main interface is down.
- Registration Rate. How many clients can the SBC register in a fixed period of time? This relates to registration storms. When a lot of users are connecting at once, make sure the device can handle it.
SBCs and telecom security
SBCs were initially deployed primarily within service provider networks. SBCs ensure that VoIP calls are properly routed between network providers, that differing protocols are understood so the call can be delivered across different networks, and that calls are secured.
As VoIP has become more common—indeed, has become the dominant mechanism for transporting voice calls—the SBC has become useful in more places in the network, including at the border between an enterprise’s network and the carrier’s.
Securing the network
The most talked-about driver for the adoption of the SBC is security – and for good reason. VoIP (like other session-oriented applications) is by its very nature exposed to devices and networks that are outside the control of the enterprise or network provider. VoIP isn’t like traditional telephony, where a very tightly circumscribed set of devices, protocols, and private networks is involved in placing and carrying calls. In the old days, when you placed a phone call (via landline or cellular), the call was placed on an approved device and carried across the private phone company network.
Like other IP applications, VoIP is often carried over public networks—oftentimes across several public networks—and calls can be initiated or completed on devices, such as personal computers (PCs) or smartphones, by using VoIP apps that aren’t under the control and regulation of the phone company. This leaves the VoIP world considerably more vulnerable to the same kinds of malicious and fraudulent security threats that any internet service faces.
Facing the issues
Among the threats that an SBC has been developed to help eliminate are the following:
- Service theft and fraud. These attacks happen when a hacker (or an organized group of hackers) accesses an inadequately secured VoIP system to route traffic across the network without paying for it. Not only do the hackers use up network resources without paying for them, but the enterprise or service provider often ends up paying for the unauthorized toll charges.
- Spoofing. These attacks come into play when people deliberately modify or disguise their identities on the network. This may be done to intercept calls intended for another (legitimate) party, or simply to confuse or annoy.
- Denial of Service (DoS) / Distributed Denial of Service (DDoS). DoS attacks and their bigger, badder brother, DDoS attacks, seek to flood a server or SBC with requests in order to take it out of commission. Such attacks can involve hundreds or even thousands of zombified computers (known collectively as a botnet, for robot network).
- Registration storms. A registration storm occurs when thousands or millions of devices attempt to register with the SIP server all at once in a VoIP network. A registration storm can also occur for non-malicious reasons. For example, after a major network outage, many thousands of VoIP devices may all try to reconnect and re-register with the network at the same time.
Stopping attacks with an SBC
Networks are increasingly subjected to both malicious and fraudulent attacks. The common attacks of service theft and fraud, DoS, DDoS, spoofing, and registration storms can be dealt with using the SBC tools described below.
Media and signaling encryption
This approach applies cryptographic scrambling, called encryption, to both the signaling (Session Initiation Protocol, SIP) and the media (voice, video, IM, and so on) portions of the call. Encryption provides more than just scrambled data. It also relies on an authentication mechanism: a way of verifying that a client holds the proper half of the secret key, known only to that client. A properly implemented encryption system means that malicious parties can’t eavesdrop on VoIP calls, videoconferences, and other SIP-based communications.
Topology hiding with B2BUA
A back-to-back user agent (B2BUA) is a system in which SIP calls are controlled by a logical or virtual proxy configured for the call. This agent sets up the pathways across the network for both signaling and data. A B2BUA causes all signaling and media traffic to run through the SBC and hides the topology, or architecture, of the network, so clients aren’t shown things like the private IP addresses of servers and devices in the network. The net result is a network that’s easily accessible to clients for making and receiving calls, but whose “innards” are effectively invisible, which makes them less vulnerable to attack.
The SBC’s policy management system monitors incoming requests and calls, uses rules to identify people who are and aren’t abusing network resources, and maintains three lists:
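Added Python example, not any SBC vendor's code, of what a B2BUA does to an INVITE leaving the enterprise: it strips the internal Via/Record-Route hops and software banners, originates the outer leg with its own Via, Call-ID and Contact, keeps the mapping between the two legs, and points the SDP media address at the SBC. The PBX INVITE, the addresses 10.0.0.5 / 203.0.113.2 / 203.0.113.3 and the leaks() prefix check are constructed for the example.

```python
import re
import secrets

class B2BUA:
    """Minimal back-to-back user agent: the SBC terminates the inner call leg and
    originates a fresh outer leg, so only its own addresses appear on the outside."""
    def __init__(self, public_ip, media_ip, port=5060):
        self.public_ip, self.media_ip, self.port = public_ip, media_ip, port
        self.legs = {}   # outer Call-ID -> inner Call-ID, to correlate the two legs later

    def outbound(self, msg):
        head, sep, body = msg.partition("\r\n\r\n")
        start, *raw = head.split("\r\n")
        kept, inner_call_id = [], None
        for line in raw:
            name, _, value = line.partition(":")
            n = name.strip().lower()
            if n in ("via", "record-route", "route", "user-agent", "server", "content-length"):
                continue   # internal hops and software banners stay inside; length is redone
            if n == "call-id":
                inner_call_id = value.strip()
                continue
            if n == "contact":
                line = f"Contact: <sip:{self.public_ip}:{self.port}>"   # reach us, not the PBX
            kept.append(line)
        outer_call_id = f"{secrets.token_hex(8)}@{self.public_ip}"
        self.legs[outer_call_id] = inner_call_id
        # Media anchors on the SBC as well, so the PBX's RTP address is never exposed
        body = re.sub(r"(c=IN IP4 )[\d.]+", rf"\g<1>{self.media_ip}", body)
        body = re.sub(r"(o=\S+ \S+ \S+ IN IP4 )[\d.]+", rf"\g<1>{self.media_ip}", body)
        out = [start,
               f"Via: SIP/2.0/UDP {self.public_ip}:{self.port};branch=z9hG4bK{secrets.token_hex(6)}",
               f"Call-ID: {outer_call_id}", *kept, f"Content-Length: {len(body.encode())}"]
        return "\r\n".join(out) + sep + body

def leaks(msg, internal_prefixes=("10.", "192.168.", "172.16.")):
    """Crude check for this example: does an internal address prefix still appear?"""
    return any(p in msg for p in internal_prefixes)

# Constructed INVITE from the enterprise PBX (10.0.0.5) on its way out to the carrier
PBX_INVITE = ("INVITE sip:+15551234567@carrier.example SIP/2.0\r\n"
              "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds\r\n"
              "Record-Route: <sip:10.0.0.2;lr>\r\n"
              "From: \"Alice\" <sip:alice@pbx.example>;tag=1928301774\r\n"
              "To: <sip:+15551234567@carrier.example>\r\nCall-ID: a84b4c76e66710@10.0.0.5\r\n"
              "Contact: <sip:alice@10.0.0.5:5060>\r\nUser-Agent: CorpPBX/7.1\r\n"
              "Content-Type: application/sdp\r\nContent-Length: 86\r\n\r\n"
              "v=0\r\no=- 1 1 IN IP4 10.0.0.5\r\ns=-\r\nc=IN IP4 10.0.0.5\r\nt=0 0\r\n"
              "m=audio 49170 RTP/AVP 0\r\n")
```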
- Whitelists. People and devices that always have access to the network
- Blacklists. People and devices that never have access to the network
- Greylists. People and devices that sometimes have access to the network
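Added example (not from the whitepaper) of the policy step above, combined with the registration-rate concern from the registration storms section: a small Python admission engine that consults the three lists and then applies a per-source sliding-window limit to greylisted sources, challenges failed authentication and promotes repeat offenders to the blacklist. The networks, window sizes and the sample request stream are constructed; treating sources on no list as rejected is this example's choice.

```python
import ipaddress
from collections import defaultdict, deque

def listed(ip, nets):
    return any(ipaddress.ip_address(ip) in n for n in nets)

class AdmissionPolicy:
    """Session admission control: consult the three lists first, then apply a
    per-source sliding-window rate limit to greylisted (monitored) sources."""
    def __init__(self, whitelist, blacklist, greylist, max_requests, window_s, max_failures=5):
        nets = lambda names: [ipaddress.ip_network(n) for n in names]
        self.white, self.black, self.grey = nets(whitelist), nets(blacklist), nets(greylist)
        self.max_requests, self.window_s, self.max_failures = max_requests, window_s, max_failures
        self.recent = defaultdict(deque)    # source ip -> request timestamps inside the window
        self.failures = defaultdict(int)    # source ip -> consecutive failed authentications

    def decide(self, src_ip, ts, auth_ok=True):
        """Return 'admit', 'reject', 'throttle' or 'challenge' for one REGISTER/INVITE."""
        if listed(src_ip, self.black):
            return "reject"
        if listed(src_ip, self.white):
            return "admit"                  # trusted trunks: no rate limit, no challenge
        if not listed(src_ip, self.grey):
            return "reject"                 # in this example, unknown peers are not admitted
        window = self.recent[src_ip]        # greylisted: admitted while under the limit
        window.append(ts)
        while window and ts - window[0] > self.window_s:
            window.popleft()
        if len(window) > self.max_requests:
            return "throttle"               # registration storm or flood from this source
        if not auth_ok:
            self.failures[src_ip] += 1
            if self.failures[src_ip] >= self.max_failures:
                self.black.append(ipaddress.ip_network(src_ip))   # promote to blacklist
                return "reject"
            return "challenge"
        self.failures[src_ip] = 0
        return "admit"
# Constructed request stream: (source ip, seconds since start, authentication ok)
SAMPLE = [("203.0.113.5", 0, True),                          # whitelisted carrier trunk
          ("198.51.100.9", 1, True),                         # blacklisted scanner
          ("192.0.2.10", 1, True), ("192.0.2.10", 2, True),
          ("192.0.2.10", 3, True), ("192.0.2.10", 4, True),  # 4th within 10 s: throttled
          ("192.0.2.11", 5, False),                          # greylisted phone, wrong password
          ("10.9.9.9", 6, True)]                             # on no list at all
def run(events, policy=None):
    policy = policy or AdmissionPolicy(["203.0.113.0/24"], ["198.51.100.0/24"],
                                       ["192.0.2.0/24"], max_requests=3, window_s=10)
    return [policy.decide(ip, ts, ok) for ip, ts, ok in events]
```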