Session Border Controllers Strengthen IP Telephony Security
Most traffic cops don't need special language training to ensure against 20-car pileups and delays. But then, most of the traffic they direct runs on four wheels, moves in uniform directions, and knows how to take turns.
Things aren't as homogeneous on that superhighway known as the Internet. As a real-time medium that's not very tolerant of latency, a voice call needs to be assigned a higher priority than e-mail or Web-browsing packets. And when the Internet is the communications backbone, enterprises must have a mechanism to guard against the IP equivalent of carjackers.
In IP telephony, that traffic cop is known as the session border controller (SBC). By looking at IP telephony's underlying Session Initiation Protocol (SIP) information, SBCs keep IP telephony flowing more smoothly than a generic data firewall, connecting only the packetized voice calls that meet an enterprise's specified criteria. An SBC controls call admission at the border of the network, and can also perform call control functions. To ensure an appropriate level of security, ShoreTel requires the use of an SBC in any customer installation using SIP trunking.
An SBC is installed as part of the protected zone, either along with an existing firewall or as a standalone SIP-only firewall. Companies can then connect their IP telephony system to their service provider’s SIP trunks, confident that they are maintaining the security and protection of their enterprise network. The SBC then manages the SIP routing, and can also encrypt signaling and media for added privacy and to help prevent eavesdropping, call hijacking and call spoofing.
Can Your Firewall Handle Voice?
“A typical data firewall may or may not know about SIP,” says Steven J. Johnson, president of Ingate Systems, a ShoreTel certified technology partner and manufacturer of the SIParator, an SBC. “If a firewall is not SIP-conversant, it will block IP telephony traffic. If SIP knowledge has been added, it's probably only at a very high level that still requires SIP to pass through the firewall and undergo network address translation, or NAT.” NAT, Johnson explains, is used to translate a publicly known IP address at the edge of the network into an anonymous address inside the enterprise to protect servers and other end points from hackers and other security risks. However, the use of NAT can cause some incompatibility issues.
The Ingate SIParator is optimized to protect SIP traffic. It performs deep-packet, stateful inspection on every SIP packet and rejects anything that doesn't meet the criteria for proper SIP signaling. “If the packets are not formatted properly, they'll be rejected, with the idea that they might harm the ShoreTel products or other points inside the network,” Johnson says.
Working from an IP address or domain name, the SIParator also allows companies to identify the origin of IP telephony calls they receive. This way, enterprise customers can indicate those places from which they will refuse calls, a practice also known as blacklisting. “We can do blacklisting and white-listing to explicitly refuse or explicitly accept calls, respectively, as well as require authentication,” Johnson says. “This not only makes IP telephony more convenient than a public switched telephone network, but also it's more secure and keeps people from making undesired calls into your network.”
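The two checks described above, rejecting improperly formatted SIP and refusing or accepting calls by origin, can be sketched as a single admission function. This is an added example, not Ingate or ShoreTel code: the function name, the policy lists, the sample message and the deny-then-allow ordering are assumptions, and the format rules are the mandatory request headers from RFC 3261.

```python
import re

# RFC 3261 section 8.1.1: header fields every SIP request must carry.
REQUIRED = {"via", "from", "to", "call-id", "cseq", "max-forwards"}
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id"}  # compact names
REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:\S+) SIP/2\.0$")
# Hypothetical policy lists; a real SBC loads these from its configuration.
DENY_DOMAINS = {"blocked.example"}
ALLOW_DOMAINS = {"carrier.example"}
# Constructed sample request (not captured traffic).
SAMPLE = ("INVITE sip:100@pbx.example SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bKconstructed\r\n"
          "Max-Forwards: 70\r\n"
          'From: "Alice" <sip:alice@carrier.example>;tag=1928\r\n'
          "To: <sip:100@pbx.example>\r\n"
          "Call-ID: a84b4c76e66710\r\n"
          "CSeq: 1 INVITE\r\n"
          "Content-Length: 0\r\n\r\n")


def admit(raw, src_ip, deny_ips=frozenset()):
    """Return (accepted, reason) for one raw SIP request."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    headers = {}
    for line in lines[1:]:
        # Simplification: folded continuation lines are treated as malformed.
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            return False, "malformed header line"
        key = name.strip().lower()
        headers.setdefault(COMPACT.get(key, key), value.strip())
    missing = REQUIRED - headers.keys()
    if missing:
        return False, "missing " + ",".join(sorted(missing))
    cseq = headers["cseq"].split()
    if len(cseq) != 2 or not cseq[0].isdigit() or cseq[1] != m.group(1):
        return False, "CSeq does not match request"
    dom = re.search(r"sips?:(?:[^@>\s]+@)?([^;:>\s]+)", headers["from"])
    if not dom:
        return False, "unparseable From URI"
    domain = dom.group(1).lower()
    # Assumed ordering: explicit refusals win, then only listed origins pass.
    if src_ip in deny_ips or domain in DENY_DOMAINS:
        return False, "blacklisted origin"
    if domain not in ALLOW_DOMAINS:
        return False, "origin not whitelisted"
    return True, "ok"
```

The From header is set by the caller, so the domain check is only meaningful alongside the source-address check and the authentication the article mentions.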
With Ingate's unique ability to normalize different versions of SIP signaling, ShoreTel enables customers to interoperate with any SIP trunking service provider. That kind of cooperation obviates any possible compatibility issues for the customer and makes IP telephony services even easier to implement and use.