In my last post, First Steps Toward Making Voice over IP Secure and Efficient, we looked at security issues within Voice over IP networks by first considering the threats. In this post, I'd like to discuss how tools like Session Border Controllers can help address those threats.
Let's consider the case of a service provider that offers Voice over IP service to retail subscribers. Assume the provider's goals are to provide efficient VoIP service to its customers, to keep the topology of its network private, and to minimize service outages. Assume further that the provider runs its own core network between its Points of Presence (PoPs), and that customers reach the network with a SIP phone that presents credentials such as a user ID and password.
If we look at this scenario from a threats perspective, what could go wrong? First, the service provider wants to provide service only to valid customers. If an attacker gains access to the network and steals phone service, the provider earns nothing from those calls and its network can be bogged down by them, so the provider will want to authenticate every user who requests access. Next, if the provider wants to keep its topology private, away from the prying eyes of attackers or competitors, it will need a way to hide that topology. Finally, the provider wants to keep its network up and running and minimize service outages for its customers. There are many aspects to keeping a network running, including redundant equipment and fast switchover when a component fails. On the security side, a key requirement is to protect the network from attackers or other rogue elements by defending against denial of service attacks. In other words, the network must remain available to accept legitimate calls from customers while rejecting incoming packets that do not conform to its policy rules.
So for our example, we've identified several threats and the capabilities needed to address them. This is where a Session Border Controller (SBC) comes into play. A key role of a service provider's SBC is to protect the border between the open Internet and the provider's own network, and the three capabilities just identified are all steps the SBC can take to keep that network up and running.
First, incoming calls must be authenticated. There are a number of ways to do this, ranging from weak to strong. An SBC controlling access to a network validates incoming calls, typically by registering the user and checking their credentials during the SIP REGISTER exchange; the standard mechanism is SIP digest authentication (RFC 3261), a challenge-response in which the phone proves knowledge of the password without ever sending it in the clear. Most Voice over IP today runs SIP over unencrypted UDP or TCP, which leaves the digest exchange open to capture and offline password guessing and gives the phone no proof that it is talking to the provider's own SBC. An SBC that supports SIP over Transport Layer Security (TLS) closes both gaps: the signaling, including the registration exchange, is encrypted, and the SBC's certificate authenticates it to the phone (client certificates can authenticate the endpoint as well). The SBC may also apply further checks to the user during the SIP registration process.
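The following is an added example, not code from the original post or from Dialogic's products, showing the digest exchange an SBC runs for a REGISTER: the 401 challenge with a fresh nonce, the client's response, the server-side check with single-use nonces so a captured response cannot be replayed, and then what an on-path observer can still do with the captured pair when the signaling is not wrapped in TLS. The realm, the subscriber table, and the function names are constructed for the example.

```python
import hashlib
import secrets

# Constructed for this example: a hypothetical realm and a one-entry subscriber table.
REALM = "sip.example.net"
SUBSCRIBERS = {"alice": "correct horse battery"}  # username -> password


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user: str, password: str, method: str, uri: str, nonce: str) -> str:
    """SIP digest (RFC 3261 section 22, built on RFC 2617), algorithm MD5, no qop:
    response = MD5( MD5(user:realm:password) : nonce : MD5(method:uri) )."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class Registrar:
    """SBC-side view of REGISTER: hand out a fresh nonce in the 401, then check the
    Authorization header against the subscriber table. Nonces are single use, so a
    captured response cannot simply be replayed."""

    def __init__(self):
        self._live_nonces = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._live_nonces.add(nonce)
        return f'WWW-Authenticate: Digest realm="{REALM}", nonce="{nonce}", algorithm=MD5'

    def verify(self, user: str, method: str, uri: str, nonce: str, response: str) -> bool:
        if nonce not in self._live_nonces:
            return False  # unknown, expired or already-used nonce
        password = SUBSCRIBERS.get(user)
        if password is None:
            return False  # unknown subscriber; same answer as a bad password
        expected = digest_response(user, password, method, uri, nonce)
        if not secrets.compare_digest(expected, response):
            return False
        self._live_nonces.discard(nonce)  # consume it
        return True


def register_exchange(user: str, password: str, uri: str = "sip:sip.example.net"):
    """Run the two-round REGISTER exchange a SIP phone performs against the SBC.
    Returns (accepted, replay_accepted, nonce, response); the last two are exactly
    what an on-path observer sees when the signaling is not protected by TLS."""
    sbc = Registrar()
    www_auth = sbc.challenge()                                        # 401 Unauthorized
    nonce = www_auth.split('nonce="')[1].split('"')[0]
    response = digest_response(user, password, "REGISTER", uri, nonce)
    accepted = sbc.verify(user, "REGISTER", uri, nonce, response)     # second REGISTER
    replayed = sbc.verify(user, "REGISTER", uri, nonce, response)     # attacker resends it
    return accepted, replayed, nonce, response


def offline_guess(user: str, uri: str, nonce: str, captured: str, wordlist):
    """What a sniffer on an unencrypted link can do with the captured pair: the digest
    never reveals the password, but every candidate can be tested offline at will."""
    for guess in wordlist:
        if digest_response(user, guess, "REGISTER", uri, nonce) == captured:
            return guess
    return None


if __name__ == "__main__":
    ok, replay, nonce, resp = register_exchange("alice", "correct horse battery")
    print("registration accepted:", ok, "| replay accepted:", replay)
    print("offline guess from capture:",
          offline_guess("alice", "sip:sip.example.net", nonce, resp,
                        ["123456", "password", "correct horse battery"]))
```

The replay check is the part an SBC gets from the protocol itself; the offline guess is the part only TLS (or a strong password policy) can take away, which is why "digest over UDP" should not be equated with strong authentication.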
Next, the service provider wants to keep its topology private. SBCs typically offer several methods of topology hiding. One common approach is to operate the SBC as a back-to-back user agent (B2BUA): the SBC terminates the call leg arriving on one side and originates a fresh leg on the other, so the Via, Record-Route and Contact headers and the SDP media addresses seen on the public side carry only the SBC's own public address. Combined with network address translation between the public and private address spaces, this keeps the private IP addresses of the core from ever being exposed on the public side of the network.
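As an added example (not code from the post or from any Dialogic product), here is the header and SDP rewrite a B2BUA performs when it re-originates a request from the core toward the Internet, plus a check that scans a message for addresses in the provider's core range so you can confirm nothing leaked. The core network, the SBC addresses, and the sample INVITE are constructed for the example.

```python
import hashlib
import ipaddress
import re
import secrets

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed addressing for the example.
CORE_NET = "10.20.0.0/16"           # provider's private core range
SBC_PUBLIC_SIG = "198.51.100.10"    # SBC signaling address on the Internet side
SBC_PUBLIC_MEDIA = "198.51.100.11"  # SBC media relay address

# Constructed INVITE as it leaves the core; every 10.20.x.x literal is internal topology.
SAMPLE_INVITE = (
    "INVITE sip:+15551234567@203.0.113.9 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.20.30.40:5060;branch=z9hG4bK77a1\r\n"
    "Via: SIP/2.0/UDP 10.20.30.41:5060;branch=z9hG4bK77a0\r\n"
    "Record-Route: <sip:10.20.30.40;lr>\r\n"
    "From: <sip:alice@sip.example.net>;tag=1928301774\r\n"
    "To: <sip:+15551234567@peer.example.org>\r\n"
    "Call-ID: a84b4c76e66710@10.20.30.50\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@10.20.30.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 114\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.20.30.50\r\n"
    "s=-\r\n"
    "c=IN IP4 10.20.30.50\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)


def internal_addresses(msg: str, core_net: str) -> list:
    """Return every IPv4 literal in msg that falls inside the provider's core range."""
    net = ipaddress.ip_network(core_net)
    hits = []
    for lit in IPV4.findall(msg):
        try:
            if ipaddress.ip_address(lit) in net:
                hits.append(lit)
        except ValueError:
            continue
    return hits


def hide_topology(msg: str, sbc_sig: str, sbc_media: str, media_port: int) -> str:
    """Re-originate a SIP request on the public leg of a B2BUA.

    Path and endpoint headers (Via, Record-Route, Route, Contact, Call-ID) are
    replaced so only the SBC's signaling address is visible; the SDP is rewritten
    so media is anchored on the SBC's relay; Content-Length is recomputed."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    out = [lines[0]]
    via_written = False
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        if key in ("via", "v"):
            if via_written:
                continue  # inner hops are the B2BUA's private business
            via_written = True
            out.append(f"Via: SIP/2.0/UDP {sbc_sig}:5060;branch=z9hG4bK{secrets.token_hex(6)}")
        elif key in ("record-route", "route"):
            continue  # the SBC is the endpoint of this leg; no internal path to advertise
        elif key in ("contact", "m"):
            user = re.search(r"sip:([^@>]+)@", value)
            user_part = f"{user.group(1)}@" if user else ""
            out.append(f"Contact: <sip:{user_part}{sbc_sig}:5060>")
        elif key in ("call-id", "i"):
            new_id = hashlib.sha256(value.encode()).hexdigest()[:32]
            out.append(f"Call-ID: {new_id}@{sbc_sig}")  # new dialog identifier for the outer leg
        elif key in ("content-length", "l"):
            continue  # recomputed below
        else:
            out.append(line)
    if body:
        body = re.sub(r"^(o=\S+ \S+ \S+ IN IP4 )\S+", rf"\g<1>{sbc_media}", body, flags=re.M)
        body = re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {sbc_media}", body, flags=re.M)
        body = re.sub(r"^(m=audio )\d+", rf"\g<1>{media_port}", body, flags=re.M)
    out.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(out) + "\r\n\r\n" + body


if __name__ == "__main__":
    print("leaks before:", internal_addresses(SAMPLE_INVITE, CORE_NET))
    public = hide_topology(SAMPLE_INVITE, SBC_PUBLIC_SIG, SBC_PUBLIC_MEDIA, 20000)
    print("leaks after:", internal_addresses(public, CORE_NET))
    print(public)
```

The scan in internal_addresses is the check worth keeping around in production: run it on a capture taken on the public side of the SBC, and any hit is a header the rewrite rules missed.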
Finally, SBCs are often the first line of defense against denial of service attacks. These attacks can take many forms and may happen at any layer of the IP stack. SBCs typically enforce policies so that only valid, authenticated sessions are allowed into the network and all other incoming packets are rejected, and because the SBC sits at the border it can discard malformed or unexpected traffic before it consumes resources in the core. A related area where SBCs help is network overload. Here the incoming calls are legitimate but exceed the network's capacity; if the SBC simply forwarded everything, the core would slow down and start failing legitimate calls as well. Instead the SBC can implement SIP overload control algorithms that shed the excess at the border (for example with a 503 Service Unavailable response carrying a Retry-After value, as SIP already provides) so that the calls it does admit complete. This is an area where standards groups like the Internet Engineering Task Force (IETF) are continuing to devise more efficient methods for handling these conditions.
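As an added example that is not from the original post or from Dialogic, the admission policy below shows the three distinct outcomes an SBC applies at the border: silently dropping what is malformed or what comes from an unauthenticated source that has exhausted its budget, challenging the rest, and, for authenticated traffic that exceeds the core's call rate, shedding the overflow with a 503 instead of forwarding it. The thresholds, the sample messages, and the simulate() scenarios are constructed for the example; a real SBC would feed decide() from its packet path and populate the registration table from the digest exchange.

```python
import re
from collections import defaultdict, deque

# Only well-formed SIP requests get any further attention; everything else is
# discarded at the border without a reply.
REQUEST_LINE = re.compile(r"^(REGISTER|INVITE|ACK|BYE|CANCEL|OPTIONS) sips?:\S+ SIP/2\.0$")
MAX_MESSAGE_BYTES = 4096

# Constructed sample messages (headers trimmed to what the policy looks at).
REGISTER_MSG = "REGISTER sip:sip.example.net SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.77:5060\r\n\r\n"
INVITE_MSG = "INVITE sip:+15551234567@sip.example.net SIP/2.0\r\nVia: SIP/2.0/UDP 198.51.100.5:5060\r\n\r\n"


class BorderPolicy:
    """Admission decisions for one SBC interface. decide() returns one of:
    'drop'    - malformed, or an unauthenticated source over its budget: no reply
    '401'     - unauthenticated REGISTER/INVITE: send a digest challenge
    '503'     - authenticated but the core is at capacity: 503 with Retry-After
    'forward' - pass to the core"""

    def __init__(self, unauth_per_window=5, window_s=10.0, core_cps=50, retry_after_s=5):
        self.unauth_limit = unauth_per_window
        self.window = window_s
        self.core_cps = core_cps                 # calls per second the core can absorb (assumed)
        self.retry_after = retry_after_s         # value to put in the 503's Retry-After header
        self.registered = {}                     # src_ip -> registration expiry, set after auth
        self.unauth_hits = defaultdict(deque)    # src_ip -> timestamps of unauthenticated requests
        self.core_admits = deque()               # timestamps of INVITEs admitted in the last second

    def mark_registered(self, src_ip, now, expires_s=3600):
        self.registered[src_ip] = now + expires_s

    @staticmethod
    def _trim(q, cutoff):
        while q and q[0] <= cutoff:
            q.popleft()

    def decide(self, src_ip, raw, now):
        first = raw.split("\r\n", 1)[0]
        if len(raw) > MAX_MESSAGE_BYTES or not REQUEST_LINE.match(first):
            return "drop"                                  # not SIP, or not SIP we serve
        method = first.split()[0]
        if self.registered.get(src_ip, 0) <= now:         # unauthenticated source
            q = self.unauth_hits[src_ip]
            self._trim(q, now - self.window)
            if len(q) >= self.unauth_limit:
                return "drop"                              # flood: stop answering it at all
            q.append(now)
            return "401" if method in ("REGISTER", "INVITE") else "drop"
        if method == "INVITE":                             # authenticated: check core capacity
            self._trim(self.core_admits, now - 1.0)
            if len(self.core_admits) >= self.core_cps:
                return "503"                               # overload: shed at the border
            self.core_admits.append(now)
        return "forward"


def simulate():
    """Constructed scenarios: a registration flood, non-SIP garbage, a legitimate
    call, and a burst of legitimate calls above core capacity."""
    p = BorderPolicy(unauth_per_window=5, window_s=10.0, core_cps=50)
    results = {}
    flood = [p.decide("192.0.2.77", REGISTER_MSG, t * 0.01) for t in range(20)]
    results["flood_challenged"] = flood.count("401")
    results["flood_dropped"] = flood.count("drop")
    results["garbage"] = p.decide("192.0.2.78", "GET / HTTP/1.1\r\nHost: x\r\n\r\n", 1.0)
    p.mark_registered("198.51.100.5", now=2.0)
    results["legit_invite"] = p.decide("198.51.100.5", INVITE_MSG, 2.5)
    burst = []
    for i in range(60):
        ip = f"203.0.113.{i + 1}"
        p.mark_registered(ip, now=10.0)
        burst.append(p.decide(ip, INVITE_MSG, 10.0 + i * 0.001))
    results["overload_forwarded"] = burst.count("forward")
    results["overload_shed"] = burst.count("503")
    return results


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The distinction the code makes explicit is the one the paragraph draws: the flood and the garbage never get a SIP transaction, which is what protects the core from attack traffic, while the overload case is legitimate and is answered, just not forwarded.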
The wild west aspect of the open Internet has gotten service providers to take serious notice of the threats that can disrupt service for their customers. Service providers who want to protect their networks need to understand the threats and then implement solutions to address them. Enterprises implementing Voice over IP also need to review threats and look for effective solutions. At Dialogic, we offer an extensive range of Session Border Controller and Border Element solutions that address a wide variety of security and network productivity issues for service provider and enterprise customers. For more information, a good starting point is the brochure describing our BorderNet™ products. Another resource is our recently updated white paper on Session Border Controllers and Border Elements. Voice over IP service has come a long way during the past several years, and SBCs can help service providers and enterprises keep their networks secure and productive.
Posted 08-24-2011 11:22 AM by James Rafferty
Dialogic Corporation (Dialogic) is a leading provider of world-class, innovative technologies based on open standards that enable innovative mobile, video, IP, and TDM solutions for Network Service Providers and Enterprise Communication Networks. Dialogic's customers and partners rely on its leading-edge, flexible components to rapidly deploy value-added solutions around the world.