To judge whether VoIP is secure, one must understand how it works and where the SBC enters the network to provide a better customer experience.
A typical system may have IP phones and standard PSTN phones connected through a server to the internal LAN, which connects to the internet. VoIP uses the SIP and H.323 signaling protocols to set up, manage and terminate calls. The Media Gateway Control Protocol handles the interface between PSTN and VoIP gateways. H.323 includes a set of sub-protocols: H.225 for call control, H.235 for security framework and call setup, H.245 for specifying media paths and H.450 for supplementary services. Transport Layer Security sets up the call and H.323, on top of UDP, uses the real-time transport and real-time transport control protocols. Voice packets are encrypted and are inherently more secure compared to PSTN lines.
However, SIP presents vulnerabilities in that it is based on the HTTP protocol and its requests cannot be encrypted end to end. The text-based message has headers that cannot be encrypted and make the network vulnerable. Further, the process opens up ports that make internal topology visible in a manner of speaking. This vulnerability allows hackers to tunnel into the system and carry out exploits. Where NAT is used, the IP address and port information are not encrypted, which raises another security issue. Even secured SIP offers an encrypted tunnel that permits tapping in or intruding into the network. In short, even when it is behind a firewall, VoIP has vulnerabilities leaving the network open to attacks.
– VoIP vulnerabilities can leave the user network open to Denial of Service or Distributed Denial of Service attacks that simply jam the network and make it impossible to receive or make calls.
– Spamming over the Internet, or SPIT attacks, can take place, in which hackers may leave voice messages on IP phones.
– It is possible to hijack identities and steal money in what is known as VoIP phishing. Hackers may introduce malware or steal business data.
– Some may engage in remote eavesdropping and extract data.
Basic countermeasures may be taken to make VoIP more secure:
– One way is to use IPsec, S/MIME, and TLS. An encryption mechanism is applied at lower layers. The drawback is that these tasks are CPU intensive. Further, this introduces latency that affects call quality.
– Another way is to use device authentication and to permit access only to known addresses.
– A third way is to separate voice and data using different logical networks.
– Introduce best practices for users and use anti-virus and anti-malware tools.
However, these are not adequate if hackers employ sophisticated methods. This is where the session border controller steps in: it provides vastly improved security and also improves the quality of services and calls, leading to user delight.
Session Border Controller – multi-purpose and indispensable
From the security perspective the session border controller proves to be indispensable:
– It identifies and prevents DoS/DDoS attacks
– It hides the internal network topology and keeps the internal network fully protected.
– The SBC plays a crucial role in network address traversal while fully encrypting all VoIP packets.
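The topology exposure described earlier and the topology hiding listed above, as an added example (not from the original article or from any SBC product): it lists the internal addresses a cleartext SIP INVITE carries in its headers and SDP body, then applies a simplified outside-leg rewrite. The sample INVITE is constructed, and the SBC address `203.0.113.10` and all function names are assumptions.

```python
import ipaddress
import re

SBC_IP = "203.0.113.10"  # assumed outside address of the SBC (documentation range)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: an INVITE as it leaves the internal proxy, before the SBC.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.net SIP/2.0",
    "Via: SIP/2.0/UDP 10.0.1.2:5060;branch=z9hG4bK-proxy-1",
    "Via: SIP/2.0/UDP 10.0.5.23:5060;branch=z9hG4bK-phone-1",
    "From: <sip:alice@example.com>;tag=1928301774",
    "To: <sip:bob@example.net>",
    "Call-ID: a84b4c76e66710@10.0.5.23",
    "CSeq: 1 INVITE",
    "Contact: <sip:alice@10.0.5.23:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 10.0.5.23",
    "s=-",
    "c=IN IP4 10.0.5.23",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "",
])

def is_internal(text):
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:  # e.g. 999.1.1.1 matched by the loose regex
        return False
    return any(ip in net for net in RFC1918)

def leaked_addresses(message):
    """Return (header or SDP field, address) for every internal IP in the message."""
    leaks = []
    for line in message.split("\r\n"):
        field = re.split(r"[:=]", line, maxsplit=1)[0]
        leaks += [(field, ip) for ip in IPV4.findall(line) if is_internal(ip)]
    return leaks

def hide_topology(message, sbc_ip=SBC_IP):
    """Simplified outside-leg rewrite: one SBC Via, internal IPs replaced by the SBC's."""
    lines = [l for l in message.split("\r\n") if not l.startswith("Via:")]
    lines.insert(1, f"Via: SIP/2.0/UDP {sbc_ip}:5060;branch=z9hG4bK-sbc-1")
    swap = lambda m: sbc_ip if is_internal(m.group()) else m.group()
    return "\r\n".join(IPV4.sub(swap, l) for l in lines)
```

A production SBC also keeps per-dialog state so that replies can be mapped back to the internal leg, generates a unique branch per transaction, recomputes Content-Length when present, and relays the media itself; the sketch omits all of that.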
From the user perspective, session border controllers work in a variety of ways to deliver a superior experience:
– SBCs normalize SIP and prevent the headaches that arise from interoperability problems between the different flavors of SIP in use.
– The session border controller handles all known codecs and takes care of media transcoding. The SBC is responsible for call admission control policies and handling voice packets as well as prioritization. There are fewer instances of dropped packets and call quality improves dramatically with an SBC in the network.
– SBCs can also reduce the cost of operation since they handle routing of traffic over the least cost route.
A session border controller is essential from the perspective of security and from the perspective of user experience. It is indispensable for all enterprises that use VoIP communications.