[VOIPSEC] Session Border Controller use
Robert Welbourn
robert at welbourn.com
Wed Jun 21 14:43:36 CDT 2006
You'd want to deploy an SBC in either scenario for a number of important reasons:
NAT traversal. Even if you mandate that your customers use approved terminal adapters with some form of NAT support, you probably don't have complete control over the broadband routers used by your customers, which may negate the NAT support in the terminal devices. (And I'm sure you don't want your support folks telling customers how to turn on UPnP in their routers, for example.)
To protect against DDoS attacks on your softswitches and media gateways. You want to hide them from the outside world as much as possible.
As an additional security measure to protect your VoIP infrastructure against hacking. I have been in touch with one of the telecom operators affected in the recent case of VoIP fraud that has been much in the news, and it transpires that one of his media gateways was hacked.
You'd place the SBC at the border between your access network and your VoIP infrastructure. If your softswitch is hosted in someone else's network, you would want to keep the SBC as near to the customers as possible to cut down on router hops and delay.
Rob Welbourn
Product Manager
Aastra Telecom
Billerica, MA, USA
+1-978-436-4125
"Kaalund, Bruce" <Bruce_Kaalund at Cable.Comcast.com> wrote:
I have questions about the use and placement of Session Border
Controllers. I have a rather general understanding of their purpose and
use, but I am being questioned about placement in the network. My
questions are as follows:
1. When the end user and the Layer 2 Switch (CMS, Media gateway, etc.)
reside on the same network, and the calls are passed to the PSTN, is
there a need for the SBC? If so, where should the SBC be placed?
2. When the end user resides on one network, and the Layer 2 Switch
resides in a hosting facility on a different network, is there a need
for the SBC? If so, where should the SBC be placed?
3. I see a lot of value in the SBC for the protection of signaling
traffic. However, I have not been convinced of the value of using the
SBC for bearer traffic. I believe an attack on a particular call is
dependent upon either obtaining and replicating, or corrupting the
signaling traffic, in order to affect the bearer traffic of a particular
call. Why would I want to run the bearer traffic through the SBC?
Any and all opinions would be greatly appreciated. Thanx.
Bruce A. Kaalund
Director, Product Security Architecture
National Engineering & Technical Operations
Comcast Cable
1500 Market Street
Philadelphia, PA 19102
Telephone -- 215-851-3303
e-mail -- bruce_kaalund at cable.comcast.com
Doveryai No Proveryai - Trust but Verify
_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org