[VOIPSEC] Session Border Controller use

Andre Fucs de Miranda afucs-listas at mandicmail.com
Wed Jun 21 19:44:57 CDT 2006


Bruce,

> 1.  When the end user and the Layer 2 Switch (CMS, Media gateway, etc.)
> reside on the same network, and the calls are passed to the PSTN, is
> there a need for the SBC?  If so, where should the SBC be placed?

Yes and no. It should be placed between the user and the Switch. Never trust
your user. CPEs can be "hacked" (like it happened with cable modem uncapping)
so never trust your subscriber. Also plan for the products your
company plans to offer. While for some cable operators the PacketCable's EMTA
is the "natural way", the market may pressure for SIP-based mobility, SIP
business subscribers, etc.

> 2.  When the end user resides on one network, and the Layer 2 Switch
> resides in a hosting facility on a different network, is there a need
> for the SBC?  If so, where should the SBC be placed?

Yes and no.

It should be placed between the user and the Switch and between the Switch and
possible peers.

> 3.  I see a lot of value in the SBC for the protection of signaling
> traffic.  However, I have not been convinced of the value of using the
> SBC for bearer traffic.  I believe an attack on a particular call is
> dependent upon either obtaining and replicating, or corrupting the
> signaling traffic, in order to affect the bearer traffic of a particular
> call.  Why would I want to run the bearer traffic through the SBC?

In theory the SBCs are a "must have security device" for VoIP services;
practice shows that although some SBCs will have some protocol integrity
checks, rate controls and topology hiding (including NAT traversal, etc.), some
of them have poor session control, faulty redundancy mechanisms and every
single thing you don't expect that a system between you and your customer will
have.

IMHO SBCs are going to be as firewalls are now. You don't need them but they
help you to hide the day-by-day network mess. Like firewalls they will fail
to provide long-lasting security.

Experience shows that you don't need to pass the bearer traffic through the
SBC. But according to some people if you jump into this scenario you are not
using an SBC anymore. :-)

Best regards,

Andre Fucs




