Session Border Control and Security, Part 1: Your Defensive Line
Posted on Mon, Nov 28, 2011 @ 01:00 PM
By Bob Bradley, Product Line Manager, Security Solutions at Sonus Networks
In my last blog, I likened the selection and deployment of a Session Border Controller (SBC) to a football team preparing for Opening Day. Now that we’re at midseason in the football schedule, I thought I would write about the need to review your SBC’s performance, particularly as it relates to your network’s defensive line.
In the early days of Voice over IP (VoIP), carrier networks were protected only by SBCs at their peering points. (You can think of the peering point as the line of scrimmage between a carrier and the outside world.) These SBCs were standalone devices that were each provisioned with local routing information, served a very limited and specialized role in VoIP applications, and were not integrated with the rest of the network elements. And carriers believed their networks would remain secure because the SBCs created a defensive line against attacks. As VoIP became more popular and VoIP-based network attacks became more sophisticated, however, the standalone defense-perimeter-only model created by these SBCs proved inadequate.
Just as a football team’s defensive line is made up of different roles as well as different players, the SBC plays a specific role in an overall VoIP/Unified Communications network security architecture. In today’s world, a holistic security architecture enforced by best defensive practices is mandatory. This holistic security strategy is known as “defense-in-depth”; it provides an overlay of security (i.e., a defensive game plan) beyond the front-line defense of SBCs to create a meshed security architecture with no holes. This approach ensures that carriers can continue to provide carrier-class reliability and integrity, play after play, in the IP-enabled world.

There are many reasons behind the increasing popularity of the defense-in-depth model for VoIP networks. From the network operator’s perspective, as the Defensive Captain, the most significant advantage is the newfound ability to detect and mitigate targeted threats in real time against any core network element, regardless of attack vector. In football terms, we would think of it as an offensive team sending their receivers on different patterns to stretch the field in order to weaken the security at key points. Choosing a more holistic approach to network security represents a coming of age for VoIP communications as more carriers (and, increasingly, enterprises too) are selecting and deploying multiple security products with unique but complementary roles to fortify their network defense against just these sorts of attacks.
Choosing The Holistic Approach
So what does it take to build a holistic network defense? Start by examining your security needs across these three dimensions:
- Security and access control at the network border (your defensive linemen)
- Security and integrity of the network border element itself (your linebackers)
- Hardened core elements such as media gateways, route servers, feature servers, management systems, etc., and their inter-element communications (your defensive backs)
By addressing these three areas, VoIP network operators can build an overall security architecture that provides threat detection, prevention and mitigation across their entire network. At Sonus, we encourage our customers to “look beyond the box” and consider holistic security not just as a defensive strategy but as a way to score points with customers (better voice quality, commerce enablement, etc.).
For more on this subject, stay tuned for Part 2 of this blog, where I tackle the need for topology hiding, fraud protection and more.