Session border controllers were originally designed to overcome an issue with VoIP traffic and firewalls. Many...
VoIP implementations, especially SIP-based ones require a large number of ports to be opened on a firewall. While they use specified ports for the signaling, the media is transported through ports dynamically assigned during the signaling process. This meant that the original firewall implementations required large ranges of ports to be opened for the media traffic, reducing their efficiency. SBC vendors designed their products to address this firewall deficiency allowing 'pinholes' in the perimeter to be dynamically assigned which reduces the security risk by taking care of the NAT/PAT.
However, SIP-enabled firewalls have addressed this deficiency, allowing VoIP implementations to utilize a standard firewall at the perimeter without an SBC. In response, many SBC vendors have increased the functionalities of their products, moving closer to the capabilities found in a SIP-based firewall and providing limited application layer security on top of a NAT/PAT solution. Full application layer security can be provided by a SIP-based firewall that provides full authentication and protection against both transport and protocol attacks. DOS, DDOS, impersonation, hijacking, SPAM/SPIT and other attacks can be prevented by utilizing this approach.
Related Q&A from Andrew Graydon
For best practices, what traffic logging should be performed at firewalls? Is there an encryption for Voice over IP -- for example, to protect ...continue reading
A law enforcement professional charged with understanding the ways that crimincals might abuse VoIP, gets expert advice from Andrew Graydon, Chair of...continue reading
Expert Andrew Grayson of VoIPSA explains some cost-efficient alternatives to keeping data and VoIP traffic on separate VLANs.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.