Session border controllers were originally designed to overcome an issue with VoIP traffic and firewalls. Many VoIP implementations, especially SIP-based ones require a large number of ports to be opened on a firewall. While they use specified ports for the signaling, the media is transported through ports dynamically assigned during the signaling process. This meant that the original firewall implementations required large ranges of ports to be opened for the media traffic, reducing their efficiency. SBC vendors designed their products to address this firewall deficiency allowing 'pinholes' in the perimeter to be dynamically assigned which reduces the security risk by taking care of the NAT/PAT.
However, SIP-enabled firewalls have addressed this deficiency, allowing VoIP implementations to utilize a standard firewall at the perimeter without an SBC. In response, many SBC vendors have increased the functionalities of their products, moving closer to the capabilities found in a SIP-based firewall and providing limited application layer security on top of a NAT/PAT solution. Full application layer security can be provided by a SIP-based firewall that provides full authentication and protection against both transport and protocol attacks. DOS, DDOS, impersonation, hijacking, SPAM/SPIT and other attacks can be prevented by utilizing this approach.
This was first published in November 2005