Session Border Controller and Its Role in VoIP Communications

VoIP traffic comprises a variety of codecs and protocols leading to mismatches affecting communications, areas superbly handled by the session border controller’s (SBC) ability to transcode codecs and translate protocols.

VoIP providers can help resolve these mismatches and provide a seamless experience. It can have other functions such as control and monitoring and NAT traversal besides hiding internal topology, proving to be the proverbial Swiss army knife for VoIP functionality. 

Session border controllers are used to control a user’s IP communications sessions. SBCs were originally created for VoIP networks, but they are now used to regulate all forms of online communication: VoIP text, VoIP instant messaging, VoIP video, and other collaboration formats.

Why you need a session border controller in your VoIP network

Voice over Internet Protocol (VoIP) is worlds apart from the standard legacy public switched telephone network (PSTN) lines, which are traditional circuit-switched telephone networks or a collection of voice-oriented public telephones.

Voice is “packetized” and uses IP to travel over open internet lanes until it reaches the final destination where the packets are reassembled. That makes voice traffic vulnerable to malicious attacks such as Denial of Service (DoS).

There’s also the other aspect of media codecs and protocol handling to enable seamless communication. The third is to hide internal network topology from external view and thus maintain security as well as facilitate communications. There are lesser but no less important tasks like scaling and prioritizing traffic that the SBC handles with ease.

Security

In order to understand one of the many roles the SBC plays, one must take a look at the session initiation protocol (SIP). Over time several flavors of SIP developed, bringing in their wake issues in VoIP communications. One would have to go into a lengthy explanation of how SIP works.

In brief, what happens when a SIP session is established is that endpoints carry information of IP addresses of point of origin and destination. The SIP messages carry “open” headers that proxies in the chain use. This means malicious attackers can use this information to attack proxies and gateways. It is easy to tunnel into networks and launch any kind of attack such as:

• DoS and Distributed Denial of Service (DDoS) leading to blockage of traffic
• Introduce malware
• Tap into data in the organization’s network
• Misuse VoIP to make calls at the subscriber’s expense

What does a session border controller do in this scenario? When the SIP messages go through the SBC it replaces addresses of internal components and encrypts information, making it difficult for hackers to target networks.

• The SBC can limit traffic and prevent DoS
• It can be configured for dynamic blacklists to drop traffic from blacklisted sources.
• Attempts at SQL injection can be forestalled by analysis of incoming SIP messages and rejecting malicious or malformatted content.
• By hiding internal topology it makes it difficult for hackers to target VoIP networks, Then again, it functions as a back-to-back user agent and splits SIP transactions into server and client parts, maintains state information, and deletes it on call termination.

Connectivity

Apart from the fact that there are several variations of SIP, the main drawback is that SIP ignores the issue of network address traversal or NAT. Most business-level networks are behind a firewall and devices use private IP addresses not routable on the internet. One may use solutions such as STUN and ICE but with mixed results.

On the other hand, SBC acts as the public interface, replacing user agent information with its own. Without the SBC in place, there will be issues such as not being able to connect outgoing calls or receive incoming ones. It goes further and sends media for the user back to the origination point in a symmetrical way to work around NAT.

VoIP is not just voice calls. Networks must handle media and emerging communication services such as OTT services, VoLTE, and WebRTC. Traffic becomes complex and connectivity can become an issue, especially when points of origin and destination use different media codecs and protocols.

What happens is that a call may not be received, there may be glitches, and you cannot make yourself audible or visible to the other party and, generally, experience issues.

Here again, the session border controller plays a key role:

• It takes care of transcoding media codecs and handling protocols, including those for HD and VoLTE as well as 3G/4G mobiles in addition to WebRTC and audio-video. You do away with interoperability issues with a quality SBC in your network. Making calls to anyone over a landline, broadband or mobile is an easy task.
• Unified communication and rich communications are becoming the norm. You need to use the same pathway for telephony, instant messaging, audio-video, fax, and SMS. It can also include WebRTC. In such present and future use scenarios, you can expect the SBC to effortlessly handle high data throughputs, carry out encryption and transcoding, and enforce quality of service.

The SBC network needs to evolve to be future-proof and deliver the highest levels of quality of service.

Quality of service

You may have your own definition of quality of service. For those using voice calls, the criterion may be the ability to get through on the first attempt. For some, it is important that audio quality and speech come across crystal clear.

The SBC solution should be able to use the transport protocol in use by the destination and use IPv4 or IPv6 as the case may be and translate incoming and outgoing protocols.

System administrators may insist that the SBC be capable of integrating signals and media and maintaining session state besides being able to handle any load and conduct deep packet inspection to ensure compliance with safety protocols.

Managers may wish to derive MOS scores or know routing performance and derive information on usage. Telecom operators and service providers may wish to have billing and accounting linked to calls and derive statistics.

The SBC is capable of all this and more to ensure the highest levels of services that the VoIP system must handle.

Regulatory

Telecom operations are subject to a variety of regulations. One such aspect is to monitor calls, track calls, record calls, and even intercept calls that you suspect are unauthorized.

It is not only calls that must be tracked; you may even need to keep a watch over the media. If you use only the SIP model then you have access to only the signaling component. Incorporate SBC into the network and you have a handle on media and signals.

It can go further in letting you set up your configuration to give access control and prevent fraud. This can be done by way of whitelist and blacklist. The SBC replaces the SDP address with its own to support NAT and, in the process, permits only authorized users can send media traffic.

Service providers may offer flat fee packages that can be misused by a subscriber who resells such availability and lead to an overload of the network besides causing a loss. The SBC tracks user behavior, number of parallel calls, and other activities as well as frauds.

You can regulate your VoIP system and you can stay compliant with local regulations, especially as regards confidentiality and security as is insisted upon in specific fields like healthcare.

The SBC solution, if you choose the right one from the right vendor, can do a lot in different areas. How to do it is also something you must know to extract maximum mileage.

How to protect your network with the right session border controller

You might want to go a step further and use the configuration feature to set up custom security for your network. This can be done in a few different ways.

Traffic policing

The session border controller can be configured to handle only calls from a defined user list and reject calls from others. You can set it up to monitor calls and gather user data such as numbers dialed, frequency of such usage, and time spent on each call.

This will help you define limits of usage. Policing will also detect malicious attempts at simultaneous calls with the intent to flood the network.

Resource allocation

One of the benefits of having the SBC in place is that you can allocate resources to specific users ranking high in importance, prioritize calls from certain numbers, and distribute bandwidth to ensure quality of service. For instance, you can prioritize signals over media so that voice calls do not face issues.

Rate limiting

Depending on the type of SBC solution in use the system may be able to handle a certain amount of concurrent calls and media traffic but it is also dependent on available bandwidth and internet speed.

In such cases, the system may be configured to limit the number of simultaneous calls. The SBC may limit registration requests through static means or permit registration for multiple phones. You could also separate signaling and media planes in the softswitch to permit the scaling of calls and media.

Call admission control

One way to guard against Denial of Service attacks is to set up call admission control policies. These are based on monitored traffic profiles of registered users and parsing of headers to identify the authenticity of calls. It is common to set up a transport layer and secure RTP encryption to protect traffic over open networks.

If an attack happens then the system responds by shutting traffic completely. However, AI-powered SBCs can distinguish between legitimate and suspicious activity and permit the flow of authenticated traffic.

ToS/DSCP bit setting

Another way to have better security is to focus on Type of Service (ToS) and set up DSCP marking. The ToS information is available as four-bit flags in the IP header and you can set only one bit at a time for minimum delay, for maximum throughput, for maximum reliability or for minimum cost. This supports media like audio, video, image, text and data based on protocols like SIP, H.245, and H.225.

The ToS values lets you create media type combination. You can be quite specific by defining and manipulating parameters such as media manager, media policy, and settings among others.

RFC 1349 underlies ToS but you can also use RFC 4594 underlying Differentiated Services to define ToS. However, it may apply only to RTP packets. You can map DSCP (DiffServ Code Point) values to ToS values and then pick on ToS setting in the IP bearer profile to fine-tune the security aspect.

It is best left to an expert to fine-tune the system for optimal security and performance based on SBC applications and the SBC network.

SBC applications

In its earlier avatar, the SBC had just one main application and that was to provide security for VoIP calls. However, as VoIP usage spread and codecs as well as protocols proliferated, it had to take on another role as facilitator.

• Emergence of VoLTE, HD Voice, Rich communication, and WebRTC also saw the SBC evolve to become part softswitch and part media control gateway.
• Service providers and telecom operators also needed to track, monitor, analyze, and bill customers for which a separate billing solution would be impractical. Incorporating the feature in the SBC led to accuracy, speed, and reduced burden.
• Volume of traffic keeps increasing for VoIP calls and the SBC takes on the mantle of handling bulk concurrent calls with ease, directing traffic, and prioritizing calls while keeping an eye open for unauthorized calls, blacklisted users, and attempts at intrusion. At the same time, it must maintain low latency while giving a boost to capacity as well as encryption and transcoding.
• It also handles the task of call control, deciding on which calls to admit, which to reject, watch metrics, and deliver data to help administrators refine system and control calls as well as costs.
• Today’s SBCs usually incorporate intelligent least cost routing feature as well to route traffic over the lowest cost but good quality network.
• You can expect a well designed SBC to take care of SSRC switching, TCP switching, DPT mapping and TLS tunneling.

Session border controllers may be available in the form of hardware or software, the latter becoming more popular by the day since there is a predefined limit in hardware device whereas software scales. Further, the trend is towards virtualization as a way towards better assimilation and reduced costs.

It is possible to customize SBC to suit specific application areas. For instance, SBCs used between two carriers may have emphasis laid on security, media codec transcoding and high volume of calls. Normalizing SIP is another function that the SBC takes care of effortlessly.

The SBC stands at the edge of network between operator and subscriber.

An enterprise may opt for SBC to safeguard its network and improve performance of calls and media interoperability besides putting in place controls, fraud detection and other measures to control costs and provide security. It also comes in handy for topology hiding and NAT traversal. One concern is to ensure security of the IP PBX system and the SBC addresses this admirably.

Carrier-carrier-subscriber

The SBC plays a variety of roles when used in the telecom carrier and VoIP service provider segment:

• It normalizes SIP and permits interoperability wit ease, thereby improving reputation of the service.
• It can be set up to handle large number of concurrent calls with no performance deterioration or dropped packets.
• Administrators can set up access control and fraud prevention configuration such as black and white lists and trust levels between peers.
• Hide internal topology and permit NAT traversal

Enterprise application

Enterprises are switching over to VoIP based PBX but they may still have existing PSTN lines. Apart from IP PBX there may be unified communications covering email, fax, SMS, voice and video calls and chat. However, phone is the mainstay and even here the flow and usage is complex when there are hundreds or thousands of users trying to call at the same time. So the SBC must be able to handle concurrent calls without any loss in quality of service.

Since the internal network contains precious and sensitive data, it is a prime imperative that the SBC hide the topology and close sessions on call termination while permitting NAT traversal. The PBX connects to the private interface and the public address is used to connect with telecom operator.

Enterprises are increasingly becoming subject to hacking attacks. The SBC simply anticipates and rejects such attempts at DoS, eavesdropping, tunneling, injection and so on, keeping its internal network secure while also encrypting media packets to prevent theft of voice data.

Conclusion

Many consider the SBC to be an unnecessary expense. The assumption is that if the telecom operator or the enterprise at the other end has SBC why bother with one here at this end? This is fallacious reasoning since the SBC at the other end protects that network, not yours. Besides, without the session border controller you will experience issues like call connectivity, media codecs transcoding and protocol handling which take the joy out of internet telephony and video.

The greatest benefit is security of your VoIP network and data in your internal network. The SBC handles all these with ease, never letting you know it is there but working day in and day out to facilitate communications at a lower cost, adding to your revenues. It is an investment, not an expense.

This article was originally published in 2020. It has been updated with new information.