Hardened Security for an Untrusted Boundary | Ribbon SBCs – Protecting Enterprise Unified Communications
Now more than ever, enterprises are migrating from TDM to IP-based communications in order to fit the way their customers and employees communicate in today's digital world. SIP is a simple, cost-effective way to accelerate the deployment of unified communications (UC) and to gain new efficiencies. SIP should be treated as a core building block of secure UC, as important as the underlying IP network. Ribbon's session border controller (SBC) solutions allow a seamless and secure migration to SIP. With Ribbon, enterprises can quickly, easily and securely deploy new UC applications with centralized management across their UC networks.
The Threat to Unified Communications
Session Initiation Protocol (SIP) attacks can occur for a variety of reasons and from a variety of sources, and can significantly impact an enterprise's productivity and revenue. Some attacks, such as denial of service (DoS), are designed to bring communications networks down. By constantly flooding the network with SIP messages, bad actors can disrupt or even shut down operations and, as in any extortion scheme, may not stop until the target has paid a ransom. To stop these SIP-based attacks, enterprises need an SBC to protect their UC network and to ensure the security and flow of SIP sessions as they traverse between secure and non-secure endpoints.
Ribbon's Solution to Protect your Unified Communications
To protect voice networks against the widest possible range of attacks, an enterprise UC security strategy should protect both the endpoints and the media itself. This can be achieved with network border security elements such as Ribbon's session border controllers (SBCs), which provide privacy and compliance, protect UC assets and secure UC networks.
Protecting your Unified Communication Assets
Hacking into a UC session requires that the malicious party intercept the signaling and/or media flowing between two endpoints at one of several points along the communications path. Several potential points of attack, or attack vectors, exist in real-time communications (RTC) sessions, including:
- UC application servers
- Call control elements, such as PBXs and automatic call distributors (ACDs)
- Session-layer servers and proxies, such as SBCs
- Transport and network layer elements, such as routers
- Link-layer elements, such as Ethernet switches and wireless LANs
- Endpoints, such as desktop and laptop PCs, mobile devices, IP phones and video conferencing terminals
Ribbon SBCs protect UC assets from a range of threats and anomalies. They maintain their scale, quality and performance while processing known UC users, and use several methods to prevent bad actors from initiating attacks and penetrating an enterprise's UC network.
Network Topology Hiding
Ribbon SBCs hide your network topology by acting as a back-to-back user agent (B2BUA) as defined by the Internet Engineering Task Force (IETF) RFC 3261. Serving as a B2BUA, Ribbon SBCs divide a SIP session into two distinct segments: one between the endpoint and the SBC; the other between the SBC and the IP private branch exchange (PBX) or unified communications (UC) server.
Trunk groups are configured at the network edge to manage call admission, traffic controls and other functions between the enterprise and the service provider network, so that all call signaling traffic is routed through the SBC.
Similarly, Real-time Transport Protocol (RTP) relay allows media flows to be proxied through the SBC. The Ribbon SBC therefore translates the IP addresses and ports of every signaling and media stream that traverses the system, hiding the core network's addressing scheme from the far side.
Malformed Packet Protection
Bad actors may send malformed packets to crash the UC application or service, or to exploit a vulnerability that provides unauthorized access. Because Ribbon SBCs parse every message and maintain full session state, they are able to detect and stop malformed packets, and messages that do not fit the current session, before they reach the UC network.
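The two edge functions described above, malformed-message rejection and B2BUA topology hiding, share the same first step: the SBC must parse the SIP message before it can judge or rewrite it. The following example, added here and not Ribbon's code, shows both on one constructed INVITE. The SBC's external address (203.0.113.10), the internal PBX address (10.0.0.5), the relay port and the sample messages are all assumptions made for the example; the validator checks only a handful of RFC 3261 mandatory headers and consistency rules, not the full grammar a production SBC enforces.

```python
import re
import uuid

# Assumptions (not from the page): the SBC's public-facing signaling address.
SBC_EXTERNAL_IP = "203.0.113.10"
SBC_EXTERNAL_PORT = 5060

_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
_REQUIRED = ("via", "from", "to", "call-id", "cseq", "max-forwards")


def parse_sip(raw: str):
    """Parse a SIP request into (method, uri, headers, body).

    Raises ValueError for malformations an SBC rejects at the edge: missing
    header/body separator, bad request line, header without a colon, missing
    mandatory headers, Content-Length/body mismatch, CSeq/method mismatch.
    """
    if "\r\n\r\n" not in raw:
        raise ValueError("missing CRLFCRLF separator")
    head, body = raw.split("\r\n\r\n", 1)
    lines = head.split("\r\n")
    m = _REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError(f"bad request line: {lines[0]!r}")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    present = {n.lower() for n, _ in headers}
    missing = [h for h in _REQUIRED if h not in present]
    if missing:
        raise ValueError(f"missing mandatory headers: {missing}")
    length = [v for n, v in headers if n.lower() == "content-length"]
    if length and (not length[0].isdigit() or int(length[0]) != len(body.encode())):
        raise ValueError("Content-Length does not match body")
    cseq = next(v for n, v in headers if n.lower() == "cseq")
    if not re.fullmatch(r"\d+ [A-Z]+", cseq) or cseq.split()[1] != m.group(1):
        raise ValueError(f"CSeq {cseq!r} inconsistent with method {m.group(1)}")
    return m.group(1), m.group(2), headers, body


def is_well_formed(raw: str) -> bool:
    """True if the message passes the checks above; an SBC drops anything else."""
    try:
        parse_sip(raw)
        return True
    except ValueError:
        return False


def hide_topology(raw: str, internal_ip: str, relay_port: int) -> str:
    """Re-originate a request on the outside leg the way a B2BUA does.

    Only the SBC's address survives in Via, Contact, From/To hosts, Call-ID and
    the SDP origin/connection lines; the media port becomes the SBC's RTP relay
    port; vendor fingerprints (User-Agent/Server) are dropped.
    """
    method, uri, headers, body = parse_sip(raw)
    drop = {"via", "record-route", "user-agent", "server", "content-length", "call-id"}
    out = []
    for name, value in headers:
        if name.lower() in drop:
            continue
        if name.lower() in ("contact", "from", "to"):
            value = value.replace(internal_ip, SBC_EXTERNAL_IP)
        out.append((name, value))
    # Fresh top Via and a new Call-ID: the outside leg is a separate dialog.
    # (A real B2BUA stores the old/new Call-ID mapping to correlate both legs.)
    out.insert(0, ("Via", f"SIP/2.0/UDP {SBC_EXTERNAL_IP}:{SBC_EXTERNAL_PORT}"
                          f";branch=z9hG4bK{uuid.uuid4().hex[:16]}"))
    out.append(("Call-ID", f"{uuid.uuid4().hex}@{SBC_EXTERNAL_IP}"))
    sdp = []
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            line = f"c=IN IP4 {SBC_EXTERNAL_IP}"
        elif line.startswith("o="):
            parts = line.split()
            parts[-1] = SBC_EXTERNAL_IP
            line = " ".join(parts)
        elif line.startswith("m="):
            parts = line.split()
            parts[1] = str(relay_port)
            line = " ".join(parts)
        sdp.append(line)
    new_body = "\r\n".join(sdp)
    out.append(("Content-Length", str(len(new_body.encode()))))
    return (f"{method} {uri} SIP/2.0\r\n"
            + "".join(f"{n}: {v}\r\n" for n, v in out)
            + "\r\n" + new_body)


# Constructed sample: an INVITE leaving an internal PBX at 10.0.0.5.
_SDP = "\r\n".join([
    "v=0", "o=alice 2890844526 2890844526 IN IP4 10.0.0.5", "s=-",
    "c=IN IP4 10.0.0.5", "t=0 0", "m=audio 49170 RTP/AVP 0",
])
INVITE = "\r\n".join([
    "INVITE sip:bob@example.net SIP/2.0",
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds",
    "Max-Forwards: 70",
    "From: <sip:alice@10.0.0.5>;tag=1928301774",
    "To: <sip:bob@example.net>",
    "Call-ID: a84b4c76e66710@10.0.0.5",
    "CSeq: 314159 INVITE",
    "Contact: <sip:alice@10.0.0.5:5060>",
    "User-Agent: InternalPBX/4.2",
    "Content-Type: application/sdp",
    f"Content-Length: {len(_SDP)}",
    "", _SDP,
])
# Constructed malformed variants: wrong Content-Length, CSeq/method mismatch, truncated.
BAD_LENGTH = INVITE.replace(f"Content-Length: {len(_SDP)}", "Content-Length: 9999")
BAD_CSEQ = INVITE.replace("CSeq: 314159 INVITE", "CSeq: 314159 BYE")
TRUNCATED = INVITE[:60]

if __name__ == "__main__":
    print(is_well_formed(INVITE), is_well_formed(BAD_LENGTH), is_well_formed(BAD_CSEQ))
    print(hide_topology(INVITE, "10.0.0.5", 20000))
```

Run it and compare the rewritten INVITE with the original: every occurrence of 10.0.0.5 and the PBX's User-Agent string is gone, while the message still passes the same validator, which is the property a topology-hiding B2BUA has to preserve on every leg.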
Adaptive Overload Controls
Call admission control limits the number of UC sessions that can be active simultaneously in order to prevent network overload. An overload can degrade the performance of other calls on the network, or crash an RTC environment entirely, in effect a self-inflicted denial of service.
Ribbon SBCs allow overload threshold parameters to be configured on the SBC based on CPU and memory utilization. When a threshold is reached, the SBC adjusts the rate at which it accepts new calls and registrations up or down to hold CPU usage at the target configured for that level. This maximizes system throughput without exceeding the desired CPU utilization threshold. During adaptive throttling, the Ribbon SBC can assign different preferences (priorities) to normal calls, emergency calls and initial SIP registrations, so that the lowest-priority traffic is shed first.
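The control loop described above, as an added example that is not Ribbon's implementation: a per-interval admission budget is raised or lowered from the measured CPU load, and each traffic class may draw that budget down only to its own reserved floor, so registrations are rejected first, normal calls next, and emergency calls last. The target of 80% CPU, the 200-per-interval ceiling, the 2%-per-1%-overshoot decrease, the 5% additive increase, the class floors and the two-interval trace are all assumptions chosen for the example; integer arithmetic is used so the numbers are exact.

```python
from dataclasses import dataclass, field

# Priority classes. Each class may draw the per-interval admission budget down
# only to its reserved floor (percent of the current rate): registrations are
# shed first, normal calls next, emergency calls last. (Assumed values.)
PRIORITY_FLOOR_PCT = {"emergency": 0, "call": 10, "register": 30}


@dataclass
class AdaptiveOverloadController:
    target_cpu_pct: int = 80      # CPU level the controller tries to hold (assumed)
    max_rate: int = 200           # ceiling on admissions per control interval
    min_rate: int = 5             # never throttle below this: emergency headroom
    rate: int = 200               # current admissions per interval
    budget: int = field(init=False)

    def __post_init__(self):
        self.budget = self.rate

    def update(self, cpu_pct: int) -> int:
        """Start a new control interval from the CPU measured in the last one.

        Over target: multiplicative decrease proportional to the overshoot
        (2% of rate per 1% over, bounded to a 10%..50% cut). Under target:
        additive increase of 5% of max_rate. Returns the new rate.
        """
        if cpu_pct > self.target_cpu_pct:
            keep_pct = max(50, min(90, 100 - 2 * (cpu_pct - self.target_cpu_pct)))
            self.rate = max(self.min_rate, self.rate * keep_pct // 100)
        else:
            self.rate = min(self.max_rate, self.rate + self.max_rate * 5 // 100)
        self.budget = self.rate
        return self.rate

    def admit(self, kind: str) -> bool:
        """Admit one request of the given class, or reject it (e.g. SIP 503 with Retry-After)."""
        floor = self.rate * PRIORITY_FLOOR_PCT[kind] // 100
        if self.budget >= 1 and self.budget - 1 >= floor:
            self.budget -= 1
            return True
        return False


def round_robin(offered: dict) -> list:
    """Interleave the offered load so classes arrive mixed, as on a real trunk."""
    longest = max(offered.values(), default=0)
    return [k for i in range(longest) for k, n in offered.items() if i < n]


def simulate(ctrl: AdaptiveOverloadController, intervals: list) -> list:
    """intervals: (measured_cpu_pct, offered {kind: count}) per control interval."""
    summary = []
    for cpu_pct, offered in intervals:
        rate = ctrl.update(cpu_pct)
        admitted = dict.fromkeys(PRIORITY_FLOOR_PCT, 0)
        rejected = dict.fromkeys(PRIORITY_FLOOR_PCT, 0)
        for kind in round_robin(offered):
            (admitted if ctrl.admit(kind) else rejected)[kind] += 1
        summary.append({"rate": rate, "admitted": admitted, "rejected": rejected})
    return summary


# Constructed trace: one interval with CPU at 95% under a registration and call
# flood, then one at 75% once the flood subsides.
TRACE = [
    (95, {"register": 100, "call": 100, "emergency": 5}),
    (75, {"register": 20, "call": 20, "emergency": 0}),
]

if __name__ == "__main__":
    for row in simulate(AdaptiveOverloadController(), TRACE):
        print(row)
```

In the first interval the rate drops from 200 to 140; all 5 emergency calls are admitted, 74 of 100 calls and only 47 of 100 registrations get through, and 14 admissions stay in reserve for emergencies that never arrive. In the second interval the rate recovers to 150 and the lighter load is admitted in full. The floors are what make the priority ordering hold regardless of arrival order; a single shared counter without them would let a registration flood starve emergency calls.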