SHARE



ABOUT THE AUTHOR


Andrew Prokop
Andrew Prokop has been heavily involved in the world of communications since the early 1980s. He holds five United States...
Read Full Bio >>
SHARE



Andrew Prokop | January 05, 2016 |

 
   

Where Have All the SBCs Gone?

Where Have All the SBCs Gone? Should you place the SBC on the network edge or within the DMZ behind an enterprise firewall?

Should you place the SBC on the network edge or within the DMZ behind an enterprise firewall?

"We all tend to make zealous judgement, and thereby close ourselves off from revelation."
-Madeleine L'Engle

A few weeks ago, I wrote the first of my teaser articles for the Enterprise Connect 2016 session, Understanding and Leveraging SIP for Your Enterprise. Admittedly, it was pretty nerdy and protocol intensive. While I will certainly be delving into the low-level aspects of SIP during my EC16 presentation, I plan on doing much more than that.

Today, I would like to take the conversation a few thousand feet higher and delve into an important aspect of SIP as a solution.

Get me to the Church on Time

I am surrounded by zealots. No, I am not talking about dedicated followers of organized religions. I am talking about the secular zealots who approach technology as if it was religion. You know what I am taking about: Mac vs. Windows. Firefox vs. Chrome. Android vs. iPhone.

My latest struggle has to do with those who proselytize their views on Session Border Controller (SBC) placement. Does it belong on the network edge or within the DMZ behind an enterprise firewall? You might think that this would be a fairly straightforward decision, but I've found that the "experts" fall into two different camps (or dare I say it, pews).

First Pew: Sitting on the Network Edge

The argument employed by these folks is that an SBC is a standalone security device. It was designed to keep the bad guys out and let the good guys in. An SBC is a Back-to-Back User Agent that does a deep packet inspection of every SIP packet that enters or leaves an enterprise's network. It can detect and reject badly formed or suspicious SIP messages. It can stop denial-of-service (DOS) and distributed denial-of-service (DDOS) attacks. It can detect bad login attempts and block hackers. An SBC maintains a blacklist of malicious IP addresses and prevents rogue users from accessing your communications system.

In other words, an SBC is a SIP firewall. It does not need a traditional data firewall to pre-process packets before it sees them.

How SIP messages get to the SBC depends on the network topology. If the SIP packets arrive on a dedicated WAN connection, then you simply send everything straight to the SBC. However, if SIP packets share the same WAN connection as other data packets (e.g. HTTP), then some sort of VLAN separation is necessary. One VLAN would be dedicated to SIP, and the SBC and the other VLAN would be used by the data firewall.

portable


Second Pew: Behind an Enterprise Firewall

In this case, SIP traffic hits the data firewall before being passed to the SBC. It's important that any and all SIP processing be disabled within the firewall. By this I mean that all "SIP detection," "SIP inspection," and "SIP ALG (Application Layer Gateway)" functionality must be turned off. Anything that arrives on ports 5060 (SIP) or 5061 (TLS) will be sent directly to the SBC for processing. The SBC will direct the firewall to send all subsequent RTP and SRTCP traffic to the SBC.

Once the SIP traffic has been handed off to the SBC, all the "First Pew" benefits are realized. A data firewall does not inhibit an SBC from performing its role as a security agent.

There are multiple arguments employed by the "Second Pew" followers to state their case.

First, most modern enterprises already employ a DMZ flanked by internal and external firewalls. A session border controller should fit into an enterprise's existing security architecture and not be treated as an anomaly.

Second, security should be applied in layers, and an SBC's VoIP features are simply additional layers in a comprehensive and cohesive security process.

Lastly, as enterprises move from basic SIP trunks to remote SIP users, protocols outside of SIP become necessary. The data firewall will handle the non-SIP protocols (e.g. HTTPS), and the SBC will deal with SIP. The remote user sends all its packets to a single IP address, and the firewall acts as the traffic cop.

portable


My Homily

I understand the arguments on both sides and appreciate their thoughts, reasons, and concerns. To me, it comes down these points:

  • If an enterprise's policy is to send everything through the DMZ and corporate firewall(s), then do so. Firewalls and SBCs can be configured to play together nicely.
  • If you are using remote users that require more than SIP to function properly, put the SBC behind the firewall. Let each security element deal with what it knows how to deal with.
  • If you are only looking at SIP trunks and have no strict DMZ policy, put the SBC where it makes sense. Distinct SIP and non-SIP circuits make it easy to decouple an SBC from the data firewall. A single data circuit requires you to either implement VLAN separation or configure the SBC and firewall to work together. Pick the configuration that works best for you.
  • As I stated earlier, always disable SIP processing on the firewall. It causes more harm than good and typically results in one-way audio and lost signaling messages.
Can I Get a Witness?

As I said in the beginning, some of this is religious, but there are also practical reasons as to why you would go one way or the other. Like most things in life, don't approach this blindly. Think about what you are trying to accomplish, fully understand existing security policies, and make an intelligent, informed choice.

Andrew Prokop writes about all things unified communications on his popular blog, SIP Adventures.

Register now for Enterprise Connect 2016, taking place March 7 – 10 at the Gaylord Palms in Orlando, Fla., to take advantage of reduced rates. Use the code NJPOST to receive $200 off the current conference price.

Follow Andrew Prokop on Twitter and LinkedIn!
@ajprokop
Andrew Prokop on LinkedIn





COMMENTS



Enterprise Connect Orlando 2017
March 27-30 | Orlando, FL
Connect with the Entire Enterprise Communications & Collaboration Ecosystem


Stay Up-to-Date: Hear industry visionaries in Keynotes and General Sessions delivering the latest insight on UC, mobility, collaboration and cloud

Grow Your Network: Connect with the largest gathering of enterprise IT and business leaders and influencers

Learn From Industry Leaders: Attend a full range of Conference Sessions, Free Programs and Special Events

Evaluate All Your Options: Engage with 190+ of the leading equipment, software and service providers

Have Fun! Mingle with sponsors, exhibitors, attendees, guest speakers and industry players during evening receptions

Special Offer - Save $200 Off Advance Rates

Register now with code NOJITTEREB to save $200 Off Advance Rates or get a FREE Expo Pass!

March 8, 2017

Enterprise IT's ability to innovate is critical to the success of the business -- 80% of CIOs agree. But the CIO role has never been more challenging than it is today, with rising operational respo

February 22, 2017

Sick of video call technology that make participants look like they're in the witness protection program? Turns out youre not alone. Poor-quality video solutions can give users an unprofessional ap

February 7, 2017

Securing voice communications used to be very simple since it was generally a closed system. However, with unified communications (UC) you no longer have the walled protection offered by a dedicate

February 24, 2017
UC analyst Blair Pleasant sorts through the myriad cloud architectural models underlying UCaaS and CCaaS offerings, and explains why knowing the differences matter.
February 17, 2017
From the most basics of basics to the hidden gotchas, UC consultant Melissa Swartz helps demystify the complex world of SIP trunking.
February 7, 2017
UC&C consultant Kevin Kieller, a partner at enableUC, shares pointers for making the right architectural choices for your Skype for Business deployment.
February 1, 2017
Elka Popova, a Frost & Sullivan program director, shares a status report on the UCaaS market today and offers her perspective on what large enterprises need before committing to UC in the cloud.
January 26, 2017
Andrew Davis, co-founder of Wainhouse Research and chair of the Video track at Enterprise Connect 2017, sorts through the myriad cloud video service options and shares how to tell if your choice is en....
January 23, 2017
Sheila McGee-Smith, Contact Center/Customer Experience track chair for Enterprise Connect 2017, tells us what we need to know about the role cloud software is playing in contact centers today.