Are you looking to secure VoIP networks against security attacks without compromising call quality in the process? As customers migrate to IP PBXs and unified communications (UC) solutions, understanding the differences between enterprise session border controllers (E-SBCs) and firewalls is critical to avoiding the conflicts that can arise between the two.
What are E-SBCs and firewalls?
An E-SBC is deployed in the session layer and connects the enterprise communications infrastructure to the public Internet, session initiation protocol (SIP) trunk service providers and/or private networks. It terminates and reassembles received communications to manage traffic while ensuring that the entire UC solution is secure.
Conversely, firewalls prevent unauthorized access to or from a private network. These systems can be implemented as either a hardware or a software solution and are commonly used to stop unauthorized Internet users from accessing private networks and data stores that are connected to the Internet.
All messages entering or leaving a network pass through the firewall, which reviews each message and blocks those that do not comply with an enterprise’s security criteria. In addition, every time a change is made within the firewall, it could affect the quality of enterprise communications.
How do E-SBCs and firewalls work?
An E-SBC can be deployed as a back-to-back user agent (B2BUA) that processes both the signaling and media paths. This agent terminates a session from one SIP entity (a calling party) and establishes a unique session with another SIP entity (a called party), which enables an E-SBC to inspect and manipulate the contents of the entire session to enforce security policies and manage enterprise communications.
On the other hand, a firewall is deployed as an SIP proxy server that relays and controls SIP signaling information. However, this server is not actively involved in the real-time transport protocol (RTP) media path (the audio and video streams).
What do E-SBCs and firewalls offer users?
E-SBCs are designed to minimize IT security, interoperability and service quality issues when an enterprise implements VoIP and UC solutions. These controllers manage and manipulate SIP signaling plus associated RTP media streams. They also keep pinholes open for the duration of a communications session and ultimately offer users secure access to:
- Cloud and hosted IP communications services
- Consolidated VoIP and UC networks
- IP contact centers
- SIP trunking
On the other hand, firewalls provide users with basic SIP security support. These systems offer access control lists that can be configured to authorize or reject SIP traffic based on the information contained in the SIP messages. Firewalls will close and reopen a pinhole using different port numbers, which can disrupt a session.
VoIP solutions require full orchestration of the Session Layer (5) along with the Network and Transport Layers (3 and 4), which are the firewall’s domain. Without accounting for the special requirements introduced by VoIP and real-time communications (RTC), every time a change is made within the firewall, it can interrupt communications.
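The pinhole handling described above can be sketched as a small session-aware tracker. This is an added example, not code from the original article or from any E-SBC product; the names PinholeTable and media_from_sdp and the sample SIP messages are constructed for illustration. It reads the RTP ports from the SDP offer in an INVITE, holds them open per Call-ID until BYE, and updates them in place on a re-INVITE rather than dropping the session.

```python
import re

# Constructed sample messages (not captured traffic); 192.0.2.0/24 is a documentation range.
INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\n"
          "Call-ID: call-1@pbx.example.com\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\n"
          "c=IN IP4 192.0.2.10\r\n"
          "m=audio 49170 RTP/AVP 0\r\n"
          "m=video 51372 RTP/AVP 31\r\n")
# Mid-call re-INVITE on the same Call-ID that moves audio to a new port and drops video.
REINVITE = INVITE.replace("m=audio 49170", "m=audio 40000").replace(
    "m=video 51372 RTP/AVP 31\r\n", "")
BYE = ("BYE sip:bob@example.com SIP/2.0\r\n"
       "Call-ID: call-1@pbx.example.com\r\n\r\n")


def media_from_sdp(sdp):
    """Return the (ip, udp_port) pairs an SDP offer asks to receive media on.

    Simplification (assumption): only a session-level IPv4 c= line is honoured.
    """
    ip, holes = None, set()
    for line in sdp.splitlines():
        conn = re.match(r"c=IN IP4 (\S+)", line)
        media = re.match(r"m=(?:audio|video) (\d+) RTP/", line)
        if conn:
            ip = conn.group(1)
        elif media and ip and int(media.group(1)) > 0:  # port 0 = stream declined
            port = int(media.group(1))
            holes |= {(ip, port), (ip, port + 1)}  # RTP, plus RTCP on port+1 by convention
    return holes


class PinholeTable:
    """Pinholes keyed by SIP Call-ID and held for the life of the session."""

    def __init__(self):
        self.sessions = {}  # Call-ID -> set of (ip, udp_port)

    def handle(self, message):
        head, _, body = message.partition("\r\n\r\n")
        start_line, *header_lines = head.split("\r\n")
        headers = {k.strip().lower(): v.strip()
                   for k, v in (h.split(":", 1) for h in header_lines if ":" in h)}
        call_id = headers["call-id"]
        method = start_line.split(" ", 1)[0]
        if method == "INVITE" and body:
            self.sessions[call_id] = media_from_sdp(body)  # re-INVITE replaces in place
        elif method in ("BYE", "CANCEL"):
            self.sessions.pop(call_id, None)  # session over: close its pinholes
        return self.sessions.get(call_id, set())

    def allows(self, ip, port):
        return any((ip, port) in holes for holes in self.sessions.values())
```

A full implementation would also process the SDP answer in the 200 OK, media-level c= lines and the a=rtcp attribute, which this sketch leaves out.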
Which do you need: E-SBCs or firewalls?
Clearly, companies need every advantage when it comes to security. The real problem lies in the differences in how each impacts traffic patterns.
Firewalls and other conventional IP networking devices cannot effectively manage real-time communications as they are not able to control the Session Layer. On the other hand, E-SBCs manage all three layers together to ensure that VoIP communications are properly prioritized for their higher QoS classifications.
E-SBCs protect against DoS attacks in a way that doesn’t disrupt traffic flows. And when new security protocols are enacted via an E-SBC, traffic on all layers remains orchestrated – when changes are made at the firewall level, they can disrupt the network’s orchestrated response to VoIP service requests.
Additionally, E-SBCs add value to the entire communications stack – ensuring greater interoperability between disparate VoIP, IP PBX and UC systems.
There are a few methodologies for resolving the conflicts between E-SBCs and firewalls:
- Connect SIP trunks directly to the E-SBC and allow it to take the lead for security and traffic management
- Implement a TAP that allows administrators to move firewalls out of band for rapid troubleshooting of QoS issues
- Invest in sophisticated management tools to enable granular control over traffic management
- Manually attempt to troubleshoot issues after the CEO complains that their important video conference was just dropped
Enterprises need real-time IP communications across network borders, but deploying communications solutions usually requires companies to consider various security, interoperability and service quality issues. With E-SBCs, enterprises can reap the rewards of first-rate, uninterrupted communications at all times.