Over the past year or so, we’ve written a good deal here at Enterprise VoIPplanet about a VoIP-focused device called an enterprise session border controller, or E-SBC (to distinguish it from carrier-class SBCs).
They’ve been popping up all over the landscape as an offshoot of the widespread adoption of the session initiation protocol—SIP—as a signaling standard for IP-based communications technologies, and the growing popularity of SIP trunks—direct SIP-compliant connections from the enterprise IP PBX to the carrier/service provider.
SIP trunks are popular because they cost a lot less than the T1/E1 or PRI trunks supplied by the traditional telephone carriers. The E-SBC comes into the picture because, although SIP is an open standard protocol, many details of implementing the protocol are not standardized. One of the things an SBC is designed to do is to mediate those implementation differences. Another is to provide a demarcation point between the softswitch and the enterprise IP PBX. All E-SBCs provide these functions.
But as we learned in a recent conversation with Adam Boone, the vice president of marketing at Richardson, Texas-based Sipera Systems, there’s another vital session border control function that many E-SBCs do not perform: security. SIP trunks without application-layer security leave enterprises open to toll fraud, intrusion, data breaches, and a depressingly long list of other attacks, he warns.
Unlike most SBC vendors, Sipera is first and foremost a security company, Boone explained. It maintains a security laboratory that does ongoing primary research into the threats emerging in the marketplace, and bakes the resulting knowledge gained into its products.
“It became clear, about five years ago, when SIP was first being deployed widely, that session border control is an essential feature in a SIP deployment,” Boone told VoIPplanet, “so we built that into our UC-Sec platform”—the company’s primary product line, a solution that secures the full gamut of SIP-based unified communications technologies.
Sipera’s E-SBC is of much more recent origin. “What we saw, as we were getting involved in more and more SIP trunk termination projects,” Boone explained, “was, time and again, we were pulled into projects where they had deployed another vendor’s SBC, and they were subject to breaches, subject to toll fraud attacks—they had basically been laid wide open.”
“Essentially, we took the session border control functionality from our existing UC-Sec platform and packaged it up as a new product,” Boone said. “It is intended very much to compete with the other E-SBCs that you see out there. The difference is, ours handles security; it’s designed around security and providing security for the enterprise.”
So, how do SIP-related attacks occur?
“When a fraudster decides to commit toll fraud, for example,” Boone explained, “the way they do that is by probing and scanning for unprotected enterprise servers and PBXs—a VoIP server or IP PBX that, at some point in its network connections, is exposed to the Internet. That’s extremely common.
“They’ll be scanning for open SIP ports or other ports that are open that are not being protected by a firewall—because the firewall can’t handle the performance requirements of that application.
“If they find an open PBX, they will attack it, they’ll take control of it, and then they’ll use it to make long distance calls or connect to premium rate lines. It’s very simple for them to monetize that.”
The result is that, out of the blue, the enterprise in question will get a horrendously large phone bill from the carrier. “Literally thousands of enterprises are hit with this every year,” Boone commented.
The typical SBC can’t recognize such probing traffic as an attack, as there’s nothing in the packets that appears illegitimate. What Sipera’s application-layer security scanning does is monitor for telltale behaviors it calls ‘attack signatures’ or ‘attack markers.’
For example, one technique used in probing or ‘reconnaissance’ attacks is known as ‘call walking.’ “They hit your PBX and literally start walking from extension to extension. They may log in ten calls a second,” Boone explained.
“We look at that behavior and say, ‘Wait a minute, no human being is calling my enterprise, dialing ten extensions every second and walking sequentially through the enterprise. This is an attack under way.’ We detect it; we block it. We’re able to understand how a user is behaving, as opposed to what traffic looks like.”
That’s application-layer security at work.
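The behavioral check described above can be sketched as a sliding-window detector over call attempts. This is an added example, not Sipera's code: the record format, the function names and the `min_run` threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

def longest_sequential_run(extensions):
    """Longest streak of extensions that each increase by exactly 1."""
    best = run = 1 if extensions else 0
    for prev, cur in zip(extensions, extensions[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def detect_call_walking(events, window_ms=1000, min_calls=10, min_run=5):
    """Flag sources that dial many distinct extensions, in sequence, too fast.

    events: iterable of (timestamp_ms, source_ip, dialed_extension).
    min_calls=10 per second follows the rate quoted in the article;
    min_run is an assumed threshold for "walking sequentially".
    Returns {source_ip: timestamp_ms of the first alert}.
    """
    recent = defaultdict(deque)   # per-source call attempts inside the window
    alerts = {}
    for ts, src, ext in sorted(events):
        q = recent[src]
        q.append((ts, ext))
        while ts - q[0][0] > window_ms:   # expire attempts older than the window
            q.popleft()
        if src in alerts:
            continue
        exts = [e for _, e in q]
        # Rate alone is not enough: a redialer hits one extension repeatedly.
        if len(set(exts)) >= min_calls and longest_sequential_run(exts) >= min_run:
            alerts[src] = ts
    return alerts

# Constructed sample events (documentation IP ranges, made-up extensions).
SAMPLE_EVENTS = (
    # Walker: extensions 2000..2011, one attempt every 100 ms.
    [(10000 + i * 100, "203.0.113.7", 2000 + i) for i in range(12)]
    # Fast redialer: 12 attempts in under a second, all to one extension.
    + [(20000 + i * 50, "198.51.100.30", 2100) for i in range(12)]
    # Ordinary caller: two calls, far apart.
    + [(3000, "198.51.100.20", 2004), (45000, "198.51.100.20", 2017)]
)

if __name__ == "__main__":
    for src, ts in detect_call_walking(SAMPLE_EVENTS).items():
        print(f"call walking suspected from {src} at t={ts} ms")
```

Each packet in the walker's stream is a well-formed call attempt on its own; only the per-source pattern over time separates it from the redialer and the ordinary caller.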
Not only don’t most competing E-SBCs protect against security breaches, many are prohibitively expensive, Boone suggested. “We did some analysis, using some of our competitors’ products, and found it would take longer than a year of the SIP trunk savings before they recouped the cost of that SBC.
“We saw the business case out there as being really broken. It was actually delaying a lot of companies from moving to SIP trunks, because the cost of the E-SBC was so high. So, we set the price of our E-SBC at 10 percent of the cost of SBCs that are typically being pitched to enterprises out there.”
That sounds like a pretty persuasive value proposition to us.