The ABC of SBC: definition, characteristics and advantages

The Firewall is the quintessential element providing network security when you need to interconnect with other networks: it allows outgoing traffic and blocks unsolicited incoming traffic. The Firewall is necessary but not sufficient, since some threats hide from network firewalls inside legitimate-looking traffic, which is why other specialized protective elements such as antivirus or antispam are also needed.

The case of Voice over IP is even more special. Firewalls are generally based on NAT but, unfortunately, VoIP protocols do not cope well with NAT: SIP signalling carries IP addresses and ports inside its own messages (in the Via and Contact headers and in the SDP body), which NAT does not rewrite, and the RTP media ports are negotiated dynamically for each call. A possible solution would be to open exceptions in the NAT Firewall for Voice over IP. This is not a good idea, though, because it compromises security and does not protect against Denial of Service and intrusion attacks. Intrusion control deserves special mention, not only at the network layer (which a Firewall could perform) but, primarily, at the application layer, where the aim is to ensure that call traffic is legitimate and to prevent attacks, intrusions and toll fraud. On top of this, and to make matters worse, VoIP sessions are created dynamically as calls are established, on ports that are not known in advance, which further complicates control.

A new element is required to address these risks. This element should monitor and be actively involved in the VoIP sessions established between the internal and external network, ensuring that these connections are properly established and that they are legitimate, secure and reliable. This element is the Session Border Controller (SBC).

What is an SBC?

An SBC is basically a Firewall for voice traffic, and its job is to ensure that sessions are legitimate, detecting and blocking potential attacks and intrusions. Another important security feature (similar to what a Firewall does for data services) is concealing the voice services of the internal network from the outside, often called topology hiding. To perform all of these functions, the SBC sits, like the Firewall, on the border between the internal and external network (hence the name “Session Border Controller”), but at a more internal layer than the Firewall, usually in an intermediate network between the Firewall and the internal network, i.e. a DMZ (“Demilitarized Zone”).

The SBC doesn’t just monitor and control sessions between the internal and external network, it rebuilds them in order to have complete control. That is, when a session is established between the internal and external network, two sessions (two call legs) are actually established: one from the internal element to the SBC, and the other from the SBC to the external element, with the SBC negotiating the call parameters with each end separately. Not only does this allow full control of the sessions (who can connect, to where, when, how, detection of attacks and intrusions…) but it also conceals the internal network from the outside, since the external party only ever sees the SBC’s own addresses in the signalling and in the media description. This basic SBC behavior is known as Back to Back User Agent (B2BUA).

Characteristics and advantages

While the SBC’s main feature is usually security, it is by no means the only one. The SBC is usually responsible for the following functions, among others:

  • Interoperability: Establishing sessions even between internal and external network elements that signal differently (because they use different signaling protocols or SIP dialects, or because one side has additional security requirements, such as TLS or SRTP being mandatory on the external leg only)
  • Numbering plan management: Deciding which destinations each user may call (call screening), which allows legitimate connections and blocks attacks, intrusions and toll fraud
  • Transcoding: Converting between incompatible codecs
  • Admission Control: Limiting the number of concurrent sessions so the WAN line capacity is not exceeded (a new call that would degrade the calls already in progress is refused rather than admitted)
  • Remote user connectivity: For example, using VPNs
  • Quality of Service Management
  • Others…
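The B2BUA behaviour described above and two of the control functions from the list (numbering plan management and admission control), as an added Python model; this is illustrative code, not Teldat’s implementation. It parses an INVITE arriving from an internal phone, applies the screening and admission policy, and builds the second call leg with the SBC’s own addresses in the Via, Contact, From, Call-ID and SDP fields, while remembering where the internal phone expects its RTP so the SBC can relay the media. The policy values (allowed and blocked prefixes, session limit), the SBC address 203.0.113.10 / sbc.example.com and the sample INVITE are all assumptions made for the example.

```python
"""Toy SIP Session Border Controller acting as a B2BUA (added example, not Teldat code).
Assumed, not taken from the text: SIP over UDP, one audio stream per call, and the
policy values below (allowed/blocked prefixes, session limit, SBC public address)."""
import re
import secrets

SBC_PUBLIC_IP = "203.0.113.10"   # assumed public address of the SBC (TEST-NET-3 range)
SBC_DOMAIN = "sbc.example.com"   # assumed SIP domain shown to the outside world

# Constructed sample: INVITE from an internal phone (192.168.10.25) to an external number.
INTERNAL_INVITE = (
    "INVITE sip:+34912345678@sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.10.25:5060;branch=z9hG4bK-77a1\r\n"
    "From: \"Alice\" <sip:1001@pbx.corp.local>;tag=a1b2\r\n"
    "To: <sip:+34912345678@sip.example.net>\r\n"
    "Call-ID: 8f3c2@192.168.10.25\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:1001@192.168.10.25:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.10.25\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.10.25\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
)


class SipMessage:
    """Minimal SIP request: start line, ordered headers and body."""

    def __init__(self, start_line, headers, body):
        self.start_line, self.headers, self.body = start_line, headers, body

    @classmethod
    def parse(cls, raw):
        head, _, body = raw.partition("\r\n\r\n")
        lines = head.split("\r\n")
        headers = [(n.strip(), v.strip()) for n, _, v in (l.partition(":") for l in lines[1:])]
        return cls(lines[0], headers, body)

    def get(self, name):
        return next((v for n, v in self.headers if n.lower() == name.lower()), None)

    def set(self, name, value):
        self.headers = [(n, value if n.lower() == name.lower() else v) for n, v in self.headers]
        if self.get(name) is None:
            self.headers.append((name, value))

    def serialize(self):
        self.set("Content-Length", str(len(self.body.encode())))
        return self.start_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in self.headers) + "\r\n" + self.body


def media_endpoint(sdp):
    """(ip, port) where the internal phone expects RTP; the SBC relays media to it."""
    ip = re.search(r"^c=IN IP4 (\S+)", sdp, re.M).group(1)
    return ip, int(re.search(r"^m=audio (\d+)", sdp, re.M).group(1))


def rewrite_sdp(sdp, new_ip, new_port):
    """Point the media at the SBC relay so the internal address never leaves the network."""
    sdp = re.sub(r"^(o=\S+ \S+ \S+ IN IP4 )\S+", r"\g<1>" + new_ip, sdp, flags=re.M)
    sdp = re.sub(r"^c=IN IP4 \S+", "c=IN IP4 " + new_ip, sdp, flags=re.M)
    return re.sub(r"^m=audio \d+", f"m=audio {new_port}", sdp, flags=re.M)


class Sbc:
    def __init__(self, allowed=("+34",), blocked=("+34803", "+34806", "+34807"),
                 max_sessions=2, relay_ports=range(20000, 20100, 2)):
        self.allowed, self.blocked = allowed, blocked   # numbering plan (assumed policy)
        self.max_sessions = max_sessions                 # admission control (assumed limit)
        self.free_ports = list(relay_ports)              # RTP relay ports owned by the SBC
        self.sessions = {}                               # outbound Call-ID -> leg mapping

    def handle_invite(self, raw):
        """Return ("FORWARD", outbound INVITE text) or (SIP error status, None)."""
        msg = SipMessage.parse(raw)
        number = re.match(r"INVITE sip:([^@;]+)@", msg.start_line).group(1)
        # Numbering plan / call screening: fraud prefixes and unrouted destinations are refused
        if number.startswith(self.blocked) or not number.startswith(self.allowed):
            return "403 Forbidden", None
        # Admission control: refuse a new call rather than degrade the ones already up
        if len(self.sessions) >= self.max_sessions or not self.free_ports:
            return "503 Service Unavailable", None
        relay_port = self.free_ports.pop(0)
        out_call_id = f"{secrets.token_hex(8)}@{SBC_DOMAIN}"
        # Second call leg: new transaction identifiers, the SBC is the only endpoint visible outside
        leg = SipMessage(msg.start_line, list(msg.headers), msg.body)
        leg.set("Via", f"SIP/2.0/UDP {SBC_PUBLIC_IP}:5060;branch=z9hG4bK{secrets.token_hex(6)}")
        leg.set("Call-ID", out_call_id)
        leg.set("Contact", f"<sip:sbc@{SBC_PUBLIC_IP}:5060>")
        leg.set("From", re.sub(r"@[^>;]+", "@" + SBC_DOMAIN, msg.get("From")))
        leg.body = rewrite_sdp(msg.body, SBC_PUBLIC_IP, relay_port)
        self.sessions[out_call_id] = {"inbound_call_id": msg.get("Call-ID"),
                                      "internal_media": media_endpoint(msg.body),
                                      "relay_port": relay_port}
        return "FORWARD", leg.serialize()
```

Run `Sbc().handle_invite(INTERNAL_INVITE)` and compare the two legs: nothing in the outbound INVITE names 192.168.10.25 or pbx.corp.local, the Call-ID is fresh, and the SDP directs RTP to the SBC’s relay port. A call to a blocked premium prefix is answered with 403 before any session state is created, and once the session limit is reached further INVITEs get 503 instead of being squeezed onto the WAN. A production SBC also has to relay the RTP, handle the responses and BYE on both legs, and release the relay port and admission slot when the call ends.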

SBCs arose out of need, catching standards bodies off balance, which created some ambiguity about their roles and limits. Initially SBCs were dedicated devices located at the border between provider networks and their customers or the Internet, evolving towards virtualized networks at times integrated with Firewall and routers. Today it is common to deploy SBC functions even in remote areas to protect the central office’s internal network, especially where there is a direct connection to the internet.

SBCs in Teldat

Teldat routers implement an advanced, comprehensive SBC using various functions included in the software: the B2BUA functionality that gives complete control of the Voice over IP sessions established between the internal and external network, ensuring interoperability and security; other security features such as IPSec and the securing of voice sessions with TLS (for the SIP signalling) and SRTP (for the media); complete control of IP Quality of Service; Admission Control for VoIP calls based on various parameters; and routing tables, call screening and codec selection.

Marcel Gil: graduated in Telecommunication Engineering and Master in Telematics (Polytechnic University of Catalunya), is a SD-WAN Business Line Manager at Teldat.

Virtual Private Networks, types and characteristics

In essence, a Virtual Private Network (VPN) consists in using a network that is normally public (IP) at such a level of abstraction that this network serves only as the transport between two endpoints, over which a private network is built.  Using a public network inherently requires security, to the point where the two concepts, VPN and security, become one, regardless of whether the core network providing connectivity is public or private.  For this reason the connections between the endpoints are often called “tunnels”: they conceal the private information being transported over the public network.

Since security is a key element of these communications, it is essential to know the different VPN techniques and to understand which is the best fit for each scenario.  The difficulty lies in the number of acronyms associated with VPNs, which at times seem as cryptic as the protocols they refer to (GRE, L2TP, IPSec, DMVPN, GDOI, SSLVPN, WebVPN, etc.).

VPN at the network layer

This consists of implementing the VPN at OSI layer 3; the devices and applications at either end of the “tunnel” see each other (at layer 3) just as they would over a direct connection, so this type of VPN is transparent to any protocol and application:

  • GRE (Generic Routing Encapsulation) and L2TP (Layer 2 Tunneling Protocol) are simple protocols for building VPNs at the network layer. Although both are proven, interoperable and standardized, neither provides confidentiality or integrity protection on its own (GRE has no security mechanism at all; L2TP offers at most an optional authentication of the tunnel endpoints at setup), so they are rarely used alone and mostly serve as auxiliary protocols inside a VPN that is protected by other means, typically IPSec (L2TP/IPSec, GRE over IPSec).
  • IPSec (Internet Protocol Security) is a standardized, interoperable alternative for VPNs on which a suitable security level has been developed (authentication, integrity and encryption of each packet). It is the de facto standard security protocol for VPNs and is widely used in the routers at the edge of the network.
  • DMVPN (Dynamic Multipoint Virtual Private Network) is a VPN architecture based on the simultaneous use of GRE and IPSec: GRE provides the connectivity and IPSec the security.  The advantage of using GRE for connectivity is that it can carry routing information, so the tunnel endpoints in the private networks talk to each other and the configuration effort to build VPNs for a large number of sites is reduced.  DMVPN is based on a central point (Hub) to which all the remote points (Spokes) connect and which distributes the routing information between them; spokes can then set up direct spoke-to-spoke tunnels on demand.  DMVPN relies on the NBMA Next Hop Resolution Protocol (NHRP) of RFC 2332 to resolve the tunnel addresses of the spokes.
  • GETVPN (Group Encrypted Transport Virtual Private Network) or GDOI (Group Domain Of Interpretation) is an additional mechanism for IPSec that simplifies key management.  Also RFC-based (GDOI is RFC 6407) and interoperable, it relies on a central key server that generates and distributes the keys to all the points, so all members share one group security association instead of negotiating pairwise tunnels.  GETVPN does not build “tunnels”: the original IP header is preserved on the encrypted packet, so it only works when the host addressing is routable end to end across the transport network (typically a private MPLS WAN), not across the public Internet.
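As an added illustration of the point about GRE (not code from the original post or from Teldat): the following Python builds and parses the GRE header of RFC 2784/2890, including the optional key field that DMVPN uses to tell tunnels apart on a multipoint GRE interface, and then shows what the tunnel does not give you. The inner packet, the addresses (RFC 1918 ranges) and the tunnel key are constructed for the example; a real tunnel would carry the GRE packet inside an outer IPv4 header with protocol number 47, which is omitted here.

```python
"""GRE encapsulation per RFC 2784/2890, stdlib only (added example, not Teldat code).
The inner packet, addresses and tunnel key are constructed for the demonstration."""
import socket
import struct

GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000   # checksum / key / sequence number present
PROTO_IPV4 = 0x0800                            # Ethertype of the encapsulated packet


def inet_checksum(data):
    """RFC 1071 one's-complement checksum (shared by IPv4 and GRE)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src, dst, proto, payload):
    """Minimal IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def gre_encapsulate(inner, proto=PROTO_IPV4, key=None, seq=None, checksum=True):
    """Prepend a GRE header: flags/version, protocol type, then optional fields in RFC order."""
    flags, opt = 0, b""
    if checksum:
        flags, opt = flags | GRE_C, opt + struct.pack("!HH", 0, 0)   # checksum + reserved1
    if key is not None:
        flags, opt = flags | GRE_K, opt + struct.pack("!I", key)     # tunnel key (RFC 2890)
    if seq is not None:
        flags, opt = flags | GRE_S, opt + struct.pack("!I", seq)     # sequence number
    hdr = struct.pack("!HH", flags, proto) + opt
    if checksum:   # covers GRE header and payload, computed with the field zeroed
        hdr = hdr[:4] + struct.pack("!H", inet_checksum(hdr + inner)) + hdr[6:]
    return hdr + inner


def gre_parse(pkt):
    """Return proto, key, seq, checksum_ok and the encapsulated payload."""
    flags, proto = struct.unpack("!HH", pkt[:4])
    if flags & 0x0007:
        raise ValueError("only GRE version 0 is supported")
    info, off = {"proto": proto, "key": None, "seq": None, "checksum_ok": None}, 4
    if flags & GRE_C:
        stored = struct.unpack("!H", pkt[4:6])[0]
        info["checksum_ok"] = inet_checksum(pkt[:4] + b"\x00\x00" + pkt[6:]) == stored
        off += 4
    if flags & GRE_K:
        info["key"], off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    if flags & GRE_S:
        info["seq"], off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    info["payload"] = pkt[off:]
    return info


def eavesdrop(tunnel_pkt):
    """Anyone on the path reads the inner packet's data: GRE adds no confidentiality."""
    inner = gre_parse(tunnel_pkt)["payload"]
    return inner[(inner[0] & 0x0F) * 4:]   # skip the inner IPv4 header (IHL * 4 bytes)


def forge_in_transit(tunnel_pkt, old, new):
    """An on-path attacker edits the data and recomputes the unkeyed checksum: GRE adds no integrity."""
    flags = struct.unpack("!H", tunnel_pkt[:2])[0]
    info = gre_parse(tunnel_pkt)
    return gre_encapsulate(info["payload"].replace(old, new), info["proto"],
                           info["key"], info["seq"], checksum=bool(flags & GRE_C))
```

Both eavesdrop() and forge_in_transit() succeed against a checksummed, keyed GRE packet: the checksum is a transmission check, not an authenticator, and the key is a demultiplexing tag, not a secret. That is exactly what wrapping GRE in IPSec ESP (authenticated encryption under a negotiated key) adds, and why GRE or L2TP on their own are only used as auxiliary protocols.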

Branch office routers establish VPNs at the network layer that are transparent to the local network devices, although implementations can also be found in hosts (typically IPSec and L2TP), either as part of the operating system (Windows, Linux, Android, iOS) or as additional network services developed by third parties.

VPN at the application layer

This consists of establishing the VPN without the intermediate routers or the host network stack taking part.  The basis is the SSL (Secure Sockets Layer) protocol, today TLS, carried in an HTTPS session.  In the most basic version (clientless), the SSL server maintains a secure session with the web browser across the public network and presents resources from the internal network (applications, file servers, etc.) to the client in web format; this is known as an HTTP Reverse Proxy.

A more advanced version (Full Network Access) downloads an applet or agent to the client that creates a virtual interface to intercept the private traffic exchanged between the client and the private network, thus effectively establishing a VPN between the host and the private network behind the server.

SSL was originally a Netscape implementation; its version 3.0 was taken up by the IETF and standardized, with changes, as TLS (Transport Layer Security) 1.0, since superseded by TLS 1.2 and 1.3 (SSL 3.0, TLS 1.0 and TLS 1.1 are now deprecated and should not be accepted by a VPN server).  However, only the security protocol is standardized; the reverse HTTP Proxy features and the applets are proprietary to each vendor.
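Added example (not Teldat code): how the TLS side of an SSL VPN portal should be configured with Python’s standard ssl module so that the deprecated SSL 3.0, TLS 1.0 and TLS 1.1 are never negotiated. Certificate loading is left out, so the functions build and inspect the context only; the cipher string is an assumption about what the server’s OpenSSL build supports.

```python
"""TLS server context for an SSL VPN portal (added example, not Teldat code).
Stdlib only; certificate loading is omitted, so the context is built but not served."""
import ssl


def hardened_server_context():
    """Server context that refuses everything below TLS 1.2 and non-AEAD, non-PFS suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # SSL 3.0, TLS 1.0 and 1.1 are out
    ctx.options |= ssl.OP_NO_COMPRESSION             # TLS compression enables CRIME
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")   # assumed suite list: PFS + AEAD only
    # A real portal adds ctx.load_cert_chain(...) and, for client certificates,
    # ctx.verify_mode = ssl.CERT_REQUIRED with ctx.load_verify_locations(...).
    return ctx


def accepts_legacy_protocols(ctx):
    """True if the context would still negotiate anything below TLS 1.2."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def protocol_floor(ctx):
    """Name of the lowest protocol version the context negotiates, for an audit log."""
    return ctx.minimum_version.name
```

Compare `accepts_legacy_protocols(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))` on your own interpreter with the hardened context: the default depends on the Python and OpenSSL build, which is why the floor should be set explicitly rather than inherited.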

Which VPN is the best?

This depends on one’s needs.  VPNs at the application layer are the solution for individually connecting a device from any point on the public network outside the branches, for example mobile users connecting their portable devices (PCs, tablets, telephones, etc.) from the Internet, or even public PCs.  The VPN servers for the application layer are usually found at head offices and not in the access routers.

To establish VPNs between different company branches, the solution consists of VPNs at the network layer from the access routers in each branch office, IPSec being the de facto standard.

Teldat is a world class leader in VPN technology interoperability for networks (L2TP, GRE, DMVPN, GETVPN), with ample references from large corporations and clients. We offer you all the advice you need about VPN networks, because the best way to earn your trust is to offer you the best service.


Router and Server for onsite applications

It is quite obvious to say that corporate communications have evolved. Not so long ago, a few decades back, “dumb” terminals were connected to a mainframe. A significant evolution followed with the introduction of X.25, Frame Relay and ISDN; we could say it was as important to corporate communications as the discovery of fire was to prehistoric man. More recently, IP networks changed the communication landscape again, so much so that this could be compared to the invention of the wheel. Of course, high-speed connections such as DSL and fiber can be said to be “the Industrial Revolution” of network communication, making broadband accessible anywhere at all. Finally, today’s trend toward “Cloud Computing” is in some way returning communications to where they started, as the intelligence is once again being centralized, this time within “the Cloud”.

The “Cloud Computing” and its implementation in companies

Cloud Computing is at an initial stage as far as corporate communications are concerned, but nobody doubts that it will grow significantly in a short period of time, as it has grown and is still growing in residential user communications with applications such as Google Apps, Microsoft Office 365 or Dropbox. Moreover, it should not surprise anybody that the residential market is ahead of the corporate market in ICT and communications; this already occurred with ADSL, FTTH and 4G connectivity. The open questions are whether corporate clouds will be public, private or hybrid, and the pace of corporate migration to the Cloud. However, it is clear that virtualization is here to stay, as the advantages it offers are obvious. So, what are the benefits of virtualization for companies?

  • Reduced CAPEX and OPEX at the network periphery, because hardware and software resources are centralized in the Cloud.
  • A clear improvement in the control, security and reliability of data and applications
  • Flexibility in resource allocation.
  • License control

Problems which you can find in virtualization

The evolution of applications towards the Cloud is not necessarily problem free. Firstly, the connectivity requirements for a proper user experience are more demanding than when processing and storage are local, so special attention should be paid to redundancy, security and network optimization. Secondly, some applications that generate a large volume of traffic locally, such as Digital Signage or Content Management, do not scale well in the Cloud, and the problem is that we no longer have a local server at the site for those tasks. The same occurs with non-IP devices such as printers, alarms, access control, web cameras, etc. that require a USB or perhaps even a serial port: these obviously need a local interface and local processing in order to be adapted to the Cloud. Regardless of all the above, there is one device in the middle of everything mentioned so far that still has to be maintained and that, taking all of the above into account, becomes of utmost importance: the router.

The “router” as solution to various problems in Cloud Computing

The router at the branch office is what connects users and applications, so the user experience depends entirely on the router’s efficiency and stability. However, what role is the router going to play in the new Cloud Computing scenarios? At first sight a minimal involvement could be valid, but could the router expand its role and become a more useful player in Cloud Computing scenarios? Certainly, this is the way forward. Because of its strategic position connecting users to applications, the router is able to provide the extra security and optimization these scenarios require, and because of its position within the branch office, it can be the extension of the Cloud applications that interacts with local devices.

The remaining questions are: does it have the processing power to run applications? Does it have the storage capacity certain applications require? Does it have a management tool to run local processes safely? In the past a router did not need to perform these tasks, so these features were not available or were very limited; at most, some artificial solutions were put together by integrating additional hardware (a mini-PC) into the router chassis. Today, fully converged solutions based on multicore processors are possible, integrating two virtual devices, Router + Server, in one physical device, each with its own software and operating system, including an HDD or SSD and USB interfaces for local devices. These new “Cloud Ready” routers support the applications that can no longer run on a local server because there is none: security (antivirus, antispam, SIEM probes, content filtering), optimization (web cache, video proxy, Cloud-replicated NAS and virtual desktop repository), local audit, or digital signage (DLNA based). Teldat specializes in “Cloud Ready” routers supporting the applications mentioned above, which are currently available in our portfolio. What is more, there are no restrictions on possible applications, since the router runs a standard Linux operating system, which allows customers or third parties to develop their own apps.
