The Ribbon SBC Core is the central element of a Ribbon secure network, providing protection from attacks either entering or leaving the core IP network. Collectively, all Ribbon elements, including the SBC, form a distributed “system” for VoIP/Unified Communications and related applications. The scalability, robustness, and ease of extension of this distributed approach directly contribute to Ribbon’s continued success. IP peering is becoming more prevalent as carriers migrate from circuits, and Ribbon’s multipurpose SBC system provides the increasingly necessary media migration capabilities with the access control, security, and privacy required for carriers and subscribers alike. Additionally, as Ribbon continues delivery of IMS functions, required security features such as encryption, key exchange, advanced authorization and authentication are enabled using SBC software upgrades.

The fundamental architectural basis for the SBC to meet these security goals is its B2BUA (Back-to-Back User Agent) model: all signaling and media are received and terminated at the SBC itself and then regenerated on another interface of the SBC. This model prevents malformed messages (or message sequences, message floods, etc.) from propagating from untrusted/unmanaged interfaces to networks and systems the SBC protects. B2BUA also provides topology hiding and supports the application of SBC policy-based controls on access and resource utilization.

Ribbon provides a holistic security approach to its solution that incorporates multiple security mechanisms and procedures within its product line. Security features supported by, but not limited to, the Ribbon SBC include:

The Ribbon SBC provides rich session management and robust security including media and signaling encryption (TLS, SRTP, IPsec), DoS and Distributed DoS (DDoS) protection, media transcoding, NAT traversal, topology hiding, Access Control Lists (ACLs) and more, all in a highly scalable design that provides industry-leading performance even under extreme workloads.

Providing protection for all packet interfaces, Ribbon delivers DoS and automatic Rogue RTP protection through metering and policing. Access control has been expanded to permit or deny access by specific peers via its ACLs and dynamic micro-flow policers for SIP Access deployments. Granular Call Admission Controls (CAC) are available on its IP Trunk Groups (IPTG) to protect against call setup and registration floods. In addition, SBC provisioning is performed over secure communications channels (SSH, HTTPS), be it through the web-based Embedded Management Application (EMA) or the Command Line Interface (CLI).

To augment the secure IP solution provided by the SBC, users can enhance internal security and protection using a select set of tools to protect against internal attacks (policing, metering on internal packet network interfaces), verify authentication using digital certificates, apply intra- and inter-domain encryption (TLS, SRTP, IPsec), detect network intrusion (IDS), and perform security event management (SEM).

 

 
