
For years the way users at small or home offices (SOHO) typically gained secure access to corporate networks was through virtual private networks (VPNs). But as unified communications technologies take hold and more traffic is based on the Session Initiation Protocol (SIP), session border controllers (SBCs) are replacing VPNs as the preferred way to provide secure communications in SOHO environments.
This is essentially the point of a blog post I recently read by SIP expert Andrew Prokop, director of vertical industries at Arrow Systems Integration, which specializes in unified communications, voice and data technologies, contact center and network security.
The Old Days, When VPNs Ruled
Prokop recounts how things have changed in the way we deal with working remotely:
I clearly remember the days when I would go home, start my PC, fire up my VPN, and start working on the day’s unfinished tasks. Now, I go home, tuck my PC bag under my desk, pull my iPhone out of my pocket, and get back to emails, IMs, and telephone calls without the use of a VPN. Yes, there are still times when I need a PC for its screen and keyboard, but even then I rarely start up my VPN.
The reason he rarely fires up that VPN is that the UC client on his smartphone instead points to an SBC at company headquarters. The SBC ensures that only SIP traffic can get through on the connection in either direction.
Why SBCs are More Secure than VPNs
In many ways, as Prokop points out, this setup is actually far more secure than a VPN. A VPN essentially forms an encrypted tunnel through the public Internet over which users can securely send traffic. But, as his post points out, there is an issue with VPNs:
The downside is that not only does Microsoft Office have full access to my corporate LAN, so does everything else on my PC. Any virus or ill-behaved application that sneaks onto my PC has that same unfettered access.
The problem is that VPNs protect the connection between points A and B, but not the applications on either side. SBCs, on the other hand, are application-aware and will only let legitimate SIP-based traffic pass through, says Mykola Konrad, VP of Go To Market and Strategic Alliances for SBC-maker Sonus Networks.
SBCs also provide Network Address Translation (NAT) tunneling, which is important in corporate networks that use NAT to extend the reach of their IP addresses. “SIP is not NAT-aware, so you need a way to get to the real end point on the other side of the NAT device,” Konrad says.
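The two properties described above, an application-aware border that admits only well-formed SIP and a fix-up that lets replies reach a client sitting behind NAT, can be shown in a few dozen lines. The following is an added illustration written for this article; it is not code from Sonus, Arrow or Prokop's post, and it is far simpler than a real SBC (no TLS/SRTP, no dialog state, no rate limiting). The list of permitted methods, the address 203.0.113.7, and the sample REGISTER message are all constructed for the example.

```python
"""Toy SIP-aware border filter (illustration only, not a real SBC).

Two ideas from the text:
  1. Application awareness: a datagram crosses the border only if it parses as
     a SIP request with an expected method; an HTTP probe or random bytes do not.
  2. NAT handling: the client behind NAT writes its private address in Via, so
     the border records the address/port it actually saw (RFC 3261 18.2.1 and
     the rport extension of RFC 3581) to make responses routable.
"""
import re
from typing import Optional

# Assumption: the request methods a corporate UC deployment expects from remote
# clients. Anything else is refused at the border.
ALLOWED_METHODS = {"REGISTER", "INVITE", "ACK", "BYE", "CANCEL", "OPTIONS",
                   "SUBSCRIBE", "NOTIFY", "MESSAGE"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:[^ ]+) SIP/2\.0$")
# Headers every SIP request must carry (RFC 3261 section 8.1.1).
REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq", "max-forwards")


def parse_sip_request(raw: bytes) -> Optional[dict]:
    """Return method, URI, headers and body for a well-formed SIP request, else None."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:                       # no end-of-headers marker: not SIP
        return None
    lines = head.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return None
    headers: dict = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            return None
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    if any(h not in headers for h in REQUIRED_HEADERS):
        return None
    return {"method": match.group(1), "uri": match.group(2),
            "headers": headers, "body": body}


def fix_via_for_nat(text: str, src_ip: str, src_port: int) -> str:
    """Add received= and fill in rport on the top Via header so that responses are
    sent to the public address/port observed at the border, not the private
    address the client put in its own message."""
    head, sep, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    for i, line in enumerate(lines):
        if line.lower().startswith("via:"):
            via = line
            if "received=" not in via:
                via += f";received={src_ip}"
            # A bare ";rport" is the client asking for its source port to be echoed.
            via = re.sub(r";rport(?=;|$)", f";rport={src_port}", via)
            lines[i] = via
            break                      # only the topmost Via belongs to this hop
    return "\r\n".join(lines) + sep + body


def admit(raw: bytes, src_ip: str, src_port: int) -> tuple:
    """Border decision: ('drop', reason) or ('forward', rewritten_message)."""
    req = parse_sip_request(raw)
    if req is None:
        return ("drop", "not a well-formed SIP request")
    if req["method"] not in ALLOWED_METHODS:
        return ("drop", f"method {req['method']} not permitted from remote clients")
    return ("forward", fix_via_for_nat(raw.decode("utf-8"), src_ip, src_port))


# Constructed sample traffic; not captured from any real deployment.
GOOD_REGISTER = (
    "REGISTER sip:corp.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "Max-Forwards: 70\r\n"
    "From: <sip:alice@corp.example>;tag=1928301774\r\n"
    "To: <sip:alice@corp.example>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.20\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
).encode()
HTTP_PROBE = b"GET /admin HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"   # not SIP: dropped
GARBAGE = bytes(range(256))                                       # not even UTF-8: dropped

if __name__ == "__main__":
    for label, pkt in (("REGISTER", GOOD_REGISTER), ("HTTP", HTTP_PROBE), ("bytes", GARBAGE)):
        verdict, detail = admit(pkt, "203.0.113.7", 40123)
        print(f"{label:9} -> {verdict}: {detail if verdict == 'drop' else detail.splitlines()[1]}")
```

The REGISTER is forwarded with its Via rewritten to `...;rport=40123;received=203.0.113.7`, while the HTTP probe and the raw bytes never get past the parser, which is the contrast with a VPN tunnel that would have carried all three onto the LAN unchanged.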
Benefits of Securing at the Application Layer
Konrad agrees that SBCs largely obviate the need for VPNs in many instances because they provide security for any SIP-based session, including voice or video calls, chat, IM, and the like. “The SBC encrypts media and signaling as well as providing border security – not allowing packets that shouldn’t be entering the network to enter,” he says. It would not provide security for pure data applications such as email, but increasingly Web connections can be used for such applications, which can be secured via secure HTTP (HTTPS).
In fact, HTTPS provides a good example of the benefits of providing security at the application layer, as Prokop notes in his post:
The next time you use Outlook Web Access (OWA), make note of the fact that your Web browser is using secure HTTP (HTTPS). Similar to the SIP messages to and from my iPhone, the browser’s stream of data has been secured and not the device the browser is running on.
The benefits of securing the application instead of the device are significant. My IT department can provide me access to the company’s SIP communications system without having to worry about anything malicious sneaking into the corporate network. I can load up my iPhone with as many games as I want, and not one of them will get past the SBC.
Konrad agrees the HTTPS analogy holds water. And he notes that the typical end user would not need to have an SBC on his side of the connection; it’s only required at the corporate end.
That said, there are some instances where users may want to deploy an SBC in their home or small office, he says, such as for remote call center agents.
“They need to be reachable all the time and it’s possible for someone to launch a denial of service attack against the agent’s home IP address and cut them off,” Konrad says. “An SBC would prevent that. In situations where it’s critical to get through to workers at home, then you may want an SBC on premise.”