Newport Networks Session Border Controller



SIP, Security and Session Controllers - White Paper

How do I make myself visible?

A Public Address - A Public Liability

Firstly, you need a public IP address so you can receive VoIP calls; this must be advertised so that you can be found. This takes care of the signalling. Secondly, you need a second IP address to exchange media. This is the address you will invite callers to send their media to.

As your VoIP client is sitting behind a Firewall, these addresses have to be on the public side of the Firewall. The Firewall must link these addresses back to your client on the inside. This means leaving two holes in the Firewall permanently linked to your client. Now, far from being an anonymous Web user, you have advertised your presence to the world and invited them in. Unfortunately, this is like advertising your real address and leaving the front door open. All your sensible Internet security precautions are bypassed.

Make your Firewall Work

The Firewall is there to protect you and your network so you should make the best use of it. You can achieve this by making your VoIP phone call work more like your browser. That means ensuring all signalling and media connections are started outwards - even incoming calls. This may sound impossible, but that is what session controllers do.

How can a Session Controller Help?

The session controller sits within the public network and is the point to which you send your signalling. When you start your client, it registers with a server in the public network. This registration message is sent via the session controller, which modifies the message and registers one of its own addresses with the server. Your public address is now on the session controller. So, this is like having a PO box number; you can be reached but your real address is only known to the post office.

Now you can change your Firewall to allow the signalling to be started as an outgoing connection. You can also restrict the destination of this connection to be only the session controller.

Session Controller working with the Firewall

Figure 2 - Firewall Working with Session Controller

The session controller can also protect the public address of the media. When you receive an invitation, the signalling travels via the session controller. The session controller modifies the invitation substituting one of its own addresses as the media address. This means you will send your media to the session controller. The reply is also modified in a similar way so your caller also sends media to the session controller. Now both clients send media to the session controller. The session controller learns the source addresses when the media emerges from the Firewall. This means you can change your Firewall to allow media ports to be dynamically allocated as outgoing connections. You can also restrict the destination of these connections to be only the session controller.
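The address substitution described above, for both the registered contact and the media address, sketched as an added example; it is not code from this white paper or from any Newport Networks product. The names `rewrite_sip`, `SC_ADDR`, `SC_SIP_PORT` and `relay_port`, the addresses, and the sample message are assumptions made for illustration.

```python
import re

# Assumed for illustration: documentation-range address, not from the white paper.
SC_ADDR = "203.0.113.10"   # public address owned by the session controller
SC_SIP_PORT = 5060


def rewrite_sip(message: str, relay_port: int) -> str:
    """Swap the client's Contact and SDP addresses for the controller's own."""
    head, sep, body = message.partition("\r\n\r\n")
    # Signalling: peers learn the controller's address, not the client's.
    head = re.sub(r"(?im)^(Contact:\s*<sip:[^@>]+@)[^>;]+",
                  rf"\g<1>{SC_ADDR}:{SC_SIP_PORT}", head)
    lines = []
    for line in body.split("\r\n"):
        if line.startswith(("c=IN IP4 ", "o=")):
            # Connection and origin lines both carry the client's address.
            line = re.sub(r"IN IP4 \S+", f"IN IP4 {SC_ADDR}", line)
        elif line.startswith("m="):
            # m=<media> <port> <proto> <fmt...>: point media at the relay port.
            fields = line.split(" ")
            fields[1] = str(relay_port)
            line = " ".join(fields)
        lines.append(line)
    body = "\r\n".join(lines)
    # The body changed size, so Content-Length must be recomputed.
    head = re.sub(r"(?im)^(Content-Length:\s*)\d+",
                  rf"\g<1>{len(body.encode())}", head)
    return head + sep + body


# Constructed sample: a reply from a client at a private address,
# trimmed to the headers this example touches.
SDP = ("v=0\r\no=alice 1 1 IN IP4 10.0.0.5\r\ns=-\r\n"
       "c=IN IP4 10.0.0.5\r\nt=0 0\r\n"
       "m=audio 49170 RTP/AVP 0\r\n")
SAMPLE = ("SIP/2.0 200 OK\r\n"
          "Contact: <sip:alice@10.0.0.5:5060>\r\n"
          "Content-Type: application/sdp\r\n"
          f"Content-Length: {len(SDP)}\r\n\r\n" + SDP)

if __name__ == "__main__":
    print(rewrite_sip(SAMPLE, relay_port=30000))
```

After the rewrite the client's own address no longer appears in the contact or the session description, so the Firewall only ever needs outbound rules whose destination is the session controller.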

Session Controller Benefits

A session controller in the public network allows you to create stricter Firewall rules:

  • All signalling and media connections can be dynamically opened
  • All signalling and media connections are started as outbound connections
  • The Firewall can restrict connections to just the session controller

The session controller improves security by:

  • Hiding your real address
  • Dynamically allocating media ports
  • Policing signalling connections
  • Policing media connections

