SIP User's Manual
19
Session Border Controller
19.1
SBC Overview
This section provides a detailed description of the device's SBC application. This
application performs transparent transcoding of voice coders for IP-to-IP calls without
affecting the SIP signaling messages. The SBC application supports up to 1,008
concurrent SBC sessions and provides the following main features:
NAT traversal: The device supports NAT traversal, allowing, for example,
communication with ITSPs with globally unique IP addresses, for LAN-to-WAN VoIP
signaling (and bearer), using two independent legs. In addition, it also enables
communication for "far-end" users located behind a NAT on the WAN. The device
supports this by:
•
Continually registering far-end users in its dynamic database
•
Maintaining remote NAT binding state by frequent registrations, thereby, off-
loading far-end registrations from the LAN IP PBX
•
Using Symmetric RTP (RFC 4961) to overcome bearer NAT traversal
VoIP firewall and security for signaling and media:
•
SIP signaling:
♦
♦
♦
•
RTP:
♦
♦
♦
♦
♦
Topology hiding: The device intrinsically supports topology hiding, limiting the amount
of topology information displayed to external parties. For example, IP addresses of
ITSPs' equipment (e.g. proxies, gateways, and application servers) can be hidden
from outside parties. The device's topology hiding is provided by implementing back-
to-back user agent (B2BUA) leg routing:
•
Strips all incoming SIP Via header fields and creates a new Via value for the
outgoing message
•
Each leg has its own Route/Record Route set
•
Modifies SIP To, From, and Request-URI host names (must be configured using
the Message Manipulations table)
•
Generates a new SIP Call-ID header value (different between legs)
•
Changes the SIP Contact header to the device's own address
•
Layer-3 topology hiding by modifying source IP address in the SIP IP header
Version 6.4
Deep and stateful inspection of all SIP signaling packets
SIP dialog initiations may be rejected based on values of incoming SIP
INVITE message and other Layer-3 characteristics
Packets not belonging to an authorized SIP dialog are discarded
Opening pinholes (ports) in the device's firewall based on Offer-Answer SDP
negotiations
Deep packet inspection of all RTP packets
Late rouge detection - if a SIP session was gracefully terminated and
someone tries to "ride on it" with rouge traffic from the already terminated
RTP and SIP context, the VoIP Firewall prevents this from occurring
Disconnects call (after user-defined time) if RTP connection is broken
Black/White lists for both Layer-3 firewall and SIP classification
359
19. Session Border Controller
November 2011