Securing Enterprise Networks with AudioCodes Multi-Service Business Gateway

Israel Hershko
AudioCodes, Director, Product Marketing, Session Border Controllers

Multi-Service Business Gateway Security Framework

AudioCodes Multi-Service Business Gateway (MSBG) provides small and medium-sized businesses (SMBs) with an economical way to benefit from converged voice and data services. The MSBG integrates multiple network elements and applications into the same box.

The MSBG enables voice and data services by combining broadband WAN access, routing and switching capabilities, firewall, VPN, media gateway for connecting to legacy TDM elements, session border controller and last but not least, can serve as a platform for running an IP-PBX application using the built-in Open Solution Network (OSN) server module.

Diagram 1 - main components of AudioCodes MSBG

As an integrated device, the MSBG needs to address multiple security aspects, starting from the IP network infrastructure and up to the application level.

Enterprises face serious security risks both internally and externally. Converged IP data and voice allow for unprecedented economical and efficient ways to conduct business; however, new threats must be addressed in order to obtain the real benefits of the technology. Security threats, if not addressed properly, can affect the uptime of networks, cause the loss of valuable data, and even compromise the organization's ability to protect its intellectual property.

MSBG Firewall and VPN
Enterprises have been relying on firewalls for many years in order to protect their networks. The firewall regulates the flow of data between the enterprise and external networks. It operates according to a set of provisioned "rules" that block unwanted traffic while still allowing employees to access and share data, internal and external to the enterprise network, without losing productivity.

Diagram 2 - MSBG deployment in the SMB network

Additionally, firewalls serve to mitigate Denial of Service (DoS) attacks. A DoS attack is an attempt to prevent legitimate network users from performing network operations normally, degrading the level of service to these users. Primitive DoS attacks consist of heavy traffic bombardment of a certain IP address or port, hoping to "choke" network or compute resources.

More sophisticated attacks try to exploit protocol behavior or implementations (usually software implementations) in order to cause some form of resource starvation, which affects the way service is delivered to users. 
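The two firewall functions described above, rule-based filtering and mitigation of the simple "bombard one address or port" DoS pattern, as an added example that is not AudioCodes' code and not the MSBG's actual firewall implementation: a first-match rule table with an explicit default deny, followed by a per-source sliding-window limiter. The rules, addresses and the packet stream below are constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    ts: float     # arrival time in seconds (constructed)


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # source network the rule applies to
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport


# Constructed policy: expose SIP over TLS and HTTPS, let the LAN reach the
# management SSH port, and drop everything else (explicit default deny).
RULES = [
    Rule("allow", proto="tcp", dport=5061),
    Rule("allow", proto="tcp", dport=443),
    Rule("allow", src="10.0.0.0/8", proto="tcp", dport=22),
    Rule("deny"),
]


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a rule set that matches nothing denies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class FloodLimiter:
    """Sliding-window counter: a source sending more than max_packets within
    window_s seconds is rate-limited, which blunts volumetric bombardment."""

    def __init__(self, max_packets: int, window_s: float) -> None:
        self.max_packets = max_packets
        self.window_s = window_s
        self.seen: Dict[str, Deque[float]] = defaultdict(deque)

    def permit(self, pkt: Packet) -> bool:
        q = self.seen[pkt.src]
        while q and pkt.ts - q[0] >= self.window_s:
            q.popleft()                      # forget arrivals outside the window
        if len(q) >= self.max_packets:
            return False
        q.append(pkt.ts)
        return True


def filter_stream(packets: List[Packet], rules: List[Rule],
                  limiter: FloodLimiter) -> Dict[str, int]:
    """Apply the rule table, then the limiter, to every packet; count verdicts."""
    counts = {"allow": 0, "deny": 0, "rate-limited": 0}
    for pkt in packets:
        verdict = evaluate(rules, pkt)
        if verdict == "allow" and not limiter.permit(pkt):
            verdict = "rate-limited"
        counts[verdict] += 1
    return counts


def constructed_traffic() -> List[Packet]:
    """Four legitimate-looking packets plus a 60-packet burst at the SIP port."""
    pkts = [
        Packet("10.1.2.3", "tcp", 22, 0.0),       # LAN admin SSH: allowed
        Packet("203.0.113.7", "tcp", 22, 0.1),    # Internet SSH attempt: denied
        Packet("203.0.113.7", "tcp", 5061, 0.2),  # remote SIP over TLS: allowed
        Packet("203.0.113.7", "udp", 5060, 0.3),  # plain UDP SIP not exposed: denied
    ]
    pkts += [Packet("198.51.100.9", "tcp", 5061, 1.0 + i * 0.01) for i in range(60)]
    return pkts


if __name__ == "__main__":
    print(filter_stream(constructed_traffic(), RULES, FloodLimiter(20, 1.0)))
```

With a limit of 20 packets per second, the burst host gets its first 20 packets through and the remaining 40 are rate-limited, while the rule table alone decides the fate of the four ordinary packets. The limiter only runs on packets the rules already allowed, so it never spends state on traffic that is being denied anyway.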

Apart from firewalls which are a fundamental element in any IP security solution, an additional component for network level security is the Virtual Private Network.

Virtual private networks (VPNs) are commonly used by enterprises for two main purposes: allowing users outside the organization (employees who travel, employees working from home, etc.) to access the organization's internal network resources, and providing inter-branch connectivity, all while preserving the highest level of security. VPNs can be viewed as a virtual extension of the organization's LAN into employees' homes and remote locations. VPN technology relies on tunneling protocols such as IPsec (among others) in order to secure the traffic flowing to and from the enterprise.

MSBG SBC
The SBC element within the MSBG is designed for enhancing the level of protection delivered to voice, video and instant messaging users.

The SBC performs “Topology Hiding” when routing SIP signaling across enterprise boundaries. Topology hiding is used for hiding the internal network topology of the enterprise network.

Before establishing a communication session, the SBC employs a set of operations to decide whether to allow the session to commence or deny it.

Diagram 3 - The Pinhole Concept

The SBC performs user authentication and authorization. For example, the SBC can be configured to accept new sessions (calls) from a specific network address, subnet or domain.

The SBC can also be configured to use certificates in order to authenticate users. The SBC protects SIP traffic carried over TCP using the Transport Layer Security (TLS) protocol and associated X.509 certificates. These certificates are used to prevent man-in-the-middle attacks, eliminating the possibility of a third party impersonating another party while a secure communication session is being established. The SBC performs another important task known as protocol validation: communication messages (SIP, RTP, etc.) that do not conform to the standard or to a predefined policy are dropped by the SBC. This protects against DoS attacks that use malformed messages and requests to exploit software bugs or to put a heavy load on call-processing elements such as the IP-PBX.
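The three SBC functions described in this section, topology hiding, admitting sessions by source address, subnet or domain, and protocol validation of SIP requests, as an added example that is not AudioCodes' code and not how the MSBG's SBC is implemented. The allowed networks, allowed domain, the SBC's public address and both SIP messages are constructed for illustration; the validation rules (mandatory headers, CSeq/method agreement, numeric Max-Forwards, Content-Length agreement, a size cap) are generic RFC 3261 sanity checks, not the MSBG's policy.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed policy: sources the SBC accepts new sessions from, and the
# public address it presents to the outside (hypothetical values).
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("203.0.113.0/24")]
ALLOWED_DOMAINS = {"sip.example.com"}
SBC_EXTERNAL_HOST = "198.51.100.1"

MAX_MESSAGE_BYTES = 4096
REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:\S+) SIP/2\.0$")
CSEQ = re.compile(r"^(\d+) ([A-Z]+)$")
MANDATORY = ("via", "from", "to", "call-id", "cseq", "max-forwards")
Headers = Dict[str, List[str]]


def parse_request(raw: str) -> Tuple[str, str, Headers, str]:
    """Strict parse of a SIP request; raises ValueError on anything off-spec."""
    if len(raw.encode("utf-8")) > MAX_MESSAGE_BYTES:
        raise ValueError("oversized message")
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("missing header terminator")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line")
    headers: Headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("malformed header %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return m.group(1), m.group(2), headers, body


def source_permitted(src_ip: str, headers: Headers) -> bool:
    """Admit by source subnet, or else by the domain in the From header."""
    if any(ipaddress.ip_address(src_ip) in net for net in ALLOWED_NETWORKS):
        return True
    m = re.search(r"@([A-Za-z0-9.-]+)", headers.get("from", [""])[0])
    return bool(m) and m.group(1).lower() in ALLOWED_DOMAINS


def admit(raw: str, src_ip: str) -> Tuple[str, str]:
    """Protocol validation first, then source policy; returns (verdict, reason)."""
    try:
        method, _uri, headers, body = parse_request(raw)
        missing = [h for h in MANDATORY if h not in headers]
        if missing:
            raise ValueError("missing headers: " + ", ".join(missing))
        cs = CSEQ.match(headers["cseq"][0])
        if not cs or cs.group(2) != method:
            raise ValueError("CSeq does not match request method")
        if not headers["max-forwards"][0].isdigit():
            raise ValueError("non-numeric Max-Forwards")
        if int(headers.get("content-length", ["0"])[0]) != len(body.encode("utf-8")):
            raise ValueError("Content-Length mismatch")
    except ValueError as exc:
        return "drop", "protocol validation failed: %s" % exc
    if not source_permitted(src_ip, headers):
        return "drop", "source %s not permitted" % src_ip
    return "forward", "valid %s from %s" % (method, src_ip)


def hide_topology(raw: str) -> str:
    """Rewrite an outbound request so only the SBC's address is visible: collapse
    the Via chain to one SBC hop, drop Record-Route, rehost Contact. (A real SBC
    keeps the original Via set aside so it can route the response back.)"""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    out, via_done = [lines[0]], False
    for line in lines[1:]:
        name = line.partition(":")[0].strip().lower()
        if name == "via":
            if not via_done:   # hypothetical branch value; real SBCs generate a unique one
                out.append("Via: SIP/2.0/TLS %s;branch=z9hG4bK-sbc1" % SBC_EXTERNAL_HOST)
                via_done = True
            continue
        if name == "record-route":
            continue
        if name == "contact":
            line = re.sub(r"@[^>;]+", "@" + SBC_EXTERNAL_HOST, line)
        out.append(line)
    return "\r\n".join(out) + sep + body


# Constructed messages: a well-formed INVITE from an internal phone, and a
# broken one (CSeq names the wrong method, From and Max-Forwards are absent).
SAMPLE_INVITE = (
    "INVITE sip:bob@sip.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 10.1.2.3:5061;branch=z9hG4bK776asdhds\r\n"
    "Via: SIP/2.0/TLS 10.1.0.1:5061;branch=z9hG4bK1234\r\n"
    "Record-Route: <sip:10.1.0.1;lr>\r\n"
    "Max-Forwards: 70\r\n"
    "From: Alice <sip:alice@sip.example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@sip.example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@10.1.2.3:5061>\r\n"
    "Content-Length: 0\r\n\r\n"
)
MALFORMED_INVITE = (
    "INVITE sip:bob@sip.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 10.1.2.3:5061;branch=z9hG4bKdead\r\n"
    "To: Bob <sip:bob@sip.example.com>\r\n"
    "Call-ID: deadbeef\r\n"
    "CSeq: 1 BYE\r\n"
    "Content-Length: 0\r\n\r\n"
)
```

Validation runs before the source check so that a malformed message from an otherwise trusted subnet is still dropped before it reaches the IP-PBX, and `hide_topology` runs on what has already been admitted: after it, the only addresses left in the request are the SBC's own and the organisation's public SIP domain, while the message still passes `admit` unchanged in meaning.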

To summarize, security mechanisms in AudioCodes’ MSBG span from basic network protection and up to application aware protection. Since the MSBG is the cornerstone of the Enterprise VoIP network, it is essential to work with a vendor with extensive knowledge and experience in delivering enterprise VoIP solutions. It is also important to understand that new threats are constantly emerging, especially since VoIP has become so mainstream. Therefore, when selecting an MSBG device you need to take into account the options for upgrading its hardware and software in order to address new threats.