In the Patton Security webinar, we explained the three key functionalities of an eSBC: Fraud Prevention, Survivability, and Quality of Service.

Some great questions came up at the Patton Security webinar today and we’d love to share the answers with all of you who may have the same questions! If you missed the webinar, don’t forget to check out the presentation slides here!

Should the eSBC be used with a firewall or replace the firewall?

Answer: The best practice is to put the eSBC on the edge of the network (in front of the firewall) so that it gets the first look at the voice traffic coming into the network. This is where the back-to-back user agent and other VoIP security features can be most effective at detecting suspicious SIP messages, preventing DoS/DDoS attacks, and doing deep packet inspection. So yes, the eSBC can be used with a firewall; just don’t put it behind the firewall. I prefer to replace my existing firewall with the Patton eSBC since the eSBC has a built-in stateful firewall.

I already have a firewall, why do I need an eSBC?

Answer: Unfortunately, your firewall might not be as strong and reliable as you thought. For example, your firewall won’t protect you from potential hackers who commit toll fraud by hijacking a phone service and placing unauthorized long-distance calls. But an eSBC can!

 

Does the eSBC support transcoding? For example, can it go between G.711 and G.722HD codecs?

Answer: Yes, Patton eSBCs support transcoding as well as the G.722HD codec. To do transcoding, just be sure to choose a model that has transcoding listed as a feature.

There are several product families in the eSBC product line: SN5200, SN5300, SN5400, and SN5500. Both the SN5400 and SN5500 product families support transcoding.

What is the difference in the models as price increases?

Answer: The price of Patton’s eSBCs scales with the size of the deployment and the types of additional interfaces that may be required. For example, you can get a pure eSBC with 4 simultaneous calls enabled for MSRP around $500. You can then add additional simultaneous calls for MSRP of $11.00 each.

In another scenario you may have a need for FXS/FXO or PRI; those ports are available on some models, but are sold at a premium due to the additional hardware resources. The hybrid eSBCs with the added TDM ports are all reasonably priced and eliminate the need for additional gateways in your network. Everything can be handled in one unit, with the same security policies.

Patton offers a wide variety of eSBC options to fit your business needs. The price point starts at as low as $500. Be sure to visit their product page or read more about how to choose the right eSBC! If you have more questions, call one of our VoIP experts at 1-800-398-8647 today!

Are you on board and benefiting from VoIP? Great! But do you have protections for your VoIP network? You may have heard that, like other Internet-based systems, VoIP networks are also vulnerable to IP-based attacks such as denial-of-service (DoS) attacks and identity/information theft. Luckily, with proper security measures, you will be able to effectively block out the unwanted intruders!

Patton’s SmartNode SIP Session Border Controllers enable Unified Communications for SIP-to-SIP environments and contain built-in security features and a stateful firewall. They secure LAN networks from fraud strikes on the Internet. Even better, Patton products come with free post-sales technical support and a 1-year warranty. All products are made in the USA. Let’s check out their four most popular SN selections!

The SN5200

The SN5200 Enterprise Session Border Router is designed to ensure security and a high level of efficiency in the VoIP network. Connecting the Enterprise’s LAN to an Internet Telephony Service Provider (ITSP), the SN5200 creates a single conduit for multimedia components including voice, video, and data. This solution also includes SIP-aware NAT and access control lists (ACLs) for maintaining secure communications when SIP traffic crosses the Enterprise edge. See more features:

  • 1 10/100BaseT WAN port, 4 10/100 LAN Ethernet Ports
  • Complete IP Access Router
  • Quality of Service Voice priority
  • DownStreamQoS
  • Traffic management, shaping and policing
  • Web/HTTP, CLI with local console and remote Telnet access
  • Secure auto-provisioning for both firmware and unit/subscriber configuration
  • Built-in diagnostic tools (trace, debug, call generator)

The SN5300

Consider the SN5300 if you are searching for a powerful solution to create a reliable VoIP and data network. This solution is a CPE-based Enterprise Session Border Router with four SIP sessions, and it can be upgraded to 256 SIP sessions when needed. The SN5300 is designed to give users greater network flexibility and to make deployment, troubleshooting, logging, and security easier. Check out more features:

  • IP Routing — Policy Based Routing, Protocol Based Routing, Packet Length Routing, Packet Filtering
  • QoS and Security — Deliver secure, toll-quality voice communications routing
  • SIP Registrar – License is included in ALL ESBR products.
  • NO Transcoding
  • Ethernet — Intelligent 4 port Fast Ethernet BaseT 10/100 (routable and switchable)
  • WAN Access — Support for G.SHDSL EFM/ATM 4-wire and 8-wire interfaces
  • Trinity OS — Patton’s Linux based multi-service OS with call control and signaling features

The SN5540/5541

If you are looking for an all-in-one solution for your VoIP system, you won’t want to miss the SmartNode 5541 Series! This solution acts as a VoIP gateway, eSBC, access router and QoS CPE all in one device. It supports up to 8 simultaneous calls for a new standard in toll-bypass, remote/branch office connectivity, and enhanced All-IP carrier services. The SN5541 also undertakes network assessment and monitoring at the customer premise to prevent, reduce and resolve network issues. A truly cost-effective solution! Find more highlighted features:

  • Embedded Packet Smart Agent for network monitoring and assessment 24×7
  • Secure zero-touch provisioning (HTTPS) for ease of use
  • WebWizard, HTTPS zero touch provisioning, SNMP, command line interface
  • SIPv2, SIPv2 over TLS, ISDN, T.38, G.722 HD Voice, RTP Security with SRTP, fax and modem bypass, DTMF relay.
  • Interoperable for voice and T.38 fax with leading SIP service providers, softswitch vendors, and major IP-PBX manufacturers

Access to SN5541 Datasheet

The SN5570

As is consistent with all Patton SmartNode products, the SN5570 Series units are state-of-the-art ESBRs and also provide policy-based IP routing. This Patton ESBR accommodates 1 E1/T1/PRI, up to 30 VoIP calls or 15 SIP Sessions (SIP B2B calls). It is also upgradable, includes SIP-TLS and SRTP, and can support 16 Transcoded Calls, 2x Gig Ethernet, and an external UI power source. Learn more features:

  • Supports 30 VoIP Calls
  • Full VoIP Protocol Support
  • Full Telephony Features
  • Outstanding Interoperability
  • Class A Compliance
  • High Precision Clock (HP) Option
  • Supported by SmartNode Redirection Service

Now, take a look at the comparison chart again to see the four products side by side!

See More Patton eSBCs


The NetVanta Series is a comprehensive portfolio of enterprise-class networking equipment designed to cut costs in your network without compromising performance. Recently, ADTRAN released a new NetVanta family member – the NetVanta 3140, a fixed-port, high-performance Ethernet router supporting converged access and high-quality voice services.

This brand new router is an excellent selection for fast-growing small-to-mid-sized businesses looking for a fast, easy, and extremely flexible solution. It is ideal for carrier-bundled service offerings, and enterprise class Internet access for secure, high-speed, corporate connectivity. Let’s see what hot features it has to offer!


Top 5 Benefits of The NetVanta 3140

#1 Flexibility and Redundancy

The NetVanta 3140 is ideal for multiple applications where Ethernet redundancy is needed, given the three Gigabit ports that can be either LAN or WAN facing. This solution also features a USB interface that can be used for 3G/4G backup. If your deployment still separates voice and data networks, the NetVanta 3140 will be a perfect fit with a single WAN link and the other two Gigabit interfaces.

#2 Feature-rich ADTRAN® Operating System (AOS)

The ADTRAN Operating System (AOS) allows for the support of static and default routes, demand and policy based routing, and provides fast, accurate network convergence using routing protocols such as BGP, OSPF, RIP, and PIM Sparse Mode for multicast routing.

The AOS provides a powerful inspection firewall that can protect against common Denial of Service (DoS) attacks like TCP SYN flooding, IP spoofing, and more. Its Web-based GUI comes with a step-by-step configuration wizard, management capability, and the ability to upload firmware updates.

#3 Enterprise Session Border Controller (eSBC)

As an eSBC has become mandatory for most VoIP deployments, the NetVanta 3140 also includes an optional eSBC to secure and troubleshoot your SIP-to-SIP communications. This eSBC builds strong, robust network security and enables voice interoperability, delivering a truly converged application platform at the customer premises.

#4 Voice Quality Control

The NetVanta 3140 uses Low Latency Queuing, Weighted Fair Queuing (WFQ), Class-based WFQ, and DiffServ marking to prioritize mission-critical traffic and control network congestion. It also deploys Voice Quality Monitoring (VQM) to capture MOS, jitter, delay, and packet loss statistics to troubleshoot VoIP calls over the WAN. This diagnostic tool is extremely valuable because it isolates the network issues in real time and ensures superior call quality at all times.

#5 VoIP Ready

The NetVanta 3140 highlights a specialized SIP ALG that allows SIP traffic to traverse NAT-enabled firewalls. This interoperability allows IP PBXs, phones, and other SIP-based devices to set up, tear down, and pass voice and call control messages seamlessly through the integral NAT-enabled firewall. In combination with the QoS and VQM features, the NetVanta is truly VoIP ready and is available as either a desktop or rack-mountable platform.

Access to the NetVanta 3140 Datasheet

More Benefits to See!


Check out ADTRAN 3140 Now!


Cost saving is one of the main reasons for many businesses and enterprises to move to VoIP. For businesses that deploy SIP trunks, it may be tempting to cut corners by using lower cost network elements, or by omitting some devices they consider “non-essential” but nice-to-have.

One question we often hear is “Why can’t I just connect my IP Phone or IP PBX to a SIP trunk?” Well, to answer that question, let’s take a look at the risks you are exposed to without extra protection.

Issue #1 – Security

You may encounter unexpectedly high phone bills. According to the Communications Fraud Control Association (CFCA) report, Internet-based toll fraud cost small business victims $6.08 billion in 2015. Hacking, spamming, and tampering are difficult to prevent without an extra layer of protection.

Failing to encrypt the SIP signaling data can expose such information as user credentials, phone numbers, IP addresses and aspects of the company network topology to malicious intruders.

Solution:

Both SIP signaling information and media content (digitized voice) must be protected (hidden) by encryption.

A high-quality eSBC like Patton’s SN4451 Series will provide a rich set of security features that protect the provider WAN network and the customer LAN from each other, as well as from external security vulnerabilities.

Issue #2 – Reliability

IP telephony operates over a complicated computer-based network, and it can suffer network failure and downtime if it’s not protected. Such network failures can cause gaps in a company’s phone service, resulting in disrupted communications and loss of business continuity.

Solution:

An eSBC such as Patton’s SN4511 that provides a failover mechanism, and that also provides media gateway and IP routing functions, can deliver survivability for voice and data over a fallback connection to the local phone company (PSTN).

Issue #3 – Service Quality

Bad service quality is the worst. You could lose customers or subscribers because of the poor voice quality or unreliable service.

Solution:

Patton’s SN4451 eSBCs provide dual Quality of Service (QoS) mechanisms that include:

  • Bandwidth Reservation – minimum link capacity allocated for voice packets
  • Downstream QoS – throttling mechanisms that limit and slow down large downstream data bursts to prevent flooding the capacity of the link.

Issue #4 – Interoperability

Potential business customers have selected innumerable brands of (traditional or IP-based) PBXs and phones. How many can you realistically certify for guaranteed interoperability with your network elements, protocols, and services?

Solution:

Patton’s eSBCs provide legacy interfaces that IP-enable existing ISDN and POTS business phone systems, helping businesses preserve the value and extend the useful life of their capital investments in traditional telephony solutions. While taking advantage of the cost-saving and operational benefits of IP telephony, such solutions enable companies to migrate to converged communications at the pace they deem most comfortable and cost-effective.

Download Patton’s full white paper here.

More Benefits from Patton’s SN5541 eSBCs

Patton’s SN5541 Series acts as VoIP gateway, eSBC, access router and QoS CPE all in one device. It also monitors, prevents, reduces, and resolves network and voice quality problems. Learn more here!


  • Up to 8 FXS interfaces
  • Advanced Local Call Switching
  • Network Monitoring
  • Auto-Provisioning
  • Easy Management & Provisioning
  • Full VoIP protocol support
  • Made in the USA
  • Free Software Upgrades

VoIP security is a hot topic, and rightfully so. A compromised system can cost you $$$ in phone bills, so how do you prevent a breach? Well, the answer isn’t as complicated as you’d expect. There are a lot of opinions floating around on the subject, so let me address some truths and falsehoods that may be of importance when securing your VoIP system.

Fiction: You NEED a session border controller (SBC)

If you are a small business or are installing a VoIP system in your home, there is no need for an SBC. An SBC is a great device (or virtual appliance) because it masquerades your internal VoIP infrastructure. In basic terms, a SIP trunk from a provider terminates to the SBC, which then connects to your phone system via a SIP trunk. The SBC acts as the middleman in the transaction. To an outsider, SIP header information sources from the SBC and not your internal equipment. Although an SBC is a great extra layer of security and reduces overall attack vectors, it’s not required to make VoIP reliably secure for the majority of small deployments. Terminating a SIP trunk directly to your phone system behind a hardware-based or virtual firewall provides the security that would be deemed required to keep you from incurring fraudulent toll charges.

Fact: You NEED a firewall

On the same topic as above, if you are going to be using SIP trunks to talk to the outside world, you’ll need a hardware or virtual firewall appliance to secure what is allowed in and out. In addition to the basics of protecting SSH, Telnet, and HTTP/HTTPS access to your phone system, you should always restrict which IP addresses can communicate directly with the phone system when it comes to SIP and IAX (if you use it). What that means is only allowing IP addresses from your SIP provider, any remote extensions, or remote branches. Never ever expose your system directly to the internet without some type of firewall in front of it.

Fiction: Remote extensions MUST use a VPN

This is not true, but it isn’t a bad idea. A VPN will allow you to bypass NAT, which is the culprit in most one-way audio issues. The trick here is to tell the phone system all of the local IP subnets that it will be talking SIP to. You’ll find this to be configurable on just about every Asterisk-based phone system. A VPN also allows you to encrypt your session if you’re worried about the NSA listening in. An alternative would be using TLS and SRTP without a VPN, but you’ll just lose the benefit of avoiding NAT. The best way to securely deploy remote extensions is to use either a VPN or TLS. If you’re not using a VPN, make sure to define your inside IP subnets (as mentioned before), as well as your external IP address. These are all also configurable on just about any Asterisk system. Make sure you port forward SIP and RTP in your firewall to your phone system and secure your inbound rules by source IP addresses. Every system is a little different, but most Asterisk systems use 5060 UDP (SIP), and 10000-20000 UDP (RTP).

Fact: VoIP is NOT set it and forget it technology

If you’re going to take on the task of managing an IP phone system in your IT infrastructure, you need to adopt the mindset of monitoring it. Especially if you have port 5060 open to the outside world, you need to be logging and enabling alerts. In the past, phone systems have been bolted to a wall in a closet that no one ever went into except the PBX vendor. Now your system is racked next to your switches and servers. For those of you who are FreePBX users, Sangoma has just started to release their RMS platform, which simplifies centralized remote monitoring of multiple FreePBX and PBXAct systems. Stay tuned for a review on this!

 

Fiction: Not using port forwarding makes your phone system more secure

This isn’t actually a common belief, but it comes from a post I recently read on Spiceworks. It was claimed that a system had been made more secure by not forwarding port 5060 UDP from the firewall to the actual PBX. If this configuration was actually working, it was a minor miracle. The fact is there are usually two components of sending SIP traffic through your firewall. There is a firewall rule, allowing the traffic, and a fixed NAT association with the protocol and a device within your network. As long as you’ve made appropriate rules allowing SIP to your system, the port forwarding is simply a mechanism to help keep consistent NAT associations. In general, SIP and NAT do not play well with each other. Pro tip: when you experience one-way audio, always look at NAT first.

Fact: You do not need to restrict RTP traffic to specific source IP addresses

I bet you never thought of this one. If you have, bonus points. While you should ALWAYS restrict SIP traffic by source IP address, it’s not necessary to do so with RTP. RTP is simply a media stream and doesn’t have the capability of initiating a SIP session, or any kind of session. Dare I say, you can leave the RTP port range open on your firewall. However, it doesn’t really hurt anything to place a source IP restriction on it.
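
One way to check an exported firewall ruleset against the advice above: SIP (5060) restricted by source IP, SSH/Telnet/HTTP/HTTPS protected, and the RTP range (10000-20000) reported for information only. This is an added example, not part of the original post; it assumes Linux `iptables-save` output, and the sample ruleset and its addresses are constructed.

```python
import ipaddress
import shlex

SIP_PORT = 5060                      # SIP signalling port named in the article
RTP_RANGE = (10000, 20000)           # RTP media range named in the article
MGMT_TCP = {22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS"}

# Constructed sample in iptables-save format; addresses are documentation ranges.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT
COMMIT
"""

def _port_range(spec):
    """'5060' -> (5060, 5060); '10000:20000' -> (10000, 20000)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def _any_source(src):
    """True when there is no usable -s match or it covers every address."""
    return src is None or ipaddress.ip_network(src, strict=False).prefixlen == 0

def audit(ruleset):
    """Return (severity, reason, rule) for ACCEPT rules reachable from any source."""
    findings = []
    for raw in ruleset.splitlines():
        tok = shlex.split(raw)
        if len(tok) < 2 or tok[0] != "-A" or tok[1] not in ("INPUT", "FORWARD"):
            continue
        opt = {}
        for i in range(2, len(tok) - 1):
            if tok[i] in ("-s", "-p", "-j", "--dport", "--dports"):
                # "! -s x" admits everything except x, so treat it as unrestricted.
                opt[tok[i]] = None if tok[i - 1] == "!" else tok[i + 1]
        ports = opt.get("--dport") or opt.get("--dports")
        if opt.get("-j") != "ACCEPT" or not ports or not _any_source(opt.get("-s")):
            continue
        for lo, hi in map(_port_range, ports.split(",")):
            if lo <= SIP_PORT <= hi:
                findings.append(("HIGH", "SIP open to any source", raw))
            if opt.get("-p") == "tcp":
                for port, name in MGMT_TCP.items():
                    if lo <= port <= hi:
                        findings.append(("HIGH", f"{name} open to any source", raw))
            if lo <= RTP_RANGE[1] and hi >= RTP_RANGE[0]:
                findings.append(("INFO", "RTP open to any source", raw))
    return findings

if __name__ == "__main__":
    for severity, reason, rule in audit(SAMPLE):
        print(f"{severity:4} {reason}: {rule}")
```

Feed it the text of `iptables-save` from the host in front of the PBX; only the HIGH findings contradict the rules in this post.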