The Security Model

The Oracle Communications SBC is a purpose-built device that gives customers both centralized and distributed control of the management and security of UC networks. The SBC is a critical network security element for VoIP services, designed to manage sessions effectively and to protect core network elements from various types of DDoS attacks, including both malicious and non-malicious signaling overload attacks. The SBC is the sole ingress and egress point for all signaling messages (SIP/H.323) and media streams to and from the core network, and it is therefore generally the demarcation point between trusted and untrusted network boundaries. Hence it is vital that the SBC be as secure and available as possible.

Oracle provides a number of industry-leading techniques, applied through SBC configuration, to secure the network border. Some of these features are enabled "out of the box" and some require further analysis of the network architecture to determine the optimal configuration for security.

For example, one of the SBC's primary functions is access control based on layer 5 signaling messages. The SBC admits authorized VoIP communications into the core network by opening and closing firewall ports and by performing NAPT (network address and port translation) on all signaling and media IP packets. Signaling messages going to and from the SIP core servers, residential gateways and/or peering affiliate infrastructure are therefore inspected and rewritten as necessary by the SBC.

The SBC follows a "closed" philosophy in which ports and interfaces are closed by default and opened only on an as-needed basis. Therefore, the system will generally have ports, services and processes disabled unless they are explicitly configured.
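The following is an added, simplified simulation of the behaviour described above (signaling-driven pinholes, NAPT rewriting of the SDP, and closed-by-default media handling); it is illustrative code written for this page, not Oracle's SBC implementation, and the `MediaGateway` class, its port-allocation scheme and the sample INVITE are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample INVITE with an SDP body (RFC 5737 documentation
# addresses); not a real capture.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Call-ID: call-1@198.51.100.7\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 198.51.100.7\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

@dataclass
class MediaGateway:
    """Default-deny media firewall: a media packet is accepted only through a
    pinhole that SIP signaling opened, and a BYE closes that call's pinholes."""
    public_ip: str                      # SBC-owned address written into the SDP
    next_port: int = 20000              # next even (RTP) port the SBC hands out
    pinholes: dict = field(default_factory=dict)  # (remote_ip, port) -> Call-ID

    def on_invite(self, msg: str) -> str:
        """Open RTP/RTCP pinholes for each m= line; return the NAPT-rewritten INVITE."""
        headers, _, sdp = msg.partition("\r\n\r\n")
        call_id = re.search(r"^Call-ID:\s*(\S+)", headers, re.M).group(1)
        remote_ip = re.search(r"^c=IN IP4 (\S+)", sdp, re.M).group(1)

        def rewrite(m):
            remote_port = int(m.group(2))
            local_port, self.next_port = self.next_port, self.next_port + 2
            for k in (0, 1):            # RTP on the even port, RTCP on the odd one
                self.pinholes[(remote_ip, remote_port + k)] = call_id
            return f"m={m.group(1)} {local_port} {m.group(3)}"

        # Rewrite media port and connection address so the core only sees the SBC.
        sdp = re.sub(r"^m=(\w+) (\d+) ([^\r\n]*)", rewrite, sdp, flags=re.M)
        sdp = re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {self.public_ip}", sdp, flags=re.M)
        return headers + "\r\n\r\n" + sdp

    def on_bye(self, call_id: str) -> int:
        """Close every pinhole belonging to the call; return how many were closed."""
        closed = [k for k, v in self.pinholes.items() if v == call_id]
        for k in closed:
            del self.pinholes[k]
        return len(closed)

    def allow(self, src_ip: str, src_port: int) -> bool:
        """Closed by default: only traffic matching an open pinhole passes."""
        return (src_ip, src_port) in self.pinholes
```

Media from an address or port that no INVITE announced is dropped, and the pinholes disappear as soon as the call is torn down, which is the closed-by-default model the text describes.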