UC Firewall and Session Border Controller Security within and beyond the boundaries
Security within and beyond your network s boundaries Our connected world We are living and working in a new world that is defined by global connections, where mobility and collaboration are the norm. Technologies that allow us to work in a more fluid, dynamic and collective manner are defining the age. This new communicative era heralds a multitude of opportunities for businesses. But with the unprecedented opportunities come unprecedented risks. Security threats are emerging quicker than the new technologies are being adopted. In recent month s large organisations have been hit by security breaches that have compromised their customers data and damaged their brands and stock values. Safe and secure Information security is the number one priority for any business. Unified communications are no different to any other areas of technology and are vulnerable to risks such as toll fraud, call interception, Denial of Service (DoS), or spam over IP telephony, to name just a few. So enterprises need connectivity solutions that allow relationships between staff and customers to deepen and flourish while at the same time delivering security and control. All IP-based systems require protection built into the heart of any infrastructure in the form of security controls that can protect data and ensure reliable enterprise communication. Beyond borders Companies are increasingly relying on web-based applications for collaboration and communication outside the organisations boundaries. In simple terms, this means more complex connections within applications are being made. Information flows to and from customers are increasing, and companies data centers are under growing strain. Perimeter security controls are constantly required to be kept up-to-date with the rapid changes in the communications environment yet such controls can quickly become outdated. Many enterprises use traditional firewalls to secure their data network. But these firewalls have a raft of limitations and are simply inadequate when it comes to VoIP and UC security. The consequences have far deeper ramifications then isolated security breaches. Trust in the Unified Communications system itself can diminish among staff and customers. As relationships suffer, so do business brands. Yet Unify s next-generation UC Firewall and Session Border Controller provide enhanced security features and performance levels that resolve these issues and bring the benefits of VoIP/UC collaboration securely into your network. 3
Security built into your solutions, not tacked on as an afterthought Unify believes the most reliable security solutions should be integrated and not bolted on. UC Firewall and Session Border Controller are specifically designed to protect VoIP/ UC. Both may be used independently or in conjunction with each other. The result is a two-tier security controls that boosts the defenses of your network. UC Firewall and Session Border Controller help to keep your VoIP/ UC system safe from both IP-based attacks and unauthorized access from untrusted networks. Working in harmony Whatever your specific security needs, UC Firewall and Session Border Controller can be used flexibly. Both can be perfectly integrated into your company s infrastructure to complement your security policy. And it is worth knowing that all Unify s products, solutions and services provide sophisticated functionality, reliable operation and high quality. And of course they all comply with internationally recognized standards. Getting Technical Traditional Firewalls protect IP data networks, servers and applications against threats by using stateful filtering of IP data traversing through the IP firewall. Some firewalls add gateway functionality to extract the information necessary to set up and maintain the call. This allows the firewall to create and maintain a single end-to-end SIP session on both sides of the firewall. By comparison, a Session Border Controller (SBC) is a VoIP session-aware device that controls call admission to a network at the boundary of the network. SBC securely connects multiple locations and extends communications to remote workers and agents. 5
UC Firewall secure communications, safe data UC Firewall overview: Globally available Proven compatibility with Voice and UC solutions Professional support Managed services Trust and security UC Firewall provides the most fundamental security measures that not only protect an Voice and UC infrastructure but also data infrastructures and applications against unauthorized access, unwanted traffic and (SIP-based) attacks. It is both firewall and Intrusion Prevention System (IPS) that ensures a reliable and secure communication exchange to/from your solution. UC Firewall handles all traffic types including voice, UC and data. It guarantees a secure interaction between all existing applications and Voice. UC Firewall scenarios Data Center Data Center Scenario Voice Centralized Applications SIP Trunking Scenario SIP SIP PSTN SSP Media Gateway UC Firewall SBC UC Firewall UC Firewall = SIP Firewall + Data Firewall WAN/ Internet SIP + UC Decentralized Branch Firewall Scenario SIP + UC UC Firewall Access Areas PSTN Branch Branch 6
Getting to know you Furthermore, groups, departments and stakeholders are recognised by the UC Firewall according to their responsibilities and access permission. Entry to specific areas, networks and devices can therefore be granted or denied. In short, UC Firewall secures all areas of trust according to an enterprise s security policy. Furthermore, UC Firewall is capable of real-time intrusion prevention. So it scans voice traffic for malicious content and block the traffic where necessary. A security solution for every project and company size World leaders in security solutions Fortinet a world leader in unified threat management appliances is Unify s trusted partner in offering UC Firewall. Fortinet provides a broad, flexible and scalable product platform called FortiGate. In simple terms, Fortigate provides an appropriate security solution for every type of project and company size. The platform minimizes the necessary investment, and maximises the opportunity for securing communications. Fortinet an overview: A market leader in Unified Threat Management Strong increase of Fortinet market shares in the past years Innovation, high-performance ASIC technology cost efficient Clear commitment and integration of VoIP and UC Security Strong experiences with Voice / SIP and UC in Carrier / Service Provider Business Certified. Tested. Approved. UC Firewall complies with all requirements of contracting authorities and is Common Criteria EAL 4+ certified. Furthermore, it supports all Voice features. This guarantees a quick and reliable implementation and ensures a smooth interaction with Voice and UC. 7
8
Session Border Controller beyond the enterprise s boundaries Extending communications Session Border Controller (SBC) was developed by Unify as a solution component of the award-winning solution portfolio. It allows VoIP networks to securely extend communications beyond an enterprise s network boundaries. Focus on VoIP SBC dynamically opens and closes firewall pin holes, allowing controlled access to your protected network. SBC performs the necessary inter-operability, security, management, and control capabilities to support SIP trunking applications. It also supports the SIP endpoint registration services that are necessary to facilitate remote-user and remote-branchoffice applications. SBC supports all Voice features and is fully manageable via the same Common Management Platform (CMP) that is used to manage other network elements in the Solution Set. Session Border Controller use case scenarios PSTN Remote User SSP Internet SIP Trunking SBC Common Management Platform Voice SBC review Linux-based operating system Designed specifically for Voice solution Single point of administration for Voice and SBC Provides highly secure unified communications solutions Supports secure calls by encrypted signalling Supports secure calls by encrypted media Secure Real-Time Transport Protocol (SRTP) Intrusion detection, topology hiding and strict SIP validation Delivers Network Address Translation (NAT) and Port Address Translation (PAT) for remote worker/agent access PSTN Branch (Proxy Mode) 9
10
A flexible pair in a secure relationship When two become one Both UC Firewall and SBC are state-of-the-art security solutions that perfectly complement one another and work in harmony. UC Firewall protects voice, UC and data infrastructures and applications against unauthorized access, unwanted traffic and (SIP-based) attacks. Meanwhile, SBC controls call admission at the border of the network. Both may be used independently or in conjunction with each other. Typical use-case scenarios for UC Firewall: Protecting critical centralized servers within a data center Protecting a local or de-centralized network such as corporate branches Customers that require Common Criteria EAL4+ certified security protection Typical use-case scenarios for SBC: SIP trunking to a SIP service provider (SSP) Secure remote-user access regardless of location or public/private network Two-level security UC Firewall and SBC are ideal solutions in a two-level security strategy. This is often required by large enterprises and governmental organizations that have strong, and often unique, security requirements and policies. For SIP trunking, SBC functionality is a fundamental requirement that can t be substituted by pure firewall functionality. The UC Firewall offers enterprise-grade firewalling to the IP connection as a first line of defence while SBC sits behind offering further protection. 11
12
The security you require Use-case scenarios for both UC Firewall and SBC can widely differ as every organization has specific security requirements. However, in SIP-trunking scenarios we consider SBC to be mandatory regardless of the enterprise size. Meanwhile, the UC Firewall should be a basic requirement for medium-tolarge enterprises wishing to protect a data center. UC Firewall and SBC offer the flexibility you need and the level of security you require for your network. Functional Differentiation UC Firewall SBC UC Firewall Web collaboration Protect UC (HTTP/HTTPS) traffic Unified security for voice/sip and UC/HTTP Legacy firewalling for management traffic Load balancing Network segmentation / security zone separation SIP & RTP protocol inspection Dynamic pin-holling SIP message limitation SIP/TLS support beginning with UC Firewall V1 R2 SBC Far end-nat/ Hosted NAT traversal Adaption, manipulation, and repair of SIP protocol (SIP-Trunking) Media anchoring Transcoding between codecs or RTP/SRTP UC Firewall vs. SBC: Data Center Data Center UC Firewall Voice SBC Voice Transparent for signaling & Session Description Protocol (SDP) Single session across system Inspects SIP header, body and protocol conformance as defined by firewall policy of the SIP-ALG and IPS Dynamically open / close RTP media ports Terminates, re-initiates and initiates signaling & SDP Two sessions one on each side of system Inspects and modifies any application layer header info (SIP, SDP, etc.) Able to resolve interworking issues Dynamically open / close RTP media ports 13
14
Unify a global leader in corporate communications World beaters Unify has long been a global leader in corporate communications. And when it comes to communications security, nobody knows better than us. Relying on Unify as your single contact for all voice, UC and security-related matters makes business life more convenient. Relationships become easier, staff become happier, customers become more satisfied. Unify offers a highly qualified service worldwide. Meanwhile, our security solutions are based on an open architecture that complies with the most rigorous government standards. Depending on the vulnerability of the business areas, customers can choose between different Service Level Agreements (SLA). It all comes down to our customers specific business needs. In short, Unify can provide the appropriate support to solve any security issues. Leading you to security As a global leader in communications security, our years of experience uniquely position us to offer the best-in-class and most secure products, solutions and services allowing executives to focus on their core businesses. As already mentioned, we provide security that is built in, not bolted on a system that works in harmony with your infrastructure and needs. Be secure in the knowledge our offering is the best on the market. 15
About Unify Unify is one of the world s leading communications software and services firms, providing integrated communications solutions for approximately 75 percent of the Fortune Global 500. Our solutions unify multiple networks, devices and applications into one easy-to-use platform that allows teams to engage in rich and meaningful conversations. The result is a transformation of how the enterprise communicates and collaborates that amplifies collective effort, energizes the business, and enhances business performance. Unify has a strong heritage of product reliability, innovation, open standards and security. unify.com Copyright Unify GmbH & Co. KG, 2015 Hofmannstr. 63, D-81379 Munich, Germany All rights reserved. The information provided in this document contains merely general descriptions or characteristics of performance which in case of actual use do not always apply as described or which may change as a result of further development of the products. An obligation to provide the respective characteristics shall only exist if expressly agreed in the terms of contract. Availability and technical specifications are subject to change without notice. Unify,, OpenStage and HiPath are registered trademarks of Unify GmbH & Co. KG. All other company, brand, product and service names are trademarks or registered trademarks of their respective holders.