The Blind Spot in Zero Trust: Securing Voice Communication

essidsolutions

Is your Zero Trust strategy falling short? Chances are, your solutions aren’t addressing your enterprise network’s needs. Dan Teichman, director of solutions marketing at Ribbon Communications, explains why voice communications could be leaving your company vulnerable.

With hybrid-remote workforces becoming a fixture in business, organizations are—sensibly—turning to Zero Trust Architectures (ZTAs) to protect data in the expanding attack surface created by mobile work connections and cloud/edge computing environments. But many zero-trust service providers and on-premises network solutions aren’t addressing all the needs of enterprise networks. They fall short in protecting voice networks, creating a gap that could lead to seriously damaging attacks.

A ZTA takes a “never trust, always verify” approach to cybersecurity, focusing on continuous authentication and authorization. As defined by the National Institute of Standards and Technology, it covers users, devices, networks, infrastructure, applications and data, using automation and orchestration to provide visibility and analytics. When properly deployed, a ZTA can improve security while reducing complexity.

However, if you’re not addressing voice communications, you’re leaving your company vulnerable. 


Need for Speed Kills Firewall Protections

Many organizations rely on next-generation firewalls to secure unified communications (UC), including voice and video calls, meeting applications, collaboration channels, file sharing, and more. But the problem is that firewalls don’t properly protect UC networks or support real-time communications (RTC) flows. Although firewalls perform essential services, they don’t provide the highly stateful tracking and port control necessary with Session Initiation Protocol (SIP)-based communications, where mid-session additions and changes are common.

Voice quality depends on fast, end-to-end packet processing, but firewalls process packets on a first-come-first-served basis. This puts real-time communications, which generate more packets than other types of network traffic, in the queue along with all other traffic, slowing things down.

Many enterprises “solve” this problem by disabling the SIP Application-Level Gateway (SIP ALG) and opening firewall ports to let RTC traffic through. But that creates major security risks because it leaves more than 16,000 potential RTC media ports open to attack. The gaps in firewall protection can expose a network to threats such as Denial of Service (DoS) and theft of service attacks while negatively affecting performance. Firewalls’ limited inspection of voice over IP (VoIP) packets also leaves the network vulnerable to VoIP spoofing attacks.

SBCs Give Voice to Zero Trust

The way to close those gaps and bring RTC security up to the zero-trust level applied elsewhere in the enterprise is with a Session Border Controller (SBC). Unlike a firewall, an SBC processes RTC at near-wire speed and is designed to monitor the SIP signaling messages exchanged between two endpoints. When a call comes in, the SBC knows which ports to open, and it closes them when the call is finished. An SBC provides a policy-based control layer to secure UC dynamically.

Regardless of an endpoint’s location, an SBC enables multiple security features, including:

Access: An SBC provides access control that matches a zero-trust environment when the voice network is configured to send SIP access registration for all users, regardless of location, through the SBC. Before forwarding the SIP registration to a Private Branch Exchange (PBX) or a UC Server, the SBC acts as a Back-to-Back-User Agent (B2BUA), hiding the connection to the PBX or UC Server. If the registration fails, the endpoint will be blocked. 

Authentication: An SBC will pass the required portions of an authorization—typically a combination of username, password or PKI certificate—to the SIP registrar. Once authenticated, it will require a re-registration if there is any change in the endpoint, such as an IP or MAC address change. 

Encryption: An SBC can ensure security by being configured for any of three encryption standards: Transport Layer Security (TLS), Secure RTP (SRTP) or IP Security (IPsec). It also can use two standards required for most voice providers in the United States since June 2021: Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted Information Using toKENs (SHAKEN). The standards use Caller ID to confirm the origin of a call, providing another layer of security against Caller ID spoofing.
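The access, authentication and per-call port control described above can be made concrete with a small simulation. The following Python is an added illustration written for this page; it is not Ribbon's or any vendor's code and not from the original article. It models a toy SBC policy engine that gates every request behind a successful REGISTER, opens exactly one media pinhole for the RTP port negotiated in the INVITE's SDP, closes it on BYE, and invalidates a registration when the endpoint's source IP changes, so the endpoint must re-register. It also compares that single dynamic pinhole with the size of the static port range a firewall would be asked to open, the approach the "Need for Speed" section warns against. The SIP messages, the realm, the fixed nonce, the simplified digest calculation and the 16384 to 32767 RTP range are all constructed assumptions, not values from the article.

```python
import hashlib
import re

REALM = "example.com"                    # constructed sample realm
NONCE = "nonce-0001"                     # fixed for the demo; a real registrar issues a fresh nonce per challenge
STATIC_RTP_RANGE = range(16384, 32768)   # assumed RTP range a firewall would be asked to open statically


def digest_response(user, password):
    """Simplified digest (assumption, not full RFC 3261 digest): md5(user:realm:password:nonce)."""
    return hashlib.md5(f"{user}:{REALM}:{password}:{NONCE}".encode()).hexdigest()


def parse_sip(raw):
    """Split a SIP request into (method, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, body


def sip_user(headers):
    """Extract the user part of the From URI, e.g. 'alice' from <sip:alice@example.com>."""
    m = re.search(r"sip:([^@>;]+)@", headers.get("from", ""))
    return m.group(1) if m else None


def sdp_audio_port(body):
    """Return the RTP port advertised by the SDP 'm=audio <port> ...' line, if any."""
    m = re.search(r"^m=audio (\d+) ", body, re.MULTILINE)
    return int(m.group(1)) if m else None


def build_message(method, user, call_id, authorization=None, rtp_port=None):
    """Construct a minimal SIP request (sample data, not a complete RFC 3261 message)."""
    headers = [f"From: <sip:{user}@{REALM}>;tag=1", f"To: <sip:{user}@{REALM}>", f"Call-ID: {call_id}"]
    if authorization:
        headers.append(f'Authorization: Digest username="{user}", response="{authorization}"')
    body = ""
    if rtp_port is not None:
        headers.append("Content-Type: application/sdp")
        body = f"v=0\r\nm=audio {rtp_port} RTP/AVP 0\r\n"
    return f"{method} sip:{REALM} SIP/2.0\r\n" + "\r\n".join(headers) + "\r\n\r\n" + body


class ToySBC:
    def __init__(self, credentials):
        self.credentials = credentials   # stands in for the registrar's user store (hypothetical)
        self.registered = {}             # user -> source IP that registered
        self.pinholes = {}               # Call-ID -> (ip, rtp port) currently admitted on the media plane

    def registrar_check(self, user, auth_header):
        """Hand only the credential material to the 'registrar' and return its verdict."""
        m = re.search(r'response="([0-9a-f]+)"', auth_header or "")
        if user not in self.credentials or not m:
            return False
        return m.group(1) == digest_response(user, self.credentials[user])

    def handle(self, src_ip, raw):
        method, hdr, body = parse_sip(raw)
        user, call_id = sip_user(hdr), hdr.get("call-id")
        if method == "REGISTER":
            if self.registrar_check(user, hdr.get("authorization")):
                self.registered[user] = src_ip
                return "200 OK"
            self.registered.pop(user, None)            # failed registration: endpoint is blocked
            return "403 Forbidden"
        if self.registered.get(user) != src_ip:         # never registered, or the address changed
            self.registered.pop(user, None)            # force a fresh registration from the new address
            return "401 Unauthorized"
        if method == "INVITE":
            port = sdp_audio_port(body)
            if port is None or port not in STATIC_RTP_RANGE:
                return "488 Not Acceptable Here"
            self.pinholes[call_id] = (src_ip, port)    # one port, for this call only
            return "200 OK"
        if method == "BYE":
            self.pinholes.pop(call_id, None)           # the pinhole closes with the call
            return "200 OK"
        return "501 Not Implemented"

    def media_allowed(self, src_ip, port):
        """Would the media plane admit RTP from this address and port right now?"""
        return (src_ip, port) in self.pinholes.values()


def run_demo():
    """Drive the toy SBC through a constructed call flow and collect each verdict."""
    sbc, ip = ToySBC({"alice": "correct horse"}), "10.0.0.5"
    out = {}
    out["bad_register"] = sbc.handle(ip, build_message("REGISTER", "alice", "r1", authorization="deadbeef"))
    out["invite_unregistered"] = sbc.handle(ip, build_message("INVITE", "alice", "c1", rtp_port=20000))
    good = digest_response("alice", "correct horse")
    out["good_register"] = sbc.handle(ip, build_message("REGISTER", "alice", "r2", authorization=good))
    out["invite"] = sbc.handle(ip, build_message("INVITE", "alice", "c1", rtp_port=20000))
    out["media_open"] = sbc.media_allowed(ip, 20000)
    out["media_other_port"] = sbc.media_allowed(ip, 20002)
    out["open_ports_dynamic"], out["open_ports_static"] = len(sbc.pinholes), len(STATIC_RTP_RANGE)
    out["bye"] = sbc.handle(ip, build_message("BYE", "alice", "c1"))
    out["media_after_bye"] = sbc.media_allowed(ip, 20000)
    out["invite_new_ip"] = sbc.handle("10.0.0.9", build_message("INVITE", "alice", "c2", rtp_port=20000))
    out["still_registered"] = "alice" in sbc.registered
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:22} {v}")
```

The point of the comparison is the two port counts: while the call is up, the toy SBC admits media on one address/port pair, whereas the static "open the RTP range" workaround admits 16,384 ports for every address, all the time. The B2BUA hiding of the PBX is not modelled here; in a real SBC the INVITE would be re-originated toward the PBX from the SBC's own address rather than forwarded as-is.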


Extra Benefits

In addition to making RTC faster, simpler and more secure, SBCs offer other benefits, including the ability to scale as the remote/hybrid workforce grows. SBC providers typically provide a range of SBCs, including those that can accommodate thousands of sessions. SBCs also improve a voice network’s performance by providing a number of intelligent session controls, such as selecting the optimal route for delivering calls.

SBCs ensure SIP interoperability. Different IP-PBX vendors implement SIP in different ways, but an SBC provides translation (known as SIP normalization) to ensure that signaling instructions are properly communicated. 

SBCs and Firewalls in Tandem

The purpose of a zero-trust approach is to close the gaps in security—many of them unseen—that result from operating in highly distributed networks that extend well beyond traditional network perimeters into the cloud and to the edge. Adopting a ZTA while leaving voice networks unprotected can defeat that purpose. 

SBCs add a critical layer of protection that firewalls, which are built to perform specific security functions, do not. SBCs won’t replace firewalls—you need both—but they are necessary to bring comprehensive security to your voice network.

How are you protecting your hybrid workplace? Tell us about innovative strategies that have helped you on LinkedIn, Twitter, or Facebook. We’d love to know!
