Differences between an e-SBC and a Firewall

10 October 2022

E-SBCs do things that firewalls don't.

It is common to compare what an SBC (Session Border Controller) with a Firewall, as a way to simplify the concept of an SBC for people not familiarized with voice networks infrastructures. Both share the mission of protecting a network against external attacks, but we must be aware that it is a simplification that hides behind important differences between the two technologies.

In addition to protecting the network, SBCs also deal with other tasks such as transcoding, traffic monitoring, interoperability with legacy network elements, interconnection with operator networks, etc.

e-SBCs manage sessions, Firewalls block data flows:

It is important to understand the fundamental differences between an E-SBC, which is designed to manage and control voice and video communication sessions in real time, and a conventional security product such as a firewall, which is designed primarily to block or allow data streams.

Most IP firewalls offer only basic support for SIP; Sufficient access control lists (ACLs), which can be configured to allow or deny SIP traffic based on addressing information contained in SIP signaling flows. Firewalls cannot actively manipulate or control IP communication sessions in real time the way an E-SBC can.

IP communications sessions are made up of signaling information (data used to configure and control sessions) and media information (digitized voice and video). Signaling information and media information flow under the direction of different IP protocols and move on separate paths:

  • The SIP protocol is used to establish and manage sessions. SIP servers (there are several types) are responsible for enabling sessions between two or more parties.
  • Real Time Transport Protocol (RTP) is used to deliver the associated audio and video streams.

Unlike a firewall, an e-SBC maintains session status and controls and manipulates SIP signaling plus associated RTP media streams. For example, an e-SBC keeps channels open during a communications session, while a firewall will close and reopen a channel using different port numbers, which can bring down a session.

With the ability to maintain session state and manipulate RTP media streams as well as SIP signaling, the E-SBC can apply dynamic trust levels based on observed endpoint behavior.

A firewall does not intervene in the RTP media path:

A SIP firewall is implemented as a SIP proxy server, which is responsible for transmitting and controlling SIP signaling information, but does not actively participate in the RTP media path (the audio and video streams).

An e-SBC, on the other hand, is implemented as a back-to-back user agent (B2BUA), which actively processes both signaling and media paths. A B2BUA ends a session with a SIP entity (who makes the call) and establishes a different session with another SIP entity (who receives the call). This allows an E-SBC to inspect and manipulate the content of the entire session to enforce security policies and efficiently manage business communications.

Next article

Happy birthday to SIP

June of this year marked the 20th anniversary of the publication of RFC 3261, marking the beginning of the “Session Initi[...]