Secure architectures
Design of resilient, segmented and compliant VoIP infrastructure
Three-zone architecture
A secure VoIP architecture relies on separating the network into three distinct zones: the external zone (carriers and partners), the DMZ zone (where the SBC resides) and the internal zone (PBX, communication servers, endpoints). The SBC controls all flows between these zones.
External zone
Interconnection with SIP carriers, partners and the Internet. Incoming flows are filtered, authenticated and normalized by the SBC before reaching the internal network.
DMZ zone
The SBC resides in this buffer zone. It terminates external SIP sessions, validates them and re-establishes new sessions to the internal zone with secure parameters.
Internal zone
Communication equipment (PBX, UC servers, endpoints) is isolated in the internal network. It is never directly exposed to external flows.
Network segmentation
Segmentation uses dedicated VLANs to isolate signaling flows, media flows and administration. Each segment has its own filtering and QoS rules. SBC interfaces are assigned to specific realms, each with its own security policies.
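The following Python script is an added example, not code from the page or from any SBC vendor. It models the three zones plus a management VLAN as a directed graph of permitted flows and audits a constructed rule set for the properties described above: external and internal must be mutually unreachable once the DMZ (the SBC) is removed from the graph, only SIP over TLS and SRTP media may enter the DMZ from outside, and administration ports may only be reached from the management network. Port 5061 is the standard SIP-TLS port; the media range 10000-19999 and the management ports 22/443 are assumptions chosen for the example.

```python
from collections import defaultdict, namedtuple

# A zone-to-zone firewall/ACL rule. "ports" is a Python range so that a single
# port and a media port range share the same shape.
Rule = namedtuple("Rule", "name src dst proto ports")

ZONES = {"external", "dmz", "internal", "management"}
SIP_TLS = range(5061, 5062)        # standard SIP over TLS port
MEDIA_RANGE = range(10000, 20000)  # assumed SRTP port range on the SBC
MGMT_PORTS = {22, 443}             # assumed SSH / HTTPS administration ports


def flow_graph(rules):
    """Directed zone graph: an edge src->dst exists if any rule permits traffic."""
    graph = defaultdict(set)
    for r in rules:
        graph[r.src].add(r.dst)
    return graph


def reachable(graph, start, blocked=frozenset()):
    """Zones reachable from start by depth-first search, never entering a blocked zone."""
    seen, stack = set(), [start]
    while stack:
        zone = stack.pop()
        if zone in seen or zone in blocked:
            continue
        seen.add(zone)
        stack.extend(graph.get(zone, ()))
    return seen


def audit_rules(rules):
    """Return a list of policy findings; an empty list means the rule set is compliant."""
    findings = []
    graph = flow_graph(rules)
    # 1. Choke point: with the DMZ removed from the graph, external and internal
    #    must be mutually unreachable, so every path runs through the SBC.
    if "internal" in reachable(graph, "external", blocked={"dmz"}):
        findings.append("external reaches internal without traversing the DMZ/SBC")
    if "external" in reachable(graph, "internal", blocked={"dmz"}):
        findings.append("internal reaches external without traversing the DMZ/SBC")
    for r in rules:
        if r.src not in ZONES or r.dst not in ZONES:
            findings.append(f"{r.name}: unknown zone")
            continue
        # 2. Only SIP over TLS and SRTP media may enter the DMZ from outside.
        if r.src == "external" and r.dst == "dmz":
            ok = (r.proto == "tcp" and set(r.ports) <= set(SIP_TLS)) or \
                 (r.proto == "udp" and set(r.ports) <= set(MEDIA_RANGE))
            if not ok:
                findings.append(f"{r.name}: external ingress other than SIP-TLS/SRTP")
        # 3. Administration ports are reachable only from the management network.
        if r.dst == "dmz" and r.src != "management" and MGMT_PORTS & set(r.ports):
            findings.append(f"{r.name}: management port reachable from {r.src}")
    return findings


# Constructed rule set that follows the architecture.
GOOD_RULES = [
    Rule("carrier-sip", "external", "dmz", "tcp", range(5061, 5062)),
    Rule("carrier-media", "external", "dmz", "udp", range(10000, 20000)),
    Rule("sbc-to-pbx-sip", "dmz", "internal", "tcp", range(5061, 5062)),
    Rule("sbc-to-pbx-media", "dmz", "internal", "udp", range(10000, 20000)),
    Rule("pbx-to-sbc-sip", "internal", "dmz", "tcp", range(5061, 5062)),
    Rule("sbc-admin-ssh", "management", "dmz", "tcp", range(22, 23)),
    Rule("sbc-admin-https", "management", "dmz", "tcp", range(443, 444)),
]

# Same set with three constructed violations: cleartext SIP ingress, a direct
# external-to-internal path that bypasses the SBC, and SSH from the user VLAN.
BAD_RULES = GOOD_RULES + [
    Rule("legacy-sip-udp", "external", "dmz", "udp", range(5060, 5061)),
    Rule("pbx-direct", "external", "internal", "tcp", range(5060, 5061)),
    Rule("sbc-ssh-anywhere", "internal", "dmz", "tcp", range(22, 23)),
]

if __name__ == "__main__":
    print("good:", audit_rules(GOOD_RULES))
    for finding in audit_rules(BAD_RULES):
        print("bad:", finding)
```

The choke-point check is deliberately graph-based rather than a per-rule pattern match: a rule set can avoid any single "external to internal" rule and still leak through an intermediate zone, and removing the DMZ from the graph catches that case too.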
Encryption and security
All signaling flows are protected by TLS (SIP over TLS). Media flows are encrypted with SRTP using key exchange via SDES or DTLS-SRTP. Certificates are managed by an internal PKI or recognized certificate authorities.
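As an added example (not code from the page or from any SBC product), the Python below implements the media-encryption policy stated above as a check an SBC or a test harness could apply to an SDP offer: every active media section must use an SRTP transport profile and carry keying material, either SDES (an a=crypto line with an accepted suite) or DTLS-SRTP (a=fingerprint plus a=setup). The SDP samples are constructed; the SDES key value is the illustrative key from RFC 4568 and the fingerprint is a placeholder. The set of accepted SDES suites is a policy choice assumed for the example.

```python
import re

# Transport profiles that carry SRTP (RFC 3711, RFC 5124, RFC 5764).
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
# SDES crypto suites this example policy accepts (RFC 4568, RFC 6188, RFC 7714);
# assumption: 32-bit authentication tags are excluded.
ALLOWED_SUITES = {"AES_CM_128_HMAC_SHA1_80", "AES_256_CM_HMAC_SHA1_80",
                  "AEAD_AES_128_GCM", "AEAD_AES_256_GCM"}
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:(\S+)")


def split_sdp(sdp):
    """Return (session_level_lines, [media_section_lines, ...])."""
    session, media, current = [], [], None
    for raw in sdp.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("m="):
            current = [line]
            media.append(current)
        elif current is None:
            session.append(line)
        else:
            current.append(line)
    return session, media


def classify_media(sdp):
    """One (m_line, verdict, reason) per media section; verdict is 'sdes',
    'dtls-srtp', 'disabled' (port 0, stream rejected per RFC 3264) or 'reject'."""
    session, media = split_sdp(sdp)
    session_fp = any(l.startswith("a=fingerprint:") for l in session)
    session_setup = any(l.startswith("a=setup:") for l in session)
    out = []
    for section in media:
        m_line = section[0]
        parts = m_line.split()  # m=<media> <port>[/<count>] <proto> <fmt> ...
        try:
            port = int(parts[1].split("/")[0])
            proto = parts[2]
        except (IndexError, ValueError):
            out.append((m_line, "reject", "malformed m= line"))
            continue
        if port == 0:
            out.append((m_line, "disabled", "port 0"))
            continue
        if proto not in SRTP_PROFILES:
            out.append((m_line, "reject", f"plain RTP profile {proto}"))
            continue
        has_fp = session_fp or any(l.startswith("a=fingerprint:") for l in section)
        has_setup = session_setup or any(l.startswith("a=setup:") for l in section)
        crypto = [m for m in (CRYPTO_RE.match(l) for l in section) if m]
        if has_fp and has_setup:
            out.append((m_line, "dtls-srtp", "fingerprint and setup present"))
        elif proto.startswith("UDP/TLS/"):
            out.append((m_line, "reject", "DTLS profile without fingerprint/setup"))
        elif crypto:
            suites = {m.group(2) for m in crypto}
            if suites <= ALLOWED_SUITES:
                out.append((m_line, "sdes", "a=crypto with accepted suite"))
            else:
                out.append((m_line, "reject", f"suite not in policy: {suites - ALLOWED_SUITES}"))
        else:
            out.append((m_line, "reject", "SRTP profile but no keying material"))
    return out


def is_policy_compliant(sdp):
    """True when no active media section is rejected."""
    return all(verdict != "reject" for _, verdict, _ in classify_media(sdp))


# Constructed offers. SDES key is the RFC 4568 example value; fingerprint is a placeholder.
OFFER_SDES = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0 8 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PS1uQCVeeCFCanVmcjkpPywjNWhcYD0mXXtxaVBR|2^20|1:32
a=rtpmap:0 PCMU/8000
"""
OFFER_DTLS = """v=0
o=- 2 1 IN IP4 192.0.2.20
s=-
c=IN IP4 192.0.2.20
t=0 0
a=fingerprint:sha-256 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
a=setup:actpass
m=audio 49172 UDP/TLS/RTP/SAVPF 111
a=rtpmap:111 opus/48000/2
m=video 0 UDP/TLS/RTP/SAVPF 96
"""
OFFER_PLAIN = """v=0
o=- 3 1 IN IP4 192.0.2.30
s=-
c=IN IP4 192.0.2.30
t=0 0
m=audio 49174 RTP/AVP 0 8
"""
OFFER_WEAK = OFFER_SDES.replace("AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32")

if __name__ == "__main__":
    for name, offer in [("sdes", OFFER_SDES), ("dtls", OFFER_DTLS),
                        ("plain", OFFER_PLAIN), ("weak", OFFER_WEAK)]:
        print(name, is_policy_compliant(offer), classify_media(offer))
```

SDES carries the SRTP master key inside the SDP itself, which is why the page's requirement that all signaling run over TLS is a precondition for accepting it; DTLS-SRTP keys the media path directly and only needs the certificate fingerprint to be carried over the protected signaling channel.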
High availability
Production architectures deploy the SBC in 1+1 high availability mode. The secondary node continuously monitors the primary node via a dedicated heartbeat link. In case of failure, failover is automatic and transparent to ongoing sessions.
Secure administration
SBC equipment administration is isolated on a dedicated management network, accessible only via VPN. Access is authenticated, logged and restricted to authorized operators only. All configuration changes are recorded in an audit system.