An exclusive feature of Khomp SBC for the security of your network
Khomp has expanded its KMG MS line of media gateways to make Register Authorization available on the SBC for all SIP calls simultaneously. This way, Register Authorization works on scenarios with incoming SIP calls from internal and external networks, allowing for authorization or denial of SIP registration requests.
Registration requests can come from home-based agents, virtual offices, and remote agent-desks, for example. They are received and handled by the SBC at the edge of the internal network, so that only authorized requests are forwarded to the internal network and all others are rejected.
Rejected requests may receive an error message or they may simply be ignored, like the OPTIONS messages. These messages test whether there is any SIP service responding at a particular IP; in such case, even a faulty response might risk the network security and it is best to ignore it.
Requests are authorized or rejected based on user authentication in the PBX system, while preserving the status of the record and of the registered users transactions.
Register Authorization also enables the creation of policies for accepting or rejecting other SIP packets. For example, you can configure it to only accept requests from registered users, or to reject all packages sent by a particular user agent.
Some exclusive advantages of Khomp Register Authorization include:
● It can perform authentication by querying an external LDAP database before it reaches the PBX, or it can delegate authentication to the PBX. In the case of an LDAP database server, you can count on server redundancy to fail proof the communication with the former.
● It can work as a Back-to-Back User Agent (B2BUA), i.e., it intermediates all SIP signaling, from the moment the call is received up until it is finalized. It is comprised of two components, the User Agent Client (UAC) and the User Agent Server (UAS), and, unlike a proxy server, the B2BUA preserves the status of the transactions and registers, and it gets involved in all the requests of a call.
● It allows the creation of media profiles for choosing codecs and transcoding options. This allows you to create specific settings for the IP telephone or softphone that is trying to make a call through the KMG, by using a specific codec there and another one within the network, between the KMG and the PBX server, for example.
● It allows the conversion between different transport types (UDP/TCP/TLS). The SBC can communicate with the User Agent Client (UAC) and the User Agent Server (UAS) on each side having different transport types, and these will be converted in order to be used.
● It supports different TLS certificates per network interface. As a security protocol, TLS is responsible for data privacy and integrity between two applications that communicate with each other through the Internet. By using security certificates, it encrypts all data transmitted between the user web browser and the server, so data cannot be captured along the way. This way, even if such applications use different TLS certificates, the register authorization allows all requests to be safely fulfilled.
● It provides mobile users with secure access to the voice network, with no need to use a VPN (Virtual Private Network).
● It supports NAT (Network Address Translation) traversal. NAT translates IP addresses between public and private networks, allowing requests received through a public IP to be correctly answered to their source, even when the source is within a private network.
● It hides the topology of the internal network (topology hiding). Thus, should the client suffer an attack of any kind, the internal network will be protected and “invisible” to the hacker.
● It can perform registering in multiple PBXs (redundancy). In this case, there must be more than one server configured to receive external requests, so that when a server becomes unavailable, the other can continue to receive and register requests.
