The short answer is a resounding "YES!"
An Enterprise SBC is a crucial element in enabling and securing SIP deployments.
One common misconception about E-SBCs, and a question we receive often, is: why should a customer purchase a separate E-SBC when their service provider likely has their own? Won't the service provider's E-SBC provide adequate security?
The answer is a wholehearted, "no." Although the service provider may have its own SBC, it is in place to protect the service provider network, not the customer. An SBC at the customer edge assures that the customer's network is fully protected from any potential breach or attack.
And we also hear the question: I am getting my service from a provider that offers an MPLS connection directly from their cloud. Doesn't this mean that I am completely safe and don't need the SBC at my site?
Again, the answer is no.
While MPLS connections do offer advantages, at a price, over an open Internet connection, they do not guarantee security for the customer. Recently heard a great analogy: a submarine is partitioned into several spaces, and each space or compartment can be sealed from the others with a watertight bulkhead door. Why? Because in the event that one compartment is breached in battle, the other compartments will stay dry and the boat and crew will have a chance to survive.
The same is true in the VoIP installation. Placing an E-SBC at the edge of the enterprise network, the firm can install its IP-PBX on the inside of the network and not give it a public IP address. This is the first step in implementing a secure SIP trunking installation.
Once that is done, the enterprise can then use the tools on the SBC to ensure that only the traffic they want, from whom they wish to receive it, is permitted. With the extensive set of settings available on an Ingate SBC this means that there is a great deal of fidelity that can be worked into the installation, at an affordable price.
But the E-SBC can do much more than this also. For example, the Ingate SBC called the SIParator can:
Normalize the SIP signaling between the IP-PBX at the customer site and the service provider's network. This allows any IP-PBX to be connected to any service provider easily and quickly.
Enable disaster recovery. In the event a customer's main office goes down, the E-SBC can reroute SIP traffic to a secondary office to keep business up and running. The SBC can also be used to shift traffic to alternate service providers, or to load balance to multiple PBXs on the customer's network.
Intrusion Detection/Prevention (IDS/IPS) is also important, as it enables the E-SBC to detect DoS attacks based on SIP, and to block malicious SIP signaling packets designed to attack certain SIP phones, servers or other devices on the enterprise LAN. This secures the enterprise network as the E-SBC handles the attacks while the servers and other SIP devices in the network can still be used and calls can be routed via alternate connections.
In short, the E-SBC is an integral part of a good Voice-over-IP implementation providing the necessary tools to enable SIP and the features to eliminate vulnerabilities.