Eltex ESBC for telephony: secures, manages, connects

If you ask network engineers in Russia or the CIS, what they associate with the Eltex brand, you'll most likely hear about hardware. Something tangible, metallic, with flashing indicators. And this is true in a historical context: for over 30 years, we've been designing reliable hardware platforms that have become the foundation of thousands of networks.

However, there is another aspect. Eltex has significant experience in developing complex software and offers a wide range of solutions. Since the early 2010s, the idea of replacing hardware with software solutions for network management has been actively promoted. They’ve gradually evolved from experimental developments into powerful tools for a wide variety of business tasks. Eltex has been actively involved in this process, creating such solutions. For example, ECSS-10 Softswitch, the software IP PBX: the system was released at that time and continues to be successfully used in large carrier and enterprise networks for internet telephony.

In this article, we’ll focus on Eltex Session Border Controllers of ESBC series, that is designed for comprehensive security and optimization of IP telephony network. We’ll discuss similarities and differences between software and hardware versions and scenarios each solution is suitable for.

Before delving into the technical details of our solutions, let's outline why this class of devices appeared and what tasks it solves.

The transition of telephony to IP has provided businesses and service providers with enormous flexibility and savings, but it has also created a challenge: how to ensure free VoIP traffic flow from the internal to the external network and vice versa, while guaranteeing security for network and subscribers. Edge network firewalls are unable to cope with this task because they do not understand the SIP protocol specifics, whose transmission mechanisms are fundamentally different from those used for regular traffic.

For this very reason, the telecom industry has come to the need for a "gatekeeper" — a Session Border Controller (SBC), specialized hardware or software, with a deep understanding of VoIP protocols and network telephony specifics. The SBC performs a range of functions that can be roughly divided into three groups.

Network protection

Security is the first thing that comes to mind when discussing SBC. The Session Border Controller acts as a barrier to protect VoIP infrastructure from external threats:

• Topology hiding. The SBC splits SIP connection into two segments, completely hiding internal IP addresses and ports from the external network, preventing scanning of the internal infrastructure.
• Attack defense. The SBC controls the SIP message rate and blocks suspicious traffic, protecting against DoS/DDoS, SIP flooding, and other threats.
• Fraud prevention. The SBC prevents unauthorized outgoing calls and controls the SIP device registration process.
• Encryption. The SBC provides cryptographic protection for signaling and media traffic.

Compatibility

The most important task of the Session Border Controller is to ensure uninterrupted interaction between telephony networks using different standards and protocols:

• NAT Traversal. Dynamically modifies IP addresses and ports in SIP/SDP headers, providing correct passing of VoIP traffic through the NAT.
• Normalization and interworking. Acts as a translator, converting SIP dialects from different hardware and software vendors into a format understandable to the receiving side. It also converts signaling protocols for connectivity between diverse environments, such as for interfacing with protocols such as SIP-I/T, H.323, and others.
• Transcoding. Converts voice codecs (e.g, from G.729 to G.711 and vice versa) in real time, when end devices or networks use different formats.

Call management and quality control

The SBC ensures the complete control of call flows:

• Routing. Makes call routing decisions based on a variety of parameters (node availability, lowest cost, membership in a specific resource pool, etc.).
• Load balancing. Dynamically distributes incoming traffic between VoIP infrastructure nodes.
• Call prioritization. The SBC is capable of applying policies that prioritize certain traffic types, such as emergency calls over regular calls, ensuring they receive guaranteed quality and minimal latency.
• Monitoring. Collects detailed statistics and quality parameters of VoIP flows for billing, quality control, and prompt issue resolution.

Security, compatibility, management, quality control — each of these tasks is critically important, and a Session Border Controller should solve them all simultaneously, without compromise. When creating our own ESBC series solutions, we relied on exactly this foundation.

Eltex has extensive experience in developing hardware Session Border Controllers. Since 2012, when the first solutions were released, the company has accumulated unique expertise that enables it to create solutions that are resilient to loads and capable of operating effectively in both enterprise and carrier networks.

ESBC-3200, as a representative of the third generation of Eltex Session Border Controllers, combines the best practices of previous models with new capabilities, making it an ideal choice for modern communication systems. Our solutions are characterized by stability, simplicity, and fault-tolerance due to their Active-Standby architecture. They can handle up to 150 calls per second, supporting up to 6,000 concurrent sessions thanks to an optimized platform.

For many, choosing hardware solutions remains the only viable option. Some customers' regulations explicitly prohibit hosting critical services on virtual platforms, and in these cases, a hardware solution is the best choice. Furthermore, in geographically distributed networks with dozens of remote sites, deploying compact hardware controllers is often simpler than setting up a server infrastructure.

Moreover, it’s a matter of defining responsibility areas: "This device is responsible for VoIP traffic security only". The hardware solution is predictable: fixed performance, no dependency on virtual infrastructure, simple deployment and maintenance. In short, you install it, configure, and forget about it.

At the same time, there are scenarios where a software solution becomes the optimal, and sometimes the only choice.

At the end of 2022, we launched a large-scale project to develop ESBC functionality as a software product. This is how vESBC was born — the same core, the same functional capabilities and processing algorithms, the same operating logic as hardware ESBC has, but as a virtual solution. It can be easily deployed on servers using popular hypervisors such as VMware ESXi, KVM, VirtualBox, and others.

This may raise the question: why is another server with installed software required if one can use a hardware version that takes up very little space? The answer lies in how modern data centers are designed and what expectations the people who operate such infrastructure have.

• Performance. While ESBC-3200 can handle up to 150 calls per second and 6,000 concurrent sessions due to hardware limitations, vESBC performance depends on the resources allocated to the virtual machine. The current 1.7 version has been confirmed to operate stably at loads of up to 300 calls per second and 19,500 concurrent sessions. This is already a level suitable for large service provider and enterprise services.

   

• Flexibility. The virtual machine with vESBC can be allocated exactly as much capacity as needed for the current load. If your business grows and the number of concurrent calls increases, you can simply purchase the necessary licenses, add virtual processors and memory — without replacing hardware, downtime, or capital expenditures. This approach is relevant not only for service providers but also for businesses, including small and medium-sized ones.
• Deployment speed. Sometimes, there is a need to quickly deploy a new VoIP network segment. Creating a new virtual machine takes minutes, if the server infrastructure is already developed on-site. There is no need to wait for hardware delivery: just download the image, activate the licenses, configure it for your needs — and the service is up and running.
• Fault tolerance. If a physical server fails, vESBC can be migrated and launched on another host with minimal service disruption.

Regardless of their form factor — hardware or software — the ESBC series Session Border Controllers offer a unified feature set that covers the needs of most scenarios, including inter-carrier communications and large-scale enterprise telephony networks. At the same time, new features and improvements are being implemented in parallel across both products

At the time of publication, the current version is 1.7, the capabilities are given for it and are applicable to both products — ESBC-3200 and vESBC.

Routing and call control

The Eltex’s Session Border Controllers use B2BUA architecture for complete control of signaling and media flows. All interactions from the external network to infrastructure elements, such as an IP PBX, occur through an intermediary, which is ESBC.

The system provides intelligent routing to destination groups with automatic load balancing and call redirection during failures. Remote subscriber registration is supported, with destination availability monitored using the OPTIONS method.

The platform handles dynamic IP addresses at the transport layer and supports dynamic SIP trunks, which is especially important for interactions with remote branches and mobile personnel. A flexible system of conditional modifiers and context variables allows creating complex call processing scenarios upon business requirements.

Protocols

The basic set of SIP standards with enhanced security features has been implemented. UDP, TCP, and TLS transport protocols are used for signaling.

SIP traffic normalization ensures interoperability with multi-vendor equipment. The system allows SIP header manipulation using regular expressions, and SIP profiles provide extensive capabilities for fine-tuning signaling processing for each call direction.

The WebRTC technology with ICE mechanism enables interaction with web clients and modern applications. Integration with Elph, unified communications system by Eltex, is implemented. Subscriber authentication via RADIUS is supported for centralized access management.

SIP-I/SIP-T signaling transit is provided for interoperability with traditional telephone networks.

In upcoming releases, we plan to add the H.323 protocol to support VoIP equipment and software based on it.

Media traffic processing

RTP/RTCP traffic proxying with real-time audio and video codec transcoding (Opus, G.711, G.729, G.722, VP8, VP9, H.264) is supported. This allows subscribers using different codecs to connect without loss of call quality. Fax communication via the T.38 protocol is supported.

Media traffic is secured via SRTP using SDES and DTLS mechanisms for encryption key negotiation. Media profiles allow flexible configuration of media types, transcoding, and stream processing parameters for each direction.

Security

ESBC features multi-layered protection against DoS attacks and specific VoIP threats, including SIP flooding and fraud attempts. The controller supports operation with subscribers behind NAT (NAT co-media). TLS encryption is used to protect signaling traffic, and media traffic is protected via SRTP.

Logging

Subscriber registration data is stored in a database with ability to quickly recover in case of failures. Dynamically adjusting the number of available modules enables efficient management of system load and performance scaling upon demand.

ESBC collects call detail records (CDRs) for billing, analytics, and call quality monitoring, storing them in a local database and allowing uploading to third-party monitoring systems.

Flexible customization

ESBC offers extensive customization options. It supports SIP header manipulation via regular expressions, number parameter changes (CgPN/CdPN), and SDP conversion using media profiles for managing media sections and codecs.

SIP profiles allow configuring the signaling processing parameters for different directions. Trunks are logically separated by SIP domains to isolate traffic from different clients and departments.

Web interface

The ESBC web interface is actively developing — a list of supported parameters has significantly expanded over the past year. Currently, the web interface enables to upgrade firmware, to download, upload and apply configuration files and licenses, to configure syslog settings, to monitor a list of active subscriber registrations with filters and sorting, and call quantity by trunk and transport, and much more.

With each release, new features are added to the web interface to simplify system administration and monitoring.

In 2026, we plan to implement a number of important features to enhance the functionality, reliability, and ease of system management.

These include:

• H.323 support
• traffic performance indicators (KPIs)
• tunneling (IPsec VPN)
• routing: via LDAP, by least cost route, by call source address (dynamic trunks)
• dynamic number rotation in requests
• further development of web interface functionality

In the Eltex ecosystem, we are responsible for the entire call handling: from the handset the user holds to the connection with the provider. It's important to understand that ESBC controllers don't exist in a vacuum: they are part of a larger ecosystem of Eltex telephony products.

The controllers integrate with the ECSS-10 Softswitch PBX, the core of a VoIP network with multiple services. It works in conjunction with TAU subscriber gateways and SMG trunk gateways, providing secure connectivity for the Elph, corporate unified communications system.

And this is its value. When the infrastructure uses a single-brand solution, you get a single point of responsibility for the entire network segment and comprehensive technical support, predictable component compatibility, and the ability to evolve the system without the risk of conflicts between multi-vendor components.

We invite you to test Eltex Session Border Controllers under the real conditions of your network and evaluate their performance. Testing not only ensures that the solution meets your requirements but also provides an opportunity to refine product development. User feedback directly influences feature development priorities. Your operational experience helps us improve the controller and adapt it to the real needs of carrier and enterprise networks.

Our specialists will provide technical support during implementation, assist with configuration, and answer questions about integration into your infrastructure.

Contact us to learn more about using the controller in your projects and leave a request for testing: foreign.sales@eltex-co.ru.

The Session Border Controller is a critical element deployed to secure VoIP infrastructure. It protects telephony from external threats, ensures compatibility between diverse equipment, and provides tools for diagnostics and management.

Eltex offers both the hardware ESBC-3200 for those who prefer dedicated devices and software vESBC for virtualized environments. Functionally, they are identical, differing in form factor, deployment method, and performance. All you need is to select the one that best suits your needs.

To learn more about ESBC, please contact Eltex Sales Department at foreign.sales@eltex-co.ru.