Reliable protection and routing of VoIP traffic with the ESBC session border controller

Comprehensive Eltex solution for VoIP security with ESBC and vESBC

Description

Telephony has long evolved into IP, bringing operators flexibility, scalability and cost efficiency. But it has also introduced new vulnerabilities. An unprotected VoIP network becomes a target for attackers: from DDoS attacks to unauthorized calls, traffic interception, and internal infrastructure breaches.

The security challenge is particularly critical for telecom operators, government agencies, industrial enterprises, and corporate customers with distributed branch networks. They require a solution that:

isolates the internal network from external threats;
enables transparent VoIP traffic routing;
maintains interoperability between equipment from different vendors;
supports scalability and centralized management.

Our journey in the telecom industry started with IP telephony solutions. A natural step in this evolution was the development of the ESBC session border controller, designed to meet these challenges. Let’s explore the architecture.

Solution architecture

The Eltex session border controller is available as the ESBC-3200 hardware appliance and the vESBC software version, which can be integrated into existing virtualization systems (KVM, Oracle VirtualBox, VMware ESXi). Both versions provide identical functionality.

Security

The controller provides comprehensive protection of the VoIP infrastructure from unauthorized access, attacks, and data interception attempts. Built-in security mechanisms, including a dynamic firewall, mitigate DoS/DDoS attacks and VoIP-specific threats such as SIP-flood. ESBC operates as a Back-to-Back User Agent (B2BUA), hiding the internal network topology and isolating internal systems from external impact.

To protect signaling encryption uses TLS, and media traffic is transmitted over SRTP.

Routing

ESBC manages signaling and media routing using the B2BUA peering architecture, enabling flexible call distribution and controlling route availability.

Load balancing between trunk groups and automatic rerouting during failures are supported. SIP OPTIONS signaling is used to monitor node status, enabling timely switching without call loss.

Performance

The controller is designed for high-load environments: large corporate deployments and service provider networks. It processes up to 300 calls per second and supports up to 6,000 and 19,500 simultaneous calls (for ESBC-3200 and vESBC respectively).

Media traffic handling

Real-time multimedia transmission is ensured via RTP and RTCP media proxying. To support interoperability between different devices and services, transcoding of audio/video codecs is implemented, including G.711, G.729, G.722, Opus, H.264, VP8, and others. Codec control and media negotiation are handled via media profiles.

Redundancy

To ensure uninterrupted operation, ESBC-3200 supports 1+1 (Active-Standby) redundancy. Configurations, versioning, and timing are synchronized between units in case of failure.

ESBC stores subscriber registration data in a recoverable database, preventing session loss during restart.

Additional VoIP network components

An ESBC/vESBC-based solution is part of the comprehensive Eltex ecosystem, including VoIP and trunk gateways, IP phones, the ECSS-10 Softswitch core, and the Elph client application.

General solution scheme

Fig. 1 Interoperator interaction

A session border controller can be used in a classic peering scenario, where hardware or virtual ESBC is placed at the junction of service provider networks. This scheme illustrates how ESBC becomes the central security and traffic control element, creating a trusted zone between operators and ensuring standardized and secure interoperability between different networks.

A public network in the center enables VoIP traffic exchange between three independent segments – operator local networks. Each network includes its own telephony tools, for example, ECSS-10 Softswitch as the VoIP infrastructure core.

ESBC operates as a Back-to-Back User Agent (B2BUA), reassembling SIP messages, hiding internal network topology, and protecting it from unauthorized access. ECSS-10 manages routing logic and performs the functions of a Softswitch core – distributing calls between subscribers, controlling services, and billing. ECSS-10 also interacts with SMG IP-PBX, which is connected to the PSTN.

This architecture unifies VoIP and traditional telephony into a single system. ESBC acts as an IP network border controller and performs SIP signaling and media normalization.

Fig. 2 Enterprise telephony

This scenario demonstrates the access architecture, where the ESBC session border controller is deployed between the public network and corporate infrastructure. Its primary role is to ensure controlled access, security, and correct routing for numerous remote subscribers and branches using different devices and protocols.

A public network connects subscribers to the operator's VoIP platform. Several scenarios are shown, demonstrating different ways to access the “Virtual PBX” service implemented with ECSS-10 Softswitch and ESBC.

For example, SIP access is provided through TAU subscriber gateways. Analogue phones and Eltex VP-series IP phones connect to them, forming a unified VoIP environment. In such setups, ESBC becomes a central registration and call control point, protecting the network from SIP-flood or unauthorized registrations.

Mobile or web clients such as Elph can also be used – a UC solution connected via WebRTC. The user can make audio/video calls via mobile internet or Wi-Fi while staying within the IP environment. WebRTC supports Eltex and third-party browser/desktop apps.