VoIP Architectures

Design of robust, segmented and controlled VoIP infrastructure

Three-zone architecture

A controlled VoIP architecture relies on separating the network into three distinct zones: the external zone (carriers and partners), the DMZ zone (where the SBC resides) and the internal zone (PBX, communication servers, endpoints). The SBC controls all flows between these zones.

Figure: SBC Architecture Overview (dual-homed SBC deployment separating external and internal network segments). Left, Internet / operators: SIP trunk provider (ITSP / carrier), PSTN gateway (voice trunk), remote users (SIP clients) and WebRTC browser clients, reaching the SBC over SIP/TLS, SIP/UDP and SIP/TCP. Centre, Session Border Controller: SIP normalization, topology hiding, TLS / SRTP encryption, rate limiting / ACL, media transcoding, call routing. Right, internal LAN over SIP/TLS: IP-PBX (Asterisk / 3CX), UC platform (Teams / Opr.), IP phones (SIP endpoints), monitoring (CDR / analytics).

External zone

Interconnection with SIP carriers, partners and Internet. Incoming flows are filtered, authenticated and normalized by the SBC before reaching the internal network.

DMZ zone

The SBC resides in this buffer zone. It terminates external SIP sessions, validates them and, acting as a back-to-back user agent, originates new sessions toward the internal zone with controlled parameters, so that internal addresses and topology are never visible from outside.

Internal zone

Communication equipment (PBX, UC servers, endpoints) is isolated in the internal network and is never directly exposed to external flows.

Network segmentation

Segmentation uses dedicated VLANs to isolate signaling flows, media flows and administration. Each segment has its own filtering and QoS rules. SBC interfaces are assigned to specific realms, each with its own control policies.
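The filtering that the segmentation above implies, as an added example (not the page's or any firewall product's ruleset): a default-deny policy between the three zones in which the only pinholes are the flows the SBC itself terminates, and the management interface is reachable only from the VPN address pool. The addresses, port ranges and the nftables rendering are assumptions chosen for illustration.

```python
"""Zone-to-zone filtering for the three-zone VoIP design: default deny,
pinholes only for the flows the SBC terminates, management from the VPN only.
Added example, not the page's or any firewall product's ruleset. The
addresses, port ranges and the nftables rendering are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing (RFC 5737 documentation ranges on the public side).
CARRIER_NET = "198.51.100.0/24"    # carrier SIP/RTP sources
SBC_EXTERNAL = "203.0.113.10/32"   # SBC interface in the DMZ, carrier-facing realm
SBC_INTERNAL = "10.10.20.5/32"     # SBC interface on the internal realm
PBX = "10.10.30.10/32"             # IP-PBX in the private zone
SBC_MGMT = "10.10.90.5/32"         # SBC management interface (dedicated network)
VPN_POOL = "10.10.99.0/24"         # addresses handed to operators on the VPN
RTP_RANGE = (10000, 20000)         # media relay port range on the SBC
ANY_HIGH = (1024, 65535)           # far-end media ports chosen by the peer


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    ports: tuple  # inclusive (low, high) destination port range
    comment: str


# Firewall 1 (public <-> DMZ) and firewall 2 (DMZ <-> private). Every flow not
# listed is dropped: no rule has the carrier as source and the PBX as
# destination, and plain SIP on 5060 is not opened anywhere.
POLICY = [
    Rule(CARRIER_NET, SBC_EXTERNAL, "tcp", (5061, 5061), "carrier SIP/TLS to SBC"),
    Rule(SBC_EXTERNAL, CARRIER_NET, "tcp", (5061, 5061), "SBC SIP/TLS to carrier"),
    Rule(CARRIER_NET, SBC_EXTERNAL, "udp", RTP_RANGE, "carrier SRTP to SBC media relay"),
    Rule(SBC_EXTERNAL, CARRIER_NET, "udp", ANY_HIGH, "SBC SRTP to carrier media"),
    Rule(SBC_INTERNAL, PBX, "tcp", (5061, 5061), "SBC SIP/TLS to PBX"),
    Rule(PBX, SBC_INTERNAL, "tcp", (5061, 5061), "PBX SIP/TLS to SBC"),
    Rule(PBX, SBC_INTERNAL, "udp", RTP_RANGE, "PBX SRTP to SBC media relay"),
    Rule(SBC_INTERNAL, PBX, "udp", ANY_HIGH, "SBC SRTP to PBX media"),
    Rule(VPN_POOL, SBC_MGMT, "tcp", (22, 22), "operator SSH to SBC management"),
    Rule(VPN_POOL, SBC_MGMT, "tcp", (443, 443), "operator HTTPS to SBC management"),
]


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> Optional[Rule]:
    """Return the first rule permitting a new flow, or None if it is dropped."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in POLICY:
        if (proto == rule.proto and rule.ports[0] <= dport <= rule.ports[1]
                and src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)):
            return rule
    return None


def to_nftables(chain: str = "forward") -> str:
    """Render POLICY as an nftables forward chain with a drop policy;
    return traffic of accepted flows is admitted by conntrack state."""
    lines = [
        f"chain {chain} {{",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in POLICY:
        lo, hi = r.ports
        ports = str(lo) if lo == hi else f"{lo}-{hi}"
        lines.append(f"    ip saddr {r.src} ip daddr {r.dst} {r.proto} dport {ports}"
                     f' ct state new accept comment "{r.comment}"')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_nftables())
```

Running the script prints a chain that can be pasted into a table definition; the point of keeping the policy as data is that the same list drives both the rendering and `evaluate()`, so a change-review can assert, for instance, that a carrier source can never reach the PBX directly before the ruleset is loaded.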

Figure: Network Segmentation Architecture (traffic flows left to right through a firewall / security gateway at each boundary). Public zone, untrusted, high risk: Internet traffic (SIP / RTP inbound), external SIP trunks (carrier connections), remote endpoints (VPN / WebRTC). Firewall 1: ACL + IPS. DMZ zone, semi-trusted, medium risk: SBC (session border controller), SIP proxy (Kamailio / OpenSIPS), media relay (RTPEngine / RTPProxy). Firewall 2: application layer. Private zone, trusted, low risk: IP-PBX / UC (core telephony), voicemail / IVR (application servers), IP phones / softphones (user endpoints).

Encryption and security

All signaling flows are protected by TLS (SIP over TLS). TLS protects each hop; the SBC terminates it and therefore sees the signaling in clear, which is what allows it to validate and normalize requests. Media flows are encrypted with SRTP, with keys exchanged either by SDES (keys carried in the SDP, so only as confidential as the TLS-protected signaling path) or by DTLS-SRTP (keys negotiated on the media path itself, as required for WebRTC). Certificates are managed by an internal PKI or recognized certificate authorities.
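The two SBC behaviours described above, enforcing encrypted media on an incoming offer and re-originating the session toward the internal zone with controlled parameters (the DMZ-zone paragraph earlier on this page), as one added example that is not the page's or any SBC vendor's code. The SIP message is constructed for the example, and the addresses, ports and rewriting choices (which hosts get rewritten, how the Call-ID is regenerated) are assumptions.

```python
"""SBC ingress for an inbound INVITE: enforce encrypted media, then re-originate
the request toward the internal zone as a B2BUA with topology hiding.
Added example, not the page's or any SBC vendor's code; addresses, ports and
the sample message are assumptions constructed for illustration."""
import re
import uuid

SBC_INTERNAL_IP = "10.10.20.5"   # assumed: SBC interface on the internal realm
PBX_INTERNAL_IP = "10.10.30.10"  # assumed: IP-PBX the SBC routes calls to
SIP_TLS_PORT = 5061
# SDES (RFC 4568) keys travel in a=crypto and are only as secret as the TLS hop;
# DTLS-SRTP (RFC 5763) needs a=fingerprint and a=setup, keys negotiated in-band.
SDES_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}
DTLS_PROFILES = {"UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

# Constructed sample: what a carrier would send to the SBC's public address
# 203.0.113.10 (SDES-keyed SRTP offer; the inline key is a dummy value).
CARRIER_SDP = (
    "v=0\r\no=carrier 2890844526 2890844526 IN IP4 198.51.100.7\r\ns=-\r\n"
    "c=IN IP4 198.51.100.7\r\nt=0 0\r\nm=audio 49170 RTP/SAVP 0 101\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNk\r\n"
    "a=rtpmap:0 PCMU/8000\r\n")
CARRIER_INVITE = (
    "INVITE sip:+15551234567@203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 198.51.100.7:5061;branch=z9hG4bK776asdhds\r\nMax-Forwards: 70\r\n"
    'From: "Carrier" <sip:+15557654321@198.51.100.7>;tag=1928301774\r\n'
    "To: <sip:+15551234567@203.0.113.10>\r\nCall-ID: a84b4c76e66710@198.51.100.7\r\n"
    "CSeq: 314159 INVITE\r\nContact: <sip:+15557654321@198.51.100.7:5061;transport=tls>\r\n"
    f"Content-Type: application/sdp\r\nContent-Length: {len(CARRIER_SDP)}\r\n\r\n" + CARRIER_SDP)


class PolicyViolation(Exception):
    """The offer does not satisfy the SBC's ingress policy."""


def parse_sip(raw: str):
    """Split a SIP request into (request line, [(name, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def check_media_encryption(sdp: str) -> None:
    """Reject plain RTP and SRTP offers that carry no keying material."""
    sections = []  # one entry per m= line: (profile, attribute names)
    for line in sdp.split("\r\n"):
        if line.startswith("m="):
            sections.append((line.split()[2], set()))
        elif line.startswith("a=") and sections:
            sections[-1][1].add(line[2:].split(":", 1)[0])
    if not sections:
        raise PolicyViolation("offer contains no media line")
    for profile, attrs in sections:
        if profile in SDES_PROFILES and "crypto" not in attrs:
            raise PolicyViolation(f"{profile} offered without a=crypto")
        if profile in DTLS_PROFILES and not {"fingerprint", "setup"} <= attrs:
            raise PolicyViolation(f"{profile} offered without fingerprint/setup")
        if profile not in SDES_PROFILES | DTLS_PROFILES:
            raise PolicyViolation(f"unencrypted media profile {profile}")


def ingress_accepts(raw: str) -> bool:
    """True when the INVITE's offer passes the media policy."""
    try:
        check_media_encryption(parse_sip(raw)[2])
        return True
    except PolicyViolation:
        return False


def _set_uri_host(value: str, host: str) -> str:
    """Replace the host of the first SIP URI in a header value."""
    return re.sub(r"@[^>;:\s]+", "@" + host, value, count=1)


def reoriginate(raw: str) -> str:
    """Build the internal-leg INVITE: external Via/Record-Route dropped, Contact
    and URI hosts rewritten, fresh Call-ID, SDP addresses set to the SBC relay."""
    request_line, headers, body = parse_sip(raw)
    check_media_encryption(body)
    method, uri, version = request_line.split()
    user = uri.split(":", 1)[1].split("@")[0]
    new_request = f"{method} sip:{user}@{PBX_INTERNAL_IP}:{SIP_TLS_PORT};transport=tls {version}"
    new_body = re.sub(r"^(o=\S+ \S+ \S+ IN IP4 )\S+", rf"\g<1>{SBC_INTERNAL_IP}", body, flags=re.M)
    new_body = re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {SBC_INTERNAL_IP}", new_body, flags=re.M)
    out = [("Via", f"SIP/2.0/TLS {SBC_INTERNAL_IP}:{SIP_TLS_PORT};branch=z9hG4bK{uuid.uuid4().hex[:16]}")]
    for name, value in headers:
        key = name.lower()
        if key in ("via", "record-route"):
            continue  # the external hop chain never reaches the PBX
        if key == "max-forwards":
            value = str(max(int(value) - 1, 0))
        elif key == "contact":
            value = f"<sip:{SBC_INTERNAL_IP}:{SIP_TLS_PORT};transport=tls>"
        elif key == "call-id":
            value = f"{uuid.uuid4().hex}@{SBC_INTERNAL_IP}"
        elif key == "from":
            value = _set_uri_host(value, SBC_INTERNAL_IP)
        elif key == "to":
            value = _set_uri_host(value, PBX_INTERNAL_IP)
        elif key == "content-length":
            value = str(len(new_body.encode()))
        out.append((name, value))
    return "\r\n".join([new_request] + [f"{n}: {v}" for n, v in out]) + "\r\n\r\n" + new_body
```

Calling `reoriginate(CARRIER_INVITE)` yields the leg the PBX sees: neither the carrier's address nor the SBC's public address appears anywhere in it, the From tag and CSeq are preserved so the call still correlates in CDRs, and an offer using `RTP/AVP`, or a DTLS profile without `a=fingerprint`, is refused before any internal session is created.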

High availability

Production architectures deploy the SBC in 1+1 high availability mode (one active node, one standby node). The standby node continuously monitors the active node over a dedicated heartbeat link and takes over its service addresses on failure. Failover is automatic; it is transparent to ongoing sessions only when the SBC replicates SIP dialog and media state to the standby node (stateful failover), otherwise established calls are dropped and must be re-established.

Secure administration

SBC equipment administration is isolated on a dedicated management network, accessible only via VPN. Access is authenticated, logged and restricted to authorized operators. All configuration changes are recorded in an audit system.

VoIP Architecture | Network Segmentation & High Availability | Bill-IT