SBCs (Session Border Controllers) and data firewalls are complementary. The SBC has integrated firewall capabilities on both the access side and the core side and therefore sits in its own DMZ (Demilitarized Zone) for SIP signaling and RTP (Real-time Transport Protocol)/SRTP (Secure Real-time Transport Protocol) media, while the data firewall handles the data protocols.
Voice and data traffic should be separated by the edge routers into different Virtual LANs (VLANs). The voice VLAN is routed to the SBC and the data VLAN is routed to the data firewall.
If enterprise security policy mandates a firewall in front of the SBC, the SBC can use procedures that keep the necessary VoIP ports open through the firewall, e.g., short registration refresh intervals on the access side of the SBC, or TLS (Transport Layer Security)/TCP keep-alive procedures. Alternatively, the necessary VoIP ports may be opened statically at the firewall.
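The reason a short registration refresh interval matters is that a stateful firewall in front of the SBC only forwards inbound SIP to an endpoint while a UDP pinhole created by that endpoint's outbound traffic is still alive; if the refresh interval is longer than the firewall's idle timeout, inbound INVITEs are dropped until the next REGISTER. The following simulation is an added example, not code from the original page or from any SBC vendor; it models a stateful firewall's pinhole table with an assumed idle timeout and compares a short refresh interval, a long one, and the static-pinhole alternative. All addresses, ports and timing values are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class StatefulFirewall:
    """Minimal model of a stateful firewall's UDP pinhole table.

    A pinhole is created (or refreshed) by outbound traffic and expires
    after `udp_timeout` seconds of silence. Ports listed in `static_ports`
    are always open inbound, modelling a static firewall rule.
    """
    udp_timeout: float
    static_ports: set = field(default_factory=set)
    pinholes: dict = field(default_factory=dict)  # flow -> expiry time

    def outbound(self, flow, now):
        """Endpoint -> SBC packet: open or refresh the pinhole for this flow."""
        self.pinholes[flow] = now + self.udp_timeout

    def inbound_allowed(self, flow, now):
        """SBC -> endpoint packet: allowed only via a live pinhole or static rule."""
        endpoint_port = flow[1]
        if endpoint_port in self.static_ports:
            return True
        expiry = self.pinholes.get(flow)
        if expiry is None or now > expiry:
            self.pinholes.pop(flow, None)  # expired entries are purged
            return False
        return True


# Constructed flow: phone on the voice VLAN registering to the SBC access side.
FLOW = ("10.1.1.20", 5060, "203.0.113.10", 5060)


def simulate_inbound_calls(refresh_interval, udp_timeout, call_times,
                           static_ports=None, horizon=600.0):
    """Return {call_time: True/False} for inbound INVITEs from the SBC.

    The endpoint sends a REGISTER at t=0 and every `refresh_interval`
    seconds (the SBC controls this via the Expires it hands back);
    the SBC sends an inbound INVITE at each time in `call_times`.
    """
    fw = StatefulFirewall(udp_timeout, static_ports or set())
    n_refreshes = int(horizon // refresh_interval) + 1
    events = [(i * refresh_interval, "register") for i in range(n_refreshes)]
    events += [(t, "invite") for t in call_times]
    results = {}
    for t, kind in sorted(events):
        if kind == "register":
            fw.outbound(FLOW, t)
        else:
            results[t] = fw.inbound_allowed(FLOW, t)
    return results


def max_safe_refresh_interval(udp_timeout, safety_factor=0.5):
    """Refresh interval that keeps the pinhole alive with margin for jitter
    and lost packets (assumed rule of thumb, not an SBC default)."""
    return udp_timeout * safety_factor


if __name__ == "__main__":
    timeout = 60.0  # assumed firewall UDP idle timeout
    calls = [45.0, 125.0]
    print("short refresh (30s):", simulate_inbound_calls(30.0, timeout, calls))
    print("long refresh (300s):", simulate_inbound_calls(300.0, timeout, calls))
    print("static pinhole     :", simulate_inbound_calls(300.0, timeout, calls,
                                                         static_ports={5060}))
    print("max safe refresh   :", max_safe_refresh_interval(timeout))
```

With a 60 s idle timeout, the 30 s refresh keeps both inbound calls reachable, the 300 s refresh loses the second call because the pinhole has expired, and a static rule for port 5060 makes reachability independent of the refresh timer at the cost of a permanently open port that the SBC's own access-side filtering must then protect.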
Parent topic: Additional SBC (Session Border Controller) Capabilities