Yes, we know 3CX has its own SBC. But the 3CX SBC is only a private tunnel tool, which creates a channel between your branch and the 3CX at your headquarters. In this situation, we must have a device on which to install this SBC software, and when the customer has multiple branches, that is not easy to manage. It is, though, an economical and secure tool. The point of the 3CX SBC is that phones on the LAN connect to the SBC, and the SBC connects to the 3CX server that is not on the LAN. So:
phone -> SBC -> tunnels over Internet -> 3CX server in data center
Mobile apps and web browsers connect to the 3CX server, not to an SBC. If 3CX and the physical phones are on the same LAN, there is no need for an SBC.

SBC archive - 58VOIP-3CX

But in some scenarios, the customer needs to open a SIP connection between remote IP phones and 3CX. What can we do? Even when a certified 3CX engineer with years of experience has deployed the 3CX configuration, the 3CX could still be hacked. Check the following.

Don’t be “THAT” Guy: Monitor your PBX Instance (Volume 4) (3cx.com)

If we consider a base of 600,000 installs currently active worldwide,
255 (breaches) /600,000 (installs) *100 = 0.04 % got hacked.

This can translate to 1 in every 2400 installations getting breached.
Or in other words, we can say that 99.96% of our customers’ installations are secure and we are quite proud of this statistic!

Personally, if 3CX is deployed publicly on the Internet and the SIP port must be open, it is really a must to use an SBC such as AudioCodes, Ribbon or Anynode.

The threats we could find:

• Denial of Service (DoS) attacks
  • Malicious attacks designed to cripple your VoIP network by overloading it with calls or service requests
• Overload events
  • Non-malicious periods of intense activity can also cause an increase in call signaling rates that exceed what your infrastructure can support
• Network abuse and fraud
  • An unauthorized user gaining access to your VoIP network by mimicking an authorized user or seizing control of a SIP proxy and initiating outbound calls for free
• Viruses and malware
  • Computer viruses, worms, trojan horses, and other malware can degrade performance or completely disrupt service

Therefore, if an administrator wants to truly deal with and solve these threats, relying only on a single 3CX system is not the most secure method. We really need to add an extra line of defense in front, that is, an SBC.

  • Classify incoming calls based on any layer 3, layer 4 and SIP attribute
  • Block all unclassified calls
  • Allow only known clients by verifying any User-Agent header
  • Ignore requests as opposed to rejecting them to prevent information gathering
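
The four rules above can be read as one ordered classification pipeline. The following is an added example, not code from any SBC vendor or from 3CX: it models the decision an SBC makes per incoming SIP request. The networks, port, User-Agent patterns and sample messages are constructed assumptions.

```python
import ipaddress
import re

# Constructed policy values (assumptions): one branch network, TLS on 5061,
# and two phone User-Agent prefixes.
ALLOWED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]
ALLOWED_TRANSPORTS = {("TLS", 5061)}
ALLOWED_METHODS = {"REGISTER", "INVITE", "ACK", "BYE", "CANCEL", "OPTIONS"}
ALLOWED_USER_AGENTS = re.compile(r"(Yealink SIP-T\d+|Fanvil X\d+)")

def parse_sip(raw):
    """Return (method, headers) for a SIP request, or None if malformed."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = re.match(r"([A-Z]+) sips?:\S+ SIP/2\.0$", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return m.group(1), headers

def classify(src_ip, transport, dst_port, raw):
    """Return (verdict, reason). DROP means discard silently: no SIP response,
    so a prober learns nothing about the PBX behind the SBC."""
    if not any(ipaddress.ip_address(src_ip) in n for n in ALLOWED_SOURCES):
        return "DROP", "layer 3: unknown source network"
    if (transport, dst_port) not in ALLOWED_TRANSPORTS:
        return "DROP", "layer 4: transport/port not allowed"
    parsed = parse_sip(raw)
    if parsed is None:
        return "DROP", "SIP: malformed request"
    method, headers = parsed
    if method not in ALLOWED_METHODS:
        return "DROP", "SIP: method not allowed"
    # User-Agent is client-supplied, so it only counts on top of the checks above.
    if not ALLOWED_USER_AGENTS.match(headers.get("user-agent", "")):
        return "DROP", "SIP: unknown User-Agent"
    return "ACCEPT", "classified as branch phone"

def sample(user_agent, method="REGISTER"):
    """Build a constructed SIP request for the demo."""
    return (f"{method} sip:pbx.example.com SIP/2.0\r\n"
            f"User-Agent: {user_agent}\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(classify("198.51.100.20", "TLS", 5061, sample("Yealink SIP-T46S 66.85.0.5")))
    print(classify("203.0.113.9", "UDP", 5060, sample("example-scanner/1.0")))
    print(classify("198.51.100.20", "TLS", 5061, sample("example-scanner/1.0")))
```

Every failure path returns the same silent DROP; the reason string is for the SBC's own log only and is never sent back to the sender.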