The best solution, from a security perspective, is to block all VoIP traffic from crossing the border. This is not a practical solution for most enterprises. Even though VoIP calls may initially occur within the enterprise, eventually users on the Internet or in other enterprise divisions will want to make VoIP calls across the border. There is a menu of techniques and technologies available to protect VoIP systems, networks and phone calls that cross the perimeter/border.
Data firewalls are the border patrol for the trusted network. They have been and will be a necessary tool. They cannot be removed and will still need to be resident to protect against data attacks. However, there are some factors to consider when using the data firewall for VoIP call protection:
- Data firewalls usually do not read the QoS labels that will give preferential treatment to voice packets. The VoIP packets will have to compete for firewall processing with the data packets.
- Firewalls may cause some increased delay, jitter and possibly packet loss as the voice packets traverse the firewall, competing with the data traffic, thereby reducing the call quality.
- The data firewall will have to dynamically assign UDP ports on a per-call basis -- something that most data firewalls cannot accomplish.
- To process the UDP port assignments, the data firewall must be able to read the VoIP signaling protocol (H.323, SIP, Skinny).
- Less expensive and software versions of firewalls automatically block all UDP traffic, thereby preventing VoIP calls and SIP signaling from working.
- Data firewalls perform network address and port number translation. The VoIP signaling packets carry the network and port number addresses of the call. If the addresses are changed by the firewall but the signaling packet addresses are not changed, then VoIP signaling and call packets will not work. Both sides of the firewall will be processing incorrect addresses.
Intrusion detection system (IDS)
The IDS is a passive device that watches the traffic entering the trusted network after that traffic has passed through the data firewall. It flags/alerts the security staff to possible intrusions, but does not block the intrusions. The IDS has to be updated for VoIP. If it is not modified, then the IDS will produce a number of false positive intrusion alerts because the VoIP traffic may look like malicious traffic.
Intrusion prevention system (IPS)
The IPS is an active device that watches the traffic entering the trusted network after that traffic has passed through the data firewall and has passed the IDS. Think of the IPS as a second, more thorough processing firewall. The IPS does further packet inspection in addition to the inspection performed by the data firewall. The IPS must be modified for VoIP traffic as well. The IPS also has been shown in laboratory tests to reduce the VoIP call quality significantly. Turn up the security on the IPS and the voice call quality will suffer. Turn down the security of the IPS and the voice quality improves. This is not a great tradeoff.
There are a few VoIP-specific firewalls on the market. There are also SIP-specific firewalls. These do not replace the existing data firewalls. The VoIP/SIP firewall should be placed in parallel with the data firewall. The data firewall should process data traffic and block the voice traffic. The VoIP/SIP firewall should process the voice traffic and signaling and block the data traffic. The VoIP/SIP firewall is probably expensive and has to have high performance (low latency, low jitter and no packet loss). It will also be designed for specific VoIP signaling (H.323, SIP and Skinny).
Session border controller (SBC)
The SBC is an alternative to the VoIP firewall. The SBC has primarily been a security and control tool implemented by carriers and service providers. It can also be applied to the enterprise. The VoIP caller interacts with the SBC to set up a call. The SBC then calls the other party, acting as a call receptionist. The caller does not pass directly through the SBC but uses the SBC as a proxy to assist in the call setup. There are usually no performance problems with voice quality. The SBC has to be able to process the signaling protocols used. The SBC would be more attractive to larger enterprises because it is an expensive solution designed to handle considerable VoIP traffic.
The last solution is to set up a VPN tunnel through the data firewall to carry the VoIP traffic. This eliminates the need for the data firewall to dynamically support UDP ports and the need to process the VoIP signaling. The VPN will, however, add some overhead. There will be a higher bandwidth required for the VoIP call. The VPN tunnel also encrypts the QoS labels so that the voice traffic will not be given preferential treatment.
Protecting the VoIP perimeter is possible. Planning and design will be required for successful operation. There will also be compromises between security protection and voice quality.
About the author:
Gary Audin has more than 40 years of computer, communications and security experience. He has planned, designed, specified, implemented and operated data, LAN and telephone networks. These have included local area, national and international networks as well as VoIP and IP convergent networks in the U.S., Canada, Europe, Australia and Asia.
This was first published in June 2007