Issue of October 2005 


Creating a secure VoIP infrastructure

Companies deploying VoIP should note the security risks associated with it.

By Bhaskar Bakthavatsalu

With the growing demand for converged networks in which voice, video and data co-exist, organisations are embracing VoIP to reduce costs, improve the voice services they deliver, and lower operational costs for long-distance and other phone services. Companies adopting VoIP should also note its inherent security risks: each element of the infrastructure is reachable on the network like any other computer and is exposed to worms, buffer overflows and similar threats.

Traditional security solutions cannot cope with the demands of carrying voice on the data network because VoIP protocols are complex and diverse. What is needed is a perimeter security solution that is VoIP-aware and can make intelligent security decisions to protect the VoIP network from attack.

Organisations embracing VoIP should look for a solution that delivers the advanced technologies needed to deploy VoIP without sacrificing security.

Enabling VoIP protocols

VoIP implementations use multiple protocols, such as H.323, SIP, MGCP and SCCP, all of which function quite differently and interact with security in ways that traditional firewalls cannot handle. Both parts of a VoIP call must be inspected: the call setup messages and the actual media stream. Added to this is the use of both static ports and random dynamic ports, coupled with the encoding of H.323 traffic. This clearly demands a security solution that is highly aware of VoIP protocols and how they work. Deep VoIP awareness, combining broad protocol support with dynamic opening of ports based on the state and context of the conversation, is an essential feature. Also required are detection and stopping of malicious VoIP activity without administrator interaction, and recognition and enforcement of context on traffic supporting VoIP features such as call forwarding, hold and call transfer.
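The "dynamic opening of ports based on the state of the conversation" described above, as an added example that is not code from the article or from Check Point: a simplified SIP/SDP pinhole tracker that only permits RTP/RTCP media for calls the signalling channel has actually set up, and closes the holes on BYE. The SIP messages are constructed samples; real signalling has many more headers and cases.

```python
import re

# Constructed sample SIP dialog (added here, not from the article): an INVITE
# carrying an SDP offer, the 200 OK answer, then a BYE ending the call.
INVITE = (
    "INVITE sip:bob@10.0.0.20 SIP/2.0\r\nCall-ID: call-1\r\nCSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\nc=IN IP4 10.0.0.10\r\nm=audio 49170 RTP/AVP 0\r\n"
)
OK_200 = (
    "SIP/2.0 200 OK\r\nCall-ID: call-1\r\nCSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\nc=IN IP4 10.0.0.20\r\nm=audio 3456 RTP/AVP 0\r\n"
)
BYE = "BYE sip:bob@10.0.0.20 SIP/2.0\r\nCall-ID: call-1\r\nCSeq: 2 BYE\r\n\r\n"

def media_endpoint(msg):
    """Return the (ip, port) announced in the SDP c= and m=audio lines."""
    c = re.search(r"^c=IN IP4 (\S+)", msg, re.M)
    m = re.search(r"^m=audio (\d+)", msg, re.M)
    return (c.group(1), int(m.group(1))) if c and m else None

class PinholeTracker:
    """Opens media pinholes only for calls that the signalling channel set up,
    and closes them again when the dialog ends (hypothetical simplification)."""
    def __init__(self):
        self.pending = {}   # Call-ID -> caller's media endpoint from the INVITE
        self.pinholes = {}  # Call-ID -> set of (ip, port) allowed for RTP/RTCP

    def on_message(self, msg):
        """Update state from one signalling message; return this call's holes."""
        call_id = re.search(r"^Call-ID: (\S+)", msg, re.M).group(1)
        method = re.search(r"^CSeq: \d+ (\S+)", msg, re.M).group(1)
        start_line = msg.split("\r\n", 1)[0]
        if start_line.startswith("INVITE"):
            self.pending[call_id] = media_endpoint(msg)  # offer: nothing open yet
        elif (start_line.startswith("SIP/2.0 200") and method == "INVITE"
              and call_id in self.pending):
            ends = (self.pending.pop(call_id), media_endpoint(msg))
            # RTP uses the announced port and RTCP the next one up; open both
            # directions only now that both sides have agreed on the media.
            self.pinholes[call_id] = {(ip, p + i) for ip, p in ends for i in (0, 1)}
        elif method == "BYE":
            self.pinholes.pop(call_id, None)  # call over: close the holes
        return self.pinholes.get(call_id, set())

    def permits(self, ip, port):
        """True if a UDP packet to ip:port belongs to an established call."""
        return any((ip, port) in holes for holes in self.pinholes.values())
```

Note that before the 200 OK arrives nothing is open, and that a stray packet to the signalling port or to an unannounced port is never permitted by the media rule.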

In converged networks

A VoIP infrastructure may comprise private branch exchange (PBX) systems, gateways, proxies, phones and more. These components may be embedded devices or off-the-shelf servers running a commercial operating system. Because they are addressable and accessible over the data network, they are vulnerable to DoS attacks, gateways might be hacked to make unauthorised free telephone calls, and sniffing, eavesdropping and other attacks are possible.

If traffic deviates from the norm, as when an attacker tries to exploit a vulnerability, detection and stopping should happen automatically, and steps should be taken to preemptively prevent the attack from taking place. This should include validation of VoIP sessions against an expected pattern of behaviour, prevention of DoS attacks, and reduction of the ability of outside parties to access VoIP conversations for theft of service or call hijacking, through the use of VoIP handover domains.

A deeper understanding of how VoIP protocols are supposed to operate is essential

Delivering voice quality

A major concern for VoIP deployments is maintaining the high level of voice quality that people are used to from traditional phone services. VoIP quality is degraded mainly by two things: latency, caused by the way routers process packets, and jitter, the irregular delay in receiving VoIP packets that causes them to arrive out of order or not at all. Encryption performed at the endpoint or at the security gateway adds to both.

Enterprises should be able to gain integrated Quality of Service (QoS) that minimises the jitter and latency introduced by applying the needed security. The solution should also provide several strategies through which companies can ensure high-quality voice communications; used in combination, these should let organisations deliver high voice quality. The option to use weighted priorities, so that VoIP traffic is allocated more bandwidth than discretionary traffic, is likewise desirable. Additionally, hardware acceleration of encryption is required to reduce the jitter caused by cryptographic processing.

Solving the NAT problem

Network Address Translation (NAT), one of the most prevalent security measures in use today, poses a special problem for VoIP. Commonly used in perimeter firewalls to conserve IP addresses and disguise the internal network structure, NAT converts internal IP addresses into a single, globally unique IP address for routing across the Internet. In the process it modifies the address at the network layer (layer 3) of each packet to reflect the mapping.

However, VoIP protocols embed IP addresses at the application layer as well as the network layer, which makes it difficult to route signalling or media traffic to an endpoint behind a NAT gateway. For incoming calls this is a particular problem, because the externally routable address may be shared by many hundreds of endpoints.

The ideal solution should let companies keep their existing network architecture alongside VoIP, without having to stop using NAT and privately routable IP addresses. The solution should maintain a VoIP user database that is synchronised with the information held on the signalling routing device. An IP phone must register itself with a signalling device before placing calls; the solution should recognise the registration request and record the necessary information in its internal database. This registration enables calls from outside the protected network to reach phones whose addresses are translated using Hide NAT (many-to-one NAT).
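The two NAT points above, embedded application-layer addresses and the registration database, as an added example that is not code from the article or from Check Point: the first function lists the SIP/SDP fields whose addresses a layer-3 NAT leaves untouched and flags those that disagree with the translated source, and the class records REGISTER requests so an inbound call can be mapped back through Hide NAT. Message formats are constructed samples and the field patterns are deliberately minimal.

```python
import re

# Constructed sample messages (added here, not from the article) from a phone at
# private address 10.0.0.10; after Hide NAT the gateway sees them arrive from
# public address 203.0.113.5 with a translated source port.
REGISTER = (
    "REGISTER sip:pbx.example.test SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.10:5060\r\n"
    "To: <sip:alice@pbx.example.test>\r\nContact: <sip:alice@10.0.0.10:5060>\r\n\r\n"
)
INVITE = (
    "INVITE sip:bob@pbx.example.test SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.10:5060\r\n"
    "Contact: <sip:alice@10.0.0.10:5060>\r\nContent-Type: application/sdp\r\n\r\n"
    "v=0\r\nc=IN IP4 10.0.0.10\r\nm=audio 49170 RTP/AVP 0\r\n"
)
# Application-layer fields that carry an IP address; layer-3 NAT never rewrites them.
PATTERNS = {
    "Via": r"^Via: SIP/2.0/UDP ([\d.]+)",
    "Contact": r"^Contact: <sip:[^@]+@([\d.]+)",
    "SDP c=": r"^c=IN IP4 ([\d.]+)",
}

def embedded_addresses(msg):
    """Map each address-bearing field present in msg to the address it carries."""
    found = {}
    for name, pat in PATTERNS.items():
        m = re.search(pat, msg, re.M)
        if m:
            found[name] = m.group(1)
    return found

def nat_mismatches(msg, layer3_src):
    """Fields whose embedded address differs from the translated source address;
    each would misroute replies or media unless the gateway rewrites it."""
    return {k: v for k, v in embedded_addresses(msg).items() if v != layer3_src}

class RegistrationDB:
    """User database kept in sync with the REGISTER requests the gateway sees, so
    an inbound call for a user can be sent back to the right translated phone."""
    def __init__(self):
        self.users = {}

    def on_register(self, msg, layer3_src, layer3_port):
        user = re.search(r"^To: <sip:([^@]+)@", msg, re.M).group(1)
        self.users[user] = {"private": embedded_addresses(msg)["Contact"],
                            "public": (layer3_src, layer3_port)}

    def route_inbound(self, user):
        # Public (ip, port) to forward an incoming call to, or None if unregistered.
        return self.users.get(user, {}).get("public")
```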

The author is Sales Manager (Indian Sub-continent), Checkpoint Software Technologies Ltd



Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.