10 things your VoIP Firewall should do

When voice joins applications and data on you network, there are a few things you should know

March 12, 2010

By Martin Tassev, MD, LOOPHOLD Security Distribution

When voice joins applications and data on you network, there are a few things you should know

With the adoption of digital telephony and teleconferencing expanding, Voice over Internet Protocol (VoIP) has entered the IT mainstream. This means voice, and perhaps fax, voicemail, and video, now joins data and application traffic in the corporate network.

No matter the size of the organisation, VoIP requires certain changes in the management and protection of the network.

When making the move to VoIP, there are a few key considerations that should be taken into account:

1. Security is more than physical

Before VoIP, a PSTN (public switched telephone network) connection, physical access to the PBX (private branch exchange) or the telephone line itself was required to intercept or disrupt a call. However, because VoIP uses an Internet connection and no ‘physical wire’ is needed, it does not have the same security as telephone lines. Interception and disruption don’t need to be physical to cause damage, and these attacks can come from anywhere on the network.

That’s why VoIP firewalls are important. They provide the same level of protection for VoIP traffic as ordinary firewalls do for applications and data traffic.

2. Priority means clarity

VoIP works by converting analogue voice traffic to digital, sending it over the network in packets.  A single VoIP phone conversation will be divided into thousands of packets that can take different routes to their destination VoIP is susceptible to Quality of Service (QoS) concerns – such as latency, jitter, packet loss and echo. A VoIP Firewall avoids these disturbances by tagging and recognising VoIP traffic tags, and giving them the highest priority when receiving, assembling and accepting content.

3. Managing the bandwidth pipe

Because VoIP makes up only a portion of network traffic, it can’t be prioritised at the expense of other traffic. One solution is to manage the bandwidth of all of the traffic (data, applications and voice). This can be done by restricting the bandwidth given to non-VoIP applications and data – such as limiting bandwidth to sites such as YouTube or blocking access to peer-to-peer sites. This frees up bandwidth for essential traffic.

This strategy is best when the IT department has a good sense of how and who uses the available bandwidth.

4. The bandwidth guarantee

Another strategy is to guarantee a minimum amount of overall bandwidth to VoIP traffic. The remaining bandwidth can either be assigned to other applications, or left unassigned.

This strategy is best in situations when the IT department does not have a clear idea of how bandwidth is being used and who is using it.

5. Keep connections clean

Denial of Service (DoS) attacks are aimed at disrupting the ability of the firewall to receive and process packets in a timely fashion. VoIP traffic can be affected by two types of DoS attacks: VoIP Spoofing Attacks and Service-Level Attacks.

VoIP Spoofing Attacks involve malformed and invalid packets, which masquerade as VoIP traffic and obstruct the processing of all traffic.

Service-Level Attacks such as Syn Flood, Ping of Death and LAND (IP) attacks attempt to use up firewall connections directly affecting VoIP traffic throughput.

A VoIP Firewall prevents these attempts by:

– Validating packet sequence for VoIP packets
– Using randomised TCP sequence numbers to validate TCP session data flow
– Conducting stateful inspection of VoIP signaling and media packets
– Monitoring attempts to open too many TCP/IP connections

6. Connect, protect and disconnect

A VoIP Firewall tracks each VoIP session from call inception to call end, enabling the firewall to control, manage, and protect each VoIP session based on the unique characteristics of that call. It takes the following actions during a VoIP session:

– Control incoming calls using H.323 or SIP Proxy authorization and authentication methods
– Open media ports only if a valid request if received and the call is fully connected Protect
– Validate headers and inspect all VoIP traffic
– Dynamic set-up and tracking of both signaling and media streams Disconnect
– Close ALL open connections when call is complete
– Make inactivity time-outs configurable by the admin and enforce them
– Change ports for each call, don’t use static mappings

7. The Signature Wall

IPS signatures are used to block application-layer attacks. Regular updates to the IPS Signature list enable a VoIP Firewall to block these attacks and stay ahead of attacks trying to exploit the latest vulnerability.

8. Partial protection is not protection

In the past, VoIP Firewalls were expected to ‘stay out of the way’. However, because network attacks have found vulnerabilities to exploit, and are just as varied as those affecting other types of traffic, VoIP traffic demands the same protection services.

9. Know what’s going on

A VoIP Firewall will provide visability into all network traffic – voice, data and applications. This includes logging signaling and media streams.

It allows insight into the past, present and future of your VoIP traffic.
– Past: for each VoIP connection, audit logs were kept for caller and called parties, call duration, total bandwidth used etc.
– Present: dynamic live reporting of active VoIP calls (including caller and calling party, bandwidth used etc) is possible.
– Future: able to get clear and concise reports that allow you to ‘predict’ the future, by examining trends over hours, days, weeks or months.

10. Adding, moving and removing devices

Thankfully, adding, moving and removing devices from the network does not mean more work every time these actions need to be initiated and completed.

The advanced tracking and monitoring technology in a VoIP firewall ensures that devices are automatically protected – as soon as they are plugged into the network.

Before looking for a VoIP Firewall, one should scrutinise the functionality offered by the current firewall – it’s possible your existing firewall is already meeting these requirements. If not, you may have a firewall not suited to your changing network traffic needs, which are likely to include more and more voice traffic along with data and applications.