Securing the enterprise VoIP perimeter
How to make VoIP work without sacrificing firewalls or network perimeter security.
Traditional perimeter security methods such as firewalls and IPS can interfere with VoIP call operation and performance, which can cause many organizations to bypass or break through firewalls to make VoIP work or to decide that VoIP is too problematic to implement while maintaining network security. Here, Gary Audin explores methods of securing the enterprise VoIP perimeter, along with considerations for how to achieve security without sacrificing performance.
In previous tips, we discussed the tools that can be used to attack VoIP/IP telephony systems and networks. This tip focuses on the perimeter -- the border around an enterprise network -- and how to protect against malicious behaviour. The perimeter will probably be the border between the trusted network (the enterprise) and the untrusted network (the Internet). The border could also be between two divisions or subsidiaries of the same enterprise. Traditional security protection technologies may actually cause problems for VoIP call operation and performance. This tip will also provide cautions for the implementation of the suggested protection technologies.
The best solution, from a security perspective, is to block all VoIP traffic from crossing the border. This is not a practical solution for most enterprises. Even though VoIP calls may initially occur within the enterprise, eventually users on the Internet or in other enterprise divisions will want to make VoIP calls across the border. There is a menu of techniques and technologies available to protect VoIP systems, networks and phone calls that cross the perimeter/border.
Data firewalls
Data firewalls are the border patrol for the trusted network. They have been and will be a necessary tool. They cannot be removed and will still need to be resident to protect against data attacks. However, there are some factors to consider when using the data firewall for VoIP call protection:
- Data firewalls usually do not read the QoS labels that will give preferential treatment to voice packets. The VoIP packets will have to compete for firewall processing with the data packets.
- Firewalls may cause some increased delay, jitter and possibly packet loss as the voice packets traverse the firewall, competing with the data traffic, thereby reducing the call quality.
- The data firewall will have to dynamically assign UDP ports on a per-call basis -- something that most data firewalls cannot accomplish.
- To process the UDP port assignments, the data firewall must be able to read the VoIP signaling protocol (H.323, SIP, Skinny).
- Less expensive and software versions of firewalls automatically block all UDP traffic, thereby preventing VoIP calls and SIP signaling from working.
- Data firewalls perform network address and port number translation. The VoIP signaling packets carry the network and port number addresses of the call. If the addresses are changed by the firewall but the signaling packet addresses are not changed, then VoIP signaling and call packets will not work. Both sides of the firewall will be processing incorrect addresses.
Intrusion detection system (IDS)
The IDS is a passive device that watches the traffic entering the trusted network after that traffic has passed through the data firewall. It flags/alerts the security staff to possible intrusions, but does not block the intrusions. The IDS has to be updated for VoIP. If it is not modified, then the IDS will produce a number of false positive intrusion alerts because the VoIP traffic may look like malicious traffic.
Intrusion prevention system (IPS)
The IPS is an active device that watches the traffic entering the trusted network after that traffic has passed through the data firewall and has passed the IDS. Think of the IPS as a second, more thorough processing firewall. The IPS does further packet inspection in addition to the inspection performed by the data firewall. The IPS must be modified for VoIP traffic as well. The IPS also has been shown in laboratory tests to reduce the VoIP call quality significantly. Turn up the security on the IPS and the voice call quality will suffer. Turn down the security of the IPS and the voice quality improves. This is not a great trade-off.
VoIP firewalls
There are a few VoIP-specific firewalls on the market. There are also SIP-specific firewalls. These do not replace the existing data firewalls. The VoIP/SIP firewall should be placed in parallel with the data firewall. The data firewall should process data traffic and block the voice traffic. The VoIP/SIP firewall should process the voice traffic and signaling and block the data traffic. The VoIP/SIP firewall is probably expensive and has to have high performance (low latency, low jitter and no packet loss). It will also be designed for specific VoIP signaling (H.323, SIP and Skinny).
Session border controller (SBC)
The SBC is an alternative to the VoIP firewall. The SBC has primarily been a security and control tool implemented by carriers and service providers. It can also be applied to the enterprise. The VoIP caller interacts with the SBC to set up a call. The SBC then calls the other party, acting as a call receptionist. The caller does not pass directly through the SBC but uses the SBC as a proxy to assist in the call setup. There are usually no performance problems with voice quality. The SBC has to be able to process the signaling protocols used. The SBC would be more attractive to larger enterprises because it is an expensive solution designed to handle considerable VoIP traffic.
VPN transmission
The last solution is to set up a VPN tunnel through the data firewall to carry the VoIP traffic. This eliminates the need for the data firewall to dynamically support UDP ports and the need to process the VoIP signaling. The VPN will, however, add some overhead. There will be a higher bandwidth required for the VoIP call. The VPN tunnel also encrypts the QoS labels so that the voice traffic will not be given preferential treatment.
Protecting the VoIP perimeter is possible. Planning and design will be required for successful operation. There will also be compromises between security protection and voice quality.
About the author:
Gary Audin has more than 40 years of computer, communications and security experience. He has planned, designed, specified, implemented and operated data, LAN and telephone networks. These have included local area, national and international networks as well as VoIP and IP convergent networks in the U.S., Canada, Europe, Australia and Asia.