With the adoption of digital telephony and teleconferencing expanding, Voice over Internet Protocol (VoIP) has entered the IT mainstream, writes Martin Tassev, MD of Loophold Security Distribution.
This means voice, and perhaps fax, voicemail, and video, now joins data and application traffic in the corporate network.
No matter the size of the organisation, VoIP requires certain changes in the management and protection of the network. When making the move to VoIP, there are a few key considerations that should be taken into account:
* Security is more than physical – Before VoIP, on a PSTN (public switched telephone network) connection, physical access to the PBX (private branch exchange) or to the telephone line itself was required to intercept or disrupt a call. Because VoIP travels over an Internet connection and no 'physical wire' is needed, it does not have the physical security of telephone lines. Interception and disruption no longer need physical access to cause damage, and these attacks can come from anywhere on the network. That's why VoIP firewalls are important: they provide the same level of protection for VoIP traffic as ordinary firewalls do for application and data traffic.
* Priority means clarity – VoIP works by converting analogue voice to digital and sending it over the network in packets. A single VoIP phone conversation is divided into thousands of packets that can take different routes to their destination. VoIP is therefore susceptible to Quality of Service (QoS) problems such as latency, jitter, packet loss and echo. A VoIP firewall avoids these disturbances by recognising the QoS tags on VoIP traffic and giving tagged packets the highest priority when receiving, reassembling and forwarding content.
* Managing the bandwidth pipe – Because VoIP makes up only a portion of network traffic, it can't be prioritised at the expense of other traffic. One solution is to manage the bandwidth of all of the traffic (data, applications and voice). This can be done by restricting the bandwidth given to non-VoIP applications and data – such as limiting bandwidth to sites such as YouTube or blocking access to peer-to-peer sites. This frees up bandwidth for essential traffic. This strategy is best when the IT department has a good sense of how and who uses the available bandwidth.
* The bandwidth guarantee – Another strategy is to guarantee a minimum amount of overall bandwidth to VoIP traffic. The remaining bandwidth can either be assigned to other applications, or left unassigned. This strategy is best in situations when the IT department does not have a clear idea of how bandwidth is being used and who is using it.
* Keep connections clean – Denial of Service (DoS) attacks aim to disrupt the firewall's ability to receive and process packets in a timely fashion. VoIP traffic can be affected by two types of DoS attack: VoIP spoofing attacks and service-level attacks. VoIP spoofing attacks use malformed and invalid packets that masquerade as VoIP traffic and obstruct the processing of all traffic. Service-level attacks such as SYN flood, Ping of Death and LAND (IP) attacks attempt to use up firewall connections, which directly reduces VoIP traffic throughput. A VoIP firewall prevents these attempts by validating the packet sequence of VoIP packets; using randomised TCP sequence numbers to validate TCP session data flow; conducting stateful inspection of VoIP signalling and media packets; and monitoring attempts to open too many TCP/IP connections.
* Connect, protect and disconnect – A VoIP Firewall tracks each VoIP session from call inception to call end, enabling the firewall to control, manage, and protect each VoIP session based on the unique characteristics of that call.
* The Signature Wall – IPS signatures are used to block application-layer attacks. Regular updates to the IPS Signature list enable a VoIP Firewall to block these attacks and stay ahead of attacks trying to exploit the latest vulnerability.
* Partial protection is not protection – In the past, VoIP Firewalls were expected to 'stay out of the way'. However, because network attacks have found vulnerabilities to exploit, and are just as varied as those affecting other types of traffic, VoIP traffic demands the same protection services.
* Know what's going on – A VoIP firewall provides visibility into all network traffic – voice, data and applications. This includes logging of signalling and media streams.
* Adding, moving and removing devices – Thankfully, adding, moving and removing devices from the network does not mean more work every time these actions need to be initiated and completed. The advanced tracking and monitoring technology in a VoIP firewall ensures that devices are automatically protected – as soon as they are plugged into the network.
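The "Keep connections clean" point above mentions validating the packet sequence of VoIP packets and rejecting malformed packets that merely masquerade as VoIP traffic. The following is an added illustration, not code from the article or from any product it describes: a minimal RFC 3550 RTP header check plus per-stream (per-SSRC) sequence tracking that classifies duplicates, out-of-order packets, ordinary loss and implausible jumps. The `max_gap` threshold, the verdict labels and the sample packets are my own constructed assumptions.

```python
import struct
from typing import Optional

RTP_VERSION = 2        # RFC 3550 fixed header always carries version 2
RTP_FIXED_HEADER = 12  # bytes before the optional CSRC list


def parse_rtp(packet: bytes) -> Optional[dict]:
    """Return the fixed RTP header fields, or None if the datagram is malformed."""
    if len(packet) < RTP_FIXED_HEADER:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:RTP_FIXED_HEADER])
    csrc_count = b0 & 0x0F
    # Reject wrong version bits, or a CSRC count the packet is too short to hold.
    if (b0 >> 6) != RTP_VERSION or len(packet) < RTP_FIXED_HEADER + 4 * csrc_count:
        return None
    return {"pt": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc}


class RtpStreamTracker:
    """Track the 16-bit sequence number per SSRC and classify each packet."""

    def __init__(self, max_gap: int = 50):
        self.max_gap = max_gap  # largest forward jump still treated as ordinary loss (assumed)
        self.last_seq: dict[int, int] = {}

    def check(self, packet: bytes) -> str:
        hdr = parse_rtp(packet)
        if hdr is None:
            return "malformed"
        prev = self.last_seq.get(hdr["ssrc"])
        if prev is None:
            self.last_seq[hdr["ssrc"]] = hdr["seq"]
            return "new-stream"
        delta = (hdr["seq"] - prev) & 0xFFFF  # wrap-safe forward distance
        if delta == 0:
            return "duplicate"
        if delta >= 0x8000:
            return "out-of-order"  # older than the last accepted packet
        if delta > self.max_gap:
            return "suspicious-jump"  # too far ahead to be ordinary packet loss
        self.last_seq[hdr["ssrc"]] = hdr["seq"]
        return "ok" if delta == 1 else "gap"


def make_rtp(seq: int, ssrc: int = 0xDEADBEEF, pt: int = 0) -> bytes:
    """Build a constructed (not captured) RTP packet: V=2, no padding/extension/CSRC."""
    return struct.pack("!BBHII", 0x80, pt, seq, seq * 160, ssrc) + b"\xff" * 160
```

A real VoIP firewall would feed such verdicts into its policy (drop, rate-limit, log) and would also check the signalling side, which this snippet leaves out.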
Before looking for a VoIP firewall, one should scrutinise the functionality offered by the current firewall – it's possible your existing firewall is already meeting these requirements. If not, you may have a firewall not suited to your changing network traffic needs, which are likely to include more and more voice traffic along with data and applications.