VoIP
510
SonicOS Enhanced 4.0 Administrator Guide
VoIP Security
Companies implementing VoIP technologies in an effort to cut communication costs and extend
corporate voice services to a distributed workforce face security risks associated with the
convergence of voice and data networks. VoIP security and network integrity are an essential
part of any VoIP deployment.
The same security threats that plague data networks today are inherited by VoIP but the
addition of VoIP as an application on the network makes those threats even more dangerous.
By adding VoIP components to your network, you’re also adding new security requirements.
VoIP encompasses a number of complex standards that leave the door open for bugs and
vulnerabilities within the software implementation. The same types of bugs and vulnerabilities
that hamper every operating system and application available today also apply to VoIP
equipment. Many of today's VoIP call servers and gateway devices are built on vulnerable
Windows and Linux operating systems.
Firewall Requirements for VoIP
VoIP is more complicated than standard TCP/UDP-based applications. Because of the
complexities of VoIP signaling and protocols, as well as inconsistencies that are introduced
when a firewall modifies source address and source port information with Network Address
Translation (NAT), it is difficult for VoIP to effectively traverse a standard firewall. Here are a
few of the reasons why.
• VoIP operates using two separate protocols - A signaling protocol (between the client
and VoIP Server) and a media protocol (between the clients). Port/IP address pairs used
by the media protocols (RTP/RTCP) for each session are negotiated dynamically by the
signaling protocols. Firewalls need to dynamically track and maintain this information,
securely opening selected ports for the sessions and closing them at the appropriate time.
• Multiple media ports are dynamically negotiated through the signaling session -
negotiations of the media ports are contained in the payload of the signaling protocols (IP
address and port information). Firewalls need to perform deep packet inspection on each
packet to acquire the information and dynamically maintain the sessions, thus demanding
extra firewall processing.
• Source and destination IP addresses are embedded within the VoIP signaling
packets - A firewall supporting NAT translates IP addresses and ports at the IP header
level for packets. Fully symmetric NAT firewalls adjust their NAT bindings frequently, and
may arbitrarily close the pinholes that allow inbound packets to pass into the network they
protect, eliminating the service provider's ability to send inbound calls to the customer. To
effectively support VoIP it is necessary for a NAT firewall to perform deep packet inspection
and transformation of embedded IP addresses and port information as the packets traverse
the firewall.
• Firewalls need to process the signaling protocol suites consisting of different
message formats used by different VoIP systems - Just because two vendors use the
same protocol suite does not necessarily mean they will interoperate.
To overcome many of the hurdles introduced by the complexities of VoIP and NAT, vendors are
offering Session Border Controllers (SBCs). An SBC sits on the Internet side of a firewall and
attempts to control the border of a VoIP network by terminating and re-originating all VoIP
media and signalling traffic. In essence, SBCs act as a proxy for VoIP traffic for non-VoIP
enabled firewalls. SonicWALL security appliances are VoIP enabled firewalls that eliminate the
need for an SBC on your network.