The Voice over Internet Protocol (VoIP) communications platform unites essential elements of Centrex and on-premise IP-PBX systems into a coherent, integrated telephony configuration. VoIP provides users basic calling features such as unlimited local/long-distance calls, unified messaging, call waiting, call forwarding, caller ID, call transfer and dial-by-name, among many other basic call functions. With hosted PBX, the service provider owns and administers the technology required for system operation, minimizing the substantial capital outlays needed to implement and maintain alternatives such as Centrex or on-premise IP-PBX systems.
The Secure SIP Aware Firewall Protects VoIP Traffic
The extensible and open design of the Session Initiation Protocol (SIP) has enhanced its value and use as a call-control protocol for VoIP networks. The interactive user sessions that SIP sets up expand the network's audio, chat and voice capabilities. A SIP-aware firewall enables safe transmission of signaling and data over channels encrypted with Transport Layer Security (TLS).
RFC 3261, the SIP specification, describes the security mechanisms used to protect SIP sessions. These mechanisms protect SIP communications from eavesdropping and from tampering with message content or transmission. Applying them helps companies establish a virtual worldwide presence by
- connecting enterprise communications’ systems to the outside world, while
- establishing real-time VoIP, SIP-protected messaging and data exchange.
Like VoIP, SIP also generates
- lower operating costs for the enterprise,
- greater flexibility in ordering service, and
- enhanced operating features.
However, these features depend on IP-based protocols opened to a wide area network (WAN) that is not always secure. The SIP-aware firewall generates a flexible and reliable network safeguard.
SIP security takes many forms. HTTP Digest authentication using MD5 is the most fundamental category of SIP security: the proxy server issues a challenge, and the user agent answers with a hash computed from its credentials and that challenge. At the other end of the complexity scale, SIP can encrypt the data within SIP messages directly via Secure Multipurpose Internet Mail Extensions (S/MIME). The most comprehensive variety of SIP protection, however, is Secure SIP. Working hop by hop over TLS, SIP over TLS greatly expands on what MD5 Digest authentication covers while avoiding the additional overhead S/MIME requires. It does, however, require a common Certificate Authority (CA) trusted by every hop, which is not the ideal option in some cases.
In every case, SIP-based communication from outside the enterprise must first traverse firewalls and/or routers implementing Network Address Translation (NAT). The firewall's objective is to prevent inbound communications from unknown sources. NAT, an essential component of the firewall security fabric, hides the private IP addresses on the LAN so that internal hosts cannot be addressed from the outside; because SIP signaling carries those private addresses in its headers, the same mechanism breaks inbound SIP. The SIP-aware firewall provides a long-term solution for safe enterprise NAT traversal.
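The Digest challenge-response described above, worked through from the registrar's side as an added example (this is not code from the original article or from any vendor product): the server recomputes the RFC 3261 MD5 digest from the credentials it holds and the nonce it issued, and rejects unknown users, foreign realms, replayed nonces and wrong methods before comparing. The realm, subscriber and password are constructed sample values.

```python
import hashlib
import hmac
import re

# Constructed sample: the one subscriber this registrar knows, and its realm.
REALM = "example.com"
CREDENTIALS = {"alice": "correct horse battery staple"}


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def parse_authorization(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict; quoted and bare values accepted."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]+)', params)}


def expected_response(username: str, realm: str, password: str,
                      method: str, uri: str, nonce: str) -> str:
    """RFC 3261 Digest without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")   # never sent; derived from the secret
    ha2 = _md5(f"{method}:{uri}")                   # binds the proof to this request
    return _md5(f"{ha1}:{nonce}:{ha2}")


def verify_register(header: str, method: str, issued_nonce: str) -> bool:
    """Return True only if the Authorization header proves knowledge of the password
    for the nonce this server actually issued for this request."""
    p = parse_authorization(header)
    password = CREDENTIALS.get(p.get("username", ""))
    # Cheap rejections first: unknown user, wrong realm, nonce we did not issue.
    if password is None or p.get("realm") != REALM or p.get("nonce") != issued_nonce:
        return False
    want = expected_response(p["username"], REALM, password, method, p.get("uri", ""), issued_nonce)
    # Constant-time comparison so timing does not leak how many hex digits matched.
    return hmac.compare_digest(want, p.get("response", ""))
```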
SIP Application Level Gateway (ALG) and VoIP Gateway’s Proxy Architecture
Most SIP-aware firewalls use a SIP Application Level Gateway (ALG) architecture. An ALG handles most basic call scenarios, but its ability to place enterprise SIP calls in real time is constrained by firewall-traversal problems. In addition, the limits on an ALG's overall security protection can be compounded by packet loss, jitter and similar transmission obstacles that stop calls going through or reaching the right destination. Enterprise communication strategies may therefore not be well served by the standard ALG-based SIP-aware firewall.
In contrast, a proxy-based SIP-aware firewall offers a more comprehensive solution to the NAT-traversal problems the enterprise firewall presents. A proxy briefly holds each signaling packet, inspects it individually, rewrites its header information, and only then delivers it to the designated endpoint. The result is flexible, controlled deployment of SIP-based enterprise communications. In this way the SIP proxy offers benefits that the ALG architecture cannot.
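What "inspect each signaling packet, then rewrite its headers" looks like in practice, as an added example that is not the article's or any vendor's code: a proxy receives a REGISTER whose topmost Via and Contact still carry the phone's private LAN address, compares them with the packet's real source, adds the RFC 3261 received= parameter to the Via and points the Contact at the NAT's public mapping, returning an audit list of the rewrites for logging. The REGISTER and the public address 203.0.113.7:41022 are constructed sample values.

```python
import re

# Constructed sample: a REGISTER as sent by a phone on a private LAN; the proxy
# sees it arrive from the NAT's public mapping 203.0.113.7:41022.
SAMPLE_REGISTER = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:alice@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.20\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

# RFC 1918 ranges: a Contact pointing here is unreachable from the public side.
PRIVATE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)")
SENT_BY = re.compile(r"^(\s*SIP/2\.0/\w+\s+)([\w.\-]+)(:\d+)?")
CONTACT_HOST = re.compile(r"(sip:[^@>]+@)([\w.\-]+)(:\d+)?")


def rewrite_for_nat(msg: str, src_ip: str, src_port: int) -> tuple[str, list[str]]:
    """Inspect one signaling packet the way a proxy-based SIP firewall does and repair
    the two headers NAT leaves inconsistent with the packet's real source address.
    Returns the rewritten message plus an audit list describing each change."""
    head, sep, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    changes: list[str] = []
    via_seen = False
    for i, line in enumerate(lines[1:], start=1):      # skip the request line
        name, _, value = line.partition(":")
        key = name.strip().lower()
        if key in ("via", "v") and not via_seen:
            via_seen = True                            # only the topmost Via is ours
            m = SENT_BY.match(value)
            # RFC 3261 18.2.1: sent-by host differs from the source IP -> add received=
            if m and m.group(2) != src_ip and ";received=" not in value:
                lines[i] = f"{line};received={src_ip}"
                changes.append(f"Via received={src_ip}")
        elif key in ("contact", "m"):
            m = CONTACT_HOST.search(value)
            if m and PRIVATE.match(m.group(2)):        # private host: rewrite to public mapping
                new_value = CONTACT_HOST.sub(rf"\g<1>{src_ip}:{src_port}", value, count=1)
                lines[i] = f"{name}:{new_value}"
                changes.append(f"Contact {m.group(2)}{m.group(3) or ''} -> {src_ip}:{src_port}")
    return "\r\n".join(lines) + sep + body, changes
```

A packet whose Via and Contact already match its source address passes through unchanged, which is the check that keeps the proxy from rewriting legitimately public endpoints.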
Modern VoIP gateways may also offer more advanced features such as application steering, real-time failover and broadband bonding, whereby two or more WAN links are orchestrated to optimize the Mean Opinion Score (MOS) of calls as well as overall call capacity.
Implementing SIP-aware firewall technology is recommended for VoIP network administrators seeking an added level of security without sacrificing network performance. In all cases, SIP-aware routers substantially help with firewall capacity, connectivity, dependability and call-quality issues. A more comprehensive strategy that also incorporates modern VoIP gateways into the design is therefore recommended.
Cahit Akin, CEO, Mushroom Networks, Inc.
Mushroom Networks is the provider of the VOIP Armor device that enables self-healing WAN networks for VOIP / SIP traffic by routing around network problems such as latency, jitter and packet loss.