The Voice Over Internet Protocol (VoIP) communications platform unites essential elements of Centrex and on-premises IP-PBX systems into a coherent, integrated telephony configuration. VoIP provides users the same basic calling features: unlimited local/long-distance calls, unified messaging, call waiting/forwarding/ID/transfer, and dial-by-name, among many other basic call functions. With hosted PBX, the service provider owns and administers the technology required for system operation, minimizing the substantial capital outlays needed to implement and maintain alternatives like Centrex or on-premises IP-PBX systems.
The Secure SIP Aware Firewall Protects VoIP Traffic
Applying SIP aware firewalls (modern VoIP gateways) improves overall security for enterprise VoIP networks.
The extensible and open nature of the Session Initiation Protocol (SIP) has enhanced its value and use as a call-control protocol for VoIP networks. SIP-generated, interactive VoIP user sessions expand the network's audio, chat and voice capabilities. A SIP aware firewall enables safe transmission of messages and data over Transport Layer Security (TLS)-encrypted channels.
SIP RFC 3261 specifies the security mechanisms used to improve SIP-session security. These mechanisms protect SIP communications from eavesdropping and from tampering with message content or transmission. Their application helps companies establish a virtual worldwide presence,
- connecting enterprise communications systems to the outside world, while
- establishing real-time VoIP, SIP-protected messaging and data exchange.
Like VoIP, SIP also generates
However, these features depend on IP-based protocols exposed to a wide area network (WAN) that is not always secure. The SIP aware firewall provides a flexible and reliable network safeguard.
SIP security takes many forms. Message Digest (MD5) authentication is the most fundamental category of SIP security, producing a challenge-response exchange between a proxy server and a user agent. At the other extreme, SIP security can directly encrypt data within SIP messages via Secure/Multipurpose Internet Mail Extensions (S/MIME). The most comprehensive form of SIP protection, however, is Secure SIP. Working on a hop-by-hop TLS basis, SIP over TLS greatly expands on MD5 digest coverage while avoiding the additional overhead S/MIME requires; it does, however, require a common Certificate Authority (CA), which may not be the ideal option in every case.
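The MD5 digest challenge-response between a SIP proxy and user agent described above, as an added Python example that is not part of the original article: the proxy issues a nonce in a 407 challenge, the user agent answers with a Digest response, and the proxy verifies it against a stored HA1 hash (so it never needs the clear-text password), rejecting replays and unknown nonces. The realm, user names and credentials are constructed for illustration.

```python
import hashlib
import re
import secrets

def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def ha1_for(username, realm, password):
    # A1 = username:realm:password. A proxy can store this hash instead of the password.
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, qop, nc, cnonce):
    # RFC 3261 reuses the HTTP Digest computation (RFC 2617) for SIP requests.
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")  # legacy form without qop

def proxy_challenge(realm, issued):
    # Header for a 407 Proxy Authentication Required; the nonce is remembered so the proxy can refuse responses built on nonces it never issued.
    nonce = secrets.token_hex(16)
    issued.add(nonce)
    return f'Proxy-Authenticate: Digest realm="{realm}", nonce="{nonce}", qop="auth", algorithm=MD5'

def parse_digest(header):
    params = header.split("Digest", 1)[1]
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)}

def ua_authorization(challenge, username, password, method, uri):
    # User-agent side: answer the challenge on the retransmitted request.
    c = parse_digest(challenge)
    cnonce, nc = secrets.token_hex(8), "00000001"
    resp = digest_response(ha1_for(username, c["realm"], password), method, uri, c["nonce"], "auth", nc, cnonce)
    return (f'Proxy-Authorization: Digest username="{username}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}", algorithm=MD5')

def proxy_verify(header, method, request_uri, issued, ha1_db):
    # Proxy side: recompute the response from the stored HA1 and compare in constant time.
    p = parse_digest(header)
    if p.get("nonce") not in issued or p.get("uri") != request_uri:
        return False  # unknown/replayed nonce, or a response bound to a different URI
    ha1 = ha1_db.get((p.get("username"), p.get("realm")))
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, request_uri, p["nonce"], p.get("qop"), p.get("nc"), p.get("cnonce"))
    ok = secrets.compare_digest(expected, p.get("response", ""))
    if ok:
        issued.discard(p["nonce"])  # single-use nonce: a captured header cannot be replayed
    return ok
```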
Nevertheless, SIP-based communication from outside the enterprise must first traverse firewalls and/or routers implementing Network Address Translation (NAT). A firewall's objective is to prevent inbound communications from unknown sources. An essential component of the firewall security fabric, NAT hides private IP addresses on the LAN, preventing LAN hosts from being addressed directly from the outside.
The SIP aware firewall provides a long-term solution for safe enterprise NAT-traversal.
SIP Application Level Gateway (ALG) and VoIP Gateway’s Proxy Architecture
Most SIP aware firewalls use a SIP Application Level Gateway (ALG) architecture. Suitable for most basic call scenarios, the ALG's ability to handle enterprise SIP communications in real time is constrained by firewall-traversal problems. In addition, the limits on the ALG's overall security protection can be compounded by packet loss, jitter, or similar transmission obstacles that prevent calls from going through or reaching the right destination. Thus, enterprise communication strategies may not be adequately served by the standard ALG-based SIP aware firewall.
In contrast, a proxy-based SIP aware firewall provides a more comprehensive solution to the NAT-traversal issues presented by the enterprise firewall. The proxy briefly holds each signaling packet, inspects it individually, rewrites its header information, and only then delivers it to the designated endpoint. The result is flexible, controlled deployment of SIP-based enterprise communications, and the SIP proxy can offer benefits not available with the ALG architecture.
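To make the proxy's inspect-and-rewrite step concrete, an added example that is not from the original article or any product it describes: a minimal Python routine that applies the standard RFC 3581 received/rport annotation to the top Via header and rewrites a private Contact address to the public address and port the request actually arrived from, so responses and in-dialog requests can return through the NAT binding. The sample INVITE, addresses and port are constructed.

```python
import ipaddress
import re

# Constructed sample: an INVITE from a phone behind NAT. Via and Contact carry its
# private LAN address, but the proxy saw the datagram arrive from the NAT's public side.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)
VIA_RE = re.compile(r"^(SIP/2\.0/\w+)\s+([^;:\s]+)(?::(\d+))?(.*)$")
CONTACT_RE = re.compile(r"<sip:([^@>]*@)?([^:;>]+)(?::(\d+))?([^>]*)>")

def _is_private(host):
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # hostnames and bracketed IPv6 literals are left alone

def fix_nat_headers(raw, src_ip, src_port):
    """Return (rewritten request, list of headers changed) for a request received from src_ip:src_port."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    changes, via_done = [], False
    for i, line in enumerate(lines[1:], start=1):  # lines[0] is the request line
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "via" and not via_done:
            via_done = True  # only the top Via (the hop we received from) is ours to annotate
            m = VIA_RE.match(value)
            if m and (m.group(2) != src_ip or int(m.group(3) or 5060) != src_port):
                host, port, params = m.group(2), m.group(3) or "5060", m.group(4)
                # RFC 3581: record the real source so responses return through the NAT binding
                params, n = re.subn(r";rport(?:=\d+)?(?=;|$)", f";rport={src_port}", params, count=1)
                params += (";rport=%d" % src_port if n == 0 else "") + f";received={src_ip}"
                lines[i] = f"Via: {m.group(1)} {host}:{port}{params}"
                changes.append("via")
        elif key == "contact":
            m = CONTACT_RE.search(value)
            if m and _is_private(m.group(2)):
                # Point Contact at the public binding so in-dialog requests (ACK, BYE) reach the phone
                public = f"<sip:{m.group(1) or ''}{src_ip}:{src_port}{m.group(4)}>"
                lines[i] = "Contact: " + value[:m.start()] + public + value[m.end():]
                changes.append("contact")
    return "\r\n".join(lines) + sep + body, changes
```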
Modern VoIP gateways may also have features such as application steering, real-time failover and broadband bonding, whereby two or more WAN links are orchestrated to optimize the MOS (Mean Opinion Score) of calls as well as call capacity.
Implementing SIP aware firewall technology is recommended for VoIP network administrators seeking an added level of security and performance for their network. In all cases, SIP aware routers provide considerable help with firewall capacity, connectivity, dependability, and performance-quality issues, so a more comprehensive strategy that brings modern VoIP gateways into the design is recommended.
Cahit Akin, CEO, Mushroom Networks, Inc.
Mushroom Networks is the provider of the VOIP Armor device, which enables self-healing WAN networks for VoIP/SIP traffic by routing around network problems such as latency, jitter and packet loss.