Is Your Network Ready for VoIP?

Academic year: 2021


Evaluating firewalls for VoIP access, control and security.

CONTENTS

The Network Will Never be the Same

A VoIP-Ready Firewall Criteria Checklist

Control Considerations for VoIP

Access Considerations for VoIP

Security Considerations for VoIP

SonicWALL Converged Network Security Solution

Case Study: Glentel


Abstract

To achieve expected benefits from Voice or Video over Internet Protocol (VoIP), organizations must first consider the significant implications for administrative control, end-user access and overall network security. A preliminary step in this process is determining whether the existing firewall is effectively capable of supporting and securing VoIP networking. Fortunately, for some organizations, the firewall they currently have deployed may be capable of providing the functionality required to support and manage a VoIP network. This white paper explores the capabilities required for a VoIP deployment, and demonstrates how SonicWALL® VoIP Firewall solutions provide the levels of control, access and security necessary for converged networks that support voice, video and data.

The Network Will Never be the Same

With the convergence of voice and video over IP (VoIP), traditional networks will never be the same. The growing acceptance of IP telephony means that people will increasingly place, receive, forward or reject calls based on identity, location or preference. Remote teleworkers will appear to be “plugged in” to the corporate voice and data network. Organizations will source talent from any location, as remote access capabilities enable teleworkers to operate as an integral part of the corporate network. Video and data will accompany calls as content-rich communications become more commonplace. People will use PCs and netbooks to sort and arrange responses using either data “attachments” or non-voice components directly embedded in the stored communication. Adoption of IP communications will accelerate dramatically, based on its increased effectiveness, as well as its superior cost position. VoIP provides a smaller company the ability to operate and appear as a larger company, and the scalability to expand communications across a growing organization quickly.

Before reaping these benefits, however, organizations of all sizes first need to consider significant implications for administrative control, end-user access and overall network security. A preliminary step in this process is determining whether an organization's existing firewall—or its prospective replacement—is effectively capable of providing a converged VoIP network with adequate control, access and security.

A VoIP-Ready Firewall Criteria Checklist

Fortunately, for some organizations, the currently deployed firewall may already be capable of providing the functionality required to support and manage a VoIP network. As detailed in the following sections, besides offering all the standard features of a business class firewall, a VoIP Firewall should be able to provide:

• Quality of Service (QoS)

• Application Management Firewall

• Comprehensive Security against VoIP and common security threats

• Reassembly-Free Deep Packet Inspection

• Robust Manageability

• Site-to-Site IPSec VPN


Access Considerations for VoIP

VoIP Firewalls can extend access to resources and reduce communications costs by connecting workers at distributed and remote locations via Virtual Private Network (VPN) technology. Remote access is also crucial in business continuity and disaster recovery scenarios.

Site-to-Site IPSec VPN

Organizations can extend access and reduce communications costs by connecting workers at distributed and remote locations with digital telephony devices. A VoIP Firewall can provide IPSec VPN functionality to support site-to-site VoIP traffic between distributed locations over one converged Virtual Private Network (VPN), as opposed to separate networks for each location. For example, a sales representative located in a regional branch may have the same area code and phone number prefix as one located at corporate headquarters, and be able to access four-digit dialing, call forwarding and teleconferencing between sites.

Control Considerations for VoIP

Performance is crucial for voice traffic and other streaming data. To ensure effectiveness, however, a VoIP firewall must include granular control features, without adding latency or burdensome administrative overhead.

Quality of Service (QoS)

Performance is crucial for voice traffic and other streaming data. When VoIP traffic does not receive enough bandwidth, the Quality of Service (QoS) can be degraded, resulting in choppy, echoing, or dropped calls and videoconferences. By garbling business telecommunications, degraded QoS can significantly diminish workforce productivity.

In simple terms, VoIP breaks up phone conversations into separate segments (packets) that can take different routes through network firewalls to their final destination on VoIP phones. A VoIP-ready firewall is able to identify VoIP traffic coming across the network. This allows the firewall to apply policies that give VoIP traffic the highest priority when receiving, inspecting, assembling and accepting VoIP content.

VoIP traffic makes up only part of all network traffic, so simply giving priority to VoIP traffic may not be enough to prevent issues. A VoIP firewall will also need to ensure minimum levels of available bandwidth for VoIP by managing how bandwidth is allocated to all network traffic: data, applications and voice. To ensure QoS, VoIP firewalls should be able to block or manage the bandwidth allocated to non-VoIP applications and data (e.g., limiting the bandwidth given to peer-to-peer or streaming video sites such as YouTube), or give VoIP traffic a guaranteed minimum amount of the overall bandwidth available.
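The allocation policy described above can be modelled in a few lines. This is an added example, not SonicWALL's algorithm or code from the white paper: the two-pass scheme, the proportional best-effort model, the class names and all bandwidth figures are assumptions chosen for illustration.

```python
def best_effort(link_kbps, demand):
    """No policy: a congested link is shared in proportion to offered load (simplified model)."""
    total = sum(demand.values())
    if total <= link_kbps:
        return dict(demand)
    return {name: d * link_kbps // total for name, d in demand.items()}

def allocate(link_kbps, classes, demand):
    """classes maps name -> (priority, guaranteed_kbps, cap_kbps or None).
    A lower priority number is served first when leftover bandwidth is shared."""
    if sum(floor for _, floor, _ in classes.values()) > link_kbps:
        raise ValueError("guaranteed minimums exceed link capacity")
    want = {}
    for name, (_, _, cap) in classes.items():
        d = demand.get(name, 0)
        want[name] = d if cap is None else min(d, cap)  # a cap limits what a class may ask for
    # Pass 1: each class receives its guaranteed floor (or less if it asks for less).
    alloc = {name: min(want[name], classes[name][1]) for name in classes}
    left = link_kbps - sum(alloc.values())
    # Pass 2: leftover bandwidth is handed out in priority order, up to demand or cap.
    for name in sorted(classes, key=lambda n: classes[n][0]):
        extra = min(left, want[name] - alloc[name])
        alloc[name] += extra
        left -= extra
    return alloc

# Constructed policy and offered load, all in kbit/s.
POLICY = {"voip": (0, 2000, None), "business": (1, 3000, None), "p2p": (2, 0, 1000)}
LOAD = {"voip": 1500, "business": 9000, "p2p": 8000}

if __name__ == "__main__":
    print("best effort:", best_effort(10000, LOAD))
    print("with policy:", allocate(10000, POLICY, LOAD))
```

On the constructed 10 Mbit/s link, the unmanaged case leaves voice with roughly half of what it needs, while the floor-and-cap policy serves voice in full and squeezes peer-to-peer traffic first.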

Application Management Firewalls


Easy Comprehensive Management

A VoIP firewall should provide visibility into all network traffic: voice, data and applications, including logging signaling and media streams. For each VoIP connection, audit logs, as well as dynamic live reporting, can enable IT to track call senders and recipients, call duration and total bandwidth used, and extrapolate future traffic trends over hours, days, weeks and months. Dynamic reporting assists management in data analysis, system optimization, policy definition and strategic planning. To streamline administration, a VoIP Firewall should dynamically update whenever someone deploys, relocates or removes VoIP devices (such as IP-enabled telephones). Dynamic updates enable plug-and-play deployment of VoIP phones, eliminating the need for hands-on configuration and significantly reducing the costs of administrative overhead.

Security Considerations for VoIP

VoIP-related vulnerabilities and attacks are just as varied as those affecting other types of traffic and demand the same protection services. Many of today’s VoIP call servers and gateway devices use vulnerable Windows and Linux operating systems. Recent industry advisories¹ have highlighted additional VoIP vulnerabilities in Cisco®, Apple®, and Linksys® systems.

In order to protect both VoIP and non-VoIP network resources effectively, a VoIP firewall must maintain adequate performance levels, deliver comprehensive security, and conduct Reassembly-Free Deep Packet inspection of the entire data stream.

High Performance

A VoIP firewall must be able to scan traffic comprehensively, yet not inhibit network performance or business productivity by restricting latency-sensitive applications such as voice and video. Modern firewall technologies that use multi-core processor architecture and real-time data stream inspection can greatly enhance a VoIP Firewall’s performance.

Comprehensive Security

A VoIP Firewall should provide comprehensive integrated security to prevent a wide range of sophisticated threats. Of particular threat to VoIP are attacks that aim to cripple network performance and business productivity. These include Denial of Service (DoS) attacks, such as SYN Flood, Ping of Death and LAND (IP), and VoIP SpiTing attacks, consisting of malformed and invalid packets masquerading as VoIP traffic. VoIP traffic is also inherently vulnerable to interception and eavesdropping attacks. A comprehensive security feature suite, as well as frequent and reliable updates to intrusion prevention signature (IPS) lists, can enable VoIP Firewalls to block these attacks and stay ahead of attacks trying to exploit the latest vulnerabilities.
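Two of the checks implied above can be written as stateless filters: the LAND condition (source endpoint equals destination endpoint) and a structural check that a packet claiming to be voice media parses as an RTP header under RFC 3550. This is an added example, not SonicWALL signature logic or code from the white paper; the packet dictionary layout, function names and sample bytes are constructed for illustration.

```python
import struct

def is_land(src, dst):
    """LAND: the packet's source (ip, port) equals its destination (ip, port)."""
    return src == dst

def rtp_header_problem(payload):
    """Return None if the UDP payload is structurally valid RTP (RFC 3550), else a reason."""
    if len(payload) < 12:
        return "shorter than the fixed 12-byte header"
    b0, _b1, _seq, _ts, _ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:
        return "version is not 2"
    offset = 12 + 4 * (b0 & 0x0F)          # fixed header plus CSRC list
    if len(payload) < offset:
        return "CSRC list runs past end of packet"
    if b0 & 0x10:                          # X bit: one header extension follows
        if len(payload) < offset + 4:
            return "extension header truncated"
        ext_words = struct.unpack("!H", payload[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
        if len(payload) < offset:
            return "extension runs past end of packet"
    if b0 & 0x20:                          # P bit: last octet counts padding bytes
        if len(payload) == offset:
            return "padding flag set on empty payload"
        pad = payload[-1]
        if pad == 0 or pad > len(payload) - offset:
            return "padding count exceeds payload"
    return None

def verdict(pkt):
    """pkt is a constructed dict: src/dst are (ip, port) tuples, payload is the UDP payload."""
    if is_land(pkt["src"], pkt["dst"]):
        return "drop: LAND (source equals destination)"
    problem = rtp_header_problem(pkt["payload"])
    return f"drop: malformed RTP, {problem}" if problem else "pass"

# Constructed sample: sequence 1, timestamp 160, SSRC 0x1234, 160 bytes of PCMU silence.
HDR = struct.pack("!HII", 1, 160, 0x1234)
GOOD = bytes([0x80, 0x00]) + HDR + bytes(160)

if __name__ == "__main__":
    print(verdict({"src": ("192.0.2.10", 40000), "dst": ("198.51.100.20", 49170), "payload": GOOD}))
    print(verdict({"src": ("192.0.2.10", 5060), "dst": ("192.0.2.10", 5060), "payload": GOOD}))
```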

1


Reassembly-Free Deep Packet Inspection

Malware attacks can be located anywhere in streaming data. A VoIP firewall should be able to track each VoIP session, from call inception to call end. To provide full traffic scanning without latency, this requires real-time deep packet inspection technology. Because it does not have to reassemble packets or application content, reassembly-free deep packet inspection is not memory-constrained, nor does it have to proxy traffic, resulting in greater performance. This inspection method can analyze files and content of any size in real time, and therefore is ideal for today’s real-time applications and latency-sensitive traffic. Administrators also should be able to configure and automatically enforce time-outs based on inactivity, as well as bypass static mappings and automatically change ports for each call.
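Session tracking with per-call ports and inactivity time-outs amounts to a pinhole table driven by call signaling. The sketch below is an added example, not SonicWALL's implementation: it learns media ports from the SDP body of SIP messages, closes them on BYE and expires idle calls. The class, the `sip()` helper, the 30-second default and the minimal SDP are assumptions constructed for illustration.

```python
import re

class PinholeTable:
    """Per-call media pinholes learned from SDP, closed on BYE or after inactivity."""

    def __init__(self, idle_timeout=30.0):
        self.idle_timeout = idle_timeout
        self.calls = {}  # Call-ID -> {"pinholes": {(ip, port), ...}, "last_seen": time}

    def on_sip(self, message, now):
        head, _, body = message.partition("\r\n\r\n")
        m = re.search(r"^Call-ID:\s*(\S+)", head, re.I | re.M)
        if not m:
            return
        call_id = m.group(1)
        if head.startswith("BYE "):
            self.calls.pop(call_id, None)      # call end: its pinholes close immediately
            return
        ip = re.search(r"^c=IN IP4 (\S+)", body, re.M)
        ports = re.findall(r"^m=audio (\d+) RTP/AVP", body, re.M)
        if ip and ports:                       # offer or answer carrying a media address
            call = self.calls.setdefault(call_id, {"pinholes": set(), "last_seen": now})
            call["pinholes"].update((ip.group(1), int(p)) for p in ports)
            call["last_seen"] = now

    def expire(self, now):
        idle = [c for c, v in self.calls.items() if now - v["last_seen"] > self.idle_timeout]
        for call_id in idle:
            del self.calls[call_id]

    def allow_rtp(self, dst_ip, dst_port, now):
        """Permit media only to an address and port negotiated by a live call."""
        self.expire(now)
        for call in self.calls.values():
            if (dst_ip, dst_port) in call["pinholes"]:
                call["last_seen"] = now        # matching media keeps the call alive
                return True
        return False

def sip(start_line, call_id, ip=None, port=None):
    """Build a constructed, minimal SIP message (real ones carry many more headers)."""
    sdp = f"v=0\r\nc=IN IP4 {ip}\r\nm=audio {port} RTP/AVP 0\r\n" if ip else ""
    return f"{start_line}\r\nCall-ID: {call_id}\r\n\r\n{sdp}"

if __name__ == "__main__":
    table = PinholeTable()
    table.on_sip(sip("INVITE sip:bob@example.com SIP/2.0", "c1", "192.0.2.10", 49170), now=0)
    print(table.allow_rtp("192.0.2.10", 49170, now=1), table.allow_rtp("192.0.2.10", 49172, now=1))
```

Because the media port is taken from each call's own signaling, no static port range has to stay open between calls.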

SonicWALL Converged Network Security Solutions

SonicWALL VoIP Firewall solutions provide the control, access and security necessary for networks that support voice, video and data. SonicWALL offers unparalleled levels of security for the VoIP infrastructure, standards-based VoIP compatibility, and interoperability with many of the world’s leading VoIP gateway and communications devices. All SonicWALL E-Class Network Security Appliances (NSA) and NSA firewalls feature the same comprehensive level of VoIP security. These SonicWALL VoIP Firewall solutions can seamlessly combine SonicWALL Network Security Appliances and Secure Remote Access solutions with third-party VoIP telephony solutions (such as Avaya) offering the highest-performance, multifunction solutions for VoIP control, access and security.

SonicWALL Solutions for VoIP Network Control

SonicWALL VoIP Firewalls ensure QoS with built-in bandwidth optimization, featuring support for VoIP-ready H.323 and SIP, as well as full VoIP over Wireless LAN (WLAN).

SonicWALL Application Management Firewall enables data leakage prevention, custom signature creation, and control over Web 2.0 applications such as social networking sites. For instance, an administrator could prioritize bandwidth for VoIP, multimedia services, and business-critical applications, while restricting bandwidth for instant messaging and peer-to-peer file sharing. Featuring highly granular bandwidth control and integrated quality of service, SonicWALL Application Management Firewall consolidates bandwidth management and application-specific security into one easily managed solution.

SonicWALL's management and reporting solutions, including award-winning SonicWALL Global Management System (GMS) and SonicWALL ViewPoint™ reporting tool, provide a comprehensive architecture for centrally creating and managing security policies across multiple SonicWALL VoIP Firewalls, delivering real-time monitoring and alerts, as well as intuitive compliance and usage reports, all from a single management interface.

SonicWALL Solutions for VoIP Network Access

Offering integrated IPSec and SSL VPN technologies on select models, SonicWALL VoIP firewalls deliver access to VoIP business resources (such as voicemail and teleconferencing) for employees, distributed office sites, partners and contractors from anywhere.


SonicWALL Solutions for VoIP Network Performance

SonicWALL VoIP Firewalls deliver breakthrough performance with SonicWALL’s high-speed Reassembly-Free Deep Packet Inspection™ (RFDPI) (U.S. Patent 7,310,815D-A), which delivers critical protection as well as industry-leading performance by evaluating streaming VoIP data in real time, and leveraging up to 16 multi-core processors.

The SonicWALL and Comprehensive Gateway Security Suite (CGSS) include an expanding array of seamlessly integrated Unified Threat Management (UTM) services for gateway anti-virus, anti-spyware, intrusion prevention, Application Management Firewall, content filtering and more. SonicWALL has extended its IPS signature database with VoIP-specific signatures designed to prevent malicious traffic from reaching protected VoIP phones and servers. In addition, SonicWALL’s Comprehensive Anti-Spam Service delivers advanced spam protection at the network gateway to eliminate spam, phishing and other productivity threats.

Case Study: Glentel

Glentel (TSX: GLN) is a leading provider of innovative and reliable telecommunications services and solutions in Canada and the United States. While Glentel has more than quadrupled the number of locations and revenue, its IT staff has grown at only half that rate. Therefore, when Glentel decided to update its 20-year-old internal PBX system at its corporate offices to VoIP PBX, the company required centralized control of all voice and data traffic and security, as well as minimal deployment costs and complexity. The conversion to VoIP also presented Glentel with a new IT priority: voice security. Because VoIP uses IP as its conduit, it is vulnerable to the same sorts of attacks as other Internet traffic, including viruses, Trojans, eavesdropping and denial-of-service attacks. Glentel needed a way to protect its VoIP traffic as thoroughly and rigorously as it protected the rest of its network data.

To minimize costs and enhance the return on its investment in technology, Glentel chose to build its VoIP solution upon its existing infrastructure, which included SonicWALL network security appliances with built-in VoIP capabilities. This provided Glentel with real-time deep packet inspection combined with dynamically updated gateway anti-virus, anti-spyware, intrusion prevention, Application Management Firewall, enforced desktop anti-virus, and Web content filtering. The complete VoIP solution integrated SonicWALL VoIP firewalls with HP ProCurve® switches, Mitel® phones, and Microsoft® Office Communication Server (OCS). SonicWALL is interoperable with all leading VoIP vendors, and plug-and-protect support automatically accommodates any added or removed VoIP device.

Glentel configured the SonicWALL network security appliance to segment off separate VLANs for voice and data. Today, the IT group operates out of two offices, but appears as a singular entity via one telephone number. The combined solution allows the seamless transfer and escalation of calls and issues within the IT department.


Conclusion

The traditional role of the firewall in a VoIP network is undergoing a radical evolution. The role of the firewall has evolved from ‘behaving nicely’ in a VoIP environment to fully enabling and protecting the entire VoIP infrastructure with granular administrative controls, broader end-user access and more comprehensive network security.

Organizations may find their currently deployed firewall is already capable of providing the functionality required to support and manage a VoIP network. SonicWALL VoIP Converged Network Security Solutions deliver unparalleled levels of security, ensured QoS, greater ease-of-management, and secure remote access for the VoIP network.
