This section provides an overview of VoIP. It contains the following sections:
The remainder of the chapter describes how to configure and use ADTRAN VoIP:
Voice over IP (VoIP) is an umbrella term for a set of technologies that allow voice traffic to be
carried over Internet Protocol (IP) networks. VoIP transfers the voice streams of audio calls into data packets as opposed to traditional, analog circuit-switched voice communications used by the public switched telephone network (PSTN).
VoIP is the major driving force behind the convergence of networking and telecommunications
by combining voice telephony and data into a single integrated IP network system. VoIP is all about saving cost for companies through eliminating costly redundant infrastructures and telecommunication usage charges while also delivering enhanced management features and calling services features.
Companies implementing VoIP technologies in an effort to cut communication costs and extend
corporate voice services to a distributed workforce face security risks associated with the convergence of voice and data networks. VoIP security and network integrity are an essential part of any VoIP deployment.
The same security threats that plague data networks today are inherited by VoIP but the
addition of VoIP as an application on the network makes those threats even more dangerous. By adding VoIP components to your network, you’re also adding new security requirements.
VoIP encompasses a number of complex standards that leave the door open for bugs and
vulnerabilities within the software implementation. The same types of bugs and vulnerabilities that hamper every operating system and application available today also apply to VoIP equipment. Many of today's VoIP call servers and gateway devices are built on vulnerable Windows and Linux operating systems.
VoIP is more complicated than standard TCP/UDP-based applications. Because of the
complexities of VoIP signaling and protocols, as well as inconsistencies that are introduced when a firewall modifies source address and source port information with Network Address Translation (NAT), it is difficult for VoIP to effectively traverse a standard firewall. Here are a few of the reasons why.
|
|
•
|
VoIP operates using two separate protocols
- A signaling protocol (between the client and VoIP Server) and a media protocol (between the clients). Port/IP address pairs used by the media protocols (RTP/RTCP) for each session are negotiated dynamically by the signaling protocols. Firewalls need to dynamically track and maintain this information, securely opening selected ports for the sessions and closing them at the appropriate time.
|
|
|
•
|
Source and destination IP addresses are embedded within the VoIP signaling packets
- A firewall supporting NAT translates IP addresses and ports at the IP header level for packets. Fully symmetric NAT firewalls adjust their NAT bindings frequently, and may arbitrarily close the pinholes that allow inbound packets to pass into the network they protect, eliminating the service provider's ability to send inbound calls to the customer. To effectively support VoIP it is necessary for a NAT firewall to perform deep packet inspection and transformation of embedded IP addresses and port information as the packets traverse the firewall.
|
To overcome many of the hurdles introduced by the complexities of VoIP and NAT, vendors are
offering Session Border Controllers (SBCs). An SBC sits on the Internet side of a firewall and attempts to control the border of a VoIP network by terminating and re-originating all VoIP media and signalling traffic. In essence, SBCs act as a proxy for VoIP traffic for non-VoIP enabled firewalls. firewalls are VoIP enabled firewalls that eliminate the need for an SBC on your network.
VoIP technologies are built on two primary protocols, H.323 and SIP.
H.323 is a standard developed by the International Telecommunications Union (ITU). It is a
comprehensive suite of protocols for voice, video, and data communications between computers, terminals, network devices, and network services. H.323 is designed to enable users to make point-to-point multimedia phone calls over connectionless packet-switching networks such as private IP networks and the Internet. H.323 is widely supported by manufacturers of video conferencing equipment, VoIP equipment and Internet telephony software and devices.
H.323 uses a combination of TCP and UDP for signaling and ASN.1 for message encoding.
H.323v1 was released in 1996 and H.323v5 was released in 2003. As the older standard, H.323 was embraced by many early VoIP players.
An H.323 network consists of four different types of entities:
|
|
•
|
Terminals
- Client end points for multimedia communications. An example would be an H.323 enabled Internet phone or PC.
|
|
|
•
|
Gatekeepers
- Performs services for call setup and tear down, and registering H.323 terminals for communications. Includes:
|
|
|
•
|
Gateways
- Interoperation between H.323 networks and other communications services, such as the circuit-switched Packet Switched Telephone Network (PSTN).
|
The Session Initiation Protocol (SIP) standard was developed by the Internet Engineering Task
Force (IETF). RFC 2543 was released in March 1999. RFC 3261 was released in June 2002. SIP is a signaling protocol for initiating, managing and terminating sessions. SIP supports ‘presence’ and mobility and can run over User Datagram Protocol (UDP) and Transmission Control Protocol (TCP).
Using SIP, a VoIP client can initiate and terminate call sessions, invite members into a
conferencing session, and perform other telephony tasks. SIP also enables Private Branch Exchanges (PBXs), VoIP gateways, and other communications devices to communicate in standardized collaboration. SIP was also designed to avoid the heavy overhead of H.323.
A SIP network is composed of the following logical entities:
|
|
•
|
Proxy Server
- Acts on behalf of UA in forwarding or responding to requests. A Proxy Server can fork requests to multiple servers. A back-to-back user agent (B2BUA) is a type of Proxy Server that treats each leg of a call passing through it as two distinct SIP call sessions: one between it and the calling phone and the other between it and the called phone. Other Proxy Servers treat all legs of the same call as a single SIP call session.
|
The following sections describe ADTRAN’s integrated VoIP service:
|
|
•
|
Traffic legitimacy
- Stateful inspection of every VoIP signaling and media packet traversing the firewall ensures all traffic is legitimate. Packets that exploit implementation flaws, causing effects such as buffer overflows in the target device, are the weapons of choice for many attackers. firewalls detect and discard malformed and invalid packets before they reach their intended target.
|
|
|
•
|
Application-layer protection for VoIP protocols
- Full protection from application-level VoIP exploits through ADTRAN Intrusion Prevention Service (IPS). IPS integrates a configurable, high performance scanning engine with a dynamically updated and provisioned database of attack and vulnerability signatures to protect networks against sophisticated Trojans and polymorphic threats. ADTRAN extends its IPS signature database with a family of VoIP-specific signatures designed to prevent malicious traffic from reaching protected VoIP phones and servers.
|
|
|
•
|
DoS and DDoS attack protection
- Prevention of DoS and DDoS attacks, such as the SYN Flood, Ping of Death, and LAND (IP) attack, which are designed to disable a network or service.
|
|
|
•
|
Stateful monitoring
- Stateful monitoring ensures that packets, even though appearing valid in themselves, are appropriate for the current state of their associated VoIP connection.
|
|
|
•
|
Encrypted VoIP Device Support
- ADTRAN supports VoIP devices capable of using encryption to protect the media exchange within a VoIP conversation or secure VoIP devices that do not support encrypted media using IPsec VPNs to protect VoIP calls.
|
|
|
•
|
Application-Layer Protection -
ADTRAN delivers full protection from application-level VoIP exploits through ADTRAN Intrusion Prevention Service (IPS). ADTRAN IPS is built on a configurable, high performance Deep Packet Inspection engine that provides extended protection of key network services including VoIP, Windows services, and DNS. The extensible signature language used in ADTRAN’s Deep Packet Inspection engine also provides proactive defense against newly discovered application and protocol vulnerabilities. Signature granularity allows ADTRAN IPS to detect and prevent attacks based on a global, attack group, or per-signature basis to provide maximum flexibility and control false positives.
|
|
|
•
|
VoIP over Wireless LAN (WLAN)
- ADTRAN extends complete VoIP security to attached wireless networks with its Distributed Wireless Solution. All of the security features provided to VoIP devices attached to a wired network behind a ADTRAN are also provided to VoIP devices using a wireless network.
|
|
|
•
|
Bandwidth Management
(BWM)
and Quality-of-Service (QoS)
- Bandwidth management (both ingress and egress) can be used to ensure that bandwidth remains available for time-sensitive VoIP traffic. BWM is integrated into ADTRAN Quality of Service (QoS) features to provide predictability that is vital for certain types of applications.
|
|
|
•
|
WAN redundancy and load balancing
- WAN redundancy and load balancing allows for an interface to act as a secondary or backup WAN port. This secondary WAN port can be used in a simple active/passive setup, where traffic is only routed through it if the primary WAN port is down or unavailable. Load balancing can be performed by splitting the routing of traffic based on destination.
|
|
|
•
|
High availability
- High availability is provided by SonicOS high availability, which ensures reliable, continuous connectivity in the event of a system failure.
|
|
|
•
|
Plug-and-protect support for VoIP devices
- With SonicOS, VoIP device adds, changes, and removals are handled automatically, ensuring that no VoIP device is left unprotected. Using advanced monitoring and tracking technology, a VoIP device is automatically protected as soon as it is plugged into the network behind a firewall.
|
|
|
•
|
Full syntax validation of all VoIP signaling packets
- Received signaling packets are fully parsed within SonicOS to ensure they comply with the syntax defined within their associated standard. By performing syntax validation, the firewall can ensure that malformed packets are not permitted to pass through and adversely affect their intended target.
|
|
|
•
|
Support for dynamic setup and tracking of media streams
- SonicOS tracks each VoIP call from the first signaling packet requesting a call setup, to the point where the call ends. Only based on the successful call progress are additional ports opened (for additional signaling and media exchange) between the calling and called party.
|
Media ports that are negotiated as part of the call setup are dynamically assigned by the
firewall. Subsequent calls, even between the same parties, will use different ports, thwarting an attacker who may be monitoring specific ports. Required media ports are only opened when the call is fully connected, and are shut down upon call termination. Traffic that tries to use the ports outside of the call is dropped, providing added protection to the VoIP devices behind the firewall.
|
|
•
|
Validation of headers for all media packets
- SonicOS examines and monitors the headers within media packets to allow detection and discarding of out-of-sequence and retransmitted packets (beyond window). Also, by ensuring that a valid header exists, invalid media packets are detected and discarded. By tracking the media streams as well as the signaling, ADTRAN provides protection for the entire VoIP session.
|
|
|
•
|
Configurable inactivity timeouts for signaling and media
- In order to ensure that dropped VoIP connections do not stay open indefinitely, SonicOS monitors the usage of signaling and media streams associated with a VoIP session. Streams that are idle for more than the configured timeout are shut down to prevent potential security holes.
|
|
|
•
|
SonicOS allows the administrator to control incoming calls
- By requiring that all incoming calls are authorized and authenticated by the H.323 Gatekeeper or SIP Proxy, SonicOS can block unauthorized and spam calls. This allows the administrator to be sure that the VoIP network is being used only for those calls authorized by the company.
|
|
|
–
|
Detailed syslog reports and ViewPoint reports for VoIP signaling and media streams.
ADTRAN ViewPoint is a Web-based graphical reporting tool that provides detailed and comprehensive reports of your security and network activities based on syslog data streams received from the firewall. Reports can be generated about virtually any aspect of firewall activity, including individual user or group usage patterns and events on specific firewalls or groups of firewalls, types and times of attacks, resource consumption and constraints, etc.
|
firewalls support transformations for the following protocols.
SonicOS provides the following support for H.323:
SonicOS provides the following support for SIP:
The following is a partial list of devices from leading manufacturers with which ADTRAN VoIP
interoperates.
SonicOS supports media streams from any CODEC
- Media streams carry audio and video signals that have been processed by a hardware/software CODEC (COder/DECoder) within the VoIP device. CODECs use coding and compression techniques to reduce the amount of data required to represent audio/video signals. Some examples of CODECs are:
firewalls do not currently support deep packet inspection for the following protocols; therefore,
these protocols should only be used in non-NAT environments.
SonicOS provides an efficient and secure solution for all VoIP call scenarios. The following are
examples of how SonicOS handles VoIP call flows.
The following figure shows the sequence of events that occurs during an incoming call.
The following describes the sequence of events shown in the figure above:
|
7.
|
Phone B registers with VoIP server -
The firewall builds a database of the accessible IP phones behind it by monitoring the outgoing VoIP registration requests. SonicOS translates between phone B’s private IP address and the firewall’s public IP address used in registration messages. The VoIP server is unaware that phone B is behind a firewall and has a private IP address—it associates phone B with the firewall’s public IP address.
|
|
8.
|
Phone A initiates a call to phone B -
Phone A initiates a call to phone B using a phone number or alias. When sending this information to the VoIP server, it also provides details about the media types and formats it can support as well as the corresponding IP addresses and ports.
|
|
10.
|
Phone B rings and is answered
- When phone B is answered, it returns information to the VoIP server for the media types and formats it supports as well as the corresponding IP addresses and ports. SonicOS translates this private IP information to use the firewall’s public IP address for messages to the VoIP server.
|
The following figure shows the sequence of events that occurs during a local VoIP call.
The following describes the sequence of events shown in the figure above:
|
1.
|
Phones A and B register with VoIP server
- The firewall builds a database of the accessible IP phones behind it by monitoring the outgoing VoIP registration requests. SonicOS translates between the phones’ private IP addresses and the firewall’s public IP address. The VoIP server is unaware that the phones are behind a firewall. It associates the same IP address for both phones, but different port numbers.
|
|
4.
|
Phone B rings and is answered
- When phone B is answered, the firewall translate its private IP information to use the firewall’s public IP address for messages to the VoIP server.
|
|
6.
|
Phone A and phone B directly exchange audio/video/data -
The firewall routes traffic directly between the two phones over the LAN. Directly connecting the two phones reduces the bandwidth requirements for transmitting data to the VoIP server and eliminates the need for the firewall to perform address translation.
|
For information on setting up VOIP, see
Configuring ADTRAN VoIP Features
.