10 Key Things Your VoIP Firewall Should Do: When voice joins applications and data on your network

Table of Contents
Making the Move to VoIP (p. 3)
10 Key Things
1 Security is More Than Physical (p. 4)
2 Priority Means Clarity (p. 5)
3 Managing the Bandwidth Pipe (p. 6)
4 The Bandwidth Guarantee (p. 7)
5 Keep Connections Clean (p. 8)
6 Connect, Protect, Disconnect (p. 9)
7 The Signature Wall (p. 10)
8 Partial Protection is Not Protection (p. 11)
9 Know What's Going On (p. 12)
10 The Add, Move and Remove Blues (p. 13)
Oh No, Not Another Gateway Appliance (p. 14)
A Real VoIP Firewall (p. 15)
Learn More (p. 16)

Making the Move to VoIP

The expanding adoption of digital telephony and teleconferencing in today's business has brought Voice over Internet Protocol (VoIP) technology to the IT mainstream. Moving to VoIP means that you will add voice, and perhaps fax, voice mail and even video traffic, to a network which is already busy with applications and data. Whether you are a small business installing your first phone system or a larger organization replacing an existing PBX system, VoIP will change the way you manage and protect your network. Let's take a deeper look at some of the changes you can expect.

1st Key Thing: Security is More Than Physical

The Good Old Days
With a PSTN (public switched telephone network) connection, physical access to the PBX (private branch exchange) or the telephone line itself is required to intercept or disrupt a call.

More Places to Clip
VoIP typically uses the public Internet, which does not provide the same physical wire security as telephone lines. In addition, interception and disruption no longer need to be physical to cause damage, with attacks coming from anywhere on the network.

Introducing the VoIP Firewall
VoIP firewalls understand how to provide proper access, control the VoIP traffic which passes through and protect that traffic by removing threats. A VoIP firewall provides the same level of scrutiny for VoIP traffic as it does for applications and data.

2nd Key Thing: Priority Means Clarity

Mixing it Up
VoIP converts voice to digital data and sends it over the network in packets. For example, a phone conversation will be divided up into thousands of packets that can take different routes to their eventual destination: your VoIP firewall.

[Figure: numbered VoIP packets (41 to 47) arriving at the firewall interleaved with data packets (12 to 19)]

Quality of Service
VoIP traffic is susceptible to Quality of Service concerns such as latency, jitter, packet loss and echo. A VoIP firewall tags VoIP traffic and recognizes the tags carried by VoIP traffic. This allows the firewall to give VoIP the highest priority when receiving, inspecting, assembling and accepting content.

3rd Key Thing: Managing the Bandwidth Pipe

Managing Data and Applications
VoIP traffic will only make up part of all of your network traffic, so it may not be enough to simply give priority to VoIP traffic to prevent issues. You have to manage the bandwidth of all of the traffic: data, applications and voice.

[Figure: streaming video bandwidth desired compared with streaming video bandwidth provided]

Restricting Bandwidth
You can block or manage the bandwidth allocated to non-VoIP applications and data, for example by restricting the bandwidth given to a streaming video site such as YouTube or by blocking access to peer-to-peer sites. This frees up bandwidth for other uses such as VoIP.

4th Key Thing: The Bandwidth Guarantee

Managing VoIP Traffic
Another strategy is to give VoIP traffic a guaranteed minimum amount of the overall bandwidth available. The remaining bandwidth can be assigned to other applications or left unassigned at your discretion.

[Figure: the bandwidth pipe divided between VoIP, an Account App and a Sales App]

Choosing Between Management and Guarantees
- Try bandwidth management if you have a good sense of how, and by whom, your bandwidth is used. See the 9th Key Thing for how you can see bandwidth usage trends over time.
- Try a bandwidth guarantee if you don't have a good idea of how your bandwidth is being used and who's using it.

5th Key Thing: Keep Connections Clean

Protection Starts at the Connection
OK, so now your firewall is ready for VoIP traffic, right? Not yet: you need to consider Denial of Service (DoS) attacks aimed at disrupting the ability of the firewall to receive and process VoIP packets in a timely fashion.

Spoofing Attacks
Malformed and invalid packets, which masquerade as VoIP traffic, are directed at the firewall to gum up the processing of all VoIP traffic.

Service Level Attacks
DoS attacks such as SYN Flood, Ping of Death and LAND (IP) attacks attempt to use up firewall connections, directly affecting VoIP traffic throughput.

A VoIP Firewall Does Which of the Following to Protect Against DoS Attacks?
a. Validate packet sequence for VoIP packets
b. Use randomized TCP sequence numbers to validate TCP session data flow
c. Conduct stateful inspection of VoIP signaling and media packets
d. Monitor attempts to open too many TCP/IP connections
e. All of the above

6th Key Thing: Connect, Protect, Disconnect

End-to-End Protection
Each VoIP session, from call inception to call end, is tracked by the VoIP firewall. This enables the firewall to control, manage and protect each session based on the unique characteristics of that call.

Connect
- Control incoming calls using H.323 or SIP proxy authorization and authentication methods
- Open media ports only if a valid request is received and the call is fully connected

Protect
- Validate headers and inspect all traffic
- Dynamically set up and track both signaling and media streams

Disconnect
- Close ALL open connections when the call is complete
- Make inactivity time-outs configurable by the admin, and enforce them
- Change ports for each call; don't use static mappings
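The connect, protect, disconnect rules above, together with the header validation against malformed packets from the 5th Key Thing, can be seen working in a small stateful tracker. This Python example is added here and is not SonicWALL's code or a description of its firewall internals; it assumes SIP with a single audio line in the SDP body, and the messages built by make_msg are constructed samples using placeholder addresses.

```python
import re

SDP_CONN = re.compile(r"^c=IN IP4 (\S+)", re.M)          # media IP from the SDP body
SDP_AUDIO = re.compile(r"^m=audio (\d+) RTP/AVP", re.M)  # RTP port from the SDP body
REQUIRED = ("via", "from", "to", "call-id", "cseq")      # headers every SIP message must carry

def parse_sip(msg):
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    hdrs = {n.strip().lower(): v.strip() for n, _, v in (ln.partition(":") for ln in lines[1:])}
    ip, port = SDP_CONN.search(body), SDP_AUDIO.search(body)
    return lines[0], hdrs, (ip.group(1), int(port.group(1))) if ip and port else None

class SipPinholeTracker:
    # One entry per Call-ID; RTP pinholes exist only between ACK and BYE (or time-out).
    def __init__(self, idle_timeout=30.0):
        self.idle_timeout, self.calls, self.pinholes = idle_timeout, {}, set()

    def process(self, msg, now):
        start, hdrs, endpoint = parse_sip(msg)
        if any(h not in hdrs for h in REQUIRED):
            return "dropped"                      # header validation failed: never tracked
        cid = hdrs["call-id"]
        call = self.calls.setdefault(cid, {"state": "new", "media": set(), "last": now})
        call["last"] = now                        # any message on the call resets idleness
        if endpoint:
            call["media"].add(endpoint)           # SDP offer (INVITE) or answer (200 OK)
        if start.startswith("INVITE "):
            call["state"] = "ringing"
        elif start.startswith("SIP/2.0 200 ") and call["state"] == "ringing":
            call["state"] = "answered"
        elif start.startswith("ACK ") and call["state"] == "answered":
            call["state"] = "connected"
            self.pinholes |= call["media"]        # media ports are opened only now
        elif start.startswith("BYE "):
            self._close(cid)
        return self.calls[cid]["state"] if cid in self.calls else "closed"

    def _close(self, cid):
        self.pinholes -= self.calls.pop(cid)["media"]   # close ALL ports of that call

    def expire(self, now):                        # enforce the inactivity time-out
        for cid in [c for c, v in self.calls.items() if now - v["last"] > self.idle_timeout]:
            self._close(cid)

    def allow_rtp(self, ip, port):
        return (ip, port) in self.pinholes

def make_msg(start_line, call_id, cseq, sdp_ip=None, sdp_port=None):
    """Constructed sample SIP message (not captured traffic) for exercising the tracker."""
    body = f"v=0\r\nc=IN IP4 {sdp_ip}\r\nm=audio {sdp_port} RTP/AVP 0\r\n" if sdp_ip else ""
    return (f"{start_line}\r\nVia: SIP/2.0/UDP 192.168.5.209:5060\r\nFrom: <sip:x213@pbx.invalid>"
            f"\r\nTo: <sip:x502@pbx.invalid>\r\nCall-ID: {call_id}\r\nCSeq: {cseq}\r\n\r\n{body}")
```

Feed the INVITE, 200 OK, ACK and BYE of a call through process() and allow_rtp() returns True only while the call is connected; a call that goes silent is torn down by expire().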

7th Key Thing: The Signature Wall

IPS Signature Updates
IPS signatures are used to block application-layer attacks. Regular updates to the IPS signature list enable a VoIP firewall to block these attacks and stay ahead of attempts to exploit the latest vulnerability.

[Figure: an IPS signature list receiving signature updates; the VoIP signatures shown include SIP CSeq BO Attempt, SIP Invalid Response Code, Invalid RTP Payload Type, T.38 Buffer Overflow Exploit, sipxtapi Remote Buffer Overflow and Cisco IP Phone SIP INVITE Message DoS]

8th Key Thing: Partial Protection is Not Protection

VoIP Firewall Requirements
There was a time when the requirement for a VoIP firewall was to stay out of the way. Unfortunately, network attacks have found vulnerabilities to exploit, especially in systems that provide only a subset of the protection needed. VoIP-related vulnerabilities and attacks are just as varied as those against other types of traffic and demand the same protection services.

A sampling of H.323 and SIP vulnerabilities (source: www.kb.cert.org):
- VU#438176 Cisco IOS fails to properly handle SIP packets
- VU#430969 Cisco Firewall Services Module vulnerable to DoS via inspection of malformed packets
- VU#969969 Apple Macintosh OS X Video Conference SIP heap buffer overflow
- VU#621566 Linksys RT31P2 router denial of service vulnerabilities
- VU#726548 Voice mail systems allow administrative access based on Caller ID
- VU#353956 Microsoft Windows H.323 implementation fails to handle malformed requests

[Figure: the protection services a VoIP firewall applies to VoIP traffic: Quality of Service, Bandwidth Management, Bandwidth Guarantee, IDS/IPS, Anti-Virus, Anti-Malware, Content Filtering]

9th Key Thing: Know What's Going On

Looking at the Past, Present and Future of VoIP Traffic
A VoIP firewall will provide visibility into all network traffic: voice, data and applications. This includes logging VoIP signaling and media streams.

The Past
For each connection, audit logs keep caller and called parties, call duration, total bandwidth used and more.

The Present
Dynamic live reporting of active calls includes caller and called party, bandwidth used and more, for example:

Status  Call Status  Caller IP      Caller ID         Called IP      Called ID       Protocol  Bandwidth  Time Started
                     192.168.5.209  Mary Smith X213   192.168.2.11   Tom Jones X502  H.323     6.1 Mb     11:21:52AM PST
                     192.168.3.103  Phil Adkins X219  192.168.4.68   Jessie Wu X322  H.323     5.0 Mb     11:20:15AM PST
                     192.168.3.221  Tanya Faldo X102  192.168.4.133  Tony Ko X122    H.323     2.8 Mb     11:18:35AM PST

The Future
OK, maybe not the future, but you get clear and concise reports which allow you to predict the future by examining trends over hours, days, weeks or months.

[Chart: Bandwidth Usage by month, JAN to DEC, plotting TOTAL traffic against VOIP traffic]

10th Key Thing: The Add, Move and Remove Blues

Plug-and-Protect
Adding VoIP devices to your network doesn't have to mean more work every time something changes. Advanced tracking and monitoring technology in a VoIP firewall ensures that such devices are automatically protected as soon as they are plugged into the network.

Adding
After plugging in a new phone, to add the device to an existing firewall and ensure it is protected, follow these steps:
Adding a Phone to your VoIP Firewall. Step 1: You are done!

Moving
After moving a phone from one location to another, to ensure the phone continues to be protected, follow these steps:
Moving a Phone on your VoIP Firewall. Step 1: You are done!

Removal
After removing an existing phone from the network, to ensure the VoIP firewall is updated, follow these steps:
Removing a Phone from your VoIP Firewall. Step 1: You are done!

Oh No, Not Another Gateway Appliance

A VoIP firewall is not another appliance you add to your ever-growing collection of gateway appliances. In fact, you could have a VoIP firewall already: your existing firewall. But before you get too excited, let's see if your existing firewall can do the following; if it can't, you may have the wrong VoIP firewall.

- Support H.323 and SIP protocols
- Transport VoIP traffic over IPSec VPN connections
- Prioritize VoIP traffic and guarantee bandwidth
- Bandwidth-manage non-VoIP applications and data
- Detect and protect against Denial of Service attacks
- Automatically update IPS signatures
- Track and perform deep packet inspection of all VoIP signaling and media traffic
- Automatically detect the addition, change and removal of VoIP devices on the network
- Generate comprehensive reports and graphs on all VoIP traffic
- Do everything else you've come to expect in a business-class firewall

[Figure: "I will not add another gateway appliance." written out line after line, chalkboard style]

A Real VoIP Firewall

To get everything you need in a VoIP firewall, look no further than SonicWALL E-Class Network Security Appliance (NSA) and NSA firewalls, which provide security, control and access to networks supporting voice, video and data. They combine industry-leading performance with advanced Unified Threat Management services to protect and manage all types of network traffic: data, applications and even VoIP.

VoIP Ready
SonicWALL firewalls are VoIP ready. There is no extra memory, disk modules or special services to add; just spend a few minutes to configure the firewall for VoIP traffic and you're ready.

VoIP Protected
SonicWALL firewalls deliver advanced quality of service protection to ensure VoIP performance, and when combined with Reassembly-Free Deep Packet Inspection, automatic updates and more, ensure VoIP traffic, just like all traffic, is safe.

How Can I Learn More?
- Read more about SonicWALL's Converged Network Security Solutions
- Read more about SonicWALL's Avaya DevConnect Tested Solutions
- Opt in to receive SonicWALL newsletters

For feedback on this e-book or other SonicWALL e-books or whitepapers, please send an e-mail to feedback@sonicwall.com.

About SonicWALL
SonicWALL is a recognized leader in comprehensive information security solutions. SonicWALL solutions integrate dynamically intelligent services, software and hardware that engineer the risk, cost and complexity out of running a high-performance business network. For more information, visit the company Web site at www.sonicwall.com.

© 2009. SonicWALL, the SonicWALL logo and Protection at the Speed of Business are registered trademarks of SonicWALL, Inc. Other product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice. 10/09 SW 771