Secure Voice over IP (VoIP) Networks




How to deploy a robust, secure VoIP solution that counters both external and internal threats and, at the same time, provides top quality of service.

This White Paper:
- Discusses the key security challenges to consider when deploying VoIP solutions
- Describes Lucent's VPN Firewall Portfolio and how it can meet the security requirements of today's and tomorrow's VoIP networks and applications

Contents
- Executive Summary
- Key Challenges in Securing a VoIP Network
- Meeting the Challenge
- Solution: Lucent VPN Firewall Portfolio
- Lucent VPN Firewall Portfolio
- Lucent Operating System
- Lucent Security Management Server
- VPN Firewall Brick Portfolio
- Bandwidth Management
- Lucent VPN Firewall Brick High Availability/Failover
- Lucent IPsec Client
- Complete Solution for Total VoIP Security

Executive Summary

Creating high levels of security is essential to fully leverage VoIP technology and the many advantages it offers over traditional wireline solutions. Lucent's VPN Firewall Portfolio provides a complete solution to cope with the evolving threats that can slow down the deployment and use of VoIP applications. The portfolio combines the Lucent Security Management Server, Lucent VPN Firewall Brick appliances, and Lucent IPsec Client, along with third-party applications, to ensure a robust, highly secure VoIP deployment. Lucent solutions, developed by Lucent's R&D arm, Bell Labs, offer blended communications that enable simple, seamless, secure networks that help drive your business forward.

Lucent's unique security solution for your VoIP network provides:
- VoIP application layer filtering where you need it on your network
- Bandwidth control call by call to maintain voice quality on busy networks
- Failover capabilities that guarantee no voice or data session will be lost in case of network failure

Key Challenges in Securing a VoIP Network

VoIP is moving into the mainstream. According to Infonetics Research [1], the IP telephony market will grow at a healthy 21 percent CAGR between now and 2008. Organizations have the opportunity to take advantage of low-cost, feature-rich VoIP solutions that can augment or even replace traditional wireline implementations.

However, there are some stumbling blocks, and security is at the top of the list. Packet-based communications are particularly vulnerable to subversive attacks and illegal usage. Current technology serving data networks makes it easier to probe voice information on a packet network than to physically tap into a circuit-switched network. Malefactors can conduct voice tapping by sniffing packets and, by manipulating packets, obtain fraudulent service subscriptions that can be used without payment or charged to another actual customer. IP networks are also susceptible to identity theft, spoofing, loss of sensitive data, denial of service attacks, and eavesdropping. Hackers launch virus and worm attacks, and malefactors manipulate the networks to conduct internal espionage. IP PBXs can be hijacked, and Windows-based servers are also vulnerable despite enhanced support for IPv6. If network hijackers successfully access network equipment, modify databases or replicate equipment, they can shut down, jam or take over the voice network, or manipulate packet network protocols such as SIP and H.323. The challenge for network administrators is to secure the network against these many and varied threats while, at the same time, allowing the VoIP sessions to flow smoothly.

[1] Enterprise Telephony Report, Infonetics Research, Nov. 29, 2005.

Meeting the Challenge

Stateful inspection firewalls and Intrusion Detection Systems (IDS) commonly used for VoIP security offer limited defenses. Ideally, a VoIP security solution will dynamically adapt network resources and security based on VoIP application requests, regardless of the signaling protocol used or whether or not the signaling or media traffic is encrypted. A viable VoIP security solution must also:
- Understand the SIP and H.323 protocols to prevent the introduction of fraudulent packets
- Conduct packet inspection during SIP and H.323 call setup to obtain the information needed to dynamically open and close ports
- Be aware of emerging applications that require protection, for example audio, web and video conferencing, as well as Unlicensed Mobile Access (UMA) for WiFi/cellular dual-mode handsets
- Support low latency, minimal jitter and negligible packet loss to ensure call quality and customer satisfaction
- Offer high availability to avoid loss of VoIP sessions in case of security device failure

Solution: Lucent VPN Firewall Portfolio

Lucent has taken a leadership role in VoIP security by offering a complete security solution that integrates with any existing VoIP application. Figure 1 shows Lucent's VPN Firewall Brick-based VoIP security system.
[Figure 1: network diagram showing centralized VoIP security policy and QoS management with distributed protection. Lucent VPN Firewall Brick devices sit in front of the corporate HQ, centralized data center, ClientCare contact center, virtual office and branch office sites; management components shown include the Lucent Security Policy Manager and VitalSuite Performance Management. Callouts on the diagram:]
- H.323 and SIP application filters
- H.225, H.245, RTP and RTCP dynamic filtering
- Address and port translation for H.323 and SIP
- Stateful filtering for higher performance; sessions filtered based on authentication and service authorization
- Flexible deployment models to protect users, proxy servers and gatekeepers from attacks
- Bandwidth control: the Brick shapes traffic to guarantee VoIP bandwidth between sites

Figure 1: Centralized Lucent VPN Firewall Brick-based VoIP Security

Lucent security solutions are based on the Lucent Network Security Model, which is the foundation of ITU-T Recommendation X.805, Security Architecture for Systems Providing End-to-End Communications. This model provides a framework that supports the Lucent VPN Firewall Portfolio.

Lucent VPN Firewall Portfolio

The Lucent VPN Firewall Portfolio offers a flexible platform that enables you to implement multiple security policies tailored to your individual application. The portfolio includes a broad range of carrier-class platforms that provide a low price/performance ratio and total cost of ownership (TCO). The Lucent VPN Firewall Portfolio includes:
- Lucent Operating System (OS), based on Bell Labs Inferno developments
- Lucent Security Management Server
- VPN Firewall Brick platforms
- Lucent IPsec Client

Lucent Operating System

Lucent Technologies provides a real-time network Operating System (OS) based on innovative software developments by Bell Labs called Inferno. The operating system provides a software infrastructure for VoIP and other distributed network applications. It enables end-to-end connectivity over the public telephone network, the Internet, corporate networks, cable television, and satellite broadcast. Networking and security protocols are built into the OS, and applications run unchanged across any communications network or device. The product has a very small memory footprint, allowing it to act as a stand-alone OS on information appliances and to run as an application on network elements such as servers, routers and switches using UNIX or Microsoft NT platforms.

The Lucent OS creates a distributed architecture that allows security policies to be created in the heart of the system, the Lucent Security Management Server, and instantly pushed to the point on the network where they need to be enforced. The VPN Firewall Brick allows the security administrator to enforce security policies anywhere on the network. This tight connection simplifies management operations and guarantees high levels of security in a distributed network.

Bell Labs Innovations and VoIP Security

Lucent's VoIP security solutions make full use of Bell Labs innovations. Bell Labs has numerous patents and seminal publications in the field of security, and essentially wrote the book on firewalls. Bell Labs, the R&D arm of Lucent, designed and built the Lucent Firewall, among the first of its kind to obtain NSA GPP (National Security Agency General Purpose Processor) certification. The Lab conducts advanced cryptography research and has developed mission-critical secure networks for the Department of Defense. Bell Labs' Internet Research Laboratory develops network mapping and analysis techniques and conducts research on protocols, particularly as they affect network infrastructure and services. The Lab provides recommendations and analysis for vulnerabilities in cooperation with Carnegie Mellon's Computer Emergency Response Team (CERT).

Lucent Security Management Server

Working with Lucent's VPN Firewall Brick portfolio and Lucent IPsec Client software, the Lucent Security Management Server allows you to rapidly provision and manage security, VPN and QoS services for thousands of users from a single console. It provides network-wide control of multiple systems, security policies, VPN tunnels and remote clients. Totally secure remote management eliminates the need for network reconfigurations, truck-rolls, and on-site support.

The Lucent Security Management Server provides real-time monitoring, robust logging, and customized reporting. The server supports 10,000 VPN Firewall Brick devices and 100,000 Lucent IPsec Client users from one console. It accommodates up to 100 simultaneous administrators. In addition to scalability, the Lucent Security Management Server provides carrier-grade reliability and a number of VPN authentication features such as Internet Key Exchange (IKE), the Advanced Encryption Standard (AES), Department of Defense Public Key Infrastructure (PKI), and X.509 digital certificates.

VPN Firewall Brick Portfolio

The VPN Firewall Brick portfolio delivers service-level-assured advanced security, IP VPN, and QoS services for your VoIP environment. These integrated firewall/VPN gateway appliances offer unparalleled performance. They are hybrid L2/L3 devices that allow any combination of interfaces to be set to bridge or route. Each VPN Firewall Brick is centrally staged and remotely managed by the Lucent Security Management Server; for security reasons, you cannot manage a VPN Firewall Brick through a serial cable or from a web browser. Unlike pure router-based security platforms, you can add advanced security services without costly network reconfiguration, truck-rolls or on-site support.

The VPN Firewall Brick supports 802.1Q VLAN tagging and virtual firewalls. This means that you can securely share one device among multiple customers for network-based VoIP managed security services. The components of this security solution, in combination with third-party software from Lucent trusted partners, provide completely integrated, high-performance content security services including command blocking, URL filtering and virus scanning. High availability comes standard with the VPN Firewall Brick through the use of redundant configurations.

SIP and H.323 open ports dynamically during VoIP calls, and if the firewall were to leave all of these ports open there would be almost no network security. In order to secure the network and, at the same time, allow VoIP channels to open dynamically, the firewall needs to participate in the call setup and teardown. The VPN Firewall Brick inspects H.323 and SIP VoIP traffic and opens dynamic pinholes that secure each voice call on a call-by-call basis without degrading performance. Unlike many other solutions, the VPN Firewall Brick acts like a packet sniffer, monitoring the call setup and opening the ports dynamically for an individual call only between the calling and called endpoints.

Bandwidth Management

In addition to dynamic pinholing capabilities, expert bandwidth management is absolutely essential for VoIP security. Most solutions have either no bandwidth management or management at the interface level only. At the interface level, you might have hundreds of VoIP calls active at any one time. If a heavy data application or download starts running on that interface, you could lose all or some of your VoIP calls or experience a severe drop in quality.
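The dynamic pinholing described above, and the session-state replication to a standby device that the failover section relies on, can be modelled in a few dozen lines. The following is an added example written for this page, not Lucent code: a minimal SIP-aware filter that learns the two media endpoints from the SDP offer in the INVITE and the answer in the 200 OK, opens RTP/RTCP pinholes only between those endpoints, closes them on BYE, and copies its session table to a standby. All addresses, ports and SIP messages are constructed sample values.

```python
"""SIP-driven dynamic pinholing with session-state replication to a standby.
Added illustration, not Lucent code; messages, addresses and ports below
are constructed sample values."""
import copy
import re


class VoipFirewall:
    """Follows SIP call setup and opens RTP/RTCP pinholes only between the
    media endpoints learned from the SDP offer (INVITE) and answer (200 OK)."""

    def __init__(self):
        self.offers = {}    # Call-ID -> caller media endpoint from the INVITE
        self.pinholes = {}  # Call-ID -> (caller endpoint, callee endpoint)

    @staticmethod
    def _parse(msg):
        head, _, body = msg.partition("\n\n")
        start = head.split("\n", 1)[0]
        call_id = re.search(r"^Call-ID:\s*(\S+)", head, re.M).group(1)
        ip = re.search(r"^c=IN IP4 (\S+)", body, re.M)
        port = re.search(r"^m=audio (\d+)", body, re.M)
        media = (ip.group(1), int(port.group(1))) if ip and port else None
        return start, call_id, media

    def on_signaling(self, msg):
        """Called for each SIP message crossing the firewall."""
        start, call_id, media = self._parse(msg)
        if start.startswith("INVITE") and media:
            self.offers[call_id] = media          # remember the offer
        elif start.startswith("SIP/2.0 200") and call_id in self.offers:
            self.pinholes[call_id] = (self.offers.pop(call_id), media)
        elif start.startswith("BYE"):
            self.pinholes.pop(call_id, None)      # close on teardown

    def allow_media(self, src, dst):
        """Permit a UDP datagram only if it matches an open pinhole in either
        direction, on the RTP port or the RTCP port (RTP port + 1)."""
        for a, b in self.pinholes.values():
            for x, y in ((a, b), (b, a)):
                for off in (0, 1):
                    if src == (x[0], x[1] + off) and dst == (y[0], y[1] + off):
                        return True
        return False

    def sync_state(self, standby):
        """Active device pushes its session table to the standby so that a
        takeover keeps established calls alive."""
        standby.offers = copy.deepcopy(self.offers)
        standby.pinholes = copy.deepcopy(self.pinholes)


# Constructed sample dialog: HQ softphone 10.1.1.10 calls branch phone 10.2.2.20
INVITE = ("INVITE sip:bob@branch.example SIP/2.0\nCall-ID: c1@hq.example\n\n"
          "v=0\nc=IN IP4 10.1.1.10\nm=audio 49170 RTP/AVP 0\n")
OK_200 = ("SIP/2.0 200 OK\nCall-ID: c1@hq.example\n\n"
          "v=0\nc=IN IP4 10.2.2.20\nm=audio 3456 RTP/AVP 0\n")
BYE = "BYE sip:bob@branch.example SIP/2.0\nCall-ID: c1@hq.example\n\n"


def demo():
    """Returns the filter's verdicts at each stage of the sample call."""
    active, standby = VoipFirewall(), VoipFirewall()
    caller, callee = ("10.1.1.10", 49170), ("10.2.2.20", 3456)
    active.on_signaling(INVITE)
    before = active.allow_media(caller, callee)    # no answer yet: blocked
    active.on_signaling(OK_200)
    active.sync_state(standby)                     # replicate to the standby
    during = active.allow_media(callee, caller)    # return RTP: allowed
    rtcp = active.allow_media(("10.1.1.10", 49171), ("10.2.2.20", 3457))
    stray = active.allow_media(("10.9.9.9", 49170), caller)  # other host: blocked
    failover = standby.allow_media(caller, callee)  # standby keeps the call
    active.on_signaling(BYE)
    after = active.allow_media(caller, callee)     # closed on teardown
    return before, during, rtcp, stray, failover, after
```

Without the signaling-aware step, a stateful firewall would have to hold the whole dynamic RTP range open, which is the exposure the paragraph above warns about.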

The Lucent VPN Firewall Brick solves these problems by managing bandwidth at the interface, rule-set, rule, and session levels. This is a critical component when working with VoIP or any other real-time application, including streaming video and video conferencing. Your ability to guarantee bandwidth for each individual session allows you to ensure the quality of the session or VoIP call, and also allows you to sell Service Level Agreements to your customers.

Lucent VPN Firewall Brick High Availability/Failover

The Lucent Security Management Server includes a Lucent VPN Firewall Brick feature that provides automatic failover configuration to ensure VoIP calls are not dropped if a device fails. The feature allows an administrator to deploy two Lucent VPN Firewall Brick devices as a failover pair. Both devices share the same identity, including IP address, name, and virtual MAC addresses (one per port). The first device to boot becomes the active device. The second device is designated the standby, ready to take over should the first device fail. From the administrator's viewpoint, the two devices are treated as one: both are connected to the same LAN and wired identically.

Both the active and standby Lucent VPN Firewall Brick devices issue regular heartbeat messages. The heartbeat indicates the presence of an active device and allows the devices to share health, status, and priority information. If the standby device does not receive appropriate heartbeats from the active device, it automatically becomes active. The active device may also yield to the standby if it determines that the standby has better LAN connectivity. Also, the active Lucent VPN Firewall Brick continuously sends session state information to the standby device. If the standby device has to take over, it already has all the information it needs regarding the active sessions to keep them alive.

Lucent IPsec Client

Lucent IPsec Client is specifically built to support carrier-managed IP services. When deployed with Lucent VPN Firewall Brick platforms, the IPsec Client is completely integrated and centrally managed by the Lucent Security Management Server, simplifying administration of large-scale remote access VPNs.

Complete Solution for Total VoIP Security

Essential VoIP Application Features

If you're on the hunt for a firewall for your VoIP application or other real-time solutions, there is a must-have set of features you won't want to do without. They include:
- H.323 application layer filtering (including NAT for H.323)
- SIP application layer filtering (including NAT for SIP)
- Failover capabilities, including redundant firewalls, to ensure quality of service with no outages ("five nines" reliability)
- General Packet Radio Service (GPRS)-3G (for mobile VoIP)
- GPRS Tunnel Protocol (GTP)-3G
- Bandwidth controls at the session layer to ensure quality of service
- Layer 2 capabilities to keep the firewall in stealth mode
- Dynamic pinhole capabilities that open and close ports on a per-call basis to ensure that the rest of the network is secured

To ensure that your VoIP application is not compromised, make sure that you use a firewall that has all these essential features. The combination of the Security Management Server, Lucent VPN Firewall Brick portfolio, and Lucent IPsec Client enables VoIP services that are secure and robust. With these security solutions from Lucent, you are able to implement VoIP deployments that are secure, always available, and scale to meet your changing requirements.

To learn more about our comprehensive portfolio, please contact your Lucent Technologies Sales Representative or visit our web site at http://www.lucent.com.

This document is for informational or planning purposes only, and is not intended to create, modify or supplement any Lucent Technologies specifications or warranties relating to these products or services. Information and/or technical specifications supplied within this document do not waive (directly or indirectly) any rights or licenses including but not limited to patents or other protective rights of Lucent Technologies or others. Specifications are subject to change without notice.

Copyright 2006 Lucent Technologies Inc. All rights reserved. SecurityVoIP v1.0706. Lucent VPN Firewall Brick is a registered trademark of Lucent Technologies. Inferno is a trademark of Lucent Technologies.