Network Computing is part of the Informa Tech Division of Informa PLC

Yes, Virginia, VoIP Can Be Secure

One of the biggest knocks on VoIP technology is its lack of security. But at the Interop show this week, a group of vendors and technicians has quietly been demonstrating secure, multivendor VoIP connections -- both from within the LAN and from remote users over a VPN.

The InteropLabs VoIP demo focuses on two major areas of security: protecting the SIP gateway from attack and supporting remote users connecting via a VPN. The demo shows that it is possible to support VoIP within the closed confines of a single enterprise, though it also exposes potential problems with network address port translation (NAPT) that will need to be solved in live deployments.

In the demo, border protection starts with a SIP-aware application layer gateway or deep packet inspection. During call setup, the phones negotiate the call parameters they are willing to accept and which UDP ports, or ephemeral ports, they will use for voice packets. A non-SIP-aware firewall can't handle the ephemeral ports, so the voice connection between the phones can never be completed.

As Craig Johnson, systems engineering manager for Check Point, explains, "the SIP firewall has to be session-aware so that when a call ends -- either through a hang-up or a time-out -- the ephemeral ports are closed. Otherwise, avenues for malicious activity like toll fraud are possible."
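The pinhole lifecycle described above, shown as an added Python example that is not code from the InteropLabs demo or from any vendor's product: media ports are learned from the SDP carried in call setup, permitted only while the call is live, and closed on hang-up or time-out. The names `PinholeTable`, `sip` and `IDLE_TIMEOUT`, the 30-second value, the unprivileged-port check and the sample addresses are assumptions made for illustration.

```python
import re

IDLE_TIMEOUT = 30.0  # assumed: seconds of media silence before a call's ports are reclaimed

class PinholeTable:
    """Tracks which (ip, udp_port) pairs are open, keyed by SIP Call-ID."""
    def __init__(self):
        self.calls = {}  # Call-ID -> {"pinholes": set of (ip, port), "last_seen": time}

    def on_sip(self, raw, now):
        """Inspect one SIP message; open or close pinholes for its call."""
        head, _, body = raw.partition("\r\n\r\n")
        cid = re.search(r"^Call-ID:\s*(\S+)", head, re.I | re.M)
        if not cid:
            return  # malformed message: nothing is opened
        call_id = cid.group(1)
        if head.startswith("BYE "):
            self.calls.pop(call_id, None)  # hang-up closes every port of the call
            return
        ip = re.search(r"^c=IN IP4 (\S+)", body, re.M)    # SDP connection address
        port = re.search(r"^m=audio (\d+) ", body, re.M)  # SDP media (voice) port
        # Assumed policy: only unprivileged ports may be negotiated for media.
        if ip and port and 1024 <= int(port.group(1)) <= 65535:
            call = self.calls.setdefault(call_id, {"pinholes": set(), "last_seen": now})
            call["pinholes"].add((ip.group(1), int(port.group(1))))
            call["last_seen"] = now

    def expire(self, now):
        """Time-out path: drop calls whose media has gone silent."""
        for cid in [c for c, v in self.calls.items() if now - v["last_seen"] > IDLE_TIMEOUT]:
            del self.calls[cid]

    def allow_rtp(self, ip, port, now):
        """Permit a UDP voice packet only if its destination is a live pinhole."""
        self.expire(now)
        for call in self.calls.values():
            if (ip, port) in call["pinholes"]:
                call["last_seen"] = now
                return True
        return False

def sip(start_line, call_id, sdp_ip=None, sdp_port=None):
    """Build a constructed sample SIP message with only the fields the table reads."""
    body = f"v=0\r\nc=IN IP4 {sdp_ip}\r\nm=audio {sdp_port} RTP/AVP 0\r\n" if sdp_ip else ""
    return f"{start_line}\r\nCall-ID: {call_id}\r\nContent-Length: {len(body)}\r\n\r\n{body}"

if __name__ == "__main__":
    fw = PinholeTable()
    fw.on_sip(sip("INVITE sip:bob@example.com SIP/2.0", "call-1", "192.0.2.10", 49170), now=0)
    print("during call:", fw.allow_rtp("192.0.2.10", 49170, now=1))
    fw.on_sip(sip("BYE sip:bob@example.com SIP/2.0", "call-1"), now=5)
    print("after hang-up:", fw.allow_rtp("192.0.2.10", 49170, now=6))
```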

The SIP-aware firewall can also stop denial-of-service attacks, which either bombard the SIP gateway with registration and call requests, effectively cutting off legitimate calls, or send malformed SIP packets to the SIP gateway.
