Network World

Taking the threat out of IP voice

IP voice needn't be more of a security risk than data applications, as long as you take a few simple precautions.
By Joanne Cummings, Network World, 06/23/2003
Once corporate users have tested voice over IP and proven that it works, they face one last hurdle: making sure it's secure.

But users who have taken the plunge into VoIP say they're not worried about security. "If you configure it properly and treat it as you would any other mission-critical server and application on the network, voice over IP is as secure as any other data," says Doug Haluza, director of engineering and new technologies at Lexent, a New York electrical services firm that has run VoIP on its corporate network since January 2002.

Analysts agree, saying that safeguarding VoIP comes down to typical procedures for ensuring the security of networked servers, applications and voice. But special care is required when choosing firewalls, intrusion-detection systems (IDS) and other security tools.

Firewalls are tricky

Securing VoIP data at the firewall is tricky. VoIP sessions use H.323 or Session Initiation Protocol (SIP), and firewalls in a VoIP deployment must be able to handle these fairly complex real-time communications protocols. H.323 and SIP have separate control and media transfer connections, which means they typically make a connection on one IP port to set up a call and then pick a random, high-numbered IP port, usually above port 1024, for the data connection. You can't simply configure a firewall with certain ports opened and blocked, because the device cannot know in advance which port will be used for the data connection.

"You need a firewall that understands those protocols well enough to only open data connections when they've been negotiated and authenticated in the control fields," says Mark Kraynak, strategic marketing manager at Check Point, which markets stateful SIP- and H.323-compliant firewalls. "And it needs to know to close them when [the sessions are] over."

The firewall also has to do all of this stateful packet inspection without affecting the performance of the voice stream.
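The pinhole behavior described above can be sketched in a few lines. This is an added example, not code from the article or from any firewall vendor: a simplified model that reads the media address and port out of the SDP body of SIP messages, allows media only after the INVITE has been answered with a 200 OK, and closes the ports on BYE. The class and function names are hypothetical, and the sample messages and addresses are constructed.

```python
import re

class SipPinholeTracker:
    """Toy SIP-aware firewall: media ports open only after call setup, close on BYE."""
    def __init__(self):
        self.offers = {}    # Call-ID -> (ip, port) offered in the INVITE
        self.pinholes = {}  # Call-ID -> {(ip, port), ...} allowed for media

    @staticmethod
    def _parse(msg):
        head, _, body = msg.partition("\r\n\r\n")
        lines = head.split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        ip = re.search(r"^c=IN IP4 (\S+)", body, re.M)       # SDP connection address
        port = re.search(r"^m=audio (\d+) ", body, re.M)     # SDP audio media port
        media = (ip.group(1), int(port.group(1))) if ip and port else None
        return lines[0], headers, media

    def observe(self, msg):
        start, headers, media = self._parse(msg)
        call_id = headers.get("call-id")
        if not call_id:
            return
        if start.startswith("INVITE ") and media:
            self.offers[call_id] = media             # offer seen, nothing opened yet
        elif (start.startswith("SIP/2.0 200") and media and call_id in self.offers
              and headers.get("cseq", "").endswith("INVITE")):
            self.pinholes[call_id] = {self.offers.pop(call_id), media}
        elif start.startswith("BYE "):
            self.offers.pop(call_id, None)
            self.pinholes.pop(call_id, None)         # call over: close the ports

    def allows(self, ip, port):
        return any((ip, port) in eps for eps in self.pinholes.values())

def sip(start, call_id, cseq, ip=None, port=None):
    # Builds a constructed, minimal SIP message used only as sample input.
    sdp = f"v=0\r\nc=IN IP4 {ip}\r\nm=audio {port} RTP/AVP 0\r\n" if ip else ""
    return f"{start}\r\nCall-ID: {call_id}\r\nCSeq: {cseq}\r\n\r\n{sdp}"

def demo():
    fw, seen = SipPinholeTracker(), []
    fw.observe(sip("INVITE sip:bob@example.test SIP/2.0", "c1", "1 INVITE", "192.0.2.10", 49170))
    seen.append(fw.allows("192.0.2.10", 49170))      # offered only, still blocked
    fw.observe(sip("SIP/2.0 200 OK", "c1", "1 INVITE", "198.51.100.20", 3456))
    seen.append(fw.allows("198.51.100.20", 3456))    # negotiated, now allowed
    fw.observe(sip("BYE sip:bob@example.test SIP/2.0", "c1", "2 BYE"))
    seen.append(fw.allows("198.51.100.20", 3456))    # closed again after BYE
    return seen
```

A production firewall also has to handle re-INVITEs, timeouts for calls that never send BYE, and RTCP ports, none of which this model covers.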

Based on International Telecommunication Union recommendations, the voice stream should be subject to no more than 100 milliseconds of delay end to end. Because voice uses smaller packets than data and transmits more packets per second (about 50 packets/sec per voice stream, nearly twice the number of packets in a typical data stream), processing voice can quickly bog down a firewall.

"A lot of software firewalls can meet the demands of data traffic, but when you start to initiate 50 packets per second per call, that really ups the amount of packets they have to inspect and some can't keep up," says John Truetken, senior architect for MCI Advantage, a converged IP service for enterprise users. He says dedicated hardware firewalls tend to perform better.

The same is true of VPNs, he says. "Some low-end VPN encryptors have a problem when you get up to 20 or so voice streams," he says. "The number of packets per second they have to deal with sometimes can overwhelm them."
