Once corporate users have tested voice over IP and proven that it works, they face one last hurdle: making sure it's secure.
But users who have taken the plunge into VoIP say they're not worried about security. "If you configure it properly and treat it as you would any other mission-critical server and application on the network, voice over IP is as secure as any other data," says Doug Haluza, director of engineering and new technologies at Lexent, a New York electrical services firm that has run VoIP on its corporate network since January 2002.
Analysts agree, saying that safeguarding VoIP comes down to typical procedures for ensuring the security of networked servers, applications and voice. But special care is required when choosing firewalls, intrusion-detection systems (IDS) and other security tools.
Securing VoIP data at the firewall is tricky. VoIP sessions use H.323 or Session Initiation Protocol (SIP). Firewalls in a VoIP deployment must be able to handle these fairly complex real-time communications protocols. H.323 and SIP have separate control and media transfer connections, which means they typically make a connection on one IP port to set up a call and then pick a random, high-numbered IP port, usually above Port 1024, for the data connection. You can't simply configure a firewall with certain ports opened and blocked because the device can never know which port will be used for the connection.
"You need a firewall that understands those protocols well enough to only open data connections when they've been negotiated and authenticated in the control fields," says Mark Kraynak, strategic marketing manager at Check Point, which markets stateful SIP- and H.323-compliant firewalls. "And it needs to know to close them when [the sessions are] over."
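The pinhole behaviour described above, as an added example that is not from the original article or from any vendor's product: a default-deny table that opens media ports only after both sides have named them in SIP signaling and closes them on BYE. The class and function names, addresses and sample messages are constructed for illustration, and authentication of the signaling and SIP compact header forms are not modelled.

```python
import re

def parse_sip(raw):
    """Split a SIP message into (start_line, headers, sdp_body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    pairs = (line.partition(":") for line in lines[1:])
    return lines[0], {n.strip().lower(): v.strip() for n, _, v in pairs}, body

def sdp_audio_endpoint(sdp):
    """Return (ip, port) from the SDP c= and m=audio lines, or None."""
    addr = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
    media = re.search(r"^m=audio (\d+) ", sdp, re.M)
    if not (addr and media):
        return None
    port = int(media.group(1))
    return (addr.group(1), port) if 0 < port < 65536 else None

class PinholeTable:
    """Tracks media pinholes per Call-ID; anything not listed is denied."""
    def __init__(self):
        self.pending = {}   # Call-ID -> endpoint offered in the INVITE
        self.open = {}      # Call-ID -> set of (ip, port) currently allowed

    def on_signaling(self, raw):
        start, hdr, body = parse_sip(raw)
        call_id = hdr.get("call-id")
        if not call_id:
            return
        endpoint = sdp_audio_endpoint(body)
        if start.startswith("INVITE ") and endpoint:
            self.pending[call_id] = endpoint      # offer alone opens nothing
        elif (start.startswith("SIP/2.0 200") and "INVITE" in hdr.get("cseq", "")
              and endpoint and call_id in self.pending):
            # Both sides have named a media port: open exactly those two.
            self.open[call_id] = {self.pending.pop(call_id), endpoint}
        elif start.startswith("BYE "):
            self.pending.pop(call_id, None)
            self.open.pop(call_id, None)          # call over: close the pinholes

    def allows(self, ip, port):
        return any((ip, port) in eps for eps in self.open.values())

def sample_msg(start, call_id, cseq, ip=None, port=None):  # constructed test input
    sdp = f"v=0\r\nc=IN IP4 {ip}\r\nm=audio {port} RTP/AVP 0\r\n" if ip else ""
    return f"{start}\r\nCall-ID: {call_id}\r\nCSeq: {cseq}\r\n\r\n{sdp}"

INVITE = sample_msg("INVITE sip:bob@example.com SIP/2.0", "c1@example.com", "1 INVITE", "192.0.2.10", 49170)
OK = sample_msg("SIP/2.0 200 OK", "c1@example.com", "1 INVITE", "192.0.2.20", 31004)
BYE = sample_msg("BYE sip:bob@example.com SIP/2.0", "c1@example.com", "2 BYE")
```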
The firewall also has to do all of this stateful packet inspection without affecting the performance of the voice stream.
Based on International Telecommunication Union recommendations, the voice stream should be subject to no more than 100 milliseconds of delay end to end. Because voice uses smaller packets than data and transmits more packets per second (about 50 packets/sec per voice stream, nearly twice the number of packets in a typical data stream), processing voice can quickly bog down a firewall.