Analysis: Firewall limits vex VoIP users

While firewalls are the IT pro’s favorite security tool, they can be troublesome for companies trying to deploy IP telephony over the Internet as many firewalls offer little or no support for voice-over-IP protocols.

While firewall vendors and those crafting standards are working to make firewalls operate effectively with the widely deployed H.323 protocol and the emerging Session Initiation Protocol (SIP), many users are skirting the issue by encrypting wide-area VoIP traffic and sending it over VPN tunnels for site-to-site and remote office connections. IT professionals say this method for running VoIP over a WAN keeps IP conversations secure. They also say it eliminates the risk of exposing a network to intruders, which comes with opening ports on a firewall to allow VoIP to flow through.

“Getting a firewall to understand voice or multimedia protocols, particularly H.323, is not simple,” says Joel Snyder, a senior partner at Opus One Inc., a firm that tests network gear, and a Network World columnist. He says it requires the firewall to act as a proxy for the H.323 traffic.

“The H.323 proxy in the firewall has to dig deep into the H.323 protocol. It actually has to understand the whole protocol to know what IP addresses are going to talk, what ports, etc.,” Snyder says.

Without such proxy ability, the firewall would have to open ports for each call that is made, without determining whether the packets are legitimate. Opening holes in a firewall for H.323 or other multimedia protocols could leave networks vulnerable, as intruders could utilize voice traffic to spoof a firewall and gain network access, experts say.

“The issue is that the H.323 stack is a wide-open stack,” says Mike Venner, CIO at network silicon and component vendor Broadcom Corp. “It’s a hackable stack, and it’s hard to control.”

To avoid tricky VoIP/firewall issues, Venner uses VPN tunneling to connect remote workers and private point-to-point DS-3 lines to connect larger offices. Fifty Broadcom employees working from home use IP phones and hardware-based VPN clients to link to centrally located IP PBXs from Avaya Inc. and Cisco Systems Inc. over encrypted IP Security tunnels. This setup lets home and remote office workers have phone extensions as if they were in one of the company’s buildings in Irvine, Calif. Firewalls at Broadcom stay out of the VoIP equation.

Punching holes in a firewall lets voice pass through but could put networks at risk. This threat becomes dire for businesses using server-based IP PBXs because the phone systems could be brought down by viruses and hacker attacks.

“We’ve found that running voice over a VPN tunnel works really well,” Venner says. While Venner would not say what VPN gear he uses, he says the voice quality is as good as an IP telephony conversation on the company’s LAN.

Two types of problems

The potential problems with sending IP voice through a firewall break down into two categories: network address translation (NAT) and the complexity of VoIP traffic.

NAT changes the source IP address of a packet from a private address to a public one so it can be routed over the Internet. The “NAT-ing” device, such as a firewall, keeps track of what the private IP address is, so returning traffic can be routed to the sending device.

IP voice traffic consists of signaling traffic and packets carrying the voice signal. The signaling traffic, such as SIP or H.323, uses protocols that contain address information not just in the header but deeper within the packet.

To conduct NAT on this signaling traffic, the firewall must be able to parse and modify the packet all the way to the application layer, something most firewalls were not intended to do.

The signaling traffic and payload packets involved in a single voice call use many ports, across both User Datagram Protocol (UDP) and TCP, and the media ports are chosen per call. For a voice call to successfully cross a firewall, these ports must be opened. And to maintain security, they must be closed when there is no traffic flowing. Conventional firewalls were not designed to handle this type of complex traffic.
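The two problems above, addresses buried in the signaling payload and per-call media ports that must be opened and then closed, can be seen in a small simulation of what a SIP-aware firewall (an application-layer gateway) has to do. The code below is an added example written for this article, not code from any of the vendors it mentions; the SIP INVITE, the addresses (10.1.2.3 behind the NAT, 203.0.113.10 as its public side), the port numbers and the `NatState` helper are all constructed for illustration, and it assumes IPv4, a single audio stream and RTCP on the RTP port plus one.

```python
"""Toy SIP application-layer gateway for a NAT firewall (added example).

Shows why NAT must read into the SIP/SDP body ("o=", "c=" and "m=" lines),
not just the IP header, and how pinholes can be tied to one call and torn
down on BYE. All addresses, ports and messages are constructed.
"""
import re
from dataclasses import dataclass, field

PRIVATE_IP = "10.1.2.3"               # constructed: IP phone behind the NAT
PUBLIC_IP = "203.0.113.10"            # constructed: NAT's outside address
CALL_ID = "a84b4c76e66710@alice-phone"  # constructed; opaque, never rewritten


def build_invite(private_ip: str = PRIVATE_IP, rtp_port: int = 16384) -> str:
    """Construct a minimal SIP INVITE whose SDP body carries the private IP."""
    body = (
        "v=0\r\n"
        f"o=alice 1 1 IN IP4 {private_ip}\r\n"
        "s=call\r\n"
        f"c=IN IP4 {private_ip}\r\n"
        "t=0 0\r\n"
        f"m=audio {rtp_port} RTP/AVP 0\r\n"
    )
    head = (
        "INVITE sip:bob@example.net SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {private_ip}:5060;branch=z9hG4bK776\r\n"
        f"Contact: <sip:alice@{private_ip}:5060>\r\n"
        f"Call-ID: {CALL_ID}\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(body)}\r\n"
    )
    return head + "\r\n" + body


def build_bye() -> str:
    return f"BYE sip:bob@example.net SIP/2.0\r\nCall-ID: {CALL_ID}\r\nContent-Length: 0\r\n\r\n"


@dataclass
class NatState:
    public_ip: str
    next_port: int = 40000
    pinholes: dict = field(default_factory=dict)   # call_id -> {(proto, port)}
    media_map: dict = field(default_factory=dict)  # public RTP port -> (ip, port)

    def allocate_media_port(self) -> int:
        port, self.next_port = self.next_port, self.next_port + 2
        return port


def _split(msg: str):
    head, _, body = msg.partition("\r\n\r\n")
    return head, body


def _call_id(head: str) -> str:
    return re.search(r"^Call-ID:\s*(\S+)", head, re.M).group(1)


def content_length_consistent(msg: str) -> bool:
    """True if the Content-Length header matches the actual body length."""
    head, body = _split(msg)
    declared = int(re.search(r"^Content-Length:\s*(\d+)", head, re.M).group(1))
    return declared == len(body)


def alg_outbound_invite(msg: str, nat: NatState, private_ip: str) -> str:
    """Rewrite an outbound INVITE the way a SIP-aware firewall must.

    Header-only NAT leaves the private address in the SDP, so the far end
    would send RTP to 10.x.x.x. The gateway rewrites o=/c=, maps the media
    port, opens just this call's RTP/RTCP pinholes and fixes Content-Length.
    """
    head, body = _split(msg)
    private_rtp = int(re.search(r"^m=audio (\d+) ", body, re.M).group(1))
    public_rtp = nat.allocate_media_port()
    nat.media_map[public_rtp] = (private_ip, private_rtp)
    # Pinholes are keyed by Call-ID so BYE can close exactly these two ports
    nat.pinholes[_call_id(head)] = {("udp", public_rtp), ("udp", public_rtp + 1)}

    new_body_lines = []
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            line = line.replace(private_ip, nat.public_ip)
        elif line.startswith("m=audio "):
            parts = line.split(" ")
            parts[1] = str(public_rtp)
            line = " ".join(parts)
        new_body_lines.append(line)
    new_body = "\r\n".join(new_body_lines)

    new_head_lines = []
    for line in head.split("\r\n"):
        if line.startswith(("Via:", "Contact:")):
            line = line.replace(private_ip, nat.public_ip)
        elif line.startswith("Content-Length:"):
            # The rewrite changed the body size; a stale length makes the
            # peer truncate or over-read the SDP.
            line = f"Content-Length: {len(new_body)}"
        new_head_lines.append(line)
    return "\r\n".join(new_head_lines) + "\r\n\r\n" + new_body


def alg_bye(msg: str, nat: NatState) -> set:
    """Close the media pinholes for the call that is ending."""
    head, _ = _split(msg)
    return nat.pinholes.pop(_call_id(head), set())


if __name__ == "__main__":
    nat = NatState(PUBLIC_IP)
    print(alg_outbound_invite(build_invite(), nat, PRIVATE_IP))
    print("open pinholes:", nat.pinholes)
    print("closed on BYE:", alg_bye(build_bye(), nat))
```

Two details carry the article's point: a plain NAT that only rewrote the IP header would pass the "c=IN IP4 10.1.2.3" line through untouched and the return media would never arrive, and the pinholes exist only between INVITE and BYE, which is the part conventional firewalls of the time had no state for. Real gateways also have to handle the other direction (rewriting the peer's SDP and forwarding inbound RTP through `media_map`), re-INVITEs and calls that never send BYE, none of which this toy covers.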

Users could leave firewalls open to all UDP traffic to allow voice to go in and out, but that would violate most people’s idea of security.

“It would work but the security manager would be fired the same day,” says Opher Kahane, CEO of Kagoor Networks Inc., which makes VoiceFlow, a device that can handle NAT and firewall traversal support for firewalls.

VoiceFlow also addresses how to allow management traffic from outside a site to pass through a firewall to keep track of IP voice gear. Generally, network security dictates that such traffic is blocked by firewalls.

Vendors make strides

Firewall makers, such as Cisco and Check Point Software Technologies Ltd., have added support for SIP and H.323 to their firewalls. Other vendors, including Swedish firm Ingate, Acme Packets and Jasomi, offer VoIP-specific firewalls and appliances that supplement firewalls to better handle voice. Ingate’s device supports SIP on dynamically allocated ports on the firewall, which lets large volumes of calls through the box, as opposed to opening a specific port on a firewall for VoIP, which could leave a network open to intrusion, the company says.

Jasomi says its PeerPoint SIP-enabled firewall sits outside a regular corporate firewall and acts as a secure proxy for SIP traffic between sites connected over a nonsecure network.

The Internet Engineering Task Force is working on a proposal called MidCom that would standardize such a proxy for IP voice traffic that is separate from the firewall.

“Voice over IP on the Internet is certainly doable, but I wouldn’t recommend it,” says Mike Ko, director of IT for Experio Solutions, a consulting firm. Experio uses VoIP gear from Shoreline Communications in the company’s 18 offices around the country to support 800 employees. The distributed Shoreline boxes run analog voice to desktops, then convert traffic to IP, which can be run across the company’s WAN – an IP VPN service from Qwest Communications International Inc. Cisco routers at the edge of each site prioritize the VoIP traffic before it is sent to Qwest, where the voice and data flows are encrypted and sent across the VPN instead of the Internet.

While Ko says he has run H.323-based videoconferencing through his firewalls and over the Internet for some company meetings, he says he’ll stick with his VPN to carry everyday voice.

“We had discussions of possibly opening ports [on our firewalls] to allow voice to go across the Internet … but there’s no need to,” Ko says, adding that the less his network is exposed to the Internet, the more secure it is.