voip-firewall-proxy-gateway-three-types.swf
Click on the above link to see the animated tutorial.
Various types of VoIP systems require different security formats. Here are some examples:
- Proxy/Gateway/SBC (Session Border Controller) Inside/Outside the Firewall
- Proxy/Gateway in Co-Edge Mode
- Proxy/Gateway Outside the Firewall
This tutorial reviews these formats and the risks associated with them. For example, when a firewall provides NAT between an internal and an external network, proxies may allow VoIP traffic to be processed properly, even in the absence of a firewall that can translate addresses for VoIP traffic. Since VoIP is not the only type of traffic and each customer situation is completely different, guidance from the IT designer is essential.
Proxy/Gateway or SBC (Session Border Controller) Inside the Firewall applies when, during VoIP call setup, the ports and addresses require detailed inspection (sometimes referred to as stateful inspection) as the setup progresses. If the firewall does not support dynamic ACLs (Access Control Lists) based on that inspection, Proxy and Gateway Servers can be used just inside the firewall. As for SBCs, there are arguments for placing the SBC inside (behind) the firewall, outside it, or at the carrier (service provider).
In this configuration, interfaces lead to both inside and outside networks. To avoid exposing a network to unsolicited traffic, configure the Proxy to route only proxied traffic. In other words, the Proxy Server routes only VoIP protocol traffic that is terminated on the inside and then repeated to the outside.
Proxy in Co-Edge (2-edge) Mode is the situation where local interior IP addresses must be translated to valid exterior IP addresses. The firewall must be capable of decoding and translating all addresses passed in the various VoIP protocols. If the firewall is not capable of this translation task, a Proxy Server may be placed next to the firewall in Co-Edge Mode.
Proxy/Gateway Outside the Firewall applies if the firewall does not support VoIP dynamic ACLs (Access Control Lists). The firewall can be configured with static ACLs that allow traffic from the Proxy/Gateway Servers through the firewall. This poses a security risk if a hacker can spoof, or simulate, the IP addresses of the Proxy/Gateway Servers and use them to attack the servers' own network.
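The sketch below is an added example, not part of the original tutorial: it contrasts the static ACL described above with a dynamic ACL that opens a single pinhole from the inspected call setup and closes it at teardown. The addresses, the RTP port range and the SDP sample are constructed assumptions, and the function names are hypothetical.

```python
import re

# Constructed sample: SDP body from a call-setup answer relayed by the proxy.
SDP_ANSWER = (
    "v=0\r\n"
    "o=- 1 1 IN IP4 198.51.100.10\r\n"
    "s=-\r\n"
    "c=IN IP4 198.51.100.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
PROXY_IP = "198.51.100.10"           # hypothetical outside proxy/gateway address
INSIDE_PHONE = ("10.0.0.25", 16384)  # hypothetical inside endpoint (ip, RTP port)


def static_acl_allows(src_ip, src_port, dst_ip, dst_port):
    """Static rule: any UDP from the proxy address to the inside RTP port range."""
    return src_ip == PROXY_IP and 16384 <= dst_port <= 32767


def pinhole_from_sdp(sdp, inside):
    """Build one (src_ip, src_port, dst_ip, dst_port) pinhole from the c= and m= lines."""
    conn = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
    media = re.search(r"^m=audio (\d+) ", sdp, re.M)
    if not conn or not media:
        raise ValueError("SDP has no usable c= or m=audio line")
    return (conn.group(1), int(media.group(1)), inside[0], inside[1])


def compare():
    """Return {label: (static ACL verdict, dynamic ACL verdict)} for three packets."""
    pinholes = set()                                # dynamic ACL state
    hole = pinhole_from_sdp(SDP_ANSWER, INSIDE_PHONE)
    pinholes.add(hole)                              # opened during call setup
    media = (PROXY_IP, 49170, "10.0.0.25", 16384)   # the negotiated media flow
    forged = (PROXY_IP, 40000, "10.0.0.80", 20000)  # forged source, different inside host
    out = {"media": (static_acl_allows(*media), media in pinholes),
           "forged": (static_acl_allows(*forged), forged in pinholes)}
    pinholes.discard(hole)                          # closed at call teardown
    out["after_teardown"] = (static_acl_allows(*media), media in pinholes)
    return out


if __name__ == "__main__":
    for label, verdicts in compare().items():
        print(label, verdicts)
```

A pinhole limits exposure to one flow for the duration of a call; it does not authenticate the sender.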
This course is available for delivery onsite, online or via webseminar. This presentation is also included in the TMC University special course on Microsoft OCS (Office Communications Server) at ITexpo.com. For more go here: http://www.tmcnet.com/voip/conference/west-08/tmc-university-microsoft-ocs.htm
This is included in the online/onsite courses SIP 2.0c and OCS-101 Office Communications Server, per person (volume and site license discounts available). Discounts are also available to members of the SIP Forum and MS Partners. For customizing, special discounts, website animations, technical/sales training, technical writing and other services, go to http://www.techtionary.com or please call Tom Cross at 303-594-1694 or cross@gocross.com.


