5 Firewalls in VoIP Selected Topics in Information Security – Bazara Barry.


5

Firewalls in VoIP

Selected Topics in Information Security – Bazara Barry


Firewalls

Firewalls demarcate inside from outside, trusted from non-trusted networks, and they are used to separate VoIP from data on internal networks.

Two significant issues affect firewall performance with regard to VoIP: the first is that the boundary between inside and outside, or trusted and non-trusted, networks is gradually becoming less clear; the second is that most firewalls fail to adequately process VoIP packets and sessions.


Firewalls

Most firewalls share common characteristics:

1. They work as a choke point.
2. They can be configured to allow or deny any protocol traffic.
3. They provide a logging function for audit purposes.
4. They provide a NAT function.
5. Their operating systems are hardened.
6. They often serve as a VPN endpoint.
7. They fail closed.


Shallow packet inspection

Shallow packet inspection inspects only a few header fields in order to make processing decisions.

As an IP packet traverses the firewall, the headers are parsed, and the results are compared to a rule set defined by a system administrator.

The rule set, commonly based upon source and/or destination IP address, source and/or destination port, or a combination of the two, defines what type of traffic is subsequently allowed or denied.


Stateful inspection

A stateful inspection firewall registers connection data and compiles this information in a kernel-based state table.

A stateful firewall examines packet headers and, essentially, remembers something about them (generally source/destination IP address/ports). The firewall then uses this information when processing later packets.


Medium-depth packet inspection

Medium-depth inspection is mostly performed by Application Layer Gateways (ALGs), which peer more deeply into the packet than packet filtering firewalls but normally do not scan the entire payload.

An ALG provides intermediary services for hosts that reside on different networks, while maintaining complete details of the TCP connection state and sequencing.


Medium-depth packet inspection

An application-level gateway (or proxy server) acts as a relay of application-level traffic.

A user contacts the gateway to access some service and provides details of the service, the remote host, and authentication details; the gateway then contacts the application on the remote host and relays all data between the two endpoints.


Medium-depth packet inspection

[Figure slide; no text recovered.]


Deep packet inspection

To address the limitations of Packet Filtering, Application Proxies, and Stateful Inspection, a technology known as Deep Packet Inspection (DPI) was developed.

DPI analyzes the entire packet, and may buffer, assemble, and inspect several related packets as part of a session.

DPI engines parse the entire IP packet, and make forwarding decisions by means of a rule-based logic that is based upon signature or regular expression matching.


Deep packet inspection

The issue with DPI is that packet data contents are virtually unstructured compared with the highly structured packet headers.

Analysis of packet headers can be done economically since the locations of packet header fields are restricted by protocol standards.

However, the payload contents are, for the most part, unconstrained.


Deep packet inspection

Particular attention must be paid to firewall and deep packet inspection configurations to make sure they don’t introduce unacceptable latency.

Implementation of some security measures can degrade QoS. These complications range from interruption or prevention of call setup by firewalls to encryption-produced latency and delay variation (jitter).


VoIP aware firewalls

The basic problem with firewalls in VoIP environments is twofold:

Firewall administrators are reluctant to open up a range of high ports (> 1024) that will allow uncontrolled connections between external and internal hosts, and firewalls often rewrite information that is necessary for VoIP signaling traffic to succeed.


SIP Firewall issues

In the context of traversing firewalls and NAT, SIP’s primary problem relates to determination of the “real” IP addresses of end users or UAs, which are often located in private IP address space.

When used as a VoIP application, SIP opens bidirectional UDP media channels over random high ports.


Access control lists

Network access control lists (ACLs) are table-like data structures that normally consist of a single line divided into three parts:

a reference number that defines the ACL; a rule (usually permit or deny); and a data pattern, which may consist of source and/or destination IP addresses, source and/or destination port numbers, masks, and Boolean operators.
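As an added example (not from the slides or from Porter's book), the following Python sketch parses ACL entries in the three-part form described above (reference number, permit/deny rule, and a data pattern of addresses, masks and ports) and evaluates a packet against them with first-match semantics and a fail-closed default. The line syntax, addresses and rule numbers are constructed for illustration, not a vendor's ACL format.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AclEntry:
    number: int                    # reference number that identifies the ACL entry
    action: str                    # rule: "permit" or "deny"
    proto: str                     # "udp", "tcp" or "ip" (any protocol)
    src: ipaddress.IPv4Network     # source address pattern (address + mask)
    dst: ipaddress.IPv4Network     # destination address pattern (address + mask)
    dports: Optional[range]        # destination port range; None means any port


def parse_entry(line: str) -> AclEntry:
    # Constructed line syntax for this example (not a vendor ACL syntax):
    #   <number> <permit|deny> <proto> <src-cidr> <dst-cidr> [dport[-dport]]
    parts = line.split()
    dports = None
    if len(parts) == 6:
        lo, _, hi = parts[5].partition("-")
        dports = range(int(lo), int(hi or lo) + 1)
    return AclEntry(int(parts[0]), parts[1], parts[2],
                    ipaddress.ip_network(parts[3]),
                    ipaddress.ip_network(parts[4]), dports)


def evaluate(acl: List[AclEntry], proto: str, src_ip: str,
             dst_ip: str, dport: int) -> Tuple[str, Optional[int]]:
    """First matching entry decides; no match falls through to deny (fail closed)."""
    sip, dip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in acl:
        if e.proto not in ("ip", proto):
            continue
        if sip not in e.src or dip not in e.dst:
            continue
        if e.dports is not None and dport not in e.dports:
            continue
        return e.action, e.number
    return "deny", None


# Constructed rule set: SIP signaling only to the proxy on 5060; explicitly deny
# the unconstrained high-port range to internal phones; allow internal web clients
# out; everything else falls to the implicit deny.
RULES = [parse_entry(line) for line in (
    "10 permit udp 0.0.0.0/0 203.0.113.10/32 5060",
    "20 deny   udp 0.0.0.0/0 192.168.10.0/24 1024-65535",
    "30 permit tcp 192.168.10.0/24 0.0.0.0/0 80-443",
)]
```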


Conclusions

One promising approach is to combine an application layer gateway with a stateful packet filtering firewall.

In this approach, an ALG software module running in close logical proximity to a NAT firewall device updates payload and header data made invalid by address translation.


Conclusions

One particular technology that looks promising with regard to making firewalls intelligent and VoIP-aware is Deep Packet Inspection (DPI).

Deep Packet Inspection may enhance firewall capabilities by adding the ability to dynamically open and close ports for VoIP application traffic.
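The following Python sketch is an added example, not code from the slides or from any firewall product, of the ALG-plus-stateful-filter approach on the previous slide and the dynamic port opening described here: it rewrites the private address that NAT invalidated in a SIP INVITE's Via, Contact and SDP c= lines, records the RTP/RTCP ports taken from the m= line as pinholes keyed by Call-ID (standing in for the state table), and closes them on BYE. The NAT mapping, Call-ID and message text are constructed.

```python
import re

# Constructed NAT mapping for this example: inside phone -> firewall's public address.
PRIVATE_IP, PUBLIC_IP = "192.168.10.5", "203.0.113.10"


def _call_id(head: str):
    m = re.search(r"^Call-ID:\s*(\S+)", head, flags=re.M | re.I)
    return m.group(1) if m else None


def alg_process(msg: str, pinholes: dict) -> str:
    """ALG step for an outbound SIP request; returns the (possibly rewritten) message.

    pinholes maps Call-ID -> set of (proto, public_ip, port) the firewall admits.
    """
    head, sep, sdp = msg.partition("\r\n\r\n")
    call_id = _call_id(head)
    method = head.split(" ", 1)[0]
    if method == "BYE" and call_id in pinholes:
        del pinholes[call_id]            # call ended: close its media ports
        return msg
    # Via and Contact headers carry the private address; replace it with the public one.
    head = head.replace(PRIVATE_IP, PUBLIC_IP)
    # The SDP 'c=' line tells the far end where to send RTP; after NAT it must be public.
    sdp = re.sub(r"^c=IN IP4 " + re.escape(PRIVATE_IP) + r"\b",
                 "c=IN IP4 " + PUBLIC_IP, sdp, flags=re.M)
    m = re.search(r"^m=audio (\d+) RTP/AVP", sdp, flags=re.M)
    if method == "INVITE" and m and call_id:
        port = int(m.group(1))           # RTP port; RTCP conventionally uses port + 1
        pinholes[call_id] = {("udp", PUBLIC_IP, port), ("udp", PUBLIC_IP, port + 1)}
    return head + sep + sdp


def media_allowed(pinholes: dict, proto: str, dst_ip: str, dst_port: int) -> bool:
    """Firewall check for an inbound media packet: only ports the ALG opened pass."""
    return any((proto, dst_ip, dst_port) in ports for ports in pinholes.values())


# Constructed INVITE with SDP, as a phone behind NAT would send it.
INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.10.5:5060;branch=z9hG4bK776\r\n"
    "Contact: <sip:alice@192.168.10.5:5060>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\no=alice 1 1 IN IP4 192.168.10.5\r\n"
    "c=IN IP4 192.168.10.5\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
BYE = "BYE sip:bob@example.net SIP/2.0\r\nCall-ID: a84b4c76e66710\r\n\r\n"
```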


References

1. T. Porter, Practical VoIP Security. Rockland, MA: Syngress, 2006, Ch. 13.