S 4.290 Requirements on security gateways for VoIP
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
If an IP data network is used for VoIP, there are additional requirements, especially in terms of the security of the network. In many cases, strict separation of the voice and data networks is impossible, since softphones on workstation computers access the VoIP server in the voice network from the data network, groupware clients allow the telephone numbers of stored contacts to be called directly from the application, or VoIP servers with directory services such as LDAP (Lightweight Directory Access Protocol) are connected, for example. In addition, sites of government agencies, companies, or organisations that are separated geographically may be networked, with these sites using a central VoIP server for communication throughout the organisation and simultaneously using this connection to exchange data, for example.
A security gateway should be used to protect a secure internal system against unauthorised accesses from an insecure network, while simultaneously permitting authorised accesses to the protected areas. Which networks are considered secure or insecure, which resources are worthy of protection, and how they must be protected are specified in the security policy of the organisation (see also module S 3.1 Security gateway (firewall)).
When planning the use of VoIP, the existing security gateway should be examined to see if it could be adapted for VoIP usage. Otherwise, an additional security gateway must be purchased and installed for this purpose.
Selection of and requirements on a security gateway
The performance of the security gateways operated in a VoIP environment has an influence not only on the protection, but also on the quality of the voice communication. Processing the many small data packets typical of VoIP places a high load on the security gateway, so that delay and jitter introduced there directly affect the transmitted voice signals.
If signalling and voice data is forwarded by the security gateway, a VoIP-capable security gateway should be used that is able to analyse the signalling protocols used during the entire call connection and disconnection processes and to save corresponding status values. Based on the protocol data (e.g. the UDP ports to be used for the voice data transmitted with RTP), the necessary ports are opened for the duration of the communication.
Furthermore, the selection of the correct system depends on the following factors:
- How large is the network?
- Which system components are available? Do the existing switches permit VLAN separation of the voice and data networks? Do the existing routers support access control lists (ACLs) or security gateway functionalities?
- Which security gateways are already used in the data network?
- Is IP telephony restricted to the LAN only, or is internet telephony also planned?
- How comprehensive is the knowledge of the supporting IT personnel?
- Which VoIP system components will be used?
- What financial resources are available to implement the security objectives?
Designing a security gateway
Regardless of whether an existing security gateway is to be changed for the use of VoIP or a new system is to be procured, the gateway may consist of the following components:
- Stateless packet filter
Simple packet filters can be used on routers, layer 3 switches, and security gateways to separate the data and voice networks, but their filtering functionality is limited in comparison to that of stateful filters and/or application level gateways.
- Stateful packet inspection
Stateful packet filters allow the return packets necessary for communication to be forwarded dynamically and therefore provide a higher level of security for a network. They store the states of a connection and can therefore forward the return packets belonging to an existing connection without having to configure explicit access lists.
- Application level gateway (ALG)
Application level gateways, in contrast to the systems mentioned above, are not only able to filter at the IP address and port levels, but also at the application level. The advantages of application level gateways are especially noticeable when transmitting RTP packets. The end points exchange information on which UDP ports will be used for RTP transmission during the signalling phase (using SDP). A different port is generally used for each new call, and the corresponding port must be released on the security gateway. Since the ALG monitors the exchange of the protocol messages used to negotiate the IP addresses and the UDP ports to be used, it can adapt the filter dynamically to allow the corresponding RTP stream to pass.
When comparing stateless packet filters, stateful packet filters, and ALGs, the ALG is the recommended option wherever possible because of these advantages. To permit incoming RTP traffic, security gateways based on stateless or stateful packet filters must keep a large range of ports open at all times so that the RTP packets containing the voice data can be forwarded. Such a configuration poses a significant security risk.
Application level gateways, in contrast, only open the ports actually needed for the duration of the communication and therefore offer fewer possible points of attack.
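The following Python model illustrates the behaviour described above for a VoIP-capable security gateway and for the ALG: the signalling (here SIP with an SDP body) is inspected, the UDP ports announced for RTP and RTCP are opened only for the duration of the call, and they are closed again when the call is torn down. It is an added example written for this page, not code from any security gateway product, and the SIP messages, addresses, Call-ID and the static port range used for comparison are all constructed sample values.

```python
"""Model of ALG-style dynamic RTP pinholes derived from SIP/SDP signalling.
Added illustration with constructed sample messages; not product code."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Pinhole:
    """One UDP address/port pair the gateway allows while a call is active."""
    proto: str
    address: str
    port: int


def parse_sdp(sdp: str) -> list[Pinhole]:
    """Return the RTP and RTCP pinholes announced in an SDP body.
    The session-level c= line applies unless a media section carries its own;
    an explicit a=rtcp: attribute is honoured, otherwise RTCP is RTP port + 1.
    Media sections with port 0 (stream rejected) or non-RTP transport are skipped."""
    session_addr = None
    sections: list[dict] = []
    media: dict | None = None
    for raw in sdp.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        if key == "c":
            m = re.match(r"IN IP4 (\S+)", value)
            addr = m.group(1) if m else None
            if media is None:
                session_addr = addr
            else:
                media["addr"] = addr
        elif key == "m":
            m = re.match(r"(\w+) (\d+)(?:/\d+)? (\S+)", value)
            media = {"port": int(m.group(2)), "proto": m.group(3),
                     "addr": None, "rtcp": None}
            sections.append(media)
        elif key == "a" and media is not None and value.startswith("rtcp:"):
            media["rtcp"] = int(value.split(":")[1].split()[0])
    pinholes = []
    for s in sections:
        if s["port"] == 0 or not s["proto"].startswith("RTP/"):
            continue
        addr = s["addr"] or session_addr
        pinholes.append(Pinhole("udp", addr, s["port"]))
        rtcp = s["rtcp"] if s["rtcp"] is not None else s["port"] + 1
        pinholes.append(Pinhole("udp", addr, rtcp))
    return pinholes


def split_sip(message: str) -> tuple[str, dict, str]:
    """Split a SIP message into start line, lower-cased header dict and body."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for h in lines[1:]:
        k, _, v = h.partition(":")
        headers[k.strip().lower()] = v.strip()
    return lines[0], headers, body


class AlgState:
    """Tracks the pinholes open per call, keyed by the SIP Call-ID header."""

    def __init__(self) -> None:
        self.calls: dict[str, set[Pinhole]] = {}

    def handle(self, message: str) -> set[Pinhole]:
        """Inspect one signalling message and return the currently open pinholes."""
        start, headers, body = split_sip(message)
        call_id = headers.get("call-id", "")
        if start.startswith(("BYE ", "CANCEL ")):
            self.calls.pop(call_id, None)          # call ends: close its pinholes
        elif body and headers.get("content-type", "").startswith("application/sdp"):
            self.calls.setdefault(call_id, set()).update(parse_sdp(body))
        return self.open_pinholes()

    def open_pinholes(self) -> set[Pinhole]:
        return set().union(*self.calls.values()) if self.calls else set()


# Constructed sample dialogue: offer in the INVITE, answer in the 200 OK, then BYE.
CALL_ID = "a84b4c76e66710@192.0.2.10"
INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\n"
          f"Call-ID: {CALL_ID}\r\nContent-Type: application/sdp\r\n\r\n"
          "v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\n"
          "t=0 0\r\nm=audio 49170 RTP/AVP 0 8\r\na=rtpmap:0 PCMU/8000\r\n")
OK_200 = ("SIP/2.0 200 OK\r\n"
          f"Call-ID: {CALL_ID}\r\nContent-Type: application/sdp\r\n\r\n"
          "v=0\r\no=bob 1 1 IN IP4 198.51.100.7\r\ns=-\r\nc=IN IP4 198.51.100.7\r\n"
          "t=0 0\r\nm=audio 3456 RTP/AVP 0\r\na=rtcp:3459\r\n")
BYE = f"BYE sip:alice@example.com SIP/2.0\r\nCall-ID: {CALL_ID}\r\n\r\n"

# Constructed comparison value: a stateless/stateful filter without signalling
# awareness would have to keep a whole media port range open permanently.
STATIC_RTP_RANGE = range(16384, 32768)


def ports_exposed_static() -> int:
    return len(STATIC_RTP_RANGE)


def demo() -> tuple[int, int, int]:
    """Number of open pinholes after the INVITE, after the 200 OK and after the BYE."""
    alg = AlgState()
    return (len(alg.handle(INVITE)), len(alg.handle(OK_200)), len(alg.handle(BYE)))


if __name__ == "__main__":
    print("dynamic pinholes per call phase:", demo())
    print("ports permanently open with a static range:", ports_exposed_static())
```

The contrast is the point of the comparison above: the dynamic approach exposes two address/port pairs per direction only while the call exists, whereas the static alternative leaves the whole range reachable at all times regardless of whether any call is active.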
The use of protocols such as IAX (InterAsterisk eXchange) also makes it easier to design the security gateway. Since both the signalling and media transport information are transmitted using a stream of messages in this case, only one port must be specified. Since it is not necessary to negotiate the port used, no dynamic port filtering is required.
Configuring a security gateway
The security gateways used for VoIP are hardly any different from classic security gateways. The safeguards described in module S 3.1 Security gateway (firewall) must be implemented to design and securely operate the gateway.
The VoIP-specific settings must be configured according to the safeguards in this module; the product documentation describes how these safeguards are implemented for the specific product.
Review questions:
- Is there a provision governing the protection of the VoIP service by a security gateway?