5 Firewalls in VoIP Selected Topics in Information Security – Bazara Barry

Firewalls Firewalls demarcate inside from outside, trusted from non trusted networks, and they are used to separate VoIP from data on internal networks. Two significant issues affect firewall performance with regard to VoIP: the first is that the boundary between inside and outside or trusted and non trusted networks is gradually becoming less clear; the second is that most firewalls fail to adequately process VoIP packets and sessions. Selected Topics in Information Security – Bazara Barry

Firewalls Most firewalls share common characteristics: 1.They work as a choke point. 2.They can be configured to allow or deny any protocol traffic. 3.They provide a logging function for audit purposes. 4.They provide a NAT function. 5.Their operating systems are hardened. 6.They often serve as a VPN endpoint. 7.They fail closed. Selected Topics in Information Security – Bazara Barry

Shallow packet inspection Shallow packet inspection inspects only a few header fields in order to make processing decisions. As an IP packet traverses the firewall, the headers are parsed, and the results are compared to a rule set defined by a system administrator. The rule set, commonly based upon source and/or destination IP address, source and/or destination port, or a combination of the two, defines what type of traffic is subsequently allowed or denied. Selected Topics in Information Security – Bazara Barry

Stateful inspection A stateful inspection firewall registers connection data and compiles this information in a kernel-based state table. A stateful firewall examines packet headers and, essentially, remembers something about them (generally source/destination IP address/ports).The firewall then uses this information when processing later packets. Selected Topics in Information Security – Bazara Barry

Medium-depth packet inspection Mostly performed by Application Layer Gateways (ALG) which peer more deeply into the packet than packet filtering firewalls but normally do not scan the entire payload. An ALG provides intermediary services for hosts that reside on different networks, while maintaining complete details of the TCP connection state and sequencing. Selected Topics in Information Security – Bazara Barry

Medium-depth packet inspection An application-level gateway (or proxy server), acts as a relay of application-level traffic. A user contacts the gateway to access some service, provides details of the service, remote host & authentication details, contacts the application on the remote host and relays all data between the two endpoints. Selected Topics in Information Security – Bazara Barry

Medium-depth packet inspection Selected Topics in Information Security – Bazara Barry

Deep packet inspection To address the limitations of Packet Filtering, Application Proxies, and Stateful Inspection, a technology known as Deep Packet Inspection (DPI) was developed. DPI analyzes the entire packet, and may buffer, assemble, and inspect several related packets as part of a session. DPI engines parse the entire IP packet, and make forwarding decisions by means of a rule-based logic that is based upon signature or regular expression matching. Selected Topics in Information Security – Bazara Barry

Deep packet inspection The issue with DPI is that packet data contents are virtually unstructured compared with the highly structured packet headers. Analysis of packet headers can be done economically since the locations of packet header fields are restricted by protocol standards. However, the payload contents are, for the most part, unconstrained. Selected Topics in Information Security – Bazara Barry

Deep packet inspection Particular attention must be paid to firewall and deep packet inspection configurations to make sure they don’t introduce unacceptable latency. Implementation of some security measures can degrade QoS. These complications range from interruption or prevention of call setup by firewalls to encryption- produced latency and delay variation ( jitter). Selected Topics in Information Security – Bazara Barry

VoIP aware firewalls The basic problem with firewalls in VoIP environments is twofold: Firewall administrators are reluctant to open up a range of high ports (> 1024) that will allow uncontrolled connections between external and internal hosts, and firewalls often rewrite information that is necessary for VoIP signaling traffic to succeed. Selected Topics in Information Security – Bazara Barry

SIP Firewall issues In the context of traversing firewalls and NAT, SIP’s primary problem relates to determination of the “real” IP addresses of end users or UAs, which are often located in private IP address space. When used as a VoIP application, SIP opens bidirectional UDP media channels over random high ports. Selected Topics in Information Security – Bazara Barry

Access control lists Network access control lists (ACLs) are table-like data structures that normally consist of a single line divided into three parts: a reference number that defines the ACL; a rule (usually permit or deny); and a data pattern, which may consist of source and/or destination IP addresses, source and/or destination port numbers, masks, and Boolean operators. Selected Topics in Information Security – Bazara Barry

Conclusions One promising approach is to combine an application layer gateway with a stateful packet filtering firewall. In this approach, an ALG software module running in close logical proximity to a NAT firewall device updates payload and header data made invalid by address translation. Selected Topics in Information Security – Bazara Barry

Conclusions One particular technology that looks promising with regard to making firewalls intelligent and VoIP-aware is Deep Packet Inspection (DPI). Deep Packet Inspection may enhance firewall capabilities by adding the ability to dynamically open and close ports for VoIP application traffic. Selected Topics in Information Security – Bazara Barry

References 1.T. Porter, Practical VoIP Security. Rockland, MA: Syngress, 2006, Ch 13.