Iomega® OfficeScreen® Managed Security Services - VoIP Integration

Securing Hosted Voice-over-IP

Hosted Voice-over-IP solutions providers face a unique set of challenges as they seek to deploy their solutions into Small and Mid-sized Business (SMB) customer networks. Many factors that have traditionally been outside of the provider’s responsibility, such as perimeter firewall, bandwidth contention and local area network Quality of Service (QoS), now affect their success.

Even the most stable VoIP delivery platform will have major call quality issues if the customer’s firewall and switch are not suited to facilitate the advanced signaling and media required for hosted VoIP applications.

Securing and assuring VoIP traffic is a challenge due to the dynamic nature of the ports and protocols. Firewalls need to understand VoIP signaling protocols. Otherwise, calls cannot pass through the firewall unless a range of ports is opened, which exposes the network to unauthorized access.

OfficeScreen Managed Services are delivered exclusively using Juniper® Networks Appliances that provide optimal VoIP security while prioritizing latency-sensitive voice applications. Hardware-accelerated unified threat management devices sit at the gateway of each office, inspecting VoIP traffic to manage session and port security in real time. Once configured, each device not only provides security but also dedicates bandwidth to voice traffic, assuring priority handling.

OfficeScreen Managed Services provide a comprehensive solution for secured and assured VoIP, maximizing voice performance and security.

OfficeScreen Firewall and VPN Service – Managed VoIP Security

OfficeScreen Firewall/VPN solutions are configured to enforce security policies, which are designed to protect communications between servers, PCs, VoIP end-devices and the outside world. These policies restrict VoIP communication based on authorized end-devices or traffic destined for a particular IP address or interface.

To secure VoIP solutions, OfficeScreen security hardware is configured to prioritize VoIP protocols (such as SIP, RTP, UDP, MGCP, and H.323) at the signaling layer and packet flows at the media layer. OfficeScreen units can be set up to segment the VoIP network, separating voice traffic to apply appropriate priority and policies.

OfficeScreen solutions offer best in breed hardware managed by expert engineers around the clock. Optional security services such as web-filtering, anti-virus, remote access and wireless security are also available.

Securing Hosted VoIP Port Vulnerabilities

Juniper Networks FW/VPN appliances included with OfficeScreen feature the Juniper proprietary Application Layer Gateway (ALG). The Application Layer Gateway is built into the hardware and is used to characterize a VoIP application’s protocol behavior, prioritizing and securing that traffic. Properly configured, the ALG protects against Session Initiation Protocol (SIP) port vulnerabilities of VoIP by opening ports for the duration of the call and closing these ports at the end of the call. This eliminates the need to permanently open WAN-facing ports to allow inbound voice traffic.

VoIP protocols have well-known ‘listener’ ports and assign data transfer to another port. This requires an ALG in order to maintain statefulness and traffic flow. The ALG extracts the dynamically assigned port information, opens the appropriate ports and then closes those ports when the session is completed to prevent data leakage. Configured such that external access is allowed only for encrypted users or authorized phone conversations, OfficeScreen makes the customer network invisible to the outside world.
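The open-on-call, close-on-hangup behavior described above can be modelled in a few lines. This is an added example, not Juniper's or OfficeScreen's ALG code: the class and function names are hypothetical, the SIP messages and addresses are constructed, and it assumes unencrypted SIP with a single audio stream per SDP body (no NAT rewriting, re-INVITE handling or idle timeouts).

```python
import re

class SipPinholeTable:
    """Toy SIP ALG state: RTP ports are reachable only while their call exists."""
    def __init__(self):
        self.pinholes = {}  # Call-ID -> set of (ip, udp_port) learned from SDP

    def inspect(self, msg):
        head, _, body = msg.partition("\r\n\r\n")
        start, *header_lines = head.split("\r\n")
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        call_id = headers.get("call-id")
        if call_id is None:
            return  # cannot be tied to a call, so nothing is opened
        if start.startswith("BYE "):
            self.pinholes.pop(call_id, None)  # call ended: close its ports
            return
        is_offer = start.startswith("INVITE ")
        is_answer = start.startswith("SIP/2.0 200") and "INVITE" in headers.get("cseq", "")
        if not (is_offer or is_answer):
            return
        # SDP body: c= carries the media address, m=audio the RTP port.
        conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
        media = re.search(r"^m=audio (\d+) RTP/", body, re.M)
        if conn and media and 1024 <= int(media.group(1)) <= 65535:
            hole = (conn.group(1), int(media.group(1)))
            self.pinholes.setdefault(call_id, set()).add(hole)

    def allows(self, ip, port):
        return any((ip, port) in holes for holes in self.pinholes.values())

def sip(start, call_id, cseq, ip=None, port=None):
    """Build a constructed SIP message, with an SDP body if ip/port are given."""
    sdp = f"v=0\r\nc=IN IP4 {ip}\r\nm=audio {port} RTP/AVP 0\r\n" if ip else ""
    return f"{start}\r\nCall-ID: {call_id}\r\nCSeq: {cseq}\r\n\r\n{sdp}"

def demo():
    alg, seen = SipPinholeTable(), []
    seen.append(alg.allows("192.0.2.10", 49170))   # before the call
    alg.inspect(sip("INVITE sip:b@example.test SIP/2.0", "c1", "1 INVITE", "192.0.2.10", 49170))
    alg.inspect(sip("SIP/2.0 200 OK", "c1", "1 INVITE", "198.51.100.7", 30000))
    seen.append(alg.allows("192.0.2.10", 49170))   # during the call
    seen.append(alg.allows("192.0.2.10", 49172))   # unrelated port stays closed
    alg.inspect(sip("BYE sip:b@example.test SIP/2.0", "c1", "2 BYE"))
    seen.append(alg.allows("192.0.2.10", 49170))   # after BYE
    return seen
```

The media port is reachable only between the INVITE and the BYE, and only the exact address and port negotiated in the SDP are opened rather than a standing range.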

Dedicating Bandwidth to VoIP Call Traffic

VoIP call control protocols, media requirements and dynamic port utilization present a challenging set of security vulnerabilities. Not all firewalls are created equal where the handling of latency-sensitive, port-shifting applications is concerned. This is the primary reason some firewalls drop calls or produce choppy voice quality.

Standard VoIP configurations with OfficeScreen include the fine tuning of Juniper’s proprietary ALG to specific protocol standards and securing of the LAN and wireless access points. With this configuration, sessions are secured and routed across ports based on the security policy profile, with lower priority traffic taking second place.

Once a call is initiated the ALG guarantees bandwidth to the call for its duration. This keeps other applications from stepping on VoIP traffic and ensures the highest priority. Aside from securing ports on the external interface of the customer network, the ALG smoothly handles complex signaling, service creation and voice transport traffic that can dynamically change ports, often in the middle of a conversation.

OfficeScreen VoIP configurations bridge the gap between LAN and WAN QoS protocols 802.1p and 802.1q with DiffServ, MPLS tagging and MGCP by providing a network gateway to the outside world that routes and prioritizes both sets of protocols. Managed Juniper appliances at the gateway of each network understand and bind the priority levels of wide area and local area network protocols as traffic passes through each gateway in the customer’s environment.

Advanced Denial of Service Protection

VoIP networks are vulnerable to many of the same security risks that data networks are, including Denial of Service (DoS) attacks, service theft, tampering, and fraud. Denial of Service is a problem for most data networks, but can be catastrophic for VoIP installations, as it can bring down both data and voice networks in one attack. Many conventional firewalls cannot combat VoIP attacks because VoIP is implemented at both the signaling and media layers of the network model.

OfficeScreen solutions provide advanced security, designed to protect the customer’s business critical VoIP application. External denial of service attacks can flood VoIP and gateway devices in hopes of causing them to crash or reboot. OfficeScreen units are configured to allow User Datagram Protocol (UDP - the primary protocol used in the media phase of a VoIP conversation) streams required for VoIP traffic without allowing UDP Denial of Service attacks to occur. Additionally, the OfficeScreen Gateway Anti-Virus option protects against worms and viruses that create internal denial of service conditions when a user’s computer is infected.

Even when the firewall supports DoS defense, inadequate configuration of the defenses can void the technical capabilities of the hardware. OfficeScreen Managed Services engineers have installed thousands of customer locations, implementing advanced security solutions on Juniper hardware for over six years. This experience results in smooth installation, VoIP bandwidth dedication through the gateway, denial of service protection and proactive troubleshooting.

Redundancy and Failover Configurations

For mission critical VoIP environments, OfficeScreen FW/VPN can be configured to integrate two broadband circuits with policy based traffic routing. In this configuration there are two paths to the hosted VoIP servers through the OfficeScreen appliance. VoIP traffic can be routed through the primary circuit and Internet through the second if so desired, with the Dual Homed configuration option.

Failure of the primary circuit results in failover to the secondary circuit for voice and Internet. Failback occurs when the primary comes back online, and the non-failure configuration resumes. This complex configuration is implemented by skilled OfficeScreen engineers and is included with the service.

No Hassle Managed Service

As a managed solution, OfficeScreen engineers monitor and respond to global security threats and outbreaks so customers can focus on their business. As VoIP technology evolves, so do the threats and vulnerabilities. OfficeScreen evolves with the technology and the threats, leveraging trained security engineers who monitor customer networks around the clock, updating devices as needed. Despite the evolution of OfficeScreen, as a managed service it offers predictable security costs without investment in engineering payroll, consulting fees and hardware expenses. OfficeScreen lets the customer focus on running their business, not on VoIP security and wide area network uptime.

Maintain Focus on Core Product Sales

Many VoIP solution providers see the value of offering complete solutions that include security, but are hesitant to have the security discipline detract from core product sales. OfficeScreen Managed Services allow the VoIP solutions provider to have best in breed VoIP security without detracting from core competencies or expending considerable resources and expense to extend the services through in-house efforts.

OfficeScreen Managed Services are available to hosted VoIP service providers as a brand-able service that generates revenue streams and also increases VoIP sales by offering specialized managed security services tailored to VoIP applications. OfficeScreen Hosted VoIP Service Provider programs include training and daily presales support. Ask your Iomega representative for more information on a program that meets your business needs.