Carrying real-time streaming media such as voice and video on a network
that was originally designed to carry data requires the marriage of two
disparate communication technologies. This fusion of circuit-based services
on packet-based technologies presents unique security challenges and
potential risks to operators.
At their heart, VoIP networks are IP networks. The devices in that
network are subject to the same attacks that can threaten any other kind of
IP device. Maintaining security is further complicated by the fact that VoIP
networks must interact with a variety of non-VoIP elements and must
communicate with other mission critical networks like the SS7 network.
Every point of interconnection with another domain presents a potential
security breach. This article, the first in a series, will explore the
unique challenges presented when interconnecting VoIP networks to other VoIP
and IP networks. Future columns will explore the security issues related to
interconnecting with SS7 and customer premises networks.
Apples And Oranges
Communication networks today, whether packet- or circuit-based, have
mechanisms in place to handle essential functions like addressing and
establishing signaling and media paths from one device to another. However,
the way in which data and voice networks handle these functions is
inherently different. When carriers attempt to lay voice communication onto
a data network, these differences can become painfully obvious.
Getting From Point A To B
In the voice network, each subscriber has a unique address, a directory
number that's globally known. This makes the task of passing calls from
one network to another relatively simple. However, in data networks
individual addresses are neither unique nor global.
The Internet is growing so quickly that IP address resources are being
rapidly depleted. To conserve the remaining available IP addresses, most
customers are assigned a single address or, in the case of large customers,
several addresses. A single address allows a customer to have only one
computer connected to the Internet or other IP network at a time, which is
not a very efficient way to do business.
Enter The NAT And Firewall
Network Address Translators (NATs) have been deployed to conserve IP addresses
and enhance security. NATs enable multiple computers within a private
network to connect to and communicate with an external IP network using a
single shared public IP address. The NAT translates a private, unregistered
address within a local network to a globally registered address in an
external network. From inside the network, devices can access any host in an
outside IP network. From outside the network, it appears that all traffic is
originating from a single valid IP address on the NAT.
Traditional NATs, also known as symmetrical NATs, are deployed in many
data networks. These devices are uni-directional: they allow sessions to be
initiated only from within the private network, so a request to establish a
session can never originate from the outside.
NATs also perform another network-critical role: providing security by
hiding private addresses from the outside world. The symmetrical NAT
provides additional security since it only allows connections that originate
within the network.
In addition to NATs, firewalls are also deployed at the network boundary
for security. The firewall screens all traffic before it is allowed to pass
through and into the network. The firewall screening rules are static and
typically set up to allow communication only between known, permitted port
numbers.
The Problem
Implementing peer-to-peer applications like Internet telephony on a data
network's client-server architecture, where every session must travel
through NATs and firewalls, poses significant challenges. In a peer-to-peer
architecture, end points are distributed across public and private networks.
External peers are just as likely as internal ones to originate a session.
This is a particular problem with symmetrical NATs since they allow sessions
to originate only from within the network.
NAT devices are application unaware. The NAT does not look at anything
above the IP/TCP/UDP/ICMP layer and does not translate or modify the
contents of the packets. Session applications such as H.323 and SIP carry
the IP address and port of the end device inside the message itself and use
them to establish a media flow between end points. Many of these
applications will be broken when routed through a NAT. For example, SIP
messages contain the address and port of the endpoint that is to receive the
media. If that endpoint has a private address, then media coming from an
external network may not reach it, since the address is not global. And if
the session originated in a direction that is not permitted by the NAT, it
will be rejected.
Call setup and teardown for voice service take place in real time. Port
numbers are assigned on demand, are dynamic, and are bound to the state of
the call. This poses challenges for firewall screening rules, which are
typically static. To enable voice service, the rules have to be modified in
real time as calls are established and released.
The Solution
The IETF MIDCOM working group is actively addressing these NAT and firewall
issues associated with unifying networks. Their proposed solution employs a
call-aware signal routing node that works in conjunction with the NAT and
firewalls to dynamically open and close pinholes to specific addresses. The
pinholes are created and closed as sessions to these addresses are
established and released. In addition, the node must inspect the session
establishment packets and rewrite the encoded private addresses to the
public addresses recognizable by the outside world. This solution is the
most elegant, but it requires upgrading NATs and firewalls. The node-based
solution is therefore viewed as a long-term fix, since the required upgrades
will likely delay its ubiquitous deployment in the near term.
While the IETF is exploring technical solutions, the International
Softswitch Consortium (ISC) has started a new working group to develop a
requirements document. The final document will be submitted to the IETF for
consideration and could influence the final technical solution. The group is
looking at the issue from a carrier and enterprise perspective to determine
the requirements for enabling VoIP in a firewall-protected network.
A Promising Future
Although the deployment of a unified network presents challenges, the
obstacles are not insurmountable. Successful solutions can be developed with
thoughtful network planning coupled with innovative product solutions. VoIP
offers great promise to operators: the ability to create more efficient and
cost-effective networks that can deliver advanced, revenue-generating
services. Taking time today to thoroughly understand all of the implications
of combining voice and data on a single network will ensure the future
success of VoIP.
Mr. Ravi Ravishankar is director, Advanced Technology Planning, at
Tekelec. His focus is on defining signaling solutions and products for the
next-generation packet telephony and 3G wireless networks. Tekelec is a
leading developer of telecommunications signaling infrastructure,
softswitches, testing, and diagnostic solutions, and service applications.
Please visit their Web site at www.tekelec.com.