
Packet IN
June 2002

Security Measures in Packet Networks Create Challenges for IP Telephony


Carrying real-time streaming media such as voice and video on a network that was originally designed to carry data requires the marriage of two disparate communication technologies. This fusion of circuit-based services on packet-based technologies presents unique security challenges and potential risks to operators.

At their heart, VoIP networks are IP networks. The devices in that network are subject to the same attacks that can threaten any other kind of IP device. Maintaining security is further complicated by the fact that VoIP networks must interact with a variety of non-VoIP elements and must communicate with other mission critical networks like the SS7 network.

Every point of interconnection with another domain presents a potential security breach. This article, the first in a series, will explore the unique challenges presented when interconnecting VoIP networks to other VoIP and IP networks. Future columns will explore the security issues related to interconnecting with SS7 and customer premise networks.

Apples And Oranges
Communication networks today, whether packet- or circuit-based, have mechanisms in place to handle essential functions like addressing and establishing signaling and media paths from one device to another. However, the way in which data and voice networks handle these functions is inherently different. When carriers attempt to lay voice communication onto a data network, these differences can become painfully obvious.

Getting From Point A To B
In the voice network, each subscriber has a unique address, a directory number that's globally known. This makes the task of passing calls from one network to another relatively simple. However, in data networks individual addresses are neither unique nor global.

The Internet is growing so quickly that IP address resources are being rapidly depleted. To conserve the remaining available IP addresses, most customers are assigned a single address or, in the case of large customers, several addresses. A single address allows a customer to have only one computer connected to the Internet or other IP network at a time, not a very efficient way to do business.

Enter The NAT And Firewall
Network Address Translators (NATs) have been deployed to conserve IP addresses and enhance security. NATs enable multiple computers within a private network to connect to and communicate with an external IP network using a single shared public IP address. The NAT translates a private, unregistered address within a local network to a globally registered address in an external network. From inside the network, devices can access any host in an outside IP network. From outside the network, it appears that all traffic is originating from a single valid IP address on the NAT.

Traditional NATs, also known as symmetrical NATs, are deployed in many data networks. These devices are uni-directional: a session can be initiated only from within the private network, so requests to establish a session can only be made from inside.

NATs also perform another network-critical role: providing security by hiding the private address from the outside world. The symmetrical NAT provides additional security since it only allows connections that originate within the network.

In addition to NATs, firewalls are also deployed at the network boundary for security. The firewalls screen all traffic before it is allowed to pass through and into the network. The firewall screening rules are static and typically set up to allow communication between valid known port addresses.

The Problem
Implementing peer-to-peer applications like Internet telephony on a data network's client-server architecture, where traffic must travel through NATs and firewalls, poses significant challenges. In a peer-to-peer architecture, end points are distributed across public and private networks. External peers are just as likely as internal ones to originate a session. This is a particular problem with symmetrical NATs since they allow sessions to originate only from within the network.

NAT devices are application unaware. The NAT does not look at anything above the IP/TCP/UDP/ICMP layer and does not translate or modify the contents of the packets. Session applications such as H.323 and SIP use the IP address of the end device carried inside the packet payload to establish a media flow between end points. Many of these applications will be broken when routed through the NAT. For example, SIP messages contain the address and port of the endpoint that is to receive the media. If that endpoint has a private address, then media coming from an external network may not reach it, since the address is not globally routable. And if the session originated in a direction that is not permitted by the NAT, it will be rejected.

Call setup and tear down for voice service takes place in real time. Port addresses are assigned on demand, are dynamic, and bound to the state of the call. This poses challenges when establishing firewall screening rules, which are typically static. To enable voice service, the rules have to be modified in real time as calls are established and released.

The Solution
The IETF MIDCOM working group is actively addressing these NAT and firewall issues associated with unifying networks. Their proposed solution employs a call-aware signal routing node that works in conjunction with the NATs and firewalls to dynamically open and close pinholes to specific addresses. The pinholes are created and closed as sessions to these addresses are established and released. In addition, the node must inspect the session establishment packets and rewrite the encoded private addresses to the public addresses recognizable by the outside world. This solution is the most elegant, but it requires upgrading NATs and firewalls. This node-based solution is viewed as a long-term fix, since upgrades will likely delay its ubiquitous deployment in the near term.
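As an added example (not from the article, Tekelec, or the MIDCOM drafts), the following shows where the private address problem described above sits in a SIP INVITE's SDP body and the address/port rewrite a call-aware node performs on it; the INVITE, the NAT's public address and the port mapping are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample (not from the article): a SIP INVITE from a phone behind
# a NAT. The SDP c= line carries the phone's private address and the m= line
# its RTP port; a plain NAT forwards both untouched, so external media fails.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True if addr is a private (RFC 1918) address, i.e. not globally routable."""
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def sdp_media_endpoints(message):
    """(address, port) pairs the SDP asks the far end to send media to."""
    body = message.split("\r\n\r\n", 1)[1]
    conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    ports = re.findall(r"^m=\S+ (\d+) ", body, re.M)
    return [(conn.group(1), int(p)) for p in ports]

def unreachable_media_endpoints(message):
    """Endpoints external media cannot reach because the address is private."""
    return [(a, p) for a, p in sdp_media_endpoints(message) if is_rfc1918(a)]

def rewrite_media_endpoints(message, public_ip, port_map):
    """What a SIP-aware NAT/ALG does: put the NAT's public address and the
    externally mapped port into the SDP. port_map (private port -> public
    port) is an assumed input; a real device must also fix Content-Length."""
    head, body = message.split("\r\n\r\n", 1)
    body = re.sub(r"^(c=IN IP4 )\S+", lambda m: m.group(1) + public_ip,
                  body, flags=re.M)
    body = re.sub(r"^(m=\S+ )(\d+)",
                  lambda m: m.group(1) + str(port_map.get(int(m.group(2)),
                                                           int(m.group(2)))),
                  body, flags=re.M)
    return head + "\r\n\r\n" + body
```

The same check run against the Via and Contact headers shows why signaling, not only media, needs the rewrite; the code above limits itself to the SDP media description.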

While the IETF is exploring technical solutions, the International Softswitch Consortium (ISC) has started a new working group to develop a requirements document. The final document will be submitted to the IETF for consideration and could influence the final technical solution. The group is looking at the issue from a carrier and enterprise perspective to determine the requirements for enabling VoIP in a firewall-protected network.

A Promising Future
Although the deployment of a unified network presents challenges, the obstacles are not insurmountable. Successful solutions can be developed with thoughtful network planning coupled with innovative product solutions. VoIP offers great promise to operators: the ability to create more efficient and cost-effective networks that can deliver advanced, revenue-generating services. Taking time today to thoroughly understand all of the implications of combining voice and data on a single network will ensure the future success of VoIP.

Mr. Ravi Ravishankar is director, Advanced Technology Planning, at Tekelec. His focus is on defining signaling solutions and products for the next-generation packet telephony and 3G wireless networks. Tekelec is a leading developer of telecommunications signaling infrastructure, softswitches, testing, and diagnostic solutions, and service applications. Please visit their Web site at www.tekelec.com.
