TMCnet.com
Laura Guevin Points Of Presence

BY LAURA GUEVIN
Managing Editor, INTERNET TELEPHONY


[June 30, 2000]

The VoIP Firewall Paradox

Believe me, I understand the importance of having firewalls for protection in this crazy Internet world. You've got denial of service attacks, thieves out hunting for credit card numbers and other valuable personal information, and bored hackers looking for the cheap thrill of breaking into an unprotected PC or network. I have a broadband Internet connection at home with a firewall protecting my small network, and I'm grateful for the safety and protection it has afforded me so far.

I became frustrated this week, however, when I tried to test out a new VoIP product at home and at the office, and was unable to get it to work because of firewalls in both locations. The product, Actiontec's InternetPhoneWizard, is simple in theory -- it's a small box that plugs into a USB or PCI port on your PC. It features two RJ-11 ports, one for connecting to a regular analog phone, and one for connecting to a modem if you have a dialup Internet connection. It allows users to place calls using their choice of a handful of ITSPs (including dialpad.com, Deltathree.com, MyFreeLD.com, Hottelephone.com, and e001.com for calling to Hong Kong and Singapore). One of the main features of the product is that it allows users to place PC calls using a normal phone, eliminating the use of those pesky headsets.

I got the product installed in both locations relatively easily, but when it came time to place calls, the trouble set in. I was able to call out using dialpad.com, and actually got through to the callers. The callers could hear me, but I could not hear them -- not the best way to conduct a conversation. I soon realized that the problem was not the InternetPhoneWizard, but the firewalls I was calling from behind, and I verified this by making a PC call through dialpad.com using a regular headset (eliminating the Wizard from the equation). I ran into the exact same problem.

THE FIREWALL DILEMMA
For your average dial-up modem user looking to make cheap phone calls, these problems are inconsequential (although dropped packets and echo are just some of the issues you'll likely encounter if you make a PC call over a 56 Kbps or slower connection). But for the growing number of home users with broadband Internet connections (not to mention small offices, and even larger offices like my own with a large network of users and a constant connection to the Internet), a firewall is a necessity, and running VoIP software becomes a problem.

According to Tom Keating, our CTO and resident technology guru here at TMC, the firewall problem extends beyond VoIP and the H.323 protocol, which uses a variety of dynamically chosen ports to pass voice packets. (For a great discussion on the importance of firewalls for broadband connections, read Tom's column.) The problem, says Tom, is with packets sent using the User Datagram Protocol (UDP). UDP is a transaction-oriented protocol used for real-time IP communications as an alternative to the Transmission Control Protocol (TCP). UDP makes no guarantee that a group of packets arrives at the same place or in a particular order, and it doesn't take network traffic into account when sending a transmission (unlike TCP, which adjusts for congested networks and carries packet-ordering information in its headers). But UDP offers speeds up to three times as fast as TCP, and that's a necessity for real-time IP voice communications and broadcast applications like RealAudio. With UDP, the application sending the packets is responsible for ensuring they arrive at the proper place, in the proper order. Unfortunately, many applications send UDP packets to multiple, unpredictable ports, and those ports must be open for the application to work. This can leave a network wide open to port flooding and other types of infiltration. As a result, many firewalls are configured to block UDP traffic, and I view this issue as a large hurdle to the mainstream acceptance of VoIP.

SAFETY AND SPEED
In fact, there are few solutions to the problem of security for VoIP traffic. Sure, a network administrator can open up specified ports to authorized UDP traffic, but crafty hackers can find their way around all sorts of authorization schemes. There are a few firewall products that claim to address this issue, but with the astounding projections for growth in the VoIP market, I'm surprised there aren't more solutions out there.

I met with a company called Aravox a couple of weeks ago, and was impressed with their packet filtering/intrusion detection firewall. The Aravox SP5000 Firewall is largely a software solution, and runs on a card in a CompactPCI chassis. It can scale within the chassis to process packets at 100 Mbps, and is aimed at service providers and CLECs offering VoIP service. It offers open APIs for easy integration with gateway and switching equipment, and operates at the network layer, separating signaling information (determined by H.323, SIP, and other VoIP protocols) from media information. What distinguishes this firewall from the many data firewalls on the market is that it opens and closes UDP ports on the fly for authorized traffic. The intelligence of the existing gatekeeper is used to determine which information is vital for call setup and processing, and those packets are the only ones allowed through the firewall.

Check Point Software also offers the FireWall-1 product, which provides a virtual connection on top of UDP streams. Information for each UDP connection is stored on the gateway, and every UDP packet that subsequently tries to pass through the firewall is recorded and checked against the pending connections. Only packets responding to a request are allowed to pass.
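To make the two approaches concrete, here is a toy stateful UDP filter (an added example, not code from the column, Check Point or Aravox) that models a FireWall-1 style pending-connection table alongside an Aravox-style signaling-aware pinhole; the addresses, ports, timeouts and the `open_pinhole` hook are assumptions constructed for illustration.

```python
# Added example (not the column's or any vendor's code): a toy stateful UDP
# filter modelling the two mechanisms described above, a FireWall-1 style
# pending-connection table and an Aravox-style signaling-aware pinhole.
# Addresses, ports and timeouts are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class StatefulUdpFilter:
    def __init__(self, timeout=30.0):
        self.timeout = timeout  # seconds an outbound request stays pending
        self.pending = {}       # (in_ip, in_port, out_ip, out_port) -> expiry
        self.pinholes = {}      # (in_ip, in_port) -> expiry

    def outbound(self, pkt, now):
        # Record the request so its reply (the reversed 4-tuple) is admitted.
        self.pending[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.timeout

    def open_pinhole(self, in_ip, in_port, now, lifetime=60.0):
        # Signaling-aware: the gatekeeper learns the media port during call
        # setup and opens it, as the column says the Aravox firewall does.
        self.pinholes[(in_ip, in_port)] = now + lifetime

    def inbound(self, pkt, now):
        """True if the packet answers a pending request or hits a live pinhole."""
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self.pending.get(reply_of, -1.0) >= now:
            return True
        return self.pinholes.get((pkt.dst, pkt.dport), -1.0) >= now

def demo():
    fw = StatefulUdpFilter(timeout=30.0)
    inside, provider = "192.0.2.10", "198.51.100.5"
    # SIP signaling on UDP 5060 leaves first, so its reply matches a pending entry.
    fw.outbound(Packet(inside, 4000, provider, 5060), now=0.0)
    signaling_reply = fw.inbound(Packet(provider, 5060, inside, 4000), now=1.0)
    # Media arrives on a port the inside host never sent from (one-way audio).
    media = Packet(provider, 7000, inside, 4002)
    media_blocked = not fw.inbound(media, now=2.0)
    fw.open_pinhole(inside, 4002, now=2.0)      # media port learned from call setup
    media_after_pinhole = fw.inbound(media, now=3.0)
    # Pending entries expire, so a late reply is dropped again.
    stale_reply = fw.inbound(Packet(provider, 5060, inside, 4000), now=45.0)
    return {"signaling_reply": signaling_reply, "media_blocked": media_blocked,
            "media_after_pinhole": media_after_pinhole, "stale_reply": stale_reply}
```

The blocked media packet is exactly the column's symptom: the caller's outbound audio is matched as a request, but the far end's audio lands on a port no outbound packet ever used, so only a pinhole opened from the signaling lets it through.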

I'm sure there are a few other firewall products out there that can handle VoIP traffic, but I have to wonder whether the needs of the average user are being addressed. Sure, you can make phone-to-phone IP calls now without even owning a PC, but free calling and interesting services like Web-based voice chat and video conferencing require an Internet connection. It's kind of an ugly paradox really: For VoIP to truly work as a quality enhanced service, callers must have high-bandwidth IP access. And that connection, whether it be to the Internet or a managed network, must be protected.

We have service providers (SPs) of every flavor emerging these days -- ASPs, VASPs, CASPs, and the list goes on. What about security service providers (they may already exist although I haven't heard the term used yet)? Surely there are some pioneering companies out there that can work with VoIP software vendors and firewall manufacturers to ensure the right packets are allowed to enter a network without compromising its security. It's the only way VoIP will have a chance of reaching the end users, who will ultimately elevate it into the mainstream service it's meant to be.

Laura Guevin welcomes your comments at lguevin@tmcnet.com.








Technology Marketing Corporation

2 Trap Falls Road Suite 106, Shelton, CT 06484 USA
Ph: +1-203-852-6800, 800-243-6002