[June 30, 2000]
The VoIP Firewall Paradox
Believe me, I understand the importance of having firewalls for
protection in this crazy Internet world. You've got denial of service
attacks, thieves out hunting for credit card numbers and other valuable
personal information, and bored hackers looking for the cheap thrill of
breaking into an unprotected PC or network. I have a broadband Internet
connection at home with a firewall protecting my small network, and I'm
grateful for the safety and protection it has afforded me so far.
I became frustrated this week, however, when I tried to test out a new
VoIP product at home and at the office, and was unable to get it to work
because of firewalls in both locations. The product, Actiontec's
InternetPhoneWizard, is simple in theory -- it's a small box that plugs
into a USB or PCI port on your PC. It features two RJ-11 ports, one for
connecting to a regular analog phone, and one for connecting to a modem if
you have a dialup Internet connection. It allows users to place calls
using their choice of a handful of ITSPs (including dialpad.com,
Deltathree.com, MyFreeLD.com,
Hottelephone.com, and e001.com
for calling to Hong Kong and Singapore). One of the main features of the
product is that it allows users to place PC calls using a normal phone,
eliminating the use of those pesky headsets.
I got the product installed in both locations relatively easily, but
when it came time to place calls, the trouble set in. I was able to call
out using dialpad.com, and actually got through to the callers. The
callers could hear me, but I could not hear them -- not the best way to
conduct a conversation. I soon realized that the problem was not the
InternetPhoneWizard, but the firewalls I was calling from behind, and I
verified this by making a PC call through dialpad.com using a regular
headset (eliminating the Wizard from the equation). I ran into the exact
same problem.
THE FIREWALL DILEMMA
For your average dial-up modem user looking to make cheap phone calls,
these problems are inconsequential (although dropped packets and echo are
just some of the issues you'll likely encounter if you make a PC call over
a 56 Kbps or slower connection). But for the growing number of home users
with broadband Internet connections (not to mention small offices, and
even larger offices like my own with a large network of users and a
constant connection to the Internet), a firewall is a necessity, and
running VoIP software becomes a problem.
According to Tom Keating, our CTO and resident technology guru here at
TMC, the firewall problem extends beyond VoIP and the H.323 protocol,
which negotiates the ports for its voice packets dynamically during call
setup. (For a great discussion on the importance of firewalls for broadband
connections, read Tom's column.) The problem, says Tom, is with packets
sent using User Datagram Protocol (UDP). UDP is a connectionless datagram
protocol used for real-time IP communications as an alternative to the
Transmission Control Protocol (TCP). UDP sets up no connection, does not
number its datagrams or put them back in order, does not retransmit the
ones that are lost, and does not slow down when the network is congested
(TCP does all of these, carrying sequence numbers in its headers and
backing off under congestion). That lack of machinery is exactly what
real-time voice and broadcast applications like RealAudio want: a datagram
is delivered or dropped right away, with no waiting for a retransmission
that would arrive too late to play anyway. Any sequencing or loss handling
is left to the application; for voice that usually means the RTP header
carried inside each UDP packet, whose sequence number and timestamp let
the receiver reorder what it can and conceal what it cannot. Unfortunately,
the media ports are chosen per call, and often per direction, so the far
end sends its voice to a UDP port that appears in no firewall rule, and
that port must be open for the audio to arrive. Opening a wide range of
UDP ports to all comers leaves the network exposed to port flooding and
other unsolicited traffic, so many firewalls are simply configured to drop
inbound UDP. The result is the one-way audio described above: outbound
voice leaves unhindered, and inbound voice is discarded at the firewall. I
view this issue as a large hurdle in the mainstream acceptance of VoIP.
SAFETY AND SPEED
In fact, there are few solutions to the problem of security for VoIP
traffic. Sure, a network administrator can open a fixed range of UDP ports
for the VoIP application, but a static hole admits anything sent to those
ports, not just the far end of an authorized call, and crafty hackers can
find their way around all sorts of authorization schemes. There are a few
firewall products that claim to address this issue, but with the
astounding projections for growth in the VoIP market, I'm surprised there
aren't more solutions out there.
I met with a company called Aravox
a couple of weeks ago, and was impressed with their packet
filtering/intrusion detection firewall. The Aravox SP5000 Firewall is
largely a software solution, and runs on a card in a CompactPCI chassis.
It can scale within the chassis to process packets at 100 Mbps, and is
aimed at service providers and CLECs offering VoIP service. It offers open
APIs for easy integration with gateway and switching equipment, and
operates at the network layer, separating signaling information
(determined by H.323, SIP, and other VoIP protocols) from media
information. What distinguishes this firewall from the many data firewalls
on the market is that it opens and closes UDP ports on the fly for
authorized traffic. The intelligence of the existing gatekeeper is used to
determine which information is vital for call setup and processing, and
those packets are the only ones allowed through the firewall.
Check Point Software also
offers the FireWall-1 product, which tracks a virtual connection on top
of each UDP stream. When a host inside the firewall sends a UDP packet, the
gateway records the source and destination addresses and ports as a
pending connection; every UDP packet that subsequently tries to pass
through the firewall is checked against the pending connections, and only
a packet that answers a recorded request, from the same remote address and
port the request went to, is allowed through. That handles request/reply
protocols neatly, but a voice stream that arrives from a different remote
port, or before the inside host has sent anything, has no pending
connection to match and is dropped like any other unsolicited UDP.
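The three behaviors discussed above, the plain "drop inbound UDP" rule, the FireWall-1 style reply tracking, and the Aravox style signaling-driven pinhole, can be replayed against one simulated call. The following is an added example written for this column; it is not code from Actiontec, Aravox or Check Point. The addresses and port numbers are constructed, the 40-second tracker timeout is an assumption, and the "MEDIA" / "RELEASE" messages are a constructed stand-in for the media address an H.323 endpoint advertises during call setup (no real H.245 or SDP parsing is attempted).

```python
"""Simulated UDP filtering policies for VoIP media (constructed example)."""
from dataclasses import dataclass

INSIDE = "10.0.0.5"       # constructed: PC running the softphone behind the firewall
GATEWAY = "203.0.113.7"   # constructed: ITSP media gateway on the Internet


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = inside -> Internet, "in" = Internet -> inside
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


class StatelessUdpBlock:
    """Policy 1: the common data-firewall rule. TCP and outbound UDP pass;
    every inbound UDP datagram is dropped, whatever it carries."""

    def allow(self, pkt, now=0):
        return pkt.proto != "udp" or pkt.direction == "out"


class StatefulUdpTracker:
    """Policy 2: a 'virtual connection' over UDP, as the FireWall-1 passage
    describes. Each outbound datagram records its 4-tuple; an inbound datagram
    is admitted only if it is the exact reverse of a recorded tuple that has
    not timed out. Media from a different remote port, or arriving before the
    inside host has sent anything, does not match."""

    def __init__(self, timeout=40):          # assumed timeout, in seconds
        self.timeout = timeout
        self.pending = {}                    # (src, sport, dst, dport) -> expiry

    def allow(self, pkt, now=0):
        if pkt.proto != "udp":
            return True
        if pkt.direction == "out":
            self.pending[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.timeout
            return True
        expiry = self.pending.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return expiry is not None and now <= expiry


class SignalingPinholeFirewall:
    """Policy 3: the signaling-aware approach. The firewall reads the media
    address the inside endpoint advertises during call setup, opens an inbound
    pinhole for exactly that (remote host, local host, local port) triple, and
    closes it when the call is released. Inbound UDP to anything else is dropped."""

    def __init__(self):
        self.pinholes = set()

    def on_signaling(self, remote_host, message):
        # Constructed stand-in for the media line of an H.245 OpenLogicalChannel
        # or an SDP "m=audio" line; e.g. "MEDIA 10.0.0.5:49152" or "RELEASE".
        verb, _, rest = message.partition(" ")
        if verb == "MEDIA":
            host, port = rest.split(":")
            self.pinholes.add((remote_host, host, int(port)))
        elif verb == "RELEASE":
            self.pinholes = {h for h in self.pinholes if h[0] != remote_host}

    def allow(self, pkt, now=0):
        if pkt.proto != "udp" or pkt.direction == "out":
            return True
        return (pkt.src, pkt.dst, pkt.dport) in self.pinholes


def run_call_scenario():
    """Replay one call against all three policies. For each policy, returns
    whether these inbound datagrams reach the softphone, in order:
    [reply from the same remote port, voice from a different remote port,
     unsolicited UDP from a stranger, reply arriving long after the call started]."""
    out_rtp = Packet("out", INSIDE, 49152, GATEWAY, 30000)        # PC sends voice first
    symmetric = Packet("in", GATEWAY, 30000, INSIDE, 49152)       # gateway answers from same port
    asymmetric = Packet("in", GATEWAY, 30001, INSIDE, 49152)      # gateway sends from another port
    unrelated = Packet("in", "198.51.100.9", 5000, INSIDE, 49152)  # constructed stranger
    results = {}
    for name, fw in (("stateless", StatelessUdpBlock()),
                     ("stateful", StatefulUdpTracker(timeout=40)),
                     ("pinhole", SignalingPinholeFirewall())):
        if isinstance(fw, SignalingPinholeFirewall):
            fw.on_signaling(GATEWAY, f"MEDIA {INSIDE}:49152")   # call setup seen by the firewall
        fw.allow(out_rtp, now=0)
        results[name] = [fw.allow(symmetric, now=1),
                         fw.allow(asymmetric, now=1),
                         fw.allow(unrelated, now=1),
                         fw.allow(symmetric, now=100)]
    return results


if __name__ == "__main__":
    for policy, flags in run_call_scenario().items():
        print(f"{policy:9s} symmetric={flags[0]} asymmetric={flags[1]} "
              f"stranger={flags[2]} late={flags[3]}")
```

The stateless policy reproduces the one-way audio from the opening of the column: outbound voice passes, every inbound datagram is dropped. Reply tracking fixes the case where the gateway answers from the very port the PC sent to, but not the case where it sends from another port, and it expires once the tracker times out. Only the pinhole policy admits the gateway's media on whatever port it uses while still refusing the stranger, and it closes the hole when the call is released.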
I'm sure there are a few other firewall products out there that can
handle VoIP traffic, but I have to wonder if the needs of the average user
are being addressed. Sure, you can make phone-to-phone IP calls now
without even owning a PC, but free calling and interesting services like
Web-based voice chat and video conferencing require an Internet
connection. It's kind of an ugly paradox really: For VoIP to truly work as
a quality enhanced service, callers must have high-bandwidth IP access.
And that connection, whether it be to the Internet or a managed network,
must be protected.
We have service providers (SPs) of every flavor emerging these days --
ASPs, VASPs, CASPs, and the list goes on. What about security service
providers (they may already exist although I haven't heard the term used
yet)? Surely there are some pioneering companies out there that can work
with VoIP software vendors and firewall manufacturers to ensure the right
packets are allowed to enter a network without compromising its security.
It's the only way VoIP will have a chance of reaching the end users, who
will ultimately elevate it into the mainstream service it's meant to be.
Laura Guevin welcomes your comments at lguevin@tmcnet.com.