TMCnet News

TECH-TIP - VoIP Testing - Part 2 of 2 - Proxy/Gateway/Border Controller Security Options
[May 26, 2005]



TECHtionary.com TECH-TIP - Proxy/Gateway/Border Controller Security Options
Part 2 of 2 is available at www.techtionary.com
Part 2 explains various types of VoIP systems and different security formats and includes detailed animations on:
• Proxy/Gateway/SBC-Session Border Controllers In/Outside the Firewall
• Proxy/Gateway in Co-Edge Mode
• Proxy/Gateway Outside the Firewall
This tutorial will review these formats and risks associated with them. For example, when a firewall provides NAT between an internal and an external network, proxies may allow VoIP traffic to be processed properly, even in the absence of a firewall that can translate addresses for VoIP traffic. Since VoIP is not the only type of data traffic and since each customer situation is completely different, guidance from the VoIP/IT designer is essential.


-- More Details
Proxy/Gateway/Session Border Control Inside the Firewall applies when, during VoIP call setup, the ports and addresses require a detailed inspection (sometimes referred to as a Stateful Inspection) as the setup progresses. If the firewall does not support dynamic ACL-Access Control Lists based on that inspection, Proxy and Gateway Servers can be used just inside the firewall. For SBCs, there are arguments for placing the SBC inside (behind) the firewall, outside it, or at the carrier (service provider).

Proxy in Co-Edge (2-edge) Mode is the situation where local interior IP addresses must be translated to valid exterior IP addresses. The firewall must be capable of decoding and translating all addresses passed in the various VoIP protocols. If the firewall is not capable of this translation task, a Proxy Server may be placed next to the firewall in a Co-edge Mode. In this configuration, the Proxy's interfaces lead to both the inside and outside networks. To avoid exposing a network to unsolicited traffic, configure the Proxy to route only proxied traffic. In other words, the Proxy Server routes only VoIP protocol traffic that is terminated on the inside and then repeated to the outside.


Proxy/Gateway Outside the Firewall applies if the firewall does not support VoIP dynamic ACL-Access Control Lists. The firewall can be configured with static ACLs that allow traffic from the Proxy/Gateway Servers through the firewall. This poses a security risk if a hacker can spoof, or simulate, the IP addresses of the Proxy/Gateway Servers and use them to attack their own network.
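The difference between the dynamic ACLs of the inside-the-firewall case and the static ACL of the outside-the-firewall case can be modeled in a few lines. This is an added example, not part of the TECHtionary tutorial; the SDP bodies, addresses (RFC 5737 documentation ranges), call ID and class and function names are all constructed for illustration.

```python
import re

# Constructed SDP bodies from a call setup; 192.0.2.10 plays the inside phone,
# 198.51.100.20 the Proxy/Gateway outside the firewall (assumed roles).
OFFER_SDP = "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n"
ANSWER_SDP = "v=0\r\nc=IN IP4 198.51.100.20\r\nm=audio 36000 RTP/AVP 0\r\n"

def media_endpoint(sdp):
    """Return (ip, port) of the audio stream advertised in an SDP body."""
    ip = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
    port = re.search(r"^m=audio (\d+) ", sdp, re.M)
    if not ip or not port:
        raise ValueError("SDP lacks a c= or m=audio line")
    return ip.group(1), int(port.group(1))

class DynamicAcl:
    """Stateful inspection: one pinhole per negotiated media flow, per call."""
    def __init__(self):
        self.pinholes = {}  # call_id -> {(src_ip, dst_ip, dst_port), ...}

    def open_call(self, call_id, offer_sdp, answer_sdp):
        a_ip, a_port = media_endpoint(offer_sdp)
        b_ip, b_port = media_endpoint(answer_sdp)
        # Each side may send only to the port the other side advertised.
        self.pinholes[call_id] = {(b_ip, a_ip, a_port), (a_ip, b_ip, b_port)}

    def close_call(self, call_id):
        # Call teardown removes the pinholes again.
        self.pinholes.pop(call_id, None)

    def permits(self, src_ip, dst_ip, dst_port):
        flow = (src_ip, dst_ip, dst_port)
        return any(flow in holes for holes in self.pinholes.values())

def static_acl_permits(src_ip, proxy_ips):
    """Static ACL: anything claiming a Proxy/Gateway source address passes."""
    return src_ip in proxy_ips
```

With the static rule, a packet carrying the proxy's source address is accepted for any inside port at any time; the dynamic ACL accepts it only for the negotiated media port and only while the call exists.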

The remainder of the animated tutorial provides details on VoIP Security including DoS-Denial of Service. Please see other TECHtionary tutorials on IP Security or SS7. In VoIP security, there are two primary network issues - Signaling Path (in green) and Media Path (in purple). The Signaling Path shown here comes from control of TCP-Transmission Control Protocol issues explained next. Media Path control comes from protection of the conversation contained in IP-Internet Protocol packets.
-----
NEXT WEEK WIRELESS SECURITY
