The Place of VoIP Firewalls in Your Network

By Mac McCarver

In a previous blog, we described the concept and purpose of a session border controller (SBC). An SBC ensures the security of a PBX network. But implementing an SBC into a network does not necessarily replace the utility of firewalls. A properly configured VoIP firewall still constitutes a useful line of defense for a network.

VoIP Firewall?

The concept of ‘hacking’ and network security predates the Internet (notably, for example, the hacking of telephone lines to make free calls or for more malicious intentions). But in the early days of computer networking, it quickly became apparent how vulnerable digital networks are. This led to the adoption of ‘firewalls’ within computer networking circles.

The term comes from architecture. If you examine old townhomes, you’ll notice that a thick wall separates each unit. That wall is the firewall, so named for containing fires. So, in a PBX network, a VoIP firewall monitors and controls network packet exchange between a trusted internal network and an untrusted external network (like the Internet).

Best Practice: SBC AND VoIP Firewall

The best practice in implementing a Unified Communications system is to utilize both a VoIP firewall and an SBC. This is because they complement and support each other in a common function.

SBCs and firewalls both perform similar network border security functions, but they work in different ways. Traffic on a network is standardized on the OSI model, which abstracts traffic into seven layers without reference to the structure of the network or hardware from which it originates. (This type of standardization is what allows large networks of diverse systems like the Internet to exist.)

Protection at Different Levels

From one to seven, the information contained in each layer gets more specific, with layer one being the physical (electrical, radio, or optical) vehicle for network traffic and layer seven being application-level specific data.

A VoIP firewall monitors traffic by inspecting it at layers three and four. In other words, it inspects packets and packet segments of incoming network traffic. This allows it to block most threats, while remaining high-level enough to handle high traffic volumes. An SBC, on the other hand, can inspect traffic on any level.

Session Initiation Protocol (SIP), which establishes and ends real-time communication sessions on a network, is the most popular protocol used in VoIP telephony. And its specific operations (like its SIP address, for instance) reside in the seventh layer of network traffic.

Securing SIP Traffic

Some VoIP firewalls can distinguish a packet as a SIP packet but lack the ability to identify a malicious SIP packet. That’s why many firewalls have to be configured to allow SIP traffic through, sometimes blocking it by default. But even particularly SIP-aware VoIP firewalls that can dynamically open and close ports for SIP traffic, leave your network vulnerable to malicious SIP traffic.

An SBC can read all the intricate details of a SIP stack, understand if its properly addressed and safe, and even provide SIP codec translation to allow interoperability between systems operating on different SIP codecs. This enhances the security of the network by closing the small window of opportunity for attack via SIP channels.

To put it simply: if you compare a PBX network to a castle, a VoIP firewall is the gate and walls that are able to efficiently admit or exclude large volumes of traffic. And the SBC is like the guard who can more accurately monitor traffic but can become a bottleneck if confronted with too much traffic. The combination of high-level, high-traffic supervision that a VoIP firewall affords with the low-level, specific protection from an SBC ensures the total security of a PBX network.

Security – Only One Aspect of Network Readiness for Unified Communications

VoIP firewalls and SBCs perform vital functions in protecting a network internally from a malicious attack and externally with encryption and network address translation (protecting topology and network addresses). But security is only one consideration in ensuring your network is properly equipped for VoIP and Unified Communications (UC), whether you’re in the process of migrating to UC or are already operating with VoIP in some capacity.

Watch the Webinar

Join the Sangoma family for an informative, free webinar discussing every aspect of optimum network conditions for ensuring world-class quality of service on your Unified Communications system! Click here to watch!

Related Posts

No Comments Yet

Get the conversation started!

Add to the Discussion

Your email address will not be published. Required fields are marked *

About the Author

Mac McCarver

Mac McCarver is the Content Creation Manager at Digium. His chief responsibility in this role is the creation of engaging content for distribution on all of Digium’s platforms. He graduated with honors from the University of North Alabama with a BA in English Literature. For his efforts, he was selected for membership in Sigma Tau Delta, the international honor society for distinguished achievement in English language, literature, and writing.

See All of Mac's Articles