Firewalls, Schmirewalls

Posted: 10/2003

You Can Provide VoIP Services to Security-Conscious Customers Using Network-Boundary Solutions
By Dan Freedman

As anyone who has ever set up a voice-over-IP (VoIP) network that involves a firewall can tell you, firewalls and VoIP don't mix well at all. In fact, most VoIP communications stop dead at the firewall, causing problems for branch offices, road warriors and anyone else on the other side.

Why is it that firewalls cause so much trouble for VoIP, and what can be done about it? The root of the problem is that VoIP represents a kind of traffic that firewalls don't know how to deal with, for three reasons:

First, each call consists of between six and 10 data streams, whereas protocols like HTTP, TELNET, SMTP and POP each consist of a single, bi-directional connection. Correlating all the VoIP streams requires in-depth protocol knowledge, which most firewalls don't yet have.

Second, VoIP streams can start outside-in, whereas most other protocols start inside-out. That is, most other protocols begin with an inside machine making an outbound request for some kind of information. With VoIP, however, when someone calls you and needs to make your VoIP phone ring, it's an outside-in communication. Since the firewall sees an initial inbound data stream with no corresponding inside-out stream, it treats the stream as an attack and denies it passage.

Third, firewalls apply network address translation (NAT) to packet headers but do not know how to translate VoIP packet bodies, which contain many IP addresses used in complex call-routing situations. The result is that even when packets are allowed in and out, their bodies end up out of sync with their headers, and the call fails.

These three problems will go away in a few years if firewalls become VoIP-aware, but in the meantime, if you want to deploy VoIP to customers with firewalls, you'll need a solution. Over the last year, a number of vendors have developed network-boundary solutions for VoIP that solve these problems. The best of these solutions doesn't attempt to replace, modify or circumvent the firewall, something usually not well received by the customer for obvious reasons. Instead, the best-of-breed solutions work just like a Web proxy or mail host, sitting in the firewall's DMZ and routing traffic in and out with the firewall's full knowledge. These solutions perform address translation on the VoIP streams themselves, solving the third problem. They also have deep call knowledge, allowing them to solve the first problem of correlating call streams.

They also use properly configured firewall pinholes to solve the second problem of outside-in communications. Some can even push these functions up into the network, so a service provider can take responsibility for firewall and NAT traversal of VoIP streams.
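As an added illustration, not code from the article or from any vendor's product, the following Python assumes the signalling protocol is SIP carrying an SDP body (constructed sample message, constructed addresses and port map): it enumerates the media streams the body describes (the first problem), detects the header/body mismatch that a header-only NAT leaves behind (the third problem), and rewrites the body the way a DMZ boundary proxy would.

```python
# Constructed sample: a SIP INVITE plus SDP body as a phone behind NAT would send it.
# The firewall rewrites the IP header to its public address but leaves the body alone.
INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)

def is_rfc1918(ip):
    """True for the private ranges a NAT hides behind a public address."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)

def sip_body(msg):
    """The SDP body follows the blank line that ends the SIP headers."""
    return msg.partition("\r\n\r\n")[2]

def sdp_media_endpoints(body):
    """(ip, port) pairs the body tells the far end to send media to; each m= line is one stream."""
    ip, endpoints = None, []
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
        elif line.startswith("m="):
            endpoints.append((ip, int(line.split()[1])))
    return endpoints

def body_out_of_sync(packet_src_ip, body):
    """Packet arrived from a public address but the body still advertises a private one."""
    return not is_rfc1918(packet_src_ip) and any(
        is_rfc1918(ip) for ip, _ in sdp_media_endpoints(body))

def fix_sdp(body, public_ip, port_map):
    """Rewrite c= and m= lines as a boundary proxy does: public address plus its pinholed relay ports."""
    out = []
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            line = f"c=IN IP4 {public_ip}"
        elif line.startswith("m="):
            parts = line.split()
            parts[1] = str(port_map[int(parts[1])])
            line = " ".join(parts)
        out.append(line)
    return "\r\n".join(out) + "\r\n"
```

Run against the sample, `body_out_of_sync("203.0.113.7", sip_body(INVITE))` is true before `fix_sdp` and false after it, which is exactly the mismatch the firewall's header-only NAT cannot repair.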

Bottom line: firewalls and VoIP don't yet mix, but with the proper application of a well-crafted network-boundary traversal solution, the 70 percent of residential users and 98 percent of business users behind firewalls become available to you as potential customers.

Dan Freedman is CEO of Jasomi Networks Inc., a provider of IP solutions for carriers and enterprise networks.
