[VOIPSEC] VoIP, Firewalls and NATs
Andrew Graydon
agraydon at borderware.com
Mon Feb 13 07:21:20 CST 2006
There are a lot of vendors in the marketplace which are offering ALG
based solutions for VoIP security, another lot with firewall based
solutions and then the SBC and hybrid solutions.
I think that this question raises some excellent points, as a flood of
replies mentioned lots of different vendors but one common theme: they
don't all work :) This is not through a lack of professionalism on the
part of the vendors but unfortunately the case in any implementation of
a standard which is in progress. We have been working our way through
these issues as a community for a few years now, and still, as is
apparent from the vendor responses, you must be careful to ensure
compatibility and interoperability of the various solutions.
In retrospect, with other IP communications protocols such as HTTP,
SMTP, FTP, etc., we primarily execute security at both ends of the
OSI stack, transport and application, utilising firewalls and proxies
separately, e.g. a firewall and a SPAM/AV gateway, leveraging the
expertise and experience of each vendor in each area. Is there a reason
we are approaching, or expect to approach, this problem differently?
Let the vendor flames begin :)
Andrew
_____
Andrew Graydon
Chair Security Requirements Committee
VOIPSA
agraydon at voipsa.org
http://www.voipsa.org
-----Original Message-----
From: Shrikant Latkar [mailto:shri at juniper.net]
Sent: February 10, 2006 2:21 PM
To: chris at InfraVAST.com; aservin at itesm.mx
Cc: Voipsec at voipsa.org
Subject: Re: [VOIPSEC] VoIP, Firewalls and NATs
Juniper Networks also offers FW and IPS appliances that have ALG based
security for H.323 and SIP. Our IPS and FW systems have received
numerous awards for their performance in VoIP deployment.
We have done interop with Avaya and other vendors for the ALGs.
Shrikant
-----------------
Date: Fri, 10 Feb 2006 09:22:56 -0700
From: "Boswell, Jason S (Jason)" <jboswell at lucent.com>
Subject: Re: [VOIPSEC] VoIP, Firewalls and NATs
To: "'Christopher A. Martin'" <chris at InfraVAST.com>, Arturo Servin
<aservin at itesm.mx>
Cc: Voipsec at voipsa.org
Message-ID:
<81FC03339A3F6B4DB2D80276126BE855B7651B at co7010exch002u.ih.lucent.com>
Content-Type: text/plain; charset="iso-8859-1"
Lucent's VPN Firewall Brick also does full ALG inspection of SIP and
H323.
Lots of security vendors offer ALG-level firewalls, but, in my opinion,
you have to focus on vendors that are involved with specific solutions.
There are still a lot of problems with trying to make a firewall into an
SBC, which is essentially what you are trying to do in certain
situations. The reason I say it depends on the solution is that
different vendors seem to have done more testing with certain solutions
than others. SIP is still rather unconstrained, so you run into
different gotchas depending on the devices in the solution. So, a Cisco
might work well with AcmePackets but might not with Kagoor. A Lucent
firewall might be great with a Broadworks solution but not with another
one. Sonus might have a problem with certain firewalls but not others.
(just throwing names out there, not trying to make specific claims).
Hope that helps.
-Jason Boswell