[VOIPSEC] Has anyone found or done a comprehensive review of open source firewalls with a focus on SIP?
J. Oquendo
sil at infiltrated.net
Sat Feb 2 21:21:38 CST 2008
Jim Van Meggelen wrote:
> I put a posting on the taug.ca list regarding firewalls, and got a lot of
> great responses, but I couldn't help but wonder if anyone had ever done a
> comprehensive review of the various firewalls out there, and some sort of
> comparison with a weight towards handling VoIP traffic efficiently.
>
> Has anyone had any experiences that they would be willing to share?
>
> Regards,
Alright, not a "comprehensive review" but factual experiences. I
currently work at a managed VoIP provider. I work with everything
from Asterisk, PBXNSIP, Avaya, Epygi, CCM, Lucent etc., and yup
(hey Dan) Mitel equipment. Being we do VoIP termination as well
I'm constantly having to guide network and security engineers to
get things working. I myself on a daily basis work with the
following: Checkpoint, Netscreen, Stonegate, Sonicwall, Open
Source fw's (IPF, IPTables, PF) and others here and there.
In order of preference with an explanation:
Stonegate - What a firewall should be
PIX/ASA - Fixup helps a lot
Open Source fw's
Netscreen
...
...
Dare I even place Checkpoint in the mix. Sonicwall!
Stonegates have been the easiest and most logical setups and
work best for high availability which is a plus for me. The
only other "TRUE" highly available firewall I've seen I think
is made by Borderware (HALO High Availability Link Optimization).
PIX/ASA works best in a Cisco environment but their phones
are horrible when playing with PBX's like Asterisk, etc.,
so much so we don't even recommend it. Costs us more in the
long run by way of support to fiddle with it.
Open Source fw's I should have placed first but many CSO,
CTO types have the notion that if it doesn't cost money
it's not worth it. Me personally, I configure open source
fw's out of habit on my managed PBX's (Asterisk and others)
and I've also written my own IPS/IDS like scripts to deter
and detect toll fraud.
Netscreen... I love my Netscreen. I just wish they weren't
so damn expensive. Can be a pain to set up, but once you've
done over 5 configurations it dawns on you "now I get it!"
Checkpoint... Jesus... I've first dabbled with Checkpoint
back in 97/98. Hated it then, not quite fond of it now.
For VoIP it's a pain when doing NAT. NAT in itself can be
a pain and you can go the STUN server routes, do as much
as you'd like but you would think Checkpoint and their
ego bastardized NAT to a point that it's a bigger pain to
get it to work with VoIP when it already was a pain
to begin with.
Sonicwall... I've got a 2040 on my desk... It supports
my other equipment and remains unplugged as it should
be. I let it collect dust so my other equipment doesn't
http://infiltrated.net/reDesigned/
In the pictures you can see what I think of Sonicwall.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)
wget -qO - www.infiltrated.net/sig|perl
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E