[VOIPSEC] Voipsec Digest, Vol 14, Issue 11
Boswell, Jason S (Jason)
jboswell at lucent.com
Fri Feb 10 20:35:48 CST 2006
Erwin
Problems that you would run into are generally dependent upon the devices
involved within the solution. Some are bugs, some are limitations, some are
configuration gotchas. The most common issues I have seen are things like:
* One-way RTP streams
* Problems with 3-way conference calls
* Problems with voicemail forwarding
* Scalability/throughput
* Name resolution issues
As the saying goes, "your results may vary". The bottom line I was trying
to get across is there is no easy answer or magic bullet solution. The
discussion gets even more complicated when you bring security into it. So,
regardless of what vendor you choose [ I'm trying to stay vendor-neutral
here :-) ] there are certain levels and phases of testing that you will need
to go through. Things are much better now than they were even 6 months ago,
and 6 months before that, etc. I think maybe the vendors are finally
starting to catch up with the market in the sense that all of the features
and configuration options that have been flooding into SIP for the past few
years are more solidified now. Once the bugs are worked out of the system,
then it's a matter of deciding how you want to secure it in terms of layers,
policies, etc., but that's another discussion.
Happy hunting!
Jason Boswell
-----Original Message-----
From: Erwin Davis [mailto:erwin.davis at gmail.com]
Sent: Friday, February 10, 2006 3:23 PM
To: Voipsec at voipsa.org; Boswell, Jason S (Jason)
Subject: Re: Voipsec Digest, Vol 14, Issue 11
Hi, Jason,
What are the problems with making a firewall into an SBC?
Any resources related to those problems? Thanks,
e
Message: 3
Date: Fri, 10 Feb 2006 09:22:56 -0700
From: "Boswell, Jason S (Jason)" <jboswell at lucent.com>
Subject: Re: [VOIPSEC] VoIP, Firewalls and NATs
To: "'Christopher A. Martin'" <chris at InfraVAST.com>, Arturo Servin
<aservin at itesm.mx>
Cc: Voipsec at voipsa.org
Message-ID:
<81FC03339A3F6B4DB2D80276126BE855B7651B at co7010exch002u.ih.lucent.com>
Content-Type: text/plain; charset="iso-8859-1"
Lucent's VPN Firewall Brick also does full ALG inspection of SIP and H323.
Lots of security vendors offer ALG-level firewalls, but, in my opinion, you
have to focus on vendors that are involved with specific solutions. There
are still a lot of problems with trying to make a firewall into an SBC,
which is essentially what you are trying to do in certain situations. The
reason I say it depends on the solution is that different vendors seem to
have done more testing with certain solutions than others. SIP is still
rather unconstrained, so you run into different gotchas depending on the
devices in the solution. So, a Cisco might work well with AcmePackets but
might not with Kagoor. A Lucent firewall might be great with a Broadworks
solution but not with another one. Sonus might have a problem with certain
firewalls but not others. (just throwing names out there, not trying to
make specific claims).
Hope that helps.
-Jason Boswell
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org]
On Behalf Of Christopher A. Martin
Sent: Saturday, February 04, 2006 10:00 AM
To: Arturo Servin
Cc: Voipsec at voipsa.org
Subject: Re: [VOIPSEC] VoIP, Firewalls and NATs
For robustness Ingate offers the best of breed in this area, as they are
proxy based.
Cisco, Netscreen, and Checkpoint offer application level gateway
solutions, as well as Linksys (also Cisco).
Microappliances also had a proxy solution but I have not heard much from
them on their product in some time.
These are all good starting points if you are performing research.
Chris
Arturo Servin wrote:
>
>
> I am doing personal research about VoIP security and the use
>of firewalls, IPS and NAT. I remember some issues a couple of years ago
>specifically with NAT and H.323. I guess there was the same problem with
>SIP. Also I remember a topic in this email list about SIP proxies. Do you
>know if there are still issues with Firewalls/NAT/IPS and VoIP, how the
>vendors and protocols are dealing with this? Any comments?
>
>
>
>Thanks in advance,
>
>-as
>