Can your data-oriented firewall handle packet voice traffic?
Firewalls provide security by blocking intrusions into an enterprise network.
By allowing certain traffic in while blocking other kinds, they represent the
physical implementation of an enterprise's security policies.
But firewalls also produce performance problems and cause delay. Most firewalls
are designed for data applications and are not application-specific, though
some firewall vendors (such as CheckPoint and F5 Networks) are moving towards
deep packet inspection. This is a move to more application-specific security,
even though it does not yet cover voice-over-IP packet analysis.
VoIP and firewalls
VoIP traffic requires real-time delivery, short delay, low jitter and low packet
loss across networks. Data firewalls are not designed for real-time applications.
Among other issues, they have difficulty dealing with Network Address Translation
(NAT) and VoIP signalling.
Besides these challenges, other performance and control issues arise when voice
passes through a firewall. Next-generation firewalls will have to understand
the concept of a call in order to do voice traffic analysis.
These complexities point toward the central question: what is the best way for
enterprises to deploy firewall capabilities in converged voice/data networks?
Protecting and passing VoIP traffic
VoIP creates a whole new set of firewall problems. To understand these problems,
we first have to understand how VoIP traffic crosses the firewall perimeter.
A VoIP call uses either the TCP or UDP protocol with well-known application
ports to set up a call. TCP port 1720 is used as the primary port for H.323,
and UDP port 5060 is used for SIP (which rarely employs TCP, though the
latest version of the standard recommends that TCP be used with SIP in the future).
VoIP also requires one or two additional UDP ports to be opened for each individual
voice traffic stream. One port is used for the real-time protocol (RTP) traffic
that carries the voice packets, and a second optional port may be assigned to
monitor the performance of the RTP call, using the real-time control protocol
(RTCP). This means that three UDP ports are required for a SIP-based call (for
call control, monitoring, and the voice payload itself). The early version of
H.323 required two UDP ports for RTP and two UDP ports for RTCP.
The UDP ports should be opened only for the duration of the call. Static UDP
port assignment, that is, keeping ports open permanently, essentially
leaves the firewall open and not really secure. And not only does the firewall
have to open UDP ports dynamically, it must do it rapidly, for multiple calls
simultaneously, with short delay and without introducing jitter or packet loss.
Cheaper and older firewall products lack this dynamic UDP port assignment capability.
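The dynamic behaviour described above, as an added example that is not part of the original article and is not any vendor's product code: a small model of a VoIP-aware stateful firewall that inspects SIP signalling, opens UDP pinholes for the RTP port announced in the SDP body (and the RTCP port one above it, following the RFC 3550 convention) only while the call identified by its Call-ID is in progress, and closes them on BYE. The two SIP messages, the addresses and the port numbers are constructed samples; only the signalling ports 1720 and 5060 come from the article.

```python
"""Model of a VoIP-aware firewall opening media pinholes per call (added example)."""
import re
from dataclasses import dataclass, field

SIP_PORT = 5060    # SIP signalling port named in the article
H323_PORT = 1720   # H.323 call-setup port named in the article

# Constructed sample SIP messages (not captured traffic); headers abbreviated.
INVITE = """INVITE sip:bob@example.com SIP/2.0
Call-ID: a84b4c76e66710@10.0.0.5
CSeq: 1 INVITE
Content-Type: application/sdp

v=0
o=alice 2890844526 2890844526 IN IP4 10.0.0.5
c=IN IP4 10.0.0.5
m=audio 49170 RTP/AVP 0
"""

BYE = """BYE sip:bob@example.com SIP/2.0
Call-ID: a84b4c76e66710@10.0.0.5
CSeq: 2 BYE

"""


@dataclass(frozen=True)
class Pinhole:
    """One dynamically opened (proto, host, port) allowance tied to a call."""
    host: str
    port: int
    proto: str = "udp"


@dataclass
class VoipFirewall:
    # Only the signalling ports are allowed statically; media ports are never
    # left open permanently, which is the weakness the article warns about.
    static_allow: frozenset = frozenset({("udp", SIP_PORT), ("tcp", H323_PORT)})
    calls: dict = field(default_factory=dict)   # Call-ID -> set of Pinhole

    def allows(self, proto: str, host: str, port: int) -> bool:
        """Would a packet to host:port over proto pass the firewall right now?"""
        if (proto, port) in self.static_allow:
            return True
        return any(Pinhole(host, port, proto) in holes for holes in self.calls.values())

    def process_sip(self, msg: str) -> set:
        """Inspect one SIP message and adjust pinholes; returns the call's open pinholes."""
        msg = msg.replace("\r\n", "\n")
        start_line, _, rest = msg.partition("\n")
        method = start_line.split(" ", 1)[0]
        headers, _, body = rest.partition("\n\n")
        m = re.search(r"^Call-ID:\s*(\S+)", headers, re.M)
        if not m:
            raise ValueError("SIP message without Call-ID")
        call_id = m.group(1)

        if method == "BYE":
            # Call ended: close every media pinhole that belonged to it.
            self.calls.pop(call_id, None)
            return set()

        # INVITE (or a 200 OK answer) carrying SDP announces the media endpoint.
        conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
        audio = re.search(r"^m=audio (\d+) ", body, re.M)
        if conn and audio:
            rtp = int(audio.group(1))
            holes = {Pinhole(conn.group(1), rtp),        # RTP voice payload
                     Pinhole(conn.group(1), rtp + 1)}    # RTCP monitoring (RTP port + 1)
            self.calls.setdefault(call_id, set()).update(holes)
        return self.calls.get(call_id, set())


def demo() -> dict:
    """Walk one call through the firewall and report what was allowed at each stage."""
    fw = VoipFirewall()
    host = "10.0.0.5"
    before = fw.allows("udp", host, 49170)
    fw.process_sip(INVITE)
    rtp = fw.allows("udp", host, 49170)
    rtcp = fw.allows("udp", host, 49171)
    other = fw.allows("udp", host, 49172)      # not announced in SDP: stays blocked
    fw.process_sip(BYE)
    after = fw.allows("udp", host, 49170)
    return {"before": before, "rtp": rtp, "rtcp": rtcp, "other": other, "after": after}


if __name__ == "__main__":
    print(demo())
```

Running the block shows the RTP and RTCP ports passing only between the INVITE and the BYE, and an unannounced neighbouring port blocked throughout; a firewall that cannot track the call in this way is left choosing between blocking the media and opening a static port range.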
One possible VoIP-specific solution is to embed security functions in VoIP gateways,
such as the one in Avaya's Gateway product line. The Avaya gateway integrates
VoIP firewall protection, VPN functionality, and IP-telephony support. It also
includes a bandwidth manager to provide QoS for voice traffic.
This article first appeared in Asia Computer Weekly