Consider these issues when making a VoIP decision

Mike Mullins discusses two major areas that require significant study and attention before beginning a VoIP project.


Voice over IP (VoIP) technology is becoming more and more prevalent in corporate networks. Depending on the size of a company and the monthly costs for local and long distance service to separate networked sites, it can prove cost-effective to implement a VoIP network.

When deciding whether to implement VoIP, organizations should focus on quality of service (QoS) through the network as well as the cost of deployment. These two major areas require significant study and attention before beginning a VoIP project.

In addition, organizations should take several security precautions into consideration before beginning an implementation. For example, don't use the same IP addressing scheme as your current network; this helps protect the new network from misuse and denial-of-service attacks.

In order to protect your VoIP network, it's important to understand VoIP protocols and the problems that you might encounter.

Know the protocols

A VoIP deployment could use several protocols for its call signaling, call control, and media communications. These protocols use a wide range of ports to provide VoIP functionality.

Depending on your VoIP vendor, these protocols could include the following:

  • Session Initiation Protocol (SIP): This signals over UDP or TCP to port 5060, and it sends the Real-Time Transport Protocol (RTP) audio stream to UDP ports 16384 through 32767.
  • H.323: This uses unicast and multicast for gatekeeper discovery over UDP port 1718, initiates remote access service to UDP port 1719, and uses H.225 and H.245 for call signaling over TCP port 1720 and capability exchange over TCP ports 1000 through 65535, respectively.
  • Media Gateway Control Protocol (MGCPv1): This uses media gateway and call-agent signaling to UDP port 2427, and it initiates an RTP audio stream to UDP ports 16384 through 32767.

Prepare for these security problems

As you can see, VoIP depends heavily on UDP traffic. This dependence yields two significant security problems.

How does VoIP work with a network using Network Address Translation (NAT)?
NAT has several notorious limitations. It modifies the source and/or destination address at the IP layer of the OSI model (Layer 3).

In addition, it doesn't modify the upper-layer protocols used by VoIP (Layers 4 and 5). VoIP embeds the port assignments that these protocols negotiate within the IP payload, so they pass through NAT untranslated.

How does VoIP work through a firewall?
By default, most firewalls deny an outside connection that has no corresponding internal origination. By design, firewalls only allow outside traffic from well-known ports. But VoIP traffic randomly uses high UDP ports for inbound calls.
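
Both problems show up in a single SIP message. The following is an added example, not code from the original article: it parses the SDP body of a constructed INVITE and reports where the address and RTP port embedded in the payload disagree with what NAT put in the IP header, and which inbound UDP port a firewall would have to permit. The sample message, addresses, and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: a SIP INVITE after a NAT device rewrote only the IP
# header. All names and addresses are made up for this example.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 16500 RTP/AVP 0\r\n"
)

RTP_PORTS = range(16384, 32768)  # RTP range given in the article
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_sdp_media(message):
    """Return (connection address, audio port) embedded in the SDP body."""
    _, _, body = message.partition("\r\n\r\n")
    addr, port = None, None
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    return addr, port


def nat_findings(message, observed_src_ip):
    """Compare what the payload advertises with what the IP header shows."""
    addr, port = parse_sdp_media(message)
    if addr is None or port is None:
        return ["no audio media description found"]
    findings = []
    if addr != observed_src_ip:
        findings.append(f"SDP advertises {addr}, IP header shows {observed_src_ip}")
    if any(ipaddress.ip_address(addr) in net for net in RFC1918):
        findings.append(f"{addr} is private; the far end cannot route RTP to it")
    if port in RTP_PORTS:
        findings.append(f"inbound RTP expected on UDP {port}; firewall must permit it")
    return findings
```

Calling nat_findings(SAMPLE_INVITE, "203.0.113.10") returns all three findings; a VoIP-aware NAT or firewall has to rewrite the c= and m= values and open the negotiated port for the call's duration.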

Final thoughts

Deploying VoIP technology involves several major hurdles. During your planning phase, check with the vendor of your current network and firewall equipment to see if it offers any support for VoIP applications. This can help build security into your initial deployment.

Also plan for fault tolerance and redundancy. Extending a live VoIP network is much more difficult than just adding disks to an array.

Keep in mind that VoIP is still an emerging technology. It's a good idea to wait until it matures before deploying it, and then you can learn from others' mistakes.

