Hackers beware

Firewall security for data differs greatly from firewall security for voice. Most firewalls today are designed to protect data networks, but data firewalls cause latency in real-time communications such as voice and video transmissions.

As a result, many voice transmissions travel unprotected from port to port to prevent delays and disruptions, which leaves the door open for hackers and denial of service attacks. Currently, most voice-over-IP (VoIP) traffic occurs in private networks, but as it transitions to the public Internet, more firewalls geared specifically toward VoIP will be needed.

Enter Aravox Technologies, which has created an IP infrastructure solution designed specifically to handle voice traffic. Aravox helps companies such as Level 3 Communications protect their global IP networks.

“You can't wait three or four seconds to hear the other person talk. You can't wait a second between the packets as they arrive stored and forwarded through the network,” said Craig Warren, co-founder and vice president of marketing for Aravox. “There's going to have to be a provision on the IP network to allow voice traffic to travel unimpeded and without undue processing on the packets.”

The company's technology was designed to handle external and internal threats and serves three segments of the VoIP market: backbone carriers, access providers and enterprises.

Level 3 uses Aravox's VoiceShield firewall in its native IP end-to-end network, the (3)Voice Exchange, which was designed to enable telephone-quality voice communication via PCs and IP phones.

The VoiceShield firewall supports call control engines such as the Session Initiation Protocol (SIP) proxy server and the H.323 gatekeeper so that media ports can be opened and closed on a per-call basis. The Aravox technology also performs network address translation from private to public networks.

It's very difficult to secure a VoIP network with static rules about the kind of traffic admitted, as can be done in a data network, according to Jon Peterson, senior architect for Level 3. “The whole need for firewalls is motivated by the need for a device that can respond to dynamic information that is present in SIP signaling that describes how you need to configure rules about admitting particular traffic into the network,” he said.

The Aravox firewall sits at the edge of Level 3's network. “We want to prevent people from trying to break into our softswitches, hijack our softswitches or gateways, or attacking our billing collection systems,” Peterson said. “By having some security at our edges and preventing IP traffic that isn't associated with calls from entering our network, we can be reasonably assured that these kinds of devices are not going to come under scrutiny.”

Aravox integrates with existing VoIP architectures by working with companies such as dynamicsoft, which processes the signaling through a VoIP network, Warren said.

But Aravox goes beyond just creating a firewall to protect a VoIP network. Under its Aravox Network Service Platform the company offers four services that help protect a VoIP network (see box).

Aravox “seems to have the core components there that we know we need right now for voice over IP,” said Jeff Phillips, director of consulting for TeleChoice. “From firewalls, to the way they handle address translations and management, to the quality of service issue, to the bandwidth — those are some of the main things people are trying to address in the public environment.”

Mission control

Components of the Aravox network services platform

• Access control
  Protects network infrastructure by keeping media ports closed until instructed by a call manager to open them
• Address control
  Performs private-to-public IP network address translation in real time, protecting private networks and timesharing routable addresses
• Path control
  Network address translation enforces a consistent path for all media packets of a VoIP call
• Usage control
  Prevents overconsumption of bandwidth by regulating usage on a per-call basis

Source: Aravox