Category Archives: Knowledge Base

Polycom® SoundPoint® IP 331

Excellent sound quality and an enterprise-grade feature set.


Two-line entry-level phones
Superb sound quality and full-duplex speakerphone performance with
Clarity by Polycom™ acoustic technology
Enterprise-grade feature set
Easy to configure and use
Integrated Power over Ethernet (PoE) support
Interoperability with leading IP PBX and Softswitch platforms
SIP features

Features and Benefits

Two lines
Full-duplex IEEE 1329 Type 1-compliant speakerphone with Clarity by Polycom™ acoustic technology
102 x 33-pixel graphical LCD
Integrated 802.3af PoE support
Two-port 10/100 Ethernet switch (SoundPoint IP 331); single 10/100 Ethernet port (SoundPoint IP 321)
Small footprint

TLS & SRTP

The TLS and SRTP Combination

Firewalls offer the ability to encrypt SIP signaling by changing the transport from UDP/TCP to TLS (Transport Layer Security). Some also include support for SRTP (Secure Real-time Transport Protocol). SRTP provides a high level of security for live media through strong encryption, confidentiality, message authentication and replay protection.

Together, this powerful SRTP-TLS combination protects media from being overheard by unauthorized persons, providing an extremely high level of security for live data. Using TLS and SRTP to encrypt signaling and media traversing the Internet effectively stops eavesdroppers, hackers and spoofers. The firewall either decrypts the signaling and media and delivers them “in the clear” to devices on the Local Area Network (LAN), or passes the encrypted packets on to the server or phone so that they stay encrypted all the way to the user. This flexibility permits the network administrator to tailor the use of encryption to the needs of the organization and the capabilities of the other SIP equipment in the network. The integrity of the call is much stronger than was ever possible on the PSTN. Used in conjunction with Ingate’s full SIP proxy technology, Ingate’s TLS-SRTP combination delivers maximum protection for enterprises using SIP communications.

More SIP Protocol Security & Compliancy

Providing all important layers of SIP security.

Solid firewalls have deep packet inspection (DPI) capability, which gives Ingate the ability to look at Layer 2 through Layer 7 of the OSI model. Since SIP is an application-layer (Layer 7) protocol in the OSI model, such products have a unique ability to evaluate SIP packets and apply rules for protocol non-compliance, routing rules and policies. Deep packet inspection also provides an important layer of security.

How else does a proper plan ensure security for SIP applications?

Products which strictly adhere to the SIP protocol look specifically for SIP compliance. If a message fails SIP protocol compliance, the Ingate uses SIP components such as its full SIP proxy and SIP B2BUA to correct or discard the traffic and resolve the compliance issue.

Such products can also apply policies to correct SIP non-conformances in areas such as:

Removal of VIA Headers
SIP Method Processing Rules
MIME Content Filtering
SIP Offer / Answer Call Flow
Escaped Whitespace Rules
SIP Method Authentication
URI Encoding
Session Timers
180 Response Removal
Username Checks
Limitation of Media Streams
Better Reliability
UDP Packet Size
Limitation of RTP Codecs
and so much more!

Depending on the nature of the failure to adhere to the protocol, the Ingate can also respond by denying service to the offending traffic.

SIP Deep Packet Inspection

Deep Packet Inspection (DPI) will identify and classify the SIP traffic based on a signature database

Deep packet inspection (or DPI) is a powerful way to protect not just SIP traffic, but also the network. DPI is a form of computer network packet filtering that examines the data (or datagram) and UDP/TCP header part of a packet as it passes through an Ingate SIParator or Firewall.

Such devices search for protocol non-compliance, viruses, spam, intrusions or other predefined criteria to decide whether the packet may pass, whether it must be routed to a different destination, or simply to collect statistical information. This contrasts with shallow packet inspection (usually called just packet inspection), which checks only the UDP/TCP header portion of a packet.

Shallow packet inspection is the kind of inspection commonly found in most NAT firewall devices.

As a firewall with Deep Packet Inspection capability, Ingate has the ability to look at Layers 2 through 7 of the OSI model. Since SIP is an Application Layer (Layer 7) protocol in the OSI model, Ingate products have a unique ability to:

Look at the SIP protocol packets, to provide non-protocol compliance rules, routing rules and statistical information, and
Provide IDS/IPS security features for an effective defense against overflow attacks, denial of service (DoS) attacks and sophisticated intrusions. This covers headers and SIP protocol structures as well as the actual payload of the message.

DPI identifies and classifies SIP traffic based on a signature database that includes information extracted from the data part of a UDP/TCP packet, providing extremely precise control of SIP traffic, finer than any classification based on header information alone.
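To make the compliance policy list and the DPI description above concrete, here is an added example (Python; not Ingate's code) of the kind of SIP-aware inspection both sections describe: a datagram arriving on the signaling port is first checked to be SIP at all, then checked for mandatory headers, a known method, UDP packet size, the number of media streams and a codec allow-list, and classified as PASS or DISCARD with the reasons. The limits, the allow-list and the sample messages are constructed for this example, using documentation addresses and example.com.

```python
import re

# Policy values below are constructed for this example; they are not Ingate defaults.
MAX_UDP_SIZE = 1300            # RFC 3261 18.1.1: requests near the MTU (~1300 bytes) should use TCP
MAX_MEDIA_STREAMS = 2          # e.g. one audio plus one video stream per call
ALLOWED_CODECS = {"PCMU", "PCMA", "G729", "telephone-event"}
REQUIRED_HEADERS = ["Via", "From", "To", "Call-ID", "CSeq"]   # Max-Forwards is added for requests
SIP_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS", "PRACK",
               "SUBSCRIBE", "NOTIFY", "REFER", "MESSAGE", "UPDATE", "INFO", "PUBLISH"}
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "m": "contact",
           "c": "content-type", "l": "content-length", "k": "supported", "s": "subject"}


def parse_sip(raw):
    """Split a datagram into (start line, {lower-case header: [values]}, body).
    Returns None when the bytes are not a SIP request or response at all."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start = lines[0]
    if not (re.match(r"^\S+ \S+ SIP/2\.0$", start) or re.match(r"^SIP/2\.0 \d{3} ", start)):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None                       # header line without a colon: malformed
        name = name.strip().lower()
        name = COMPACT.get(name, name)        # expand compact header forms (v: -> Via, ...)
        headers.setdefault(name, []).append(value.strip())
    return start, headers, body


def inspect(raw, transport="udp"):
    """Classify one packet seen on the SIP signaling port: ("PASS", []) or ("DISCARD", reasons)."""
    parsed = parse_sip(raw)
    if parsed is None:
        return "DISCARD", ["not SIP: non-SIP traffic on the signaling port is dropped, not forwarded"]
    start, headers, body = parsed
    reasons = []
    if transport == "udp" and len(raw) > MAX_UDP_SIZE:
        reasons.append(f"UDP packet size {len(raw)} exceeds {MAX_UDP_SIZE} bytes")
    required = list(REQUIRED_HEADERS)
    if not start.startswith("SIP/2.0 "):                      # a request, not a response
        method = start.split(" ", 1)[0]
        if method not in SIP_METHODS:
            reasons.append(f"unknown SIP method {method}")
        required.append("Max-Forwards")
    for h in required:
        if h.lower() not in headers:
            reasons.append(f"missing mandatory header {h}")
    if "cseq" in headers and not re.match(r"^\d+ [A-Z]+$", headers["cseq"][0]):
        reasons.append("malformed CSeq header")
    if headers.get("content-type", [""])[0].lower() == "application/sdp":
        streams = [line for line in body.splitlines() if line.startswith("m=")]
        if len(streams) > MAX_MEDIA_STREAMS:
            reasons.append(f"{len(streams)} media streams offered, limit is {MAX_MEDIA_STREAMS}")
        codecs = set(re.findall(r"^a=rtpmap:\d+ ([^/]+)/", body, re.M))
        if codecs - ALLOWED_CODECS:
            reasons.append("codec(s) not permitted: " + ", ".join(sorted(codecs - ALLOWED_CODECS)))
    return ("DISCARD" if reasons else "PASS"), reasons


# Constructed sample traffic (documentation addresses, example.com).
GOOD_INVITE = (
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"Max-Forwards: 70\r\n"
    b"From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    b"To: Bob <sip:bob@example.com>\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Contact: <sip:alice@192.0.2.10>\r\n"
    b"Content-Type: application/sdp\r\n"
    b"\r\n"
    b"v=0\r\no=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\ns=-\r\n"
    b"c=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    b"m=audio 49170 RTP/AVP 0 101\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:101 telephone-event/8000\r\n"
)
BAD_INVITE = (                      # no Via, three media streams, codecs outside the allow-list
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Max-Forwards: 70\r\n"
    b"From: <sip:alice@example.com>;tag=1\r\n"
    b"To: <sip:bob@example.com>\r\n"
    b"Call-ID: 1@192.0.2.10\r\n"
    b"CSeq: 1 INVITE\r\n"
    b"Content-Type: application/sdp\r\n"
    b"\r\n"
    b"v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    b"m=audio 49170 RTP/AVP 9\r\na=rtpmap:9 G722/8000\r\n"
    b"m=video 49172 RTP/AVP 96\r\na=rtpmap:96 H264/90000\r\n"
    b"m=application 49174 udp wb\r\n"
)
NOT_SIP = b"GET / HTTP/1.1\r\nHost: pbx.example.com\r\n\r\n"   # arrives on 5060 but is not SIP
```

Everything that is not SIP is discarded before any further parsing, which is the behaviour the port-forwarding discussion later on this page contrasts with a blind forward of port 5060. Note the UDP size rule is transport-specific: the same oversized request over TCP passes.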

SIP Security

With the proper protections in place, SIP applications are very secure.

Like any application, Voice over IP and all similar applications should be implemented in a way that ensures the continued security and integrity of the enterprise network. With the proper protections in place, SIP applications are very secure. In fact, VoIP calls can be more secure than those made on the PSTN. That is just one example of how, with the right measures, any SIP application can be made secure enough for enterprise use.

The SIP protocol resides in the Application Layer; it is written in clear text within the datagram of a UDP or TCP transport. Because it is in clear text, it is readily readable by anyone making a malicious effort to compromise your VoIP or data traffic. Sensitive IP address information, port information, contact addresses, usernames, SIP compliance capabilities, media stream attributes and more are all carried in the SIP protocol.

In addition, the VoIP media stream is also unencrypted. Common media streams such as G711, G723 and G729 are open to malevolent efforts to record conversations over the Internet. Given that SIP is a relatively new protocol for VoIP deployment, there have been very few malicious SIP attacks to date, but as SIP grows in popularity and becomes more widespread, the likelihood of such events increases. Because the SIP protocol was developed by the IETF, however, it has built-in capabilities to ensure that the security and control of the enterprise network is maintained, and that measures can be taken to protect the integrity of all Internet-based communications, even for the most sensitive conversations.

The IP-PBX should be deemed a “Mission Critical” server. The IP-PBX is the controller for all of the VoIP phones and SIP applications. Any service outage or degradation would result in the loss of communication and ultimately the loss of business revenue. The IP-PBX must be protected from the Internet and foreign or unknown networks just as any other mission-critical server on the network.

That means that the PBX should never be assigned a publicly routable IP address. The Network Address Translation to the private address space provides a layer of security that must be maintained for the IP-PBX. Measures such as deep packet inspection, encryption and support for TLS and SRTP, authentication, intrusion detection and prevention (IDS/IPS) functionality, DoS attack detection and even SIP (and SIPconnect) compliance are all necessary ways to protect not just the SIP traffic, but also the network.

Solid plans employ all of these and more, including filtering capabilities to ensure that only authorized users are permitted access. With an E-SBC in place, like the SIParator from Ingate Systems, SIP communications can be successfully and securely introduced to the network while the enterprise remains in full control of its network.

Role of Managed Services Environment

In a managed service offering, often the service provider delivers an MPLS (Multi-Protocol Label Switching) interface and delivers a private address space into the organization from their network.

We discussed managed SIP trunk service offerings, what they were and their advantages. Now we’ll drill down even further and look at why Ingate is an important part of these deployments to normalize SIP traffic, maintain network security and bridge the voice and data LANs for more effective use of SIP in the enterprise.

In a managed service offering, often the service provider delivers an MPLS (Multi-Protocol Label Switching) interface and delivers a private address space into the organization from their network. This resolves the NAT traversal issues. However, it does not solve SIP normalization issues between the IP-PBX and ITSP. It also doesn’t address security. Despite the actual delivery mechanism of the SIP trunks, the Ingate unit is still required to normalize the traffic between the business and the service provider when those two implementations are not identical.

From a security point of view, since the service provider is offering the Local Area Network and the private IP addresses from their network space, businesses must ask themselves: Do I trust the service provider to protect my IP-PBX and other parts of my network from harm? If the answer is not a definitive “yes”, then the company is well advised to install an Ingate SIParator or Firewall to perform this very important function.

Finally, by delivering service this way, the service provider is in effect creating separate voice and data networks in the customer premises. This means that personal computers are not connected to the same LAN segment and cannot be used for services such as Presence and Instant Messaging, soft clients cannot be used, and the PC cannot be used to self-configure user accounts. In these instances, the Ingate can act as a bridge between the two networks, allowing the full capabilities of SIP to be realized, including the promise of Business VoIP.

Managed SIP Trunking Service Providers

Managed SIP Trunks offer the advantage of a closely monitored network maintained to deliver the highest voice quality.

The physical connection to the service provider can vary according to the needs of the enterprise and may range from a single T1 with 1.5Mbps of bandwidth which is sufficient for 23 simultaneous calls, up to and including fiber optic connections with very large capacities. Since voice is very susceptible to delay, often the Managed SIP Trunking Service Provider will deliver service using MPLS (Multi-Protocol Label Switching) which assures that the voice packets will receive delivery precedence over other services being delivered on the same physical connection.

For both of the above reasons, many service providers are willing to write Service Level Agreements (SLAs) that guarantee a certain level of service quality and managed SIP Trunks are often more expensive than those services which are offered over the Public Internet.

The firewall remains critical in this application as a security device between a foreign network and the enterprise network. The firewall provides voice and data security for the enterprise, from other foreign networks. It also monitors and secures the SIP traffic, protecting the IP-PBX from malicious attacks which may range from theft of service to Denial of Service attacks. This is important because any malicious issues on foreign networks can quickly become enterprise issues without a security device in between.

Managed SIP Trunks offer the advantage of a closely monitored network maintained to deliver the highest voice quality. The enterprise needs to ensure that its network is robust and that no internal bottlenecks exist that could reduce voice quality. Enterprises should also consider establishing their own security perimeter to maintain control of their network and of who is allowed to use the SIP Trunking services.

SIP Trunking Bring Your Own Bandwidth

Companies like InfoStructure provide open access to their telephony services over the Internet.

Internet Telephony Service Providers (ITSPs) provide SIP trunking services to all who have Internet connectivity. VoIP communications is just another application provided over the Internet alongside Web, e-mail, FTP and other services commonly found on the Internet.

ITSP companies like InfoStructure provide open access to their telephony services over the Internet. The enterprise leases telephony services such as SIP trunking to provide PSTN numbers and access.

The ISP (Internet Service Provider) simply provides access to the Internet. The physical connection to the Internet can vary according to the enterprise’s needs; it can be as small as DSL or grow to T1, T3, Ethernet, OCx and more. The advantage is the consolidation of both voice and data traffic on the same physical connection, thus maximizing bandwidth utilization and minimizing monthly recurring costs.

Firewalls are critical in this deployment, providing voice and data traffic security to the enterprise: solving the NAT traversal issues through the corporate firewall, monitoring and providing security to SIP traffic, and protecting the IP-PBX from malicious attacks.

The downside is that the voice communication is only as good as the Internet connection being used, because that link is not managed from end to end. The advantages of this type of delivery are that it is available anywhere and is typically offered at very attractive rates. With an Internet connection, a firewall at the edge to resolve routing and security concerns, and a good ITSP, SIP trunking may be delivered anywhere in the world.

Port Forwarding for SIP

Port forwarding is a hole in your firewall.

In an attempt to overcome NAT issues, many IP-PBX and ITSP vendors will recommend “port forwarding” all UDP and TCP traffic on port 5060 (the SIP signaling port), along with a range of thousands of media ports, from the NAT firewall to the IP-PBX. This is not a good idea at all, as it opens the network to security risks. Port forwarding is a hole in your firewall: it now forwards ALL UDP or TCP traffic on those ports to the IP-PBX. This UDP/TCP traffic does not have to be SIP protocol traffic at all; it can be traffic from any malicious hacker attempting to gain access to your network.

Better products monitor the SIP signaling port (5060) and apply routing rules and processing policies only to SIP protocol traffic, while all other UDP/TCP traffic is discarded and not forwarded to the IP-PBX. In addition, these SIP-aware firewalls dynamically open and close media ports based on the negotiated SIP traffic, carefully tracking the media ports negotiated in the signaling and routing the media accordingly.
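As an added example of the dynamic media handling just described (illustrative Python, not Ingate's implementation), the class below follows the SDP offer in an INVITE and the answer in its 2xx response, opens pinholes only for the RTP and RTCP ports both sides actually agreed on, refuses media from any other address or port, and closes everything on BYE or a failed INVITE. The dialog messages and addresses are constructed for the example.

```python
import re


class SipMediaGate:
    """Opens RTP/RTCP pinholes only for ports negotiated in the SDP offer/answer and closes
    them when the dialog ends. A stand-in for the dynamic media handling described above."""

    def __init__(self):
        self.offers = {}   # Call-ID -> list of (ip, port) streams from the INVITE offer
        self.calls = {}    # Call-ID -> set of (ip, port) endpoints allowed to exchange media

    @staticmethod
    def _sdp_streams(body):
        """Return (ip, port) for each m= line, in order; port 0 marks a rejected stream."""
        streams, session_ip = [], None
        for line in body.splitlines():
            if line.startswith("c=IN IP4 "):
                ip = line.split()[2]
                if streams:
                    streams[-1][0] = ip       # media-level c= overrides the session-level one
                else:
                    session_ip = ip
            elif line.startswith("m="):
                streams.append([session_ip, int(line.split()[1])])
        return [tuple(s) for s in streams]

    def on_sip(self, msg):
        """Feed every SIP message crossing the firewall, in either direction."""
        head, _, body = msg.partition("\r\n\r\n")
        start = head.split("\r\n", 1)[0]
        call_id = re.search(r"^(?:Call-ID|i):\s*(\S+)", head, re.M | re.I)
        cseq = re.search(r"^CSeq:\s*\d+\s+(\S+)", head, re.M | re.I)
        if not call_id or not cseq:
            return
        call_id, method = call_id.group(1), cseq.group(1).upper()
        status = re.match(r"^SIP/2\.0 (\d{3})", start)
        has_sdp = "application/sdp" in head.lower()
        if method == "BYE" or (status and method == "INVITE" and int(status.group(1)) >= 300):
            self.offers.pop(call_id, None)
            self.calls.pop(call_id, None)      # dialog over: close every pinhole for this call
        elif method == "INVITE" and has_sdp and not status:
            self.offers[call_id] = self._sdp_streams(body)
        elif method == "INVITE" and has_sdp and status.group(1).startswith("2"):
            eps = set()
            # RFC 3264: streams pair up by position; port 0 in the answer rejects that stream
            for (oip, oport), (aip, aport) in zip(self.offers.get(call_id, []), self._sdp_streams(body)):
                if oport and aport:
                    eps.update({(oip, oport), (oip, oport + 1), (aip, aport), (aip, aport + 1)})
            self.calls[call_id] = eps

    def allow_media(self, src, dst):
        """True only when src and dst are both negotiated endpoints of the same live call."""
        return any(src in eps and dst in eps for eps in self.calls.values())

    def open_pinholes(self):
        return sorted(ep for eps in self.calls.values() for ep in eps)


# Constructed dialog: enterprise PBX 192.0.2.10 calling out via ITSP 198.51.100.20.
INVITE = (
    "INVITE sip:bob@198.51.100.20 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-1\r\n"
    "Call-ID: demo-call-1\r\nCSeq: 1 INVITE\r\nContent-Type: application/sdp\r\n\r\n"
    "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\nm=video 49172 RTP/AVP 96\r\n"
)
OK_200 = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-1\r\n"
    "Call-ID: demo-call-1\r\nCSeq: 1 INVITE\r\nContent-Type: application/sdp\r\n\r\n"
    "v=0\r\no=- 2 2 IN IP4 198.51.100.20\r\ns=-\r\nc=IN IP4 198.51.100.20\r\nt=0 0\r\n"
    "m=audio 6000 RTP/AVP 0\r\nm=video 0 RTP/AVP 96\r\n"     # video rejected by the far end
)
BYE = "BYE sip:bob@198.51.100.20 SIP/2.0\r\nCall-ID: demo-call-1\r\nCSeq: 2 BYE\r\n\r\n"
```

Compared with a static forward of thousands of media ports, only four pinholes exist here while the call is up (audio RTP and RTCP on each side), nothing is opened for the rejected video stream, and the pinholes are bound to the negotiated peer address, so media from an unrelated host on a "correct" port is still dropped.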

These firewalls can also fix far-end NAT devices. If there is a SIP device behind a remote NAT device, the Ingate (with its Remote SIP Connectivity software module) can correct all of the SIP signaling traffic from the remote SIP device, and ensure ports remain open for future SIP signaling and media.

It’s a cost-effective solution, as it removes the requirement for SIP-aware firewalls at each remote location, while also allowing traveling SIP users (remote workers or satellite offices) access to the main office no matter where they are.