Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Voice over IP (VoIP) Software Blade

Voice over IP (VoIP) Software Blade

Overview

The Check Point security family enables you to deploy VoIP applications such as telephony or video conferencing without introducing new security threats or needing to redesign your network. Because worms and VoIP-specific Denial of Service attacks can take IP phone services down, the Check Point family delivers an evolving solution that understands and protects against existing and new threats that may disrupt business continuity. Check Point solutions also reduce the complexity of VoIP deployment by eliminating such common pain points as incompatibility between VoIP and Network Address Translation.

Key Benefits

  • Increases protection and availability of VoIP against worms and attacks on a converged network
  • Decreases likelihood of fraud and theft of VoIP services
  • Reduces costs of VoIP deployment by enabling it to work with NAT and other existing network elements
  • Simplifies extension of VoIP to remote offices and workers
  • Provides preemptive protection for both the VoIP network and the underlying infrastructure

Features

Enabling complex, diverse VoIP protocols
Companies can choose from among a host of VoIP protocols—all which function completely differently and interact with security in ways that traditional firewalls cannot handle. Voice over IP Software Blade delivers the most intelligent security for the widest variety of VoIP protocols available in a perimeter security solution. The intelligent security of the Voice over IP Software Blade delivers two benefits that other perimeter solutions do not. First, it enables complete inspection of both the network layer and the payload—where additional VoIP data is placed. Second, because Check Point Security Gateways were developed to be aware of how VoIP sessions should work, it can detect and stop malicious VoIP activity without administrator interaction.

Protecting the converged network
Placing voice traffic on the data network exposes it to traditional data attacks. The Voice over IP Software Blade goes beyond simple support for VoIP protocols to an awareness of how VoIP works, providing preemptive protection for both the VoIP network and the underlying infrastructure.

Delivering high voice quality
A major concern for VoIP deployments is maintaining the high level of voice quality people are used to from traditional phone services. The Voice over IP Software Blade integrates Quality of Service (QoS) mechanisms to ensure that the quality of voice traffic is not reduced while still maintaining a high level of security.

Solving the NAT problem
Network address translation (NAT) is a common security function that is often incompatible with VoIP deployment. The Voice over IP Software Blade provides the greatest range of deployment options for VoIP in a NAT environment without the use of third-party products.

Specifications

Feature Details
Signaling protocols

H.323
Session Initiation Protocol (SIP)
SCCP
Media Gateway Control Protocol (MGCP)
Media protocols

Real-time Transport Protocol (RTP)
Real Time Control Protocol
SIP

RFC 3261 - Latest SIP RFC, RFC 3372 - SIP-T, RFC 3311 - UPDATE message, RFC 2976 - INFO message, RFC 3515 - REFER message , RFC 3265 - SIP Events, RFC 3266 – IPv6 in SDP, RFC 3262 - Reliability of Provisional responses, RFC 3428 - MESSAGE message, MSN messenger over SIP, SIP over TCP, SIP over UDP, SIP early media
H.323
H.323 V.2, V.3, V.4 , H.225 V.2, V.3, V.4 , H.245 V.3, V.5, V.7
SCCP Supported
MGCP RFC 3435 – MCGP v1, J.171 – TGCP
Quality of Service (QoS) methods
Low Latency Queuing (LLQ) LLQ enables highly sensitive traffic such as VoIP to be given the highest priority for security processing, including setting a maximum delay
Guaranteed bandwidth A portion of bandwidth can be set aside specifically for VoIP transmissions
Weighted priorities Different types of traffic can be assigned different priorities. For example, VoIP traffic may be given a weight of 50 compared to a weight of 5 for file sharing. During congested network conditions, the ratio between VoIP and file sharing traffic will be 10:1.
Differentiated Service (DiffServ) Integrated DiffServ support allows service providers to identify and prioritize VoIP traffic as it travels across the corporate wide area network (WAN).
NAT support for SIP networks
Endpoints can be installed with static NAT or hide NAT in the internal network, external network, or DMZ
Incoming calls to hide endpoints that are behind a gateway using hide NAT are supported
SIP-PSTN gateways with hide NAT can be installed in the internal network, external network, or DMZ
SIP-PSTN gateways with static NAT can be installed in the internal network, external network, or DMZ
NAT support for H.323 networks
Gatekeepers can be installed in the external network, internal network, or DMZ using static NAT
Gateways/PBXes can be installed in the external network, internal network, or DMZ using static NAT
Endpoints can be installed everywhere using static NAT
Endpoints can be installed everywhere using hide NAT
Incoming calls to hide NAT are supported
H.323-PSTN gateways can be installed everywhere with static NAT
H.323-PSTN gateways can be installed everywhere with hide NAT

 

SIP security H.323 advanced security

Stateful Inspection of SIP messages

  • Open RTP/RTCP connection dynamically
  • Close RTP/RTCP connection if there is no signaling connection
  • Continuous enforcement of control-data connection relationship

Use of streaming mechanism in SIP over TCP

  • All messages are fully inspected even if divided in several packets

Restricting the following fields

  • RFC enforcement
  • Protocol state machine
  • Usernames
  • Call-ID
  • SDP headers

Special syntax control of the following SIP messages

  • Registration (REGISTER, ACK)
  • Admission control (INVITE)
  • Capability exchange (SDP, OPTION)

Handover domain

  • Provide security enforcement of VoIP redirection and handover

Stateful Inspection of H.323 messages

  • Open RTP/RTCP connection dynamically
  • Close RTP/RTCP connection if there is no signaling connection
  • Open T.120 connection dynamically
  • Close T.120 connection if there is no signaling connection
  • Continuous enforcement of the control-data connection relationship

Use of streaming mechanism for H.225 and H.245

  • All messages are fully inspected even if divided in several packets

Special treatment for the following H.323 messages

  • H.225 RAS messages
  • Q.931 messages
  • H.245
  • Support for fast start—encapsulate H.245 in H.225 messages
  • Support of H.245 tunneling—encapsulate H.245 in H.225 messages

Restricting the following fields

  • RFC enforcement
  • Phone numbers
  • Presence of IP addresses in specific messages
  • Presence of phone numbers in specific messages
  • Protocol flow logic

Handover domain

  • Provide security enforcement of VoIP redirection and handover

Support

Threats to networks are constantly evolving and becoming more sophisticated. To maintain continuity and productivity, defenses must advance as quickly to deliver the technology and features that protect the business. Check Point Services protect against emerging threats with critical hot software fixes, service packs, and major software upgrades.

Benefits

  • Ensure continuous security with access to critical hot fixes and service packs
  • Maximize ROI and investment with access to major upgrades and enhancements
  • Increase security with the latest applications, features, and technologies

More information