The Check Point security family enables you to deploy VoIP applications such as telephony or video conferencing without introducing new security threats or needing to redesign your network. Because worms and VoIP-specific Denial of Service attacks can take IP phone services down, the Check Point family delivers an evolving solution that understands and protects against existing and new threats that may disrupt business continuity. Check Point solutions also reduce the complexity of VoIP deployment by eliminating such common pain points as incompatibility between VoIP and Network Address Translation.
- Increases protection and availability of VoIP against worms and attacks on a converged network
- Decreases likelihood of fraud and theft of VoIP services
- Provides preemptive protection for both the VoIP network and the underlying infrastructure
- Reduces costs of VoIP deployment by enabling it to work with NAT and other existing network elements
- Simplifies extension of VoIP to remote offices and workers
Companies can choose from among a host of VoIP protocols, all of which function completely differently and interact with security in ways that traditional firewalls cannot handle. The Voice over IP Software Blade delivers the most intelligent security for the widest variety of VoIP protocols available in a perimeter security solution. The intelligent security of the Voice over IP Software Blade delivers two benefits that other perimeter solutions do not. First, it enables complete inspection of both the network layer and the payload, where additional VoIP data is placed. Second, because Check Point Security Gateways were developed to be aware of how VoIP sessions should work, they can detect and stop malicious VoIP activity without administrator interaction.
Placing voice traffic on the data network exposes it to traditional data attacks. The Voice over IP Software Blade goes beyond simple support for VoIP protocols to an awareness of how VoIP works, providing preemptive protection for both the VoIP network and the underlying infrastructure.
A major concern for VoIP deployments is maintaining the high level of voice quality people are used to from traditional phone services. The Voice over IP Software Blade integrates Quality of Service (QoS) mechanisms to ensure that the quality of voice traffic is not reduced while still maintaining a high level of security.
Network address translation (NAT) is a common security function that is often incompatible with VoIP deployment. The Voice over IP Software Blade provides the greatest range of deployment options for VoIP in a NAT environment without the use of third-party products.
Supported protocols

| Protocol type | Protocols |
|---|---|
| Signaling protocols | H.323, Session Initiation Protocol (SIP), SCCP, Media Gateway Control Protocol (MGCP) |
| Media protocols | Real-time Transport Protocol (RTP), Real Time Control Protocol (RTCP) |
Supported standards

| Protocol | Standards |
|---|---|
| SIP | RFC 3261 (latest SIP RFC), RFC 3372 (SIP-T), RFC 3311 (UPDATE message), RFC 2976 (INFO message), RFC 3515 (REFER message), RFC 3265 (SIP Events), RFC 3266 (IPv6 in SDP), RFC 3262 (reliability of provisional responses), RFC 3428 (MESSAGE message), MSN Messenger over SIP, SIP over TCP, SIP over UDP, SIP early media |
| H.323 | H.323 v2, v3, v4; H.225 v2, v3, v4; H.245 v3, v5, v7 |
| MGCP | RFC 3435 (MGCP v1), J.171 (TGCP) |
Quality of Service (QoS) methods

| Method | Description |
|---|---|
| Low Latency Queuing (LLQ) | LLQ enables highly sensitive traffic such as VoIP to be given the highest priority for security processing, including setting a maximum delay. |
| Guaranteed bandwidth | A portion of bandwidth can be set aside specifically for VoIP transmissions. |
| Weighted priorities | Different types of traffic can be assigned different priorities. For example, VoIP traffic may be given a weight of 50 compared to a weight of 5 for file sharing. During congested network conditions, the ratio between VoIP and file sharing traffic will be 10:1. |
| Differentiated Service (DiffServ) | Integrated DiffServ support allows service providers to identify and prioritize VoIP traffic as it travels across the corporate wide area network (WAN). |
NAT support for SIP networks
- Endpoints can be installed with static NAT or hide NAT in the internal network, external network, or DMZ
- Incoming calls to hide endpoints that are behind a gateway using hide NAT are supported
- SIP-PSTN gateways with hide NAT can be installed in the internal network, external network, or DMZ
- SIP-PSTN gateways with static NAT can be installed in the internal network, external network, or DMZ
NAT support for H.323 networks
- Gatekeepers can be installed in the external network, internal network, or DMZ using static NAT
- Gateways/PBXes can be installed in the external network, internal network, or DMZ using static NAT
- Endpoints can be installed everywhere using static NAT
- Endpoints can be installed everywhere using hide NAT
- Incoming calls to hide NAT are supported
- H.323-PSTN gateways can be installed everywhere with static NAT
- H.323-PSTN gateways can be installed everywhere with hide NAT
SIP advanced security
- Stateful Inspection of SIP messages
  - Open RTP/RTCP connection dynamically
  - Close RTP/RTCP connection if there is no signaling connection
  - Continuous enforcement of the control-data connection relationship
- Use of streaming mechanism in SIP over TCP
- All messages are fully inspected even if divided into several packets
- Restricting the following fields
  - RFC enforcement
  - Protocol state machine
  - Usernames
  - Call-ID
  - SDP headers
- Special syntax control of the following SIP messages
  - Registration (REGISTER, ACK)
  - Admission control (INVITE)
  - Capability exchange (SDP, OPTION)
- Handover domain
- Provide security enforcement of VoIP redirection and handover

H.323 advanced security
- Stateful Inspection of H.323 messages
  - Open RTP/RTCP connection dynamically
  - Close RTP/RTCP connection if there is no signaling connection
  - Open T.120 connection dynamically
  - Close T.120 connection if there is no signaling connection
  - Continuous enforcement of the control-data connection relationship
- Use of streaming mechanism for H.225 and H.245
- All messages are fully inspected even if divided into several packets
- Special treatment for the following H.323 messages
  - H.225 RAS messages
  - Q.931 messages
  - H.245
  - Support for fast start (H.245 encapsulated in H.225 messages)
  - Support of H.245 tunneling (H.245 encapsulated in H.225 messages)
- Restricting the following fields
  - RFC enforcement
  - Phone numbers
  - Presence of IP addresses in specific messages
  - Presence of phone numbers in specific messages
  - Protocol flow logic
- Handover domain
- Provide security enforcement of VoIP redirection and handover
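As an added illustration of the stateful SIP inspection behaviours listed above (RTP/RTCP pinholes opened dynamically from signaled SDP, closed when the signaling ends, Call-ID and protocol state machine enforcement), here is a toy tracker in Python. It is example code, not Check Point's implementation; the SIP messages, addresses and ports it uses are constructed, and it assumes a session-level c= line precedes the m= lines.

```python
class SipPinholeTracker:
    """Toy SIP/SDP-aware inspector: pinholes opened from signaled SDP, closed at BYE."""
    def __init__(self):
        self.calls = {}        # Call-ID -> set of (ip, port) media endpoints (control side)
        self.pinholes = set()  # (ip, port) pairs media packets may currently use (data side)
    @staticmethod
    def parse(msg):
        head, _, body = msg.replace("\r\n", "\n").partition("\n\n")
        start, *hdr_lines = head.split("\n")
        cid = next((v.strip() for k, _, v in (h.partition(":") for h in hdr_lines)
                    if k.strip().lower() == "call-id"), None)
        return start, cid, body
    @staticmethod
    def sdp_endpoints(body):
        # Assumes a session-level c= line precedes the m= lines (true for the constructed input)
        ip, eps = None, set()
        for ln in body.splitlines():
            if ln.startswith("c=IN IP4 "):
                ip = ln.split()[2]
            elif ln.startswith("m=audio ") and ip:
                port = int(ln.split()[1])
                if port:  # an m= port of 0 means the stream was rejected
                    eps |= {(ip, port), (ip, port + 1)}  # RTP port and its RTCP port
        return eps
    def on_signaling(self, msg):
        """Return True if the protocol state machine accepts the message."""
        start, cid, body = self.parse(msg)
        if not cid:
            return False  # RFC enforcement: Call-ID is mandatory
        method = start.split()[0]
        if method == "INVITE":
            media = self.calls.setdefault(cid, set())
        elif start.startswith("SIP/2.0 200") and cid in self.calls:
            media = self.calls[cid]
        elif method == "BYE" and cid in self.calls:
            self.pinholes -= self.calls.pop(cid)  # no signaling connection, no media
            return True
        else:
            return False  # answer or BYE for a call that was never set up
        eps = self.sdp_endpoints(body)
        media |= eps
        self.pinholes |= eps
        return True
    def allow_media(self, src, dst):  # control-data enforcement on every RTP/RTCP packet
        return src in self.pinholes and dst in self.pinholes
INVITE = ("INVITE sip:bob@10.0.0.20 SIP/2.0\r\nCall-ID: c1@10.0.0.10\r\n\r\n"  # constructed
          "v=0\r\nc=IN IP4 10.0.0.10\r\nm=audio 49170 RTP/AVP 0\r\n")
OK200 = ("SIP/2.0 200 OK\r\nCall-ID: c1@10.0.0.10\r\n\r\n"  # constructed answer
         "v=0\r\nc=IN IP4 10.0.0.20\r\nm=audio 3456 RTP/AVP 0\r\n")
BYE = "BYE sip:bob@10.0.0.20 SIP/2.0\r\nCall-ID: c1@10.0.0.10\r\n\r\n"  # constructed
```

Feeding INVITE, OK200 and BYE to `on_signaling` in turn shows media being allowed only between the two signaled endpoints and only until the BYE is seen.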