Protecting a VoIP Network with Security Appliances

VoIP and IP telephonyWe can protect our voice network with simple Auxiliary VLAN but sometimes to be more secure Auxiliary VLAN are not enough. In this case we can use Security appliances such firewalls or VPN termination devices or both.

Firewall maybe seems like very clean and simple mechanism to protect RTP protocols transmitted voice packets but there’s a problem. Protecting voice networks with a firewall is not so simple because we are not sure what UDP port will be used by the RTP voice packets flow.

If we look at some Cisco network architecture and Cisco device environment, a UDP port for an RTP stream is an random port selected from the pool of 16,384 to 32,767. We surely don’t want to open all those ports on firewall just to be sure that the VoIP will function well. So many open ports may be seen from other side like a bunch of security holes.

Firewalls from Cisco are smarter than that, PIX and Cisco ASA – Adaptive Security Appliance have the possibility to dynamically inspect calls packets and read the setup protocol traffic like H.323 to learn the used UDP ports for every RTP flows. The firewall will then open those UDP ports for the duration of the RTP connection and then close those ports again.

VoIP RTP Inspection


Let’s be clearer about this. In the image here you can see that the first thing that happens is the Phone’s usage of SCCP protocol to initiate a call to the PSTN.

SCCP uses TCP port 2000 will make the communication between the Cisco IP Phone and the UCM server possible. After the communication is established UCM is reading the numbers dialed by user’s phone and using this numbers he is deciding that the call needs to be sent out the H.323 gateway.

In the next step, using TCP port 1720, UCM initiates a call setup with the H.323 gateway. The firewall will allow the communication between these devices using H.323 protocol. The firewall will also analyze H.323 data and determine which UDP ports are in use for the voice path.

The next step is important because the firewall will need to allow bidirectional RTP communication. There will be need for two random UDP ports, every one for one direction of communication. Let’s take an example in which UDP ports 20,548 and 28,642 are selected. Firewall analyzes the H.323 protocol and based on this information dynamically learns about UDP ports that are used. The firewall then permits the RTP flow in every direction until the call is over.

Using security appliance to protect voice network

There’s not only the ability to deny or permit some ports. The firewall may have some additional methods of protection of voice network. Let’s say that someone is attacking our VoIP network with DoS attack. In that case firewall has the ability to see that there are too many messages of a certain type sent in a short period of time. In some other case a firewall can be configured to use of policies, in that configuration a firewall can determine if necessary which phone to block.

Biggest part of Cisco IP phones can authenticate and encrypt call packets on the network. Some other phones from Cisco and other vendors don’t have this capability. If you however want to implement encryption and authentication in you voice network is not impossible. The solution is to use IPsec-protected VPN tunnel to send all call traffic across the network.

Cisco Unified Communications Manager but also a whole bunch of other devices from different vendors have the capability to be used for VPN termination

Leave a Reply