
IP Phones routing in through NAT table. Need advice.


eod

MIS
Feb 6, 2002
101
US
We are looking into rolling out a few ip phones for some home offices. One of the things I'm concerned with (besides the QoS) is routing the ip phone into our network past our firewall. We use a Sonicwall soho2 at our main office which basically uses a hyped up nat table with logging.

Would there be any issues with routing a few ip phones through the nat? Would it be as simple as opening a few ports? What are some of the common solutions people use when dealing with IP phones and NAT.
 
The most common implementation that I see is using a VPN. It does a few things for you. 1) it allows you to limit the protocols that you support. 2) it allows you to authenticate VoIP phones (otherwise, anyone can route calls through your VoIP gateway). 3) it gets around providing a VoIP (H.323 or SIP) aware proxy in your firewall.

Your IP address is coded into some of the call control messages in both SIP and H.323. A NAT device rewrites the packet header, so now the two don't match. You need a protocol aware proxy to write both the header and the contents of the payload for those messages that contain it.

pansophic
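The mismatch pansophic describes above, as an added example that is not part of the original thread: a small Python check that pulls the IPv4 literals a NAT cannot see (the Via and Contact headers and the SDP c= line) out of a SIP INVITE and compares them with the source address the packet actually arrived from. The INVITE, the phone's RFC 1918 address and the "observed source" address are all constructed for the example; the finding strings are assumptions of this script, not output of any real proxy or firewall.

```python
"""Detect SIP/SDP addresses that disagree with the IP a packet arrived from.

Plain NAT rewrites only the IP header. The addresses a phone writes into
Via, Contact and the SDP c= line stay as they were on the private LAN, so
a gateway on the far side of the NAT sees a mismatch. A SIP-aware proxy
or ALG fixes this by rewriting both header and payload.
"""
import ipaddress
import re

# Constructed SDP body and INVITE, as a phone on a private LAN might send them.
SDP_BODY = (
    "v=0\r\n"
    "o=2001 2890844526 2890844526 IN IP4 192.168.1.50\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:5551000@pbx.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:2001@pbx.example.invalid>;tag=1928301774\r\n"
    "To: <sip:5551000@pbx.example.invalid>\r\n"
    "Call-ID: a84b4c76e66710@pbx.example.invalid\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:2001@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def split_message(msg):
    """Split a SIP message into start line, [(header, value)], body."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def embedded_addresses(msg):
    """Return [(location, ip)] for the fields NAT leaves untouched but a
    proxy must rewrite: every Via, every Contact, and the SDP c= line."""
    _, headers, body = split_message(msg)
    found = []
    for name, value in headers:
        if name in ("via", "contact"):
            m = IPV4.search(value)
            if m:
                found.append((name, m.group(1)))
    for line in body.split("\r\n"):
        if line.startswith("c="):
            m = IPV4.search(line)
            if m:
                found.append(("c=", m.group(1)))
    return found


def nat_findings(msg, observed_src):
    """Compare each embedded address with the IP header's source address.

    Returns [(location, embedded_ip, reason)]; an empty list means the
    payload agrees with the header, i.e. no NAT sat in between (or an
    ALG already rewrote the message).
    """
    src = ipaddress.ip_address(observed_src)
    findings = []
    for where, addr in embedded_addresses(msg):
        ip = ipaddress.ip_address(addr)
        if ip == src:
            continue
        # A private address showing up past the NAT is the classic symptom.
        reason = ("rfc1918 address leaked through NAT" if ip.is_private
                  else "differs from observed source")
        findings.append((where, addr, reason))
    return findings


if __name__ == "__main__":
    # 203.0.113.7 stands in for the NAT's public address (constructed).
    for where, addr, reason in nat_findings(SAMPLE_INVITE, "203.0.113.7"):
        print(f"{where:8} {addr:15} {reason}")
```

Run against the same INVITE with the phone's own address as the observed source, the check returns nothing, which is the "no NAT in the path" case; a VPN tunnel gives you the same result because the phone's private address is then routable end to end and nothing rewrites the header.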
 
Thanks for this reply.. What I was wondering about with a VPN is that for the encryption scheme doesn't it end up slowing down a bit since it'd have to write and authenticate the packets? Still sounds like a solid plan.

So no ip phones or common ip phone setups include any sort of authentication? Are any of the phones VPN aware or would I be required to make each site a VPN tunnel with ip phones behind the tunneled gateway?
 
AFAIK no one builds a VPN integrated into the phone. Softphones are an option though. Then you can put your VPN client right on the remote computer. Some systems, like the Avaya Definity (I am told) force you to use a VPN appliance. More expensive, but probably the best option.

As far as speed is concerned, I've seen little performance degradation in any of the VPN solutions that I have worked on. Most systems spend so much time running through idle cycles that it is ridiculous.

Avaya hard phones supposedly support the H.235 security protocol associated with H.323. I haven't done enough research to know how secure the protocol is, though.

Do you know what brand of system you are thinking about using? If you want to stir things up yet again, go post this question on the Cisco: Call Manager forum on this site. They'll have lots of things to say!

pansophic
 
Hahaha I'll stay clear of the cisco guys for now.. We are looking into buying a phone system, either an Inter-Tel or Avaya. We are trying to make the decision this week.

While IP phones won't be our main concern out the door they are a concern within a few months though. We'd like to roll out a small remote office or some home offices. I'm just looking at what we'd need to change on our network or what a few ip phones will require. The vendors all tell me that it is as easy as just plugging it in (which they did during a demo at our office into our network.. and it worked) but hell they could be insecure for all I know..

So take me as a n00b if you will, phones are a far different scenario than my normal server and network administration duties..

Thanks for your help, this is really good stuff..
 
Regard ALL VoIP as insecure. Take a look at some of the following if you are concerned at all about security.




Just some interesting vulnerability stuff. And the vendors are lucky that VoIP just hasn't taken off yet. When it does, it will be 100 times worse than it is now.

The telecom industry is historically VERY poor at securing systems, worse at identifying compromises, and downright terrible at admitting that there is a problem, even after they find it. VoIP is going to fix a lot of that. Unfortunately, it will also require users to be accustomed to losing telephone service periodically while they try to get it hammered out.

If my phone system went down, even momentarily, half as often as my server, or my network, or my internet connection, I'd throw it out and get a new one.

You might want to try posting to the Definity forum for answers from people who actually implement the solution. Also, there is an Avaya and Inter-Tel forum on
if you want to look around some more.

pansophic
 
pansophic wrote: "The telecom industry is historically VERY poor at securing systems, worse at identifying compromises, and downright terrible at admitting that there is a problem, even after they find it."

I would like to react on this one: At Avaya* security is a very important part of our solution, everything is (stress) tested to the extreme, and all known (and maybe unknown) vulnerabilities are assessed as well. Apart from this we have an option to encrypt the RTP stream, and by default you can't use "simple" clients like Netmeeting (you need an Avaya soft- or hardphone, which needs to authenticate with extension & pin), unless you program it specifically for that purpose. More security features & procedures are developed continuously.

Maybe in the past there have been issues, but I can assure you (especially because the perception is telecom equipment isn't secure!) a lot of effort is put on security in all aspects, as we can't afford any mistakes.
But, moving to open standards (and often Open Source) opens up a lot of new possibilities, but also new vulnerabilities, which _ALL_ vendors have to assess and fix, regardless of their background being in telecoms or data.

Just my 2 cents, I don't mean to open up a discussion about this, but I hear this a lot, and I am convinced it is not true (at least no more or less than any other product you put on your LAN/WAN). Putting your (telecom) equipment on a publicly accessible network ALWAYS introduces security risks. Security is in the design, not (only) the product.

* I work for Avaya, so I can only talk for them, but I am convinced that other "traditional" telecom firms also have a big focus on security.

Cheers,
Nico
 
nknook,

Read a few of the 2600 and phrack articles. I think that you might change your mind (and keep in mind that we are talking historically).

You'll find many articles on the Definity and System 75 in there.

pansophic
 
Don't know if you have made the decision yet, but I had issues with my firewall/IDS combo not accepting fragmented packets which the IP phones (Inter-tel) or the network interaction or something generates. When fragmented packets are allowed on the specific ports those issues went away. Now we are only down to QOS issues.
 
appund,

You really need to migrate to IPv6 on your backbone if you want to resolve QoS issues, but there are some ways around it potentially.

I believe that you can set queuing thresholds on the routers, so that your RTP packets don't get held up. I think that you have to configure the queuing based on IP address, though, so you need to set up your phones in a separate block of IP addresses. Hopefully you are using martian (RFC 1918) addresses for your phones anyway, they should never be accessible from the Internet.

Also, Cisco's Call Manager solution will integrate nicely with their routers to give you QoS, if you are inclined the Cisco way.

pansophic
 