Voipsec Digest, Vol 14, Issue 11
- From: "Boswell, Jason S (Jason)" <jboswell (at) lucent.com>
- Date: Fri, 10 Feb 2006 19:35:48 -0700
Erwin
Problems that you would run into are generally dependent upon the devices
involved within the solution. Some are bugs, some are limitations, some are
configuration gotchas. The most common issues I have seen are things like
* One-way RTP streams
* Problems with 3-way conference calls
* Problems with voicemail forwarding
* Scalability/throughput
* Name resolution issues
As the saying goes, "your results may vary". The bottom line I was trying
to get across is there is no easy answer or magic bullet solution. The
discussion gets even more complicated when you bring security into it. So,
regardless of what vendor you choose [ I'm trying to stay vendor-neutral
here :-) ] there are certain levels and phases of testing that you will need
to go through. Things are much better now than they were even 6 months ago,
and 6 months before that, etc. I think maybe the vendors are finally
starting to catch up with the market in the sense that all of the features
and configuration options that have been flooding into SIP for the past few
years are more solidified now. Once the bugs are worked out of the system,
then it's a matter of deciding how you want to secure it in terms of layers,
policies, etc., but that's another discussion.
Happy hunting!
Jason Boswell
-----Original Message-----
From: Erwin Davis [mailto:erwin.davis (at) gmail.com]
Sent: Friday, February 10, 2006 3:23 PM
To: Voipsec (at) voipsa.org; Boswell, Jason S (Jason)
Subject: Re: Voipsec Digest, Vol 14, Issue 11
Hi, Jason,
What are the problems with making a firewall into an SBC?
Any resources related to those problems? Thanks,
e
Message: 3
Date: Fri, 10 Feb 2006 09:22:56 -0700
From: "Boswell, Jason S (Jason)" <jboswell (at) lucent.com>
Subject: Re: [VOIPSEC] VoIP, Firewalls and NATs
To: "'Christopher A. Martin'" <chris (at) InfraVAST.com>, Arturo Servin <aservin (at) itesm.mx>
Cc: Voipsec (at) voipsa.org
Message-ID: <81FC03339A3F6B4DB2D80276126BE855B7651B (at) co7010exch002u.ih.lucent.com>
Content-Type: text/plain; charset="iso-8859-1"
Lucent's VPN Firewall Brick also does full ALG inspection of SIP and H323.
Lots of security vendors offer ALG-level firewalls, but, in my opinion, you
have to focus on vendors that are involved with specific solutions. There
are still a lot of problems with trying to make a firewall into an SBC,
which is essentially what you are trying to do in certain situations. The
reason I say it depends on the solution is that different vendors seem to
have done more testing with certain solutions than others. SIP is still
rather unconstrained, so you run into different gotchas depending on the
devices in the solution. So, a Cisco might work well with AcmePackets but
might not with Kagoor. A Lucent firewall might be great with a Broadworks
solution but not with another one. Sonus might have a problem with certain
firewalls but not others. (just throwing names out there, not trying to
make specific claims).
Hope that helps.
-Jason Boswell
-----Original Message-----
From: Voipsec-bounces (at) voipsa.org [mailto:Voipsec-bounces (at) voipsa.org] On Behalf Of Christopher A. Martin
Sent: Saturday, February 04, 2006 10:00 AM
To: Arturo Servin
Cc: Voipsec (at) voipsa.org
Subject: Re: [VOIPSEC] VoIP, Firewalls and NATs
For robustness Ingate offers the best of breed in this area, as they are
proxy based.
Cisco, Netscreen, and Checkpoint offer application level gateway
solutions, as well as Linksys (also Cisco).
Microappliances also had a proxy solution but I have not heard much from
them on their product in some time.
These are all good starting points if you are performing research.
Chris
Arturo Servin wrote:
>
>
> I am doing personal research about VoIP security and the use
>of firewalls, IPS and NAT. I remember some issues a couple of years ago
>specifically with NAT and H.323. I guess there was the same problem with
>SIP. Also I remember a topic in this email list about SIP proxies. Do you
>know if there are still issues with Firewalls/NAT/IPS and VoIP, how the
>vendors and protocols are dealing with this? Any comments?
>
>
>
>Thanks in advance,
>
>-as
>
>_______________________________________________
>Voipsec mailing list
>Voipsec (at) voipsa.org
>http://voipsa.org/mailman/listinfo/voipsec_voipsa.org