
VPN-1 Pro VoIP Capabilities

July 14, 2005

In This Document
  Overview (page 1)
  Supported Protocols (page 2)
  Session Initiation Protocol (SIP) (page 3)
  H.323 (page 6)
  Media Gateway Control Protocol (MGCP) (page 9)
  Skinny Client Control Protocol (SCCP) (page 11)

Overview
Voice over IP (VoIP), or IP telephony, is a market that affords cost saving opportunities for companies that use traditional telephony or are looking to expand their connectivity capabilities. Companies are looking to VoIP to reduce their telecommunications and network operating costs. Voice-enabled applications also provide opportunities to improve efficiency, productivity, and competitiveness. However, companies considering VoIP have two important concerns: the cost and ease of migration to VoIP and the security of their networks and business. Security is an important consideration when implementing VoIP because each element in the VoIP infrastructure, accessible on the network like any computer, can be attacked or used as a launching point for deeper attacks. In addition, VoIP presents certain specific security challenges. Both parts of a VoIP call, the call setup messages and the actual call media stream, need to be inspected by a firewall capable of both network and application level protection. Without this protection VoIP calls are susceptible to Denial of Service attacks, hacked gateways leading to unauthorized free calls, call eavesdropping, and malicious call redirection.

Copyright 2005 Check Point Software Technologies, Ltd. All rights reserved.


Since VoIP traffic is converged with data traffic traveling over IP networks, VoIP is susceptible to many of the same threats as data traffic. To combat this, VPN-1 Pro secures VoIP networks by protecting against all common threats to VoIP traffic. These threats include call hijacking, where calls intended for the receiver are redirected to someone else; call theft, where the caller pretends to be someone else; and network hacking using ports opened for VoIP connections. Other threats are Denial of Service (DoS) attacks, in which attackers send malformed or fragmented packets. This document presents how NGX R60 provides comprehensive inspection and security for VoIP, as the only VoIP security solution to provide Denial of Service (DoS) protection for all the major VoIP protocols: H.323, SIP, MGCP and SCCP (Skinny). This document assumes you have knowledge of basic Internet Telephony technology concepts.

Supported Protocols
Check Point VPN-1 NGX R60 VoIP capabilities support the following four protocols:
  - SIP
  - H.323
  - MGCP
  - Cisco SCCP (Skinny)

VPN-1 Pro VoIP Capabilities. Last Update July 14, 2005


Session Initiation Protocol (SIP)


SIP (Session Initiation Protocol) is a VoIP signaling protocol. It is an application-layer control protocol used for creating, modifying, and terminating sessions with one or more participants.
In This Section
  SIP Supported RFCs and Standards (page 3)
  SIP Supported Deployment Modules (page 4)
  SIP Security Capabilities (page 4)
  Supported SIP Networking Configurations (page 4)
  Advanced SIP Features (page 5)

SIP Supported RFCs and Standards


The following represent the accepted or proposed Internet standards or standards of practice for VPN-1 Pro VoIP capabilities:

From Version: NGX R60
  - RFC 3372 - SIP-T
  - RFC 3311 - UPDATE message
  - SIP over TCP
  - RFC 3266 - IPv6 in SDP
  - RFC 3265 - SIP Events
  - SIP can be configured using the standard, dynamic and non-standard ports
  - MSN Messenger over SIP
  - SIP early media

From earlier versions (NG R55W IPv6, NG R55W, NG R55, NG R54, FP3):
  - RFC 3261 - Latest SIP RFC
  - RFC 2976 - INFO message
  - RFC 3428 - MESSAGE message
  - RFC 3515 - REFER message
  - RFC 3262 - Reliability of Provisional responses
  - SIP over UDP


SIP Supported Deployment Modules


Network configurations that include a SIP Redirect Server or SIP Proxy are supported by VPN-1 Pro VoIP capabilities.

SIP Security Capabilities


1) Stateful Inspection of SIP messages provides the following capabilities:
   - RTP/RTCP connections are opened dynamically.
   - RTP/RTCP connections are closed if there is no signaling connection.
   - The control/data connection relationship is enforced: one type of connection cannot exist independently of the other.
2) The SIP TCP Streaming Mechanism enables all messages to be fully inspected even if they are divided into several packets.
3) SIP provides the following capabilities for RFC enforcement:
   - Protocol state machine
   - Security enforcement for the SIP header fields (for instance, Usernames, Call-ID, etc.)
   - Security enforcement for the SDP header fields (for instance, Connection, Media, etc.)
4) Special syntax control exists for all SIP messages.
5) Handover Domains provide security enforcement for VoIP redirection and handover.
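The control/data relationship described in item 1, modelled as an added example that is not Check Point code: the SDP body of each INVITE (or answer) opens RTP/RTCP pinholes bound to the Call-ID, and a BYE closes them, so no media connection exists without its signaling session. The SIP messages and addresses are constructed samples.

```python
# Added example, not Check Point code: toy SIP/SDP-driven pinhole table.
import re

PINHOLES = {}  # Call-ID -> set of (ip, port) media endpoints currently allowed

def parse_sip(raw):
    """Split a SIP request/response into (method or 'SIP/2.0', headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ")[0], headers, body

def media_endpoints(sdp):
    """Return (ip, port) pairs for RTP and RTCP (port+1) from the SDP c= and m= lines."""
    ip = re.search(r"^c=IN IP4 (\S+)", sdp, re.M).group(1)
    endpoints = set()
    for m in re.finditer(r"^m=\w+ (\d+) RTP/AVP", sdp, re.M):
        port = int(m.group(1))
        endpoints.update({(ip, port), (ip, port + 1)})
    return endpoints

def inspect(raw):
    """Update the pinhole table from one signaling message; return the message type."""
    method, headers, body = parse_sip(raw)
    call_id = headers.get("call-id")
    if method == "INVITE":
        PINHOLES.setdefault(call_id, set())            # new signaling session
    if call_id in PINHOLES and headers.get("content-type") == "application/sdp":
        PINHOLES[call_id].update(media_endpoints(body))  # SDP offer/answer opens media
    if method == "BYE":
        PINHOLES.pop(call_id, None)                    # signaling gone: media closed too
    return method

def media_allowed(ip, port):
    """Would a UDP packet to (ip, port) pass? Only if a live call's SDP announced it."""
    return any((ip, port) in eps for eps in PINHOLES.values())

# Constructed sample messages (not captured traffic).
INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\nCall-ID: abc123@10.1.1.5\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 10.1.1.5\r\nm=audio 49170 RTP/AVP 0\r\n")
BYE = "BYE sip:bob@example.net SIP/2.0\r\nCall-ID: abc123@10.1.1.5\r\n\r\n"
if __name__ == "__main__":
    inspect(INVITE)
    print("RTP 49170 allowed:", media_allowed("10.1.1.5", 49170))  # True
    inspect(BYE)
    print("RTP 49170 allowed:", media_allowed("10.1.1.5", 49170))  # False
```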

Supported SIP Networking Configurations


1) Supported SIP configurations when NAT is not used:
   - SIP Proxy server can be installed in the internal network, external network or DMZ.
   - SIP Endpoints and SIP-PSTN gateways can be located in the internal network, external network or DMZ.
2) Supported SIP configurations when NAT is used:
   - Endpoints can be installed with STATIC NAT or HIDE NAT in the internal network, external network or DMZ.
   - Incoming calls to Endpoints that are behind a gateway using HIDE NAT.
   - SIP-PSTN gateways with STATIC NAT and HIDE NAT can be installed in the internal network, external network or DMZ.


Advanced SIP Features


All messages are inspected and a full SIP state machine is enforced. The following call capabilities are supported:
  - Hold
  - Blind transfer
  - Regular transfer
  - Re-invite
  - Re-invite limiting
  - Call conference

The following advanced SIP features are supported as of NGX R60.

Call Forwarding capabilities are supported with NAT:
  - Forward on busy
  - Forward on no answer
  - Find me, Follow me
  - Forward unconditional

Default proxy registration expiration time period (available in SmartDefense): a database holds the user registration information for the time specified. Upon timeout the information is deleted.

Third party registration: the registration is sent by someone other than the user currently registering.

Proxy failover: a proxy change during the call is supported.

Enable VoIP DoS protection (available in SmartDefense): a maximum number of new VoIP sessions that can be initiated per minute from a specific IP can be set. This is not enforced for configured Proxies and IP addresses in a white list.


H.323
H.323 is an ITU (International Telecommunication Union) standard that specifies the components, protocols and procedures that provide multimedia communication services, real-time audio, video, and data communications over packet networks, including Internet protocol (IP) based networks.
In This Section
  H.323 Supported ITU Standards (page 6)
  H.323 Supported Deployment Models (page 6)
  H.323 Security Capabilities (page 7)
  Supported H.323 Networking Configurations (page 8)
  H.323 Advanced Features (page 8)

H.323 Supported ITU Standards


The following represent the accepted or proposed Internet standards or standards of practice for VPN-1 Pro VoIP capabilities:

Version            Standards
Prior to NGX R60   H.323 V.2; H.225 V.2; H.245 V.3
As of NGX R60      H.323 V.2, V.3, V.4; H.225 V.2, V.3, V.4; H.245 V.3, V.5, V.7

H.323 Supported Deployment Models


1) Supported Gatekeeper routing modes:
   - Direct (only RAS messages)
   - Call Setup (Q.931)
   - Call Setup & Call Control (Q.931 and H.245)
2) Supported Gateway routing modes:
   - Call Setup (Q.931)
   - Call Setup & Call Control (Q.931 and H.245)


3) Supported H.225 RAS messages:
   - Registration
   - Admission
   - Location
   - Gatekeeper discovery
   - Information
4) An H.225 Q.931 connection can be opened from the Admission and Location messages.
5) A registration must contain a phone number (digits) in order to be considered valid and inserted/saved in the registration database.
6) All messages are accepted, but the following are treated specially because of their importance to the call state machine (for example, logs about the call state are generated for monitoring and tracking, and FastStart fields are extracted from these messages to open RTP/RTCP connections):
   - Setup
   - Connect
   - Alerting
   - Call Proceeding
   - Progress
   - Facility

H.323 Security Capabilities


1) Stateful Inspection of H.323 messages has the following capabilities:
   - RTP/RTCP connections are opened dynamically.
   - RTP/RTCP connections are closed if there are no signaling connections.
   - T.120 connections are opened dynamically.
   - T.120 connections are closed if there are no signaling connections.
   - The control-data connection relationship is enforced.
2) The TCP Streaming Mechanism for H.225 and H.245 enables all messages to be fully inspected even if they are divided into several packets.
3) H.323 has the following capabilities for ITU standards enforcement:
   - All H.323 messages are fully decoded; if decoding fails, the firewall drops the message.
   - Protocol state machine


   - Security enforcement for the H.323 fields (for instance, phone numbers, IP addresses, etc.)
4) Handover Domains provide security enforcement for VoIP redirection and handover.

Supported H.323 Networking Configurations


1) Supported H.323 configurations when NAT is not used:
   - Gatekeepers can be installed in the external network, internal network or DMZ.
   - Gateways/PBX can be installed in the external network, internal network or DMZ.
   - Endpoints can be installed in the external network, internal network or DMZ.
   - H.323-PSTN gateways can be installed everywhere.
2) Supported H.323 configurations when NAT is used:
   - Peer to Peer configurations where endpoints can be installed everywhere using STATIC NAT and HIDE NAT.
   As of NGX R60:
   - Gatekeepers and gateways/PBX can be installed in the external network, internal network or DMZ using STATIC NAT.
   - Incoming calls to HIDE NAT are supported.
   - H.323-PSTN gateways can be installed everywhere with STATIC NAT and HIDE NAT.

H.323 Advanced Features


1) Call forwarding
2) Hold
3) Blind transfer
4) Regular transfer
5) H.323 advanced features as of NGX R60:
   - Opening RTP/RTCP connections using FastStart is supported with NAT.
   - H.245 tunneling with NAT is supported when the Block H.245 tunneling option is not selected.
   - Enable VoIP DoS protection (available in SmartDefense): a maximum number of new VoIP sessions that can be initiated per minute from a specific IP can be set. This is not enforced for configured Proxies and IP addresses in a white list.


Media Gateway Control Protocol (MGCP)


MGCP is a protocol for controlling telephony gateways from external call control devices called Call Agents (also known as Media Gateway Controllers). MGCP is a master/slave protocol, which means it assumes limited intelligence at the edge (endpoints) and intelligence at the core (Call Agent). In this it differs from SIP and H.323, which are peer-to-peer protocols.
In This Section
  MGCP Supported RFCs and Standards (page 9)
  MGCP Security Capabilities (page 9)
  Supported MGCP Networking Configurations (page 10)
  MGCP Advanced Features (page 10)

MGCP Supported RFCs and Standards


The following represent the accepted or proposed Internet standards or standards of practice for VPN-1 Pro VoIP capabilities as of NG with Application Intelligence R55W:
  - RFC 3435 - MGCP v.1
  - J.171 - TGCP

MGCP Security Capabilities


1) Stateful Inspection of MGCP messages provides the following capabilities:
   - RTP/RTCP connections are opened dynamically.
   - RTP/RTCP connections are closed if there are no signaling connections.
   - The control-data connection relationship is enforced.
2) MGCP provides the following capabilities for RFC enforcement:
   - Protocol state machine
   - Security enforcement for the MGCP fields (for instance, Transaction IDs, IP addresses, etc.)
3) Special syntax control exists for all MGCP messages.
4) Handover Domains provide security enforcement for VoIP redirection and handover.


Supported MGCP Networking Configurations


1) MGCP is not supported with NAT.
2) Supported MGCP configurations:
   - Call Agent can be installed in the external network, internal network or DMZ.
   - Endpoints can be installed in the external network, internal network or DMZ.

MGCP Advanced Features


  - Block and/or allow MGCP commands in SmartDefense.
  - Create and/or delete MGCP commands in SmartDefense.
  - Hold
  - Conference
  - Transfers
  - Enable VoIP DoS protection (available in SmartDefense): a maximum number of new VoIP sessions that can be initiated per minute from a specific IP can be set. This is not enforced for configured Proxies and IP addresses in a white list. This feature is supported as of NGX R60.


Skinny Client Control Protocol (SCCP)


SCCP (Skinny Client Control Protocol) controls telephony gateways from external call control devices called Call Agents (also known as Media Gateway Controllers).
In This Section
  SCCP Protocol Support (page 11)
  Supported SCCP Networking Configurations (page 11)
  SCCP Security Capabilities (page 11)
  SCCP Advanced Features (page 12)

SCCP Protocol Support


VPN-1 Pro VoIP capabilities support the proprietary Cisco SCCP protocol as of NG with Application Intelligence R55W.

SCCP Security Capabilities


1) Stateful Inspection of SCCP messages has the following capabilities:
   - RTP/RTCP connections are opened dynamically.
   - RTP/RTCP connections are closed if there are no signaling connections.
   - The control-data connection relationship is enforced.
2) SCCP has the following capabilities for protocol enforcement:
   - Protocol state machine
   - Security enforcement for SCCP messages (for instance, CallStateMessage, OpenReceiveChannel, RegisterMessage, CallInfoMessage, etc.)
   - Security enforcement for SCCP fields (for instance, phone numbers, IP addresses, etc.)
3) Handover Domains provide security enforcement for VoIP redirection and handover.

Supported SCCP Networking Configurations


1) SCCP is not supported with NAT.
2) Supported SCCP configurations:
   - Call Manager can be installed in the external network, internal network or DMZ.
   - Endpoints can be installed in the external and internal networks.


SCCP Advanced Features


  - Hold
  - Conference
  - Transfers
  - Enable VoIP DoS protection (available in SmartDefense): a maximum number of new VoIP sessions that can be initiated per minute from a specific IP can be set. This is not enforced for configured Proxies and IP addresses in a white list. This feature is supported as of NGX R60.
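The Enable VoIP DoS protection setting listed in the SIP, H.323, MGCP and SCCP advanced-feature sections above, modelled as an added example that is not Check Point code: a per-source-IP sliding-window limit on new sessions per minute, with the exemption for configured proxies and white-listed addresses. The threshold, timestamps and IP addresses are constructed.

```python
# Added example, not Check Point code: per-source-IP limit on new VoIP sessions.
from collections import deque

class VoipDosLimiter:
    """Allow at most `max_per_minute` new sessions per source IP in any 60 s window."""

    def __init__(self, max_per_minute, exempt=()):
        self.max_per_minute = max_per_minute
        self.exempt = set(exempt)   # configured proxies and white-listed IPs (constructed)
        self.starts = {}            # src ip -> deque of session start times (seconds)

    def allow_new_session(self, src_ip, now):
        """Return True if a new session (e.g. a SIP INVITE) from src_ip may start at `now`."""
        if src_ip in self.exempt:
            return True                              # proxies/white list: never limited
        window = self.starts.setdefault(src_ip, deque())
        while window and now - window[0] >= 60:      # drop starts older than one minute
            window.popleft()
        if len(window) >= self.max_per_minute:
            return False                             # over the limit: drop and log
        window.append(now)
        return True

if __name__ == "__main__":
    limiter = VoipDosLimiter(3, exempt={"10.0.0.10"})   # constructed proxy address
    for t in range(5):
        print(t, limiter.allow_new_session("192.0.2.7", t))  # True x3, then False
```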
