Vendors offer gear to harden VoIP

Several vendors last week took aim at perceived security and reliability issues involved with running voice over IP.

Foundry Networks and Mitel say they will jointly sell a package that includes Mitel IP PBXs and Foundry switches that can be used to balance IP telephony traffic loads and protect the PBXs from hackers. Separately, VoIP firewall vendor Jasomi Networks introduced a box designed to ensure that IP phones work even in the presence of firewalls that use network address translation (NAT).

Mitel and Foundry will offer a cluster of up to 32 Mitel 3300 Integrated Communications Platform (ICP) IP PBXs in conjunction with two Foundry ServerIron Layer 4 to Layer 7 switches. This will give customers redundancy and failover for their IP PBXs, ensuring that internal IP calls and IP-to-public-switched-telephone-network calls go through.

Foundry's ServerIron boxes also include software that can identify denial-of-service attacks aimed at shutting down an IP PBX. The switch also can be configured not to accept fragmented packets or incomplete TCP/IP handshake signals, which can be signs of a malicious user attempting to flood a server with packets.

"Certainly, denial-of-service attacks are a legit threat if you have an IP PBX sitting on your network," says Mike Hommer, lab manager with Miercom, an IP voice and data equipment testing and consulting firm. "With IP telephony, you're just as subject to anything that makes an IP server vulnerable, including [DoS attacks]."

Foundry and Mitel gear is installed at the Greater London Authority (GLA), the governing body of London. More than 700 users are connected to a cluster of three 3300 ICPs over a network of Foundry FastIron and BigIron Layer 2 and Layer 3 switches. Load balancing that IP PBX cluster with a Web switch is something the GLA might look into, says Keith Beddard, network architect for the GLA.

Beddard says he has researched the FastIron switch and has considered using it as a load-balancing device for the GLA's Web servers. He says he has not mixed load-balancing technology with IP telephony before.

"For sites with large amounts of IP telephony traffic, using a ServerIron to load balance [IP PBXs] would be ideal," he says.

The Foundry/Mitel product bundle will be available in the fourth quarter. Pricing has not been set. But separately, the Mitel 3300 ICP costs about $700 per user, and Foundry's ServerIron starts at about $10,000.

Getting around NAT

Jasomi's PeerPoint Centrex product is for use with IP phones and gateways that work with Session Initiation Protocol (SIP). The box has been designed to solve problems created when SIP phone users are located behind a firewall that uses NAT, which translates IP traffic from a private IP address scheme to a public one for transport over the Internet.

Jasomi says the NAT process can corrupt SIP-based calls given that SIP cannot handle the swapping of IP addresses. Outgoing SIP traffic never reaches its destination because of the address change, the company says, and incoming SIP call traffic can be denied by the NAT firewall in the process.

PeerPoint Centrex, which can support up to 1,000 concurrent SIP sessions, can be deployed in front of an IP PBX. The Jasomi device can identify incoming SIP traffic that would normally get bounced by the corporate firewall and deliver it to the VoIP equipment sitting behind the PeerPoint Centrex box.

For outgoing SIP traffic, the PeerPoint Centrex device can learn the translation schemes of the NAT firewalls it is communicating with on the user end, and format the SIP traffic so that it can be accepted by the outside caller. Jasomi says this feature does not require extra hardware or software on the user's end.

PeerPoint Centrex will be available next month starting at $16,000.

RELATED LINKS