VoIP Overview
808
SonicOS 5.8.1 Administrator Guide
SonicWALL’s VoIP Capabilities
The following sections describe SonicWALL’s integrated VoIP service:
• “VoIP Security” on page 808
• “VoIP Network” on page 809
• “VoIP Network Interoperability” on page 809
• “Supported VoIP Protocols” on page 810
• “How SonicOS Handles VoIP Calls” on page 813
VoIP Security
• Traffic legitimacy - Stateful inspection of every VoIP signaling and media packet
traversing the firewall ensures all traffic is legitimate. Packets that exploit implementation
flaws, causing effects such as buffer overflows in the target device, are the weapons of
choice for many attackers. SonicWALL security appliances detect and discard malformed
and invalid packets before they reach their intended target.
• Application-layer protection for VoIP protocols - Full protection from application-level
VoIP exploits through SonicWALL Intrusion Prevention Service (IPS). IPS integrates a
configurable, high performance scanning engine with a dynamically updated and
provisioned database of attack and vulnerability signatures to protect networks against
sophisticated Trojans and polymorphic threats. SonicWALL extends its IPS signature
database with a family of VoIP-specific signatures designed to prevent malicious traffic
from reaching protected VoIP phones and servers.
• DoS and DDoS attack protection - Prevention of DoS and DDoS attacks, such as the SYN
Flood, Ping of Death, and LAND (IP) attack, which are designed to disable a network or
service.
– Validating the packet sequence of VoIP signaling packets carried over TCP, disallowing out-of-sequence and retransmitted packets that fall outside the window.
– Using randomized TCP sequence numbers (generated by a cryptographic random number generator during connection setup) and validating the flow of data within each TCP session to prevent replay and data insertion attacks.
– Using SYN Flood protection to ensure that attackers cannot overwhelm a server by attempting to open many TCP/IP connections that are never fully established, usually because of a spoofed source address.
• Stateful monitoring - Stateful monitoring ensures that packets, even though appearing
valid in themselves, are appropriate for the current state of their associated VoIP
connection.
• Encrypted VoIP Device Support - SonicWALL supports VoIP devices that can encrypt the media exchange within a VoIP conversation, and it can protect calls from VoIP devices that do not support encrypted media by carrying them over IPsec VPNs.
• Application-Layer Protection - SonicWALL delivers full protection from application-level
VoIP exploits through SonicWALL Intrusion Prevention Service (IPS). SonicWALL IPS is
built on a configurable, high performance Deep Packet Inspection engine that provides
extended protection of key network services including VoIP, Windows services, and DNS.
The extensible signature language used in SonicWALL’s Deep Packet Inspection engine
also provides proactive defense against newly discovered application and protocol
vulnerabilities. Signature granularity allows SonicWALL IPS to detect and prevent attacks
based on a global, attack group, or per-signature basis to provide maximum flexibility and
control false positives.
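The per-session TCP checks listed under DoS and DDoS attack protection (cryptographically random initial sequence numbers, in-window sequence validation that drops retransmitted and out-of-sequence segments, and a cap on half-open connections for SYN Flood protection) can be illustrated with a small Python model. This is an added example written for this page; it is not SonicOS code, and the window size, half-open limit, addresses and port numbers are constructed values chosen for the demonstration.

```python
"""Added illustration (not SonicOS code) of the TCP session checks described
on this page: random ISNs, in-window sequence validation, and a half-open
connection cap. Window size and limits are constructed for the example."""
import secrets
from dataclasses import dataclass

SEQ_MOD = 1 << 32           # TCP sequence numbers wrap modulo 2^32
MAX_HALF_OPEN = 3           # constructed limit, not a SonicOS default


def random_isn():
    # Cryptographically random initial sequence number: a peer who cannot
    # predict it cannot blindly insert or replay data into the session.
    return secrets.randbelow(SEQ_MOD)


def in_window(seq, expected, window):
    # True if seq lies in [expected, expected + window) modulo 2^32.
    return (seq - expected) % SEQ_MOD < window


@dataclass
class Session:
    state: str      # "SYN_RCVD" (half-open) or "ESTABLISHED"
    next_seq: int   # next client byte the firewall expects to see
    window: int


class TcpGuard:
    def __init__(self, max_half_open=MAX_HALF_OPEN):
        self.sessions = {}          # (src_ip, src_port) -> Session
        self.max_half_open = max_half_open
        self.dropped = []           # (key, reason) for every rejected packet

    def _half_open(self):
        return sum(1 for s in self.sessions.values() if s.state == "SYN_RCVD")

    def syn(self, key, client_isn, window=4096):
        # SYN Flood protection: refuse new half-open entries past the cap.
        if self._half_open() >= self.max_half_open:
            self.dropped.append((key, "syn-flood-limit"))
            return None
        self.sessions[key] = Session("SYN_RCVD", (client_isn + 1) % SEQ_MOD, window)
        return random_isn()     # server-side ISN that would go in the SYN/ACK

    def ack(self, key):
        # Third handshake packet turns the half-open entry into a session.
        s = self.sessions.get(key)
        if s and s.state == "SYN_RCVD":
            s.state = "ESTABLISHED"
            return True
        return False

    def data(self, key, seq, length):
        # Accept only the next expected segment; classify everything else.
        s = self.sessions.get(key)
        if s is None or s.state != "ESTABLISHED":
            self.dropped.append((key, "no-established-session"))
            return False
        if seq == s.next_seq:
            s.next_seq = (s.next_seq + length) % SEQ_MOD
            return True
        if in_window(seq, s.next_seq, s.window):
            reason = "out-of-sequence"      # ahead of expected, inside window
        elif in_window(s.next_seq, seq, s.window):
            reason = "retransmit"           # behind expected: replayed data
        else:
            reason = "beyond-window"        # nowhere near the session state
        self.dropped.append((key, reason))
        return False


def demo():
    # Constructed traffic: one legitimate signaling session, then a burst of
    # SYNs that never complete the handshake.
    g = TcpGuard(max_half_open=2)
    key = ("10.0.0.5", 5060)
    g.syn(key, client_isn=1000)
    g.ack(key)
    g.data(key, 1001, 100)      # in order: accepted, next_seq becomes 1101
    g.data(key, 1001, 100)      # same bytes again: dropped as "retransmit"
    g.data(key, 1301, 10)       # inside window but not next: "out-of-sequence"
    g.data(key, 500000, 10)     # far outside window: "beyond-window"
    g.data(key, 1101, 50)       # next expected: accepted, next_seq 1151
    g.syn(("10.0.0.6", 40000), 1)
    g.syn(("10.0.0.7", 40001), 1)
    g.syn(("10.0.0.8", 40002), 1)   # third half-open entry is refused
    return g


if __name__ == "__main__":
    for key, reason in demo().dropped:
        print(key, reason)
```

The strict "next expected segment only" rule is a simplification for signaling traffic; a production stack would also have to reconcile legitimate reordering and window updates, but the classification of replayed, out-of-sequence and far-off segments is the part the page describes.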
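The "Stateful monitoring" bullet says that a packet can be valid on its own yet wrong for the current state of its VoIP connection. The following added example (written for this page, not SonicOS code) shows what that check looks like for signaling: it assumes SIP-style messages, keys each dialog on its Call-ID, and walks it through a deliberately reduced state machine so that, for instance, a BYE for a dialog that was never set up or a second 200 OK on an already established call is dropped even though each message is well formed. The messages, Call-IDs and addresses are constructed for the demonstration.

```python
"""Added example (not SonicOS code): stateful inspection of SIP-style
signaling. The state machine is deliberately reduced (no re-INVITE, CANCEL
or forking) so the idea stays visible. All messages are constructed."""
import re

# Allowed transitions: (current state, message kind) -> next state.
# A next state of None means the dialog ends and its entry is removed.
# Anything not listed is inappropriate for the dialog's state and is dropped.
TRANSITIONS = {
    (None, "INVITE"): "INVITE_SENT",
    ("INVITE_SENT", "1xx"): "INVITE_SENT",
    ("INVITE_SENT", "2xx"): "ANSWERED",
    ("INVITE_SENT", "3xx-6xx"): None,
    ("ANSWERED", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "BYE"): "BYE_SENT",
    ("BYE_SENT", "2xx"): None,
}
_INVALID = object()

STATUS_RE = re.compile(r"^SIP/2\.0 (\d{3}) ")
REQUEST_RE = re.compile(r"^([A-Z]+) \S+ SIP/2\.0$")


def classify(msg):
    """Return (kind, call_id) for a raw SIP message, or raise ValueError."""
    lines = msg.strip().splitlines()
    first = lines[0] if lines else ""
    call_id = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "call-id":
            call_id = value.strip()
    if call_id is None:
        raise ValueError("missing Call-ID")
    m = STATUS_RE.match(first)
    if m:
        code = int(m.group(1))
        kind = "1xx" if code < 200 else "2xx" if code < 300 else "3xx-6xx"
    else:
        m = REQUEST_RE.match(first)
        if not m:
            raise ValueError("malformed start line")
        kind = m.group(1)
    return kind, call_id


class SignalingMonitor:
    def __init__(self):
        self.dialogs = {}   # call_id -> current state
        self.log = []       # ("pass"/"drop", call_id, detail)

    def inspect(self, msg):
        try:
            kind, call_id = classify(msg)
        except ValueError as e:
            self.log.append(("drop", None, f"malformed: {e}"))
            return False
        state = self.dialogs.get(call_id)
        nxt = TRANSITIONS.get((state, kind), _INVALID)
        if nxt is _INVALID:
            self.log.append(("drop", call_id, f"{kind} not valid in state {state}"))
            return False
        if nxt is None:
            self.dialogs.pop(call_id, None)
        else:
            self.dialogs[call_id] = nxt
        self.log.append(("pass", call_id, f"{state} -> {nxt}"))
        return True


def sip(start_line, call_id):
    # Build a minimal constructed message with just the headers we inspect.
    return f"{start_line}\r\nCall-ID: {call_id}\r\nContent-Length: 0\r\n\r\n"


def demo():
    mon = SignalingMonitor()
    call = "abc123@10.0.0.5"                       # constructed Call-ID
    results = [
        mon.inspect(sip("INVITE sip:bob@example.net SIP/2.0", call)),   # new dialog
        mon.inspect(sip("SIP/2.0 180 Ringing", call)),                  # provisional
        mon.inspect(sip("SIP/2.0 200 OK", call)),                       # answered
        mon.inspect(sip("ACK sip:bob@example.net SIP/2.0", call)),      # established
        mon.inspect(sip("BYE sip:bob@example.net SIP/2.0", "nosuch@192.0.2.9")),  # no dialog
        mon.inspect(sip("SIP/2.0 200 OK", call)),                       # 2xx on live call
        mon.inspect(sip("BYE sip:bob@example.net SIP/2.0", call)),      # hang up
        mon.inspect(sip("SIP/2.0 200 OK", call)),                       # dialog closed
        mon.inspect("garbage\r\nCall-ID: x\r\n\r\n"),                    # malformed
    ]
    return results, mon


if __name__ == "__main__":
    for entry in demo()[1].log:
        print(entry)
```

Only the dialog state is checked here; a firewall in the role the page describes would combine this with the packet-level validation of each message and with inspection of the negotiated media, which is outside this example.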