The gradual adoption of Voice over Internet Protocol (VoIP) technologies in recent years has helped reduce networking costs while bridging voice and data networks. A VoIP-enabled telephone (IP phone) can communicate with other IP phones over a data network also used for transmission of data by computers. In a common embodiment, administrative tasks associated with IP telephony such as provisioning the IP phones on the network and setting up and tearing down calls are handled by a call processing server (sometimes referred to as an IP PBX) that communicates with the IP phones over the same data network.
Although often the IP phones and associated call processing server are co-located on a secure private data network, it is sometimes the case that one or more IP phones are located on an untrusted data network such as the internet. This configuration requires connecting the call processing server directly or indirectly to the untrusted data network.
It is well-known that directly connecting a server to an untrusted data network such as the internet exposes the server to unauthorized intrusion and attacks from the untrusted data network, such as, for example, denial of service attacks, man-in-the-middle attacks, theft of service, and/or Trojan horses or malware. These security concerns are magnified for call processing servers in an IP telephony environment. Because the call processing server handles all call processing requests, any form of attack that can disable or disrupt a call processing server can jeopardize the entire IP telephony network. An unauthorized intruder, moreover, could use unauthorized access to the call processing server to eavesdrop on the phone calls of authorized users or to make unauthorized phone calls.
A firewall can shield servers and other network devices from intruders and attacks. A firewall is a system or combination of systems, implemented in hardware and/or software, that enforces a boundary between a trusted data network and an untrusted data network. The untrusted network may be a public network such as the internet, or it may be a segment of a private data network (such as a LAN) where sensitive components must be protected against internal attacks, such as those from disgruntled employees. A network-level firewall, often called a packet filter, filters traffic at the network protocol packet level, allowing or denying incoming packets based on the packet's source address, destination address, and ports. An application-level firewall routes or filters incoming traffic at the application level, sometimes routing payload intelligently based on application protocols such as HTTP. Many firewalls also perform network address translation (NAT), in which the firewall rewrites internal addresses on the trusted network, which are otherwise invisible externally, to public addresses directly reachable from the untrusted network, and vice versa, and routes communications accordingly.
A conventional firewall, however, does not adequately protect the call processing servers in a typical IP telephony environment. If the firewall acts as a packet filter, the amount of access it must grant to the untrusted data network for the call processing server to function properly leaves the server too exposed to malicious attacks; if it filters at the application level, it introduces a substantial, potentially excessive, amount of latency (delay) into the processing of packets carrying call control information and/or voice traffic. What is needed, then, is an appliance that can shield call processing servers without the deficiencies of a conventional firewall.
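As an added illustration of the two preceding paragraphs (this is example code written for this page, not part of the original text or of any product), the following Python models a first-match packet filter together with a static NAT mapping, then applies it to a call processing server sitting behind the firewall. The addresses, the SIP signaling port (UDP 5060) and the media port range (UDP 16384 to 32767) are constructed assumptions; the point is that a packet filter can only express "allow this port range", so admitting media traffic opens thousands of inbound ports toward the server, which is the exposure the text describes.

```python
"""Toy packet filter plus static NAT (example code; addresses and ports are constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # CIDR the source address must fall in
    dst: str      # CIDR the destination address must fall in
    proto: str    # "tcp", "udp" or "any"
    ports: range  # destination ports covered by this rule

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and pkt.dport in self.ports)


def filter_packet(rules: list[Rule], pkt: Packet, default: str = "deny") -> str:
    """Network-level filtering: the first matching rule decides, else the default policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def exposed_udp_ports(rules: list[Rule], server_cidr: str) -> int:
    """Count the distinct inbound UDP ports the rule set opens toward server_cidr."""
    open_ports: set[int] = set()
    for rule in rules:
        if (rule.action == "allow" and rule.proto in ("udp", "any")
                and ip_network(rule.dst).subnet_of(ip_network(server_cidr))):
            open_ports.update(rule.ports)
    return len(open_ports)


class StaticNat:
    """One-to-one NAT: a public address on the untrusted side maps to one internal host."""

    def __init__(self, public_to_internal: dict[str, str]):
        self.pub_to_int = dict(public_to_internal)
        self.int_to_pub = {v: k for k, v in public_to_internal.items()}

    def inbound(self, pkt: Packet) -> Packet:
        # Untrusted -> trusted: rewrite the public destination to the internal address.
        return Packet(pkt.src, self.pub_to_int.get(pkt.dst, pkt.dst), pkt.proto, pkt.dport)

    def outbound(self, pkt: Packet) -> Packet:
        # Trusted -> untrusted: hide the internal source behind the public address.
        return Packet(self.int_to_pub.get(pkt.src, pkt.src), pkt.dst, pkt.proto, pkt.dport)


# Constructed topology (assumptions for the example): call server 10.0.0.10 is published
# as 203.0.113.10; SIP signaling on UDP 5060, RTP media on UDP 16384-32767.
CALL_SERVER = "10.0.0.10/32"
NAT = StaticNat({"203.0.113.10": "10.0.0.10"})
RULES = [
    Rule("allow", "0.0.0.0/0", CALL_SERVER, "udp", range(5060, 5061)),     # signaling
    Rule("allow", "0.0.0.0/0", CALL_SERVER, "udp", range(16384, 32768)),   # media
    Rule("deny", "0.0.0.0/0", "10.0.0.0/8", "any", range(0, 65536)),       # everything else
]


def decide(pkt: Packet) -> str:
    """Run an inbound packet from the untrusted network through NAT, then the filter."""
    return filter_packet(RULES, NAT.inbound(pkt))


if __name__ == "__main__":
    sip = Packet("198.51.100.7", "203.0.113.10", "udp", 5060)
    ssh = Packet("198.51.100.7", "203.0.113.10", "tcp", 22)
    print("SIP:", decide(sip), "| SSH:", decide(ssh))
    print("inbound UDP ports open toward the call server:", exposed_udp_ports(RULES, CALL_SERVER))
```

Note that the filter has no way to tell a legitimate media stream from an attacker's UDP flood aimed at the same port range: both match the second rule, which is exactly why a pure packet filter leaves the call processing server exposed while an application-level inspection that could tell them apart would add per-packet latency.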
A virtual private network (VPN) is a known solution to the security problems created by using untrusted data networks such as the internet to carry IP telephony communications. A VPN allows secure communication from one trusted network to another trusted network where part of the path traverses an untrusted network, and it does so through a combination of authentication of user identity, encryption of call processing and/or voice payload, and tunneling, i.e. embedding the encrypted packets in an IP packet for transmission over TCP/IP. A VPN typically carries other types of data in addition to IP telephony traffic, however, and the additional latency added by the VPN, together with the cost and complexity of licensing, configuration, support, and maintenance, make a VPN less than optimal for IP telephony applications.
What is needed, then, is an appliance that will provide some or all of the security advantages of a VPN without the additional cost, complexity and overhead associated with a VPN.