The technology and concepts behind firewalls that perform Network Address Translation (NAT) are not new. NAT has been around for a long time, yet modern applications and services, VoIP included, still have trouble traversing such environments.
In fact, the issues surrounding VoIP services, trunking, and remote extensions have caused such angst that most organizations have engineered complex VPN infrastructures utilizing service-prioritization technologies like QoS to deliver secure and simplified VoIP.
Of course, the decision to spend hours in telecom switch, firewall, and router configurations must be weighed against developing a complex VPN or SIP proxy infrastructure.
While retaining effective inter-site trunking or remote dial tone is important, and the ultimate goal of such deployments, security must not be forgotten. It is easy to punch holes in border firewalls to let VoIP traffic through, but opening a range of hundreds of ports for RTP or other media transport is generally considered insecure.
So, what do you do?
First, VoIP-aware firewalls and products are emerging as a promising solution. Until the "major" security vendors are able to deliver effective solutions of their own, however, these smaller vendors will likely get passed by.
Secondly, for SIP environments, the SIP proxy is becoming a preferred solution. Sitting in a DMZ, these proxies can translate and modify routing information in SIP signaling sessions to actively suppress any NAT or firewall-related problems.
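As an added illustration (not code from the original article) of the signaling repair such a DMZ proxy performs: it records the address it actually received a NATed phone's REGISTER from in the top Via header (the RFC 3261 `received` and RFC 3581 `rport` parameters) and rewrites the private Contact to that public address, so the registrar and later INVITEs route back through the NAT mapping. The REGISTER text and the 192.168.1.20 / 203.0.113.7 addresses are constructed sample values.

```python
"""Minimal model of a SIP proxy's NAT repair on an inbound REGISTER:
fix the top Via (RFC 3261 'received', RFC 3581 'rport') and rewrite
the Contact host:port to the observed public source address."""
import re

# Constructed sample: a phone behind NAT advertises its private address.
SAMPLE_REGISTER = (
    "REGISTER sip:sip.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776;rport\r\n"
    "From: <sip:alice@sip.example.com>;tag=1928\r\n"
    "To: <sip:alice@sip.example.com>\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Content-Length: 0\r\n\r\n"
)


def fix_nat(message, src_ip, src_port):
    """Return the message with NAT-corrected Via and Contact headers.

    src_ip/src_port are the address the proxy actually received the
    datagram from, i.e. the NAT's public mapping for this phone.
    Assumes a user@host Contact URI and a single Via (first hop)."""
    head, sep, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    for i, line in enumerate(lines):
        name, _, value = line.partition(":")   # only the first colon
        key = name.strip().lower()
        if key in ("via", "v") and "received=" not in value:
            # sent-by is the private host; record the real source address
            host = re.search(r"SIP/2\.0/\w+\s+([^;:\s]+)", value).group(1)
            if host != src_ip:
                value = value.rstrip() + f";received={src_ip}"
            # RFC 3581: a bare 'rport' asks the proxy to fill in the port
            value = re.sub(r";rport(?=;|$)", f";rport={src_port}", value)
            lines[i] = f"{name}:{value}"
        elif key in ("contact", "m"):
            # Replace the private host:port with the observed public one
            lines[i] = re.sub(r"@[^;>\s]+", f"@{src_ip}:{src_port}", line)
    return "\r\n".join(lines) + sep + body
```

Media (the SDP `c=` and `m=` lines) is not touched here; fixing that side of a NATed call additionally requires a media relay, which is why the firewall-pinhole and VPN approaches remain in play.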
Third, encapsulating the traffic into a VPN payload is another viable alternative. Of course, this requires a significant investment for intra-site communications, but may leave some end-users and VoIP trunking features out in the cold.
IP signaling is a complex world, and unfortunately there is not yet a sure-fire way to resolve every issue and meet every need. When choosing a solution, keep these key points in mind:
- Maintain security
- Simplify configurations for end-users
- Allow connectivity from internal and external users
- Reduce the hardware infrastructure needed to deliver the solution
- Allow for interoperability between vendors, endpoints, and trunking providers