Traffic check frees up VoIP data (1)

The combination of multimedia applications and traditional enterprise networks has become commonplace in enterprises. In particular, with the steady development of VoIP technology, IP voice has gradually become an indispensable new member in the enterprise network. However, this poses new challenges to enterprise network security. Recently, more and more attacks have been initiated against enterprise VoIP applications. I have also dealt with attackers several times. Here, I will share with you some protection experience in this regard, mainly about how to worry over VoIP data through traffic checks.

1. Security of H.323 Protocol

The H.323 protocol is a key protocol in VoIP technology. Because the protocol family is based on TCP connections, It is also vulnerable to attacks. The H.323 protocol family uses two TCP connections and four to six UDP connections. Basically, they work collaboratively for a specific session. This agreement can complete a number of key tasks. Such as management security and authentication-related content, use of negotiation channels, and so on. Therefore, ensuring the security of this protocol is a very important part of the VoIP Security System.

In practice, the protocol uses Abstract Syntax symbols to encode the group. Therefore, it is difficult to take some security measures. In other words, there are few security solutions for this abstract syntax symbol. This is mainly because it is much easier to understand the content of the H.323 stream than to understand the stream of other existing protocols. Because of this, many attackers prefer this protocol as a stepping stone for attacks.

Are Security Management Personnel helpless? That's not. Cisco firewalls provide a ready-made protection mechanism. In general, H.323 uses 1720 as the TCP control port. This port is also a port that attackers like to use. In practical work, if you can enhance the Traffic Inspection on this port, the security of VoIP applications can be guaranteed for a long time. You can run the fixup protocol h323 command to check the port traffic. By default, the port 1720 connection is used in the PIX Firewall to check the h.323 traffic. Therefore, the port parameters are not required in the command.

However, sometimes the default port is changed to further improve its security. After the change, attackers cannot use port scanning or other methods to determine whether a company uses a VoIP application. After the port is changed, the security settings still need to enable the H.323 traffic check on the new port after the port is changed. In this case, the port parameter must be followed by fixup protocol h323.

Ii. Enable MGCP traffic check

MGCP is a speech protocol, which is similar to H.323. The voice protocol runs together with the No. 7 signaling system. The main function of this Protocol is to bridge the switching circuit network and the grouping network. MGCP voice protocol can separate signaling and call control from media gateway. When the MGCP voice Protocol is under attack, it may cause voice communication faults or even eavesdroppers. Therefore, enabling MGCP traffic check is also an important security measure to ensure the security of MGCP traffic.

By default, this traffic check is disabled. This is mainly because of performance considerations. Because the traffic is checked, it will inevitably have a negative impact on the transmission of data streams. Therefore, before enabling this check, the network security personnel also need to evaluate and achieve a balance between security and performance. Generally, the MGCP voice protocol requires at least two ports, one for the gateway to receive commands (the default port is 2427 ), another command is used to receive calls from the proxy (the default port number is 2727 ). If you want to enable MGCP traffic check, you must configure both ports. The configuration is also very simple, just use the command fixup protocol mgcp, followed by the specific port number.

The author once again stressed that when the MGCP traffic check is enabled, the performance must be evaluated. If the network deployment is unreasonable, the performance of the IP voice phone will decrease linearly after this function is enabled, and there may even be a long delay of the voice phone. Therefore, it is necessary to evaluate the performance after it is enabled. Do not wait until the user complains.