Sergio A. Chacón, Driss Benhaddou, and Deniz Gurkan
The transmission of voice information over the Internet Protocol (VoIP) poses many security challenges. Deploying voice over the Internet using signaling protocols such as the Session Initiation Protocol (SIP) and the multimedia transport protocol Real-Time Transport Protocol (RTP) presents security risks that need to be inspected and resolved as more end systems that use these protocols are implemented. After identification of the risks, it becomes clear that most of the vulnerabilities occur in the way that voice information is handled in the IP layer [Walsh, 2005].
Some solutions are VPN-based and sit in the internal or external border routers, where information is encrypted before it reaches the public network [Maharaj, 2004]. Other solutions are based at the client, which uses a VPN utility to connect remotely to a VPN firewall. However, if the attacker is an insider, the voice system and the voice information it carries are still vulnerable. In addition, client-based solutions are susceptible to computer attacks and are difficult to maintain.
This study proposes a solution that brings VPN IPSec closer to the SIP user agents, between the users and the switch, in the form of dedicated VPN-based local area firewalls. These firewalls bring security closer to the client than a border router does, making it less susceptible to attacks from an insider to the network. They can easily and reliably handle and protect several types of clients in small office environments, freeing the client from the responsibility of maintaining the VPN; control access by restricting traffic coming into the inside network while allowing users access to any SIP proxy in the Demilitarized Zone (DMZ) or the Internet; and encrypt IP voice packets using IPSec tunneling before they reach the access switch.