• SonicOS and SonicOSX 7 VoIP
• VoIP
  • VoIP Security
    • Security Appliance Requirements for VoIP
  • VoIP Protocols
    • H.323
    • SIP
  • SonicWall’s VoIP Capabilities
    • VoIP Security
    • VoIP Network
    • VoIP Network Interoperability
    • Supported Interfaces
    • Supported VoIP Protocols
      • H.323
      • SIP
      • SonicWall VoIP Vendor Interoperability
      • CODECs
      • VoIP Protocols on which SonicOS/X Does Not Perform Deep Packet Inspection
    • BWM and QoS
      • Quality of Service
    • How SonicOS/X Handles VoIP Calls
      • Incoming Calls
      • Local Calls
• Settings
  • Configuring VoIP Settings
    • General Settings
    • SIP Settings
      • Enabling SIP
    • H.323 Settings
      • Configuring Bandwidth on the WAN Interface
      • Configuring VoIP Access Rules
  • Configuring VoIP Logging
• Call Status
• SonicWall Support
  • About This Document

VoIP Security

• Traffic legitimacy - Stateful inspection of every VoIP signaling and media packet traversing the Security Appliance ensures all traffic is legitimate. Packets that exploit implementation flaws, causing effects such as buffer overflows in the target device, are the weapons of choice for many attackers. SonicWall Security Appliances detect and discard malformed and invalid packets before they reach their intended target.
• Application-layer protection for VoIP protocols - Full protection from application-level VoIP exploits through SonicWall Intrusion Prevention Service (IPS). IPS integrates a configurable, high performance scanning engine with a dynamically updated and provisioned database of attack and vulnerability signatures to protect networks against sophisticated Trojans and polymorphic threats. SonicWall extends its IPS signature database with a family of VoIP-specific signatures designed to prevent malicious traffic from reaching protected VoIP phones and servers.
• DoS and DDoS attack protection - Prevention of DoS and DDoS attacks, such as the SYN Flood, Ping of Death, and LAND (IP) attack, which are designed to disable a network or service.
  • Validating packet sequence for VoIP signaling packets using TCP to disallow out of sequence and retransmitted packets beyond window.
  • Using randomized TCP sequence numbers (generated by a cryptographic random number generator during connection setup) and validating the flow of data within each TCP session to prevent replay and data insertion attacks.
  • Ensures that attackers cannot overwhelm a server by attempting to open many TCP/IP connections (which are never fully established-usually due to a spoofed source address) by using SYN Flood protection.
• Stateful monitoring - Stateful monitoring ensures that packets, even though appearing valid in themselves, are appropriate for the current state of their associated VoIP connection.
• Encrypted VoIP device support - SonicWall supports VoIP devices capable of using encryption to protect the media exchange within a VoIP conversation or secure VoIP devices that do not support encrypted media using IPsec VPNs to protect VoIP calls.
• Application-layer protection - SonicWall delivers full protection from application-level VoIP exploits through SonicWall Intrusion Prevention Service (IPS). SonicWall IPS is built on a configurable, high performance Deep Packet Inspection engine that provides extended protection of key network services including VoIP, Windows services, and DNS. The extensible signature language used in SonicWall’s Deep Packet Inspection engine also provides proactive defense against newly discovered application and protocol vulnerabilities. Signature granularity allows SonicWall IPS to detect and prevent attacks based on a global, attack group, or per-signature basis to provide maximum flexibility and control false positives.