
VoIP

Check Point and Avaya

Avaya and Check Point are working together to ensure that customers deploying a combined solution of the Check Point VPN-1 product family and the Avaya Converged Infrastructure portfolio enjoy full defense against the threats to both data and voice communications. We test the products for interoperability to ensure that VPN-1 protection covers the full range of capabilities of the Avaya data and voice solution.

The Avaya Converged Infrastructure
As integral components of the Avaya Converged Infrastructure, Avaya Media Servers and Media Gateways provide highly flexible, scalable, and standards-based building blocks that can be mixed and matched to create customized solutions. They enable the centralized management efficiency of a single, streamlined network while delivering best-in-class call-processing quality and availability that have made Avaya the communication solution provider more than 90 percent of Fortune 500 companies rely on every day.

Avaya Media Servers
The Avaya family of media servers provides a robust application platform based on industry-standard operating systems to support distributed IP networking and centralized call processing across multi-protocol networks. These servers are available as an integrated solution or can operate independently, with the ability to handle up to 300,000 busy-hour call completions. Key features include:

  • Redundant, survivable call and media processing supporting crucial business continuity
  • Distributed survivable IP networking supporting campus, global multi-site, and branch environments
  • Centralized call processing distributed across multi-protocol networks supporting a highly diversified network architecture

Avaya Media Gateways
Avaya Media Gateways support both TDM and IP telephony environments by seamlessly integrating traditional circuit-switched and IP-switched interfaces. They allow your organization to evolve easily from TDM-based telephony to the next generation of IP infrastructures, including those based on the open SIP (Session Initiation Protocol) standard.

Avaya Media Gateways are available in compact standalone, stackable, and chassis-based configurations that support Analog, Digital, IP PoE, LAN, and WAN interfaces. They are optimized for blended TDM/IP and all IP environments in distributed enterprises, small remote offices, and large campus environments with thousands of users.

Key Features Include

  • Interoperability with standards-based data networks providing maximum flexibility and reducing total cost of ownership
  • Redundant system and network options that support high-availability configurations for both TDM and IP-based solutions
  • Connectivity across any public or private network using a variety of interface options over TDM, ATM, Ethernet, Frame Relay, or PPP.

Check Point Security for VoIP
Check Point offers distinct advantages for securing VoIP. VPN-1 Pro is a tightly integrated software solution that combines the market-leading FireWall-1 security suite with sophisticated VPN technologies to connect corporate networks, remote and mobile users, branch offices, and business partners for secure data, voice, and multimedia communications. FloodGate-1, integrated with VPN-1 Pro, guarantees or prioritizes bandwidth for real-time voice communications.

Security for complex mixed-protocol environments
SIP and H.323 protocols may be used together with appropriate gateways, and VPN-1 Pro supports both equally. VPN-1 Pro inspects VoIP control signals passing through the enforcement point to prevent call hijacking, fooled billing, and DoS attacks. Using information derived from the control signals, VPN-1 Pro provides this protection through:

  • Dynamic management of RTP (media) sessions
  • Analysis and enforcement of message states
  • Verification of the existence and correctness of call parameters
  • Maintenance of the call state for each call
  • Enforcement of handover domains

VPN-1 Pro overcomes a significant limitation of other firewalls in a VoIP environment. It is the only firewall solution that accepts and allows inbound calls to the local network for both dynamic and nonroutable IP addresses, handling both signaling and media traffic in real time.

As VoIP control signals always pass through the enforcement point, VPN-1 Pro secures the call by opening ports only for those endpoints negotiated during the signaling. It closes the ports as soon as the call ends, without waiting for a timeout. VPN-1 Pro also enforces the order and direction. If both endpoints are on the same side of the VPN-1 Pro enforcement point but the signal routing device is on the other side, VPN-1 Pro is aware of this fact, and will not open any ports for the call.

Application Intelligence for SIP
Network and application level protection is accomplished through Check Point Application Intelligence. Using INSPECT, the most adaptive and intelligent inspection technology, VPN-1 Pro integrates both network-level and application-level protection and provides the highest level of security, with access control, attack protection, content security, authentication, and integrated Network Address Translation (NAT).

Leveraging SMART Management, VPN-1 Pro enables you to intelligently manage security infrastructure with maximum efficiency. VPN-1 Pro restricts signal routing locations and controls signaling and data connections. VPN-1 Pro Application Intelligence™ ensures packets conform to RFC 3261 for SIP over UDP/IP and inspects SIP-based Instant Messaging protocols.

It protects against Denial of Service (DoS) attacks and against penetration attempts such as connection hijacking and connection manipulation. VPN-1 Pro validates the expected usage of the SIP protocol. For example, if an end-of-call message comes immediately after the start of the call, the call will be denied because this behavior is characteristic of a DoS attack.
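The per-call behavior described above (ports opened only for the endpoints negotiated in signaling, closed as soon as the call ends, and an end-of-call message right after call start refused) can be modeled in a few lines. This is an added illustration, not Check Point code or the INSPECT engine: the names PinholeTracker, sip and MIN_CALL_SECONDS, the one-second threshold, and the sample messages are assumptions, and only INVITE, 200 OK and BYE are modeled.

```python
import re

MIN_CALL_SECONDS = 1.0  # assumed threshold; the page gives no figure

def sip(first, call_id, cseq, ip=None, port=None):
    """Build a constructed (not captured) SIP message, with SDP if ip is given."""
    sdp = f"v=0\r\nc=IN IP4 {ip}\r\nm=audio {port} RTP/AVP 0\r\n" if ip else ""
    return f"{first}\r\nCall-ID: {call_id}\r\nCSeq: {cseq}\r\n\r\n{sdp}"

def parse_sip(msg):
    head, _, body = msg.partition("\r\n\r\n")
    first, *rest = head.split("\r\n")
    hdr = {k.strip().lower(): v.strip()
           for k, _, v in (line.partition(":") for line in rest)}
    return first, hdr, body

def sdp_endpoint(body):
    """Return the (ip, port) the SDP body advertises for audio, or None."""
    ip = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    port = re.search(r"^m=audio (\d+) ", body, re.M)
    return (ip.group(1), int(port.group(1))) if ip and port else None

class PinholeTracker:
    def __init__(self):
        self.calls = {}        # Call-ID -> {"start", "state", "media"}
        self.pinholes = set()  # (ip, port) pairs currently open for RTP

    def handle(self, msg, now):
        """Return 'pass' or 'drop' for one signaling message seen at time now."""
        first, hdr, body = parse_sip(msg)
        cid = hdr.get("call-id")
        call, media = self.calls.get(cid), sdp_endpoint(body)
        if first.startswith("INVITE ") and call is None and media:
            self.calls[cid] = {"start": now, "state": "inviting", "media": {media}}
            return "pass"
        if call is None:
            return "drop"      # no call state, or INVITE without call parameters
        if first.startswith("SIP/2.0 200") and "INVITE" in hdr.get("cseq", ""):
            if call["state"] != "inviting" or not media:
                return "drop"
            call["state"] = "established"
            call["media"].add(media)
            self.pinholes |= call["media"]  # open only the negotiated endpoints
            return "pass"
        if first.startswith("BYE "):
            self.pinholes -= self.calls.pop(cid)["media"]  # close now, no timeout
            too_soon = now - call["start"] < MIN_CALL_SECONDS
            return "drop" if too_soon else "pass"
        return "pass"
```

Feeding it an INVITE, the matching 200 OK and a BYE shows the pinhole set growing only after the answer and emptying on the BYE, with the BYE itself dropped when it arrives inside the threshold.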

Guaranteed or prioritized bandwidth for VoIP protocols
Integrated with VPN-1 Pro, FloodGate-1 improves the VoIP experience by providing guaranteed or prioritized bandwidth for VoIP protocols. The quality of service can be managed for both encrypted and unencrypted VoIP traffic. FloodGate-1 supports the Integrated Differentiated Services (DiffServ). If QoS is managed by VoIP gateways behind VPN-1/FireWall-1, FloodGate-1 uses the DiffServ settings.
