VoIP
Check Point and Nortel
Nortel and Check Point are working together to ensure that customers deploying a combined Voice over IP (VoIP) solution of the Check Point VPN-1 product family and Nortel's Communication Server product family enjoy full defense against the threats to both data and voice communications. We test the products for interoperability to ensure that VPN-1 protection covers the full range of capabilities of the Nortel data, voice, and media solution.
Nortel CS 1000 for converged networks
The Nortel Communication Server 1000 (CS 1000) family is a highly scalable, reliable, and survivable communications platform for network convergence and collaborative communications. It consists of three primary components that can be distributed across IP LANs and WANs and managed centrally.
- CS 1000 Call Servers provide reliable call and connection management service. They control the system software and can support up to 15,000 IP clients per server, as well as geographically redundant configurations to ensure business continuity.
- Signaling Servers perform important call control services such as registration of IP terminals, IP address translation, and bandwidth control. They streamline the network dialing plan and simplify the scalability and management of CS 1000 networks.
- Enterprise Media Gateways support a complete range of analog and digital line and trunk interfaces across LAN or WAN infrastructures.
CS 1000 supports a broad portfolio of business-critical applications including unified messaging, centralized management, web-based contact center applications, SIP-based multimedia services, and over 650 world-class telephony features designed to keep your enterprise competitive. As anytime, anywhere business communications become the norm, CS 1000 delivers service ubiquity through a diverse portfolio of adaptive IP client devices as well as analog and digital telephones.
Check Point Security for VoIP
Check Point offers distinct advantages for securing VoIP. VPN-1 Pro is a tightly integrated software solution that combines the market-leading FireWall-1 security suite with sophisticated VPN technologies to connect corporate networks, remote and mobile users, branch offices, and business partners for secure data, voice, and multimedia communications. FloodGate-1, integrated with VPN-1 Pro, guarantees or prioritizes bandwidth for real-time voice communications.
Security for complex mixed-protocol environments
SIP and H.323 protocols may be used together with appropriate gateways, and VPN-1 Pro supports both equally. VPN-1 Pro inspects VoIP control signals passing through the enforcement point to prevent call hijacking, billing fraud, and DoS attacks. Using information derived from the control signals, VPN-1 Pro provides this protection through:
- Dynamic management of RTP (media) sessions
- Analysis and enforcement of message states
- Verification of the existence and correctness of call parameters
- Maintenance of the call state for each call
- Enforcement of handover domains
VPN-1 Pro overcomes a significant limitation of other firewalls in a VoIP environment. It is the only firewall solution that accepts and allows inbound calls to the local network for both dynamic and nonroutable IP addresses, handling both signaling and media traffic in real time.
As VoIP control signals always pass through the enforcement point, VPN-1 Pro secures the call by opening ports only for those endpoints negotiated during the signaling. It closes the ports as soon as the call ends, without waiting for a timeout. VPN-1 Pro also enforces the order and direction. If both endpoints are on the same side of the VPN-1 Pro enforcement point but the signal routing device is on the other side, VPN-1 Pro is aware of this fact, and will not open any ports for the call.
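The signaling-driven port handling described above can be sketched as follows. This is an added example, not Check Point code or part of the original page: `PinholeTable`, `parse`, and `sip` are hypothetical names, the messages are constructed, and only INVITE, 200 OK, and BYE are modelled (ACK, provisional responses, and re-INVITE are treated as out of scope and denied).

```python
import re

def sip(start, call_id, sdp=None):
    """Build a constructed sample SIP message (illustrative, not captured traffic)."""
    body = f"v=0\r\nc=IN IP4 {sdp[0]}\r\nm=audio {sdp[1]} RTP/AVP 0\r\n" if sdp else ""
    return f"{start}\r\nCall-ID: {call_id}\r\n\r\n{body}"

def parse(msg):
    """Return (start line, Call-ID or None, (ip, port) from the SDP or None)."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    call_id = next((l.split(":", 1)[1].strip() for l in lines[1:]
                    if l.lower().startswith("call-id:")), None)
    ip = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    port = re.search(r"^m=audio (\d+) ", body, re.M)
    return lines[0], call_id, (ip.group(1), int(port.group(1))) if ip and port else None

class PinholeTable:
    """Per-call state plus the RTP endpoints negotiated in its signaling."""
    def __init__(self):
        self.calls = {}  # Call-ID -> {"state": ..., "pinholes": {(ip, port)}}

    def handle(self, msg):
        """Feed one signaling message; return "accept" or "drop"."""
        start, call_id, media = parse(msg)
        call = self.calls.get(call_id)
        if call_id is None:
            return "drop"
        if start.startswith("INVITE "):
            if call or media is None:
                return "drop"                  # duplicate call or no media offer
            self.calls[call_id] = {"state": "inviting", "pinholes": {media}}
        elif start.startswith("SIP/2.0 200"):
            if not call or call["state"] != "inviting" or media is None:
                return "drop"                  # answer with no matching offer
            call["pinholes"].add(media)
            call["state"] = "established"
        elif start.startswith("BYE "):
            if not call:
                return "drop"                  # BYE for a call never seen
            del self.calls[call_id]            # close pinholes now, no timeout
        else:
            return "drop"                      # default deny for anything else
        return "accept"

    def rtp_allowed(self, ip, port):
        """True only for endpoints negotiated by an established call."""
        return any(c["state"] == "established" and (ip, port) in c["pinholes"]
                   for c in self.calls.values())
```

Feeding the table an INVITE, its 200 OK, and then a BYE shows media being admitted only between the two negotiated endpoints and refused again as soon as the BYE is processed.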
Application Intelligence for SIP
Network and application level protection is accomplished through Check Point Application Intelligence. Using INSPECT, the most adaptive and intelligent inspection technology, VPN-1 Pro integrates both network-level and application-level protection and provides the highest level of security, with access control, attack protection, content security, authentication, and integrated Network Address Translation (NAT). Leveraging SMART Management, VPN-1 Pro enables you to intelligently manage security infrastructure with maximum efficiency. VPN-1 Pro restricts signal routing locations and controls signaling and data connections. VPN-1 Pro Application Intelligence™ ensures packets conform to RFC 3261 for SIP over UDP/IP and inspects SIP-based Instant Messaging protocols.
It protects against Denial of Service (DoS) attacks and against penetration attempts such as connection hijacking and connection manipulation. VPN-1 Pro validates the expected usage of the SIP protocol. For example, if an end-of-call message comes immediately after the start of the call, the call will be denied because this behavior is characteristic of a DoS attack.
Guaranteed or prioritized bandwidth for VoIP protocols
Integrated with VPN-1 Pro, FloodGate-1 improves the VoIP experience by providing guaranteed or prioritized bandwidth for VoIP protocols. The quality of service can be managed for both encrypted and unencrypted VoIP traffic. FloodGate-1 supports the Integrated Differentiated Services (DiffServ). If QoS is managed by VoIP gateways behind VPN-1/FireWall-1, FloodGate-1 uses the DiffServ settings.