VoIP
Check Point and Siemens
With the integration of Voice over IP into the data network, effectiveness and productivity within the company are significantly increased. A crucial advantage here is the uniform infrastructure, which is used simultaneously for data and voice traffic. However, the operation of these convergent networks also confronts the company with the challenge of further improving the way this infrastructure is protected against attacks. A wealth of systems is available for this purpose, with firewall systems being highly important as a means of protection against intrusion from outside.
Siemens Com ESY has recognized the challenges of the marketplace, and is working very closely with the market-leading security experts Check Point on solutions that boost the security of convergent networks.
System description HiPath 4000
HiPath 4000 is the innovative Hosted Real Time IP communications system for midsize and large companies. The HiPath 4000 combines the advantages of IP-based communications, the comprehensive HiPath ComScendo Feature Set and high resilience to produce the communication solution of your choice. Many customers opt to deploy this flexible and innovative communication platform on technical and economic grounds. The benefits to the customer are obvious. HiPath 4000 offers high-performance, functional terminal devices in various configurations, so that the optimum product can be selected for each individual case to boost productivity and effectiveness. This also applies to employees requiring a high degree of mobility, either because they are constantly operating from different company sites or, for example, because they work from home as teleworkers.
Thanks to its modular system architecture, the HiPath 4000 offers universal use and expansion from the smallest to the largest configurations. Here, up to 83 sites can be equipped with a state-of-the-art communications solution based on a distributed IP architecture. This HiPath 4000 system architecture supports up to 12,000 users, with a maximum of 100,000 feasible without problems when networked. Here, particular attention has been paid to the failsafe characteristics of the overall system. The duplicated control system maximizes the availability of the central host of the HiPath 4000, ideally supported by the emergency concept within the distributed architecture. And if the occasion demands, an additional integrated controller in a branch office assumes control of its own operations and, if the customer so desires, those of other branch offices.
System description HiPath 3000
HiPath 3000 is the innovative Real Time IP communications system for SMEs. Here, the HiPath 3000, like the HiPath 4000, combines the advantages of IP-based communications, the comprehensive HiPath ComScendo Feature Set and good failsafe characteristics to produce the communication solution of your choice. Customers opt for HiPath 3000 as their communications platform on technical and economic grounds. The HiPath 3000 supports versatile, high-performance terminal devices in various configurations, so that the optimum product can be selected for each individual case to boost productivity and effectiveness. These options are, of course, also open to employees requiring high levels of mobility because they operate at different sites, as members of the field sales force or as teleworkers.
Even in its standard configuration, the system architecture of the HiPath 3000 enables its expansion from a standalone installation into a networked scenario. These expansion options afford the customer the advantage of being able to use data links between locations for voice communication at the same time, and to get to grips with communication via IP. The network interconnection can expand to handle up to 64 IP-networked sites. Use of the HiPath Management System enables the network interconnection to be administered centrally as a single image.
HiPath 3000 supports up to 500 VoIP (Voice over IP) users in standalone mode at one location, while a networked solution can handle a maximum of 1000 VoIP users. Here, HiPath 3000 functions autonomously, thus guaranteeing good failsafe qualities for the entire system.
Check Point Security for VoIP
Check Point offers distinct advantages for securing VoIP. VPN-1 Pro is a tightly integrated software solution that combines the market-leading FireWall-1 security suite with sophisticated VPN technologies to connect corporate networks, remote and mobile users, branch offices, and business partners for secure data, voice, and multimedia communications. FloodGate-1, integrated with VPN-1 Pro, guarantees or prioritizes bandwidth for real-time voice communications.
Security for complex mixed-protocol environments
SIP and H.323 protocols may be used together with appropriate gateways, and VPN-1 Pro supports both equally. VPN-1 Pro inspects VoIP control signals passing through the enforcement point to prevent call hijacking, fooled billing, and DoS attacks. Using information derived from the control signals, VPN-1 Pro provides this protection through:
- Dynamic management of RTP (media) sessions
- Analysis and enforcement of message states
- Verification of the existence and correctness of call parameters
- Maintenance of the call state for each call
- Enforcement of handover domains
VPN-1 Pro overcomes a significant limitation of other firewalls in a VoIP environment. It is the only firewall solution that accepts and allows inbound calls to the local network for both dynamic and non-routable IP addresses, handling both signaling and media traffic in real time.
As VoIP control signals always pass through the enforcement point, VPN-1 Pro secures the call by opening ports only for those endpoints negotiated during the signaling. It closes the ports as soon as the call ends, without waiting for a timeout. VPN-1 Pro also enforces the order and direction of the call's signaling and media connections. If both endpoints are on the same side of the VPN-1 Pro enforcement point but the signal routing device is on the other side, VPN-1 Pro is aware of this fact, and will not open any ports for the call.
Application Intelligence for SIP
Network and application level protection is accomplished through Check Point Application Intelligence. Using INSPECT, the most adaptive and intelligent inspection technology, VPN-1 Pro integrates both network-level and application-level protection and provides the highest level of security, with access control, attack protection, content security, authentication, and integrated Network Address Translation (NAT). Leveraging SMART Management, VPN-1 Pro enables you to intelligently manage security infrastructure with maximum efficiency. VPN-1 Pro restricts signal routing locations and controls signaling and data connections. VPN-1 Pro Application Intelligence™ ensures packets conform to RFC 3261 for SIP over UDP/IP and inspects SIP-based Instant Messaging protocols.
It protects against Denial of Service (DoS) attacks and against penetration attempts such as connection hijacking and connection manipulation. VPN-1 Pro validates the expected usage of the SIP protocol. For example, if an end-of-call message comes immediately after the start of the call, the call will be denied because this behavior is characteristic of a DoS attack.
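The behaviour described in the two sections above (pinholes opened only for the RTP endpoints negotiated in the SIP signaling, closed at once on BYE, no pinholes when both endpoints sit on the same side of the enforcement point, and a BYE arriving immediately after the INVITE treated as a DoS pattern) can be modelled as a small stateful inspector. The following is an added illustration, not Check Point's INSPECT code; the `INSIDE_PREFIX` side definition, the `sip()` message builder and the one-second threshold are constructed assumptions for the example.

```python
import re

INSIDE_PREFIX = "10.0.0."   # constructed: addresses on the protected side of the enforcement point

def parse_sip(msg):
    """Return (kind, call_id, media); media is the (ip, port) from the SDP c=/m= lines, if any."""
    head, _, body = msg.partition("\r\n\r\n")
    first = head.split("\r\n", 1)[0]
    kind = first.split()[1] if first.startswith("SIP/2.0") else first.split()[0]
    call_id = re.search(r"^Call-ID:\s*(\S+)", head, re.M).group(1)
    ip = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    port = re.search(r"^m=audio (\d+) ", body, re.M)
    return kind, call_id, ((ip.group(1), int(port.group(1))) if ip and port else None)

def sip(kind, cid, ip=None, port=None):   # constructed minimal SIP message with optional SDP
    start = "SIP/2.0 200 OK" if kind == "200" else f"{kind} sip:bob@example.com SIP/2.0"
    sdp = f"c=IN IP4 {ip}\r\nm=audio {port} RTP/AVP 0\r\n" if ip else ""
    return f"{start}\r\nCall-ID: {cid}\r\n\r\n{sdp}"

class SipInspector:
    """Per-Call-ID state; RTP pinholes exist only between the answered INVITE and the BYE."""
    def __init__(self, min_call_secs=1.0):
        self.calls, self.pinholes, self.min = {}, set(), min_call_secs
    def _set_pinholes(self, call, open_):
        a, b = call["media"]
        # Both endpoints on the same side of the enforcement point: media never crosses it.
        if a[0].startswith(INSIDE_PREFIX) == b[0].startswith(INSIDE_PREFIX):
            return
        (self.pinholes.update if open_ else self.pinholes.difference_update)({a, b})
    def inspect(self, msg, now):
        kind, cid, media = parse_sip(msg)
        call = self.calls.get(cid)
        if kind == "INVITE":
            if call or media is None:           # INVITE for a live call or without SDP: drop
                return "DROP"
            self.calls[cid] = {"started": now, "media": [media]}
            return "ALLOW"
        if call is None:                        # no call context: out-of-order signaling
            return "DROP"
        if kind == "200" and media and len(call["media"]) == 1:   # callee's answer SDP
            call["media"].append(media)
            self._set_pinholes(call, True)
            return "ALLOW"
        if kind == "BYE":
            if len(call["media"]) == 2:
                self._set_pinholes(call, False)  # close at once, no timeout wait
            del self.calls[cid]
            # End-of-call right after call start is the DoS pattern described: deny the call.
            return "DENY" if now - call["started"] < self.min else "ALLOW"
        return "DROP"
```

Media packets are admitted only while their `(ip, port)` pair is in `pinholes`, so RTP to an endpoint that was never negotiated in signaling has no path through the inspector.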
Guaranteed or prioritized bandwidth for VoIP protocols
Integrated with VPN-1 Pro, FloodGate-1 improves the VoIP experience by providing guaranteed or prioritized bandwidth for VoIP protocols. The quality of service can be managed for both encrypted and unencrypted VoIP traffic. FloodGate-1 supports Differentiated Services (DiffServ). If QoS is managed by VoIP gateways behind VPN-1/FireWall-1, FloodGate-1 uses the DiffServ settings.