Voice over Internet Protocol (VoIP) is a relatively new technology in which voice is carried over packet-switched networks. It allows voice calls to be made over a broadband internet connection instead of a conventional PSTN landline, and a call can reach another computer as well as ordinary fixed and mobile telephone numbers. It therefore provides all the services of a telephone, plus additional facilities made possible by the internet as the transport medium.
VoIP services can be seen as the commercial realization of the Network Voice Protocol, which came into being in 1973. VoIP usage is growing at an exponential rate because calls are cheap: only a data network has to be set up, and the call service rides on that network, which makes the cost of a VoIP call very low compared with other services.
The development of standards, or 'protocols', for VoIP is still embryonic. Two main open protocols enable VoIP, alongside a number of proprietary vendor protocols. In an open environment such as the internet, mounting an attack on a telephony server is much easier than on a closed telephone network: VoIP services are based on consistent, open technologies such as SIP and H.323, run on servers reachable over the internet, and are implemented in software. Of the several protocols that enable VoIP, the two main open ones are explained below, beginning with H.323.
H.323 is a protocol suite specified by the International Telecommunication Union (ITU) that lays a foundation for IP-based real-time communication covering audio, video and data. It allows different configurations of the three: audio only, audio and video, audio and data, or audio, video and data together. H.323 does not specify the packet network or the transport protocols beneath it. The standard defines four kinds of VoIP component: terminals, gateways, gatekeepers and Multipoint Control Units. Terminals are the end-user equipment discussed in the previous article, Components of Voice Over Internet Protocol (VoIP). Gateways handle communication between unlike networks, performing protocol translation and media format conversion. Gatekeepers provide services such as addressing, authorization and authentication, accounting and call routing. Multipoint Control Units handle conferencing.
Fig: H.323 Architecture
The ITU defines an H.323 zone as a set of terminals, gateways and Multipoint Control Units together with the single gatekeeper that manages it. H.323 uses different protocols for different needs. Audio and video codecs encode and decode the media. H.225.0 covers two things: Registration, Admission and Status (RAS) signaling and call signaling. RAS runs between an endpoint (a terminal, gateway or MCU) and its gatekeeper and, as its name implies, handles registration and admission control; it also manages changes in bandwidth and the disengage procedure at the end of a call. The RAS channel is opened between the endpoint and the gatekeeper before any other channel, and RAS messages pass over it. Call signaling channels are opened between endpoints, or between an endpoint and a gatekeeper when calls are gatekeeper-routed, and are used to set up connections; call setup and termination use Q.931 messages. H.245 handles channel negotiation, including capability exchange, flow control and general commands, and H.235 specifies security. The Real-time Transport Protocol (RTP) carries the media, typically over UDP, and provides a timestamp, a sequence number, a payload type and the means to monitor delivery; the RTP Control Protocol (RTCP) is used mainly to monitor quality and manage synchronization. As mentioned above, the H.235 part of H.323 defines the security profiles. These address authentication, integrity, privacy and non-repudiation and are expressed as annexes to H.235 Version 2, namely Annexes D, E and F:
- Annex D provides message integrity and/or authentication using symmetric keys. It also has a voice encryption option.
- Annex E provides authentication, message integrity and non-repudiation using asymmetric methods.
- Annex F is a hybrid of Annex D and Annex E providing authentication, non-repudiation and message integrity.
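The media layer of the stack described above is the part an operator most often has to inspect, because every RTP packet crosses the firewall on a port that was negotiated for that one call. The following Go program is an added example, not code from the original article or from any H.323 implementation: it parses the RTP fixed header (version, payload type, sequence number, timestamp, SSRC), the CSRC list and the optional header extension with a bounds check on every length taken from the packet, and tracks sequence numbers the way an RTCP receiver report does in order to count lost packets. The bytes in SamplePacket are constructed for the example, not captured from a real call.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// RTPHeader holds the RTP fixed header fields (RFC 3550, section 5.1)
// and the offset at which the payload begins.
type RTPHeader struct {
	Version     uint8
	Extension   bool
	PayloadType uint8
	Sequence    uint16
	Timestamp   uint32
	SSRC        uint32
	CSRC        []uint32
	PayloadOff  int
}

// ParseRTP decodes the fixed header, the CSRC list and, if the X bit is
// set, the header extension. The CSRC count and the extension length are
// read from the packet, so each is checked before it is used as an offset.
func ParseRTP(pkt []byte) (RTPHeader, error) {
	var h RTPHeader
	if len(pkt) < 12 {
		return h, errors.New("shorter than the 12-byte RTP fixed header")
	}
	h.Version = pkt[0] >> 6
	if h.Version != 2 {
		return h, fmt.Errorf("unsupported RTP version %d", h.Version)
	}
	h.Extension = pkt[0]&0x10 != 0
	cc := int(pkt[0] & 0x0f)
	h.PayloadType = pkt[1] & 0x7f
	h.Sequence = binary.BigEndian.Uint16(pkt[2:4])
	h.Timestamp = binary.BigEndian.Uint32(pkt[4:8])
	h.SSRC = binary.BigEndian.Uint32(pkt[8:12])
	off := 12
	if len(pkt) < off+4*cc {
		return h, errors.New("truncated inside the CSRC list")
	}
	for i := 0; i < cc; i++ {
		h.CSRC = append(h.CSRC, binary.BigEndian.Uint32(pkt[off:off+4]))
		off += 4
	}
	if h.Extension {
		if len(pkt) < off+4 {
			return h, errors.New("truncated inside the extension header")
		}
		// Extension length is in 32-bit words and excludes its 4-byte header.
		extLen := int(binary.BigEndian.Uint16(pkt[off+2:off+4])) * 4
		off += 4
		if len(pkt) < off+extLen {
			return h, errors.New("extension length exceeds the packet")
		}
		off += extLen
	}
	h.PayloadOff = off
	return h, nil
}

// SeqTracker follows one SSRC's 16-bit sequence numbers and counts gaps,
// the basis of the "cumulative packets lost" field of an RTCP receiver report.
type SeqTracker struct {
	started  bool
	expected uint16
	Received int
	Lost     int
}

func (t *SeqTracker) Observe(seq uint16) {
	t.Received++
	if !t.started {
		t.started, t.expected = true, seq+1
		return
	}
	gap := int(int16(seq - t.expected)) // uint16 then int16: wrap-safe signed distance
	if gap < 0 { // late arrival of a packet already counted as lost
		if t.Lost > 0 {
			t.Lost--
		}
		return
	}
	t.Lost += gap
	t.expected = seq + 1
}

// SamplePacket is a constructed (not captured) G.711 A-law packet with
// one CSRC entry and a one-word header extension.
var SamplePacket = []byte{
	0x91, 0x88, 0x00, 0x01, // V=2, X=1, CC=1; M=1, PT=8; sequence 1
	0x00, 0x00, 0x01, 0x60, // timestamp 352
	0x01, 0x02, 0x03, 0x04, // SSRC
	0x0a, 0x0b, 0x0c, 0x0d, // CSRC
	0xbe, 0xde, 0x00, 0x01, // extension profile and length (1 word)
	0x11, 0x22, 0x33, 0x44, // extension data
	0xd5, 0xd5, 0xd5, 0xd5, // 4 bytes of audio payload
}
```

The length checks are the security-relevant part: RTP arrives over UDP from whatever address the signaling named, so the CSRC count and the extension length are attacker-controlled, and a parser that trusts them reads past the end of the datagram.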
The four security goals (authentication, integrity, privacy and non-repudiation) are achieved with four mechanisms: configuration, authentication, key exchange and encryption. During initial configuration the device is authorized onto the network and may be authenticated. Integrity and privacy are achieved through cryptographic protection using symmetric or asymmetric keys (a keyed hash or signature for integrity, encryption for privacy). For the fourth goal, non-repudiation, a digital signature is attached: only the holder of the private key can produce it, whereas a symmetric message authentication code can be generated by any party holding the shared key and therefore proves nothing to a third party.
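To make the difference between Annex D and Annex E concrete, the following Go code is an added example, not the H.235 encoding itself or code from the article: a simplified ClearToken (sender, timestamp, random value, message body), an Annex D style HMAC-SHA1-96 under a shared secret, an Annex E style signature (Ed25519 here, standing in for the certificate-based signatures H.235 actually uses), and a verifier that checks the MAC or signature and then freshness with a timestamp window and a cache of tokens already accepted. The token layout, the injectable clock and the window size are the example's own choices.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"time"
)

// Token is a simplified stand-in for an H.235 ClearToken: who is sending,
// when, a random value, and the signaling message body being protected.
type Token struct {
	SenderID  string
	Timestamp int64 // seconds since the Unix epoch
	Random    uint32
	Body      []byte
}

// encode is the byte string the MAC or signature covers. Length-prefixing
// the ID keeps "ab"+"c" and "a"+"bc" from producing the same bytes.
func (t Token) encode() []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, uint16(len(t.SenderID)))
	b.WriteString(t.SenderID)
	binary.Write(&b, binary.BigEndian, t.Timestamp)
	binary.Write(&b, binary.BigEndian, t.Random)
	b.Write(t.Body)
	return b.Bytes()
}

// SymmetricMAC follows the Annex D baseline profile: HMAC-SHA1 over the
// token, truncated to 96 bits, keyed with a secret shared out of band.
func SymmetricMAC(key []byte, t Token) []byte {
	m := hmac.New(sha1.New, key)
	m.Write(t.encode())
	return m.Sum(nil)[:12]
}

// Sign is the Annex E style: a signature with the sender's private key.
// Ed25519 is used for brevity; the property demonstrated is the same.
func Sign(priv ed25519.PrivateKey, t Token) []byte {
	return ed25519.Sign(priv, t.encode())
}

type seenKey struct {
	id string
	ts int64
	r  uint32
}

// Verifier checks the MAC or signature first, then freshness: the timestamp
// must lie inside the window and the (sender, time, random) triple must not
// have been accepted before. Without that second step a captured message
// with a valid MAC could simply be replayed.
type Verifier struct {
	Window time.Duration
	Now    func() time.Time // injectable clock
	seen   map[seenKey]int64
}

func NewVerifier(window time.Duration) *Verifier {
	return &Verifier{Window: window, Now: time.Now, seen: map[seenKey]int64{}}
}

func (v *Verifier) fresh(t Token) error {
	now := v.Now().Unix()
	w := int64(v.Window / time.Second)
	for k, ts := range v.seen { // forget entries that can no longer be replayed
		if ts < now-w {
			delete(v.seen, k)
		}
	}
	if t.Timestamp < now-w || t.Timestamp > now+w {
		return errors.New("timestamp outside the acceptance window")
	}
	k := seenKey{t.SenderID, t.Timestamp, t.Random}
	if _, dup := v.seen[k]; dup {
		return errors.New("replayed token")
	}
	v.seen[k] = t.Timestamp
	return nil
}

// VerifySymmetric accepts a token under the shared key. The verifier holds
// the same key, so it could have produced the MAC itself: this proves origin
// to the peer but not to a third party, i.e. no non-repudiation.
func (v *Verifier) VerifySymmetric(key []byte, t Token, mac []byte) error {
	if !hmac.Equal(mac, SymmetricMAC(key, t)) {
		return errors.New("bad MAC")
	}
	return v.fresh(t)
}

// VerifySigned accepts a token under the sender's public key; only the
// holder of the private key could have produced the signature.
func (v *Verifier) VerifySigned(pub ed25519.PublicKey, t Token, sig []byte) error {
	if !ed25519.Verify(pub, t.encode(), sig) {
		return errors.New("bad signature")
	}
	return v.fresh(t)
}
```

The MAC is checked before the freshness bookkeeping so that unauthenticated garbage never enters the seen cache, and the non-repudiation point from the text shows up directly: a token the verifier forges with the shared key passes VerifySymmetric, while a token that passes VerifySigned could only have come from the private key.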
H.323 Security Concerns
Setting up VoIP connections with H.323 is a complicated process, and adding security measures makes it more complex still. Several protocols in the H.323 suite (H.245 and the RTP/RTCP media streams) use dynamically negotiated ports, which makes them hard to secure with a firewall, although this may be partly mitigated by using direct-routed calls. Because the ports H.323 will use are not fixed, a simple packet-filtering firewall would have to leave every port that might be needed open. The firewall therefore needs to be H.323 aware: it must read the signaling to learn which ports a call will use and open only those, without opening the firewall to other traffic. A stateful firewall and/or an application-level firewall is required to ensure that the characteristics of each connection stay consistent. Network Address Translation is a problem for H.323 because the IP address and port in the IP header no longer match the addresses carried inside the H.225.0 and H.245 messages; this too may be mitigated with an H.323-aware firewall that rewrites the embedded addresses. Other security measures are also restricted when NAT is involved: integrity protection over the signaling, for example, fails if a middlebox rewrites the addresses inside a message that a MAC or signature covers.
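The firewall and NAT problems above can be shown in a few lines of code. The following Go program is an added example, not code from the article or from any firewall product: a simplified media offer standing in for the transport address carried inside an H.245 OpenLogicalChannel message (the real field is ASN.1 encoded inside the TCP payload), a consistency check showing why the embedded address no longer matches the IP header after NAT, a naive filter that must leave the whole dynamic UDP range open, and an H.323-aware firewall whose application-level gateway rewrites the embedded addresses and opens pinholes for exactly the negotiated ports, closing them with the call. The addresses, ports and call identifiers in Scenario are constructed for the example.

```go
package main

import "fmt"

// Endpoint is an IP address (as text) and a port; comparable, so usable as a map key.
type Endpoint struct {
	IP   string
	Port uint16
}

// MediaOffer stands in for the part of an H.245 OpenLogicalChannel (or an
// H.225.0 fast-start element) that tells the far end where to send RTP and
// RTCP: a transport address carried in application data, not in the IP header.
type MediaOffer struct {
	Caller string
	RTP    Endpoint
	RTCP   Endpoint
}

// CheckConsistency is the check a plain packet filter cannot act on: after
// NAT the outer IP header names the public address while the offer inside
// the payload still carries the private one.
func CheckConsistency(outerSrcIP string, offer MediaOffer) error {
	if offer.RTP.IP != outerSrcIP {
		return fmt.Errorf("offer advertises %s but the packet came from %s", offer.RTP.IP, outerSrcIP)
	}
	return nil
}

// Firewall keeps the state an H.323-aware firewall needs: the fixed
// signaling ports plus pinholes learned from the signaling of each call.
type Firewall struct {
	pinholes map[Endpoint]string // public media endpoint -> call id
}

func NewFirewall() *Firewall { return &Firewall{pinholes: map[Endpoint]string{}} }

// AllowInbound decides for an inbound packet to dst. RAS (1719/udp) and
// H.225.0 call signaling (1720/tcp) are always reachable; media only
// through a pinhole opened by an inspected offer.
func (f *Firewall) AllowInbound(proto string, dst Endpoint) bool {
	if (proto == "udp" && dst.Port == 1719) || (proto == "tcp" && dst.Port == 1720) {
		return true
	}
	_, ok := f.pinholes[dst]
	return proto == "udp" && ok
}

// NaiveAllowInbound is what a filter without H.323 awareness is reduced to:
// media ports are negotiated per call, so it leaves the whole dynamic UDP
// range open to every host behind it, all the time.
func NaiveAllowInbound(proto string, dst Endpoint) bool {
	return (proto == "tcp" && dst.Port == 1720) || (proto == "udp" && dst.Port >= 1024)
}

// NAT holds the private -> public mappings of a translating router.
type NAT struct {
	mappings map[Endpoint]Endpoint
}

// ALG is the application-level gateway: it rewrites the embedded media
// addresses to their public mappings, so the far end sends RTP somewhere
// routable, and opens pinholes for exactly those ports, tagged with the
// call so they can be closed with it.
func (n *NAT) ALG(fw *Firewall, callID string, offer MediaOffer) (MediaOffer, error) {
	pubRTP, ok1 := n.mappings[offer.RTP]
	pubRTCP, ok2 := n.mappings[offer.RTCP]
	if !ok1 || !ok2 {
		return offer, fmt.Errorf("no NAT mapping for %v or %v", offer.RTP, offer.RTCP)
	}
	out := offer
	out.RTP, out.RTCP = pubRTP, pubRTCP
	fw.pinholes[pubRTP] = callID
	fw.pinholes[pubRTCP] = callID
	return out, nil
}

// CloseCall removes every pinhole of a call when it ends, so the opening
// lasts no longer than the call itself.
func (f *Firewall) CloseCall(callID string) {
	for ep, id := range f.pinholes {
		if id == callID {
			delete(f.pinholes, ep)
		}
	}
}

// Scenario is constructed data: a phone at 10.0.0.5 behind a NAT whose
// public address is 203.0.113.9, offering RTP on port 16384 and RTCP on 16385.
func Scenario() (*NAT, MediaOffer) {
	n := &NAT{mappings: map[Endpoint]Endpoint{
		{"10.0.0.5", 16384}: {"203.0.113.9", 30000},
		{"10.0.0.5", 16385}: {"203.0.113.9", 30001},
	}}
	offer := MediaOffer{Caller: "phone-5", RTP: Endpoint{"10.0.0.5", 16384}, RTCP: Endpoint{"10.0.0.5", 16385}}
	return n, offer
}
```

The ALG is also where the restriction on other security measures becomes visible: because it changes bytes inside the signaling message, any H.235 integrity check that covers those bytes will fail unless the gateway itself is a party to the security association.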