Monday, March 10, 2008

Application Proxies

A proxy server acts as a translator for transactions or calls of different types. If
Johnny’s phone speaks IAX and Jen’s phone speaks only SIP, the proxy sits between
them and translates the message as necessary. Even if both sides speak the same protocol,
be it HTTP or SIP, there are security or NAT or other boundaries that call
for either a proxy or packet manipulation in an Application Layer Gateway (ALG)
within a firewall. The benefit of an application proxy is that it can be designed
specifically for a protocol (or even a manufacturer’s implementation of a protocol).
In addition to allowing boundary traversal, a proxy can also be used as a means of
access control, ensuring that a user has the rights to place a call before allowing it to
proceed. And the best proxies can even guard against malformed packets and certain
types of DoS attacks. Depending on the complexity of your call requirements, a
proxy may be integrated into a PBX or Media Server, or it may be an entirely different
piece of hardware.
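
One way a SIP proxy could apply the access-control and malformed-packet checks described above, as an added example that is not from the original text. The policy table, the 4096-byte limit, and the `example.test` addresses are assumptions, and the parser is simplified (no compact header names or folded header lines).

```python
import re

# Constructed policy (hypothetical users): caller URI -> permitted dial prefixes.
CALL_POLICY = {"sip:johnny@example.test": ("1", "2"),
               "sip:jen@example.test": ("1", "2", "9")}
SINGLE = ("from", "to", "call-id", "cseq", "max-forwards")  # must appear exactly once
REQUEST_LINE = re.compile(r"INVITE sip:([^\s@]+)@[^\s@]+ SIP/2\.0")

def parse_invite(raw):
    """Return (dialed_user, headers); raise ValueError on malformed input."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if len(raw) > 4096 or not sep:
        raise ValueError("oversized or unterminated message")
    lines = head.decode("ascii").split("\r\n")  # non-ASCII raises ValueError
    m = REQUEST_LINE.fullmatch(lines[0])
    if not m:
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        key = name.strip().lower()
        if not colon or not key or (key in SINGLE and key in headers):
            raise ValueError("bad or duplicate header")
        headers[key] = value.strip()
    if any(h not in headers for h in ("via",) + SINGLE):
        raise ValueError("missing mandatory header")
    if not re.fullmatch(r"\d{1,10} INVITE", headers["cseq"]):
        raise ValueError("CSeq does not match method")
    return m.group(1), headers

def admit(raw):
    """Proxy decision for one INVITE: (status_code, reason)."""
    try:
        dialed, headers = parse_invite(raw)
    except ValueError as exc:
        return 400, f"Bad Request: {exc}"
    # From is caller-asserted; assume digest authentication already verified it.
    caller = re.search(r"<(sip:[^>]+)>", headers["from"])
    allowed = CALL_POLICY.get(caller.group(1)) if caller else None
    if allowed is None:
        return 403, "Forbidden: unknown caller"
    if not dialed.startswith(allowed):
        return 403, "Forbidden: destination not permitted"
    return 100, "Trying"

# Constructed sample INVITE (not captured traffic).
SAMPLE = b"\r\n".join([b"INVITE sip:9123@example.test SIP/2.0",
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776", b"Max-Forwards: 70",
    b"From: <sip:johnny@example.test>;tag=1928", b"To: <sip:9123@example.test>",
    b"Call-ID: a84b4c76e66710", b"CSeq: 1 INVITE", b"", b""])
```

`admit(SAMPLE)` is refused with 403 because the constructed policy does not let johnny dial the `9` prefix; the same request from jen is admitted.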



Endpoints (User Agents)
In a phone system, an endpoint on the network was known as a terminal, reflecting
the fact that it was a slave to the switch or call-control server. But today’s endpoints
may possess much more intelligence, thus in the SIP world the term User Agent is
preferred. This could be a hardware IP telephone, a softphone, or any other device or
service capable of originating or terminating a communication session directly or as
a proxy for the end user.


Softphones
With the advent of VoIP technology, users are able to break free of classical physical
restrictions of communication, namely the special-purpose telephone terminal. A softphone
is a piece of software that handles voice traffic through a computer using a standard
computer speaker and microphone (or improved audio equipment that is
connected through an audio or multimedia card). Softphones can emulate the look
and feel of a traditional phone, using the familiar key layout of a traditional phone and
often even emulating the DTMF sounds you hear when you dial a call. Or it may
look more like an instant messaging (IM) client, and act like audio chat added to IM.
In fact, a softphone doesn’t even need a computer microphone or speaker: my
favorite doesn’t need to send media through the computer at all in telecommuter
mode—it just uses H.323 signaling to tell my media server which PSTN number (or
extension) to dial for sending and receiving the audio. This lets me turn any phone
into a fully featured clone of my work extension without regard to QoS available to
me on my Internet connection.
Because a softphone resides on a PC, the principle of logically separating voice
and data networks is defeated as the PC must reside in both domains. You will need
to consider this trade-off as you design appropriate security policy for your VoIP
network, although the long-term trends favor voice-data integration, so at best
maintaining physical separation can be only a temporary strategy.
Consumer softphones have exploded over the past few years and nothing is
hotter than Skype in that space. Skype is the brainchild of the people who brought
us the Kazaa file sharing framework. Utilizing peer-to-peer technology and an
encrypted signaling and media channel, Skype has proven to be both easy to set up
and use securely by end users, while simultaneously being a thorn in the side of network
administrators. Because it aggressively jumps past firewalls to create call traffic,
it is considered to be a threat by many enterprise security groups.
One of Skype’s major enhancements over instant-messaging-based voice is its
superb codec, which is actually better than that used within traditional telephone
infrastructure. This provides superior call quality when contacting other Skype users.
Another major benefit of Skype is the ability to reach any phone in the PSTN by
way of SkypeOut gateways. With its PSTN gateway, Skype has become an attractive
alternative for small overseas call centers and other Internet businesses.
Are You 0wned?



Consumer Softphone Gotchas
Many consumer-oriented softphones contain advertising software that “phones
home” with private user information. Several popular softphones (such as X-Lite)
store credentials unencrypted in the Windows registry even after uninstallation
of the program. Softphones require that PC-based firewalls open a number of
high UDP ports as part of the media stream transaction. Additionally, any special
permissions that the VoIP application has within the host-based firewall rule set
will apply to all applications on that desktop (e.g., peer-to-peer software may use
SIP for bypassing security policy prohibitions).
Also consider that malware affecting any other application software on the
PC can also interfere with voice communications. The flip-side is also true—malware
that affects the VoIP software will affect all other applications on the PC and
the data services available to that PC (a separate VoIP phone would not require
access to file services, databases, etc.).
