Besides the platform, a key component to success is the quality of the network on which the platform will function.
In this blog article we will analyze which network devices must be chosen carefully, and which technologies we need to be familiar with to successfully deploy our UC solution.
Firewall / Routers
As seen in Reviewing Security Concerns of UC solutions, firewalls and routers should be considered only as a support for enforcing security. The UC server and the connected devices must be secure even in the absence of dedicated devices such as firewalls or SBCs with packet-inspection capabilities. This is achievable only by applying best practices and security policies inside the UC solution itself.
Firewalls and routers remain important for prioritizing real-time traffic and for monitoring suspicious network activity.
Even the quality of connectivity dedicated to VoIP can be easily disrupted by excessive traffic generated by external sources. Scans or attacks performed from the Internet can consume all the available bandwidth, making it impossible to place calls.
To prevent these kinds of problems, the operator providing the connectivity must have checks in place to identify attacks and react by blocking the traffic before it reaches the local firewall or router. The local firewall or router should, of course, also report such activity.
In general, when a UC and VoIP system is introduced, there must be reliable checks in place on the quality of the Internet connectivity and of the internal LAN. Firewalls and routers should generate traffic statistics and notifications that allow IT managers to identify connectivity problems immediately. A good traffic analysis system lets network administrators solve the problem even before users start noticing it.
SIP ALG
This technology is supposed to simplify the life of SIP devices behind NAT/PAT. It works by rewriting the relevant SIP headers and the SDP session description with the public address of the router and the port it has opened.
When SIP traffic is encrypted using TLS, routers cannot perform any packet manipulation, so devices using TLS are not affected.
Unfortunately, the majority of SIP operators do not support TLS and encryption, which leaves SIP-ALG-enabled routers free to modify the packets in transit. The problem is that SIP-ALG implementations often do not work correctly, or the modifications made by the SIP-ALG application on the router conflict with the NAT traversal header changes already made by the SIP endpoint (usually a STUN-enabled device). In such cases the result is one-way calls, or calls with no audio at all.
The best resolution is to disable SIP-ALG altogether, and always use encryption whenever possible.
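As an added example (not part of the original post), the following Python check inspects one SIP INVITE as captured at the PBX and flags the inconsistency a misbehaving SIP-ALG leaves behind: Via/Contact rewritten to the router's public address while the SDP still advertises the phone's private address. The INVITE, the phone address 192.168.1.20 and the router address 203.0.113.10 are constructed sample values.

```python
import ipaddress
import re

# RFC 1918 ranges, i.e. what a NAT router rewrites (is_private() is broader).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed INVITE as seen by the PBX after a SIP-ALG router rewrote the
# Via/Contact headers but not the SDP. 203.0.113.10 stands in for the public IP.
SAMPLE_INVITE = (
    "INVITE sip:201@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:100@pbx.example.com>;tag=1928\r\nTo: <sip:201@pbx.example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\nCSeq: 314159 INVITE\r\n"
    "Contact: <sip:100@203.0.113.10:5060>\r\nContent-Type: application/sdp\r\n\r\n"
    "v=0\r\no=- 2890844526 2890844526 IN IP4 192.168.1.20\r\ns=-\r\n"
    "c=IN IP4 192.168.1.20\r\nt=0 0\r\nm=audio 10000 RTP/AVP 0 8 101\r\n"
)

def is_rfc1918(host):
    """True only for a literal IPv4 address inside an RFC 1918 range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # a hostname, not an address
        return False
    return any(addr in net for net in RFC1918)

def parse_sip(msg):
    """Return ({lower-case header name: [values]}, body) for one message."""
    head, _, body = msg.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body

def nat_findings(msg):
    """Compare signaling vs media addresses; return a list of findings."""
    headers, body = parse_sip(msg)
    # Via sent-by and Contact hosts are what a SIP-ALG rewrites first.
    sig = re.findall(r"SIP/2\.0/\w+ ([^\s;:]+)", " ".join(headers.get("via", [])))
    sig += re.findall(r"@([^\s;:>]+)", " ".join(headers.get("contact", [])))
    media = m.group(1) if (m := re.search(r"^c=IN IP4 (\S+)", body, re.M)) else None
    findings = []
    if media and is_rfc1918(media):
        findings.append(f"SDP c= advertises private media address {media}")
        if sig and not any(is_rfc1918(h) for h in sig):
            findings.append("signaling already public but SDP still private: "
                            "partial SIP-ALG rewrite, expect one-way audio")
    return findings
```

Run the same check over INVITEs captured at both sides of the router to see which device performed each rewrite.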
Switches and PoE
Where VoIP phones are used, PoE switches help reduce cabling: a single Ethernet cable carries both voice and data, and the phone works as a bridge between the network and the PC connected to it.
LAN Network Separation
Advanced switches also support VLANs, which separate voice from data traffic. This allows us to prioritize voice and prevents data traffic from degrading communication quality. Some switches automate the configuration of these VLANs: they tag voice traffic automatically by matching the source MAC address against a list of known VoIP manufacturer MAC address ranges. This feature can save a lot of time when setting up the system, and later on when adding endpoints or other network devices.
Switches can also detect network attacks generated by local devices and block them immediately, without causing any service disruption.