Firewall Integration - NEC Univerge SV9100 Manual

Issue 2.0
4.2
SV9100 Networking Manual
It is necessary to create some kind of Intranet environment (across the Internet),
with fixed network characteristics, where VoIP solutions can tolerate some minor
variations. IT personnel have been tasked with implementing different
mechanisms in the network to support the new demands required on the
converged network. Some solutions that have been implemented are:
- QoS devices to support precedence settings of voice packets.
- Replacement of hubs with switches to support 100 Mbps full-duplex
  transmission.
- Firewall integration to protect the internal network from external attack.
- Network Address Translation (NAT) devices, which are widely deployed to
  support the addressing issues.
- Virtual Private Network (VPN) servers, which were added to Enterprise
  networks to support the security and connectivity issues for remote users.
Some solutions, such as the hub replacement and integration of QoS, are done
behind the scenes and should have no effect on the voice application. Other
solutions, such as NAT and firewalls, cause major disruption to VoIP.
Implementing a VPN is the only way to resolve these issues.

Firewall Integration

Network security is always a concern when connecting the Local Area Network
(LAN) to the Wide Area Network (WAN). There are many ways to integrate
security in the network – the most popular are Firewalls and Proxy servers.
Firewalls
Firewalls can be implemented in both hardware and software, or a combination
of both. Firewalls are frequently used to prevent unauthorized Internet users
from accessing private networks connected to the Internet, especially intranets.
All messages entering or leaving the intranet pass through the firewall, which
examines each message and blocks those that do not meet the specified
security criteria.
Proxy Server
A proxy server intercepts all messages entering and leaving the network. The
proxy server effectively hides the true network address.
Note that no matter which security measure is implemented, the VoIP
application must have TCP/UDP ports open in the security wall (e.g.,
firewall/proxy) for the media and control streams to flow. If any point in the
network prevents traffic on these ports from flowing end to end, the VoIP
application does not work.
The ports that need to be open on the firewall/proxy vary depending on the
particular application being used. A list of these ports is shown below;
however, the preferred solution is to allow all ports on the UNIVERGE SV9100
device to be open, or to place the SV9100 outside of the firewall.
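The end-to-end requirement above can be checked before a rollout by auditing every hop's rule set against the required control and media ports. The following Python sketch is an added example, not taken from the NEC manual; the port numbers, hop names and rule sets are constructed placeholders (not the SV9100 port list), and it assumes first-match rules on destination port with a default deny.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp" or "udp"
    ports: range  # destination ports this rule matches

@dataclass(frozen=True)
class Flow:
    name: str     # "control" or "media"
    proto: str
    ports: range

def permitted(rules, proto, port):
    """First matching rule wins; no match falls through to default deny."""
    for rule in rules:
        if rule.proto == proto and port in rule.ports:
            return rule.action == "allow"
    return False

def blocked(path, flows):
    """List (hop, flow, first blocked port, blocked count) per hop that drops part of a flow."""
    findings = []
    for hop, rules in path:
        for flow in flows:
            bad = [p for p in flow.ports if not permitted(rules, flow.proto, p)]
            if bad:
                findings.append((hop, flow.name, bad[0], len(bad)))
    return findings

def works_end_to_end(path, flows):
    """The call only works if every hop passes every required port."""
    return not blocked(path, flows)

# Constructed placeholder ports, NOT the SV9100 port list.
REQUIRED = [Flow("control", "tcp", range(5000, 5001)),
            Flow("media", "udp", range(20000, 20100))]
# Constructed rule sets for two hops between the endpoints.
PATH = [
    ("site-A firewall", [Rule("allow", "tcp", range(5000, 5001)),
                         Rule("allow", "udp", range(20000, 20100))]),
    ("site-B proxy", [Rule("allow", "tcp", range(5000, 5001)),
                      Rule("allow", "udp", range(20000, 20050))]),
]

if __name__ == "__main__":
    for hop, flow, port, count in blocked(PATH, REQUIRED):
        print(f"{hop}: {flow} blocked from port {port} ({count} ports)")
    print("end to end:", works_end_to_end(PATH, REQUIRED))
```

In the sample data the control stream passes both hops, but the second hop permits only half of the media range, which is the kind of partial opening that lets a call set up and then fail.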