New breed of firewalls secure the network without hurting call quality

VoIP (Voice over IP) represents an easily proven, cost-saving technology that many beleaguered IT executives are eager to exploit. Implementation, however, throws up hurdles, not the least of which is integrating VoIP into an existing security policy, especially the firewall.

The problem with sending VoIP traffic across firewall boundaries is the complex nature of VoIP traffic, especially NAT and its performance burden. NAT changes a packet’s source address from the private one used on the local network to a public address that can be routed over the Internet. In small networks this isn’t particularly taxing, but in large networks the processing time the firewall spends translating and routing traffic adds latency that VoIP calls cannot tolerate. Fixing this problem requires tweaking each firewall product for VoIP support, a Herculean task given the multitude of VoIP standards.

Fortunately, a new breed of products is emerging to ease this VoIP-firewall standoff before it becomes pervasive. We reviewed two self-billed VoIP-capable firewalls geared toward SMBs, the Ingate Firewall 1400 and the SonicWall Pro 2040. Although both proved effective, the SonicWall device held the advantage, boasting superior firewall capabilities and escaping the SIP-only limitation of Ingate’s VoIP support.

SonicWall Pro 2040

The 2040 represents a more typical example of VoIP support in a firewall package than does the SIP-dependent Ingate box. SonicWall has redesigned its software to deal with the performance problems associated with passing VoIP traffic. Further, the company has also improved on its core firewall offering. Unlike other firewall appliances we’ve tested at the University of Hawaii, it stood up to every attack we threw at it. Similar to the Ingate, the SonicWall 2040 is a 1U rack-mountable device with four 10/100 ports.
Unlike the Ingate, the SonicWall is based on a full-powered Intel Pentium III 800MHz CPU and the proprietary SonicOS, which probably accounts for its performance superiority over the Ingate.

SonicWall is clearly moving away from a port-blocking definition of firewall functionality, leaving that task largely to endpoint platforms, notably desktop-oriented defense packages such as Zone Labs’ ZoneAlarm. The message here is one heard from many firewall vendors: Simple perimeter security isn’t enough any more. Network security must be handled in layers, internally as well as on the edge. The 2040 is looking to make its mark in the areas of NAT, automatic handling of the plethora of existing denial-of-service attacks, and, finally, even more simplified management of VPNs.

The SonicWall fold-out quick-start guide made setup easy. We were able to achieve a default configuration quickly and to create custom rules following the well-documented manual and online help system. SonicWall’s Web browser-based management interface handles configuration, and once again the company has significantly improved this software in its never-ending quest for ultimate usability.

Our performance tests aimed to gather some basics of the 2040’s VPN performance, as well as to gauge how well it managed encryption processing. Our Spirent TeraVPN tests simulated up to 20 branch-office VPN connections. With a well-integrated encryption chip, the SonicWall showed almost no difference in performance between simple single DES encryption and the more demanding AES-256. VPN performance was good in this version of the 2040.
One important difference between it and previous iterations is the new VPN Wizard, which organizes VPN configuration into plain English with a wonderful, context-sensitive help system that takes much of the mystery out of the process.

Another nice feature, exemplifying SonicWall’s newfound VoIP friendliness, is the updated address management piece, including policy-based NAT, which is so important to VoIP-sensitive NAT traversal. Because VoIP sessions are dynamic, they require fast firewall NAT processing, and the SonicWall 2040 delivers in this department. This allows users to run either SIP- or H.323-based audio, video, or VoIP traffic over the device without the headache of tweaking firewall performance.

As far as call quality is concerned, after hooking the SonicWall into our lab’s SIP-based VoIP network and making a few tweaks to the SonicWall’s NAT management screen, we enjoyed clear calls from Hawaii to Las Vegas.

The SonicWall Pro 2040 represents a serious shift in the firewall appliance landscape, with less emphasis on traditional perimeter port-blocking defenses and far more emphasis on intelligent traffic management, specific attack defenses, and ever better ease of use. Add in things such as fourth-port fail-over, load balancing, and object-based management, and you have features normally found only in hugely expensive security devices.

Ingate Firewall 1400

Of the two firewall platforms reviewed, the Ingate Firewall 1400 represents the most complete VoIP-oriented solution — as long as you’re running a SIP-based VoIP system. In addition to being a capable SMB firewall, the 1400 includes a full SIP proxy and SIP registrar as standard features. The box is certainly adequate for typical firewall usage, but its voice orientation and its associated licensing policies will intrigue potential buyers. The 1400 is a 1U, rack-mounted, Celeron-based device capable of supporting up to 1,000 SIP users and (optionally) 100 concurrent VPN tunnels.
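The NAT-traversal problem behind both products’ SIP-aware NAT is that a phone writes its own private address into its SIP headers and SDP body, and ordinary NAT, which rewrites only the IP header, leaves those addresses unroutable for the far end. The following is an added example, not code from the review, Ingate or SonicWall; the INVITE, the addresses and the private-to-public mapping are constructed, and it shows the rewriting a SIP-aware NAT (application-level gateway) performs on such a message.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: an INVITE from a phone at a private (RFC 1918) address.
# The phone writes its own address into Via, Contact and the SDP body; plain
# NAT rewrites only the IP header and leaves all of these untouched.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bKabc\r\n"
    "From: <sip:alice@example.com>;tag=1\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 85\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 192.168.1.20\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "m=audio 4000 RTP/AVP 0\r\n"
)

ADDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(text: str) -> bool:
    """True if text is a dotted-quad address inside an RFC 1918 private range."""
    try:
        ip = ip_address(text)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def private_addresses(msg: str) -> set:
    """Private addresses embedded in a SIP message (headers and SDP body).
    Any that survive NAT are unroutable for the far end: signalling or media fails."""
    return {a for a in ADDR_RE.findall(msg) if is_rfc1918(a)}


def sip_aware_nat(msg: str, mapping: dict) -> str:
    """Rewrite embedded private addresses to their public mapping, as a SIP-aware
    NAT does, and fix Content-Length to match the rewritten SDP body.
    mapping is {private address: public address} (constructed for the example)."""
    def swap(m):
        return mapping.get(m.group(1), m.group(1))
    head, sep, body = msg.partition("\r\n\r\n")
    head, body = ADDR_RE.sub(swap, head), ADDR_RE.sub(swap, body)
    head = re.sub(r"(?im)^Content-Length:[^\r\n]*",
                  "Content-Length: %d" % len(body.encode()), head)
    return head + sep + body
```

A real SIP-aware NAT also reads the m= line so it can open and translate the dynamic RTP ports for the media stream, which is the part that makes the fast, per-session NAT processing the review describes necessary.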
Ingate has left one particularly notable omission: None of the 1400’s four network interfaces are GbE-capable, nor can they be upgraded. Additionally, the box cannot support a redundant power supply. To get these features, you’ll need to purchase the higher-end 1880.

Unlike the SonicWall, the Ingate’s initial configuration takes place at the command line, but Ingate’s documentation makes this process relatively easy. All subsequent management tasks can be accomplished through the unit’s browser-based interface.

On the SIP front, the Ingate 1400 packs a powerful punch. Not only does the firewall understand SIP and its associated security issues, its SIP registrar handles SIP-user and domain administration. The appliance also has a SIP proxy to manage incoming SIP requests, and it supports SIP-tolerant versions of NAT, PAT (Port Address Translation), and TLS (Transport Layer Security). The latter is handy for encrypting SIP signaling, addressing many customers’ worries about the security of VoIP-based phone calls. The Ingate 1400’s VoIP support enables the machine to act as a full-fledged SIP server all by itself, so an additional one is not required on the network to process incoming SIP requests, and the machine can handle all DNS issues internally.

We verified the Ingate’s SIP server capabilities by setting up a quick SIP network using a Versatel media gateway and several standard analog phones on the Ingate side, and a Zultys SIP PBX with Cisco handsets on the other. Configuration of our side took only 15 minutes and we were talking without hiccups soon after.

Ingate’s problem with voice isn’t related to technology but to pricing. Most competitors allow admins to treat voice protocols the same as any other network traffic, simply adding features such as NAT traversal to speed performance and specific security features as exploits are found. Ingate, however, has two licenses for every SIP user.
The first is a standard SIP license, required only if you elect to use the bundled SIP server. But the second is a traversal license, required of every VoIP user regardless of whether you’re using Ingate’s SIP registrar or not. So Ingate may add significant ease of deployment to SIP installations, but most customers will take the perspective that they must pay extra for it.

With excellent SIP support established, the question of the Ingate’s firewall capabilities remains. Bottom line: They’re all there, but you’ll need to pay extra for some of them. You’ll find full support for standard packet filtering, with the ability to add time variables to specific rules, allowing you to limit the amount of outside traffic coming into the network at specific times or intervals. The proxy supports both TCP and UDP, with an application-level gateway for FTP traffic. Not bad for a midrange box, but some more specific application-level filtering would be nice.

On a more advanced note, the 1400 has optional support for QoS, a standard feature on the SonicWall. The QoS module not only allows admins to specify service levels for varying types of inbound traffic; it enables them to apply those levels to users or destinations on the network. And you’ve got the ability to tag that traffic for hops onto subsequent third-party infrastructure.

Although we reluctantly support Ingate’s decision to make the QoS module optional, we aren’t so happy with the decision to make its VPN functionality optional. This is a standard part of most midrange firewall packages. The VPN performance on our Spirent TeraVPN tests was average for hardware of this caliber. The Ingate 1400 handled everything we threw at it, including adequate speeds across both basic and advanced VPN setup and teardown performance.
Although its speed numbers wouldn’t pose a problem in the real world, it was still significantly slower than the SonicWall in these tests.

The Ingate 1400 offers a well-rounded firewall feature set with mediocre VPN performance, made exceptional by its support for QoS as well as its strong support for SIP-based VoIP. Especially for midsize businesses looking to implement a low-cost VoIP solution, the Ingate 1400’s embedded SIP server represents an excellent solution, though it does carry a corresponding price tag. The SonicWall, meanwhile, is not as SIP-capable as the Ingate, but it has much broader appeal, with enough support to satisfy SIP or H.323 VoIP users who have already made VoIP PBX or server investments.

InfoWorld Scorecard

Category (weight)        Ingate Firewall 1400   SonicWall Pro 2040
Security (25.0%)         8.0                    8.0
Scalability (15.0%)      8.0                    8.0
Management (25.0%)       7.0                    9.0
Performance (15.0%)      7.0                    8.0
Value (10.0%)            7.0                    9.0
Configuration (10.0%)    7.0                    8.0
Overall Score (100%)     7.4                    8.4