Lucent Technologies says it has fixed one of the most serious security flaws tied to SIP and other dynamic protocols used to deliver advanced IP services like VoIP.
This week, the company released the newest additions to the VPN Firewall portfolio in the form of the VPN Firewall Brick 700 and Brick 1200. The line features a technology called Dynamic Pinholing designed to shut down non-essential ports during IP sessions.
IP service providers and large enterprise networks have long had to contend with the fact that SIP, FTP, Telnet and other dynamic protocols require the use of multiple ports to deliver associated data during a session. When the data transfer is completed, the port is often left open, allowing hackers to conduct a random port scan to gain access to secure networks.
“With Dynamic Pinholing, it opens only one direct connection and shuts it down after the transaction is completed,” said Joe Raccuglia, general manager of the VPN Firewall line at Lucent’s Bell Labs, during an interview with TMCnet. “And those ports are only going to be opened during sessions, so only the connection pairs are allowed to pass through there.”
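The behaviour Raccuglia describes is a stateful application-layer filter: the firewall reads the control channel, learns which address pair the data stream will use, opens a pinhole for exactly that pair, and closes it when the session ends. The following is an added illustration of that idea, not Lucent code and not a description of how the Brick implements it. It models the SIP/SDP case only (the same pattern applies to FTP's PORT/PASV exchange), and the SIP messages, addresses and Call-ID value are constructed for the example.

```python
"""Toy model of dynamic pinholing for a SIP call (illustrative, not Lucent code).

Media packets are forwarded only if a pinhole exists for that exact address
pair. The pinhole is learned from the SDP of the INVITE and its 200 OK and is
removed as soon as a BYE is seen, so no port stays open after the session.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


def parse_sip(msg: str) -> tuple[str, str, Optional[Endpoint]]:
    """Return (method-or-status, Call-ID, media endpoint) from a SIP message.

    Only the fields the pinhole logic needs are parsed: the start line, the
    Call-ID header, and the c= / m=audio lines of an SDP body if present.
    """
    head, _, body = msg.partition("\r\n\r\n")
    start = head.split("\r\n", 1)[0]
    kind = start.split()[1] if start.startswith("SIP/2.0") else start.split()[0]
    cid = re.search(r"^Call-ID:\s*(\S+)", head, re.M | re.I)
    call_id = cid.group(1) if cid else ""
    c = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    m = re.search(r"^m=audio (\d+)", body, re.M)
    media = Endpoint(c.group(1), int(m.group(1))) if c and m else None
    return kind, call_id, media


class PinholeFirewall:
    """Stateful filter that opens media ports only for negotiated pairs."""

    def __init__(self) -> None:
        self._offers: dict[str, Endpoint] = {}                  # Call-ID -> caller media
        self._pinholes: dict[str, tuple[Endpoint, Endpoint]] = {}

    def on_signaling(self, msg: str) -> None:
        kind, call_id, media = parse_sip(msg)
        if kind == "INVITE" and media:
            self._offers[call_id] = media                       # remember the offer
        elif kind == "200" and media and call_id in self._offers:
            # Both ends of the stream are now known: open one pinhole for
            # exactly this address pair, nothing wider.
            self._pinholes[call_id] = (self._offers.pop(call_id), media)
        elif kind == "BYE":
            self._pinholes.pop(call_id, None)                   # close when the call ends
            self._offers.pop(call_id, None)

    def allows(self, src: Endpoint, dst: Endpoint) -> bool:
        """True only if src<->dst is a negotiated pair (either direction)."""
        return any({src, dst} == {a, b} for a, b in self._pinholes.values())

    def open_pinholes(self) -> int:
        return len(self._pinholes)


def sip_message(start: str, call_id: str, media: Optional[Endpoint] = None) -> str:
    """Build a minimal constructed SIP message, with an SDP body if media is given."""
    headers = f"{start}\r\nCall-ID: {call_id}\r\n"
    if media is None:
        return headers + "\r\n"
    sdp = f"v=0\r\nc=IN IP4 {media.ip}\r\nm=audio {media.port} RTP/AVP 0\r\n"
    return headers + f"Content-Type: application/sdp\r\n\r\n{sdp}"


# Constructed sample endpoints (documentation/private address ranges).
CALLER = Endpoint("10.0.0.5", 49170)        # inside phone
CALLEE = Endpoint("198.51.100.7", 3456)     # outside peer named in the 200 OK
STRAY = Endpoint("203.0.113.9", 40000)      # unrelated host aiming at the same port


def demo() -> dict[str, object]:
    """Walk one call through the filter and report what was allowed."""
    fw = PinholeFirewall()
    call = "a84b4c76e66710@10.0.0.5"        # constructed Call-ID
    before = fw.allows(CALLEE, CALLER)      # no session yet: closed
    fw.on_signaling(sip_message("INVITE sip:bob@example.com SIP/2.0", call, CALLER))
    fw.on_signaling(sip_message("SIP/2.0 200 OK", call, CALLEE))
    during = fw.allows(CALLEE, CALLER)      # negotiated pair: open
    stray = fw.allows(STRAY, CALLER)        # same inside port, wrong peer: closed
    fw.on_signaling(sip_message("BYE sip:bob@example.com SIP/2.0", call))
    after = fw.allows(CALLEE, CALLER)       # closed again once the call ends
    return {"before": before, "during": during, "stray": stray,
            "after": after, "open": fw.open_pinholes()}


if __name__ == "__main__":
    print(demo())  # {'before': False, 'during': True, 'stray': False, 'after': False, 'open': 0}
```

The contrast worth noticing is the `stray` check: a static rule that simply permitted the RTP port range would pass that packet, whereas a pinhole keyed on the full address pair does not, and the pinhole disappears with the BYE rather than lingering for a scanner to find.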
In addition to heightened security, the new Brick systems offer high-performance packet handling, advanced system failover for voice and data continuity, hardware-based IPSec VPN acceleration and best-in-class benchmarking. Lucent also set them at lower price points than comparable devices, with the hopes that they will see greater penetration of the medium-sized network market.
The firewall products are tied to a new version of the Lucent Security Management Server that provides a means to centralize network management, even for global networks.
The systems use a technique called Rules Based Routing that directs traffic, based on the protocol it employs, to a range of third-party security appliances performing such tasks as anti-virus scanning, spam filtering, URL blocking and the like. Not only does it open Lucent-based network technology to more third-party devices, but it also provides for traffic segmentation across security zones and frees network components from unnecessary processing loads.
Raccuglia said the system was originally designed at Bell Labs in the late 1990s as a highly secure fast packet processing engine. The latest version, 9.1, integrates all security functions directly, greatly improving system impenetrability.
“Our system is architected a little different than most,” he said. “We designed it with a central management platform that controls all Bricks directly, even in global networks. Many others manage their infrastructure with appliances, so anyone can Telnet in and manage that box. Our centralized management is highly secure because it operates on a per-connection basis.”
The Brick 700 supports 1.7 Gbps connectivity and built-in encryption accelerator cards that provide 425 Mbps 3DES (Triple Data Encryption Standard) and 350 Mbps AES (Advanced Encryption Standard) VPN performance. It offers 10/100/1000 Ethernet ports and up to 7,500 simultaneous VPN tunnels, 4,094 VLANs, 350 virtual firewalls and 1 million simultaneous sessions.
The Brick 1200 offers up to 4.5 Gbps performance, plus 1.7 Gbps 3DES and AES VPN performance with the accelerator card. In addition to the Ethernet ports found on the 700, the 1200 offers six mini-GBIC SFP Gigabit ports and supports 20,000 VPN tunnels, 4,094 VLANs, 1,100 virtual firewalls and 3 million simultaneous sessions.
Session Initiation Protocol (SIP) is arguably the single most important technological development for VoIP since the proliferation of Internet Protocol itself. See what all the buzz is about at the SIP Workshop taking place at INTERNET TELEPHONY Conference & Expo, WEST, which runs October 10-13, 2006, in San Diego.
Arthur Cole is a freelance writer specializing in high-tech information and communications.