The next generation broadband networks are interconnected and include elements from traditional PSTN, mobile and IP Telephony in addition to pure data. A mechanical transfer of the Class IV voice switch functionality onto IP Telephony Softswitches is sub-optimal. Hosted Softswitch takes full advantage of the features specific to IP Telephony protocols.
HostedSwitch® enables carriers to provision in the most secure manner thousands of VoIP gateways / gatekeepers independent of their manufacturer (including Cisco / Vocaltec / Clarent / Quintum). Additionally, the session controlling functionality of HostedSwitch® enables connected companies to obtain Call Detail Records and other data in real time.
A typical IP Telephony call consists of two logical parts: call control and voice streams. H.323 or SIP protocols govern call control while RTP/RTCP carries the voice. HostedSwitch® transmits only H.323 and SIP call signaling. The originating and terminating gateways establish a direct voice path bypassing VoIP SoftSwitch that opens (closes) the session once one of the gateways declares the beginning (end) of the call.
HostedSwitch® reaches additional flexibility in managing voice streams by modifying Protocol Signaling Units sent between the gateways. That allows companies connected to HostedSwitch® to interoperate gateways otherwise not operable because of inconsistent implementation of H.323 and/or SIP by different manufacturers.
 |
| Figure 1. HostedSwitch® Signaling |
Carriers using IP Telephony face more stringent security requirements than enterprises or calling card operators due to a much larger number of VoIP gateways/gatekeepers they have to manage. HostedSwitch® provides an elegant solution that greatly facilitates the process of secure provisioning.
SoftSwitch Instance receives a static IP address. The terminating gateway receives the control signaling (TCP) only from that address, unique to each carrier. Thus, the key security requirement for any Firewall Policy is to deny TCP (ports 1720 and 5060) to/from all external hosts except Softswitch.
The Recommended Firewall Policy is to Permit UDP (ports higher than 1024, except 5060) to/from ANY IP addresses. As a result the voice traffic (UDP) can come from the call-initiating gateway with virtually any IP address, as long as HostedSwitch® authorizes that particular call. This way you will ensure that all VoIP traffic authorized by HostedSwitch® will land at your gateway.
A Dated Firewall Policy is to permit UDP (ports higher than 1024, except 5060) ONLY to/from SPECIFIC IP addresses. This policy has a significant overhead in terms of time, costs, and security risks as the result of human errors appearing in the process of maintaining the list of trusted gateways.
Both policies have the same class of the security when it comes to VoIP calls. It may seem insecure to allow the UDP traffic from the Internet to penetrate the firewall, but in the case of H.323 calls, voice traffic over UDP will not start until the control part of a call is completed over TCP. Therefore, it is sufficient to block the TCP stream in order to prevent unauthorized traffic from being sent to/from your gateways.
 |
| Figure 2. Using a firewall to block unauthorized traffic |
Discover how easy it can be to route millions of VoIP minutes