© 2010 Polycom, Inc. All rights reserved. POLYCOM®, the Polycom “Triangles” logo and the names and marks associated with Polycom’s products are trademarks and/or service marks of Polycom, Inc. and are registered and/or common law marks in the United States and various other countries. All other trademarks are property of their respective owners. No portion hereof may be reproduced or transmitted in any form or by any means for any purpose other than the recipient’s personal use without the express written permission of Polycom.
Deploying SpectraLink e340, h340 and i640 Wireless Telephones
BEST PRACTICES GUIDE
October 2010
5.5 Firewalls and Traffic Filtering
The traffic filtering capabilities of firewalls, Ethernet switches and wireless controllers can be used as an
additional security layer if they are configured to allow only specific types of traffic into specific areas of the LAN.
To build such an access control list correctly, it is necessary to understand the IP traffic the SpectraLink handsets
generate.
When SpectraLink Telephony Gateways are used to interface to a traditional PBX, or an SVP Server is used in an IP PBX
implementation, the handset communicates with the gateway or SVP Server using the SpectraLink Radio Protocol (SRP),
which is IP protocol number 119. This is not a TCP or UDP port: a filter that only matches TCP and UDP will silently
drop it, so the protocol number itself must be permitted between the handsets and the SVP Server or gateways.
While the SpectraLink handset will generally work through a firewall if the appropriate ports and protocols are opened,
Polycom does not recommend placing a firewall between the SVP Server and the handsets. The inspection and the extra
routing hops add delay and jitter, which can prevent on-time delivery of audio packets to the wireless telephone: the
handset requires less than one millisecond of jitter on the path from the SVP Server to the handset, and this is difficult
to achieve when there are multiple hops between them. ICMP redirects are also not supported, because of the large delay
that results when the network gateway of the SVP Server or of the handsets is changed dynamically.
For an IP telephony server interface, the ports used depend on the IP telephony protocol of the telephony switch
interface. The SpectraLink Wireless Telephones, Telephony Gateways and SVP Server also use TCP, UDP and other common
IP protocols from time to time, including DHCP, DNS, WINS, TFTP, FTP, NTP, Telnet, ARP and ICMP. Telnet, FTP and TFTP
carry credentials and configuration in cleartext, so restrict them to the management hosts that need them rather than
opening them to the whole voice VLAN. Polycom uses proprietary UDP channels between the infrastructure components on
UDP ports 5454 through 5458. The push-to-talk (PTT) mode of the SpectraLink i640 Wireless Telephone uses the multicast
address 224.0.1.116, which the other handset models and the SpectraLink infrastructure components also use to locate and
maintain contact with each other, so multicast to this group must be permitted on the voice network. RTP media between
the SVP Server and the call server uses UDP ports 16384 through 32767; the specific port is chosen by the phone and the
call server at call setup, so a static filter must permit the whole range rather than a single port.
5.6 Virtual Private Networks (VPNs)
Virtual Private Networks (VPNs) are secure, private network connections. VPNs typically combine strong encryption,
digital certificates, strong user authentication and access control to protect the traffic they carry, and usually
provide connectivity to many devices through a VPN concentrator. The network can be divided into two portions, protected
and unprotected:
1) The area behind the VPN server is referred to as the “protected” portion of the network. Sensitive, private
network equipment such as file servers, e-mail servers and databases resides in this portion.
2) The area in front of the VPN server is referred to as the “unprotected” network, where the wireless APs and less
sensitive network equipment often reside.
VPNs are an effective method for securing a wireless network. Many network administrators protect the integrity of
their WLANs by requiring wireless users who need access to the protected portion of the network to connect through a
VPN server, so that a compromised or rogue wireless client cannot reach the network core directly.
Most voice devices, such as the SpectraLink Wireless Telephones, do not require access to the protected portion of
the network (see Figure 8). Placing the handsets, SVP Server(s) and Telephony Gateways on the unprotected network, and
requiring data users to connect through the VPN, keeps the network core protected against attackers seeking access to
sensitive information. The handsets then need only the filtered voice traffic described in section 5.5 and should have
no path into the protected portion at all.
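The following is an added example, not code from the guide or from Polycom: it models the voice allow list from section 5.5 (SRP as IP protocol 119, the UDP 5454-5458 infrastructure channels, RTP on UDP 16384-32767, the 224.0.1.116 multicast group, and cleartext management protocols limited to admin hosts) together with the protected/unprotected split from section 5.6, where the handset zone has no rule into the protected zone. The zone names and IP ranges are assumptions chosen for illustration; the policy can be checked flow by flow before deployment and rendered as iptables lines for a filtering router.

```python
# Added example: allow-list model for SpectraLink voice traffic. Not Polycom's code.
# Zone names and addresses below are assumptions; protocols, ports and the
# multicast group come from sections 5.5 and 5.6 of the guide.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed zones (assumed addressing; replace with the real VLAN plan).
ZONES = {
    "handsets":   ipaddress.ip_network("10.10.0.0/16"),    # wireless voice VLAN, unprotected side
    "svp":        ipaddress.ip_network("10.20.0.0/24"),    # SVP Server(s) and Telephony Gateways
    "callserver": ipaddress.ip_network("10.30.0.0/24"),    # IP PBX / call server
    "mgmt":       ipaddress.ip_network("10.40.0.0/24"),    # admin hosts allowed Telnet/FTP/TFTP
    "protected":  ipaddress.ip_network("10.100.0.0/16"),   # file/mail/db servers behind the VPN
    "ptt":        ipaddress.ip_network("224.0.1.116/32"),  # PTT and component discovery multicast group
}


@dataclass(frozen=True)
class Rule:
    src: str            # source zone name
    dst: str            # destination zone name
    proto: str          # "tcp", "udp", "icmp", or an IP protocol number as a string
    ports: tuple = ()   # inclusive destination port range (low, high); empty means any port


# The allow list. Any flow not matched here is dropped (default deny).
RULES = [
    Rule("handsets", "svp", "119"),                     # SpectraLink Radio Protocol, IP protocol 119
    Rule("svp", "handsets", "119"),
    Rule("svp", "svp", "udp", (5454, 5458)),            # proprietary channels between infrastructure
    Rule("svp", "callserver", "udp", (16384, 32767)),   # RTP; port chosen at call setup, so whole range
    Rule("callserver", "svp", "udp", (16384, 32767)),
    Rule("handsets", "ptt", "udp"),                     # PTT and discovery multicast
    Rule("svp", "ptt", "udp"),
    Rule("handsets", "svp", "udp", (69, 69)),           # TFTP download (assumed direction)
    Rule("mgmt", "svp", "tcp", (23, 23)),               # Telnet: cleartext, admin hosts only
    Rule("mgmt", "svp", "tcp", (21, 21)),               # FTP: cleartext, admin hosts only
    Rule("mgmt", "svp", "icmp"),                        # ping for troubleshooting
]


def zone_of(ip: str) -> Optional[str]:
    """Return the zone an address belongs to, or None if it is in no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: Optional[int] = None) -> bool:
    """Evaluate one flow against the allow list; unknown address space never matches."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False
    for r in RULES:
        if (r.src, r.dst, r.proto) != (src, dst, proto):
            continue
        if not r.ports:                       # protocol-level rule (SRP, ICMP, multicast)
            return True
        if dport is not None and r.ports[0] <= dport <= r.ports[1]:
            return True
    return False


def to_iptables(chain: str = "VOICE") -> List[str]:
    """Render the allow list as iptables rule lines, ending in an explicit DROP."""
    lines = []
    for r in RULES:
        spec = f"-s {ZONES[r.src]} -d {ZONES[r.dst]} -p {r.proto}"
        if r.ports:
            spec += f" --dport {r.ports[0]}:{r.ports[1]}"
        lines.append(f"-A {chain} {spec} -j ACCEPT")
    lines.append(f"-A {chain} -j DROP")       # default deny
    return lines


if __name__ == "__main__":
    for line in to_iptables():
        print(line)
    # A handset trying to reach the protected core is dropped: no rule leads there.
    print(is_allowed("10.10.5.7", "10.100.1.1", "tcp", 445))
```

Two points the model makes visible: the SRP rule carries no port because it is a distinct IP protocol, so a TCP/UDP-only filter would never match it; and the RTP rule has to open the full 16384-32767 range because the port is negotiated at call setup. Telnet, FTP and TFTP are deliberately sourced from the management zone only, since a handset VLAN that can reach cleartext management services on the SVP Server is a larger exposure than the voice traffic itself.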