The cornerstone of a viable zero trust solution is that it must be able to successfully handle the wide variety of applications, both legacy and modern, that are being used within corporations today. While that statement seems obvious, it can be used to quickly differentiate between a comprehensive Security Service Edge solution and an offering that was rushed to market.
Starting from Zero Trust
Broad application support is critically important when trying to provide zero trust without compromises. Unfortunately, some vendors didn’t plan, design, or implement their solution to make this possible. Vendors that take shortcuts, or simply did not want to tackle difficult problems, end up leaving customers with huge security gaps in their zero trust implementations. Regrettably, there are many examples of how companies suffer when vendors take ill-advised shortcuts. I prefer to call such a product an offering rather than a solution, because it is not really solving much of a problem. The only options it leaves you with are to ignore the traffic entirely, sending it in the clear, or to continue using legacy VPNs.
Fortunately, not all offerings are created equal. From the start, the Banyan Security Service Edge (SSE) solution was designed to make sure we support and secure all applications. This includes VOIP, sometimes called IP telephony, which is a technology used over the past two decades by practically every company around the world regardless of size, location, or vertical industry.
How SSE and VOIP work together
Let’s dive in a little deeper to learn about VOIP and what a true SSE provider needs to consider when saying they secure all applications from anywhere.
VOIP software has two main flows: 1) session initiation using the TCP-based SIP protocol, and 2) media transport using the UDP-based RTP protocol. A number of additional protocols and variations may need to be supported as well, depending on the features enabled and the devices used.
A ZTNA provider must support all of the required protocols, typically through some form of tunneling, so that all types of calls work and all the related phone features, such as multi-person conferencing, directory lookup, and voicemail, keep working.
Hidden VOIP Requirements You Should Know About
Often, a VOIP solution will have additional undocumented requirements, e.g., a dependence on reverse DNS or Reverse WINS. Some IP telephony devices, such as Cisco IP Phones, use DHCP option 150 and DHCP option 66 to push basic configurations, which then fetch full configuration files, background images, and other files from a TFTP server. Failure to meet these requirements typically leads to mysterious failures with unhelpful error messages.
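The DHCP dependency above is easy to verify on the wire: option 66 carries a TFTP server name and option 150 carries one or more IPv4 addresses of TFTP servers, and a phone that cannot reach whatever they point to boots with unhelpful errors. The following is an added example, not code from the original post or from Banyan; it parses the option block of a DHCP message (RFC 2131 fixed header, magic cookie, then type/length/value options), extracts the TFTP servers the phone will contact, and flags any that are not on an approved list. The packet contents, the server names, and the addresses are constructed sample values.

```python
import ipaddress
import struct
from typing import Dict, List

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE = 53           # 1 = DISCOVER, 2 = OFFER, ...
OPT_TFTP_SERVER_NAME = 66   # string
OPT_TFTP_SERVER_ADDR = 150  # list of IPv4 addresses (used by Cisco IP phones)


def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Return {option_code: value} for every option in a DHCP packet.

    The fixed header is 236 bytes, followed by the 4-byte magic cookie and
    then TLV-encoded options terminated by code 255. Repeated options are
    concatenated (RFC 3396), and truncated options raise instead of being
    silently ignored.
    """
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def tftp_servers(packet: bytes) -> List[str]:
    """TFTP servers the phone will fetch its configuration from (option 150 first, then 66)."""
    opts = parse_dhcp_options(packet)
    servers: List[str] = []
    raw = opts.get(OPT_TFTP_SERVER_ADDR, b"")
    if len(raw) % 4:
        raise ValueError("option 150 length is not a multiple of 4")
    for off in range(0, len(raw), 4):
        servers.append(str(ipaddress.IPv4Address(raw[off : off + 4])))
    if OPT_TFTP_SERVER_NAME in opts:
        servers.append(opts[OPT_TFTP_SERVER_NAME].decode("ascii", errors="replace"))
    return servers


def unapproved_tftp_servers(packet: bytes, approved: List[str]) -> List[str]:
    """Servers advertised by DHCP that are not on the approved list: these are
    the ones a policy or tunnel will block, or worse, the ones a phone should
    never have been told to trust."""
    return [s for s in tftp_servers(packet) if s not in approved]


def build_sample_offer() -> bytes:
    """Constructed DHCPOFFER for the example (not a capture from a real network)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                     # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0
        0x3903F326, 0, 0,               # xid, secs, flags
        bytes(4),                                             # ciaddr
        ipaddress.IPv4Address("10.20.30.40").packed,          # yiaddr (offered address)
        ipaddress.IPv4Address("10.20.30.1").packed,           # siaddr
        bytes(4),                                             # giaddr
        bytes.fromhex("001122334455") + bytes(10),            # chaddr (padded to 16)
        b"", b"",                                             # sname, file
    )
    name = b"tftp-phones.corp.example"
    addrs = (ipaddress.IPv4Address("10.50.0.10").packed
             + ipaddress.IPv4Address("10.50.0.11").packed)
    options = (bytes([OPT_MSG_TYPE, 1, 2])
               + bytes([OPT_TFTP_SERVER_NAME, len(name)]) + name
               + bytes([OPT_TFTP_SERVER_ADDR, len(addrs)]) + addrs
               + bytes([OPT_END]))
    return header + DHCP_MAGIC_COOKIE + options


if __name__ == "__main__":
    offer = build_sample_offer()
    print("advertised TFTP servers:", tftp_servers(offer))
    print("not approved:", unapproved_tftp_servers(offer, ["10.50.0.10", "tftp-phones.corp.example"]))
```

Run against a capture from the phone VLAN (or from the tunnel endpoint), the list of advertised servers is exactly the set of TFTP destinations the ZTNA policy has to permit; anything outside the approved list is either a configuration drift that will produce the "mysterious failures" above or an address no phone should be fetching configuration from.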
While most modern applications perform correctly from behind Network Address Translation (NAT) firewalls (such as home routers), VOIP may not work correctly. Additional infrastructure such as Traversal Using Relays around NAT (TURN) servers must be deployed and configured in these scenarios. Support for incoming calls can be especially troublesome, because source NAT is incompatible with server-initiated traffic.
The Banyan Security Service Edge (SSE) contains a ZTNA solution that supports VOIP for remote users. The solution combines fast, lightweight service tunnels with least-privilege Layer-4 network policies and DNS control, along with the optional ability to avoid requiring source NAT. This allows ZTNA administrators to securely enable fully functioning unified communications solutions using physical or virtual call platforms.
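To make the combination of least-privilege Layer-4 policy and the source NAT caveat concrete, here is an added example written for this post; it is not Banyan's policy engine or any vendor's code. It models a small rule set for the flows described above (SIP signaling, an RTP media range, TFTP for phone configuration, DNS) and evaluates constructed flow records against it. The tunnel pool 100.64.0.0/16, the service network 10.50.0.0/24, the resolver address, and the RTP range 16384-32767 are all assumptions about a hypothetical deployment; the RTP range in particular must match what the call platform actually negotiates in SDP, otherwise media is denied while signaling succeeds.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str                      # "tcp" or "udp"
    service_net: IPv4Network        # where the VOIP service lives
    ports: range                    # permitted destination ports
    allow_service_initiated: bool = False  # service may open a flow toward the user (incoming calls)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: IPv4Address
    dst: IPv4Address
    dst_port: int
    initiated_by: str               # "user" or "service"


# Hypothetical tunnel address pool handed to remote users.
USER_NET = ip_network("100.64.0.0/16")

# Least-privilege rule set: only the VOIP-related ports, only toward the call platform.
VOIP_RULES: List[Rule] = [
    Rule("sip-signaling", "tcp", ip_network("10.50.0.0/24"), range(5060, 5062), allow_service_initiated=True),
    Rule("rtp-media", "udp", ip_network("10.50.0.0/24"), range(16384, 32768), allow_service_initiated=True),
    Rule("tftp-config", "udp", ip_network("10.50.0.0/24"), range(69, 70)),
    Rule("dns", "udp", ip_network("10.50.1.53/32"), range(53, 54)),
]


def evaluate(flow: Flow, rules: List[Rule], source_nat: bool) -> Optional[str]:
    """Return the name of the first matching rule, or None if the flow is denied.

    User-initiated flows match on destination service network and port.
    Service-initiated flows (the PBX calling the phone) are only reachable when
    user addresses are routable, i.e. when the tunnel does not source NAT them:
    behind source NAT there is no existing mapping for the service to use.
    For simplicity the same port range is applied to the user-side port.
    """
    for rule in rules:
        if rule.proto != flow.proto or flow.dst_port not in rule.ports:
            continue
        if flow.initiated_by == "user" and flow.src in USER_NET and flow.dst in rule.service_net:
            return rule.name
        if (flow.initiated_by == "service" and flow.src in rule.service_net
                and flow.dst in USER_NET and rule.allow_service_initiated and not source_nat):
            return rule.name
    return None


def audit(flows: List[Tuple[str, Flow]], rules: List[Rule], source_nat: bool) -> List[Tuple[str, Optional[str]]]:
    """Evaluate labelled flows and return (label, decision) pairs for review."""
    return [(label, evaluate(flow, rules, source_nat)) for label, flow in flows]


# Constructed sample flows for a remote phone at 100.64.7.21 talking to a PBX at 10.50.0.10.
PHONE, PBX, RESOLVER = ip_address("100.64.7.21"), ip_address("10.50.0.10"), ip_address("10.50.1.53")
SAMPLE_FLOWS: List[Tuple[str, Flow]] = [
    ("register/invite", Flow("tcp", PHONE, PBX, 5060, "user")),
    ("outgoing media", Flow("udp", PHONE, PBX, 20000, "user")),
    ("config fetch", Flow("udp", PHONE, PBX, 69, "user")),
    ("name lookup", Flow("udp", PHONE, RESOLVER, 53, "user")),
    ("file share probe", Flow("tcp", PHONE, PBX, 445, "user")),        # not a VOIP port: denied
    ("media outside range", Flow("udp", PHONE, PBX, 40000, "user")),    # misconfigured RTP range: denied
    ("incoming call", Flow("tcp", PBX, PHONE, 5060, "service")),        # depends on source NAT
]


if __name__ == "__main__":
    for nat in (False, True):
        print(f"source NAT: {nat}")
        for label, decision in audit(SAMPLE_FLOWS, VOIP_RULES, nat):
            print(f"  {label:22s} -> {decision or 'DENY'}")
```

The two runs differ in exactly one line: with source NAT enabled the incoming call is denied even though the rule permits it, which is the incompatibility the previous paragraph describes. The "media outside range" entry shows the other common failure mode, where signaling is allowed but media is silently dropped because the policy's RTP range does not match the platform's.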
While we’ve detailed VOIP above, the same care and awareness goes into making sure our broad application support allows you to conduct business using the tools, equipment, and applications that your employees are comfortable and productive with. Our architecture allows you to easily enable, gain visibility of, and control access to applications and protocols while ensuring that your organization’s compliance and access needs are met.