Use Video and Voice-Aware Firewalls at Gateways
Ensure firewalls and proxies can handle video and voice data for secure conferencing and calls.
Plain language
This control ensures that the systems we use to protect our internet communication, like firewalls and proxies, are capable of handling video and voice data. This is important because if these systems can't efficiently manage such data, our video calls or online meetings might be insecure. Hackers could eavesdrop on these conversations or cause disruptions, leading to a breach of sensitive information.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for communications systemsOfficial control statement
When video conferencing or IP telephony traffic passes through a gateway containing a firewall or proxy, a video-aware or voice-aware firewall or proxy is used.
Why it matters
Without video/voice-aware firewalls at gateways, SIP/RTP may bypass inspection, enabling eavesdropping or call disruption during sensitive communications.
Operational notes
Confirm gateways use SIP/RTP-aware firewall/proxy functions; regularly test traversal/inspection and keep rules/signatures current for voice/video traffic.
Implementation tips
- IT Team should review existing firewall settings: They need to check if the current firewalls are configured to handle video and voice data. This involves consulting the user manual or vendor documentation to ensure those capabilities are enabled.
- Procurement should source video and voice-aware solutions: When purchasing firewalls or proxies, they should specify that they need to support video and voice protocols. This means including those requirements in vendor contracts.
- System Owners should test video and voice traffic: Collaborate with the IT team to conduct a test run of video conferences and voice calls through the firewall to confirm they are properly handled without dropping data or losing quality.
- IT Team should update software regularly: They need to ensure the firewall and proxy software is up-to-date to support the latest data processing techniques, doing this by scheduling regular maintenance checks and updates.
- Managers should provide staff training: Organise training sessions to educate staff on the importance of secure video and voice communication. This helps them understand why these controls are in place and how to use them effectively.
Audit / evidence tips
-
Aska configuration report from the firewall: Request documentation showing the firewall settings related to video and voice data handling
Gooda report that indicates settings are configured as per vendor recommendations for handling this data type
-
Aska procurement specification document: Request the document outlining the requirements for new firewall and proxy equipment
Goodclear criteria that any new purchase must support video and voice protocols
-
Aska test log of video and voice traffic handling: Request records of any tests conducted to verify that video and voice traffic is properly managed
Gooddocumented test procedures and results indicating successful management of video and voice traffic
-
Askthe software update log: Request a record of software update activities for firewall and proxy systems
Gooda detailed log showing recent and frequent updates with descriptions including relevant improvements
-
Asktraining session records: Request evidence of training sessions conducted for staff regarding video and voice security measures
Gooddetailed records showing comprehensive training on secure management of video and voice data
Cross-framework mappings
How ISM-0546 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
No cross-framework mappings recorded yet.