Solved

What is a SIP aware Firewall and Application Level Gateway and how does it solve RTP firewall Problem

Posted on 2014-12-05
383 Views
Last Modified: 2014-12-15
Hi,
I want to understand how a SIP aware firewall/ALG solves the problem of transferring RTP data to a client behind a firewall?

Thanks
Question by:Rohit Bajaj
5 Comments
LVL 59

Accepted Solution

by:
Cliff Galiher earned 1000 total points
ID: 40482591
SIP is an open standards communications protocol. It is often used in conjunction with RTP. A firewall needs to be able to understand SIP messages to properly perform NAT and to open dynamic RTP ports as necessary. Otherwise SIP applications that need to traverse the firewall will fail.
LVL 20

Assisted Solution

by:José Méndez
José Méndez earned 1000 total points
ID: 40482922
As Cliff points out, a SIP aware firewall knows how to handle SIP packets in a special way, but not only that, it also fixes information at layer 5. Imagine that with NAT, a firewall must read each packet that is going out to the Internet, and rewrite the source address with a public address instead of a private address. This is fixing the packet at layer 3.

SIP being a layer 5 protocol sits on top of layer 3. So even though the packet has a source address which is routable in the public networks (Internet), the SIP signaling probably still contains some private IP addresses which are going to cause the SIP dialog to fail in one way or another. Here is an example of how an INVITE could be manufactured by a device inside an internal private network:

INVITE sip:14107154522807@8.8.8.8:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.250.250:5060;branch=z9hG4bK98e4117d52a6
From: "Solihull" <sip:01214248526@10.105.80.114>;tag=25526~ffa80926-5fac-4dd6-b405-2dbbc56ae9a2-551664735
To: <sip:14107584528207@10.105.80.174>
Date: Mon, 02 Apr 2012 18:12:31 GMT
Call-ID: 68781700-f791ec0f-2d26-e28690a@10.105.80.114
Supported: timer,resource-priority,replaces
Min-SE: 1800
User-Agent: Cisco-CUCM8.6
Allow: INVITE, OPTIONS, INFO, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY
CSeq: 101 INVITE
Expires: 180
Allow-Events: presence, kpml
Supported: X-cisco-srtp-fallback
Supported: Geolocation
Call-Info: <sip:192.168.250.250:5060>;method="NOTIFY;Event=telephone-event;Duration=500"
Cisco-Guid: 1752700672-0000065536-0000007823-0237529354
Session-Expires: 84600
Contact: <sip:01214248526@192.168.250.250:5060>
Max-Forwards: 70
Content-Length: 0
Content-Type: application/sdp
Content-Length: 238
v=0
o=CiscoSystemsCCM-SIP 811669 1 IN IP4 10.105.40.14
s=SIP Call
c=IN IP4 192.168.250.250

See how the first line is targeting a public address 8.8.8.8?

INVITE sip:14107154522807@8.8.8.8:5060 SIP/2.0

That line is good, nothing to worry about. However the device is advertising its private address 192.168.250.250 in several other lines, for example:

c=IN IP4 192.168.250.250

This is an indicator of a call failure, either establishing the call altogether, or at least the audio part will be broken (one way audio or even dead air). A SIP aware firewall takes this line:

c=IN IP4 192.168.250.250

and transforms it to something like this:

c=IN IP4 9.9.9.9

Supposing 9.9.9.9 is the public IP address the firewall handles.

Hope that helps.
Author Comment

by:Rohit Bajaj
ID: 40486781
Hi
I understood what you mentioned above. Just want to clarify one thing.
How does one identify if the fix is at layer 5 or layer 3? Also I read that SIP is an application level protocol. Please help me also in identifying the difference between a network layer and a session layer.
Thanks
LVL 59

Expert Comment

by:Cliff Galiher
ID: 40486883
Entire books have been written on the OSI model. And the application layer is layer 7, not 5 *or* 3.  As far as identifying session layer or network layer, generally the network layer is IPv4 or IPv6 in most networks. That's it. No TCP. No UDP. No GRE. Just IP. A layer-3 only device can see an IP packet and understand the source and destination address and that's about it. You see some layer-3 switches, but most firewalls and routers understand *at least* layer-4, if not higher. After all, to do their job, they usually have to have a basic concept of a TCP packet vs a UDP packet, and if they are performing NAT, be able to map sessions (which is itself higher than layer 3.)

-Cliff
LVL 20

Expert Comment

by:José Méndez
ID: 40487981
Yup, I got it wrong, it's layer 7:

http://en.wikipedia.org/wiki/List_of_network_protocols_%28OSI_model%29

You can identify if the device can perform SIP level fixes if it has some sort of ALG functionality beyond NAT capabilities (layer 3 fixes or rewrites):

An ALG understands the protocol used by the specific applications that it supports (in this case SIP) and does a protocol packet-inspection of traffic through it. A NAT router with a built-in SIP ALG can re-write information within the SIP messages (SIP headers and SDP body) making signaling and audio traffic between the client behind NAT and the SIP endpoint possible.

http://www.voip-info.org/wiki/view/Routers+SIP+ALG
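The rewrite José describes in the accepted solution (turning "c=IN IP4 192.168.250.250" into the firewall's public address) and the ALG definition he quotes in the last comment (rewriting SIP headers and the SDP body) can be shown end to end in a small script. The following Python is an added example written for this page; it is not code from the thread or from any firewall vendor. The INVITE it parses is constructed here, modelled on the one in the accepted answer with made-up numbers, and it uses 9.9.9.9 as the public address exactly as the answer does. Which fields get rewritten (Via, Contact, From and SDP c=/o=, but not Call-ID) is an assumption about a reasonable ALG policy; real products differ. The script also does two things the thread mentions only implicitly: it recomputes Content-Length after the body text changes, and it reports the m= port so the firewall knows which RTP pinhole to open.

```python
import ipaddress
import re

IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
CRLF = "\r\n"

# Fields a NAT-ed caller typically stamps with its private address. Call-ID is
# deliberately NOT rewritten: it is an opaque dialog identifier that must stay
# stable across the call, not a routing address. (Assumed ALG policy.)
REWRITE_HEADERS = ("Via", "Contact", "From")
REWRITE_SDP = ("c=", "o=")


def build_message(start_line, headers, body_lines):
    """Assemble a SIP message whose Content-Length matches its SDP body."""
    body = CRLF.join(body_lines) + CRLF
    hdrs = headers + [f"Content-Length: {len(body.encode())}"]
    return start_line + CRLF + CRLF.join(hdrs) + CRLF + CRLF + body


# Constructed sample, modelled on the INVITE in the accepted answer (values are made up).
SAMPLE_INVITE = build_message(
    "INVITE sip:14107154522807@8.8.8.8:5060 SIP/2.0",
    [
        "Via: SIP/2.0/UDP 192.168.250.250:5060;branch=z9hG4bK98e4117d52a6",
        'From: "Solihull" <sip:01214248526@10.105.80.114>;tag=25526',
        "To: <sip:14107584528207@8.8.8.8>",
        "Call-ID: 68781700-f791ec0f@10.105.80.114",
        "CSeq: 101 INVITE",
        "Contact: <sip:01214248526@192.168.250.250:5060>",
        "Max-Forwards: 70",
        "Content-Type: application/sdp",
    ],
    [
        "v=0",
        "o=CiscoSystemsCCM-SIP 811669 1 IN IP4 10.105.40.14",
        "s=SIP Call",
        "c=IN IP4 192.168.250.250",
        "t=0 0",
        "m=audio 16384 RTP/AVP 0 8 101",
    ],
)


def is_private(ip):
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def split_message(raw):
    head, _, body = raw.partition(CRLF + CRLF)
    start, *headers = head.split(CRLF)
    return start, headers, body


def line_key(line):
    """'Via: ...' -> 'Via', 'c=IN IP4 ...' -> 'c'."""
    return line[0] if len(line) > 1 and line[1] == "=" else line.split(":", 1)[0]


def find_private_addresses(raw):
    """List (field, ip) pairs where an RFC 1918 address leaks into signaling or SDP.
    Any hit is the 'indicator of a call failure' the accepted answer describes."""
    start, headers, body = split_message(raw)
    leaks = []
    for line in [start, *headers, *body.split(CRLF)]:
        for ip in IPV4.findall(line):
            if is_private(ip):
                leaks.append((line_key(line), ip))
    return leaks


def _to_public(line, public_ip):
    return IPV4.sub(lambda m: public_ip if is_private(m.group(1)) else m.group(1), line)


def alg_rewrite(raw, public_ip):
    """The SIP-level fix layered on top of the layer-3 NAT: rewrite private addresses
    in Via/Contact/From and SDP c=/o= to the firewall's public address, recompute
    Content-Length, and report the m= ports whose RTP pinholes the firewall must open.
    Returns (rewritten_message, rtp_ports)."""
    start, headers, body = split_message(raw)
    new_headers, new_body, rtp_ports = [], [], []
    for h in headers:
        if line_key(h) in REWRITE_HEADERS:
            h = _to_public(h, public_ip)
        new_headers.append(h)
    for line in body.split(CRLF):
        if line.startswith(REWRITE_SDP):
            line = _to_public(line, public_ip)
        elif line.startswith("m="):
            rtp_ports.append(int(line.split()[1]))  # port the far end will send RTP to
        new_body.append(line)
    body_out = CRLF.join(new_body)
    # Address text changed length, so the declared body length must be fixed too.
    new_headers = [
        f"Content-Length: {len(body_out.encode())}" if line_key(h).lower() == "content-length" else h
        for h in new_headers
    ]
    return start + CRLF + CRLF.join(new_headers) + CRLF + CRLF + body_out, rtp_ports


def content_length_ok(raw):
    """True when the Content-Length header matches the actual body length."""
    _, headers, body = split_message(raw)
    declared = next((int(h.split(":", 1)[1]) for h in headers
                     if line_key(h).lower() == "content-length"), None)
    return declared == len(body.encode())


if __name__ == "__main__":
    print("before:", find_private_addresses(SAMPLE_INVITE))
    fixed, ports = alg_rewrite(SAMPLE_INVITE, "9.9.9.9")
    print("after:", find_private_addresses(fixed), "open RTP ports:", ports)
    print(fixed)
```

Running find_private_addresses against the original message is the quickest way to tell whether a device in the path is doing only layer-3 NAT (private addresses survive in Via, Contact and c=) or a real SIP ALG (they are gone). Note that Content-Length must be recomputed whenever the body text changes, which the page's own sample, with two differing Content-Length headers, hints at.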