Solved

What is a SIP aware Firewall and Application Level Gateway and how does it solve RTP firewall Problem

Posted on 2014-12-05
211 Views
Last Modified: 2014-12-15
Hi,
I want to understand how a SIP aware firewall/ALG solves the problem of transferring RTP data to a client behind a firewall?

Thanks
Question by:Rohit Bajaj
5 Comments
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 250 total points
SIP is an open standards communications protocol. It is often used in conjunction with RTP. A firewall needs to be able to understand SIP messages to properly perform NAT and to open dynamic RTP ports as necessary. Otherwise SIP applications that need to traverse the firewall will fail.
 
LVL 20

Assisted Solution

by:José Méndez
José Méndez earned 250 total points
As Cliff points out, a SIP aware firewall knows how to handle SIP packets in a special way, but not only that, it also fixes information at layer 5. Imagine that with NAT, a firewall must read each packet that is going out to the Internet, and rewrite the source address with a public address instead of a private address. This is fixing the packet at layer 3.

SIP being a layer 5 protocol sits on top of layer 3. So even though the packet has a source address which is routable in the public networks (Internet), the SIP signaling probably still contains some private IP addresses which are going to cause the SIP dialog to fail in one way or another. Here is an example of how an INVITE could be manufactured by a device inside an internal private network:

INVITE sip:14107154522807@8.8.8.8:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.250.250:5060;branch=z9hG4bK98e4117d52a6
From: "Solihull" <sip:01214248526@10.105.80.114>;tag=25526~ffa80926-5fac-4dd6-b405-2dbbc56ae9a2-551664735
To: <sip:14107584528207@10.105.80.174>
Date: Mon, 02 Apr 2012 18:12:31 GMT
Call-ID: 68781700-f791ec0f-2d26-e28690a@10.105.80.114
Supported: timer,resource-priority,replaces
Min-SE: 1800
User-Agent: Cisco-CUCM8.6
Allow: INVITE, OPTIONS, INFO, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY
CSeq: 101 INVITE
Expires: 180
Allow-Events: presence, kpml
Supported: X-cisco-srtp-fallback
Supported: Geolocation
Call-Info: <sip:192.168.250.250:5060>;method="NOTIFY;Event=telephone-event;Duration=500"
Cisco-Guid: 1752700672-0000065536-0000007823-0237529354
Session-Expires: 84600
Contact: <sip:01214248526@192.168.250.250:5060>
Max-Forwards: 70
Content-Length: 0
Content-Type: application/sdp
Content-Length: 238
v=0
o=CiscoSystemsCCM-SIP 811669 1 IN IP4 10.105.40.14
s=SIP Call
c=IN IP4 192.168.250.250

See how the first line is targeting a public address 8.8.8.8?

INVITE sip:14107154522807@8.8.8.8:5060 SIP/2.0

That line is good, nothing to worry about. However the device is advertising its private address 192.168.250.250 in several other lines, for example:

c=IN IP4 192.168.250.250

This is an indicator of a call failure, either establishing the call altogether, or at least the audio part will be broken (one way audio or even dead air). A SIP aware firewall takes this line:

c=IN IP4 192.168.250.250

and transforms it to something like this:

c=IN IP4 9.9.9.9

Supposing 9.9.9.9 is the public IP address the firewall handles.

Hope that helps.
 

Author Comment

by:Rohit Bajaj
Hi
I understood what you mentioned above. Just want to clarify one thing.
How does one identify if the fix is at layer 5 or layer 3? Also I read that SIP is an application level protocol. Please help me also in identifying the difference between a network layer and session layer.
Thanks
 
LVL 56

Expert Comment

by:Cliff Galiher
Entire books have been written on the OSI model. And the application layer is layer 7, not 5 *or* 3.  As far as identifying session layer or network layer, generally the network layer is IPv4 or IPv6 in most networks. That's it. No TCP. No UDP. No GRE. Just IP. A layer-3 only device can see an IP packet and understand the source and destination address and that's about it. You see some layer-3 switches, but most firewalls and routers understand *at least* layer-4, if not higher. After all, to do their job, they usually have to have a basic concept of a TCP packet vs a UDP packet, and if they are performing NAT, be able to map sessions (which is itself higher than layer 3.)

-Cliff
 
LVL 20

Expert Comment

by:José Méndez
Yup, I got it wrong, it's layer 7:

http://en.wikipedia.org/wiki/List_of_network_protocols_%28OSI_model%29

You can identify if the device can perform SIP level fixes if it has some sort of ALG functionality beyond NAT capabilities (layer 3 fixes or rewrites):

An ALG understands the protocol used by the specific applications that it supports (in this case SIP) and does a protocol packet-inspection of traffic through it. A NAT router with a built-in SIP ALG can re-write information within the SIP messages (SIP headers and SDP body) making signaling and audio traffic between the client behind NAT and the SIP endpoint possible.

http://www.voip-info.org/wiki/view/Routers+SIP+ALG
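As an added example (not code from either expert, nor from any firewall vendor), the following Python script does in miniature what José's two answers describe: it first flags the places in a SIP INVITE where a device advertises a private (RFC 1918) address that the far end would actually try to reach (Via, Contact, and the SDP c= line), which is the one-way-audio indicator from the first answer, and then performs the ALG-style rewrite to the firewall's public address from the second answer. The INVITE is a constructed sample trimmed from the one in the first answer, with an m= line added to complete the SDP; 9.9.9.9 is the firewall's public address as in the answer, and the script assumes the NAT keeps the RTP port number unchanged so the m= line needs no edit. Two details a real ALG must also get right are shown: Content-Length is recomputed after the body changes, and From, To and Call-ID are left untouched because they identify the dialog rather than a reachable address.

```python
import ipaddress
import re

# Constructed sample INVITE modelled on the one in the answer above (headers trimmed,
# SDP completed with an m= line). Content-Length is deliberately wrong so the
# recomputation can be checked.
SAMPLE_INVITE = (
    "INVITE sip:14107154522807@8.8.8.8:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.250.250:5060;branch=z9hG4bK98e4117d52a6\r\n"
    "From: \"Solihull\" <sip:01214248526@10.105.80.114>;tag=25526\r\n"
    "To: <sip:14107584528207@8.8.8.8>\r\n"
    "Call-ID: 68781700-f791ec0f-2d26-e28690a@10.105.80.114\r\n"
    "CSeq: 101 INVITE\r\n"
    "Contact: <sip:01214248526@192.168.250.250:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "v=0\r\n"
    "o=CiscoSystemsCCM-SIP 811669 1 IN IP4 10.105.40.14\r\n"
    "s=SIP Call\r\n"
    "c=IN IP4 192.168.250.250\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
)

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Header fields that carry an address the far end will send traffic back to.
REWRITE_HEADERS = ("Via", "Contact", "Call-Info")
# SDP line carrying the RTP connection address (the line the answer rewrites).
SDP_PREFIXES = ("c=",)


def split_message(raw):
    """Split a SIP message into (header lines, body) at the blank line."""
    head, _, body = raw.partition("\r\n\r\n")
    return head.split("\r\n"), body


def is_private(ip):
    """True for RFC 1918 / non-routable addresses; False for malformed text."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def private_addresses(raw):
    """Return (location, ip) for every private address the far end would try
    to use. A non-empty result is the call-failure / one-way-audio indicator."""
    headers, body = split_message(raw)
    found = []
    for line in headers[1:]:
        name, _, value = line.partition(":")
        if name.strip() in REWRITE_HEADERS:
            found += [(name.strip(), ip) for ip in IPV4.findall(value) if is_private(ip)]
    for line in body.split("\r\n"):
        if line.startswith(SDP_PREFIXES):
            found += [(line[:2], ip) for ip in IPV4.findall(line) if is_private(ip)]
    return found


def declared_content_length(raw):
    """The Content-Length value the message claims (0 if absent)."""
    for line in split_message(raw)[0][1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length":
            return int(value.strip())
    return 0


def alg_rewrite(raw, public_ip):
    """ALG-style fix-up: private addresses in Via/Contact/Call-Info and the SDP
    c= line become the firewall's public address; Content-Length is recomputed.
    From/To/Call-ID are left alone: they identify the dialog, not a reachable host."""
    swap = lambda m: public_ip if is_private(m.group(1)) else m.group(1)
    headers, body = split_message(raw)
    new_headers = [headers[0]]
    for line in headers[1:]:
        name, _, value = line.partition(":")
        name = name.strip()
        if name.lower() == "content-length":
            continue  # re-added below with the correct value
        if name in REWRITE_HEADERS:
            line = f"{name}:{IPV4.sub(swap, value)}"
        new_headers.append(line)
    new_body = "\r\n".join(
        IPV4.sub(swap, line) if line.startswith(SDP_PREFIXES) else line
        for line in body.split("\r\n")
    )
    new_headers.append(f"Content-Length: {len(new_body.encode())}")
    return "\r\n".join(new_headers) + "\r\n\r\n" + new_body


if __name__ == "__main__":
    print("private addresses advertised:", private_addresses(SAMPLE_INVITE))
    print(alg_rewrite(SAMPLE_INVITE, "9.9.9.9"))
```

Running it lists the three private-address leaks (Via, Contact, c=) in the original INVITE and prints the rewritten message, in which those three now carry 9.9.9.9, Call-ID and From still show their original addresses, and Content-Length matches the body. The same check, run against signaling captured on the outside of a firewall, is a quick way to tell whether the device in front of you is actually doing SIP-level rewrites or only layer 3 NAT.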