ASA5510 provider wants us to disable SPI

hello,

As the title says, our new VOIP provider wants me to disable stateful packet inspection (SPI) on our ASA 5510. I thought that appliance only did SPI and not any deeper scan, so wouldn't this be a very insecure thing to do? What do I need to do to satisfy what they want? Maybe it's changed, but it's been years since I worked on an ASA, let alone a 5510.

They also want ALG disabled but I'm not sure that's as much of a concern.  Thanks.
Brian_B asked:

Cliff Galiher commented:
Even stateful inspection can add overhead. Since most VoIP traffic is UDP, there is no state anyway, so stateful inspection is mostly meaningless. The only packets that would matter would be the rare SIP over TCP (most SIP implementations are UDP as well), so the firewall basically has to look at each packet and determine it is UDP. Might as well skip it.

Now all of that is with the understanding that you usually don't run VoIP over your primary internet connection. At the very least it is done over VPN, and more often is done over MPLS or a dedicated link.  So while SPI is *generally* considered more secure, if the only traffic over the WAN link is from the VoIP provider, there isn't as much of a security concern since you won't be needing to track other non-VoIP connections.

If you are running your VoIP over your primary internet connection, that becomes a different conversation, and your VoIP provider should be having a different set of requirements; the least concerning thing right now is SPI. That is a red flag for me.
Brian_B (author) commented:
Yes, exactly, that's what I'm saying: it's over the primary internet circuit. I just started at this company and inherited this project. There's no backup circuit or anything.

So I don't know how I can possibly turn off SPI.
Cliff Galiher commented:
That's a much bigger conversation at that point then. You can't just turn it off without compromising security, but you will have call quality issues. Thus the need to replan the topology. That's a mess.
Brian_B (author) commented:
Well, that's what I was thinking, but I wasn't sure if there was an option I wasn't aware of. I don't pretend to be a firewall or VOIP expert, but I don't see a way around this. They really want to move forward because this project is already months behind, but I don't know how to get around this requirement to avoid affecting call quality.
0
Cliff Galiher commented:
There isn't a way around it. SPI inherently impacts call quality. Delays cause jitter, which either requires buffering, which is perceived lag. Call your VoIP from a cell and you can hear the delay, which often means pauses in conversation are subconsciously interpreted as the break for the other party to speak and users talk over each other unintentionally. Lag creates a TERRIBLE user experience even though it seems minor. The brain is a wonderful thing, and early VoIP companies like Skype (pre-Microsoft) and CUSeeMe spent millions on these studies to find out the pitfalls. Lag is bad. But if you *don't* buffer for jitter, the conversation sounds like it is happening over a fast-food speaker from the 90s. In that case the quality problem is less subconscious, but users complain more audibly to IT (or those responsible for IT in a contract/MSP relationship).

Even consumer routers offer "optimized" VoIP filters (and gaming filters for Xbox/PS, as lag kills gamers too). It is that big of a deal. Like I said above, this is a more fundamental architectural issue. You won't find an "easy" fix.
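For the ALG half of the provider's request, which the asker was less worried about, here is what the usual compromise looks like on an ASA. This is an added example, not configuration from the thread or from Cisco: it leaves stateful inspection untouched and only removes SIP application-layer inspection from the default global policy, then pins the SIP and RTP traffic that is allowed in from the outside to the provider's address. The object names, the addresses 203.0.113.10 and 192.0.2.20, and the RTP port range 10000-20000 are placeholders you would replace with the values from the provider's trunk documentation; the syntax assumes ASA software 8.3 or later, where interface ACLs reference the real (inside) address.

```cisco
! Added example (not from the thread or from Cisco). Keeps the ASA stateful;
! only the SIP ALG is turned off. Addresses and ports are placeholders.
!
! 1. Remove SIP application-layer inspection from the default global policy.
!    Everything else in inspection_default (dns, icmp, etc.) stays in place.
policy-map global_policy
 class inspection_default
  no inspect sip
!
! 2. Without the SIP ALG the ASA no longer opens RTP pinholes dynamically,
!    so the media range must be permitted explicitly and only from the
!    provider's SBC. 203.0.113.10 = provider SBC, 192.0.2.20 = on-site PBX.
object network PROVIDER_SBC
 host 203.0.113.10
object network PBX_INSIDE
 host 192.0.2.20
 nat (inside,outside) static 203.0.113.50
!
access-list OUTSIDE_IN extended permit udp object PROVIDER_SBC object PBX_INSIDE eq 5060
access-list OUTSIDE_IN extended permit udp object PROVIDER_SBC object PBX_INSIDE range 10000 20000
access-group OUTSIDE_IN in interface outside
!
! 3. Verify: "inspect sip" should be gone from inspection_default, and UDP
!    flows to the PBX should still appear as tracked connections.
show run policy-map
show service-policy
show conn protocol udp
```

The point of step 2 is that disabling the ALG is not the same as disabling inspection: the firewall still tracks every UDP flow (with its normal idle timeout), it just stops rewriting SIP payloads and guessing which media ports to open. That is why the RTP range has to be listed, and why it should be limited to the provider's SBC rather than any source. If the provider also insists on no connection tracking at all, that is the topology conversation Cliff describes above, not a configuration change on the 5510.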