SIP%20Application%20Layer%20Gateway

1
SIP Application Layer Gateway

• Eilon Yardeni
• Columbia University

2
SIP-aware Firewalls

• VoIP calls are coming from/into the LAN
• Peremiter firewall needs to allow VoIP traffic
• The firewall needs to have
• SIP logic
• Deep packet inspection
• Scalability issues

3
What is Dynamic Pinhole Filtering

• SIP calls are stateful
• RTP media ports are negotiated during signaling,
  assigned dynamically, and taken down
• SIP signaling is done over a static port5060
• INVITE message contains an SDP message indicating
  the callers incoming media port (e.g., 43564 )
• Response 200OK has SDP with the callees incoming
  media port
• Each port creates a pinhole in firewall
• Pinholes are kept open only until a BYE message
  signals closing of both pinholes
• Firewall must keep a state table with all active
  pinholes to check if an arriving RTP packet can
  enter through an open pinhole, otherwise drop
  packet

4
Example of Dynamic Pinhole Filtering
SIPUA User1
SIPUA User2
CAM Table
128.59.19.16343564
128.59.19.16356432
5
Integrated End Point
Trusted
Untrusted
Control and Analysis
SUT
IEP
IEP
Traffic Analyzer
Traffic Generator
Port Scanning
SNORT
Probes
Traffic Passed
Media Port
through Pinholes
4
Scanning/Probing Traffic
SIPUA Loader
Signaling and Media Generation
Timing Synchronization