D-Link NetDefend DFL-210 User Manual page 154

Network security firewall

6.2.7. SIP
Maximum Sessions per ID: The number of simultaneous sessions that a single peer can be involved
with is restricted by this value. The default number is 5.
Maximum Registration Time: The maximum time for registration with a SIP Registrar. The default
value is 3600 seconds.
SIP Request-Response Timeout: The maximum time allowed for responses to SIP requests. A timeout
condition occurs after this wait. The default is 180 seconds.
SIP Signal Timeout: The maximum time allowed for SIP sessions. The default value is 43200 seconds.
Data Channel Timeout: The maximum time allowed for periods with no traffic in a SIP session. A
timeout condition occurs if this value is exceeded. The default value is 120 seconds.

SIP Setup Summary
For setup we will assume a scenario where there is an office with VoIP users on a private internal
network and the network's topology will be hidden using NAT. This scenario is illustrated below.
The SIP proxy in the above diagram could alternatively be located remotely across the Internet. The
SIP proxy server should be configured with the feature Record-Route Enabled to ensure all SIP
traffic to and from the office peers will be sent through the SIP Proxy. This is recommended since
the attack surface is minimized by allowing only SIP signalling from the SIP Proxy to enter the
local network. The steps to follow are:
1. Define a SIP ALG object using the options described above.
2. A Service object is used for the ALG which has the above SIP ALG associated with it. The
Service should have:
   Destination Port set to 5060
   Type set to UDP
3. Define two rules in the IP rule set:

Note
SIP User Agents and SIP Proxies should not be configured to employ NAT Traversal
in a setup. For instance the Simple Traversal of UDP through NATs (STUN) technique
should not be used. The NetDefendOS SIP ALG will take care of all traversal issues
with NAT in a SIP setup.
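
One way to check the Record-Route recommendation in the setup summary against LAN-bound SIP traffic, as an added example that is not part of the D-Link manual: it flags signalling that does not come from the proxy and initial INVITEs that the proxy has not record-routed. The proxy address, the function names and the sample messages are assumptions constructed for illustration.

```python
import re

PROXY = "203.0.113.10"   # assumed proxy address (documentation range), not from the manual
COMPACT = {"t": "to", "f": "from", "v": "via", "m": "contact"}  # RFC 3261 short header names

def parse_sip(raw):
    """Return (start_line, {header_name: [values]}) for one SIP message."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:        # folded continuation of previous header
            headers[last][-1] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = COMPACT.get(name.strip().lower(), name.strip().lower())
        headers.setdefault(last, []).append(value.strip())
    return lines[0], headers

def record_route_hosts(headers):
    """Hosts named in Record-Route, including comma-separated lists on one line."""
    hosts = []
    for value in headers.get("record-route", []):
        for uri in re.findall(r"<sips?:([^>]+)>", value):
            hosts.append(uri.split(";")[0].split("@")[-1].split(":")[0])
    return hosts

def audit(packets, proxy=PROXY):
    """packets: (source_ip, raw_message) pairs for LAN-bound SIP seen at the firewall."""
    findings = []
    for src, raw in packets:
        start, headers = parse_sip(raw)
        if src != proxy:                            # e.g. a peer sending BYE straight to the UA
            findings.append(f"signalling from {src}, not the proxy: {start}")
        initial = start.startswith("INVITE ") and "tag=" not in headers.get("to", [""])[0]
        if initial and proxy not in record_route_hosts(headers):
            findings.append(f"no Record-Route for proxy: {start}")
    return findings

def msg(start, *headers):
    return "\r\n".join((start,) + headers) + "\r\n\r\n"

# Constructed sample traffic (documentation address ranges), not a real capture.
SAMPLE = [
    (PROXY, msg("INVITE sip:alice@192.0.2.20 SIP/2.0", "Record-Route: <sip:203.0.113.10;lr>", "To: <sip:alice@example.test>")),
    (PROXY, msg("INVITE sip:alice@192.0.2.20 SIP/2.0", "To: <sip:alice@example.test>")),
    ("198.51.100.7", msg("BYE sip:alice@192.0.2.20 SIP/2.0", "To: <sip:alice@example.test>;tag=c3")),
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An INVITE whose To header already carries a tag is a re-INVITE inside an existing dialog, so only tag-less INVITEs are checked for Record-Route.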
Chapter 6. Security Mechanisms
