Table of Contents
Advertisement
source network of the messages is not known then a large number of potentially dangerous
connections must be allowed by the IP rule set. This problem does not occur if the local proxy is
set up with the Record-Route option enabled. In this mode, all SIP messages will only come from
the proxy.
The different rules/policies required when the Record-Route option is enabled and disabled can
be seen in the two different sets of IP rules/policies listed below in the detailed description of
Scenario 1
Protecting local clients - Proxy located on the Internet.
IP Rules/Policies for Media Data
When discussing SIP data flows there are two distinct types of exchanges involved:
•
The SIP session which sets up communication between two clients prior to the exchange of
media data.
•
The exchange of the media data itself, for example the coded voice data which constitute a
VoIP phone call.
In the SIP setups described below, IP Rule objects (or alternatively, IP Policy objects) need only be
explicitly defined to deal with the first of the above, the SIP exchanges needed for establishing
client-to-client communications. No IP rules or other objects need to be defined to handle the
second of the above (the exchange of media data). The SIP ALG automatically and invisibly takes
care of creating the connections required (sometimes described as SIP pinholes) for allowing the
media data traffic to flow through the NetDefend Firewall.
Tip
Make sure there are no preceding IP rules or IP policies already in the IP rule set that
disallow or allow the same kind of traffic.
SIP Usage Scenarios
NetDefendOS supports a variety of SIP usage scenarios. The following three scenarios cover
nearly all possible types of usage. The example setups are described using IP Rule objects but
these could easily be IP Policy objects instead.
•
Scenario 1
Protecting local clients - Proxy located on the Internet
The SIP session is between a client on the local, protected side of the NetDefend Firewall and
a client which is on the external, unprotected side. The SIP proxy is located on the external,
unprotected side of the NetDefend Firewall. Communication typically takes place across the
public Internet with clients on the internal, protected side registering with a proxy on the
public, unprotected side.
•
Scenario 2
Protecting proxy and local clients - Proxy on the same network as clients
The SIP session is between a client on the local, protected side of the NetDefend Firewall and
a client which is on the external, unprotected side. The SIP proxy is located on the local,
protected side of the NetDefend Firewall and can handle registrations from both clients
467
Chapter 6: Security Mechanisms
- Quick Links:
- User Manual
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
