Configuring Nsgp Overview; Nsgp Modules Overview - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual


Copyright © 2010, Juniper Networks, Inc.

Configuring NSGP Overview

NetScreen Gatekeeper Protocol (NSGP) is a Juniper Networks proprietary peer-to-peer
protocol that enables a security device to act as a server for voice-over-IP (VoIP) traffic:

- NetScreen-500 security devices running ScreenOS 5.0 GPRS can be both the NSGP
  server and client.
- NetScreen-500 and NetScreen 5000 line security devices running ScreenOS 5.0 NSGP
  or 5.1 and later can only be an NSGP server.

NOTE: To use NSGP on a NetScreen-500 or NetScreen 5000 line device,
you must first enable NSGP using a license key. For information about
activating NSGP using a license key, see the Network and Security
Administration Guide.

You can use NSGP to prevent overbilling attacks that can occur when using the GPRS
tunneling protocol (GTP) for VoIP. By configuring one security device as an NSGP server
and another security device as a GTP client, you can keep both server and client aware
of the connection status. When a user initiates a call, the NSGP server and GTP client
establish a session; when the user completes the call, the client notifies the server,
prompting the server to close the session.

Configuring NSGP on a device does not automatically enable the device to handle GTP
traffic; it enables the GTP client and NSGP server to close a session at the same time.
To enable the GTP client to manage GPRS traffic, you must create a GTP object, and
then add that object to the security policy installed on the device. For details on creating
a GTP object and adding a GTP object to a security policy, see the Network and Security
Manager Administration Guide.

Related Documentation

- NSGP Modules Overview
- Configuring Hostnames and Domain Names Overview
- Example: Configuring NSGP on GTP and Gi Firewalls (NSM Procedure)

NSGP Modules Overview

Because each mobile station (MS) gets an IP address from an IP pool, an overbilling
attack can occur when a legitimate subscriber returns an IP address to the IP pool, but
the session is still open. Attackers can hijack the open session without being detected
and reported, then download data at the expense of the legitimate subscriber, or send
data to other subscribers. Overbilling can also occur when a newly returned IP address
is reassigned to another MS; traffic initiated by the previous MS might be forwarded to
the new MS, causing the new MS to be billed for unsolicited traffic. To protect subscribers
of a public land mobile network (PLMN) from overbilling attacks, you can use the
NetScreen Gatekeeper Protocol (NSGP) module and two security devices.
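
The address-reuse case described above, as a toy model added here for illustration (it is not code from the Juniper guide and does not reproduce the proprietary NSGP message format). It assumes the NSGP client runs on the GTP-side firewall and the NSGP server on the Gi-side firewall; the class names, the `notify` switch, the addresses and the subscribers are all constructed.

```python
# Toy model of the overbilling scenario (constructed data, hypothetical names).
from collections import defaultdict

class GiFirewall:
    """NSGP-server role: holds Internet-side sessions keyed by subscriber IP."""
    def __init__(self):
        self.sessions = defaultdict(set)      # ms_ip -> {remote peers}

    def open_session(self, ms_ip, peer):
        self.sessions[ms_ip].add(peer)

    def clear_sessions(self, ms_ip):
        """Handler for the client's 'session ended' notification."""
        self.sessions.pop(ms_ip, None)

    def permits_inbound(self, peer, ms_ip):
        return peer in self.sessions.get(ms_ip, ())

class GtpFirewall:
    """NSGP-client role: sees address assignment/release and the billing view."""
    def __init__(self, pool, gi, notify):
        self.pool, self.gi, self.notify = list(pool), gi, notify
        self.owner = {}                        # ms_ip -> current subscriber
        self.billed = defaultdict(int)         # subscriber -> bytes charged

    def attach(self, subscriber):
        ip = self.pool.pop(0)
        self.owner[ip] = subscriber
        return ip

    def detach(self, ip):
        del self.owner[ip]
        self.pool.insert(0, ip)                # address is reused immediately
        if self.notify:                        # NSGP-style notification to the server
            self.gi.clear_sessions(ip)

    def inbound(self, peer, ip, size):
        # Traffic is charged to whoever holds the address right now.
        if ip in self.owner and self.gi.permits_inbound(peer, ip):
            self.billed[self.owner[ip]] += size

def run(notify):
    gi = GiFirewall()
    gtp = GtpFirewall(["10.0.0.5"], gi, notify)
    ip = gtp.attach("alice")
    gi.open_session(ip, "203.0.113.9")         # alice starts a download
    gtp.detach(ip)                             # alice returns the address to the pool
    assert gtp.attach("bob") == ip             # bob is handed the same address
    gtp.inbound("203.0.113.9", ip, 1500)       # the remote peer keeps sending
    return dict(gtp.billed)
```

With `run(False)` the stale Gi-side session lets the packet through and the new holder of the address is charged; with `run(True)` the session is cleared when the address is released and nothing is billed.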
Chapter 4: Advanced Network Settings