The SIP ALG

The SIP ALG

In most cases you should use the SIP Application Layer Gateway (ALG) for processing SIP sessions. The SIP ALG provides the same basic SIP support as the SIP session helper. Additionally, the SIP ALG provides a wide range of features that protect your network from SIP attacks, apply rate limiting to SIP sessions, check the syntax of SIP and SDP content of SIP messages, and provide detailed logging and reporting of SIP activity.

By default all SIP traffic is processed by the SIP ALG. If the policy that accepts the SIP traffic includes a VoIP profile the SIP traffic is processed by that profile. If the policy does not include a SIP profile the SIP traffic is processed by the SIP ALG using the default VoIP profile.

If a FortiGate unit or a VDOM has been configured to use the SIP session helper, you can change this behavior to the default configuration of using the SIP ALG with the following command:

config system settings

set default-voip-alg-mode proxy-based end

 

From the GUI you can only configure VoIP security profiles and add them to security policies if VoIP is turned on under System > Feature Select and if the Inspection Mode is set to Proxy-based. However, you can always configure VoIP profiles and add them to secuity profiles from the CLI. And if the default-voip-alg mode is set to proxy-based the default SIP profile will still be used even if VoIP security pro- files are not visible from the GUI.

As shown in the figure below, the FortiGate SIP ALG intercepts SIP packets after they have been routed by the routing module, accepted by a security policy and passed through DoS and IPS Sensors (if DoS and IPS are enabled). The ALG raises SIP packets to the application layer, analyzes the SIP and SDP addressing information in the SIP messages, makes adjustments (for example, NAT) to this addressing if required, and then sends the packets out the egress interface to their destination.

 

The SIP ALG provides:

  • All the same features as the SIP session helper including NAT and SIP and RTP Pinholes.
  • In addition for the ALG you can enable or disable RTP pinholing, SIP register pinholing and SIP contact pinholing.

In a signalling only environment where the RTP stream bypasses the FortiGate unit, you can disable RTP pinholing to improve performance.

  • SIP TCP and UDP support
  • SIP Message order checking
  • Configurable Header line length maximums

 

The SIP ALG works at the application level after ingress packets are accepted by a security policy

SIP

Egress

Router

  • IP Routing and forwarding
  • IPsec VPN encryption, decryption

 

SIP ALG

  • Rate limiting and message blocking
  • Stateful SIP tracking
  • Message, header, and SDP syntax checking
  • Network surveillance
  • NAT and IP topology Hiding
  • Logging and debugging

 

IPS Signatures Opt.

  •  Intrusion Detection and Prevention
  • Defined by Fortinet and Enterprise signatures
  • SIP decoder identifies SIP sessions

 

Firewall

  • Security Policy
  • IPsec VPN encryption, decryption
  • Access control

DoS Sensor

  • Native (D)DoS prevention
  • Anomaly Detection and Prevention

 

SIP

  • Message fragment assembly (TCP)
  • If SIP messages are fragmented across multiple packets, the FortiGate unit assembles the fragments, does inspection and pass the message in its entirety to the SIP server as one packet. This offloads the server from doing all the TCP processing of fragments.
  • L4 Protocol Translation
  • Message Flood Protection
  • Protects a SIP server from intentional or unintentional DoS of flooding INVITE, REGISTER, and other SIP methods by allowing control of the rate that these massages pass through the FortiGate unit.
  • SIP message type filtering
  • The FortiGate unit can prevent specified SIP message types from passing through the FortiGate unit to a SIP server. For example In a voice only SIP implementation, there may be no need to permit a SUBSCRIBE message to ever make it’s way to the SIP call processor. Also, if a SIP server cannot process some SIP message types you can use SIP message type filtering to block them. For example, a SIP server could have a bug that prevents it from processing certain SIP messages. In this case you can temporarily block these message types until problem with the SIP server has been fixed.
  • SIP statistics and logging
  • SIP over IPv6
  • SIP over SSL/TLS
  • Deep SIP message syntax checking (also called deep SIP header inspection or SIP fuzzing protection). Prevents attacks that use malformed SIP messages. Can check many SIP headers and SDP statements. Configurable bypass and modification options.
  • Hosted NAT traversal, Resolves IP address issue in SIP and SDP lines due to NAT-PT in far end firewall. Important feature for VoIP access networks.
  • SIP High Availability (HA), including active-passive clustering and session pickup (session failover) for SIP sessions.
  • Geographical Redundancy. In an HA configuration, if the active SIP server fails (missing SIP heartbeat messages or
  • SIP traffic) SIP sessions can be redirected to a secondary SIP server in another location.
  • SIP per request method message rate limitation with configurable threshold for SIP message rates per request method. Protects SIP servers from SIP overload and DoS attacks.
  • RTP Bypass, Supports configurations with and without RTP pinholing. May inspect and protect SIP signaling only.
  • SIP NAT with IP address conservation. Performs SIP and RTP aware IP Network Address translation. Preserves the lost IP address information in the SDP profile i= line for later processing/debugging in the SIP server. See NAT with IP address conservation on page 2794.
  • IP topology hiding
  • The IP topology of a network can be hidden through NAT and NAPT manipulation of IP and SIP level addressing.

For example, see SIP NAT scenario: destination address translation (destination NAT) on page 2782.

  • SIP inspection without address translation
  • The SIP ALG inspects SIP messages but addresses in the messages are not translated. This feature can be applied to a FortiGate unit operating in Transparent mode or in NAT/Route mode. In Transparent mode you add normal Transparent mode security policies that enable the SIP ALG and include a VoIP profile that causes the SIP ALG to inspect SIP traffic as required. For an example configuration, see Configuration example: SIP in Transparent Mode on page 2770.
  • For a FortiGate unit operating in NAT/Route mode, if SIP traffic can pass between different networks without requiring NAT because is supported by the routing configuration, you can add security policies that accept SIP traffic without enabling NAT. In the VoIP profile you can configure the SIP ALG to inspect SIP traffic as required.

 

This entry was posted in FortiGate, FortiOS, FortiOS 5.4 Handbook on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.