[SIPForum-discussion] SIPForum-Firewall influence on SIP

Fortunato Lacson junlacson at gmail.com
Mon Jul 14 18:46:22 UTC 2008


Great inputs. I know I didn't start this thread, but I hope Sri doesn't
mind. It's just that I have so many questions about firewalls on SIP too.

I really can use some guidance. Now I know I'm quite off with my initial
design. Looks like I'm gonna be needing bigger routers and firewalls.

Back to firewalls, we have been using a SIP Proxy server for our internal
SIP calling. This equipment has a built-in Hot Knife/firewall which the
RTP runs through, with the SIP going in on a different port. From the SIP
Connect Recommendation, it shows that only the RTP does require a firewall.
This is perhaps because the SIP itself is TLS encrypted.

In real-life application, my company doesn't feel secure connecting directly
to SIP trunk providers with just this built-in firewall, thus we are looking to put
a separate firewall appliance where everything would come in. Are we just
duplicating work here, or can this off-load/distribute firewall capabilities
for more efficient network components? Below is what my network would look
like:

Gig Internet --> Router --> Firewall --> Switch --> SIP Proxy, Soft IVRs, IP
gateways

Is this more like a real-world implementation scheme? Of course, I'm
duplicating each for redundancy, like HSRP on the router, dual fail-over/load-sharing
firewalls, and fail-over switching. Do I need to establish encrypted tunnels
to each SIP trunk provider?

Regards to all.

Fortunato




On Sun, Jul 13, 2008 at 11:46 PM, Jason L. Nesheim <jnesheim at cytek.biz>
wrote:

> I believe this document should help you with this:
> http://www.cisco.com/en/US/tech/tk652/tk698/technologies_tech_note09186a0080094ae2.shtml
>
> --
> Jason Nesheim, Senior Network Design Engineer
> Cytek
> www.cytek.biz / 702-885-0815
>
>
> ----- Original Message -----
> From: "Richard L. Agonias (Digitel-GSM)" <Richard.Agonias at digitel.ph>
> To: "Neill Wilkinsonj" <neill.wilkinson at quortex.com>, "Fortunato Lacson" <
> junlacson at gmail.com>
> Cc: discussion at sipforum.org
> Sent: Sunday, July 13, 2008 6:46:16 PM GMT -08:00 US/Canada Pacific
> Subject: Re: [SIPForum-discussion] SIPForum-Firewall influence on SIP
>
> Hi Neill,
>
> Just a few comments, if Jason would be transporting the voice via IP via
> E1, then would he also consider the following:
>
> - Ethernet frames – since IP will go down to the layer 2 level
> and/or
>
> - PPP – for E1
>
> Regards,
>
> richard
>
>  ------------------------------
>
> *From:* discussion-bounces at sipforum.org [mailto:
> discussion-bounces at sipforum.org] *On Behalf Of *Neill Wilkinsonj
> *Sent:* Monday, July 14, 2008 7:53 AM
> *To:* 'Fortunato Lacson'
> *Cc:* discussion at sipforum.org
> *Subject:* Re: [SIPForum-discussion] SIPForum-Firewall influence on SIP
>
> You're nearly there – you just need to add the packet overhead alas G711
> needs some RTP, UDP and IP to get it across the IP network.
>
> SIP is the signalling protocol like SS7 is the signalling protocol.
> RTP/UDP/IP is the bearer, if you will, it's like the framing that allows
> timeslots of 64kbps speech to be transported over E1 links.
>
> So once you've added the overhead you end up with around 80kbps. Now take
> this value and divide 650Mbps and you get closer to the number of concurrent
> RTP streams – or calls. Now remember just like an E1 has TX and RX paths,
> VoIP does too – so if the value of the ASA5540 is the total throughput –
> then you need to halve the value you get by dividing 80kbps into 650Mbps to
> get the number of concurrent calls.
>
> Also be careful as routers and firewalls are rated based on "average" size
> packets; this can be around 570 bytes. Overall performance of firewalls and
> routers is generally better with bigger packets. Alas RTP encoded G711 is
> rather small – 160 bytes plus headers for a 20ms sample. So it is likely
> that the real throughput is less than the performance figure quoted by a
> manufacturer.
>
> Also be careful about the word connections as this may well relate to TCP
> traffic, not UDP traffic and VoIP is carried over UDP.
>
> Neill...;o)
>
>
>
> *Neill Wilkinson*
> Principal Consultant
>
>
> Aeonvista Ltd - opening up new ideas
>
> *From:* discussion-bounces at sipforum.org [mailto:
> discussion-bounces at sipforum.org] *On Behalf Of *Fortunato Lacson
> *Sent:* 13 July 2008 10:33
> *To:* Jason L. Nesheim
> *Cc:* discussion at sipforum.org
> *Subject:* Re: [SIPForum-discussion] SIPForum-Firewall influence on SIP
>
>
>
> Hi all. I am new to this forum and am also new in the SIP world. I have a
> long background in traditional PSTN networks but am now ready to embrace
> SIP. I am currently involved in studying how we can migrate around 5,000
> concurrent inbound calls to our IVR systems using SIP technology.
>
> I am looking at a firewall for our application and found the Cisco ASA 5540.
> This firewall is rated with a maximum throughput of 650 Mbps and 25,000
> firewall connections.
>
> I would imagine that these parameters are something that you would be
> looking at when dimensioning a firewall. For the SIP gurus, please correct
> me if I'm wrong. I'm also roughly estimating, with G711 at 64Kbps, you
> divide the throughput by that and you get an estimated number of concurrent
> calls it can handle.
>
> Regards,
>
>
> Fortunato Lacson
>
> On Fri, Jul 11, 2008 at 11:56 PM, Jason L. Nesheim <jnesheim at cytek.biz>
> wrote:
>
> That would depend on the firewall or router in question and whether NAT is
> being used.
>
> Some firewalls such as the Cisco PIX, ASA, and routers with NAT have SIP
> Application Layer Gateways enabled by default.  These ALG engines will
> manipulate SIP packet contents with the intent to allow NAT traversal to
> function.  Another situation to consider is firewalls with built-in
> back-to-back user agents that have a licensed call capacity.  The Ingate
> Firewall (http://www.ingate.com/firewalls.php) would be an example of this case.
>
> The DSCP/ToS code points on SIP packets may be manipulated by policy maps
> on routers in the network.  Many service providers remark SIP and RTP
> packets at the network edge with what they use to designate the priority
> queue.  It is also possible in some networks that the bandwidth allocated to
> SIP and RTP queues becomes exhausted as load increases and leads to dropped
> packets.  This typically only occurs if the QoS policies on the routers are
> improperly configured but is something to be aware of.
>
> --
> Jason Nesheim, Senior Network Design Engineer
> Cytek
> www.cytek.biz / 702-885-0815
>
>
>
> ----- Original Message -----
> From: "AMIT ANAND" <amiit.anand at gmail.com>
> To: "sri kuma" <cyberdyne at mail.com>
> Cc: discussion at sipforum.org
> Sent: Friday, July 11, 2008 10:07:32 AM GMT -08:00 US/Canada Pacific
> Subject: Re: [SIPForum-discussion] SIPForum-Firewall influence on SIP
>
> Hi Sri,
>
> There should be no effect as such, but the Packet Forwarding Rate of that
> firewall must be appropriate for the number of simultaneous calls you want to run.
>
> Amit Anand
> 91-9910211901
>
> On Sun, Jul 6, 2008 at 11:11 AM, sri kuma <cyberdyne at mail.com> wrote:
>
> Hi,
> I would like to know whether a firewall (SIP aware) would affect
> the SIP packet traversal if the number of calls increases, and is there
> any influence of the intermediate routers on the SIP, i.e. do the QoS
> settings in the routers affect the SIP packets?
>
> thank you
>
>
>
>
> _______________________________________________
> This is the SIP Forum discussion mailing list
> TO UNSUBSCRIBE, or edit your delivery options, please visit
> http://sipforum.org/mailman/listinfo/discussion
> Post to the list at discussion at sipforum.org
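Neill's overhead arithmetic quoted above, carried through as an added Python example that is not part of the thread: per-stream bandwidth for G.711 at 20 ms with RTP/UDP/IP headers, the optional layer-2 framing Richard raised (Ethernet or PPP on E1), and the halving for TX and RX against the 650 Mbps ASA 5540 figure from the thread. The header sizes are standard protocol values; the PPP framing size is an approximation assumed here.

```python
"""Per-call bandwidth and firewall capacity estimate (added example, not
from the thread). Header sizes are standard protocol values; the 650 Mbps
ASA 5540 figure comes from the thread; PPP framing size is an assumption."""

RTP_HDR = 12    # RTP fixed header, no CSRC entries
UDP_HDR = 8
IPV4_HDR = 20   # no IP options
# Ethernet on the wire: 14 MAC header + 4 FCS + 8 preamble/SFD + 12 inter-frame gap
ETH_OVERHEAD = 38
# PPP in HDLC framing on E1: flag + address + control + protocol + FCS (approx.)
PPP_OVERHEAD = 7


def payload_bytes(codec_kbps=64, ptime_ms=20):
    """Codec payload per packet: 64 kbps over 20 ms = 160 bytes for G.711."""
    return codec_kbps * ptime_ms // 8


def stream_kbps(codec_kbps=64, ptime_ms=20, l2_overhead=0):
    """Bandwidth of one RTP stream (one direction) including all headers."""
    pkt_bytes = (payload_bytes(codec_kbps, ptime_ms)
                 + RTP_HDR + UDP_HDR + IPV4_HDR + l2_overhead)
    pps = 1000 / ptime_ms                 # 50 packets/s at 20 ms
    return pkt_bytes * 8 * pps / 1000


def concurrent_calls(throughput_mbps, per_stream_kbps):
    """Each call is two streams (TX and RX); both count against the rating."""
    return int(throughput_mbps * 1000 / (2 * per_stream_kbps))


def naive_calls(throughput_mbps, codec_kbps=64):
    """The first-cut estimate from the thread: throughput / codec rate alone."""
    return int(throughput_mbps * 1000 / codec_kbps)


def packets_per_second(calls, ptime_ms=20):
    """Total pps the firewall must forward: 2 streams per call, 1000/ptime each."""
    return int(calls * 2 * 1000 / ptime_ms)


if __name__ == "__main__":
    for label, l2 in (("IP only", 0), ("Ethernet", ETH_OVERHEAD), ("PPP/E1", PPP_OVERHEAD)):
        bw = stream_kbps(l2_overhead=l2)
        calls = concurrent_calls(650, bw)
        print(f"{label:9s} {bw:6.1f} kbps/stream {calls:5d} calls "
              f"{packets_per_second(calls):7d} pps")
    print("naive 650 Mbps / 64 kbps estimate:", naive_calls(650))
```

The pps column is the figure to compare against a forwarding-rate spec, since small 200-byte packets exhaust a box rated on 570-byte averages long before the bit rate does.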