[SIPForum-discussion] SIPForum-Firewall influence on SIP

Neill Wilkinson neill.wilkinson at quortex.com
Mon Jul 14 19:34:31 UTC 2008


Generally you would be using the additional firewall to provide services
such as NAT traversal and/or IPSec/SSL VPN services to the carrier's SIP
trunk; what the additional firewall then provides is another layer of
security, referred to in security circles as defence in depth.

 

Basically defence-in-depth puts different manufacturers' equipment in a
network to guard against specific exploits targeted at a single
manufacturer's equipment.

 

Typically for a "secure" network, you would deploy a front-end firewall
terminating to a proxy layer (DMZ), which itself is isolated from the main
(corporate) network by another firewall layer.

 

In the proxy layer you would generally place services that require external
connectivity, these in turn provide connectivity to internal servers, both
from the outside-in and the inside-out.

 

Generally you should always have a perimeter firewall protecting you from
the nasty Internet. You should also have ACLs on the Internet router to
allow only specific traffic to and from your firewall and inside proxy
layer. Generally the rules allow traffic out from the inside and are
stateful to ensure only traffic initiated from the inside is allowed to
traverse back to the inside proxy layer.

 

So the picture would be:



<Internet> ---- <router> ---- <firewall> ----[DMZ/Proxy layer] ----
<Firewall>---- inside network

 

Neill...;o)

 



Neill Wilkinson
Principal Consultant
  

Aeonvista Ltd - opening up new ideas

 

Email:  <mailto:neill.wilkinson at btinternet.com> neill.wilkinson@
<mailto:neill.wilkinson at btinternet.com> aeonvista.com

 <http://www.linkedin.com/in/neillwilkinson> View Neill Wilkinson's profile
on LinkedIn

Aeonvista Ltd <http://aeonvista.com/> 
From: Fortunato Lacson [mailto:junlacson at gmail.com] 
Sent: 14 July 2008 19:46
To: Jason L. Nesheim
Cc: Richard L. Agonias (Digitel-GSM); discussion at sipforum.org; Neill
Wilkinsonj
Subject: Re: [SIPForum-discussion] SIPForum-Firewall influence on SIP

 

Great inputs. I know I didn't start this thread, but I hope Sri doesn't
mind. It's just that I have so many questions about firewalls on SIP too.

I really can use some guidance. Now I know I'm quite off with my initial
design. Looks like I'm gonna be needing bigger routers and firewalls. 

Back to firewalls, we have been using a SIP Proxy server for our internal
SIP calling. This equipment has a built-in Hot Knife/ Firewall where the
RTP would run through and the SIP going in on a different port. From the SIP
Connect Recommendation, it shows that only the RTP does require a firewall.
This is perhaps because the SIP itself is TLS encrypted.

In real life application, my company doesn't feel secure connecting directly
to SIP trunk providers with just this built-in firewall, thus looking to put
a separate firewall appliance where everything would come in. Are we just
duplicating work here, or can this off-load/ distribute firewall capabilities
for more efficient network components? Below is what my network would look
like:

Gig Internet --> Router --> Firewall --> Switch --> SIP Proxy, Soft IVRs, IP
gateways

Is this more like a real world implementation scheme? Of course, I'm
duplicating each for redundancy like HSRP on Router, Dual Fail/Loadsharing
firewall, and Fail over switching. Do I need to establish encrypted tunnels
to each SIP trunk provider?

Regards to all.

Fortunato





On Sun, Jul 13, 2008 at 11:46 PM, Jason L. Nesheim <jnesheim at cytek.biz>
wrote:

I believe this document should help you with this:
http://www.cisco.com/en/US/tech/tk652/tk698/technologies_tech_note09186a0080094ae2.shtml

 

-- 
Jason Nesheim, Senior Network Design Engineer
Cytek
www.cytek.biz / 702-885-0815



----- Original Message -----

From: "Richard L. Agonias (Digitel-GSM)" <Richard.Agonias at digitel.ph>
To: "Neill Wilkinsonj" <neill.wilkinson at quortex.com>, "Fortunato Lacson"
<junlacson at gmail.com>
Cc: discussion at sipforum.org

Sent: Sunday, July 13, 2008 6:46:16 PM GMT -08:00 US/Canada Pacific
Subject: Re: [SIPForum-discussion] SIPForum-Firewall influence on SIP

Hi Neil,

 

Just a few comments, if Jason would be transporting the voice via IP via E1,
then would he also consider the following:

 

- Ethernet frames - since IP will go down to the layer 2 level, and/or
- PPP - for E1

 

Regards,

 

richard

 


From: discussion-bounces at sipforum.org
[mailto:discussion-bounces at sipforum.org] On Behalf Of Neill Wilkinsonj
Sent: Monday, July 14, 2008 7:53 AM
To: 'Fortunato Lacson'
Cc: discussion at sipforum.org
Subject: Re: [SIPForum-discussion] SIPForum-Firewall influence on SIP

 

You're nearly there - you just need to add the packet overhead; alas, G711
needs some RTP, UDP and IP to get it across the IP network.

 

SIP is the signalling protocol, like SS7 is the signalling protocol.
RTP/UDP/IP is the bearer, if you will; it's like the framing that allows
timeslots of 64kbps speech to be transported over E1 links.

 

So once you've added the overhead you end up with around 80kbps. Now take
this value and divide 650Mbps by it and you get closer to the number of
concurrent RTP streams - or calls. Now remember, just like an E1 has TX and
RX paths, VoIP does too - so if the value for the ASA5540 is the total
throughput, then you need to halve the value you get by dividing 80kbps into
650Mbps to get the number of concurrent calls.

 

Also be careful, as routers and firewalls are rated based on "average" size
packets; this can be around 570 bytes, and the overall performance of
firewalls and routers is generally better with bigger packets. Alas,
RTP-encoded G711 is rather small - 160 bytes plus headers for a 20ms sample.
So it is likely that the real throughput is less than the performance figure
quoted by a manufacturer.

 

Also be careful about the word "connections", as this may well relate to TCP
traffic, not UDP traffic, and VoIP is carried over UDP.

Neill...;o)

 



Neill Wilkinson
Principal Consultant
  

Aeonvista Ltd - opening up new ideas

 

 <http://www.linkedin.com/in/neillwilkinson> View Neill Wilkinson's profile
on LinkedIn

Aeonvista <http://aeonvista.com/>  Ltd
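The per-call arithmetic Neill sets out above (160-byte G711 sample plus RTP/UDP/IP headers, two streams per call, and the "average 570-byte packet" caveat), together with Richard's point about layer-2 framing, worked through as an added example. This is not code from the thread or from any of its posters. It assumes standard uncompressed header sizes (RTP 12, UDP 8, IPv4 20 bytes), uses round assumed figures for Ethernet and PPP framing overhead, and models the 570-byte caveat as a packets-per-second ceiling implied by the rated throughput, which is a simplification: a real appliance's pps rating should be taken from its own data sheet.

```python
"""VoIP bandwidth / firewall dimensioning helper (added example, not from the thread).

Models the arithmetic in Neill's reply: a G.711 sample payload, the RTP/UDP/IP
headers that carry it, one stream per direction, and the caveat that a
throughput figure quoted for "average" 570-byte packets overstates what the
box can do with small RTP packets.
"""

# Standard header sizes in bytes (uncompressed, no options).
RTP_HEADER = 12
UDP_HEADER = 8
IPV4_HEADER = 20

# Layer-2 framing overhead per packet (assumed round figures for illustration):
# Ethernet II header + FCS; PPP-in-HDLC framing on an E1 (Richard's point).
ETHERNET_L2_OVERHEAD = 18
PPP_L2_OVERHEAD = 8


def rtp_packet_bytes(codec_bps=64000, ptime_ms=20, l2_overhead=0):
    """Bytes on the wire for one RTP packet carrying ptime_ms of audio."""
    payload = codec_bps * ptime_ms // 8000          # 64 kbps * 20 ms = 160 bytes
    return payload + RTP_HEADER + UDP_HEADER + IPV4_HEADER + l2_overhead


def stream_bps(codec_bps=64000, ptime_ms=20, l2_overhead=0):
    """Bit rate of one RTP stream (one direction) including headers."""
    packets_per_second = 1000 // ptime_ms            # 50 pps at 20 ms ptime
    return rtp_packet_bytes(codec_bps, ptime_ms, l2_overhead) * 8 * packets_per_second


def calls_by_throughput(rated_bps, per_stream_bps):
    """Concurrent calls if the rated throughput is the only limit.

    A call is two streams (TX and RX), so the stream count is halved, as Neill notes.
    """
    return (rated_bps // per_stream_bps) // 2


def calls_by_packet_rate(rated_bps, rated_packet_bytes=570, ptime_ms=20):
    """Concurrent calls if the box is really limited by packets per second.

    Assumption: the vendor's throughput figure was measured with packets of
    rated_packet_bytes, so it implies a pps ceiling. Small RTP packets reach
    that ceiling long before the bit-rate figure is reached.
    """
    pps_ceiling = rated_bps // (rated_packet_bytes * 8)
    pps_per_call = 2 * (1000 // ptime_ms)            # both directions
    return pps_ceiling // pps_per_call


def required_throughput_bps(calls, per_stream_bps):
    """Total bit rate (both directions) needed for a given number of calls."""
    return calls * 2 * per_stream_bps


if __name__ == "__main__":
    rated = 650_000_000                              # ASA 5540 figure quoted in the thread
    per_stream = stream_bps()
    print(f"G.711/20ms packet: {rtp_packet_bytes()} bytes, {per_stream / 1000:.0f} kbps per direction")
    print(f"with Ethernet framing: {stream_bps(l2_overhead=ETHERNET_L2_OVERHEAD) / 1000:.1f} kbps")
    print(f"with PPP framing on E1: {stream_bps(l2_overhead=PPP_L2_OVERHEAD) / 1000:.1f} kbps")
    print(f"calls by rated throughput: {calls_by_throughput(rated, per_stream)}")
    print(f"calls if pps-bound at a 570-byte rating: {calls_by_packet_rate(rated)}")
    print(f"5000 calls need: {required_throughput_bps(5000, per_stream) / 1e6:.0f} Mbps")
```

The two capacity functions bracket the answer: the bit-rate figure gives the optimistic count Neill describes, while the pps model shows why a firewall rated on large packets may fall well short of it with 50 pps per direction of small RTP packets. The last line applies the same arithmetic to the 5,000-call target mentioned later in the thread.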
From: discussion-bounces at sipforum.org
[mailto:discussion-bounces at sipforum.org] On Behalf Of Fortunato Lacson
Sent: 13 July 2008 10:33
To: Jason L. Nesheim
Cc: discussion at sipforum.org
Subject: Re: [SIPForum-discussion] SIPForum-Firewall influence on SIP

 

Hi all. I am new to this forum and am also new in the SIP world. I have a
long background in traditional PSTN networks but am now ready to embrace
SIP. I am currently involved in studying how we can migrate around 5,000
concurrent inbound calls to our IVR systems using SIP technology.

I am looking at a firewall for our application and found Cisco ASA 5540.
This firewall is rated with a maximum throughput of 650 Mbps and 25,000
firewall connections.

I would imagine that these parameters are something that you would be looking
at when dimensioning a firewall. For the SIP gurus, please correct me if I'm
wrong. I'm also roughly estimating, with G711 at 64Kbps, that you divide the
throughput by that and you get an estimated number of concurrent calls it
can handle.

Regards,


Fortunato Lacson

On Fri, Jul 11, 2008 at 11:56 PM, Jason L. Nesheim <jnesheim at cytek.biz>
wrote:

That would depend on the firewall or router in question and whether NAT is
being used.  

Some firewalls such as the Cisco PIX, ASA, and routers with NAT have SIP
Application Layer Gateways enabled by default.  These ALG engines will
manipulate SIP packet contents with the intent to allow NAT traversal to
function.  Another situation to consider is firewalls with built-in back-to-
back user agents that have a licensed call capacity.  The Ingate Firewall
(http://www.ingate.com/firewalls.php) would be an example of this case.

The DSCP/ToS code points on SIP packets may be manipulated by policy maps on
routers in the network.  Many service providers remark SIP and RTP packets
at the network edge with what they use to designate the priority queue.  It
is also possible in some networks that the bandwidth allocated to SIP and
RTP queues becomes exhausted as load increases and leads to dropped packets.
This typically only occurs if the QoS policies on the routers are improperly
configured but is something to be aware of.

-- 
Jason Nesheim, Senior Network Design Engineer
Cytek
www.cytek.biz / 702-885-0815



----- Original Message -----
From: "AMIT ANAND" <amiit.anand at gmail.com>
To: "sri kuma" <cyberdyne at mail.com>
Cc: discussion at sipforum.org
Sent: Friday, July 11, 2008 10:07:32 AM GMT -08:00 US/Canada Pacific
Subject: Re: [SIPForum-discussion] SIPForum-Firewall influence on SIP

Hi Sri,

There should be no effect as such, but the Packet Forwarding Rate of that
firewall must be appropriate for the number of simultaneous calls you want to run.

Amit Anand
91-9910211901

On Sun, Jul 6, 2008 at 11:11 AM, sri kuma <cyberdyne at mail.com> wrote:

hi,
        I would like to know whether a firewall (SIP aware) would affect
the SIP packets' traversal if the number of calls increases, and is there
any influence of the intermediate routers on the SIP, i.e. do the QoS
settings in the routers affect the SIP packets?

thank you




_______________________________________________
This is the SIP Forum discussion mailing list
TO UNSUBSCRIBE, or edit your delivery options, please visit
http://sipforum.org/mailman/listinfo/discussion
Post to the list at discussion at sipforum.org
