[SIPForum-discussion] Fwd: SIPForum-Firewall influence on SIP

Fortunato Lacson junlacson at gmail.com
Wed Jul 16 19:54:15 UTC 2008


---------- Forwarded message ----------
From: Fortunato Lacson <junlacson at gmail.com>
Date: Wed, Jul 16, 2008 at 12:52 PM
Subject: Re: [SIPForum-discussion] SIPForum-Firewall influence on SIP
To: Neill Wilkinson <neill.wilkinson at quortex.com>


Thanks!
I plan to use the edge router for the NAT and IPSec tunneling to the SIP
providers, and ACLs to limit the incoming traffic from certain IPs.

I don't need to have my SIP Proxy Server in the DMZ zone, right? I don't have
any web server that needs to be in the DMZ either, as we want to have the SIP stuff
on a totally separate network from our corporate system (a clash between IS
and telecom operations, haha, how long will it last).

Then perhaps I will use the firewall appliance for SIP/RTP packet analysis,
virus and trojan detection and dynamic port allocation, and the firewall on the
SIP Proxy Server for traffic analysis?

Regards.

Fortunato

On Mon, Jul 14, 2008 at 12:34 PM, Neill Wilkinson <
neill.wilkinson at quortex.com> wrote:

> Generally you would be using the additional firewall to provide services
> such as NAT traversal and/or IPSec/SSL VPN services to the carrier's SIP
> trunk; then what the additional firewall provides is another layer of
> security, referred to in security circles as defence in depth.
>
> Basically defence-in-depth puts different manufacturers' equipment in a
> network to guard against specific exploits targeted at a single
> manufacturer's equipment.
>
> Typically for a "secure" network, you would deploy a front-end firewall
> terminating to a proxy layer (DMZ), which itself is isolated from the main
> (corporate) network by another firewall layer.
>
> In the proxy layer you would generally place services that require external
> connectivity; these in turn provide connectivity to internal servers, both
> from the outside-in and the inside-out.
>
> Generally you should always have a perimeter firewall protecting you from
> the nasty Internet. You should also have ACLs on the Internet router to
> allow only specific traffic to and from your firewall and inside proxy
> layer. Generally the rules allow traffic out from the inside and are
> stateful to ensure only traffic initiated from the inside is allowed to
> traverse back to the inside proxy layer.
>
> So the picture would be:
>
>  <Internet> ---- <router> ---- <firewall> ----[DMZ/Proxy layer] ----
> <Firewall>---- inside network
>
> Neill...;o)
>
> *Neill Wilkinson*
> Principal Consultant
> Aeonvista Ltd - opening up new ideas
> *Aeonvista Ltd <http://aeonvista.com/>*
>
> *From:* Fortunato Lacson [mailto:junlacson at gmail.com]
> *Sent:* 14 July 2008 19:46
> *To:* Jason L. Nesheim
> *Cc:* Richard L. Agonias (Digitel-GSM); discussion at sipforum.org; Neill
> Wilkinsonj
>
> *Subject:* Re: [SIPForum-discussion] SIPForum-Firewall influence on SIP
>
> Great inputs. I know I didn't start this thread, but I hope Sri doesn't
> mind. It's just that I have so many questions about firewalls on SIP too.
>
> I really can use some guidance. Now I know I'm quite off with my initial
> design. Looks like I'm gonna be needing bigger routers and firewalls.
>
> Back to firewalls, we have been using a SIP Proxy server for our internal
> SIP calling. This equipment has a built-in Hot Knife/Firewall where the
> RTP would run through, with the SIP going in on a different port. From the SIP
> Connect Recommendation, it shows that only the RTP does require a firewall.
> This is perhaps because the SIP itself is TLS encrypted.
>
> In real life application, my company doesn't feel secure connecting
> directly to SIP trunk providers with just this built-in firewall, thus we are
> looking to put a separate firewall appliance where everything would come in.
> Are we just duplicating work here, or can this off-load/distribute firewall
> capabilities for more efficient network components? Below is what my
> network would look like:
>
> Gig Internet --> Router --> Firewall --> Switch --> SIP Proxy, Soft IVRs,
> IP gateways
>
> Is this more like a real world implementation scheme? Of course, I'm
> duplicating each for redundancy like HSRP on Router, Dual Fail/Loadsharing
> firewall, and Fail over switching. Do I need to establish encrypted tunnels
> to each SIP trunk provider?
>
> Regards to all.
>
> Fortunato
>
>  On Sun, Jul 13, 2008 at 11:46 PM, Jason L. Nesheim <jnesheim at cytek.biz>
> wrote:
>
> I believe this document should help you with this:
> http://www.cisco.com/en/US/tech/tk652/tk698/technologies_tech_note09186a0080094ae2.shtml
>
> --
> Jason Nesheim, Senior Network Design Engineer
> Cytek
> www.cytek.biz / 702-885-0815
>
> ----- Original Message -----
>
> From: "Richard L. Agonias (Digitel-GSM)" <Richard.Agonias at digitel.ph>
> To: "Neill Wilkinsonj" <neill.wilkinson at quortex.com>, "Fortunato Lacson" <
> junlacson at gmail.com>
> Cc: discussion at sipforum.org
>
> Sent: Sunday, July 13, 2008 6:46:16 PM GMT -08:00 US/Canada Pacific
> Subject: Re: [SIPForum-discussion] SIPForum-Firewall influence on SIP
>
> Hi Neill,
>
> Just a few comments: if Jason would be transporting the voice via IP via
> E1, then would he also consider the following:
>
> - Ethernet frames – since IP will go down to the layer 2 level, and/or
> - PPP – for E1
>
> Regards,
>
> richard
>
>  ------------------------------
>
> *From:* discussion-bounces at sipforum.org [mailto:
> discussion-bounces at sipforum.org] *On Behalf Of *Neill Wilkinsonj
> *Sent:* Monday, July 14, 2008 7:53 AM
> *To:* 'Fortunato Lacson'
> *Cc:* discussion at sipforum.org
> *Subject:* Re: [SIPForum-discussion] SIPForum-Firewall influence on SIP
>
> You're nearly there – you just need to add the packet overhead; alas, G711
> needs some RTP, UDP and IP to get it across the IP network.
>
> SIP is the signalling protocol, like SS7 is the signalling protocol.
> RTP/UDP/IP is the bearer, if you will; it's like the framing that allows
> timeslots of 64kbps speech to be transported over E1 links.
>
> So once you've added the overhead you end up with around 80kbps. Now take
> this value and divide it into 650Mbps and you get closer to the number of
> concurrent RTP streams – or calls. Now remember, just like an E1 has TX and
> RX paths, VoIP does too – so if the value for the ASA5540 is the total
> throughput, then you need to halve the value you get by dividing 80kbps into
> 650Mbps to get the number of concurrent calls.
>
> Also be careful, as routers and firewalls are rated based on "average" size
> packets; this can be around 570 bytes, and the overall performance of
> firewalls and routers is generally better with bigger packets. Alas, RTP
> encoded G711 is rather small – 160 bytes plus headers for a 20ms sample. So
> it is likely that the real throughput is less than the performance figure
> quoted by a manufacturer.
>
> Also be careful about the word "connections", as this may well relate to TCP
> traffic, not UDP traffic, and VoIP is carried over UDP.
>
> Neill...;o)
>
> *Neill Wilkinson*
> Principal Consultant
> Aeonvista Ltd - opening up new ideas
> *Aeonvista Ltd <http://aeonvista.com/>*
>
> *From:* discussion-bounces at sipforum.org [mailto:
> discussion-bounces at sipforum.org] *On Behalf Of *Fortunato Lacson
> *Sent:* 13 July 2008 10:33
> *To:* Jason L. Nesheim
> *Cc:* discussion at sipforum.org
> *Subject:* Re: [SIPForum-discussion] SIPForum-Firewall influence on SIP
>
> Hi all. I am new to this forum and am also new in the SIP world. I have a
> long background in traditional PSTN networks but am now ready to embrace
> SIP. I am currently involved in studying how we can migrate around 5,000
> concurrent inbound calls to our IVR systems using SIP technology.
>
> I am looking at a firewall for our application and found the Cisco ASA 5540.
> This firewall is rated with a maximum throughput of 650 Mbps and 25,000
> firewall connections.
>
> I would imagine that these parameters are something that you would be
> looking at when dimensioning a firewall. For the SIP gurus, please correct
> me if I'm wrong. I'm also roughly estimating that, with G711 at 64Kbps, you
> divide the throughput by that and you get an estimated number of concurrent
> calls it can handle.
>
> Regards,
>
>
> Fortunato Lacson
>
> On Fri, Jul 11, 2008 at 11:56 PM, Jason L. Nesheim <jnesheim at cytek.biz>
> wrote:
>
> That would depend on the firewall or router in question and whether NAT is
> being used.
>
> Some firewalls such as the Cisco PIX, ASA, and routers with NAT have SIP
> Application Layer Gateways enabled by default. These ALG engines will
> manipulate SIP packet contents with the intent to allow NAT traversal to
> function. Another situation to consider is firewalls with built-in
> back-to-back user agents that have a licensed call capacity. The Ingate
> Firewall (http://www.ingate.com/firewalls.php) would be an example of this case.
>
> The DSCP/ToS code points on SIP packets may be manipulated by policy maps
> on routers in the network.  Many service providers remark SIP and RTP
> packets at the network edge with what they use to designate the priority
> queue.  It is also possible in some networks that the bandwidth allocated to
> SIP and RTP queues becomes exhausted as load increases and leads to dropped
> packets.  This typically only occurs if the QoS policies on the routers are
> improperly configured but is something to be aware of.
>
> --
> Jason Nesheim, Senior Network Design Engineer
> Cytek
> www.cytek.biz / 702-885-0815
>
> ----- Original Message -----
> From: "AMIT ANAND" <amiit.anand at gmail.com>
> To: "sri kuma" <cyberdyne at mail.com>
> Cc: discussion at sipforum.org
> Sent: Friday, July 11, 2008 10:07:32 AM GMT -08:00 US/Canada Pacific
> Subject: Re: [SIPForum-discussion] SIPForum-Firewall influence on SIP
>
> Hi Sri,
>
> There should be no effect as such but the Packet Forwarding Rate of that
> firewall must be appropriate as per the simultaneous call you want to run.
>
> Amit Anand
> 91-9910211901
>
> On Sun, Jul 6, 2008 at 11:11 AM, sri kuma <cyberdyne at mail.com> wrote:
>
> hi,
>         I would like to know whether a firewall (SIP aware) would affect
> the SIP packets' traversal if the number of calls increases, and is there
> any influence of the intermediate routers on the SIP, i.e. do the QoS
> settings in the routers affect the SIP packets?
>
> thank you
>
>
> _______________________________________________
> This is the SIP Forum discussion mailing list
> TO UNSUBSCRIBE, or edit your delivery options, please visit
> http://sipforum.org/mailman/listinfo/discussion
> Post to the list at discussion at sipforum.org
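The capacity arithmetic Neill walks through above (64 kbps G.711 plus RTP/UDP/IP overhead, halved because a call has a TX and an RX stream, then checked against the "average packet size" caveat), as an added worked example that is not part of the thread. It assumes an IPv4 header without options, no layer-2 (Ethernet/PPP) overhead, and that the 650 Mbps figure counts both directions; the 570-byte average is the value quoted in the reply.

```python
# Added example, not from the thread: bandwidth and packet-rate arithmetic for
# one G.711 RTP stream, following the method in Neill's reply. Assumptions:
# IPv4 header without options, no layer-2 overhead, throughput counts TX + RX.
from dataclasses import dataclass

L3_OVERHEAD = 20 + 8 + 12   # IPv4 + UDP + RTP headers, bytes per packet


@dataclass(frozen=True)
class Stream:
    codec_bps: int   # codec bit rate, e.g. 64000 for G.711
    ptime_ms: int    # audio carried per packet (packetisation interval)

    @property
    def payload_bytes(self) -> int:
        # G.711 at 20 ms: 64000 * 20 / 8000 = 160 bytes
        return self.codec_bps * self.ptime_ms // 8000

    @property
    def packet_bytes(self) -> int:
        return self.payload_bytes + L3_OVERHEAD

    @property
    def pps(self) -> float:
        return 1000 / self.ptime_ms   # one packet per ptime, per direction

    @property
    def bps(self) -> float:
        return self.packet_bytes * 8 * self.pps   # one direction of one call


def concurrent_calls(total_throughput_bps: float, s: Stream) -> int:
    """Calls a box can carry if its throughput figure is total (TX + RX)."""
    return int(total_throughput_bps / s.bps) // 2   # two streams per call


def pps_for_calls(calls: int, s: Stream) -> float:
    """Packet rate the box must forward for this many bidirectional calls."""
    return calls * 2 * s.pps


def rated_pps(total_throughput_bps: float, avg_packet_bytes: int = 570) -> float:
    """Packet rate implied by a throughput quoted at an 'average' packet size."""
    return total_throughput_bps / (avg_packet_bytes * 8)


G711_20MS = Stream(codec_bps=64000, ptime_ms=20)

if __name__ == "__main__":
    s = G711_20MS
    print(f"{s.packet_bytes} B/pkt, {s.pps:.0f} pps, {s.bps / 1000:.0f} kbps per stream")
    print("calls at 650 Mbps total:", concurrent_calls(650e6, s))
    print("pps needed for 5000 calls:", pps_for_calls(5000, s))
    print("pps implied by 650 Mbps at 570 B average:", round(rated_pps(650e6)))
```

The last two lines make the caveat concrete: 5,000 G.711 calls at 20 ms need roughly 500,000 packets per second in total, while 650 Mbps measured with 570-byte packets corresponds to only about 143,000 packets per second, so the packet rate, not the bit rate, is the figure to check against a vendor's data sheet.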