source network of the messages is not known then a large number of potentially dangerous
connections must be allowed by the IP rule set. This problem does not occur if the local proxy is
set up with the Record-Route option enabled. In this mode, all SIP messages will only come from
the proxy.
The different rules/policies required when the
Record-Route
option is enabled and disabled can
be seen in the two different sets of IP rules/policies listed below in the detailed description of
Scenario 1
Protecting local clients - Proxy located on the Internet
IP Rules/Policies for Media Data
When discussing SIP data flows there are two distinct types of exchanges involved:
•
The SIP session which sets up communication between two clients prior to the exchange of
media data
.
•
The exchange of the
media data
itself, for example the coded voice data which constitute a
VoIP phone call.
In the SIP setups described below,
IP Rule
objects (or alternatively,
IP Policy
objects) need only be
explicitly defined to deal with the first of the above, the SIP exchanges needed for establishing
client-to-client communications. No IP rules or other objects need to be defined to handle the
second of the above (the exchange of media data). The SIP ALG automatically and invisibly takes
care of creating the connections required (sometimes described as SIP
pinholes
) for allowing the
media data traffic to flow through the NetDefend Firewall.
Tip
Make sure there are no preceding IP rules or IP policies already in the IP rule set that
disallow or allow the same kind of traffic.
SIP Usage Scenarios
NetDefendOS supports a variety of SIP usage scenarios. The following three scenarios cover
nearly all possible types of usage. The example setups are described using
IP Rule
objects but
these could easily be
IP Policy
objects instead.
•
Scenario 1
Protecting local clients - Proxy located on the Internet
The SIP session is between a client on the local, protected side of the NetDefend Firewall and
a client which is on the external, unprotected side. The SIP proxy is located on the external,
unprotected side of the NetDefend Firewall. Communication typically takes place across the
public Internet with clients on the internal, protected side registering with a proxy on the
public, unprotected side.
•
Scenario 2
Protecting proxy and local clients - Proxy on the same network as clients
The SIP session is between a client on the local, protected side of the NetDefend Firewall and
a client which is on the external, unprotected side. The SIP proxy is located on the local,
protected side of the NetDefend Firewall and can handle registrations from both clients
Chapter 6: Security Mechanisms
467
Summary of Contents for NetDefendOS
Page 30: ...Figure 1 3 Packet Flow Schematic Part III Chapter 1 NetDefendOS Overview 30 ...
Page 32: ...Chapter 1 NetDefendOS Overview 32 ...
Page 144: ...Chapter 2 Management and Maintenance 144 ...
Page 284: ...Chapter 3 Fundamentals 284 ...
Page 392: ...Chapter 4 Routing 392 ...
Page 419: ... Host 2001 DB8 1 MAC 00 90 12 13 14 15 5 Click OK Chapter 5 DHCP Services 419 ...
Page 420: ...Chapter 5 DHCP Services 420 ...
Page 573: ...Chapter 6 Security Mechanisms 573 ...
Page 607: ...Chapter 7 Address Translation 607 ...
Page 666: ...Chapter 8 User Authentication 666 ...
Page 775: ...Chapter 9 VPN 775 ...
Page 819: ...Chapter 10 Traffic Management 819 ...
Page 842: ...Chapter 11 High Availability 842 ...
Page 866: ...Default Enabled Chapter 13 Advanced Settings 866 ...
Page 879: ...Chapter 13 Advanced Settings 879 ...