SDP Session Description Overview
An SDP session description is text-based and consists of a set of lines. It can contain session-level and media-level information. The session-level information applies to the whole session, while the media-level information applies to a particular media stream. An SDP session description always contains session-level information, which appears at the beginning of the description, and might contain media-level information, which comes after.
In the SDP session description, the media-level information begins with the m= field.
Of the many fields in the SDP session description, two are particularly useful to the SIP ALG because they contain Transport Layer information. The two fields are the following:
c= for connection information
This field can appear at the session or media level. It displays in this format:
c=<network type> <address type> <connection address>
Currently, the security device supports only “IN” (for Internet) as the network type, “IP4” as the address type, and a unicast IP address or domain name as the connection (destination) address.
Note: Generally, the destination IP address can also be a multicast IP address, but ScreenOS does not currently support multicast with SIP.
m= for media announcement
This field appears at the media level and contains the description of the media. It displays in this format:
m=<media> <port> <transport> <fmt list>
Currently, the security device supports only “audio” as the media and “RTP” (written as RTP/AVP in the m= field) as the Application Layer transport protocol. The port number indicates the destination (not the origin) of the media stream. The format list (fmt list) provides information on the Application Layer protocol (the payload types) that the media uses.
If the destination IP address is a unicast IP address, the SIP ALG creates pinholes using the IP address from the connection information field c= (the media-level c=, if present, takes precedence over the session-level one) and the port number specified in the media description field m=.
In this release of ScreenOS, the security device opens ports only for RTP and the RTP Control Protocol (RTCP). Every RTP session has a corresponding RTCP session. Therefore, whenever a media stream uses RTP, the SIP ALG must reserve ports (create pinholes) for both RTP and RTCP traffic. By default, the port number for RTCP is one higher than the RTP port number (RTP on an even port, RTCP on the next odd port).
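The following is an added example, not ScreenOS code, showing how an ALG derives its pinholes from the c= and m= fields described above. It parses a constructed SDP body (not captured from a real call), lets a media-level c= override the session-level one, keeps only audio over RTP, skips multicast destinations and declined (port 0) streams, and reserves an RTCP port one above each RTP port. The pinhole tuple shape, the function names and the rtcp_offset parameter are assumptions made for this example.

```python
"""Derive RTP/RTCP pinholes from an SDP body the way a SIP ALG would.

Added example, not ScreenOS code. Assumes pinholes are (address, port, proto)
tuples, RTCP sits at RTP port + 1 (the SDP default), multicast destinations are
skipped, and only audio over RTP is handled.
"""
import ipaddress

# Constructed sample SDP offer for this example; not captured from a real call.
SAMPLE_SDP = """v=0
o=alice 2890844526 2890844526 IN IP4 203.0.113.10
s=example call
c=IN IP4 203.0.113.10
t=0 0
m=audio 49170 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
m=video 51372 RTP/AVP 31
m=audio 49180 RTP/AVP 0
c=IN IP4 198.51.100.7
m=audio 49190 RTP/AVP 0
c=IN IP4 224.2.17.12/127
"""


def parse_sdp(text):
    """Split an SDP body into session-level fields and media sections.

    Session-level fields are the (type, value) pairs before the first m= line.
    Each media section is the m= value plus the pairs that follow it up to the
    next m= line, which is where a media-level c= would appear.
    """
    session, media = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if len(line) < 2 or line[1] != "=":
            continue  # blank or malformed: SDP fields are always <type>=<value>
        typ, value = line[0], line[2:]
        if typ == "m":
            media.append({"m": value, "fields": []})
        elif media:
            media[-1]["fields"].append((typ, value))
        else:
            session.append((typ, value))
    return session, media


def connection_address(fields):
    """Return the connection address from the last c= field, or None if absent.

    Only the "IN IP4" combination the text describes is accepted; anything else
    raises so that no pinhole is opened on a guess.
    """
    addr = None
    for typ, value in fields:
        if typ != "c":
            continue
        parts = value.split()
        if len(parts) != 3 or parts[0] != "IN" or parts[1] != "IP4":
            raise ValueError("unsupported c= field: %s" % value)
        # Multicast addresses carry a /<ttl> suffix; strip it before any checks.
        addr = parts[2].split("/")[0]
    return addr


def derive_pinholes(text, rtcp_offset=1):
    """Return the (address, port, protocol) pinholes to open for this SDP.

    A media-level c= overrides the session-level one. Multicast and declined
    (port 0) streams yield nothing. RTCP is placed at RTP port + rtcp_offset.
    """
    session, media = parse_sdp(text)
    session_addr = connection_address(session)
    pinholes = []
    for section in media:
        parts = section["m"].split()
        if len(parts) < 4:
            continue  # m=<media> <port> <transport> <fmt list> needs four tokens
        mtype, port_spec, transport = parts[0], parts[1], parts[2]
        if mtype != "audio" or not transport.startswith("RTP/"):
            continue  # only audio over RTP is supported
        port = int(port_spec.split("/")[0])  # "<port>/<count>" form: take the base port
        if port == 0:
            continue  # port 0 means the stream is declined; nothing to open
        addr = connection_address(section["fields"]) or session_addr
        if addr is None:
            continue  # no c= at either level: cannot place a pinhole
        try:
            if ipaddress.ip_address(addr).is_multicast:
                continue  # multicast is not supported with SIP
        except ValueError:
            pass  # a domain name is permitted; resolving it is outside this example
        pinholes.append((addr, port, "RTP"))
        pinholes.append((addr, port + rtcp_offset, "RTCP"))
    return pinholes


if __name__ == "__main__":
    for hole in derive_pinholes(SAMPLE_SDP):
        print("%s:%d %s" % hole)
```

For the sample body this yields pinholes for 203.0.113.10 ports 49170/49171 (session-level c=) and 198.51.100.7 ports 49180/49181 (media-level c= override); the video stream and the multicast audio stream open nothing. The RTCP port is taken as RTP + 1 as the text states; an endpoint that advertises a different RTCP port with the a=rtcp attribute of RFC 3605 is deliberately not handled here.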
In this configuration, the following connections are logged:
Any connections into eth4 from any IP address except the database server IP address are logged with an alert.
Any connections into eth2 from any IP address except the Web server are logged. In addition, if the database server IP address appears in eth2, the sensor logs that event.