Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Configuring SIP Settings

 

Use the SIP Settings option to configure Session Initiation Protocol (SIP) as a service on the security device. SIP is an Internet Engineering Task Force (IETF)-standard protocol for initiating, modifying, and terminating multimedia sessions (such as conferencing, telephony, or multimedia) over the Internet. SIP is used to distribute the session description, to negotiate and modify the parameters of an existing session, and to terminate a multimedia session.

The device can then screen SIP traffic, permitting or denying it based on a security policy that you configure. SIP is a predefined service in ScreenOS and uses port 5060 as the destination port. Security devices currently do not support NAT (network address translation) with SIP.

SIP is used to distribute the session description and, during the session, to negotiate and modify the parameters of the session. SIP is also used to terminate the session.

SIP messages consist of requests from client to server and responses to requests from servers to clients with the purpose of establishing a session (or a call). A UA (user agent) is an application that runs at the endpoints of the call and consists of two parts: the UAC (user agent client) that sends SIP requests on behalf of the user, and a UAS (user agent server) who listens to the responses and notifies the user when they arrive. Examples of user agents are SIP proxy servers and SIP phones.

A call can have one or more voice channels. Each voice channel has two sessions (or two media streams), one for RTP and one for RTCP. When managing the sessions, the security device considers the sessions in each voice channel as one group. Settings such as the inactivity timeout apply to a group as opposed to each session.

Setting SIP Inactivity Timeouts

You can configure the following types of inactivity timeouts that determine the lifetime of a group:

  • Signaling Inactivity Timeout—This parameter indicates the maximum length of time (in seconds) a call can remain active without any SIP signaling traffic. Each time a SIP signaling message occurs within a call, this timeout resets. The default setting is 43,200 seconds (12 hours).

  • Media Inactivity Timeout—This parameter indicates the maximum length of time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time a RTP or RTCP packet occurs within a call, this timeout resets. The default setting is 120 seconds.

If either of these timeouts expire, the security device removes all sessions for this call from its table, thus terminating the call.

Select any of the appropriate check boxes to pass messages that cannot be decoded by the device in either Route mode or NAT mode:

  • Pass nonparsable packets in Route mode

  • Pass nonparsable packets in NAT mode

Configuring SIP Firewall Features

Multiple SIP INVITE requests can overwhelm a SIP proxy server. You can configure the security device to monitor INVITE requests (and the proxy server replies) to protect SIP proxy servers.

  • SIP Attack Protection—To drop multiple, identical SIP INVITE messages, configure SIP Attack Protection and enter the number of seconds for which you want to drop similar packets. If SIP proxy server reply contains a 3xx, 4xx, or 5xx response code, the ALG stores the source IP address of the request and the IP address of the proxy server in a table. The security device checks all INVITE requests against this table and discards matching packets for the specified number of seconds.

  • Destination IP Server Protection—To protect a specific SIP proxy server from multiple identical SIP INVITE requests, configure Destination IP Server Protection for a specific IP address and netmask.

    • If you do not specify a specific SIP proxy server, SIP Attack Protection monitors all SIP traffic for multiple identical SIP INVITE messages.

    • If you do specify a specific SIP proxy server, SIP Attack Protection monitors only SIP traffic destined for the specified SIP proxy server.

For more detailed explanation about configuring SIP on security devices, see the “Fundamentals” volume in the Concepts & Examples ScreenOS Reference Guide.