SRX Services Gateway

VoIP and SIP ALG behavior in routed rfc 1918 networks without NAT

3 weeks ago

Hello everybody,

On a corporate LAN/MAN with several thousand users and several hundred firewall modules spread across it, ranging from SOHO boxes to high-end SRX, we're in the middle of a large-scale VoIP deployment.

In order to limit administrative expenses, and because we have dedicated/separated VoIP subnets, we started out with a global VoIP policy (in Junos Space) allowing traffic from all VoIP subnets to all VoIP subnets with VoIP services, assigned to the respective modules that host VoIP subnets.

Following this approach sooner or later leads to scaling limits, especially on smaller devices (i.e. 1024 objects per rule). With softphones (SIP) that can be located in any subnet, in conjunction with decentralised RTP media streaming taking place directly between VoIP endpoints, this results in an any:any traffic scheme with a huge range of high ports opened, largely defeating the security devices.

With this scenario in mind we decided to test SIP ALGs in order to limit the security impact:

With our call server/registrar and the called station residing on the untrust side and another phone on the trust side of our firewall (all interfaces in route mode), we could see that outgoing calls from this phone worked perfectly via the ALG, while incoming calls failed due to the fact that the call server was sending its INVITE messages to the untrust interface of the firewall, where we were lacking a NAT pool. This is caused by the ALG rewriting the SDP part of the SIP messages (i.e. the c= field), inserting its own external IP.

As we are in route mode with no need for NAT at all and want to avoid NAT if possible (as this also does not scale), the question arose whether it is possible to have bidirectional SIP rules and have the ALG not rewrite the SDP portion (but still open pinholes for the subsequent RTP/RTCP streams), so that the call server would try to contact the original UA instead of the external interface of the firewall. From what I could find on the internet it seems the ALG is meant to be used exclusively in conjunction with NAT, or is there something like a route mode for the SIP ALG as well? And if not, why has nobody invented that feature, as it could solve some security issues in enterprise networks with private PBXs that use RFC 1918 networks where there is no need to NAT? Or are there other best practices to solve this kind of problem?

Best regards

Stephan


Re: VoIP and SIP ALG behavior in routed rfc 1918 networks without NAT

3 weeks ago

Hi Apu,

It would be great if you could post this question in SRX Services Gateway rather than in Junos, because your question is SRX-specific and the experts are more attentive on that forum page.

Just trying to help :)

Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: VoIP and SIP ALG behavior in routed rfc 1918 networks without NAT

3 weeks ago
Hi noobmaster,

No problem, tomorrow I can open the same thread in the SRX section, if it's more likely to get a solution there.

What to do with this post? Should I leave a remark with a link to the new one? Or could some forum admin delete/move this one so that we have no duplicates?

Best regards

Stephan
--
This message was sent from my Android device with K-9 Mail.

Re: VoIP and SIP ALG behavior in routed rfc 1918 networks without NAT

2 weeks ago

Hi Stephan,

Could you please provide me with the following inputs?

  • When you say route mode in SRX, are you referring to packet mode? Are you using the SRX as a router by enabling packet mode?
  • What type of NAT have you implemented in your network for SIP traffic?
  • Could you please provide me with a topology/diagram with the IP schemas used in your network? [Change public IPs to different ones]

Whenever a SIP phone initializes it will contact the Registrar. So, the SRX device monitors outgoing REGISTER messages, performs NAT and stores the information in an Incoming NAT table. Then, when an INVITE message is received from outside the network, the device uses the Incoming NAT table to identify which internal host to route the INVITE message to.

I think it is not possible to disable Layer 7 translation while still using the pinhole for RTP/RTCP traffic. Either you can enable the SIP ALG or configure bi-directional security policies. For more information, please check the following technical documentation: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-sip-alg.html#id-understa...

Let's see what others have to say...



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: VoIP and SIP ALG behavior in routed rfc 1918 networks without NAT

2 weeks ago

Hello noobmaster,

Please excuse the delay. I hope this can clarify your questions:

  • Our firewalls are not running in packet mode. Please excuse the inaccuracy: when I say route mode I mean that there are no interfaces that perform NAT (like the SSG platform's NAT mode vs. route mode).
  • Until now we did not implement any kind of (ingress) NAT; that's why ingress phone calls do not succeed. That was part of my question: is it possible in some mode to have the SIP ALG handle incoming calls without doing L7 translation of outgoing REGISTER messages beforehand and without performing DNAT on subsequent incoming calls? From my point of view, NAT pools and the like do not scale very well, i.e. you have to know how many devices live behind this NAT. Isn't it also the case that you can just have NAT addresses from within the range of the physical interface? If that's the case, our /30 network would surely limit us.
  • For the network diagram, please see below. All addresses are just fictional, but I think it'll do for the purpose of discussion.

Due to these shortcomings, and the fact that having bidirectional firewall policies is a horrible scenario in terms of security as well, I was wondering why no one has come up with the idea of a SIP ALG that doesn't do L7 rewriting, so that you could have bidirectional SIP policies and the pinholing for RTP/RTCP without the need for NAT. Or wouldn't that make sense?

[attachment: sip_alg.jpg]


Re: VoIP and SIP ALG behavior in routed rfc 1918 networks without NAT

2 weeks ago

Stephan,

Is the SRX performing Source NAT on the traffic initially sent by the phones (REGISTER messages, if I understood properly)? Because if this is happening, then the PBX server will be sending the INVITEs to the external address of the SRX, creating the need for the DNAT that you are looking to avoid.

I believe that if the SRX doesn't perform Source NAT, then its ALG won't see the necessity of translating the L7 payload of the REGISTER messages; hence the PBX server will be sending the INVITEs to the real address of the phones, and at that point the SRX will just route those packets. Please let me know if this makes sense.

Another option that comes to my mind is to place a PBX server in the Trust zone and use a specific public IP address to represent this internal PBX server at the external interface of the SRX (Untrust). You will be using Static NAT to send traffic destined to the external address of the SRX to the internal address of the PBX and vice versa.


Please mark this comment as the Solution if applicable

Re: VoIP and SIP ALG behavior in routed rfc 1918 networks without NAT

2 weeks ago
Hi Stephan,

From the topology, I can see the exit interface is assigned a private IP address. So, when the SIP phone sends a REGISTER message, does the SRX perform a Source NAT or Static NAT?

As Stward stated, if NAT is not happening on the SRX for REGISTER traffic then there is no need for Layer 7 translation.


Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: VoIP and SIP ALG behavior in routed rfc 1918 networks without NAT

2 weeks ago

Hello,

The SIP ALG performs several tasks, including opening dynamic pin-holes and re-writing the L7 information when NAT occurs, both of which occur independently of each other.

So if you have a SIP infrastructure communicating over an RFC 1918 network, the SIP ALG is capable of opening the dynamic pin-holes without re-writing the L7 IP info, since there is no NAT involved.

Reading your symptoms, it seems as if the traffic in question is SRC NATted to the interface IP of the firewall. If this is not expected, you can do a session lookup to confirm that there is no NAT happening on the traffic:

"show security flow session source-prefix <src-ip> destination-prefix <dst-ip>"

Regards,

Vikas

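As an added illustration (not Juniper code and not posted by anyone in this thread) of the two ALG tasks Vikas separates above, and of the SDP c= rewriting described in the original post, this Python model extracts the RTP/RTCP pinholes from a constructed INVITE and rewrites the SDP addresses only when a NAT mapping exists for the inside host. The SIP message, the addresses and the function names are all assumptions made for the example.

```python
import re

# Constructed sample: an INVITE from a phone on the trust side (10.1.1.20)
# towards a PBX on the untrust side; all addresses are fictional.
SAMPLE_INVITE = (
    "INVITE sip:2001@10.2.2.10 SIP/2.0\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=phone 1 1 IN IP4 10.1.1.20\r\n"
    "c=IN IP4 10.1.1.20\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
)


def sdp_pinholes(message):
    """Return (ip, rtp_port, rtcp_port) for each m= line: the pinholes an ALG
    must open so media can flow without an any:any high-port policy."""
    parts = message.split("\r\n\r\n", 1)
    body = parts[1] if len(parts) == 2 else ""
    conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    if conn is None:
        return []  # no SDP body, nothing to open
    ip = conn.group(1)
    holes = []
    for m in re.finditer(r"^m=\w+ (\d+) ", body, re.M):
        port = int(m.group(1))
        holes.append((ip, port, port + 1))  # RTCP is RTP port + 1 by convention
    return holes


def alg_rewrite(message, nat_map):
    """Rewrite the c= and o= addresses only for hosts present in nat_map
    (inside address -> translated address). With an empty map, i.e. no
    source NAT, the SDP is returned untouched, so the PBX later sends its
    INVITE to the phone's real RFC 1918 address. Simplification: a real ALG
    also rewrites Via/Contact headers and any translated media ports."""
    head, sep, body = message.partition("\r\n\r\n")

    def swap(match):
        return match.group(1) + nat_map.get(match.group(2), match.group(2))

    body = re.sub(r"^((?:c|o)=.*IN IP4 )(\S+)", swap, body, flags=re.M)
    return head + sep + body
```

Running `alg_rewrite(SAMPLE_INVITE, {})` returns the message unchanged while `sdp_pinholes` still yields the RTP/RTCP pair, which is the no-NAT behaviour discussed above; supplying a mapping reproduces the c= rewrite that sends the INVITE back to the firewall's address.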

Re: VoIP and SIP ALG behavior in routed rfc 1918 networks without NAT

2 weeks ago

Hello everybody,

I have to admit that I tested the exact same setup with SRX as well as with the SSG platform some weeks ago, and reading Vikas' reply...

"So if you have a SIP infrastructure communicating over an RFC 1918 network, the SIP ALG is capable of opening the dynamic pin-holes without re-writing the L7 IP info, since there is no NAT involved."

...indicates that I might have confused the two labs now. Having spoken to a colleague, at least for the SSG scenario we are sure that the firewall performs L7 translation of the SIP REGISTER messages (inserting its own external IP) regardless of whether NAT is involved or not (this causes incoming calls to fail without a NAT pool on the interface).

But anyway, Vikas' statement above and our observations, which we are sure of at least for the SSG platform, suggest that there is a difference in ALG behavior between the two platforms.

Will have to recheck my SRX lab in terms of NAT usage and L7 translation and will update this post accordingly.

Best regards

Stephan


Re: VoIP and SIP ALG behavior in routed rfc 1918 networks without NAT

Tuesday

Hi Stephan

I was wondering if you were able to confirm whether my statement that the ALG won't change the payload if there is no Source NAT was correct. Thanks for sharing any info you may have.


Please mark this comment as the Solution if applicable

Re: VoIP and SIP ALG behavior in routed rfc 1918 networks without NAT

Wednesday
Hi stwardlp,

I'm in a training this week and have no access to my lab. Will update this thread next week.

Thank you for your assistance.

Best regards

Stephan