Many next-generation firewalls contain so-called SIP Application Layer Gateway functions (SIP-ALG) or SIP helpers, which in a NAT environment ensure that the ports and IP addresses carried inside SIP messages match the firewall's NAT tables.
This ensures that a SIP gateway in the public network sees a remote station that can be reached via the public address.
A SIP-ALG is also needed when not just one but several SIP devices register with a provider without an intermediate telephony solution.
The SIP-ALG then ensures that the SIP devices do not all contact the provider from source port 5060.
This is achieved by the SIP-ALG or SIP helper inserting itself into the communication and replacing IP addresses and/or media ports in the SIP packets.
Unfortunately, this is very error-prone and always leads to problems.
Possible symptoms of an interfering SIP ALG or SIP helper include:
- Phones/clients do not register
- Phones/clients register, but incoming calls are not signalled
- Voice transmission is missing completely or is only available in one direction
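One way to confirm that an ALG is rewriting SIP, as an added Python example (not Swyx code): capture the same request on the LAN side and on the WAN side of the firewall and compare the address-bearing fields. The INVITE, the addresses and the `simulate_alg` function standing in for the WAN-side capture are all constructed for the example.

```python
import re

PRIVATE_IP = "192.168.1.20"  # constructed LAN address of the phone
PUBLIC_IP = "203.0.113.7"    # constructed public address of the firewall

# Constructed INVITE with SDP body, as captured on the LAN side of the firewall.
SENT = (
    "INVITE sip:+4930123@provider.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776\r\n"
    "Contact: <sip:1001@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "m=audio 7078 RTP/AVP 0\r\n"
)

def parse_sip(msg):
    """Split a SIP request into (headers, sdp) dicts; header names are lower-cased."""
    head, _, body = msg.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    sdp = {}
    for line in body.split("\r\n"):
        if "=" in line:
            key, value = line.split("=", 1)
            sdp[key] = value
    return headers, sdp

def simulate_alg(msg, private_ip, public_ip, media_port):
    """Stand-in for an ALG: rewrite the LAN address in Via/Contact/c= and the m= port."""
    out = msg.replace(private_ip, public_ip)
    return re.sub(r"^(m=audio )\d+", rf"\g<1>{media_port}", out, flags=re.M)

def find_alg_changes(sent, received):
    """Return the fields an ALG rewrote between the LAN-side and WAN-side captures."""
    h_sent, sdp_sent = parse_sip(sent)
    h_recv, sdp_recv = parse_sip(received)
    changes = []
    for key in ("via", "contact"):
        if h_sent.get(key) != h_recv.get(key):
            changes.append(f"{key}: {h_sent.get(key)} -> {h_recv.get(key)}")
    for key in ("c", "m"):
        if sdp_sent.get(key) != sdp_recv.get(key):
            changes.append(f"sdp {key}=: {sdp_sent.get(key)} -> {sdp_recv.get(key)}")
    return changes

if __name__ == "__main__":
    wan_side = simulate_alg(SENT, PRIVATE_IP, PUBLIC_IP, 30000)
    for change in find_alg_changes(SENT, wan_side):
        print(change)
```

An empty result from `find_alg_changes` on real captures means no ALG touched the message; a non-empty one shows exactly which headers and SDP lines the firewall is rewriting.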
In principle, a SIP-ALG is used on the "external" firewall towards the Internet, so it would only actively intervene in traffic for external calls (via or from the SIP provider).
In DMZ scenarios, however, two firewalls are often used, which is why purely internal telephony can also be affected in such cases.
It is therefore advisable to deactivate the SIP-ALG or SIP-Helper functions in the above-mentioned cases.
Whether and how the SIP ALG can be deactivated depends on the router you are using. Please contact the manufacturer of the corresponding firewall solution.
The security of a SwyxWare installation is not affected by deactivating these ALG functions. Other firewall rules, IDS systems and other techniques continue to work. Disabling the ALG functions for the SIP protocol does not affect other protocols.
SwyxWare itself does not offer public dial-in for end devices. This is done either via a secured VPN or via the so-called RemoteConnector service. Direct communication is therefore exclusively to and from a single provider. Some providers additionally allow switching to encrypted trunks to increase security further.
From Swyx's point of view, a SIP-ALG is therefore not necessary for SwyxWare and would not provide increased security.