SIP ALG (Application Layer Gateway) is a security component, commonly found in a router or firewall device .
An ALG is created in the same way as a proxy policy and offers similar configuration options, SIP Application Layer Gateway (ALG) provides functionality to allow VoIP traffic to pass both from the private to public and public to private side of the firewall when using Network Address and Port Translation (NAPT), SIP ALG inspects and modifies SIP traffic to allow SIP traffic to pass through the firewall.
Many of today's commercial routers implement SIP ALG, coming with this feature enabled by default.
Basics SIP ALG operations
1-Control SIP call activity,The call duration and inactivity media timeout features help you to conserve network resources and maximize throughput.
2-Protect the SIP proxy server from denial-of-service (DoS) flood attacks
3-Enable unknown messages to pass when the session is in Network Address Translation (NAT) mode and route mode.
Many of today's commercial routers implement SIP ALG, coming with this feature enabled by default.
Basics SIP ALG operations
1-Control SIP call activity,The call duration and inactivity media timeout features help you to conserve network resources and maximize throughput.
2-Protect the SIP proxy server from denial-of-service (DoS) flood attacks
3-Enable unknown messages to pass when the session is in Network Address Translation (NAT) mode and route mode.
An ALG may offer the following functions:
For instance, for Session Initiation Protocol (SIP) Back-to-Back User agent (B2BUA), an ALG can allow firewall traversal with SIP. If the firewall has its SIP traffic terminated on an ALG then the responsibility for permitting SIP sessions passes to the ALG instead of the firewall. An ALG can solve another major SIP headache: NAT traversal. Basically a NAT with a built-in ALG can rewrite information within the SIP messages and can hold address bindings until the session terminates.
An ALG is very similar to a proxy server, as it sits between the client and real server, facilitating the exchange. There seems to be an industry convention that an ALG does its job without the application being configured to use it, by intercepting the messages. A proxy, on the other hand, usually needs to be configured in the client application. The client is then explicitly aware of the proxy and connects to it, rather than the real server.
- allowing client applications to use dynamic ephemeral TCP/ UDP ports to communicate with the known ports used by the server applications, even though a firewall configuration may allow only a limited number of known ports. In the absence of an ALG, either the ports would get blocked or the network administrator would need to explicitly open up a large number of ports in the firewall — rendering the network vulnerable to attacks on those ports.
- converting the network layer address information found inside an application payload between the addresses acceptable by the hosts on either side of the firewall/NAT. This aspect introduces the term 'gateway' for an ALG.
- recognizing application-specific commands and offering granular security controls over them
- synchronizing between multiple streams/sessions of data between two hosts exchanging data. For example, an FTP application may use separate connections for passing control commands and for exchanging data between the client and a remote server. During large file transfers, the control connection may remain idle. An ALG can prevent the control connection getting timed out by network devices before the lengthy file transfer completes.[2]
For instance, for Session Initiation Protocol (SIP) Back-to-Back User agent (B2BUA), an ALG can allow firewall traversal with SIP. If the firewall has its SIP traffic terminated on an ALG then the responsibility for permitting SIP sessions passes to the ALG instead of the firewall. An ALG can solve another major SIP headache: NAT traversal. Basically a NAT with a built-in ALG can rewrite information within the SIP messages and can hold address bindings until the session terminates.
An ALG is very similar to a proxy server, as it sits between the client and real server, facilitating the exchange. There seems to be an industry convention that an ALG does its job without the application being configured to use it, by intercepting the messages. A proxy, on the other hand, usually needs to be configured in the client application. The client is then explicitly aware of the proxy and connects to it, rather than the real server.
No comments:
Post a Comment