Voice over IP and multimedia standards supported by the PIX
Security Appliance include H.323 Version 4, Session Initiation Protocol (SIP),
Cisco Skinny Client Control Protocol (SCCP), and Media Gateway Control Protocol
(MGCP), helping businesses secure deployments of a wide range of current and
next-generation Voice over IP (VoIP) and multimedia applications.
The PIX Security Appliance also provides security services for Telephony
Application Programming Interface (TAPI)-based and Java TAPI (JTAPI)-based
applications, such as the Cisco IP SoftPhone, when these applications use
Computer Telephony Interface Quick Buffer Encoding (CTIQBE) as the network
transport mechanism.
H.323
H.323 is more complicated than other traditional protocols
because it uses two TCP connections and four to six UDP sessions for a single
"call." Only one of the TCP connections goes to a well-known port.
All the other ports are negotiated and are temporary. Furthermore, the content
of the streams is far more difficult for firewalls to understand than with many
other protocols because H.323 encodes packets using Abstract Syntax Notation,
or ASN.1.
By default, the PIX Security Appliance inspects port 1720 connections for
H.323 traffic. If there are network devices using ports other than the default
ports, the class-map command is used to identify these other traffic flows
with their different port numbers. Use the no inspect h323 command to disable
the inspection of traffic for H.323 connections. Supported H.323 applications
are shown in Figure .
SIP
SIP is an application-layer control protocol used to set up and tear down
multimedia sessions. These multimedia sessions include Internet telephony and
similar applications. SIP uses RTP for media transport and RTCP for providing
a Quality of Service (QoS) feedback loop. Using SIP, the PIX Security Appliance
can support any SIP VoIP gateways and VoIP proxy servers.
To support SIP calls through the PIX Security Appliance,
signaling messages for the media connection addresses, media ports, and
embryonic connections for the media must be inspected, because while the
signaling is sent over a well-known destination port (UDP/TCP 5060), the media
streams are dynamically allocated. The inspect sip command
can be used to enable or disable SIP support. SIP is a text-based protocol and
contains IP addresses throughout the text. With the SIP inspection enabled, the
PIX inspects the packets, and both NAT and PAT are supported.
By default, the PIX Security Appliance inspects port 5060 connections for SIP
traffic. If there are network devices using ports other than the default ports,
the class-map command can be used to identify these other traffic flows with
their different port numbers. Use the no inspect sip command to disable the
inspection of traffic for SIP connections. The show conn state sip command can
be used to display all active SIP connections.
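To make concrete why plain NAT is not enough for SIP, the following added example (not code from the original page or from Cisco) models the two jobs the SIP inspection engine performs on a message: deriving the media pinholes from the SDP "c=" and "m=" lines, and rewriting the inside address that appears throughout the text while keeping Content-Length correct. The INVITE, the inside address 10.1.1.20 and the translated address 203.0.113.7 are constructed sample values.

```python
import re

# Constructed sample: a SIP INVITE from an inside phone at 10.1.1.20 whose
# SDP body tells the far end where to send RTP. Addresses are hypothetical.
INSIDE_IP = "10.1.1.20"
OUTSIDE_IP = "203.0.113.7"   # hypothetical static-NAT address of the phone

_SDP = (
    "v=0\r\n"
    f"o=alice 2890844526 2890844526 IN IP4 {INSIDE_IP}\r\n"
    "s=-\r\n"
    f"c=IN IP4 {INSIDE_IP}\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    f"Via: SIP/2.0/UDP {INSIDE_IP}:5060;branch=z9hG4bK776asdhds\r\n"
    f"Call-ID: a84b4c76e66710@{INSIDE_IP}\r\n"
    f"Contact: <sip:alice@{INSIDE_IP}:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(_SDP)}\r\n"
    "\r\n" + _SDP
)

def split_message(msg):
    """Separate SIP headers from the SDP body (the blank line is the boundary)."""
    head, _, body = msg.partition("\r\n\r\n")
    return head, body

def media_pinholes(msg):
    """(address, port) pairs a firewall must open for the media, taken from the
    SDP c= and m= lines; port+1 is the RTCP port by RFC 3550 convention."""
    _, body = split_message(msg)
    conn = re.search(r"^c=IN IP4 (\S+)", body, re.M).group(1)
    holes = []
    for m in re.finditer(r"^m=\S+ (\d+) ", body, re.M):
        port = int(m.group(1))
        holes += [(conn, port), (conn, port + 1)]
    return holes

def nat_rewrite(msg, inside_ip, outside_ip):
    """Rewrite the inside address in headers and SDP and recompute Content-Length:
    the text-level work an inspection engine adds on top of IP-header NAT."""
    head, body = split_message(msg)
    addr = re.compile(rf"\b{re.escape(inside_ip)}\b")   # whole address only
    head, body = addr.sub(outside_ip, head), addr.sub(outside_ip, body)
    head = re.sub(r"^Content-Length: \d+", f"Content-Length: {len(body)}",
                  head, flags=re.M)
    return head + "\r\n\r\n" + body
```

Without the rewrite the far end would read the private address from the SDP and send RTP somewhere the firewall never opened; with it, the pinholes derived from the translated message match the translated address.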
SCCP
In PIX Security Appliance Software Versions 6.0 and higher, application
handling supports SCCP, also known as skinny protocol. SCCP is used by Cisco IP
Phones for VoIP call signaling. SCCP defines the set of messages that is needed
for a Cisco IP Phone to communicate with the Cisco Call Manager for call setup.
The IP Phone uses a randomly selected TCP port to send and receive SCCP
messages. Call Manager listens for SCCP messages at TCP port 2000. SCCP uses
RTP and RTCP for media transmissions. The media ports are randomly selected by
the IP Phones.
Skinny protocol inspection enables the PIX Security Appliance to dynamically
open negotiated ports for media sessions. SCCP support allows an IP Phone and
Cisco Call Manager to be placed on separate sides of the security appliance.
Skinny protocol
inspection is enabled by default to listen for SCCP messages on port 2000. If
there are network devices using ports other than the default ports, the
class-map command can be used to identify these other
traffic flows with their different port numbers. Use the no inspect
skinny command to disable the inspection of skinny protocol
traffic.
CTIQBE
TAPI and JTAPI are used by many Cisco VoIP applications. Cisco PIX Security
Appliance Software Version 6.3 introduces support for a specific protocol,
CTIQBE, which is used by the Cisco TAPI Service Provider (TSP) to communicate
with Cisco Call Manager. Support for this protocol is enabled by default.
By default, the PIX Security Appliance inspects port 2748 connections for
CTIQBE traffic. If there are network devices using ports other than the default
ports, the class-map command can be used to identify these other traffic flows
with their different port numbers. Use the no inspect ctiqbe command to disable
the inspection of traffic for CTIQBE connections.
MGCP
Cisco PIX Security Appliance Software Version 6.3 introduces support for
application inspection of MGCP. MGCP is used for controlling media gateways
from external call control elements called media gateway controllers or call
agents. A media gateway is typically a network element that provides
conversion between the audio signals carried on telephone circuits and data
packets carried over the Internet or over other packet networks. Examples of
media gateways are as follows:
- Trunking gateway – Provides an interface between the telephone network and
a VoIP network. Such gateways typically manage a large number of digital
circuits.
- Residential gateway – Provides a traditional analog (RJ-11) interface to a
VoIP network. Examples of residential gateways include cable modem/cable
set-top boxes, xDSL devices, and broadband wireless devices.
- Business gateway – Provides a traditional digital PBX interface or an
integrated soft PBX interface to a VoIP network.
MGCP messages are transmitted over UDP.
To use MGCP, at least two ports typically need to be configured, one on which
the gateway receives commands and one on which the call agent receives
commands. Normally, a call agent will send commands to port 2427, while a
gateway will send commands to port 2727. Audio packets are transmitted over an
IP network using RTP. MGCP inspection enables the security appliance to
securely open negotiated UDP ports for legitimate media connections through
the security appliance. Neither NAT nor PAT is supported by Cisco PIX Security
Appliance Software Version 6.3 or lower.