Enabling Inspection Settings on H.323

Inspection Settings add more than 80 protections and VoIP settings. It protects against malicious attacks by:

• Identifying attack signatures
• Identifying packets with protocol anomalies
• Ensuring RFC compliance
• Inspecting signaling protocols, verifying header formats and protocol call flow state

As part of Inspection Settings, VoIP protections can be:

• Enforced for different gateways using Inspection Setting profiles
• Monitored using Detect Mode

With Inspection Settings you can:

• Generate detailed logs with packet captures on VoIP security events
• Configure granular VoIP security for maximum flexibility in deployment and enforcement
• Add exceptions to specified VoIP protections

  For example, if you add an exception that allows non-RFC compliant SIP traffic on a specified VoIP server, security is not compromised for all other VoIP traffic.

Inspection Settings can be configured for each profile and can be:

• Prevent
• Detect
• Inactive

Configuring H.323 Protections

Inspection Settings does these application layer checks:

• Strict protocol enforcement, including the order and direction of H.323 packets
• H.323 messages length restrictions
• Stateful checks on RAS messages

To configure Inspection Settings:

1. In the Manage & Settings tab, go to Blades > General, select Inspection Settings.

   The Inspection Settings window opens.

2. From the General tab, in the search window, enter H.323.

   In the Settings column, H.323 Inspection Settings show.

3. Double-click the service you want to configure. A window opens.
4. Double-click on the Inspection Profile of your choice. Select Advanced.
5. Check the boxes to enable the protections that you want.
6. Click OK.

Configuring H.323 Application Policy

Specified VoIP services can be blocked if the services:

• Consume more bandwidth than the IP infrastructure
• Do not comply with the organization's security policy

Application policy options are not intended to protect against attacks.

To configure Application Policy:

1. In the Manage & Settings tab, go to Blades > General, select Inspection Settings.

   The Inspection Settings window opens.

2. From the General tab, in the search window, enter H.323.

   A list of Settings options shows.

3. Double-click the setting that you want to configure.
4. Make your changes and click OK.

Configuring H.323 Protocol Anomaly

A protocol anomaly is a field name or value in the protocol header that is RFC compliant, but deviates from usual use.

For example, if a protocol header presents a field value which contains hundreds of characters, when normally, fewer than ten characters present. This is an anomaly. If a protocol anomaly is found in the VoIP packet, this is a good indication that the VoIP network is being attacked.

To configure Protocol Anomaly Protection:

1. In the Manage & Settings tab, go to Blades > General, select Inspection Settings.

   The Inspection Settings window opens.

2. From the General tab, in the search window, enter H.323.
3. A list of Settings options shows.
4. Double-click the setting that you want to configure.
5. Make your changes and click OK.

Configuring H.323 Engine Settings

To configure Engine Settings:

1. In the Manage & Settings tab, go to Blades > General, select Inspection Settings.

   The Inspection Settings window opens.

2. From the General tab, in the search window, enter H.323 - General Settings.

   The H.323 - General Settings window opens.

3. Select Advanced and configure the fields.
4. Click OK.

Fields

• T.120 Timeout

  A timeout for a dynamically opened T.120 connection.

• Block dynamic opening of ports for H.323 media channel

  A gateway dynamically opens ports for VoIP media channel, based on the information in the H.323 signaling connection. When you select this option, it prevents the opening of H.323 media channels. Do not select this option if an H.323 media channel passes through the gateway.

• Block dynamic opening of H.323 connections from RAS messages

  Control connections are required by all H.323 connections. If you select this setting, make sure that the H.323 service is marked as allowed in the Rule Base and the control connections are dynamically opened by the firewall from the RAS messages. This option applies only to connections that start with RAS.

• Allow an initiation of H.323 connections from server to endpoints

  The endpoint usually initiates the H.323 (H.225) TCP connection to the Gatekeeper or server. In scenarios where the Gatekeeper initiates the TCP connection to the endpoint, this setting must be selected.

Note - In this scenario, Hide NAT on the internal network is not supported.