SIP Advanced Configuration

Cluster Support for SIP

Synchronizing SIP Connections

SIP calls can be made across a ClusterXL cluster (two or more Security Gateways that work together in a redundant configuration: High Availability or Load Sharing) or a third-party cluster.

The Synchronize connections on Cluster option must be selected for:

  • ClusterXL

  • Third party clusters

  • When SIP connections can arrive asymmetrically

  • All services used in rules that secure SIP connections through the cluster

To confirm that SIP connections through a cluster are synchronized:

  1. Open SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on).

  2. Go to Object Explorer > Services.

  3. Locate your service with the search box and double-click on it.

  4. Select the Advanced tab.

  5. Make sure the Synchronize connections on Cluster box is checked.

    Note - The Synchronize connections on Cluster option is enabled by default.

  6. Click OK.

  7. Install the Access Control policy.

Configuring SIP-T Support

To configure support for RFC 3372 Session Initiation Protocol for Telephones (SIP-T):

  1. In the applicable $FWDIR/lib/user.def file (see sk98239) on the Security Management Server (the dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain; synonym: Single-Domain Security Management Server), add this line:

    sipt_hosts = { <first_ip, second_ip> , <first_ip, second_ip> , .... ...., <first_ip, second_ip> } ;

    first_ip and second_ip are the IP addresses between which (bidirectional) SIP-T is allowed.

    For example, to allow SIP-T between 192.1.1.1 and 192.1.1.2, and between 192.1.1.1 and 192.1.1.3, add this line:

    sipt_hosts = { <192.1.1.1, 192.1.1.2> , <192.1.1.1, 192.1.1.3> } ;

    If the file does not exist, create it.

  2. Save the file.

  3. In SmartConsole, install the policy.

SIP Protocol Anomaly Protection

RFC 3261, section 6, has rules for the structure of SIP headers:

  • SIP messages are made up of a header and a body

    • A header is structured as a sequence of header fields

    • A header field can show as one or more header field rows

    • Each header field:

      • Consists of a field name

      • Is followed by a colon (:) and zero or more field values, field-name:field-value

  • Multiple header field values on a given header field row are separated by commas

  • Some header fields can have only one header field value, and show as a single header field row

Protocol anomalies can result in buffer overflow conditions, parser errors, and malformed packets. Protocol anomalies in SIP messages make SIP applications vulnerable to attacks that send repeated, huge quantities of fraudulent data that eventually overwhelm the server.

For example, many buffer-overflow attacks send repeated, large headers to the VoIP phone. Buffer overflow conditions can also result in arbitrary code execution.

Stateful and Stateless protocol validation is done on SIP headers. SIP messages with header values that do not match correct usage are blocked.

There are two header security protections found in the main Protocol Anomaly protection.

  • General Header Security

    In the general SIP header and not in specified header fields

  • Specific Header Security

    In specific SIP header fields
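
The following is an added sketch of stateless header validation along the lines described above, with one general check and two header-specific checks; it is not Check Point's implementation. The limits, the set of single-value header fields, the function name and the sample messages are assumptions made for the example.

```python
import re

# Assumed limits for illustration; not Check Point's values.
MAX_ROW_BYTES = 1024   # longest header field row accepted
MAX_ROWS = 64          # most header field rows accepted
# Assumed subset of header fields that may appear only once per message.
SINGLE = {"call-id", "cseq", "from", "to", "max-forwards", "content-length"}
TOKEN = re.compile(r"^[A-Za-z0-9\-.!%*_+`'~]+$")  # RFC 3261 token characters

def check_sip_headers(raw: bytes) -> list:
    """Return anomaly descriptions for the header part of a SIP message."""
    findings = []
    head = raw.partition(b"\r\n\r\n")[0]        # header ends at the blank line
    rows = []
    for line in head.split(b"\r\n")[1:]:        # skip the start line
        if line[:1] in (b" ", b"\t") and rows:  # folded continuation row
            rows[-1] += b" " + line.strip()
        else:
            rows.append(line)
    if len(rows) > MAX_ROWS:
        findings.append(f"too many header rows: {len(rows)}")
    seen = set()
    for row in rows:
        # General check: the size limit applies to every header field row.
        if len(row) > MAX_ROW_BYTES:
            findings.append(f"oversized header row: {len(row)} bytes")
        name, colon, value = row.partition(b":")
        field = name.decode("ascii", "replace").strip().lower()
        if not colon or not TOKEN.match(field):
            findings.append(f"malformed header row: {row[:40]!r}")
            continue
        # Specific checks: single-value fields and a numeric Content-Length.
        if field in SINGLE and field in seen:
            findings.append(f"repeated single-value header: {field}")
        if field == "content-length" and not value.strip().isdigit():
            findings.append("non-numeric Content-Length")
        seen.add(field)
    return findings

# Constructed sample messages (not captured traffic).
GOOD = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
        b"Via: SIP/2.0/UDP host.example.com;branch=z9hG4bK776\r\n"
        b"Max-Forwards: 70\r\nTo: Bob <sip:bob@example.com>\r\n"
        b"From: Alice <sip:alice@example.com>;tag=1928\r\n"
        b"Call-ID: a84b4c76e66710\r\nCSeq: 314159 INVITE\r\n"
        b"Content-Length: 0\r\n\r\n")
BAD = GOOD.replace(b"z9hG4bK776", b"A" * 2000).replace(
    b"CSeq:", b"Call-ID: dup\r\nNoColonHere\r\nCSeq:")
```

Calling check_sip_headers(GOOD) returns an empty list, while BAD yields one finding each for the oversized Via row, the repeated Call-ID and the row with no colon. Compact header names (for example i for Call-ID) are not mapped in this sketch.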