VoIP Media Admission Control
Media admission control refers to how a VoIP Server lets one endpoint send media directly to a different endpoint. In earlier VoIP versions, Media Admission Control was known as handover.
To understand VoIP Media Admission Control, it is important to examine a typical flow for establishing a VoIP call.
Endpoint A initiates a call with Endpoint B through VoIP Server C.
When Endpoint A wants to open a VoIP call with Endpoint B:
- Endpoint A sends control signals to VoIP Server C. The signaling messages include details about the media capabilities of Endpoint A.
- VoIP Server C sends control signals to Endpoint B. The signals are sent directly if VoIP Server C knows the physical location of Endpoint B (as shown in the diagram), or through a different VoIP Server.
- If Endpoint B accepts the call, and the endpoints agree on the parameters of the media communication, the call is established.
Endpoints send the control signals to their designated VoIP Server, not to each other. The media (voice or video) can be sent through the endpoints' designated VoIP Servers or directly between the endpoints. For the endpoints to send media directly to each other, each endpoint must first learn the physical location of the other endpoint. The physical location is contained in the control signals the endpoint receives from its designated VoIP Server.
Control signals must pass through the Security Gateway. The Security Gateway allows control signals through only if they are allowed by the Rule Base. Based on the information the Security Gateway derives from its inspection of the allowed control signals, it dynamically opens pinholes for the media connections.
If no limitations are placed on VoIP Media Admission Control, attackers can craft control signals that:
- Open pinholes for unauthorized access
- Cause internal endpoints to send media to IP addresses of the attacker's choice
- Eavesdrop on, modify, or disrupt communications
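The admission decision described above, as an added illustration that is not Check Point's code: the gateway parses the media description (SDP) carried by an inspected control message and opens a pinhole only when the signaling is exchanged with the designated VoIP server and the offered media address belongs to the related endpoints of the VoIP Domain. The server address, endpoint network and SDP bodies are constructed for the example; the one with a media-level address outside the endpoint group is the crafted-signal case the list above warns about, and it is refused rather than turned into a pinhole.

```python
"""Toy model of VoIP media admission control (constructed example).

A gateway inspects the SDP body of an allowed SIP control message and opens
RTP pinholes only for media addresses that belong to the VoIP Domain's related
endpoints. All addresses below are hypothetical.
"""
import ipaddress
from typing import List, Optional, Tuple

# Hypothetical VoIP Domain: the SIP proxy host and the related endpoints group.
VOIP_SERVER = ipaddress.ip_address("10.0.0.10")
RELATED_ENDPOINTS = [ipaddress.ip_network("10.0.1.0/24")]

# Constructed SDP offers. LEGIT_SDP keeps media on the internal endpoint;
# CRAFTED_SDP overrides the audio stream's address with an outside host.
LEGIT_SDP = """v=0
o=alice 2890844526 2890844526 IN IP4 10.0.1.20
s=call
c=IN IP4 10.0.1.20
t=0 0
m=audio 49170 RTP/AVP 0 8
m=video 51372 RTP/AVP 31
"""
CRAFTED_SDP = """v=0
o=alice 2890844526 2890844527 IN IP4 10.0.1.20
s=call
c=IN IP4 10.0.1.20
t=0 0
m=audio 49170 RTP/AVP 0 8
c=IN IP4 203.0.113.5
m=video 51372 RTP/AVP 31
"""


def parse_sdp_media(sdp: str) -> List[Tuple[Optional[str], int]]:
    """Return (connection address, port) for every m= line of an SDP body.

    A session-level c= line applies to all streams unless a media-level c=
    line (one that follows an m= line) overrides it for that stream.
    """
    session_addr: Optional[str] = None
    media: List[dict] = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("c="):
            # c=<nettype> <addrtype> <address>, e.g. "c=IN IP4 10.0.1.20"
            addr = line[2:].split()[2]
            if media:
                media[-1]["addr"] = addr   # media-level c= overrides the stream
            else:
                session_addr = addr        # session-level c=
        elif line.startswith("m="):
            # m=<media> <port> <proto> <fmt ...>, e.g. "m=audio 49170 RTP/AVP 0"
            port = int(line[2:].split()[1])
            media.append({"addr": session_addr, "port": port})
    return [(m["addr"], m["port"]) for m in media]


def admit_media(signal_src: str, signal_dst: str, sdp: str,
                server=VOIP_SERVER, endpoints=RELATED_ENDPOINTS):
    """Return (opened, rejected) for one inspected control message.

    opened:   (address, port) pinholes the gateway would open.
    rejected: (address, port, reason) media offers it refuses; no pinhole
              is opened for them, so a crafted signal cannot steer an
              internal endpoint's media to an address outside the domain.
    """
    opened, rejected = [], []
    src, dst = ipaddress.ip_address(signal_src), ipaddress.ip_address(signal_dst)
    # Control signals are exchanged with the designated VoIP server, not peer to peer.
    if server not in (src, dst):
        rejected.append(("*", 0, "control signal not exchanged with the VoIP server"))
        return opened, rejected
    for addr, port in parse_sdp_media(sdp):
        if port == 0:
            continue   # port 0 declines the stream; nothing to open
        if addr is None:
            rejected.append((addr, port, "no connection address"))
            continue
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in endpoints):
            opened.append((addr, port))
        else:
            rejected.append((addr, port, "media address outside related endpoints"))
    return opened, rejected


if __name__ == "__main__":
    for label, sdp in (("legitimate", LEGIT_SDP), ("crafted", CRAFTED_SDP)):
        opened, rejected = admit_media("10.0.1.20", "10.0.0.10", sdp)
        print(f"{label}: opened={opened} rejected={rejected}")
```

In the crafted case only the video stream, whose address still belongs to the endpoint group, gets a pinhole; the audio stream pointed at 203.0.113.5 is logged as rejected, which is the event a SOC would want to alert on.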
Media admission control protection is available for:
- SIP
- H.323
- SCCP
- MGCP
Media Admission Control is configured on each VoIP Server.
Configuring VoIP Media Admission Control
To configure VoIP Media Admission Control:
- Create a Host object for the VoIP Server.
- Create a Host or a Network Object for the VoIP endpoints.
- Create a Group for the VoIP endpoints: Network Objects > New > Groups > Simple Group.
- Create a VoIP Domain: Network Objects > New > Others > VoIP Domains
  - Select one of the following:
    - SIP Proxy
    - H.323 Gatekeeper or Gateway
      Note - For H.323 Media Admission Control, you can configure a VoIP Domain H.323 Gateway or a VoIP Domain H.323 Gatekeeper. There is no difference between the two types of domain. The Routing Mode tab on these domains can be safely ignored.
    - MGCP Call Agent
    - SCCP CallManager
  - In the Related endpoints domain section, select the group you created for the VoIP endpoints.
  - In the VoIP Gateway installed at section, select the VoIP Server Host you created.
- In the Rule Base, add the VoIP Domain object to the Source and Destination columns of the VoIP rule.
  Note - VoIP Domains disable SecureXL templates. If you are using SecureXL, move rules that contain VoIP Domains to the end of the Rule Base.
- Enable the related Inspection Settings according to the VoIP protocol:
  - SIP > SIP Media Admission Control
  - H.323 > H.323 Media Admission Control
  - MGCP > MGCP Media Admission Control
  - SCCP > SCCP Media Admission Control