Cisco IOS Firewall-SIP Enhancements ALG and AIC

Enhanced Session Initiation Protocol (SIP) inspection in the Cisco IOS firewall provides basic SIP inspect functionality (SIP packet inspection and pinhole opening) as well as protocol conformance and application security. These enhancements give you more control than in previous releases over which policies and security checks to apply to SIP traffic, and the capability to filter out unwanted messages or users.

The development of additional SIP functionality in Cisco IOS software provides increased support for Cisco CallManager (CCM), Cisco CallManager Express (CCME), and Cisco IP-IP Gateway based voice/video systems. The Application Layer Gateway (ALG) and Application Inspection and Control (AIC) SIP enhancements also support RFC 3261 and its extensions.

• Finding Feature Information, page 1
• Prerequisites for Cisco IOS Firewall-SIP Enhancements ALG and AIC, page 2
• Restrictions for Cisco IOS Firewall-SIP Enhancements ALG and AIC, page 2
• Information About Cisco IOS Firewall-SIP Enhancements ALG and AIC, page 3
• How to Configure Cisco IOS Firewall-SIP Enhancements ALG and AIC, page 4
• Configuration Examples for Cisco IOS Firewall-SIP Enhancements ALG and AIC, page 20
• Additional References, page 20
• Feature Information for Cisco IOS Firewall-SIP Enhancements ALG and AIC, page 21

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 15M&T

Prerequisites for Cisco IOS Firewall-SIP Enhancements ALG and AIC

The following prerequisites apply to the configuration of Cisco IOS Firewall--SIP Enhancements: ALG and AIC.

Hardware Requirements

• One of the following router platforms:
  • Cisco 861, Cisco 881, or Cisco 881G routers
  • Cisco 1700 routers
  • Cisco 1800 routers
  • Cisco 2600 routers
  • Cisco 2800 routers
  • Cisco 3700 routers
  • Cisco 3800 routers
  • Cisco 7200 routers
  • Cisco 7300 routers

Software Requirements

• Cisco IOS Release 12.4(15)XZ or a later release.

Restrictions for Cisco IOS Firewall-SIP Enhancements ALG and AIC

DNS Name Resolution

Although SIP methods can have Domain Name System (DNS) names instead of raw IP addresses, this feature currently does not support DNS names.

Earlier Releases of Cisco IOS Software

Some Cisco IOS releases earlier than Release 12.4(15)XZ may accept the configuration commands for SIP that are shown in this document; however, those earlier versions will not function properly.

Information About Cisco IOS Firewall-SIP Enhancements ALG and AIC

Firewall and SIP Overviews

This section provides an overview of the Cisco IOS firewall and SIP.

Cisco IOS Firewall

The Cisco IOS firewall extends the concept of static access control lists (ACLs) by introducing dynamic ACL entries that open on the basis of the necessary application ports on a specific application and close these ports at the end of the application session. The Cisco IOS firewall achieves this functionality by inspecting the application data, checking for conformance of the application protocol, extracting the relevant port information to create the dynamic ACL entries, and closing these ports at the end of the session. The Cisco IOS firewall is designed to easily allow a new application inspection whenever support is needed.
Session Initiation Protocol

SIP is an application-layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions could include Internet telephone calls, multimedia distribution, and multimedia conferences. SIP is based on an HTTP-like request/response transaction model. Each transaction consists of a request that invokes a particular method or function on the server and at least one response.

SIP invitations used to create sessions carry session descriptions that allow participants to agree on a set of compatible media types. SIP makes use of elements called proxy servers to help route requests to the user's current location, authenticate and authorize users for services, implement provider call-routing policies, and provide features to users. SIP also provides a registration function that allows users to upload their current locations for use by proxy servers. SIP runs on top of several different transport protocols.

Firewall for SIP Functionality Description

The Firewall for SIP Support feature allows SIP signaling requests to traverse directly between gateways or through a series of proxies to the destination gateway or phone. After the initial request, if the Record-Route header field is not used, subsequent requests can traverse directly to the destination gateway address as specified in the Contact header field. Thus, the Cisco IOS firewall is aware of all surrounding proxies and gateways and allows the following functionality:

• SIP signaling responses can travel the same path as SIP signaling requests.
• Subsequent signaling requests can travel directly to the endpoint (destination gateway).
• Media endpoints can exchange data between each other.

SIP UDP and TCP Support

RFC 3261 is the current RFC for SIP, which replaces RFC 2543. This feature supports the SIP User Datagram Protocol (UDP) and the TCP format for signaling.

SIP Inspection

This section describes the deployment scenarios supported by the Cisco IOS Firewall--SIP, ALG, and AIC Enhancements feature.
Cisco IOS Firewall Between SIP Phones and CCM

The Cisco IOS firewall is located between CCM or CCME and SIP phones. SIP phones are registered to CCM or CCME through the firewall, and any SIP calls from or to the SIP phones pass through the firewall.

Cisco IOS Firewall Between SIP Gateways

The Cisco IOS firewall is located between two SIP gateways, which can be CCM, CCME, or a SIP proxy. Phones are registered with SIP gateways directly. The firewall sees the SIP session or traffic only when there is a SIP call between phones registered to different SIP gateways. In some scenarios an IP-IP gateway can also be configured on the same device as the firewall. With this scenario all the calls between the SIP gateways are terminated in the IP-IP gateway.

Cisco IOS Firewall with Local CCME and Remote CCME/CCM

The Cisco IOS firewall is located between two SIP gateways, which can be CCM, CCME, or a SIP proxy. One of the gateways is configured on the same device as the firewall. All the phones registered to this gateway are locally inspected by the firewall. The firewall also inspects SIP sessions between the two gateways when there is a SIP call between them. With this scenario the firewall locally inspects SIP phones on one side and SIP gateways on the other side.

Cisco IOS Firewall with Local CCME

The Cisco IOS firewall and CCME are configured on the same device. All the phones registered to the CCME are locally inspected by the firewall. Any SIP call between any of the registered phones will also be inspected by the Cisco IOS firewall.

How to Configure Cisco IOS Firewall-SIP Enhancements ALG and AIC

Configuring a Policy to Allow RFC 3261 Methods

Perform this task to configure a policy to allow basic RFC 3261 methods and block extension methods.

Note: The Cisco IOS Firewall--SIP Enhancements: ALG and AIC feature provides essential support for the new SIP methods such as UPDATE and PRACK, as CCM 5.x and CCME 4.x also use these methods.

SUMMARY STEPS

1. enable
2. configure terminal
3. class-map type inspect protocol-name match-any class-map-name
4. match request method method-name
5. exit
6. class-map type inspect protocol-name match-any class-map-name
7. match request method method-name
8. exit
9. policy-map type inspect protocol-name policy-map-name
10. class type inspect protocol-name class-map-name
11. allow
12. exit
13. class type inspect protocol-name class-map-name
14. reset
15. exit

DETAILED STEPS

Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Example: Router> enable

Step 2: configure terminal
Enters global configuration mode.
Example: Router# configure terminal

Step 3: class-map type inspect protocol-name match-any class-map-name
Creates an inspect type class map and enters class-map configuration mode.
Example: Router(config)# class-map type inspect sip match-any sip-class1

Step 4: match request method method-name
Matches RFC 3261 methods. Methods include the following: ack, bye, cancel, info, invite, message, notify, options, prack, refer, register, subscribe, update.
Example: Router(config-cmap)# match request method invite

Step 5: exit
Exits class-map configuration mode.
Example: Router(config-cmap)# exit

Step 6: class-map type inspect protocol-name match-any class-map-name
Creates an inspect type class map and enters class-map configuration mode.
Example: Router(config)# class-map type inspect sip match-any sip-class2

Step 7: match request method method-name
Matches RFC 3261 methods, which include the following: ack, bye, cancel, info, invite, message, notify, options, prack, refer, register, subscribe, update.
Example: Router(config-cmap)# match request method message

Step 8: exit
Exits class-map configuration mode.
Example: Router(config-cmap)# exit

Step 9: policy-map type inspect protocol-name policy-map-name
Creates an inspect type policy map and enters policy-map configuration mode.
Example: Router(config)# policy-map type inspect sip sip-policy

Step 10: class type inspect protocol-name class-map-name
Specifies the class on which the action is performed and enters policy-map class configuration mode.
Example: Router(config-pmap)# class type inspect sip sip-class1

Step 11: allow
Allows SIP inspection.
Example: Router(config-pmap-c)# allow

Step 12: exit
Exits policy-map class configuration mode.
Example: Router(config-pmap-c)# exit

Step 13: class type inspect protocol-name class-map-name
Specifies the class on which the action is performed and enters policy-map class configuration mode.
Example: Router(config-pmap)# class type inspect sip sip-class2

Step 14: reset
Resets the class map.
Example: Router(config-pmap-c)# reset

Step 15: exit
Exits policy-map class configuration mode.
Example: Router(config-pmap-c)# exit

Configuring a Policy to Block Messages

Perform this task to configure a policy to block SIP messages coming from a particular proxy device.

SUMMARY STEPS

1. enable
2. configure terminal
3. parameter-map type regex parameter-map-name
4. pattern url-pattern
5. exit
6. class-map type inspect protocol-name class-map-name
7. match request header field regex regex-param-map
8. exit
9. policy-map type inspect protocol-name policy-map-name
10. class type inspect protocol-name class-map-name
11. reset
12. exit

DETAILED STEPS

Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Example: Router> enable

Step 2: configure terminal
Enters global configuration mode.
Example: Router# configure terminal

Step 3: parameter-map type regex parameter-map-name
Configures a parameter-map type to match a specific traffic pattern and enters profile configuration mode.
Example: Router(config)# parameter-map type regex unsecure-proxy

Step 4: pattern url-pattern
Matches a call based on the SIP uniform resource identifier (URI).
Example: Router(config-profile)# pattern "compromised.server.com"

Step 5: exit
Exits profile configuration mode.
Example: Router(config-profile)# exit

Step 6: class-map type inspect protocol-name class-map-name
Creates an inspect type class map and enters class-map configuration mode.
Example: Router(config)# class-map type inspect sip sip-class

Step 7: match request header field regex regex-param-map
Configures a class-map type to match a specific request header pattern.
Example: Router(config-cmap)# match request header Via regex unsecure-proxy

Step 8: exit
Exits class-map configuration mode.
Example: Router(config-cmap)# exit

Step 9: policy-map type inspect protocol-name policy-map-name
Creates an inspect type policy map and enters policy-map configuration mode.
Example: Router(config)# policy-map type inspect sip sip-policy

Step 10: class type inspect protocol-name class-map-name
Specifies the class on which the action is performed and enters policy-map class configuration mode.
Example: Router(config-pmap)# class type inspect sip sip-class

Step 11: reset
Resets the class map.
Example: Router(config-pmap-c)# reset

Step 12: exit
Exits policy-map class configuration mode.
Example: Router(config-pmap-c)# exit

Configuring a 403 Response Alarm

Perform this task to configure a policy to generate an alarm whenever a 403 response is returned.

SUMMARY STEPS

1. enable
2. configure terminal
3. parameter-map type regex parameter-map-name
4. pattern url-pattern
5. exit
6. class-map type inspect protocol-name class-map-name
7. match response status regex regex-parameter-map
8. exit
9. policy-map type inspect protocol-name policy-map-name
10. class type inspect protocol-name class-map-name
11. log
12. exit

DETAILED STEPS

Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Example: Router> enable

Step 2: configure terminal
Enters global configuration mode.
Example: Router# configure terminal

Step 3: parameter-map type regex parameter-map-name
Configures a parameter-map type to match a specific traffic pattern and enters profile configuration mode.
Example: Router(config)# parameter-map type regex allowed-im-users

Step 4: pattern url-pattern
Matches a call based on the SIP URI.
Example: Router(config-profile)# pattern "403"

Step 5: exit
Exits profile configuration mode.
Example: Router(config-profile)# exit

Step 6: class-map type inspect protocol-name class-map-name
Creates an inspect type class map and enters class-map configuration mode.
Example: Router(config)# class-map type inspect sip sip-class

Step 7: match response status regex regex-parameter-map
Configures a class-map type to match a specific response pattern.
Example: Router(config-cmap)# match response status regex allowed-im-users

Step 8: exit
Exits class-map configuration mode.
Example: Router(config-cmap)# exit
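The three procedures above each build a SIP layer-7 class map and bind an action to it in a policy map. The following Python model is an added example, not Cisco IOS code and not part of this guide: it applies the same three match criteria (request method, a regex on the Via request header, a regex on the response status) with match-any semantics to constructed SIP messages, so you can see which action each message receives and why class order matters. The default action for messages that match no class is an assumption of the model.

```python
import re
# Added model (not Cisco IOS code) of the SIP class-map/policy-map matching this guide configures.

def parse_sip(raw):
    """Return (kind, token, headers): token is the method of a request or the status code of a response."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    start = lines[0].split()
    if start[0].startswith("SIP/"):
        return "response", start[1], headers
    return "request", start[0].lower(), headers

def class_matches(criteria, kind, token, headers):
    """match-any: the class matches when any one criterion matches."""
    for crit in criteria:
        if crit[0] == "request method" and kind == "request" and token == crit[1]:
            return True
        if crit[0] == "request header" and kind == "request":
            if any(re.search(crit[2], v) for v in headers.get(crit[1].lower(), [])):
                return True
        if crit[0] == "response status" and kind == "response" and re.search(crit[1], token):
            return True
    return False

def apply_policy(policy, raw, default="allow"):
    """Action of the first class, in configured order, that matches the message."""
    kind, token, headers = parse_sip(raw)
    for criteria, action in policy:
        if class_matches(criteria, kind, token, headers):
            return action
    return default  # assumption of this model: unmatched messages take the default action

# Policy mirroring the guide's three procedures; the Via-regex class comes first so an
# INVITE relayed through the untrusted proxy is reset rather than allowed.
SIP_POLICY = [
    ([("request header", "Via", "compromised.server.com")], "reset"),               # unsecure-proxy
    ([("request method", m) for m in ("invite", "ack", "bye", "cancel")], "allow"),  # sip-class1
    ([("request method", "message")], "reset"),                                     # sip-class2
    ([("response status", "403")], "log"),                                          # 403 alarm
]

# Constructed sample messages (not captured traffic).
VIA_OK = "Via: SIP/2.0/UDP proxy.example.com;branch=z9hG4bK1\r\n"
INVITE_OK = "INVITE sip:bob@example.com SIP/2.0\r\n" + VIA_OK
INVITE_BAD_PROXY = "INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP compromised.server.com;branch=z9hG4bK2\r\n"
MESSAGE_REQ = "MESSAGE sip:bob@example.com SIP/2.0\r\n" + VIA_OK
FORBIDDEN = "SIP/2.0 403 Forbidden\r\n" + VIA_OK
```

Swapping the first two policy entries would let INVITE_BAD_PROXY through as "allow", which is the ordering pitfall to check when combining these class maps in one policy map.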