About SIP ALG: Basic Operations and Problems

If your enterprise runs VoIP behind NAT, the router or firewall may apply a SIP ALG (Session Initiation Protocol Application Layer Gateway) to rewrite the SIP messages and open the ports the calls need.

SIP Application Layer Gateway in Brief

A SIP Application Layer Gateway is an inspection and NAT-traversal component usually built into a router or firewall.
It is configured much like a proxy policy, with similar options. Its purpose is to let Voice-over-IP traffic cross the firewall in both directions, private to public and public to private, when network address and port translation (NAPT), the most common form of network address translation, is in use.
NAPT rewrites the source address and port in the IP and UDP headers as packets pass through the routing device, but it leaves the addresses and ports embedded inside the SIP headers and the SDP body untouched; fixing those is the ALG's job. Below we cover the basic operations and the implementation problems of this component.

What Is the SIP ALG Function?

Many recent commercial routers ship with the SIP Application Layer Gateway enabled by default. Its basic operations include, but are not limited to:

SIP call activity control. Limits on call duration and media inactivity timeouts let the gateway tear down stale sessions, conserving network resources and increasing maximum throughput.

Protecting the SIP proxy server from denial-of-service (DoS) flood attacks.

Allowing unknown SIP message types to pass, in both NAT (Network Address Translation) mode and route mode.

In simple terms, the gateway inspects SIP traffic and rewrites the private addresses and ports carried in its headers (Via, Contact) and in the SDP body (the c= address and m= media port) so that the call, and its RTP media, can pass through the firewall and NAT.

SIP Application Layer Gateway Problems

This gateway is widely reported to cause call problems; the classic symptom is one-way audio, where callers can hear you but you cannot hear them. In most cases the fix is simply to disable the SIP ALG and let the SIP proxy's own NAT handling do the work.

The main causes are poor implementation of the SIP protocol in most commercial routers, and the fact that the technology is designed around outgoing calls and does little for incoming ones, for two reasons:

Loss of incoming calls. When a User Agent (UA) starts, it sends a REGISTER so that it can be located and receive incoming calls. The ALG inspects and modifies this REGISTER. Common routers keep the UDP (User Datagram Protocol) NAT binding open only for a short time, typically 30 to 60 seconds; once the binding expires, incoming packets are dropped by the router. Most SIP proxies keep the binding alive by sending OPTIONS or NOTIFY messages to the UA, but only if the UA was recognized as being behind NAT during registration, and an ALG that has already rewritten the Via and Contact headers to the public address hides exactly that fact from the proxy.

Broken SIP signaling. Many devices with a built-in ALG rewrite the SIP headers and the SDP incorrectly, for example translating the Contact header but leaving the private address in the SDP c= line, or not updating Content-Length after the rewrite, which breaks the call setup or the media path entirely.
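The two failure modes above, and the header and SDP rewriting described in the previous section, as an added example that is not part of the original article and is not any router vendor's ALG code: a small Python model of a NAPT SIP ALG rewriting an INVITE, a check for RFC 1918 addresses leaked to the far side (the one-way-audio case), and the proxy-side test from RFC 3581 (Via rport/received) that decides whether a UA is behind NAT and therefore needs keepalives. The phone address 192.168.1.20, the WAN address 203.0.113.7, the port mappings and the INVITE itself are all constructed for the example.

```python
"""Added example: models what a NAPT SIP ALG does to an outbound INVITE and the
two checks that explain the failures described above. Not code from the page
or from any router vendor; the message, addresses and ports are constructed."""
import ipaddress
import re

PRIVATE_IP = "192.168.1.20"      # constructed: phone's LAN address (RFC 1918)
PUBLIC_IP = "203.0.113.7"        # constructed: router's WAN address
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_message(start_line, headers, body):
    """Assemble a SIP message; Content-Length is computed from the body."""
    hdrs = headers + [("Content-Length", str(len(body)))]
    return (start_line + "\r\n"
            + "".join(f"{n}: {v}\r\n" for n, v in hdrs) + "\r\n" + body)


def split_message(raw):
    """Return (start_line, [(header, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = [tuple(p.strip() for p in l.split(":", 1)) for l in lines[1:]]
    return lines[0], headers, body


# Constructed INVITE exactly as the phone emits it, before NAT or ALG touch it.
INVITE = build_message(
    "INVITE sip:bob@example.com SIP/2.0",
    [("Via", f"SIP/2.0/UDP {PRIVATE_IP}:5060;branch=z9hG4bK776asdhds;rport"),
     ("From", "<sip:alice@example.com>;tag=1928301774"),
     ("To", "<sip:bob@example.com>"),
     ("Call-ID", "a84b4c76e66710"),
     ("CSeq", "314159 INVITE"),
     ("Contact", f"<sip:alice@{PRIVATE_IP}:5060>"),
     ("Content-Type", "application/sdp")],
    "v=0\r\n"
    f"o=alice 2890844526 2890844526 IN IP4 {PRIVATE_IP}\r\n"
    "s=-\r\n"
    f"c=IN IP4 {PRIVATE_IP}\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n",
)


def alg_rewrite(raw, private_ip, public_ip, media_port_map, rewrite_sdp=True):
    """A correct ALG replaces the private address in Via and Contact with the
    public one AND fixes the SDP: the o=/c= addresses and the m= media port,
    which must become the port the NAPT allocated for the RTP pinhole.
    rewrite_sdp=False models the common broken ALG that touches headers only."""
    start, headers, body = split_message(raw)
    new_headers = []
    for name, value in headers:
        if name in ("Via", "Contact"):
            value = value.replace(private_ip, public_ip)
        if name != "Content-Length":          # recomputed by build_message
            new_headers.append((name, value))
    if rewrite_sdp:
        body = body.replace(f"IN IP4 {private_ip}", f"IN IP4 {public_ip}")
        body = re.sub(r"m=(\w+) (\d+) ",
                      lambda m: f"m={m.group(1)} "
                                f"{media_port_map.get(int(m.group(2)), m.group(2))} ",
                      body)
    return build_message(start, new_headers, body)


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def leaked_private_addresses(raw):
    """Every address the far side would be told to use that is not routable
    from the Internet. A private c= address is the classic one-way-audio case:
    the callee sends RTP to 192.168.x.x and it never arrives."""
    _, headers, body = split_message(raw)
    found = []
    for name, value in headers:
        if name in ("Via", "Contact"):
            found += [(name, ip) for ip in re.findall(r"\d+\.\d+\.\d+\.\d+", value)
                      if is_rfc1918(ip)]
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")) and is_rfc1918(line.rsplit(" ", 1)[-1]):
            found.append((line[:2], line.rsplit(" ", 1)[-1]))
    return found


def ua_behind_nat(raw, packet_src_ip, packet_src_port):
    """Proxy-side NAT detection as RFC 3581 (rport) does it: the UA is behind
    NAT if the Via sent-by host:port differs from the packet's real source.
    Only then does a proxy start OPTIONS/NOTIFY keepalives to hold the NAT's
    UDP binding open (routers drop it after roughly 30-60 s of silence)."""
    _, headers, _ = split_message(raw)
    via = next(v for n, v in headers if n == "Via")
    host, _, port = via.split()[1].split(";")[0].partition(":")
    return (host, int(port or 5060)) != (packet_src_ip, packet_src_port)


if __name__ == "__main__":
    # Assumed NAPT mappings: signaling 5060->5060, RTP 49170->30000.
    good = alg_rewrite(INVITE, PRIVATE_IP, PUBLIC_IP, {49170: 30000})
    bad = alg_rewrite(INVITE, PRIVATE_IP, PUBLIC_IP, {49170: 30000}, rewrite_sdp=False)
    print("correct ALG leaks:", leaked_private_addresses(good))
    print("header-only ALG leaks:", leaked_private_addresses(bad))
    # The proxy sees both arrive from the router's public address. Once the ALG
    # has rewritten Via, the proxy can no longer tell the UA is behind NAT, so
    # it sends no keepalives and the binding for incoming calls silently expires.
    print("looks natted without ALG:", ua_behind_nat(INVITE, PUBLIC_IP, 5060))
    print("looks natted after ALG:", ua_behind_nat(good, PUBLIC_IP, 5060))
```

Run as a script, the full rewrite reports no leaked addresses while the header-only rewrite still carries 192.168.1.20 in the o= and c= lines, which is the one-way-audio case: signaling works, media is sent to an unroutable address. The last two lines show the registration problem: the untouched INVITE is detected as natted by the proxy, but after the ALG has rewritten Via the same message looks like it came straight from a public host, so the proxy has no reason to send keepalives and the router's UDP binding expires. On a real network the equivalent check is to capture the REGISTER on the WAN side of the router and compare the Via and Contact hosts with the packet's source address.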

Different router models with the SIP ALG feature (enabled by default in most cases) require different steps to disable it, so check the vendor documentation for your model and confirm afterwards, for example with a packet capture on the WAN side, that the SIP headers are no longer being rewritten.