With many modern data networks being used for not only data communications but also voice and video traffic, it is very important that the security appliances that are installed have an awareness of these types of protocols and can easily be configured to support both simple and complex voice and video configurations.
This article takes a look at some of the inspection methods that are provided within the Cisco Adaptive Security Appliance (ASA) line and how they are used to improve the functionality of these technologies even when security is a high priority on the network.
ASA Inspections Reminder
While this article is on the inspection capabilities of the ASA, keep in mind that these inspections will not even be allowed to happen if the ASA rules (ACL) don’t allow the traffic in the first place because they are evaluated before inspections take place.
While H.323 has been around for a while, it is still used in many deployments as a primary and secondary voice and video network protocol. According to the ASA documentation, H.323 inspection (both H.225 and RAS) is enabled by default as part of the default inspection rules; keep this is mind when configuring ASA traffic inspection. What the ASA does when these are enabled is listen to communications on both the H.225 (TCP 1720) and RAS (UDP 1718, 1719) communications ports. If the ASA detects that additional ports are being requested as part of normal protocol operations, it (the ASA) will allow the communications and enable inspection on those ports as well.
H.323 inspection can also be further configured to support additional inspection control by following the familiar process of creating class and inspection (policy) maps and applying them either globally (overriding the default H.323 inspection) or to a specific interface. H.225, H.245, and H.323 RAS sessions can be monitored on the ASA as well by using the show h225, show h245, and show h323-ras commands, respectively.
Media Gateway Control Protocol (MGCP) Inspection
MGCP is a protocol that is used to control a number of media gateways that are in turn used to control different call control elements within the network called call agents or media gateway controllers. There are a number of different media gateway types that exist within networks utilizing MGCP-some exist between trunking devices, and some exist between the end user and the central voice network. If either of these needs to cross a point in the network in which a security domain is crossed, this device must be aware of its use and how to deal with the potential traffic.
MGCP inspection on the ASA is not enabled by default and must be manually configured if the ASA is to be responsible for managing MGCP traffic through it. MGCP utilizes UDP ports 2427 and 2727 that are used for communications between the central call agent(s) and the remote (typically) gateways. When MGCP inspection is enabled on the ASA, it listens to the communications and determines from this inspection which MGCP traffic is allowed to pass. This is mainly required when failover (backup) configurations exist between various central call agents (for example, if a failover call agent is used to process a request that was initially sent to the main call agent, the source IP address would change and would break the rules of a “typical” firewalls connections table).
Real Time Streaming Protocol (RTSP) Inspection
RTSP is a protocol that is used by a number of different applications to transmit audio and video over a network connection; some of these applications include Apple QuickTime and Cisco IP/TV. According to the ASA documentation, RTSP inspection is enabled by default as part of the default inspection rules-keep this in mind when configuring ASA traffic inspection. RTSP uses the TCP port 554 as a control channel to negotiate the data channels that are used to transmit the traffic to the client. RTSP inspection listens to this port and allows the connections as set up on the control channel.
RTSP inspection also supports a number of different options that allow for additional connection control. Some of these options include matching traffic based on a specific request method and specifying the action that will be taken with this traffic; some of the actions include dropping the packet, dropping the connection, masking out a portion of the packet, resetting the connection, logging the packet, and a few others.
Session Initiation Protocol (SIP) Inspection
SIP is a protocol that is used to handle call sessions between clients; SIP works along with the Session Description Protocol (SDP) for call signaling. According to the ASA documentation, SIP inspection is enabled by default as part of the default inspection rules; keep this in mind when configuring ASA traffic inspection. SIP/SDP utilizes the TCP/UDP port 5060 for signaling, and this is the port that is used by the ASA for SIP inspection. SIP media streams are dynamically allocated; these session communications are listened to by the ASA and make the proper connections based on the result of these allocations. SIP can also embed IP addresses within the user-data portion of the IP packet. When this happens, the ASA will utilize NAT for these embedded addresses.
SIP inspection also supports a number of different options that allow for additional connection control; some of these options include matching traffic based on called-part, calling-part, content length, content type, and request method, among others. There are also a number of different actions that are supported, including dropping the packet, dropping the connection, masking out a portion of the packet, resetting the connection, and logging the packet.
There are certainly a number of different inspection types are provided within the Cisco ASA platform that can be used for a number of different traffic and application types, and voice and video applications are no different. Keep in mind that the support that is discussed in this article covers just the surface of available options that are available with complex class and policy maps with most of the inspection types.