jberg712
Collaborator

VoIP Traffic Application Control Objects vs Port Objects

Hi,

I wanted to reach out to the community and find out what others are doing when it comes to VoIP traffic and the Application/URL filtering layer. I want to know whether others are using the built-in Application Objects (i.e. RTCP, SIP Object, SDP over SIP, etc.) or whether your rule base has a rule with just the port objects (i.e. udp_5060, 5061, etc.).

The reason is that in our environment we basically have our rule duplicated from the firewall layer onto the application layer with the port objects defined. I can't remember where I saw this, but the reason is that we had some strange issues with our VoIP system in the beginning and I found an SK somewhere that stated I needed to create a separate port object instead of using the built-in system objects for firewall and application control.

So far we haven't encountered any issues doing it this way. While looking over our rulebase and at some optimization and reorganization of it, I noticed that our VoIP traffic on the Application Control layer hits the UDP port via the UDP port range object, but the logs indicate the RTCP protocol along with it.

I'm just wanting to know, specifically for the Application/URL layer, what the better way is, what works better, and what others are doing in their rulebase for VoIP traffic. Are you using custom UDP port objects similar to the firewall layer? Or are you using the system built-in application objects?

Jonathan

Gennady
Collaborator

Good day!

I have seen different implementations and concluded that a Policy very much depends on the specifics of the VoIP installations used in an enterprise. A problem arises when the traffic flow doesn't fully match the Protocol definition. Check Point may drop a packet in such cases. The common way to resolve this problem is to allow the connection by Port rather than by Service (with protocol) or Application.

As far as I understand Unified Policy, the difference between a "Service as Port" (protocol = none) definition and an Application definition is that the Check Point firewall needs more packets to make a Match for an Application object than for a Port object.

If you have both then, at first, the Port object is matched as a Possible Match and the packet is accepted. The Application object is matched later as a Full Match once the firewall has gathered enough information to make the decision. This "enough information" depends on the protocol.

I have read some debugs in regard to Unified Policy and concluded that Application Control by itself doesn't add any security but only allows an administrator to define a policy in a more convenient, understandable and sometimes more precise manner. We pay with CPU resources for this luxury. Security comes from IPS and Threat Prevention, where the traffic flow is matched against Protections.

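To make the matching order Gennady describes concrete, here is a small added simulation (my own toy model, not Check Point code): a port object is resolved on the first packet, while an application object stays a Possible Match until enough payload has been seen, and a flow on the right port that does not parse as the expected protocol falls through to the cleanup drop. The classifier, the payload threshold and the sample flows are constructed for illustration only.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

NO_MATCH, POSSIBLE, FULL = "no_match", "possible", "full"

@dataclass
class Packet:
    dport: int
    payload: bytes = b""

@dataclass
class Rule:
    name: str
    action: str                  # "accept" or "drop"
    port: Optional[int] = None   # "service as port" object (protocol = none)
    app: Optional[str] = None    # application object, needs payload inspection

def classify_app(packets: List[Packet]) -> Optional[str]:
    """Toy application classifier (constructed for this example). Returns None
    while too little payload has been seen, the app name once recognised, and
    "" when the accumulated payload does not look like that protocol at all."""
    body = b"".join(p.payload for p in packets)
    if len(body) < 8:
        return None
    return "SIP" if body.startswith((b"INVITE sip:", b"REGISTER sip:")) else ""

def match_rule(rule: Rule, packets: List[Packet]) -> str:
    if rule.port is not None:              # port object: decided on the first packet
        return FULL if packets[0].dport == rule.port else NO_MATCH
    app = classify_app(packets)            # application object: may need more packets
    if app is None:
        return POSSIBLE
    return FULL if app == rule.app else NO_MATCH

def evaluate(rulebase: List[Rule], packets: List[Packet]) -> Tuple[str, str]:
    """Top-down first match. A POSSIBLE match lets the packet through pending
    more data; a FULL match is final; falling off the end hits the cleanup drop."""
    for rule in rulebase:
        state = match_rule(rule, packets)
        if state == POSSIBLE:
            return "possible", rule.name
        if state == FULL:
            return rule.action, rule.name
    return "drop", "cleanup"

PORT_RULEBASE = [Rule("voip-port", "accept", port=5060)]
APP_RULEBASE = [Rule("voip-app", "accept", app="SIP")]
# Constructed flows: a well-formed SIP INVITE, and a PBX keepalive on 5060 that is not SIP.
SIP_FLOW = [Packet(5060, b"INVITE sip:bob@pbx.example SIP/2.0\r\n")]
ODD_FLOW = [Packet(5060, b"\x00" * 16)]
```

The port-only rulebase accepts both flows on the first packet, while the application rulebase accepts the INVITE, holds a short first packet as a possible match, and drops the non-SIP keepalive on the cleanup rule, which is the drop behaviour the reply warns about.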