Voice over WiFi (VoWIFI) using UDP/IKE to specific destinations
First post here, so forgive any missteps.
We have a challenge that has been going around in circles for the last week.
In Australia the Telcos are now doing VoWIFI, which is basically an IKE tunnel to their servers to allow VoWIFI.
We are more than happy to allow this traffic on our Guest Wireless networks.
Unfortunately, Anon/PrivateVPN services also use UDP/500 to do their business which we block by policy.
I can create a specific rule and match those destinations which will work for a while, however the providers will change their server addresses so I will play 'Chase The Server' in the next 12 months.
My question, is it worth trying to get this recognized as a new Application? Do the packet capture and see if there is any SIP identifiers inside etc?
What is the best way to go about this - hoping it might result in a benefit to others not just us?
Accepted Solutions
We might be able to better identify the traffic with some packet captures.
We probably need 2-3 captures per client and a few different clients.
This will help us fingerprint this traffic better and hopefully be able to distinguish between it and other IKE traffic.
Please open a TAC case: Contact Support | Check Point Software
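The accepted answer above is to fingerprint the captures so VoWiFi IKE can be told apart from other IKE traffic. The following is an added example to show what such a comparison can look at; it is not Check Point code and not something the original poster ran. It walks the IKEv2 header and payload chain of a single UDP/500 datagram (per RFC 7296) and reports the exchange type, the ordered payload types and any Vendor ID payloads, which are the fields an analyst would compare side by side across the 2-3 captures per client the answer asks for. The datagram it parses is constructed inline for illustration; the SPI, Diffie-Hellman group and vendor string are made-up values, and IKEv1 datagrams are deliberately rejected rather than decoded.

```python
"""Walk the IKEv2 header and payload chain of one UDP/500 datagram (RFC 7296).

Added example for the fingerprinting discussion in this thread; not Check Point
code. The sample datagram at the bottom is constructed by hand.
"""
import struct

# Exchange types, RFC 7296 section 3.1
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
# Payload types, RFC 7296 section 3.2 (the commonly seen subset)
PAYLOAD_TYPES = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT",
                 38: "CERTREQ", 39: "AUTH", 40: "Nonce", 41: "Notify",
                 42: "Delete", 43: "VendorID", 44: "TSi", 45: "TSr",
                 46: "SK", 47: "CP", 48: "EAP"}
VENDOR_ID = 43

# IKE header: SPIi(8) SPIr(8) NextPayload(1) Version(1) Exchange(1) Flags(1) MsgID(4) Length(4)
IKE_HEADER = struct.Struct("!QQBBBBII")
# Generic payload header: NextPayload(1) Critical/Reserved(1) Length(2)
PAYLOAD_HEADER = struct.Struct("!BBH")


def parse_ikev2(datagram: bytes) -> dict:
    """Return header facts, the ordered payload-type chain and any Vendor ID bodies."""
    if len(datagram) < IKE_HEADER.size:
        raise ValueError("datagram shorter than the 28-byte IKE header")
    spi_i, spi_r, nxt, version, exch, flags, msg_id, length = IKE_HEADER.unpack_from(datagram, 0)
    if version >> 4 != 2:
        raise ValueError(f"not IKEv2 (major version {version >> 4})")
    if length != len(datagram):
        raise ValueError("IKE header length does not match datagram length")

    payloads, vendor_ids = [], []
    offset = IKE_HEADER.size
    # Each payload header names the type of the payload that FOLLOWS it; the
    # IKE header names the first one. A next-payload of 0 ends the chain.
    while nxt != 0:
        if offset + PAYLOAD_HEADER.size > len(datagram):
            raise ValueError("truncated payload header")
        following, _crit, plen = PAYLOAD_HEADER.unpack_from(datagram, offset)
        if plen < PAYLOAD_HEADER.size or offset + plen > len(datagram):
            raise ValueError("bad payload length")
        payloads.append(PAYLOAD_TYPES.get(nxt, f"type{nxt}"))
        if nxt == VENDOR_ID:
            vendor_ids.append(datagram[offset + PAYLOAD_HEADER.size:offset + plen])
        offset, nxt = offset + plen, following

    return {
        "exchange": EXCHANGE_TYPES.get(exch, f"exch{exch}"),
        "initiator": bool(flags & 0x08),      # I bit
        "response": bool(flags & 0x20),       # R bit
        "message_id": msg_id,
        "responder_spi_zero": spi_r == 0,     # true for the very first request
        "payloads": payloads,
        "vendor_ids": vendor_ids,
    }


def fingerprint(datagram: bytes) -> str:
    """One-line summary suitable for diffing across captures."""
    p = parse_ikev2(datagram)
    kind = "response" if p["response"] else "request"
    vids = ",".join(v.hex() for v in p["vendor_ids"]) or "-"
    return f"{p['exchange']} {kind} msgid={p['message_id']} payloads={'/'.join(p['payloads'])} vid={vids}"


def _payload(next_type: int, body: bytes) -> bytes:
    return PAYLOAD_HEADER.pack(next_type, 0, PAYLOAD_HEADER.size + len(body)) + body


def sample_ike_sa_init() -> bytes:
    """Constructed IKE_SA_INIT request carrying SA, KE, Nonce, Notify and VendorID."""
    body = (
        _payload(34, b"\x00" * 8)                                  # SA (dummy proposal bytes)
        + _payload(40, b"\x00\x0e\x00\x00" + b"\x11" * 32)         # KE, DH group 14 (made-up key data)
        + _payload(41, b"\x22" * 16)                               # Nonce
        + _payload(43, b"\x00\x00\x40\x04" + b"\x33" * 20)         # Notify NAT_DETECTION_SOURCE_IP
        + _payload(0, b"EXAMPLE-VENDOR")                           # VendorID (constructed string)
    )
    header = IKE_HEADER.pack(0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0,
                             IKE_HEADER.size + len(body))
    return header + body


if __name__ == "__main__":
    print(fingerprint(sample_ike_sa_init()))
```

In practice you would feed the UDP payload of each UDP/500 packet from the captures into `fingerprint()` and group the resulting lines by client: handsets from one carrier tend to agree with each other on payload order and Vendor ID content, and differ from VPN clients, which is exactly the kind of stable marker a TAC fingerprint can be built on.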
First, this might be better in https://community.checkpoint.com/community/infinity-general?sr=search&searchId=614a3d78-07ff-4903-8b....
Second, if you happen to know what SIP endpoint they are connecting to by DNS name, perhaps you can use a Dynamic and/or a Domain Object to allow SIP traffic to only those specific hostnames (depending on your gateway release).
I'll check with R&D and see if there are better options than this.
Thanks Dameon,
The DNS name is a long server specific name which would probably change as well, not sure how the device seeks the other tunnel endpoint.
The FW (80.10 release) detects the traffic as UDP/IKE, not SIP - only after you inspect the traffic do you see any SIP headers. It is a tricky issue...
