An Application Layer Gateway (ALG) is a network security component that understands a specific application-layer protocol. It is commonly found in firewall and router devices, where it inspects the traffic of that protocol and, where needed, modifies it so the protocol keeps working through NAT and the firewall without opening the network more widely than necessary.
For example, an ALG may inspect and modify traffic for protocols such as SIP (Session Initiation Protocol) or FTP (File Transfer Protocol). These protocols carry IP addresses and port numbers inside their messages, so when the device performs NAT (Network Address Translation) the ALG rewrites those embedded values, allowing devices on a private network to communicate with devices on a public network. It also opens the firewall only for the connections the protocol actually negotiates, so that only valid traffic is allowed through and unauthorized access is prevented.
Overall, ALGs are an important part of network security, helping to protect against a range of threats and ensuring that network traffic is safe and secure.
This feature is present in our GWN7052(F)/GWN7062 router series, and it is configured as follows:
ALG with SIP Protocol
When an Application Layer Gateway (ALG) is used with the Session Initiation Protocol (SIP), it typically performs a number of functions to help ensure that the SIP traffic is properly routed and secured.
One of the main functions of an ALG for SIP is to modify the IP addresses and ports carried inside the SIP messages (headers such as Via and Contact, and the SDP body that describes the media), because many SIP deployments use Network Address Translation (NAT) to share a single public IP address among multiple private IP addresses. Without this rewriting the far end would try to send signaling and media to a private address it cannot reach; with it, SIP traffic flows properly between the internal and external networks.
Overall, the ALG for SIP plays an important role in ensuring that SIP traffic is properly routed and secured, which is crucial for maintaining reliable and secure voice and video communication over IP networks.
In the example below, ALG for the SIP protocol has been enabled and the monitoring port set to 5060.
In general, an ALG for SIP monitors the signaling port and tracks the media ports negotiated in that signaling. The signaling port for SIP is typically 5060 (5061 for SIP over TLS; note that an ALG cannot inspect or rewrite TLS-encrypted signaling, so on 5061 NAT traversal must be handled by the endpoints themselves). The media (RTP/RTCP) ports are not fixed: they are negotiated per call in the SDP body and drawn from a range chosen by each endpoint, 16384 to 32767 being a common default.
When an ALG is in use for SIP, it opens additional ports (pinholes) as needed to handle the dynamic media streams used for voice and video calls. The exact ports used for media streams vary with the endpoint's configuration and the network topology.
How SIP ALG works
This section explains how SIP ALG works and why it is necessary, and it will assist you in troubleshooting SIP-related issues.
We first introduce the basics of SIP and then walk through an example SIP call.
SIP signaling messages are of two types, requests and responses. For troubleshooting, concentrate on the INVITE request and the 200 OK response: this request/response pair indicates that the call has been established at the signaling level, and the SDP body each of them carries describes the media session.
- Request: REGISTER, INVITE, ACK, CANCEL, BYE, OPTIONS
- Response: 1xx, 2xx, 3xx, 4xx, 5xx, 6xx
A firewall protects private networks and individual machines from the dangers of the Internet by filtering incoming or outgoing traffic against a predefined set of rules known as firewall policies.
SIP ALG troubleshooting
In the majority of cases, the user reports that they cannot hear the other party or that the other party cannot hear them. This is an RTP traffic issue. Signaling and RTP traffic typically follow separate paths: in the call flow below, the signaling packets travel between Alice's SIP phone, the proxies and Bob's SIP phone, while the RTP traffic (the media session) flows directly between Alice's SIP phone and Bob's SIP phone, with no involvement of the proxies.
The information for the media session is provided by the SDP in the INVITE and 200 OK messages. Alice sends Bob her media information in the INVITE, and Bob sends Alice his in the 200 OK.
The SDP body contains the necessary information in its Owner (o=), Connection Information (c=) and Media Description (m=) lines. An example of SDP in an INVITE message is shown below. The o=, c= and m= values determine the source/destination IP address and port of the RTP packets in the media session, so when there is a problem with RTP traffic, such as a one-way call, the o=, c= and m= information must be checked.
As shown in the screenshot below:
SIP ALG serves two important functions: it modifies the o=, c= and m= values in the SDP in a NAT environment, and it creates a pinhole so that RTP traffic can flow dynamically. Work through the following steps to troubleshoot SIP ALG related issues:
- First, isolate the problem to either the SIP signaling process or the media session. In most cases the issue is with the media session.
- Determine whether or not NAT is involved. In most cases the SIP phone is in a private network and is assigned a private IP address.
- If there is no NAT, SIP ALG should be disabled, but keep in mind that with SIP ALG disabled we must manually create firewall policies for RTP traffic in both directions. To take effect after disabling SIP ALG,
- If NAT is used, SIP ALG should be enabled (the command <alg sip>).
- Capture the packets on both sides of the firewall, those that pass through it and those that do not, and compare the o=, c= and m= values in the SDP of each copy.
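The following Python script is an added example, not the router's own code, that models the two SIP ALG functions described above (rewriting the o=, c= and m= lines of an INVITE at the NAT egress and computing the RTP/RTCP pinholes) together with the capture check from the last troubleshooting step: scanning the SDP of a WAN-side capture for addresses that were never rewritten. The INVITE, the private address 192.168.1.20, the public address 203.0.113.5 and the NAT port mapping are constructed for the example.

```python
"""SIP ALG behaviour on an INVITE leaving a NATed network.

Added example, not the router's code: it models the two jobs the text gives
SIP ALG (rewriting o=/c=/m= in the SDP body and computing the RTP/RTCP
pinholes) plus the capture check used in troubleshooting. The INVITE,
addresses and NAT port mapping below are constructed for the example.
"""
import ipaddress
import re

# o= and c= lines carry the address the far end will send media to.
SDP_ADDR_RE = re.compile(r"^(o=\S+ \S+ \S+ IN IP4 |c=IN IP4 )(\S+)$")
# m= lines carry the media type, RTP port and transport profile.
SDP_MEDIA_RE = re.compile(r"^m=(\S+) (\d+) (\S+)(.*)$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_sip(message):
    """Split a CRLF-framed SIP message into header lines and the SDP body."""
    head, _, body = message.partition("\r\n\r\n")
    return head.split("\r\n"), body


def join_sip(headers, body):
    """Reassemble a SIP message, recomputing Content-Length for the body."""
    fixed = []
    for h in headers:
        if h.lower().startswith("content-length:"):
            h = f"Content-Length: {len(body.encode())}"
        fixed.append(h)
    return "\r\n".join(fixed) + "\r\n\r\n" + body


def build_invite(ip, rtp_port):
    """Constructed INVITE with SDP as Alice's phone would send it (example data)."""
    body = (
        "v=0\r\n"
        f"o=alice 2890844526 2890844526 IN IP4 {ip}\r\n"
        "s=-\r\n"
        f"c=IN IP4 {ip}\r\n"
        "t=0 0\r\n"
        f"m=audio {rtp_port} RTP/AVP 0 8\r\n"
        "a=rtpmap:0 PCMU/8000\r\n"
    )
    headers = [
        "INVITE sip:bob@example.com SIP/2.0",
        f"Via: SIP/2.0/UDP {ip}:5060;branch=z9hG4bK776asdhds",
        "From: Alice <sip:alice@example.com>;tag=1928301774",
        "To: Bob <sip:bob@example.com>",
        "Call-ID: a84b4c76e66710",
        "CSeq: 314159 INVITE",
        f"Contact: <sip:alice@{ip}:5060>",
        "Content-Type: application/sdp",
        "Content-Length: 0",  # placeholder, join_sip fills it in
    ]
    return join_sip(headers, body)


def alg_rewrite(message, private_ip, public_ip, port_map):
    """Rewrite o=/c= addresses and m= ports the way a SIP ALG does at NAT egress.

    port_map maps a private RTP port to the public port NAT allocated for it
    (a port-preserving NAT keeps the number, hence the .get default).
    Returns (rewritten_message, pinholes): pinholes are (public_port,
    private_port) UDP pairs the firewall must open so the far end's RTP and
    RTCP (RTP port + 1) can reach the phone.
    """
    headers, body = split_sip(message)
    out, pinholes = [], []
    for line in body.split("\r\n"):
        m = SDP_ADDR_RE.match(line)
        if m and m.group(2) == private_ip:
            line = m.group(1) + public_ip
        mm = SDP_MEDIA_RE.match(line)
        if mm:
            priv_port = int(mm.group(2))
            pub_port = port_map.get(priv_port, priv_port)
            pinholes += [(pub_port, priv_port), (pub_port + 1, priv_port + 1)]
            line = f"m={mm.group(1)} {pub_port} {mm.group(3)}{mm.group(4)}"
        out.append(line)
    return join_sip(headers, "\r\n".join(out)), pinholes


def private_addresses_in_sdp(message):
    """Troubleshooting check for a capture taken on the WAN side of the router.

    Returns the o=/c= lines that still carry an RFC 1918 address. Any hit
    means the SDP was not rewritten (ALG disabled, or its monitoring port
    does not match the signaling port), the usual cause of one-way audio:
    the far end sends RTP to an address it cannot route to.
    """
    _, body = split_sip(message)
    leaks = []
    for line in body.split("\r\n"):
        m = SDP_ADDR_RE.match(line)
        if m:
            addr = ipaddress.ip_address(m.group(2))
            if any(addr in net for net in RFC1918):
                leaks.append(line)
    return leaks


if __name__ == "__main__":
    invite = build_invite("192.168.1.20", 16384)
    rewritten, holes = alg_rewrite(invite, "192.168.1.20", "203.0.113.5", {16384: 40000})
    print(rewritten)
    print("UDP pinholes (public, private):", holes)
    print("private addresses in SDP before ALG:", private_addresses_in_sdp(invite))
    print("after ALG:", private_addresses_in_sdp(rewritten))
```

Running it shows the INVITE as the far end would see it after the ALG: c= and o= now carry 203.0.113.5 and m= carries the public RTP port, while the two pinholes (40000/40001 to 16384/16385) are what the firewall needs in place before Bob's RTP and RTCP arrive. Feeding a WAN-side capture that still reports private o=/c= lines to private_addresses_in_sdp is the quickest way to confirm that the ALG did not act on that call.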
ALG with RTSP Protocol
When an Application Layer Gateway (ALG) is used with the Real-Time Streaming Protocol (RTSP), it performs a number of functions to help ensure that the RTSP traffic is properly routed and secured.
One of the main functions of an ALG for RTSP is to handle the translation and management of the ports used for the RTSP control channel and the associated Real-time Transport Protocol (RTP) media streams. RTSP typically uses port 554 for the control channel, and RTP uses dynamically allocated ports in a specific range. The ALG for RTSP may modify the ports used in the RTSP messages to account for Network Address Translation (NAT) or firewall issues, and may also dynamically open ports in the firewall as needed to allow the media streams to flow between the endpoints.
In the example below, ALG for the RTSP protocol has been enabled and the monitoring port set to the RTSP control port, 554.
Another important function of an ALG for RTSP is to handle interleaved transport, an alternative in which the RTP and RTCP packets are carried inside the single RTSP TCP connection (Transport: RTP/AVP/TCP with interleaved channel numbers) instead of over separate UDP ports. The ALG inspects the Transport header of the SETUP exchange to determine whether UDP or interleaved transport is being used: in UDP mode it must translate the client_port/server_port values and open the corresponding pinholes, while in interleaved mode nothing needs to be opened beyond the existing control connection.
In addition, an ALG for RTSP may also perform other security-related functions, such as filtering out malformed RTSP messages or preventing certain types of attacks, such as RTSP flooding or spoofing.
Overall, the ALG for RTSP plays an important role in ensuring that RTSP traffic is properly routed and secured, which is crucial for maintaining reliable and secure real-time streaming of audio and video over IP networks.
When media data is delivered using RTP over UDP, the client establishes three network channels with the RTSP server in RTSP standard mode.
For control and negotiation, a full-duplex TCP connection is used. For media data delivery using the RTP packet format, a UDP channel is used; RTP is sent by the server to the client. To provide synchronization information to the client and packet-loss reports to the server, a full-duplex UDP channel called RTCP is used.
The figure below shows RTSP standard mode.
Media data can also be packetized using RTP or RDT over TCP, in RTSP interleaved mode. In this scenario a single full-duplex TCP connection carries both the control exchange and the media data delivery from the RTSP server to the client: the data stream and the RTSP control stream are interleaved on the same connection.
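The script below is an added example, not the router's code, covering the SETUP handling an RTSP ALG has to do in both of the modes just described. It parses the Transport header, decides between standard (UDP) and interleaved mode, rewrites client_port and computes the pinholes in the first case, leaves the message untouched in the second, and then narrows the pinholes to the server_port the server announces in its reply. The SETUP requests, the 200 OK reply, the camera hostname, the server address 198.51.100.7 and the NAT port mapping are constructed for the example.

```python
"""RTSP ALG handling of a client's SETUP across NAT.

Added example, not the router's code. It parses the Transport header, tells
UDP (standard) mode from interleaved mode, rewrites client_port and computes
the pinholes for the former, and leaves the latter alone because the media
shares the RTSP TCP connection. Messages, addresses and the NAT port map are
constructed for the example.
"""
import re

TRANSPORT_RE = re.compile(r"^Transport:\s*(.+?)\r?$", re.I | re.M)
PORT_RANGE_RE = re.compile(r"^(\d+)(?:-(\d+))?$")

# Constructed messages: a SETUP in standard mode, the same SETUP in
# interleaved mode, and the server's reply to the standard-mode SETUP.
SETUP_UDP = (
    "SETUP rtsp://cam.example.net/stream/track1 RTSP/1.0\r\n"
    "CSeq: 3\r\n"
    "Transport: RTP/AVP;unicast;client_port=8000-8001\r\n\r\n"
)
SETUP_TCP = (
    "SETUP rtsp://cam.example.net/stream/track1 RTSP/1.0\r\n"
    "CSeq: 3\r\n"
    "Transport: RTP/AVP/TCP;unicast;interleaved=0-1\r\n\r\n"
)
REPLY_UDP = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 3\r\n"
    "Session: 12345678\r\n"
    "Transport: RTP/AVP;unicast;client_port=40000-40001;server_port=9000-9001\r\n\r\n"
)


def parse_transport(value):
    """'RTP/AVP;unicast;client_port=8000-8001' ->
    {'profile': 'RTP/AVP', 'unicast': True, 'client_port': (8000, 8001)}"""
    parts = [p.strip() for p in value.split(";")]
    spec = {"profile": parts[0].upper()}
    for param in parts[1:]:
        key, _, val = param.partition("=")
        rng = PORT_RANGE_RE.match(val) if key in ("client_port", "server_port", "interleaved") else None
        if rng:
            lo = int(rng.group(1))
            spec[key] = (lo, int(rng.group(2)) if rng.group(2) else lo)
        else:
            spec[key] = val or True
    return spec


def transport_mode(spec):
    """'interleaved' when RTP rides the RTSP TCP connection, else 'udp'."""
    if "interleaved" in spec or spec["profile"].endswith("/TCP"):
        return "interleaved"
    return "udp"


def alg_process_setup(request, port_map):
    """What an RTSP ALG does to a client's SETUP leaving a NATed network.

    UDP mode: rewrite client_port to the NAT-allocated public ports (port_map
    maps private to public; a missing entry means port-preserving NAT) and
    return the (public_port, private_port) pinholes to open for inbound
    RTP/RTCP. Interleaved mode: nothing to rewrite and no pinholes, because
    the media shares the existing TCP 554 flow. Returns (request, mode, pinholes).
    """
    m = TRANSPORT_RE.search(request)
    if not m:
        raise ValueError("SETUP without Transport header")
    spec = parse_transport(m.group(1))
    mode = transport_mode(spec)
    if mode == "interleaved" or "client_port" not in spec:
        return request, mode, []
    lo, hi = spec["client_port"]
    pub_lo = port_map.get(lo, lo)
    pub_hi = pub_lo + (hi - lo)
    value = re.sub(r"client_port=\d+(?:-\d+)?", f"client_port={pub_lo}-{pub_hi}", m.group(1))
    rewritten = request[:m.start(1)] + value + request[m.end(1):]
    pinholes = [(pub_lo, lo)] if hi == lo else [(pub_lo, lo), (pub_hi, hi)]
    return rewritten, mode, pinholes


def alg_process_reply(reply, server_ip, pinholes):
    """Narrow the pinholes to the server_port announced in the SETUP reply, so
    only that source may send to the opened public ports. Returns
    (server_ip, server_port, public_port, private_port) tuples; server_port
    is None when the server did not announce one."""
    m = TRANSPORT_RE.search(reply)
    spec = parse_transport(m.group(1)) if m else {}
    if "server_port" not in spec:
        return [(server_ip, None, pub, priv) for pub, priv in pinholes]
    return [(server_ip, sp, pub, priv) for sp, (pub, priv) in zip(spec["server_port"], pinholes)]


if __name__ == "__main__":
    for setup in (SETUP_UDP, SETUP_TCP):
        rewritten, mode, holes = alg_process_setup(setup, {8000: 40000})
        print(mode, holes)
        print(rewritten)
    print(alg_process_reply(REPLY_UDP, "198.51.100.7", alg_process_setup(SETUP_UDP, {8000: 40000})[2]))
```

The standard-mode run yields two pinholes restricted to 198.51.100.7:9000 and :9001 once the reply is seen, which is the minimum the firewall must admit for the stream; the interleaved run yields none, and a practitioner who sees a camera working only in interleaved mode through this router has a strong hint that the UDP pinholes or the client_port rewrite are the problem. The reverse rewrite (restoring the private client_port in the reply before it reaches the client) is left out here.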