Communicating Through a Firewall
Firewalls inspect packets and match them against configured rules. Voice traffic is hard to describe in a static rule set because the ports a call will use are not known ahead of time; they are negotiated dynamically during call setup.
H.323 is a complex, dynamic protocol made up of several interrelated subprotocols. The addresses and ports an H.323 call will use must be learned by inspecting the signaling in detail as call setup progresses. As dynamic ports are negotiated, the firewall must add them to a table of ports currently associated with the H.323 call; as calls are torn down, it must remove those ports from the table again. Tracking connections in such a state table is stateful inspection. Beyond checking static ports, the firewall must also recognize protocols such as H.323 that negotiate dynamic ports, and it must look inside that protocol's packets to learn which ports to open and to track the resulting media flows; this deeper, protocol-specific step is application-layer inspection, and it is what makes the firewall H.323-aware.
Any application might use a port anywhere in the range 1024 to 65535, so the media ports cannot simply be opened statically without exposing a large part of the port space.
In Figure 5-29, the firewall initially blocks all packets destined for UDP port 16384 (the first port of the UDP range that Cisco voice gateways and IP phones commonly use for RTP media). The firewall becomes H.323-aware when it is configured to inspect TCP port 1720, the H.225 call-setup port, and to open only the UDP ports that the signaling assigns to that call's media streams.

Table 5-13 illustrates the dynamic access control
process used by firewalls.
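The dynamic access control process described above, as an added example that is not part of the original text or of any vendor's firewall code: a toy stateful firewall with a static rule for TCP 1720 and a dynamic pinhole table filled by an application-layer inspector. The signaling format it parses (`OPEN_LOGICAL_CHANNEL ip=... port=...`, `RELEASE_COMPLETE`) is a hypothetical human-readable stand-in for the real H.225/H.245 ASN.1 messages, and the example collapses H.225 call setup and H.245 logical-channel negotiation into one TCP 1720 stream for brevity; in real H.323 the H.245 connection itself runs on a port negotiated in H.225. Addresses and ports in the scenario are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

H225_PORT = 1720                         # H.225 call-setup signaling (TCP), statically allowed
DYNAMIC_MIN, DYNAMIC_MAX = 1024, 65535   # range from which an application may pick media ports


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""   # only the signaling packets carry a payload in this example


class StatefulFirewall:
    """Static rules plus a dynamic table of ports learned from call signaling.

    The inspector understands a hypothetical, human-readable signaling format
    (NOT real H.225/H.245 ASN.1 PER encoding):
        OPEN_LOGICAL_CHANNEL ip=<addr> port=<udp-port>
        RELEASE_COMPLETE
    """
    _OLC = re.compile(r"OPEN_LOGICAL_CHANNEL ip=(\S+) port=(\d+)")

    def __init__(self, static_allow):
        self.static_allow: Set[Tuple[str, int]] = set(static_allow)   # (proto, dport)
        # dynamic table: signaling flow -> set of (proto, dst, dport) pinholes it opened
        self.calls: Dict[Tuple[str, int, str, int], Set[Tuple[str, str, int]]] = {}

    def _inspect_signaling(self, pkt: Packet) -> None:
        """Application-layer inspection of the H.323 call-setup stream."""
        call_id = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        m = self._OLC.search(pkt.payload)
        if m:
            ip, port = m.group(1), int(m.group(2))
            # only accept ports in the dynamic range; refuse to pinhole well-known ports
            if DYNAMIC_MIN <= port <= DYNAMIC_MAX:
                self.calls.setdefault(call_id, set()).add(("udp", ip, port))
        if "RELEASE_COMPLETE" in pkt.payload:
            self.calls.pop(call_id, None)   # call teardown: remove its ports from the table

    def pinholes(self) -> Set[Tuple[str, str, int]]:
        """All (proto, dst, dport) entries currently open for active calls."""
        return set().union(*self.calls.values())

    def permit(self, pkt: Packet) -> bool:
        # 1. static rules: always allowed; if it is the H.323 setup port, inspect it
        if (pkt.proto, pkt.dport) in self.static_allow:
            if pkt.proto == "tcp" and pkt.dport == H225_PORT:
                self._inspect_signaling(pkt)
            return True
        # 2. dynamic table: only ports negotiated by a call that is still up
        return (pkt.proto, pkt.dst, pkt.dport) in self.pinholes()


def run_call_scenario() -> List[Tuple[str, bool]]:
    """Constructed packet sequence mirroring Figure 5-29; returns (label, permitted) pairs."""
    fw = StatefulFirewall(static_allow={("tcp", H225_PORT)})
    outside, phone = "203.0.113.5", "10.0.0.20"        # constructed addresses
    steps = [
        ("rtp-before-setup",  Packet("udp", outside, 40000, phone, 16384)),
        ("h225-setup",        Packet("tcp", outside, 51000, phone, H225_PORT,
                                     "OPEN_LOGICAL_CHANNEL ip=10.0.0.20 port=16384")),
        ("rtp-negotiated",    Packet("udp", outside, 40000, phone, 16384)),
        ("rtp-other-port",    Packet("udp", outside, 40000, phone, 16386)),
        ("h225-release",      Packet("tcp", outside, 51000, phone, H225_PORT,
                                     "RELEASE_COMPLETE")),
        ("rtp-after-release", Packet("udp", outside, 40000, phone, 16384)),
    ]
    return [(label, fw.permit(p)) for label, p in steps]


if __name__ == "__main__":
    for label, ok in run_call_scenario():
        print(f"{label:20s} {'permit' if ok else 'deny'}")
```

The run shows the three states the text describes: UDP 16384 is denied before setup, permitted only after the signaling on TCP 1720 names it (and only that port, not 16386), and denied again once the call is released and its entry leaves the table. The range check in `_inspect_signaling` is the caveat a practitioner would add: an inspector that opens whatever port the signaling names can be used to punch holes to ports it should never expose.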