ICSA Labs Network Firewall Certification Testing Report Enterprise (VoIP) - Version 4.1x. SonicWALL, Inc.



Similar documents
ICSA Labs Web Application Firewall Certification Testing Report Web Application Firewall - Version 2.1 (Corrected) Radware Inc. AppWall V5.6.4.

nexvortex Setup Guide

SSL-TLS VPN 3.0 Certification Report. For: Array Networks, Inc.

Customer Guide. BT Business - BT SIP Trunks. BT SIP Trunks: Firewall and LAN Guide. Issued by: BT Business Date Issue: v1.

Configuring the Juniper NetScreen Firewall Security Policies to support Avaya IP Telephony Issue 1.0

CSCE 465 Computer & Network Security

Firewall Defaults and Some Basic Rules

OfficeMaster Gate (Virtual) Enterprise Session Border Controller for Microsoft Lync Server. Quick Start Guide

MINIMUM NETWORK REQUIREMENTS 1. REQUIREMENTS SUMMARY... 1

SonicOS 5.9 / / 6.2 Log Events Reference Guide with Enhanced Logging

ASA 8.3 and Later: Enable FTP/TFTP Services Configuration Example

Application Note. Onsight Connect Network Requirements V6.1

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Load Balancing SIP Quick Reference Guide v1.3.1

NetVanta 7100 Exercise Service Provider SIP Trunk

Firewall Firewall August, 2003

Virtual Fragmentation Reassembly

BroadCloud PBX Customer Minimum Requirements

FTP e TFTP. File transfer protocols PSA1

LifeSize Transit Deployment Guide June 2011

White Paper. Traversing Firewalls with Video over IP: Issues and Solutions

Vega 100G and Vega 200G Gamma Config Guide

TLS and SRTP for Skype Connect. Technical Datasheet

Spikes Security Isla Browser Isolation System. Prepared for Spikes Security

Application Note. Onsight Connect Network Requirements v6.3

Application Notes for Configuring a SonicWALL VPN with an Avaya IP Telephony Infrastructure - Issue 1.0

VoIP technology employs several network protocols such as MGCP, SDP, H323, SIP.

Application Note Patton SmartNode in combination with a CheckPoint Firewall for Multimedia security

Application Note. Firewall Requirements for the Onsight Mobile Collaboration System and Hosted Librestream SIP Service v5.0

Firewalls. Chapter 3

Configuring WAN Failover & Load-Balancing

Ports Reference Guide for Cisco Virtualization Experience Media Engine for SUSE Linux Release 9.0

SIP Trunking using the Optimum Business SIP Trunk adaptor and the AltiGen Max1000 IP PBX version 6.7

nexvortex Setup Guide

F-SECURE MESSAGING SECURITY GATEWAY

Vega 100G and Vega 200G Gamma Config Guide

Application Note Configuring the Synapse SB67070 SIP Gateway for Broadvox GO! SIP Trunking

Snom 720 and Elastix Server

Microsoft Office Communications Server 2007 & Coyote Point Equalizer Deployment Guide DEPLOYMENT GUIDE

DLink-655 Router Configuration Guide for VoIP

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Note: As of Feb 25, 2010 Priority Telecom has not completed FXS verification of fax capabilities. This will be updated as soon as verified.

nexvortex Setup Template

Technical Note. ForeScout CounterACT: Virtual Firewall

Manual. ABTO Software

The SIP School- 'Mitel Style'

Overview. Author: Seth Scardefield Updated 11/11/2013

VoIPon Tel: +44 (0) Fax: +44 (0)

OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010

Firewall Support for SIP

SIP Trunking using the EdgeMarc Network Services Gateway and the Mitel 3300 ICP IP-PBX

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Application Note - Using Tenor behind a Firewall/NAT

Securing Networks with PIX and ASA

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Packet Capture. Document Scope. SonicOS Enhanced Packet Capture

Basic Vulnerability Issues for SIP Security

MyPBX Security Configuration Guide

SIP Security Controllers. Product Overview

10 Key Things Your VoIP Firewall Should Do. When voice joins applications and data on your network

1 SIP Carriers Warnings Vendor Contact Vendor Web Site : Versions Verified SIP Carrier status as of 9/11/2011

MULTI WAN TECHNICAL OVERVIEW

This Technical Support Note shows the different options available in the Firewall menu of the ADTRAN OS Web GUI.

SIP Trunking using Optimum Business SIP Trunk Adaptor and the Allworx 6x IP PBX

Implementing Secure Converged Wide Area Networks (ISCW)

Recommended IP Telephony Architecture

Application Notes for Configuring Yealink T-22 SIP Phones to interoperate with Avaya IP Office - Issue 1.0

Cisco Expressway IP Port Usage for Firewall Traversal. Cisco Expressway X8.1 D December 2013

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation

SECURITY ADVISORY FROM PATTON ELECTRONICS

Polycom. RealPresence Ready Firewall Traversal Tips

CONFIGURING TALKSWITCH FOR RUBICON SERVICE

SIP Trunking with Microsoft Office Communication Server 2007 R2

Troubleshooting This document outlines some of the potential issues which you may encouter while administering an atech Telecoms installation.

SonicWALL NAT Load Balancing

Firewall Stateful Inspection of ICMP

How to Open HTTP or HTTPS traffic to a webserver behind the NetVanta 2000 Series unit (Enhanced OS)

Importance of Web Application Firewall Technology for Protecting Web-based Resources

Cisco PIX vs. Checkpoint Firewall

How To - Implement Clientless Single Sign On Authentication with Active Directory

Voice Over IP and Firewalls

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Best Practices for Controlling Skype within the Enterprise. Whitepaper

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Lab Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance

Telephony System Integrator s Guide for Bandwidth.com. Citrix EasyCall Gateway 2.2.1

Optimum Business SIP Trunk Set-up Guide

Configuring a Mediatrix 500 / 600 Enterprise SIP Trunk SBC June 28, 2011

SonicOS Enhanced 4.0: NAT Load Balancing

AT&T IP Flex Reach/ IP Toll Free Configuration Guide IC 3.0 with Interaction SIP Proxy

MS Skype for Business and Lync. Integration Guide

UCi2i Video Conference Endpoint Firewall Requirements. UCi2i Video Conference Endpoint Firewall Requirements

IP Ports and Protocols used by H.323 Devices

How To Configure Virtual Host with Load Balancing and Health Checking

SIP Trunking Configuration with

Appendix D Firewall Log Formats

How to Configure the Allworx 6x, 24x and 48x for use with Integra Telecom SIP Solutions

Tunnels and Redirectors

Grandstream Networks, Inc. UCM6100 Security Manual

SonicOS 5.9 One Touch Configuration Guide

Transcription:

ICSA Labs Network Firewall Certification Testing Report SonicWALL, Inc. E-Class Network Security Appliance (NSA) Series February 28, 2011 Prepared by ICSA Labs 1000 Bent Creek Blvd., Suite 200 Mechanicsburg, PA 17050 www.icsalabs.com FWXX SONICWALLI-2011-0228-04

Table of Contents Executive Summary...1 Candidate Firewall Product Configuration Tested...2...2 Candidate Firewall Product Configuration...2 VoIP Required Services Security Policy...2...2...2 Logging...3...3...3 Administration...3...3...3 Functional and Security Testing...4...4...4 Criteria Violations and Resolutions...4...4...4 Testing Information...5 This report is issued by the authority of the Managing Director, ICSA Labs...5 Lab Report Date...5 Test Location...5 Product Developer s Headquarters...5 FWXX-SONICWALLI-2011-0228-04 Page i

Executive Summary This lab report is a companion report to the Enterprise certification lab report, which can be found at: https://www.icsalabs.com/sites/default/files/sw_enterprise.pdf The goal of the Enterprise Voice over IP (VoIP) lab report is to document the steps taken to ensure the Candidate Firewall Product met all of the VoIP certification criteria requirements. All VoIP specific configuration steps and any issues found are documented within this lab report. All other areas usually covered within an ICSA Labs Firewall Certification Lab Report can be found in the Enterprise Lab Report referenced above. FWXX-SONICWALLI-2011-0228-04 Page 1 of 5

Candidate Firewall Product Configuration Tested Any changes made to the Candidate Firewall Product (CFP) to meet the VoIP requirements will be documented within this section. Additionally, if VoIP does not work in any specific configuration mode supported by the CFP this will be noted. Candidate Firewall Product Configuration The SonicWALL, Inc. (SonicWALL) E-Class NSA Series was previously configured to use NAT for inbound and outbound services. This configuration was maintained for VoIP testing except for the following procedures: Under SIP -> Settings enabled the checkbox for Enable Consistent NAT. Under SIP -> Settings enabled the checkbox for Enable SIP Transformations. Under SIP -> Settings -> Enable SIP Transformations, changed both settings for SIP Signaling Activity inactivity time out and SIP Media inactivity time out. VoIP Required Services Security Policy The VoIP Required Services Security Policy (RSSP) articulates the services expected to allow VoIP to be handled by the Candidate Firewall Product in a secure and functional manner. The Network Security Lab team performed the following actions, utilizing the WebUI, during configuration of the VoIP RSSP: Under Network -> Address Objects, added a custom object pointing to the SIP server on the private network. Under Firewall -> Services, added a custom service group that included a custom SIP service that allowed only UDP/5060. Under Firewall -> Access Rules, created a rule set that allowed inbound access for the RSSP inbound custom service group that pointed to the server residing on the private network. Under Firewall -> Access Rules, created a rule set that allowed inbound access for the SIP custom service group that pointed to the PBX residing on the private network. The Network Security Lab team performed port scans followed by additional scans and other tests to ensure that the E-Class NSA Series was indeed configured according to the VOIP RSSP and that other TCP, UDP, ICMP, or other IP protocol traffic was permitted to or through the product in either direction. After performing the scans mentioned above, the Network Security Lab team then verified that the product properly handled inbound and outbound SIP, RTP and TFTP service requests. Finally the Network Security FWXX-SONICWALLI-2011-0228-04 Page 2 of 5

Lab team confirmed that no other traffic was permitted to traverse the SonicWALL E-Class NSA Series in either direction, as expected. Logging Version 4.1x of The Modular Firewall Certification Criteria requires that the Candidate Firewall Product provide an extensive logging capability. The Network Security Lab team has detailed in the Enterprise Lab Report, referenced above, that the logging functionality provided by the Candidate Firewall Product meets all of the certification criteria requirements. This section details how the CFP logs VoIP traffic. The SonicWALL E-Class NSA Series does have the ability to log locally, however, due to persistence requirements, logs were sent to a local syslog server. The following logged events were taken from the syslog server. The first logged event was a valid SIP response to a SIP registration event. The second logged event was a valid VoIP call that had successfully connected and the third logged event was a failed administrative login. Apr 26 08:45:58 205.160.57.254 id=firewall sn=0017c514b928 time="2010-04-26 08:52:20" fw=205.160.50.7 pri=7 c=1048576 m=643 msg="sip Request" n=0 src=205.160.57.20:5060:x0 dst=205.160.50.20:5060:x1 note="sip REGISTER (asterisk1@205.160.50.20)" Apr 26 08:51:01 205.160.57.254 id=firewall sn=0017c514b928 time="2010-04-26 08:57:24" fw=205.160.50.7 pri=6 c=1048576 m=622 msg="voip Call Connected" n=0 src=205.160.50.20:5060:x1 dst=205.160.57.20:5060:x0 note="sip (1001@205.160.50.7:29720 to 2001@205.160.50.20)" Apr 26 08:47:19 205.160.57.254 id=firewall sn=0017c514b928 time="2010-04-26 08:53:42" fw=205.160.50.7 pri=1 c=32 m=30 msg="administrator login denied due to bad credentials" n=0 usr="admin" src=205.160.57.66:0:x0 dst=205.160.57.254:443:x0 proto=tcp/https Administration The overall administration requirements are generally covered and documented in the aforementioned Enterprise Lab Report. This section will document how the Candidate Firewall Product addresses VoIP specific administration requirements. In order to view the dynamically opened RTP ports, open the WebUI and go to the following location, VoIP -> Call Status. FWXX-SONICWALLI-2011-0228-04 Page 3 of 5

Functional and Security Testing Once configured to enforce the VoIP security policy the Candidate Firewall Product should properly permit the services allowed by that policy. In this case, properly means that the service functions correctly. The Candidate Firewall Product must be capable of preventing the well-known, potentially harmful behavior found in some network protocols while at the same time being compliant with their RFCs in all other ways. In the event of a conflict, the product must be configurable for the more secure option. During functional testing the Network Security Lab team checks to ensure proper protocol behavior on the permitted services. During security testing the Network Security Lab team uses commercial, in-house-created, and freelyavailable testing tools to attack and probe the Candidate Firewall Product. The Network Security Lab team uses these tools to attempt to defeat or circumvent the security policy enforced on the Candidate Firewall Product. Additionally, using trivial Denial-of-Service and fragmentation attacks the Network Security Lab team attempts to overwhelm or bypass the Candidate Firewall Product. Since there is overlap between functional and security testing, the results of both phases of testing are presented in the section below. Since the product did not initially meet all the functional and security testing requirements, refer to the Criteria Violations and Resolutions section for more detailed information concerning the issues found during functional and security testing. SonicWALL addressed the issues reported by the Network Security Lab team and the E-Class NSA Series was re-tested. The product properly permitted the minimum set of common services inbound and outbound per the VoIP criteria. Furthermore, during re-testing of the E-Class NSA Series, it was not susceptible to attacks launched inbound and outbound to and through the product, including fragmentation and trivial Denial-Of-Service attacks. Criteria Violations and Resolutions In the event that the Network Security Lab team uncovers criteria violations while testing the Candidate Firewall Product, the vendor must make repairs before testing can be completed and certification granted. The section that follows documents any and all criteria violations discovered during testing. Additionally any steps that must be taken by an administrator to ensure that the product meets the criteria are documented below. The following Security criteria violation was found by the Network Security Lab team during testing and corrected by SonicWALL: An invalid packet was allowed that prematurely terminated a call. FWXX-SONICWALLI-2011-0228-04 Page 4 of 5

Testing Information This report is issued by the authority of the Managing Director, ICSA Labs. Testing was conducted under normal operation conditions. Lab Report Date February 28, 2011 Please visit www.icsalabs.com for the most current information about this and other products. Test Location ICSA Labs 1000 Bent Creek Blvd., Suite 200 Mechanicsburg, PA 17050 Product Developer s Headquarters SonicWALL, Inc. 2001 Logic Drive, San Jose, CA 95124 USA The certification test methods used to produce this report are accredited and meet the requirements of ISO/IEC 17025 as verified by the ANSI-ASQ National Accreditation Board/ACLASS. Refer to certificate and scope of accreditation number AT 1423. Testing reports shall not be reproduced except in full, without prior written approval of ICSA Labs. FWXX-SONICWALLI-2011-0228-04 Page 5 of 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information