1. How Do You Avoid The Firewall Issues In SIP Signaling Path?

Answer» A firewall or a proxy that controls the firewall needs to understand SIP, be able to parse an INVITE request and 200 OK response, extract the IP addresses and port numbers from the SDP, and open up “pin holes” in the firewall to allow RTP traffic to pass. The hole can then be closed when a BYE is sent or a session timer expires. An alternative is an ALG, a B2BUA that is trusted by the firewall. The firewall then allows SIP and RTP traffic, which terminates on the ALG and blocks all other traffic. The authentication and security policies of allowing or denying SIP sessions are then controlled by the SIP ALG instead of in the firewall itself.
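The pinhole bookkeeping described in the answer, as an added Python example that is not part of the original page: it parses the INVITE and the 200 OK, pairs the RTP endpoints from the two SDP bodies, and drops the pinhole on BYE (a session-timer expiry would perform the same removal). All names (`Pinholes`, `rtp_endpoints`, `sip`, `sdp`) are hypothetical, the messages are constructed samples, and only full-form `Call-ID` and `CSeq` headers are assumed.

```python
def sip(start, call_id, cseq, body=""):  # builds the constructed sample messages
    return (f"{start}\r\nCall-ID: {call_id}\r\nCSeq: {cseq}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")

def sdp(ip, port):
    return (f"v=0\r\no=- 1 1 IN IP4 {ip}\r\ns=-\r\nc=IN IP4 {ip}\r\n"
            f"t=0 0\r\nm=audio {port} RTP/AVP 0\r\n")

def parse(msg):
    """Split a SIP message into start line, lower-cased headers and body."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    hdrs = {k.strip().lower(): v.strip()
            for k, v in (l.split(":", 1) for l in lines[1:])}
    return lines[0], hdrs, body

def rtp_endpoints(body):
    """(ip, port) per m= line; a media-level c= overrides the session-level c=."""
    session_ip, media = None, []
    for line in body.splitlines():
        if line.startswith("c="):
            ip = line.split()[2]
            if media:
                media[-1][0] = ip
            else:
                session_ip = ip
        elif line.startswith("m="):
            media.append([session_ip, int(line.split()[1])])
    return [tuple(m) for m in media]

class Pinholes:
    def __init__(self):
        self.offers, self.open = {}, {}

    def on_message(self, msg):
        start, hdrs, body = parse(msg)
        cid = hdrs["call-id"]
        if start.startswith("INVITE "):
            self.offers[cid] = rtp_endpoints(body)
        elif (start.startswith("SIP/2.0 200") and "INVITE" in hdrs["cseq"]
              and cid in self.offers):
            # Open only once the answer arrives; port 0 marks a declined stream.
            pairs = zip(self.offers.pop(cid), rtp_endpoints(body))
            self.open[cid] = [(o, a) for o, a in pairs if all(o) and all(a)]
        elif start.startswith("BYE "):
            self.offers.pop(cid, None)
            self.open.pop(cid, None)  # close the pinhole when the call ends
        return self.open.get(cid, [])
```

Each entry returned by `on_message` is one offer/answer endpoint pair, which is the granularity a firewall rule for that RTP stream needs.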