Datasheet
Data Sheet
All contents are Copyright © 1992–2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 5 of 8
Table 1. Features and Benefits Summary
Feature Details
Unified
Communications
Application Inspection
and Control
SIP, SCCP, H.323, MGCP, RTP/RTCP, TCP, CTIQBE, RTSP
SIP application
inspection and control
Enables deep inspection services for SIP traffic for both User Datagram Protocol (UDP) and
TCP-based SIP environments. This provides granular control for protection against unified
communications attacks.
Delivers protocol conformance support for numerous SIP RFCs, including RFC 3261. Delivers
SIP state awareness and tracking and the ability to enforce mandatory header fields and
absence of forbidden header fields, thus protecting businesses from attacks that use malformed
packets.
Enables Network Address Translation and Port Address Translation (NAT and PAT)-based
address translation support for SIP-based IP phones and applications such as Microsoft
Windows Messenger, while delivering advanced services such as call forwarding, call transfers,
and more.
Supports comprehensive threat defense features such as SIP state awareness and tracking, the
ability to rate-limit SIP traffic to prevent DoS attacks, preventing SIP traffic from specific proxies
to block SIP traffic from rogue proxy servers, and validation of RTP/RTCP for media.
Allows businesses to configure granular unified communications policies, such as permitting and
denying callers and callees by configuring SIP Uniform Resource Identifier (URI) filters,
inbound/outbound calls using whitelists and blacklists, permitting and denying use of applications
such as instant messaging over SIP, or permitting and denying specific SIP methods (including
user-defined methods).
H.323 security services
Enables advanced H.323 inspection services that support versions 1–4 of the protocol along with
Direct Call Signaling (DCS) and Gatekeeper Router Control Signaling (GKRCS) to provide
flexible security integration in a variety of H.323-driven voice-over-IP (VoIP) environments.
Provides NAT and PAT support for H.323 services, including advanced features such as fax over
IP (FoIP) using the T.38 protocol, an ITU standard that defines how to transmit FoIP in real time.
Supports threat prevention for H.323 traffic such as restricting call duration, preventing H.225
Registration, Admission, and Status (RAS) packets arriving out of state, and validation of
RTP/RTCP for media.
Allows businesses to configure granular policies for H.323 services such as filtering on calling
and called phone numbers to prevent rogue callers, and restricting services by filtering on
specific media types.
SCCP security services
Enables advanced SCCP inspection services for SCCP applications such as Cisco Unified IP
Phones, Cisco Unified Personal Communicator, and Cisco IP Communicator to provide flexible
security integration.
Supports comprehensive threat defense such as the ability to set the maximum SCCP message
length to prevent buffer overflow attacks, the ability to tune timeouts for TCP SCCP connections
and SCCP audio/video media connections, and validation of RTP/RTCP for media.
Allows businesses to configure granular policies for SCCP traffic such as enforcing only
registered phone calls to send traffic through the Cisco ASA appliance and filtering on message
IDs to allow or disallow specific messages.
MGCP security services
Enables rich MGCP security services and NAT- and PAT-based address translation services for
MGCP-based connections between media gateways and call agents or media gateway
controllers.
Real-Time Streaming
Protocol (RTSP)
security services
Enables inspection of RTSP protocols used to control communications between the client and
server for streaming applications such as Cisco IP/TV
®
, Apple Quicktime, and RealNetworks
RealPlayer.
RTSP security services deliver NAT- and PAT-based address translation services for RTSP
media streams to improve support in real-time networking environments.
Fragmented and
segmented multimedia
stream inspection
Enables inspection of H.323-, SIP-, and SCCP-based voice and multimedia streams that have
been fragmented or segmented to prevent against these unique unified communications attacks.
Advanced TCP security
engine
Enables protection from several attacks, including protection for SYN flood attacks using SYNC
cookies, protection for endpoints against protocol fuzzing, and retransmission-style TTL (time to
live) evasion.
Delivers smart TCP proxy feature that reassembles TCP packets to protect against segment
attacks that use multiple TCP packets.
Offers TCP traffic normalization services for additional techniques to detect attacks, including
advanced flag and option checking, TCP packet checksum verification, detection of data
tampering in retransmitted packets, and more.