We covered application layer gateways (ALGs) in Chapter 4, but we didn’t cover the built-in SRX protection mechanisms for the different ALGs. The SRX has many built-in application protections that can, for example, protect against the flooding of calls on your VoIP system. Protecting your internal infrastructure from misconfiguration or rogue users is critical to providing the percentage of uptime that current network users demand from their applications and services.
A proxy server is one of the most important pieces of equipment in a Session Initiation Protocol (SIP) setup. As such, the SRX can provide some level of protection to ensure availability of the proxy server to its users. The SIP DoS protection monitors INVITE requests and the proxy server's replies to them. Any source whose INVITE requests are redirected, errored, or failed is placed into a table and denied for a predefined duration. This prevents INVITE floods against your proxy servers.
This SIP DoS protection is a global configuration and is not tied to a single zone.
The following configuration applies specifically to our VoIP server (leave destination-ip unconfigured to apply the protection to all SIP proxy servers) and places offending users into the blocked table for 20 seconds:
juniper@SRX5800# set security alg sip application-screen protect deny destination-ip 172.31.100.50
juniper@SRX5800# set security alg sip application-screen protect deny timeout 20
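To make the behaviour of the deny table concrete, here is an added Python model of the mechanism described above; it is not SRX code, and it assumes (as a simplification) that the table is keyed on the caller's source address, that only replies from the configured destination-ip proxy count, and that SIP 3xx/4xx/5xx/6xx replies are the "redirected, errored, or failed" cases. The trace it replays is constructed.

```python
from typing import Callable, Dict, List, Optional, Tuple

def is_failure(status: int) -> bool:
    """3xx redirect, 4xx/5xx error, 6xx global failure: the cases that trigger a deny."""
    return 300 <= status <= 699

class SipDenyTable:
    """Simplified model of the SRX SIP application-screen deny table (assumption)."""
    def __init__(self, timeout: float, clock: Callable[[], float], proxy: Optional[str] = None):
        self.timeout = timeout        # 'protect deny timeout' in seconds
        self.proxy = proxy            # 'protect deny destination-ip', None = all proxies
        self.clock = clock            # injectable clock so the model is deterministic
        self._denied: Dict[str, float] = {}   # caller source ip -> expiry time

    def denied(self, src: str) -> bool:
        expiry = self._denied.get(src)
        if expiry is None:
            return False
        if self.clock() >= expiry:    # entry has aged out: remove it and allow again
            del self._denied[src]
            return False
        return True

    def on_invite(self, src: str, dst: str) -> str:
        """Decide whether an INVITE from src to dst is forwarded or dropped."""
        if self.proxy is not None and dst != self.proxy:
            return "forward"          # not a protected proxy: screen does not apply
        return "drop" if self.denied(src) else "forward"

    def on_reply(self, proxy: str, src: str, status: int) -> None:
        """Record the proxy's reply to src; a failure reply starts the deny timer."""
        if self.proxy is not None and proxy != self.proxy:
            return
        if is_failure(status):
            self._denied[src] = self.clock() + self.timeout

def replay(events: List[Tuple[float, str, str, str, int]], timeout: float = 20,
           proxy: Optional[str] = "172.31.100.50") -> List[Tuple[float, str, str]]:
    """Replay (time, kind, src, dst, status) events and return each INVITE decision."""
    now = [0.0]
    table = SipDenyTable(timeout, lambda: now[0], proxy)
    decisions = []
    for t, kind, src, dst, status in events:
        now[0] = t
        if kind == "INVITE":
            decisions.append((t, src, table.on_invite(src, dst)))
        elif kind == "REPLY":            # src here is the caller the proxy replied to
            table.on_reply(dst, src, status)
    return decisions

# Constructed trace: 10.0.0.5 gets a 404 from the protected proxy and keeps retrying;
# 10.0.0.9 is a normal caller whose INVITE succeeds (200 OK).
TRACE = [
    (0.0, "INVITE", "10.0.0.5", "172.31.100.50", 0),
    (0.1, "REPLY", "10.0.0.5", "172.31.100.50", 404),   # Not Found -> denied until 20.1
    (0.2, "INVITE", "10.0.0.5", "172.31.100.50", 0),    # dropped while denied
    (1.0, "INVITE", "10.0.0.9", "172.31.100.50", 0),
    (1.1, "REPLY", "10.0.0.9", "172.31.100.50", 200),   # OK: no penalty
    (1.2, "INVITE", "10.0.0.9", "172.31.100.50", 0),
    (20.0, "INVITE", "10.0.0.5", "172.31.100.50", 0),   # timer not yet expired
    (20.2, "INVITE", "10.0.0.5", "172.31.100.50", 0),   # expired: forwarded again
]
```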
Figure 7-16 illustrates an example of the blocking table ...