The Mysterious "stun" application

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

The Mysterious "stun" application

L4 Transporter

Does anyone have a understandable explaination of this application called "stun" from what I can gather its used for things like skype and facetime, but it generates a lot of traffic in my network. While yes we are lync/skype in house and there are the occosional calls out to the internet, I see this application going out to google public IPs on port 19305 and 19302, I see ports 5055 being used as well. How do you control this application?

4 REPLIES 4

Cyber Elite
Cyber Elite

@s.williams1,

Applipedia will help you out here a lot. 

"Simple Traversal of User Datagram Protocol is a network protocol allowing a client behind a NAT (or multiple NATs) to find out its public address."

You'll see stun utilized a lot for different applications and such as it is currently the best way of determining the clients public IP address and detecting whether or not it is behind a NAT or not. SIP, WebRTC and others rely on it pretty heavily. If you are running Skype internally you should be seeing a TON of Stun traffic, iPhones will generate a bit as well because of FaceTime, and depending on the applications on the device you can expect a lot to come from Android devics as well. 

Stun by itself really isn't dangerous so there really isn't much control to be done, at least to my eyes. Allow it outside your network on application default ports and if your Skype infrastructure is generating too many logs in your eyes setup a security rule to simply not log traffic going to your Skype servers. 

So I have a rule to allow stun applicaiton on application default service ports but i see it hitting my allow all at the end of the list on different ports. So should I allow "any" on the service ports section?

@s.williams1,

Kind of up to you at that point. Where exactly are you seeing the 'stun' traffic, from Trust to Untrust? I would first start to look at the logs and see if you can narrow this down to a more specific source or destination rule. 

Palo Alto doesn't do that great of a job identifying traffic unless you are running a cert store and issuing a cert to every device on your network.  We in education see STUN used mostly for MS Teams and Facetime in which Palo Alto has app identifiers for but since we don't run a cert store, all traffic can't be fully decrypted and identified properly by app id.  A better suggestion might be to setup a QOS with low real-time bandwidth and create a QOS rule for STUN to use that low bandwidth and see who screams and then find out what they are doing and see if it is allowed traffic or not.  Most of the time you will find it is all personal and not business related unless you rely heavily on VOIP apps like Skype, MS Teams, WebEx, SIP phones, etc.

  • 35912 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!