SIP? NAT? NOT! Traversing the Firewall for SIP Call Completion

Presentation Transcript


  1. SIP? NAT? NOT! Traversing the Firewall for SIP Call Completion Steven Johnson President, Ingate Systems Inc.

  2. The Third Wave of the Internet: SMTP created email. HTTP created the Web. SIP can create universal live IP communication, person to person!

  3. It’s all there – almost… • A single network (IP) • Everyone has a connection • High capacity and good performance • A single protocol (SIP) But SIP does not traverse common firewalls and NATs

  4. It’s All There – Almost… • A Single Network (IP) • High capacity and good performance • Everyone has a connection • A single protocol - SIP • Firewalls exclude inbound traffic • SIP does not traverse common firewalls and NATs

  5. What’s the difference? [Diagram: a typical Internet protocol (SMTP, HTTP…) connects a host to a server across the Internet; SIP (and H.323…) connects a person to a person across the Internet]

  6. The Third Wave of the Internet: SMTP created email. HTTP created the Web. SIP can create universal live IP communication, person to person! More than IP telephony!

  7. A richer communications experience: it’s presence, it’s instant messaging, it’s voice, and it’s video. [Screenshots of a SIP client]

  8. Converged Networks, Real-time Communications • A change in the work paradigm • A change in communications style • A change in communications tools • An opportunity for productivity improvement. Connect people, information and processes in real time.

  9. One way: VoIP islands… [Diagram: headquarters and a branch office joined by a VPN tunnel across the Internet; vendor, partner and customer sites are IP-connected but outside the tunnel] A VPN is fine for branch-to-branch connections, but the goal is global connectivity.

  10. The Global All IP Way SIP-capable firewalls make the difference

  11. Suggested CPE Solutions
  • STUN → TURN → ICE
    - Can cope with certain types of existing NATs
    - Complexity has grown in trying to increase reliability and handle more NATs
    - Needs to be implemented in the SIP clients and servers on the Net
    - Tight firewalls will not be handled
  • Dynamically controlled firewalls/NATs
    - Midcom: by a Firewall Control Proxy (no activity known at this time)
    - UPnP: by the client (Windows) (Microsoft)
  • ALG (non-proxy) SIP-aware firewall
    - TLS not possible
  • ALG + proxy SIP-aware firewall
    - General, handles complex scenarios, PBX functionality
  • Tunnelling: brings the SIP client to an operator or a corporate LAN
    - Requires an ALG for each client on a LAN with its own address space
    - IPsec, proprietary

  12. STUN → TURN → ICE
  • Evolving IETF standards
  • Requires a client on the inside of the LAN and a “reflector” (STUN server) out on the network
  • The client sends a request to the reflector, which answers with the public address and port the NAT mapped that request to, i.e. the address the outside world sees rather than the private address the SIP endpoint has on the LAN
  • Once that public address is known, the client writes it into its SIP headers and SDP in place of its private address, so the other party’s signaling and media are sent to the NAT’s mapping

  13. STUN → TURN → ICE
  Benefits:
  • Simple solution to NAT traversal
  • Offers an alternative to home users and small businesses that don’t wish to incorporate a full firewall solution
  Problems:
  • Exposes the internal IP addressing scheme
  • Circumvents the protection offered by the firewall
  • Inappropriate for enterprises and others with valuable information to protect on their LAN
  • Only works for certain types of NATs
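The STUN exchange that slides 12 and 13 describe, as an added example that is not part of the presentation or of any Ingate product: the client sends a Binding Request, reads the reflexive (public) address and port out of the reply, and then puts that address into its SDP offer instead of its private LAN address. The reflector’s reply is constructed inline so the code runs offline; the LAN address 192.168.1.20:10000 and the NAT mapping 203.0.113.7:40123 are hypothetical. The parser prefers XOR-MAPPED-ADDRESS over MAPPED-ADDRESS, which is the practical caveat here: some NATs rewrite a plain IP address they spot inside a UDP payload, which is why RFC 5389 obfuscates it.

```python
import ipaddress
import os
import re
import struct

# RFC 5389 constants: 20-byte header, attributes are TLVs padded to 4 bytes
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txn_id: bytes = b"") -> bytes:
    """Binding Request with no attributes: just the 20-byte header."""
    txn_id = txn_id or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txn_id)


def build_binding_response(txn_id: bytes, public_ip: str, public_port: int) -> bytes:
    """Constructed stand-in for the reflector's reply, carrying XOR-MAPPED-ADDRESS."""
    xaddr = int(ipaddress.IPv4Address(public_ip)) ^ MAGIC_COOKIE
    xport = public_port ^ (MAGIC_COOKIE >> 16)
    attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txn_id) + attr


def parse_binding_response(data: bytes, txn_id: bytes):
    """Return (ip, port) as the reflector saw it: the NAT's public mapping, not the LAN address."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie, rx_txn = struct.unpack("!HHI12s", data[:20])
    if cookie != MAGIC_COOKIE or rx_txn != txn_id:
        raise ValueError("not a reply to our transaction")
    if msg_type != BINDING_SUCCESS:
        raise ValueError(f"unexpected STUN message type 0x{msg_type:04x}")
    body = data[20:20 + length]
    mapped = xor_mapped = None
    pos = 0
    while pos + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + attr_len]
        pos += 4 + ((attr_len + 3) & ~3)          # skip the value plus its padding
        if len(value) < 8 or value[1] != 0x01:    # only IPv4 (family 0x01) handled here
            continue
        port, addr = struct.unpack("!HI", value[2:8])
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:
            xor_mapped = (str(ipaddress.IPv4Address(addr ^ MAGIC_COOKIE)),
                          port ^ (MAGIC_COOKIE >> 16))
        elif attr_type == ATTR_MAPPED_ADDRESS:
            mapped = (str(ipaddress.IPv4Address(addr)), port)
    # Prefer the XOR form: a NAT that rewrites plain addresses in payloads cannot
    # corrupt it, which is exactly why RFC 5389 introduced it.
    result = xor_mapped or mapped
    if result is None:
        raise ValueError("no mapped address attribute in response")
    return result


def rewrite_sdp(sdp: str, public_ip: str, public_port: int) -> str:
    """Put the reflexive address into the offer instead of the private LAN address.
    Assumes the client sent the STUN request from its RTP socket, so the mapped
    port is the one the far end must send media to."""
    sdp = re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {public_ip}", sdp, flags=re.M)
    return re.sub(r"^(m=audio )\d+", rf"\g<1>{public_port}", sdp, flags=re.M)


def demo() -> dict:
    """Whole exchange against a constructed reply (hypothetical addresses): the LAN
    phone is 192.168.1.20:10000 and the NAT maps it to 203.0.113.7:40123."""
    txn = bytes(range(12))
    request = build_binding_request(txn)
    reply = build_binding_response(txn, "203.0.113.7", 40123)
    ip, port = parse_binding_response(reply, txn)
    offer = ("v=0\r\no=- 1 1 IN IP4 192.168.1.20\r\ns=-\r\n"
             "c=IN IP4 192.168.1.20\r\nt=0 0\r\nm=audio 10000 RTP/AVP 0\r\n")
    return {"request": request, "public": (ip, port), "sdp": rewrite_sdp(offer, ip, port)}


if __name__ == "__main__":
    print(demo())
```

On a real network the request goes out over UDP to a STUN server and the mapping only stays valid while the NAT binding is refreshed, which is the part of the story that TURN and ICE then have to cope with; none of that changes what the client does with the answer, which is the rewrite shown above.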

  14. Midcom • Developing IETF standard for managing controllable firewalls through a Firewall Control Proxy • Elegant: it puts the solution at the point where the problem occurs • The Firewall Control Proxy would dynamically control the firewall to accept SIP media only when authorized • Control resides with the Firewall Control Proxy, and the existing firewall takes care of all of the logging

  15. Midcom
  Benefits:
  • Based on an IETF standard
  • Leaves the firewall in place
  • Offers a separate device that just manages SIP sessions
  Problems:
  • No companies are currently developing this technology
  • There are currently no firewalls that are controllable by an outside agent
  • The Firewall Control Proxy becomes a trusted control point: a vulnerability there lets an attacker open holes in the firewall and violate network security

  16. UPnP • Universal Plug and Play • Proposed by Microsoft • Lets the client (a Windows soft client) ask the NAT/gateway to open port mappings for itself, so all end points are controlled by the Microsoft agent

  17. UPnP
  Benefits:
  • Simple implementation
  • Nothing to set up or configure
  • Excellent implementation for home users
  • Would expand the use of SIP
  Problems:
  • Limited utility for enterprises of any size
  • Cannot handle complex call scenarios
  • Solution handles NAT only
  • Cannot handle hard phones, only soft clients
  • Security of the network is controlled by the Windows host

  18. ALG (non-Proxy) SIP-Aware Firewall • An application-level gateway sits between two hosts and modifies the traffic between them on the fly • ALGs normally make only small modifications to the packets, such as the addresses and ports in the SIP headers and SDP

  19. ALG (non-Proxy) SIP-Aware Firewall
  Benefits:
  • Theoretically faster processing than proxy-based solutions
  • Performs most of the important functions needed to traverse the NATed firewall
  • Able to dynamically open and close ports for media
  Problems:
  • Cannot read deeply into the packet headers
  • Cannot support encryption (TLS): an ALG rewrites packets in flight, so it needs to see the signaling in the clear; once the SIP signaling is TLS-encrypted, a middle box that is not a TLS endpoint can neither read nor modify it
  • Setting up complex call scenarios is a problem
  • Current implementations do not support soft clients

  20. ALG + Proxy SIP-Aware Firewall
  • The ALG performs the NAT traversal function
  • The proxy terminates a packet flow, then re-initiates the flow to the destination address
    - Records the SIP client address so it can locate the client behind the NAT
    - Digest authentication
    - Rewrites headers
  • Proxies can look deeply into the header information because the proxy terminates the connection and holds the whole message before forwarding it
    - Inspection of SIP signaling (including instant messages)
    - Support for Transport Layer Security (TLS), since the proxy is itself the TLS endpoint
    - Adds privacy and authentication to communications
    - TLS is being used for adding security to Microsoft Office Live Communications Server, Avaya, Reuters and others
  • Can also be used as a separate SIP firewall when all data ports are permanently closed

  21. ALG + Proxy SIP-Aware Firewall
  Benefits:
  • Most flexible solution
  • Able to support all call scenarios, despite their complexity
  • Can support servers on the inside of the LAN
  • Supports TLS
  • Flexible and adaptable
  • Offers a backup registration/location server option
  • Simple PBX functions can be added
  Problems:
  • Theoretically slower performance
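What the ALG side of slides 18 to 21 actually does, and the “open media ports only while a session is authorized” behaviour that the Midcom slides (14 and 15) describe, as an added example that is not part of the presentation or of any Ingate product: a toy SIP ALG on a NAT rewrites the private address a LAN phone puts in Via, Contact and SDP, recomputes Content-Length (the SDP changes length, a detail real ALGs get wrong), records which public RTP/RTCP ports the dialog negotiated, and closes them again on BYE. The INVITE and BYE are constructed inline; the LAN 192.168.1.0/24, the public address 203.0.113.7 and the port range starting at 30000 are hypothetical. The whole rewrite depends on seeing the signaling in the clear, which is the slide 19 point about TLS.

```python
import ipaddress
import re


class SipAlg:
    """Toy SIP ALG on a NAT: rewrites private addresses in outbound signaling and keeps
    media pinholes open only for ports negotiated in SDP, per dialog (Call-ID).
    Illustrative example, not any product's implementation."""

    _HOSTPORT = re.compile(r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")

    def __init__(self, private_net: str, public_ip: str, first_public_port: int = 30000):
        self.private_net = ipaddress.ip_network(private_net)
        self.public_ip = public_ip
        self._next_port = first_public_port
        self.port_map = {}   # (private_ip, private_port) -> public port on the NAT
        self.pinholes = {}   # Call-ID -> set of public ports currently open for media

    def _map(self, host: str, port: int):
        """Allocate (or reuse) a public port for a private endpoint; pass public ones through.
        Ports are allocated in pairs so an RTCP port (RTP + 1) stays adjacent after NAT."""
        if ipaddress.ip_address(host) not in self.private_net:
            return host, port
        key = (host, port)
        if key not in self.port_map:
            self.port_map[key] = self._next_port
            self.port_map[(host, port + 1)] = self._next_port + 1
            self._next_port += 2
        return self.public_ip, self.port_map[key]

    def _rewrite_hostport(self, m) -> str:
        host, port = self._map(m.group("host"), int(m.group("port")))
        return f"{host}:{port}"

    def rewrite_outbound(self, msg: bytes) -> bytes:
        """Rewrite one LAN->Internet SIP message and update the pinhole state.
        Only possible because the signaling is in the clear; over TLS an ALG that is
        not the TLS endpoint could neither read nor change any of this."""
        head, _, body = msg.decode("ascii").partition("\r\n\r\n")
        lines = head.split("\r\n")
        for i, line in enumerate(lines):
            if line.split(":", 1)[0].lower() in ("via", "contact"):
                lines[i] = self._HOSTPORT.sub(self._rewrite_hostport, line)

        media_ports = []
        c_line = re.search(r"^c=IN IP4 (\S+)", body, re.M)
        if c_line and ipaddress.ip_address(c_line.group(1)) in self.private_net:
            priv_addr = c_line.group(1)

            def fix_media(m):
                _, pub_port = self._map(priv_addr, int(m.group(2)))
                media_ports.extend((pub_port, pub_port + 1))   # RTP and its RTCP port
                return f"{m.group(1)}{pub_port}"

            body = re.sub(r"^(m=\w+ )(\d+)", fix_media, body, flags=re.M)
            body = body.replace(f"IN IP4 {priv_addr}", f"IN IP4 {self.public_ip}")
        # The SDP may have changed length, so Content-Length must be recomputed.
        for i, line in enumerate(lines):
            if line.lower().startswith("content-length:"):
                lines[i] = f"Content-Length: {len(body.encode('ascii'))}"

        call_id = next((l.split(":", 1)[1].strip() for l in lines
                        if l.lower().startswith("call-id:")), None)
        method = lines[0].split(" ", 1)[0]
        cseq_method = next((l.split()[-1] for l in lines if l.lower().startswith("cseq:")), "")
        if call_id and media_ports:
            self.pinholes.setdefault(call_id, set()).update(media_ports)
        if call_id and (method == "BYE" or (method == "SIP/2.0" and cseq_method == "BYE")):
            self.pinholes.pop(call_id, None)   # dialog over: close its media pinholes
        return ("\r\n".join(lines) + "\r\n\r\n" + body).encode("ascii")

    def media_allowed(self, public_port: int) -> bool:
        """What the firewall asks before forwarding an inbound UDP packet to the LAN."""
        return any(public_port in ports for ports in self.pinholes.values())


def demo() -> dict:
    """Constructed INVITE and BYE from a LAN phone (192.168.1.20) behind a NAT whose
    public side is 203.0.113.7 (hypothetical addresses)."""
    alg = SipAlg("192.168.1.0/24", "203.0.113.7")
    sdp = ("v=0\r\no=alice 1 1 IN IP4 192.168.1.20\r\ns=-\r\n"
           "c=IN IP4 192.168.1.20\r\nt=0 0\r\nm=audio 10000 RTP/AVP 0\r\n")
    invite = ("INVITE sip:bob@example.net SIP/2.0\r\n"
              "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776\r\n"
              "From: <sip:alice@example.net>;tag=1\r\n"
              "To: <sip:bob@example.net>\r\n"
              "Call-ID: a84b4c76@192.168.1.20\r\n"
              "CSeq: 1 INVITE\r\n"
              "Contact: <sip:alice@192.168.1.20:5060>\r\n"
              "Content-Type: application/sdp\r\n"
              f"Content-Length: {len(sdp)}\r\n\r\n" + sdp).encode("ascii")
    bye = ("BYE sip:bob@example.net SIP/2.0\r\n"
           "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK777\r\n"
           "Call-ID: a84b4c76@192.168.1.20\r\n"
           "CSeq: 2 BYE\r\n"
           "Content-Length: 0\r\n\r\n").encode("ascii")
    rewritten = alg.rewrite_outbound(invite).decode("ascii")
    in_call = alg.media_allowed(30002)   # RTP pinhole is open while the dialog is up
    alg.rewrite_outbound(bye)
    return {"invite": rewritten, "during_call": in_call, "after_bye": alg.media_allowed(30002)}


if __name__ == "__main__":
    print(demo()["invite"])
```

The Via rewrite here is the bare minimum; a real ALG also has to handle `received`/`rport`, the inbound direction, re-INVITEs that move the media, and dialogs that end without a BYE, which is where the slide’s “complex call scenarios” problem comes from.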

  22. Summary of Advantages

  23. Real and Complex Scenarios [Diagram: a LAN with an IP phone, a SIP server and a SIP client on Windows XP behind a Firewall/NAT; on the Internet side, SIP servers 2, 3 and 4 and a SIP/PSTN gateway, one of the links carried over TLS] Sooner or later the NAT/firewall problem needs to be solved where it occurs. Complications for non-proxy solutions: • Tight firewalls • Call transfer • SIP server on the LAN • Trusted connections: TLS

  24. SIP? NAT? NOT! Traversing the Firewall for SIP Call Completion Steven Johnson President, Ingate Systems Inc.
