
Traversing The Firewall for SIP Call Completion






Presentation Transcript


  1. Traversing The Firewall for SIP Call Completion Steven J. Johnson President Ingate Systems Inc.

  2. The Third Big Wave of Internet Usage SMTP created E-mail HTTP created the Web SIP will create realtime global connectivity from person to person!

  3. Trends in SIP Adoption
  • 2005 was a watershed year and VoIP is now mainstream
  • Lots of use cases are coming online:
    - Branch office connections
    - Call center applications
    - Click to Talk for customer service centers
    - International calling
    - New service offerings for residential and commercial customers
    - Extension of Microsoft Office Live Communications Server beyond the Local Area Network

  4. It’s All There – Almost…
  • A single network (IP)
  • Everyone has a connection
  • High capacity and good performance
  • A single protocol: SIP
  • But firewalls are meant to exclude inbound communications
  • SIP won’t traverse common firewalls and NATs

  5. Alternative NAT Traversal Solutions

  6. Why not Use VPN?
  (Diagram: home, mobile+WiFi, hotel and laptop soft-phone users behind SIP-unaware firewalls reach the office LAN through a VPN terminated on a SIP-unaware firewall; SIP signaling and media (voice, video etc.) all run inside the VPN tunnel, IP to IP, to any external user.)
  • VPN is not a flexible solution
    - No global connectivity: it works where you have control (home etc.) but does not always work from hotels etc. (~50%)
    - WiFi phones and dual mobile/WiFi handsets normally have no VPN client
    - Start a VPN client just to receive a call?!
  • QoS can be taken out of play in some VPNs
    - If headers are encrypted end-to-end, encryption may occur before the packet reaches the unit that handles queuing
  • Trend: client-server encryption replaces VPN (e-mail, Citrix etc.)
  • VPN potentially opens up the network to others
  • No "media release", so VPN does not scale

  7. Why not Use ICE?
  • Reliance on 3rd-party servers (STUN/TURN) to enable call setup; some consider this to be a security issue
  • Gives control to the client
  • Difficult to configure and maintain in a large corporate environment
  • Current lack of endpoints that support ICE

  8. What about Carrier Session Border Controllers?
  (Diagram: a centralized, telecom network-centric model with a Session Border Controller at the service provider, versus a distributed, enterprise-centric model with a SIP-capable firewall or SIP-enabling CPE device at each of Site A and Site B.)

  9. What About a SIP ALG Firewall?
  (Diagram: a SIP-capable firewall between the private 10.x.x.x LAN and the public 168.x.x.x address space, with a SIP proxy/registrar, the SIP signaling path and the media path.)
  • Checks the SIP signaling
  • Rewrites it for the different address spaces
  • Forwards the signaling to the correct SIP proxy or client
    - For inbound calls it needs to know the location of each SIP user (unless the registrar is on the inside)
  • Opens pinholes in the firewall for the media
    - Only for the duration of the call
    - Only between the exact endpoints
  • Closes the pinholes after the call
  • Cannot handle encryption: the signaling can be encrypted for privacy, but then the ALG can neither read nor rewrite it
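The ALG behaviour listed on slide 9 (rewrite the address spaces, open a media pinhole only for the call and only between the exact endpoints, close it when the call ends), as an added Python example. This is illustration written for this page, not Ingate's code, and deliberately minimal: it handles one IPv4 audio m= line, ignores RTCP, `rport`/`received`, re-INVITEs and timeouts, and the addresses (10.0.0.5 inside, 198.51.100.10 public, 203.0.113.7 remote), ports and both messages are constructed.

```python
"""SIP ALG for one call: rewrite LAN addresses to the public side and keep a
pinhole open only for the call's duration and endpoints. Added example; the
addresses, ports and messages below are constructed, not captured."""
import re
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "198.51.100.10"                       # assumed outside address of the firewall
CALL_ID = re.compile(r"^Call-ID: (\S+)", re.M)
HDR_ADDR = re.compile(r"^((?:Via|Contact): .*?)(\d+\.\d+\.\d+\.\d+)(:\d+)?", re.M)
SDP_CONN = re.compile(r"^(c=IN IP4 )(\S+)", re.M)
SDP_ORIG = re.compile(r"^(o=\S+ \S+ \S+ IN IP4 )(\S+)", re.M)
SDP_MEDIA = re.compile(r"^(m=audio )(\d+)( .*)$", re.M)


@dataclass
class Pinhole:
    inside: tuple                    # (ip, port) of the LAN phone's RTP socket
    outside_port: int                # public port the firewall reserves for this call
    remote: Optional[tuple] = None   # far end's media address, learned from the answer


def build(start_line, headers, sdp_lines):
    """Assemble a SIP message with CRLF line endings and a correct Content-Length."""
    body = "\r\n".join(sdp_lines) + "\r\n"
    head = "\r\n".join([start_line] + headers + [f"Content-Length: {len(body)}"])
    return head + "\r\n\r\n" + body


class SipAlg:
    def __init__(self, public_ip=PUBLIC_IP, first_port=30000):
        self.public_ip, self.next_port = public_ip, first_port
        self.pinholes = {}           # Call-ID -> Pinhole

    def outbound_invite(self, msg):
        """Rewrite a LAN-originated INVITE for the public address space and reserve a port."""
        head, _, body = msg.partition("\r\n\r\n")
        call_id = CALL_ID.search(head).group(1)
        inside = (SDP_CONN.search(body).group(2), int(SDP_MEDIA.search(body).group(2)))
        port, self.next_port = self.next_port, self.next_port + 2   # RTP even, RTCP on port+1
        self.pinholes[call_id] = Pinhole(inside, port)
        head = HDR_ADDR.sub(lambda m: m.group(1) + self.public_ip + (m.group(3) or ""), head)
        body = SDP_CONN.sub(rf"\g<1>{self.public_ip}", body)
        body = SDP_ORIG.sub(rf"\g<1>{self.public_ip}", body)
        body = SDP_MEDIA.sub(rf"\g<1>{port}\g<3>", body)
        head = re.sub(r"Content-Length: \d+", f"Content-Length: {len(body)}", head)
        return head + "\r\n\r\n" + body

    def inbound_answer(self, msg):
        """Learn the far end's media address from the 200 OK; the pinhole is bound to it."""
        head, _, body = msg.partition("\r\n\r\n")
        ph = self.pinholes[CALL_ID.search(head).group(1)]
        ph.remote = (SDP_CONN.search(body).group(2), int(SDP_MEDIA.search(body).group(2)))

    def bye(self, call_id):
        """Close the pinhole as soon as the dialog ends."""
        self.pinholes.pop(call_id, None)

    def media_allowed(self, src, dst_port):
        """Would an inbound UDP packet from src to public_ip:dst_port be forwarded?"""
        return any(ph.remote == src and ph.outside_port == dst_port
                   for ph in self.pinholes.values())


# constructed INVITE from the LAN phone and constructed 200 OK from the far end
INVITE = build("INVITE sip:bob@example.net SIP/2.0", [
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds",
    "From: <sip:alice@example.com>;tag=1928301774",
    "To: <sip:bob@example.net>",
    "Call-ID: a84b4c76e66710",
    "CSeq: 314159 INVITE",
    "Contact: <sip:alice@10.0.0.5:5060>",
    "Content-Type: application/sdp",
], ["v=0", "o=alice 2890844526 2890844526 IN IP4 10.0.0.5", "s=-",
    "c=IN IP4 10.0.0.5", "t=0 0", "m=audio 49170 RTP/AVP 0"])

OK_200 = build("SIP/2.0 200 OK", [
    "Via: SIP/2.0/UDP 198.51.100.10:5060;branch=z9hG4bK776asdhds",
    "From: <sip:alice@example.com>;tag=1928301774",
    "To: <sip:bob@example.net>;tag=a6c85cf",
    "Call-ID: a84b4c76e66710",
    "CSeq: 314159 INVITE",
    "Contact: <sip:bob@203.0.113.7:5060>",
    "Content-Type: application/sdp",
], ["v=0", "o=bob 2808844564 2808844564 IN IP4 203.0.113.7", "s=-",
    "c=IN IP4 203.0.113.7", "t=0 0", "m=audio 6000 RTP/AVP 0"])


def demo():
    """Walk one call through the ALG and report what media the firewall would pass."""
    alg = SipAlg()
    rewritten = alg.outbound_invite(INVITE)
    before = alg.media_allowed(("203.0.113.7", 6000), 30000)      # no answer yet: dropped
    alg.inbound_answer(OK_200)
    during = alg.media_allowed(("203.0.113.7", 6000), 30000)      # exact endpoints: forwarded
    stranger = alg.media_allowed(("203.0.113.99", 6000), 30000)   # other source: dropped
    alg.bye("a84b4c76e66710")
    after = alg.media_allowed(("203.0.113.7", 6000), 30000)       # call over: dropped
    return rewritten, before, during, stranger, after
```

The point the slide makes about encryption is visible in `outbound_invite`: every rewrite depends on reading the Via, Contact, c= and m= lines in the clear, so a TLS-protected INVITE that the ALG cannot terminate would pass through unmodified and the call would fail.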

  10. What About Proxy Based Firewalls?
  • A robust solution that solves the problem where it occurs: at the enterprise edge
  • Enables signaling inspection
  • Enables:
    - Media and signaling encryption
    - Remote SIP connectivity for mobile users
    - Routing in complex environments
    - Branch office failover
    - Prioritized voice and video
  • Allows the enterprise to control:
    - Sources and destinations of communications
    - Content of the media
  • Offers protection against:
    - Spoofing
    - Denial of Service attacks

  11. Choose the Right SIP Firewall Architecture
  (Diagram: a SIP ALG firewall contains only an ALG; a SIP proxy firewall contains a SIP proxy and a registrar.)

                        SIP ALG Firewall   SIP Proxy Firewall
  Encryption            N                  Y
  Authentication        N                  Y
  SIP Filtering         L                  Y
  Call Control          L                  Y
  Extra SIP functions   L                  Y

  (Y = yes, N = no; L is not expanded on the slide and presumably means limited.)

  12. VoIP, Security and SIP
  • The good news: VoIP and SIP have no security problems in themselves
  • On the contrary, SIP:
    - Is robust, flexible and scalable
    - Supports authentication
    - Signaling (TLS) and media streams (SRTP) can be encrypted
  • Select products that leverage these benefits:
    - Full SIP proxy with SIP signaling inspection
    - Ports opened only between the specific parties of the call and only for the duration of the call
    - SIP registrar
    - Support for TLS and SRTP

  13. Support for Workers on the Road or Working from Home
  • 40% of the work force is said to work away from the office occasionally
  • Most remote workers would like access to the tools the PBX offers at their office
  • With SIP that is possible as long as the user can connect back to the company infrastructure
  • A proxy-based firewall solution allows the user to do this from wherever they are working today

  14. Support for Remote Workers
  (Diagram: a home user behind a home NAT and a traveling user behind a hotel NAT or at an 802.11 hotspot connect over the Internet, through the remote user module, to the SIP-capable proxy-based firewall.)

  15. Branch Office Service Assurance
  • Automatic failover from the central SIP server (hosted or centralized IP-PBX) to distributed offices
  • Automatic capture of user registrations to mirror configurations
  • Frequent ping of the central server to determine availability
  • Basic call control features allow station-to-station dialing and a dial plan to a local PSTN gateway
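The four points of slide 15 as one routing decision, in an added Python example. This is illustration for this page, not Ingate's implementation: the probe function, the three-miss threshold, the dial plan (optional trunk prefix 9 plus a 10-digit number) and the addresses are all assumed, and the probe is a constructed callable rather than a real keepalive request.

```python
"""Branch-office survival mode: mirror registrations while the central server
is reachable, poll it, and route locally when it stops answering.
Added example; the dial plan, threshold and addresses are assumed."""
import re
from dataclasses import dataclass, field

# assumed local dial plan: an optional trunk prefix 9 followed by a 10-digit number
PSTN_PLAN = re.compile(r"^9?(\d{10})$")


@dataclass
class SurvivalProxy:
    central: str                       # central SIP server (hosted or head-office IP-PBX)
    gateway: str                       # local PSTN gateway host
    probe: object                      # callable(host) -> True if the server answered
    fail_after: int = 3                # consecutive failed probes before survival mode
    failures: int = 0
    registrations: dict = field(default_factory=dict)   # user -> contact, mirrored

    def mirror_register(self, user, contact):
        """Copy a REGISTER seen on its way to the central server."""
        self.registrations[user] = contact

    def poll(self):
        """Run one keepalive probe; a single miss does not trip survival mode."""
        self.failures = 0 if self.probe(self.central) else self.failures + 1
        return self.central_up

    @property
    def central_up(self):
        return self.failures < self.fail_after

    def route(self, to_user):
        """Decide the next hop for a call to to_user."""
        if self.central_up:
            return ("central", f"sip:{to_user}@{self.central}")
        if to_user in self.registrations:           # station-to-station from the mirror
            return ("local", self.registrations[to_user])
        m = PSTN_PLAN.match(to_user)
        if m:                                        # local dial plan to the PSTN gateway
            return ("pstn", f"sip:{m.group(1)}@{self.gateway}")
        return ("reject", "480 Temporarily Unavailable")


def demo():
    """Constructed scenario: the central server goes away after two users registered."""
    up = {"ok": True}                                # probe result, flipped mid-demo
    px = SurvivalProxy("pbx.hosted.example.com", "192.0.2.20", lambda host: up["ok"])
    px.mirror_register("2001", "sip:2001@10.1.0.11:5060")
    px.mirror_register("2002", "sip:2002@10.1.0.12:5060")
    normal = px.route("2002")
    up["ok"] = False
    polls = [px.poll() for _ in range(3)]            # third miss trips survival mode
    return normal, polls, px.route("2002"), px.route("96035551212"), px.route("2099")
```

In a deployment the probe would be a SIP request with a short timeout; the threshold exists so that one lost probe on a congested link does not flip the whole branch into survival mode and back.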

  16. VoIP Survival in Hosted Environments
  (Diagram: the enterprise, with its workstations and a local SIP/PSTN gateway, connects over the Internet to other SIP users and to the service provider's SIP/PSTN gateway.)
  1. VoIP services through Broadworks servers hosted by the service provider or the enterprise main office
  2. VoIP-to-PSTN services through Broadworks servers and a PSTN gateway hosted by the service provider or the enterprise main office
  3. Settings and user data downloaded to the enterprise edge

  17. Host Down: VoIP Survival Activated
  (Diagram: the same topology as slide 16, with the hosted servers unreachable.)
  1. Local calls within the domain are handled by the Ingate Firewall or SIParator
  2. An optional local backup PSTN gateway is used for routing VoIP-to-PSTN calls

  18. SIP Proxy-based Solution for SIP Adoption
  • Solves the FW/NAT traversal problem at the enterprise edge
  • The enterprise gains control over its IP communications applications
  • A scalable solution that enables global connectivity
  • Robust solutions that add value to the enterprise:
    - QoS enables the organization to prioritize voice and video
    - Remote SIP Connectivity connects road warriors and home workers
    - Advanced SIP Routing for flexibility in complex scenarios
    - Security for SIP-based communications:
      - Stateful signaling inspection
      - MIME/content types consistent with negotiated parameters
      - Ability to set admission policies on various criteria
      - Protection from denial of service attacks and spoofing
      - Media and signaling encryption for privacy (termination and transcoding)
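Slide 12 asks for products that support TLS and SRTP, and slide 18 lists content types consistent with negotiated parameters plus admission policies; the added Python example below shows what such an admission check on an INVITE can look like. It is illustration for this page, not Ingate's code: the policy values (SRTP mandatory, audio only, payload types 0/8/9, no privileged ports) are assumed, and the three INVITEs are constructed, with the `a=crypto` line taken from the RFC 4568 example rather than a real key.

```python
"""Admission checks for an INVITE at a proxy-based firewall: Content-Type must
describe the body, the SDP must parse, SRTP is required, and media is limited
to admitted types, ports and codecs. Added example; policy values are assumed."""
import re

ADMITTED_PAYLOADS = {"0", "8", "9"}       # assumed policy: PCMU, PCMA, G.722 only
MEDIA_LINE = re.compile(r"^m=(\w+) (\d+) (\S+) (.*)$", re.M)


def build(start_line, headers, body_lines):
    """Assemble a SIP message with CRLF line endings and a correct Content-Length."""
    body = "\r\n".join(body_lines) + "\r\n" if body_lines else ""
    head = "\r\n".join([start_line] + headers + [f"Content-Length: {len(body)}"])
    return head + "\r\n\r\n" + body


def check_invite(msg, require_srtp=True):
    """Return the policy violations found in msg; an empty list means admit."""
    problems = []
    head, _, body = msg.partition("\r\n\r\n")
    ctype = re.search(r"^Content-Type:\s*([^;\s]+)", head, re.M | re.I)
    clen = re.search(r"^Content-Length:\s*(\d+)", head, re.M | re.I)
    if clen is None or int(clen.group(1)) != len(body):
        problems.append("Content-Length does not match the body")
    if body and (ctype is None or ctype.group(1).lower() != "application/sdp"):
        problems.append("body carried with a Content-Type other than application/sdp")
    elif body and not body.startswith("v=0\r\n"):
        problems.append("Content-Type says SDP but the body does not parse as SDP")
    if problems:                          # malformed framing: reject before parsing media
        return problems
    for m in MEDIA_LINE.finditer(body):
        media, port, proto, fmts = m.group(1), int(m.group(2)), m.group(3), m.group(4).split()
        if media != "audio":
            problems.append(f"media type {media} not admitted")
        if require_srtp and proto != "RTP/SAVP":
            problems.append(f"{media} offered as {proto}; SRTP (RTP/SAVP) required")
        if port and port < 1024:
            problems.append(f"{media} port {port} is in the privileged range")
        rejected = [f for f in fmts if f not in ADMITTED_PAYLOADS]
        if rejected:
            problems.append(f"payload types {rejected} not admitted")
    if require_srtp and "RTP/SAVP" in body and not re.search(r"^a=crypto:", body, re.M):
        problems.append("RTP/SAVP offered without an a=crypto key line")
    return problems


# constructed INVITEs: a plain-RTP offer with video, an SRTP-only offer, and a
# body whose Content-Type does not describe it
HEADERS = ["Via: SIP/2.0/TLS 10.0.0.5:5061;branch=z9hG4bK74bf9",
           "From: <sip:alice@example.com>;tag=9fxced76sl",
           "To: <sip:bob@example.net>", "Call-ID: 3848276298220188511@10.0.0.5",
           "CSeq: 1 INVITE", "Contact: <sip:alice@10.0.0.5:5061;transport=tls>",
           "Content-Type: application/sdp"]
SDP_HEAD = ["v=0", "o=alice 1 1 IN IP4 10.0.0.5", "s=-", "c=IN IP4 10.0.0.5", "t=0 0"]
WEAK = build("INVITE sip:bob@example.net SIP/2.0", HEADERS,
             SDP_HEAD + ["m=audio 49170 RTP/AVP 0 18", "m=video 51372 RTP/AVP 31"])
STRONG = build("INVITE sip:bob@example.net SIP/2.0", HEADERS,
               SDP_HEAD + ["m=audio 49170 RTP/SAVP 0 8",
                           "a=crypto:1 AES_CM_128_HMAC_SHA1_80 "
                           "inline:PS1uQCVeeCFCanVmcjkpPywjNWhcYD0mXXtxaVBR|2^20|1:32"])
MISMATCH = build("INVITE sip:bob@example.net SIP/2.0",
                 HEADERS[:-1] + ["Content-Type: text/plain"],
                 SDP_HEAD + ["m=audio 49170 RTP/SAVP 0"])
```

`check_invite(STRONG)` returns no violations; `check_invite(WEAK)` reports the unencrypted audio, the video stream and the two codecs outside the policy, and `MISMATCH` is rejected on the framing alone before its SDP is ever parsed, which is the "content types consistent with negotiated parameters" check from slide 18.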

  19. The Ingate Solution… Fully SIP-Capable Firewalls
  (Diagram: normal firewalls block SIP; the Ingate Firewall®, with built-in SIP proxy and registrar, passes it.)

  20. You Don’t Need to Replace your Firewall!
  (Diagram: an Ingate SIParator® placed in the DMZ of a normal firewall SIP-enables any firewall.)

  21. The Ingate Family
  • Firewall® 1880 & SIParator® 88
  • Firewall® 1600 & SIParator® 60
  • Firewall® 1450+ & SIParator® 45+
  • Firewall® 1450 & SIParator® 45
  • Firewall® 1180 & SIParator® 18
  Capacity tiers listed on the slide, from the largest model down: 800 Mbit/s and 800 RTP sessions; 385 Mbit/s and 500 RTP sessions; 310 Mbit/s and 240 RTP sessions; 120 Mbit/s and 150 RTP sessions; 30 Mbit/s and 30 RTP sessions.

  22. Bringing SIP to the Enterprise Please contact me at any time: Steve Johnson President Mail & SIP: steve@ingate.com Mobile: 1-603-557-7918 Direct: 1-603-883-6569
