Efficient Telecommunication Infrastructure with Internet Telephony (VoIP)

Post on 08-May-2015


description

Get to know what Voice over IP is, how it works and how to use it.

transcript

1

Thomas Siegers
Songfuli Co., Ltd.

3 July 2007

Efficient Telecommunication Infrastructure with Internet Telephony (VoIP)

2

Information

Hosted by:
American Chamber of Commerce Taiwan
Communications Technology Workshop

This presentation is publicly available at:
http://www.slideshare.net/thomasjs

This presentation is published under the Creative Commons Attribution Share Alike License.
For more information, see http://creativecommons.org/about/licenses/

3

Agenda

Introduction
Basics of telephony and networking
Skype
SIP protocol
Hardware
Service providers
Integration into network and telephone system
Scenarios and examples

2 hours
30 minutes

4

Hype Cycle

www.gartner.com – 2006

5

Introduction

Internet Telephony
VoIP – Voice over IP (IP – Internet Protocol)

Pro: more economical
- no telephone charge for computer-to-computer calls*
- charge of a local call for computer-to-telephone calls
*) except for the charge for network access

Con: more complicated and less reliable
- relies on electric power
- emergency calls cannot be mapped to location
- network: connection interruptions, packet loss
- security: easier to trace calls over the Internet
- configuration: firewall traversal

6

Return on Investment

[Chart: Accumulated cost over 6 months; x-axis: months (1 to 6), y-axis: NTD (ticks 0 to 140); series: CHT, VoIP]

60 min calls per day to Germany, 20 days per month

CHT 16 NTD/min, VoIP 1 €¢/min

Investment for VoIP 100,000 NTD

ROI after 5 months, after that savings of >18,500 NTD/month

7

How does it work?

Computer + sound card + headset + software

Network

Telephone adapter + analog telephone

Computer converts voice into digital signals.

Network transports digital signals as data packets.

Telephone adapter converts digital signals into voice.

8

Telephony

PSTN - Public Switched Telephone Network

POTS - Plain Old Telephone Service

ISDN - Integrated Services Digital Network

PBX - Private Branch Exchange

FXO - Foreign Exchange Office

FXS - Foreign Exchange Station

9

PSTN

PSTN – Public Switched Telephone Network

Circuit-Switching

[Diagram: network of interconnected telephone exchanges (TX)]

TX - Telephone Exchange

10

PBX

[Diagram: Extensions, FXS, FXO, Trunk, PSTN]

PBX = PABX – Private Automatic Branch Exchange

FXO – goes on-hook and off-hook

FXS – provides power, ring signal, dial tone

11

Network

Packet-Switching

[Diagram: network of interconnected routers (R) with Server and Clients]

R – Router

12

Layer Concept

[Diagram: Address, Sender, Network, Transport, Service, Delivery, Message, Registered]

13

Protocol Stack

ISO/OSI*          Internet            Examples
7 Application     Application         www: HTTP, FTP, DNS
6 Presentation                        mail: SMTP, POP, IMAP
5 Session                             p2p: SIP, eD2k, XMPP
4 Transport       Transport           TCP, UDP, NetBEUI, WAP
3 Network         Internet            IP, IGMP, ICMP, IPsec, ARP
2 Data Link       Network Access**    PPP, L2TP, GPRS, ATM, FR
1 Physical                            Ethernet, USB, Wi-Fi, ISDN

*) ISO – International Organization for Standardization, OSI – Open Systems Interconnection
**) original TCP/IP model, recently 5-layer model with data link and physical layer

14

TCP/IP Packet

IP-packet: header (source address, destination address) + data (TCP-packet)

TCP-packet: header (source port, destination port) + data (application data: HTTP, FTP, SMTP)

15

Request – Response

Client: IP-address 10.0.0.100, TCP-port >1024

Server: IP-address 203.66.88.89, TCP-port 80

Request (HTTP): Source 10.0.0.100:1234, Destin. 203.66.88.89:80

Response: Source 203.66.88.89:80, Destin. 10.0.0.100:1234

16

Network Address Translation

NAT, IP masquerading

Address shortage of IP ver. 4
32 bit => 4 G ~ 4 billion addresses

Address ranges only for private use
class A : 10.x.x.x, class B : 172.16.x.x – 172.31.x.x, class C : 192.168.x.x

Internet gateway (firewall) translates between private and public addresses.

Firewall rules:
request LAN -> Internet : allow
response Internet -> LAN : allow
request Internet -> LAN : deny

The Internet can only connect to the LAN when the LAN has sent a request before.

[Diagram: LAN, NAT, Internet]

17

Peer-to-Peer Communication

Peer-to-Peer (P2P)
VoIP, file sharing, instant messaging

VoIP Protocols
two protocols involved: SIP and RTP
SIP - session initiation protocol: signalling, UDP port 5060
RTP - real-time transport protocol: voice communication, UDP port range 10000-20000

NAT Traversal
- different kinds of NAT: symmetric, asymmetric
- UDP hole punching
- STUN - Simple Traversal of UDP through NATs
  necessary when both clients are behind NAT
  doesn’t work with symmetric NAT
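
Added example (not part of the original slides): a toy Python model of the firewall rules and of UDP hole punching with STUN. A NAT that reuses one public port per client keeps the STUN-learned endpoint valid, while a symmetric NAT picks a new port per destination, so the peer sends to the wrong port. Assumptions: port-restricted filtering, and the Nat class, hole_punch function and all addresses are hypothetical, constructed for illustration.

```python
from dataclasses import dataclass, field

STUN = ("198.51.100.1", 3478)  # constructed STUN server endpoint

@dataclass
class Nat:
    """Toy NAT gateway with port-restricted filtering (hypothetical model)."""
    public_ip: str
    symmetric: bool = False   # True: a new public port per destination
    next_port: int = 40000
    maps: dict = field(default_factory=dict)   # mapping key -> public port
    holes: dict = field(default_factory=dict)  # public port -> (private, remotes)

    def outbound(self, src, dst):
        """Request LAN -> Internet: allowed; creates or reuses a mapping."""
        key = (src, dst) if self.symmetric else src
        if key not in self.maps:
            self.maps[key] = self.next_port
            self.holes[self.next_port] = (src, set())
            self.next_port += 1
        port = self.maps[key]
        self.holes[port][1].add(dst)       # replies from dst are now allowed
        return (self.public_ip, port)      # source endpoint seen outside

    def inbound(self, remote, public_port):
        """Internet -> LAN: delivered only if the LAN contacted remote first."""
        private, remotes = self.holes.get(public_port, (None, ()))
        return private if remote in remotes else None

def hole_punch(sym_a=False, sym_b=False):
    """Return True if two clients behind NAT can reach each other."""
    nat_a, nat_b = Nat("203.0.113.10", sym_a), Nat("203.0.113.20", sym_b)
    a, b = ("10.0.0.100", 5060), ("192.168.1.20", 5060)
    pub_a = nat_a.outbound(a, STUN)        # STUN reports each public endpoint
    pub_b = nat_b.outbound(b, STUN)
    from_a = nat_a.outbound(a, pub_b)      # both sides send to the endpoint
    from_b = nat_b.outbound(b, pub_a)      # the other learned via STUN
    a_to_b = nat_b.inbound(from_a, pub_b[1]) == b
    b_to_a = nat_a.inbound(from_b, pub_a[1]) == a
    return a_to_b and b_to_a

if __name__ == "__main__":
    print("unsolicited:", Nat("203.0.113.10").inbound(("198.51.100.99", 5060), 40000))
    print("both reuse ports:", hole_punch())
    print("one symmetric:", hole_punch(sym_a=True))
```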

18

UDP Hole Punching

Before Process After

19

UDP Hole Punching Process

20

Firewall Application Filter

21

Skype

Peer-to-peer Internet telephony (VoIP) network

Software is free, but not open source

Proprietary protocol, traffic encrypted

Founded by the founders of the file sharing application Kazaa

Acquired by eBay in October 2005

Easy to deploy even behind firewall and NAT

Heavy use of network bandwidth and other resources

Difficult to integrate into organization’s security strategy

22

Getting Granular on Skype

2004 – Columbia University, New York, USA
An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol
http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf
Analysis of network structure and traffic

2006 - EADS Corporate Research Center, France
Silver Needle in the Skype
http://www.secdev.org/conf/skype_BHEU06.handout.pdf

The developers of Skype made an immense effort to prevent reverse engineering, i.e. getting an inside view. The Skype client detects when it is running within a debugger and then changes its behavior. Parts of its code are encrypted and are decrypted at runtime.

23

Problems with Skype

From a network security administrator point of view
- Almost everything is obfuscated
- Peer to peer architecture
- Traffic even when the software is not used

From a system security administrator point of view
- Many protections, anti-debugging tricks, ciphered code
- A product that works well for free from a company not involved in Open Source?!

The Chief Security Officer point of view
- Is Skype a backdoor?
- Can I distinguish Skype’s traffic from real data exfiltration?
- Is Skype a risky program for my sensitive business?

24

Conclusion

Good points
- Skype was made by clever people
- Good use of cryptography

Bad points
- Hard to enforce a security policy with Skype
- Jams traffic, can’t be distinguished from data exfiltration
- Incompatible with traffic monitoring, IDS
- Impossible to protect from attacks (which would be obfuscated)
- Total blackbox. Lack of transparency.
- No way to know if there is/will be a backdoor
- Fully trusts anyone who speaks Skype.

25

SIP Protocol

SIP – session initiation protocol
- application layer protocol used for Internet telephone calls, multimedia distribution, and multimedia conferences
- standardized by the Internet Engineering Task Force (IETF)
- open specification: RFC 3261 (like all Internet standards)

SIP - The De-facto VoIP Standard
http://en.wikipedia.org/wiki/SIP_Telephony#SIP_-_The_De-facto__VoIP_Standard

SIP – signalling, UDP port 5060
RTP – real-time transport protocol
voice communication, UDP port range 10000-20000

Codec – audio data compression algorithm for voice
G.729a – 8 kbps, G.711 – 64 kbps,
G.723 obsolete, superseded by G.726 – 16-40 kbps
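
Added example (not part of the original slides): SIP signalling on port 5060 carries an SDP body that names the address, RTP port and codecs for the voice stream, which is what a firewall or VoIP gateway has to inspect. The INVITE below is constructed sample data, and media_offer and traversal_issues are hypothetical helper names.

```python
import ipaddress

# Constructed SIP INVITE with SDP body (sample data, not from the slides).
INVITE = (
    "INVITE sip:740218@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.100:5060\r\n"
    "From: <sip:alice@example.com>;tag=1\r\n"
    "To: <sip:740218@example.org>\r\n"
    "Call-ID: constructed-1@10.0.0.100\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 10.0.0.100\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.100\r\n"
    "t=0 0\r\n"
    "m=audio 10500 RTP/AVP 18 0\r\n"
)

# Static RTP payload types (RFC 3551) with the bit rates named on the slide.
CODECS = {0: ("G.711 u-law", 64), 8: ("G.711 A-law", 64), 18: ("G.729", 8)}

def media_offer(message):
    """Extract where the caller asks to receive RTP, from the SDP body."""
    head, _, body = message.partition("\r\n\r\n")
    offer = {"method": head.split(" ", 1)[0], "addr": None, "port": None, "codecs": []}
    for line in body.splitlines():
        kind, _, value = line.partition("=")
        if kind == "c":                      # c=IN IP4 <address>
            offer["addr"] = value.split()[2]
        elif kind == "m" and value.startswith("audio"):
            fields = value.split()           # audio <port> RTP/AVP <types...>
            offer["port"] = int(fields[1])
            offer["codecs"] = [CODECS.get(int(pt), ("unknown", None)) for pt in fields[3:]]
    return offer

def traversal_issues(offer, rtp_range=(10000, 20000)):
    """Checks a gateway or firewall admin would make on the offer."""
    issues = []
    if ipaddress.ip_address(offer["addr"]).is_private:
        issues.append("private address in SDP: peer cannot send RTP to it")
    if not rtp_range[0] <= offer["port"] <= rtp_range[1]:
        issues.append("RTP port outside the opened range")
    return issues
```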

26

SIP – open protocol => everyone can offer services for it

VoIP provider is connected to both Internet and PSTN.
Over 2000 SIP VoIP providers

Dialing between providers
e.g. FreeWorldDialup no. 740218 => *393 740218
http://www.sipbroker.com/sipbroker/action/providerWhitePages

Advanced Features
- monthly rate, flat rate
- unlimited local and distance calling
- voicemail, call forwarding, caller ID
- dial-in number with home area code
- direct inward dialing (DID)
- fax receipt with e-mail notification

VoIP Provider

27

VoIP Services

[Diagram: PSTN, Internet, Gateway, VoIP Provider; Computer, Soft Phone & Headset; IP Telephone; Analog Telephone]

1) VoIP call – free
2) dial-out – charged
3) dial-in – charged

28

SIP – open protocol => everyone can build devices for it

Router

Analog Telephony Adapter (ATA)

SIP-Phone

Wireless Phone

USB-Devices

Integrated Systems

Large Systems

Hardware bundled by VoIP providers
http://www.voipbuster.com/en/hardware.html
http://www.sipgate.de/voipshop

VoIP Hardware

29

Router

ADSL Internet access

VoIP (SIP)

FXS, (FXO)

Packet filter

VPN (virtual private network)

WLAN (wireless LAN)

30

Analog Telephony Adapter ATA

connects standard analog telephones to a VoIP network

31

SIP-Phone

Connected to LAN or directly to the Internet

Bridge to PC to share network cable

32

Wireless Phone

Wireless USB phones

USB Bluetooth phones

Wi-Fi phones

33

USB-Devices

Headsets

USB-Phones

Wireless USB-Phones

34

Integrated Systems

Multiple analog ports

FXS, FXO

PBX

Firewall

VPN-gateway

WLAN

ISDN

35

Large System

Used by VoIP Providers

SIP Proxy Server

T1/E1 Gateway

RTP Resource Server

Session Border Controller

Voice Mail, Auto-Attendant

Application Server

Conference Server

IP Recorder

Billing server

Universal SIP/H.323 Signal Converter

36

IP PBX

Software PBX
Can be installed on standard hardware
from PC to Unix-server

Additional hardware required
connection to POTS (FXO/FXS) or ISDN

Embedded appliances available

Asterisk
popular open source software, another is sipX
Linux distributions: Trixbox, AstLinux, AsteriskNOW
used as basis for embedded appliances
used by leading VoIP providers, e.g. iotum*
*) iotum was named “Cool Vendor” in Enterprise Communications by Gartner in 2007
http://www.asterisk.org

37

Asterisk

Analog cards
PCI bus, half or full length
1-8 FXO/FXS interfaces

Digital cards
PRI E1/T1, ISDN

Appliance
IP-PBX embedded in device with analog interfaces

Developer kits
version ITSPs, OEMs, resellers, and integrators

38

IP-PBX

Software PBX
embedded in robust hardware
mostly based on Asterisk
configurable via web browser

Primary rate interface
23 (T1) or 30 (E1) channels

Multiple extensions
FXS or ISDN

39

Application Examples

Integration with PBX
- VoIP gateway without PBX
- VoIP gateway with PBX connected via FXS
- VoIP gateway with PBX connected via FXO

Integration with Network
- VoIP gateway as Firewall
- VoIP gateway in LAN with private IP address
- VoIP gateway in DMZ with private IP address
- VoIP gateway in DMZ with public IP address

IP-PBX
- SIP only / SIP and Skype

40

VoIP Gateway without PBX

[Diagram: PSTN, Internet, LAN, FXS, FXO, VoIP]

41

VoIP Gateway

42

VoIP Gateway with PBX (FXS)

[Diagram: PSTN, Internet, PBX, FXS, FXO, VoIP]

43

VoIP Gateway with PBX (FXO)

[Diagram: PSTN, Internet, PBX, FXS, FXO, VoIP]


45

VoIP Gateway in LAN

[Diagram: Internet, FW, LAN, VoIP Provider, STUN, NAT, public IP address, private IP address, VoIP]

FW – firewall

LAN – local area network

46

VoIP Gateway in DMZ

[Diagram: Internet, FW, LAN, DMZ, NAT, public IP address, private IP address, VoIP]

DMZ – demilitarized zone

47

VoIP Gateway with public IP

[Diagram: Internet, outer firewall (FW), inner firewall (FW), LAN, DMZ, NAT, public IP address, private IP address, VoIP]


49

IP-PBX

[Diagram: PSTN, Internet, FW, LAN, analog telephone, digital (IP) telephone, IP-PBX, FXS, FXO]

50

SIP and Skype

[Diagram: PSTN, Internet, PBX, FXS, FXO, LAN, VoIP; PC, FXS-card, Skype software]

51

VoIP Scenarios

Transfer call between two VoIP Providers
- dial via caller’s VoIP provider
- transfer call to company’s VoIP provider
- transfer call to company’s internal extension

Transfer incoming call to teleworker
- teleworker is registered to company’s PBX (no provider)
- customer calls in via PSTN
- company’s operator transfers call to teleworker*

Set up multi-location corporate infrastructure
- headquarters serves as central registrar (no provider)
- branch offices register to headquarters

*) http://en.wikipedia.org/wiki/Teleworker

52

Two VoIP Providers

[Diagram: PSTN, Internet, PBX, FXS, FXO, VoIP provider A, VoIP provider B, Operator, Extension, Caller, VoIP]

53

Teleworker

[Diagram: PSTN, Internet, PBX, FXS, FXO, Customer, Teleworker, Operator, Mobile Worker, Wi-Fi, VoIP]

54

Corporate Infrastructure

[Diagram: PSTN, Internet, PBX, FXS, FXO, Customer, Sales Office, Factory, VoIP]

55

Q & A

Thomas Siegers
Songfuli Co., Ltd.

Taipei, Taiwan
松福禮股份有限公司

http://www.songfuli.com
thomas.siegers@songfuli.com

http://www.slideshare.net/thomasjs