Post on 02-Apr-2015
transcript
Intertex Data AB, Sweden
VoIP to the Edge:
Firewalls - The Missing Link
Prepared for: Voice On the Net, Fall 2001
By: Karl Erik Ståhl
President Intertex Data AB
Chairman Ingate Systems AB
karl.stahl@intertex.se
© 2001 Intertex Data AB, All Rights Reserved
Moderator: Matt Noah
VoIP as we have seen it…
[Diagram: two PCs connected over the Internet, one asking "Wanna talk to me?"]
Do we want the PC as a phone?
[Diagram: gateway, Internet, gateway, linking STO and LA]
Are cheaper phone bills all we want?
VoIP as we have seen it…
VoIP between branch offices
[Diagram: Europe and US branch offices, each with a gateway to the PSTN and an IP network, joined by a VPN over the Internet]
- But NOT globally to others!
Hmm, didn’t we pass this stage…
Paper was a very compatible medium; so is POTS today…
But we need to move beyond!
[Diagram: Organization 1 (Email system 1) and Organization 2 (Email system 2), each with printer and fax, still exchanging paper by fax over the PSTN]
Time to Get IP Telephony Out to Edge
Wouldn’t that be fine?
[Diagram: black phone (RJ11) and IP phone (RJ45) on the LAN/intranet, reaching the Internet via an IAP and the PSTN]
VoIP and SIP Services Out to the Edge
[Diagram: SIP server and SIP/PSTN gateway on the Internet; IP phones on a home LAN (DSL/cable/MTU) and a business LAN, each behind a NAT/firewall, plus an operator network with NAT; labels XP and PIM; callout: "Firewall/NAT problems!"]
Current status: SIP is the protocol for IP communication person to person, BUT IT DOES NOT REACH THE EDGE!
SIP Firewall Problems
Firewall Problems:
Sessions initiated from outside of the firewall
- OK, open port 5060, but…
Media streams on dynamically allocated port numbers
- Ooops…!
Even with public IP addresses inside
SIP NAT/PAT Problems
NAT & PAT Problems:
Where is the device?
- Registration/location function
Private IP addresses and ports in SIP messages
- Rewrite with globally routable addresses
IP address and port of media stream has to be modified
- NAT engine has to be dynamically controlled
Worse with private IP addresses inside
Suggested Solutions
SIP aware Firewall/NATs (SIP ALG)
[Intertex (SOHO), Ingate (enterprise), …]
Dynamically controlled Firewall/NATs [Aravox, …]
- Midcom: By Firewall Control Proxy [Dynamicsoft…]
- uPnP: By the client (Windows) [Microsoft]
Modifying the SIP protocol
Draft in progress: http://www.ietf.org/internet-drafts/draft-rosenberg-sip-entfw-02.txt
Adding SIP Support to a Firewall
Important components:
Dynamic Firewall Engine
SIP Proxy Server, controlling the firewall
SIP Registrar, user location information
Communication between SIP Proxy and firewall
[Diagram: SIP Proxy with User Location talking to the Firewall & NAT over a Firewall Control Protocol]
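What the SIP proxy that controls the firewall actually has to do for the problems listed on the firewall and NAT/PAT slides, as an added Python example that is not Intertex's or Ingate's code: it rewrites the inside host's address in Via, Contact and the SDP c= line, hands out public ports for every m= line, returns the RTP/RTCP pinholes the dynamic firewall engine must open, and closes them again on BYE. The class name, the public address 203.0.113.9 and the sample messages are constructed, and the signalling port is assumed to be statically forwarded.

```python
import re

class SipAlg:
    # Core of a SIP-aware firewall/NAT (hypothetical class, not a product's code):
    # rewrite private addresses in SIP/SDP and derive the media pinholes to open.
    def __init__(self, public_ip, first_port=30000):
        self.public_ip = public_ip   # outside address of the NAT
        self.next_port = first_port  # public UDP ports handed out for media
        self.pinholes = {}           # Call-ID -> [(public_port, inside_ip, inside_port)]

    def process(self, msg):
        """Return (message to forward, pinholes opened by an INVITE or closed by a BYE)."""
        head, _, body = msg.partition("\r\n\r\n")
        call_id = re.search(r"^Call-ID:\s*(\S+)", head, re.M).group(1)
        # Via and Contact name the inside host; replies and later requests from the
        # Internet must go to the NAT's public address instead. The signalling port
        # is assumed to be statically forwarded, so only the IP address is changed.
        inside_ip = re.search(r"^Via:.*?(\d+\.\d+\.\d+\.\d+)", head, re.M).group(1)
        head = re.sub(r"^((?:Via|Contact):.*?)" + re.escape(inside_ip),
                      lambda m: m.group(1) + self.public_ip, head, flags=re.M)
        if head.startswith("BYE "):  # call over: every pinhole of this call is closed
            return head + "\r\n\r\n" + body, self.pinholes.pop(call_id, [])
        opened = []
        if body:  # SDP tells where the media will flow, on ports chosen per call
            media_ip = re.search(r"^c=IN IP4 (\S+)", body, re.M).group(1)

            def media(m):  # one m= line per RTP stream: allocate a public port pair
                inside_port = int(m.group(2))
                pub, self.next_port = self.next_port, self.next_port + 2
                opened.append((pub, media_ip, inside_port))          # RTP, even port
                opened.append((pub + 1, media_ip, inside_port + 1))  # RTCP, odd port
                return f"{m.group(1)}{pub}{m.group(3)}"

            body = re.sub(r"^(m=\w+ )(\d+)( .*)$", media, body, flags=re.M)
            body = re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {self.public_ip}", body, flags=re.M)
            # The rewritten body may differ in length; a stale Content-Length breaks parsing.
            head = re.sub(r"^Content-Length:\s*\d+", f"Content-Length: {len(body)}", head, flags=re.M)
            self.pinholes[call_id] = opened
        return head + "\r\n\r\n" + body, opened

# Constructed sample traffic: an INVITE from a phone on a private LAN, then its BYE.
SDP = "v=0\r\nc=IN IP4 192.168.1.20\r\nm=audio 49170 RTP/AVP 0\r\n"
INVITE = ("INVITE sip:bob@example.org SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776\r\n"
          "Call-ID: a84b4c76e66710\r\nContact: <sip:alice@192.168.1.20:5060>\r\n"
          f"Content-Length: {len(SDP)}\r\n\r\n" + SDP)
BYE = ("BYE sip:bob@example.org SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK777\r\n"
       "Call-ID: a84b4c76e66710\r\nContent-Length: 0\r\n\r\n")
```

`SipAlg("203.0.113.9").process(INVITE)` returns the rewritten INVITE together with the two pinholes (30000/30001 mapped to 49170/49171 on 192.168.1.20); feeding the BYE afterwards returns the same list as the pinholes to close.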
NAT Friendly SIP Draft
[Diagram: IP phones on LANs behind firewall/NAT; SIP Registrar and SIP Bounce Server on the Internet; RTP and signalling paths; callout: "Not easy! All SIP clients need upgrade"]
If both parties are behind firewalls, RTP streams must bounce through a server
RTP media streams always start from inside
Keep registrar NAT path (TCP or UDP) always open by frequent registrations
Route new signalling through this open path
Firewall/NAT SIP transparency!
SIP Enabling the Private Networks
[Diagram: the "Firewall/NAT problems!" network from before, now with an inGate Firewall and a DMZ inGate SIParator in front of the business LAN and an IX66 at the home LAN (DSL/cable/MTU, IAP); SIP server and SIP/PSTN gateway on the Internet, operator network with NAT, IP phones on each private network]
Product Examples – Ingate Systems AB
A Complete Firewall: inGate Firewall
An add-on to an Existing Firewall: DMZ inGate SIParator, placed beside the existing firewall
Both provide: Firewall & NAT/PAT, SIP Proxy, SIP Registrar
Enterprise Products
Product Examples – Intertex Data AB
IX66 Internet Gate, with or without ADSL modem built-in
OEM as: Telia SurfinBird Gate, PowerBit SafeGate
SOHO Products
The Intertex IX66 Internet Gate
A closer look
Firewall & NAT/PAT
SIP Proxy and Registrar
DHCP Server and Client
WEB Server for configuration
SIP Appliance Control, LAC via expansion port
[Photo: IX66 front panel]
The Intertex IX66 Internet Gate
Goodies
Two Ethernet and one USB port
Expansion port, e.g. for appliance control
Smart Card Reader
Upgradeable
[Photo: IX66 rear panel with ON, DC, USB, ET2, ET1, EXP, LINE and PHONE connectors]
Optional ADSL Built-in
See Intertex and inGate!
SIP Enabled Firewalls!
Ingate Systems AB, www.ingate.com
Lundagatan 31, SE-117 27 Stockholm, Sweden
CEO Olle Westerberg, olle.westerberg@ingate.com, Tel +46 8 720 89 31
Booth #724 Booth #722
Intertex Data AB, www.intertex.se
Rissneleden 45, SE-174 44 Sundbyberg, Sweden
President Karl Erik Ståhl, karl.stahl@intertex.se, Tel +46 8 6282828