Dealing with NATs and Firewalls!
Prepared for: Fall VON 2003 Boston
By: Karl Erik Ståhl
President Intertex Data AB
Chairman Ingate Systems AB
© 2003 Intertex Data AB, © 2003 Ingate Systems AB. Moderator: G. Hamilton
How do we connect?
[Diagram labels: PSTN, GSM, 3G, IP, XP, SERVER; “Non Real Time OR Real Time”]
VoIP: Still island interworking over the PSTN! Just like message handling before the mid 90s…
Paper was a very compatible medium - So is POTS today…
But isn’t it time to move beyond?
[Diagram: Organization 1 with Email system 1 and Organization 2 with Email system 2, exchanging messages by printer and fax over the PSTN]
Everyone has a connection…
We have a global single new network…
…but it is seldom used for person to person communication!
[Diagram: IP Phones on a SOHO LAN and an Enterprise LAN, an XP PC and a PIM, all reaching the IP network through an Operator Network]
…and are rapidly moving towards a single protocol!
SIP – Session Initiation Protocol
An Internet Standard
Used for live person-to-person IP Communication: VoIP, IP Telephony
Audio, Video, Data Collaboration
Presence, Instant Messaging
Lots of activity, ongoing work and development
“Everyone” is on the wagon: MCI/Worldcom, Microsoft, Nortel, AT&T, Alcatel, Siemens, Sprint…
So There is a Big Potential!
HTTP created the Web
SMTP created Email
SIP can create universal live IP Communication person-to-person!
The Next Big Usage of the Internet!
A. Go beyond replacing sections of the PSTN by IP! The PSTN is something to interwork with, not the core to build around!
B. Go beyond the “quality” and “services” of the PSTN! The mobile phone world has shown that there is more than “black telephony”! POTS is 50-100 years old!
C. Get connectivity out to the end users! Aren’t we there??? THE TICKING BOMB!
How do we get there?
[Diagram, “Everyone has a connection”: IP Phones on a SOHO LAN and a Business LAN behind NAT/Firewalls, an XP PC and a PIM behind an operator network with NAT (DSL/Cable/MTU), a SIP Server at the IAP, and a SIP/PSTN Gateway to the PSTN; labelled “Firewall/NAT problems!”]
So, why don’t we just connect?
SIP is the Protocol for Live Person-to-Person Communication,
BUT IT DOES NOT REACH THE EDGE!
SIP does not traverse common NATs and Firewalls! And they are still being installed…
SIP Firewall Problems
Firewall Problems:
Sessions initiated from outside the firewall
- OK, open port 5060, but…
Media streams on dynamically allocated port numbers
- Ooops… !
Even with public IP addresses inside
SIP NAT/PAT Problems
NAT & PAT Problems:
Where is the device?
- Registration/location function
Private IP addresses and ports in SIP messages
- Rewrite with globally routable addresses
IP address and port of media stream has to be modified
- NAT engine has to be dynamically controlled
Worse with private IP addresses inside
Suggested Solutions
Dynamically controlled Firewall/NATs
Midcom: By Firewall Control Proxy
UPnP: By the client (Windows)
SIP aware Firewall/NATs (SIP Proxy + Registrar)
General, handles complex scenarios, PBX functionality
[Intertex (SOHO), Ingate (enterprise), …]
SIP aware Firewall/NATs (SIP ALG – non Proxy)
TLS not possible
STUN, TURN, ICE: Can cope with certain types of existing NATs
Complexity has grown in the effort to make them reliable and handle more NATs. Needs to be implemented in the SIP clients and in servers on the net. Still, tight firewalls can not be handled.
Tunnelling - Brings the SIP client to an operator or a corporate LAN
Requires an ALG for each client on a LAN with its own address space
IPSec, Proprietary
Adding General SIP Traversal to a Firewall
Important components:
Firewall & NAT
Dynamic Firewall Engine
SIP Proxy
SIP Proxy Server, controlling the firewall
User Location
SIP Registrar, user location information
Firewall Control
Protocol for communication between SIP Proxy and firewall
In the Ingate and Intertex products:
You got a SIP server! Use it just for firewall traversal AND/OR as your:
- SIP Server
- Outbound proxy
- Inbound proxy
- PBX (The SIP Switch)
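As an added illustration (not Ingate or Intertex code) of what the SIP Proxy has to tell the Dynamic Firewall Engine for each call, the toy below parses the SDP of an outbound INVITE, rewrites the private address and media ports the way the NAT/PAT slide describes, and lists the pinholes to open; the outside address 203.0.113.10, the port pool from 20000 and the sample SDP are constructed.

```python
"""Toy model of a SIP proxy controlling a firewall/NAT engine: parse the SDP in
an outbound INVITE, rewrite private address/ports to the public side, and derive
the per-call NAT bindings and pinholes. All values below are constructed."""
import ipaddress
import re

PUBLIC_IP = "203.0.113.10"   # constructed: the firewall's outside address
FIRST_PUBLIC_PORT = 20000    # constructed: start of the public RTP port pool

# Constructed SDP offer from a phone on a private LAN (RTP on the m= port, RTCP on port + 1).
SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)

def parse_media(sdp):
    """Return (connection address, [(media type, port), ...]) from an SDP body."""
    conn = re.search(r"^c=IN IP4 (\S+)", sdp, re.M).group(1)
    media = [(m.group(1), int(m.group(2)))
             for m in re.finditer(r"^m=(\w+) (\d+) ", sdp, re.M)]
    return conn, media

def sip_aware_nat(sdp, public_ip=PUBLIC_IP, first_port=FIRST_PUBLIC_PORT):
    """Return (rewritten SDP, bindings, pinholes) for one offer.
    bindings maps (private ip, private port) -> public port (empty when the phone
    already has a public address); pinholes lists the (ip, port) pairs the firewall
    engine must open for exactly this call and close again when the call ends."""
    conn, media = parse_media(sdp)
    private = ipaddress.ip_address(conn).is_private
    bindings, pinholes, out, next_port = {}, [], sdp, first_port
    for mtype, port in media:
        for off in (0, 1):                      # RTP, then RTCP
            if private:
                bindings[(conn, port + off)] = next_port + off
                pinholes.append((public_ip, next_port + off))
            else:                               # public address inside: open as-is
                pinholes.append((conn, port + off))
        if private:
            out = re.sub(rf"^m={mtype} {port} ", f"m={mtype} {next_port} ", out, flags=re.M)
            next_port += 2
    if private:                                 # rewrite the c= and o= lines too
        out = out.replace(f"IN IP4 {conn}", f"IN IP4 {public_ip}")
    return out, bindings, pinholes
```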
What have you got?
SIP Enabling the Private Networks
[Diagram, before, “Firewall/NAT problems!”: IP Phones on an office or home LAN and on an Enterprise LAN behind NAT/Firewalls, an operator network with NAT (DSL/Cable/MTU), a SIP Server and a SIP/PSTN Gateway to the PSTN, all across the Internet. After, “Firewall/NAT SIP transparency!”: an inGate Firewall or an inGate SIParator in the DMZ for the Enterprise LAN, and an Intertex IX66 (front panel shown) connected to the IAP]
A Future of Live All IP Connectivity
SIP capable firewalls make the difference!
Internet: Just Another Internet Service…
[Diagram: Ingate Linköping LAN and Intertex Stockholm LAN in Sweden, each behind an inGate Firewall or IX66 with a DMZ inGate SIParator; a SOHO LAN with Home Office Users behind an IX66; an Enterprise LAN behind an inGate Firewall; Networks Telecom; the Boston VON Booth#421 in the USA; all on the Internet with DNS SRV and ENUM, plus a SIP/PSTN Gateway to the PSTN. ENUM demo numbers: +43 1 25397 531, +43 1 25397 521, +43 1 25397 522, +43 1 25397 513, +43 1 25397 511, +43 1 25397 512]
Use as Your Main SIP Server
Your own SIP server ready to go!
Firewall traversal requires NO setup!
Features can be applied to other SIP server domains also
Get a DNS entry! DynDNS if you don’t have a fixed IP address
Dial Plan with ENUM and Authentication
Use both URLs and E.164 numbers conveniently
Mimics PBX, e.g. dial 9 for PSTN
ENUM checking before passing to PSTN gateway
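The dial plan and ENUM check above, as an added sketch (not Ingate's implementation): the country code +46, the gateway host pstngw.example.com and the ENUM records are assumptions, and a real deployment would query NAPTR records in DNS instead of the dictionary.

```python
"""Added dial-plan sketch (not Ingate's implementation): PBX-style "9" for an
outside line, E.164 to ENUM domain mapping per RFC 3761, NAPTR regexp
rewriting, and the PSTN gateway as fallback. ENUM data below is constructed."""
import re

COUNTRY_CODE = "+46"                   # assumption: site in Sweden
PSTN_GATEWAY = "pstngw.example.com"    # hypothetical SIP/PSTN gateway host

# Constructed stand-in for NAPTR answers from e164.arpa:
# domain -> [(order, preference, service, regexp), ...]
FAKE_ENUM = {
    "1.3.5.7.9.3.5.2.1.3.4.e164.arpa": [
        (100, 10, "E2U+sip", "!^.*$!sip:booth421@example.com!"),
    ],
}

def enum_domain(e164):
    """+43 1 25397 531 -> 1.3.5.7.9.3.5.2.1.3.4.e164.arpa"""
    digits = re.sub(r"\D", "", e164)
    return ".".join(reversed(digits)) + ".e164.arpa"

def apply_naptr_regexp(rule, target):
    """Apply a NAPTR regexp field (!pattern!replacement!) to target, or None."""
    delim = rule[0]
    _, pattern, repl, _ = rule.split(delim)   # \1.. backrefs are Python-compatible
    return re.sub(pattern, repl, target) if re.search(pattern, target) else None

def route(dialed, enum_records=FAKE_ENUM):
    """Return the SIP URI a dialled string should be sent to, or None."""
    if "@" in dialed:                          # a SIP URL: use it as is
        return dialed if dialed.startswith("sip:") else "sip:" + dialed
    if not dialed.startswith("9"):
        return None                            # internal extension: not handled here
    number = dialed[1:]                        # strip the PBX "9" outside-line prefix
    if number.startswith("00"):
        e164 = "+" + number[2:]                # international format
    elif number.startswith("0"):
        e164 = COUNTRY_CODE + number[1:]       # national format
    else:
        return None
    for _, _, service, rule in sorted(enum_records.get(enum_domain(e164), [])):
        if service == "E2U+sip":
            uri = apply_naptr_regexp(rule, e164)
            if uri:
                return uri                     # ENUM hit: the call stays on IP
    return f"sip:{e164}@{PSTN_GATEWAY};user=phone"   # fallback: PSTN gateway
```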
User Accounts
Speed Dial
Mapping of incoming PSTN call
Authentication
Forwarding, Forking
Voice mail forwarding
Restriction of Incoming Callers
Allow callers based on various criteria
SPAM calling may need to be controlled…
Or blacklist unwanted callers
(Although easy to bypass)
SIP Capable Firewalls!
Rissneleden 45, SE-174 44 Sundbyberg, Sweden. Tel +46 8 6282828
Intertex Data [email protected]
See us in booth 421!