Date post: | 16-Dec-2015 |
Upload: | lillian-poole |
Managed SIP Trunk Connected to Separate Enterprise VoIP LAN in Operator’s Space
[Diagram labels: PSTN; Public Internet; SIP Trunking Provider Network; GW; SIP System; Data LAN; Firewall; IP-PBX; Managed SIP Trunk; VoIP LAN??]
No Remote Users!
No Soft or Multimedia Clients!
Operator: Security Warning!
Enterprise: Security Warning!
Managed SIP Trunking with SBC Adapting SIP to NAT:ed Space of the Enterprise LAN
[Diagram labels: PSTN; Public Internet; GW; SIP System; VoIP & Data LAN; Firewall; IP-PBX; Managed SIP Trunk; Other customers; SIP Trunking Provider Network]
No Remote Users!
Enterprise: Can we trust having our LAN pulled to the operator?
Ingate Firewall® Creating a Common Data and VoIP LAN for Managed SIP Trunking Service
[Diagram labels: PSTN; Public Internet; GW; SIP System; Data & VoIP LAN; IP-PBX; Soft Clients and Multimedia Terminals; Remote Users; Managed SIP Trunk; Ingate Firewall®; Data LAN]
Demarcation point and SIP communication via both WAN pipes.
NAT/Firewall Traversal Problem when SIP Trunking over the Internet
[Diagram labels: PSTN; Public Internet; SIP Trunking Provider; GW; IP-PBX; Firewall; SIP System; Data LAN]
SIP Trunking does not pass a SIP-unaware NAT/firewall!
… and the firewall cannot even be opened enough to make it work.
Ingate SIParator® Used with Existing Firewall for SIP Trunking Service over Internet
[Diagram labels: PSTN; Public Internet; SIP Trunking Provider; GW; SIP System; IP-PBX; Firewall; Soft Clients and Multimedia Terminals; Data & VoIP LAN; SIP Trunk over Internet; Ingate SIParator®; Remote Users]
Demarcation point and bringing SIP communication to the LAN
The Function of a Full Featured SIP Proxy
[Diagram labels: Ingate SIP Proxy; SIP Proxy/Registrar; SIP Signaling 10.x.xx168.x.xx; Media; ITSP; IP-Phone]
1. Check the SIP signaling, packet inspection
- Full flexibility to handle future threats
2. Rewrite for the different address spaces
3. Forward the signaling to the correct SIP proxy or client
4. Open ports (UDP/TCP) in the firewall for the media
- Only for the duration of the call
- Only between the exact endpoints
5. Media flows through the ports
6. Close ports after the call
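Steps 4 to 6 of the list above, sketched as an added example (not Ingate's code and not from the original slides): a default-deny pinhole table that opens a media path only between the two endpoints named in the SDP offer and answer, and closes it on BYE. The class and function names, the sample SDP bodies and the max_call_seconds limit for a lost BYE are assumptions made for illustration.

```python
import re

# Constructed sample SDP bodies (documentation addresses, not from the slides).
OFFER_SDP = "v=0\r\no=- 1 1 IN IP4 10.0.0.5\r\ns=-\r\nc=IN IP4 10.0.0.5\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n"
ANSWER_SDP = "v=0\r\no=- 2 2 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 30000 RTP/AVP 0\r\n"

def media_endpoint(sdp):
    """Return (ip, port) of the first audio stream announced in an SDP body."""
    conn = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
    media = re.search(r"^m=audio (\d+) ", sdp, re.M)
    if not conn or not media:
        raise ValueError("SDP lacks a c= or m=audio line")
    return conn.group(1), int(media.group(1))

class PinholeTable:
    """Media pinholes keyed by SIP Call-ID; anything not listed is denied.
    RTCP (normally RTP port + 1) is left out to keep the sketch short."""

    def __init__(self, max_call_seconds=4 * 3600):
        self.max_age = max_call_seconds  # assumed safety limit if BYE is never seen
        self.pending = {}                # Call-ID -> offerer endpoint awaiting an answer
        self.open = {}                   # Call-ID -> (pair of endpoints, opened_at)

    def on_offer(self, call_id, sdp):        # INVITE carrying SDP: nothing opens yet
        self.pending[call_id] = media_endpoint(sdp)

    def on_answer(self, call_id, sdp, now):  # 200 OK carrying SDP: step 4
        offerer = self.pending.pop(call_id)  # KeyError if no INVITE was seen
        self.open[call_id] = (frozenset({offerer, media_endpoint(sdp)}), now)

    def on_bye(self, call_id):               # BYE: step 6
        self.pending.pop(call_id, None)
        self.open.pop(call_id, None)

    def allows(self, src, dst, now):
        """Step 5: pass a packet only between the two endpoints of one live call."""
        for call_id, (pair, opened) in list(self.open.items()):
            if now - opened > self.max_age:
                del self.open[call_id]       # stale entry: the BYE was lost
            elif src != dst and {src, dst} == set(pair):
                return True
        return False
```

A packet from the right host on a neighbouring port, or from any third host, is refused even while the call is up, which is the "only between the exact endpoints" property.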
SPIT, DoS – Filter, IDS/IPS
[Diagram labels: Internet; ITSP; IP-PBX; Mobile user; Spammer]
Dynamically allow authenticated users
Block non-authenticated users
Monitor traffic and block end-points with abnormal behavior
Encryption
• Encrypted SIP signalling
– Support for TLS
• Encrypted media
– Support for SRTP (Sdescriptions)
[Diagram labels: IP-Phone; Ingate Firewall or SIParator; IP-PBX / SIP Server; TLS; SRTP; RTP; In the clear]
Termination, Pass through or Transcoding
Branch Office and Partner Interconnect
[Diagram labels: Swedish office; Ingate Firewall®; US office; Internet; IP-PBX; DMZ; Ingate SIParator®; SIP-unaware Firewall; IP-PBX]
Connecting branch offices
Customers & Partners
Securing with TLS and Encrypted Media SRTP