
Dealing with NATs and Firewalls!

Prepared for: Fall VON 2003 Boston

By: Karl Erik Ståhl

President Intertex Data AB

Chairman Ingate Systems AB

[email protected]

© 2003 Intertex Data AB, © 2003 Ingate Systems AB. Moderator: G. Hamilton

How do we connect?

[Diagram: access networks PSTN, GSM and 3G on one side; IP (Windows XP PC, server) on the other. Communication is either non real time or real time.]

VoIP: Still island interworking over the PSTN! Just like message handling before the mid 90s…

Paper was a very compatible medium - so is POTS today…

But isn’t it time to move beyond?

[Diagram: Organization 1 with email system 1 and Organization 2 with email system 2, each with email, printer and fax; the only path between the two organizations is fax over the PSTN.]

Everyone has a connection…

We have a global single new network…

…but it is seldom used for person to person communication!

[Diagram: IP phones and Windows XP PCs with presence/IM (PIM) on a SOHO LAN and on an enterprise LAN, both connected through an operator network to the IP network.]

…and are rapidly moving towards a single protocol!

SIP – Session Initiation Protocol

An Internet Standard

Used for live person-to-person IP Communication: VoIP, IP Telephony

Audio, Video, Data Collaboration

Presence, Instant Messaging

Lots of activity, ongoing work and development

“Everyone” is on the wagon: MCI/WorldCom, Microsoft, Nortel, AT&T, Alcatel, Siemens, Sprint…

So There is a Big Potential!

HTTP created the Web

SMTP created Email

SIP can create universal live IP Communication person-to-person!


The Next Big Usage of the Internet!

A. Go beyond replacing sections of the PSTN by IP! The PSTN is something to interwork with, not the core to build around!

B. Go beyond the “quality” and “services” of the PSTN! The mobile phone world has shown that there is more than “black telephony”! POTS is 50-100 years old!

C. Get connectivity out to the end users! Aren’t we there??? THE TICKING BOMB!

How do we get there?

Everyone has a connection

[Diagram: IP phones and Windows XP PCs with presence/IM (PIM) on a SOHO LAN and a business LAN, a SIP server at the IAP, and a SIP/PSTN gateway to the PSTN. Each site sits behind a NAT/firewall on DSL, cable or MTU access, and the operator network itself may have a NAT. Firewall/NAT problems!]

So, why don’t we just connect?

SIP is the Protocol for Live Person-to-Person Communication,

BUT IT DOES NOT REACH THE EDGE!

SIP does not traverse common NATs and Firewalls! And they are still being installed…


SIP Firewall Problems

Firewall problems (even with public IP addresses inside):

Sessions initiated from outside the firewall
- OK, open port 5060, but…

Media streams on dynamically allocated port numbers
- Ooops… !


SIP NAT/PAT Problems

NAT & PAT problems (worse with private IP addresses inside):

Where is the device?
- Registration/location function

Private IP addresses and ports in SIP messages
- Rewrite with globally routable addresses

IP address and port of media stream has to be modified
- NAT engine has to be dynamically controlled
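The two slides above describe two jobs a SIP-aware firewall/NAT has to do on every INVITE. The following is an added example, not code from these slides or from the Ingate/Intertex products: it derives the media pinholes from the SDP m= lines (the firewall job, since only port 5060 is static) and rewrites the private address and ports in Via, Contact and the SDP o=/c=/m= lines to the public mapping (the NAT/PAT job), correcting Content-Length. The sample INVITE, all addresses (10.0.0.12, 203.0.113.5), ports and the port map handed over by the "NAT engine" are constructed for the example.

```python
# Added example, not from the VON 2003 slides or the Ingate/Intertex products:
#  - firewall side: derive media pinholes from the SDP m= lines (RTP port and,
#    by RFC 3550 convention, RTCP on port+1);
#  - NAT/PAT side: rewrite the private address/ports in Via, Contact and the
#    SDP o=/c=/m= lines to the public mapping and fix Content-Length.
# Call-ID is deliberately left alone: it is an opaque identifier even though it
# happens to contain the private address. All names/addresses are constructed.
import re

SDP_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.12\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.12\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)
# Constructed INVITE from a phone on a private (RFC 1918) LAN address.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.12:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.12\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@10.0.0.12:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)

def split_message(msg):
    """Return (start line, list of header lines, body) of a SIP message."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body

def parse_sdp_media(sdp):
    """List media streams as {type, port, proto, addr}. A c= line before the
    first m= is session level; a c= after an m= overrides it for that stream."""
    session_addr, media, cur = None, [], None
    for line in sdp.splitlines():
        if line.startswith("c="):
            addr = line.split()[2]
            if cur is None:
                session_addr = addr
            else:
                cur["addr"] = addr
        elif line.startswith("m="):
            mtype, port, proto = line.split()[:3]
            cur = {"type": mtype[2:], "port": int(port), "proto": proto, "addr": None}
            media.append(cur)
    for m in media:
        if m["addr"] is None:
            m["addr"] = session_addr
    return media

def media_pinholes(sdp):
    """(addr, port, 'udp') tuples the firewall must open for this SDP: the RTP
    port and RTCP on port+1. Port 0 means the stream is rejected: open nothing."""
    holes = []
    for m in parse_sdp_media(sdp):
        if m["port"] == 0:
            continue
        holes.append((m["addr"], m["port"], "udp"))
        holes.append((m["addr"], m["port"] + 1, "udp"))
    return holes

def _rewrite_hostport(value, private_ip, public_ip, port_map):
    """Replace private_ip[:port] in a header value with the public mapping."""
    def sub(m):
        port = int(m.group(1)) if m.group(1) else 5060   # SIP default port
        return f"{public_ip}:{port_map.get(port, port)}"
    return re.sub(re.escape(private_ip) + r"(?!\d)(?::(\d+))?", sub, value)

def nat_rewrite(msg, private_ip, public_ip, port_map):
    """Rewrite an outbound SIP message for the NAT. port_map holds the public
    port the NAT engine allocated for each private port (signalling and media);
    those mappings must exist before the message is forwarded."""
    start, headers, body = split_message(msg)
    out_headers = []
    for h in headers:
        name, _, value = h.partition(":")
        if name.strip().lower() in ("via", "contact"):
            value = _rewrite_hostport(value, private_ip, public_ip, port_map)
        out_headers.append(name + ":" + value)
    new_body = ""
    for line in body.splitlines():
        if line.startswith(("o=", "c=")):
            line = line.replace(private_ip, public_ip)
        elif line.startswith("m="):
            parts = line.split()
            if parts[1] != "0":
                parts[1] = str(port_map[int(parts[1])])
            line = " ".join(parts)
        new_body += line + "\r\n"
    out_headers = [f"Content-Length: {len(new_body.encode())}"
                   if h.lower().startswith("content-length:") else h
                   for h in out_headers]
    return start + "\r\n" + "\r\n".join(out_headers) + "\r\n\r\n" + new_body
```

The pinhole list is exactly what a "dynamic firewall engine" has to open (and later close, on BYE or timeout); the rewrite is why a plain NAT cannot do the job without understanding SIP, and why an ALG that only pattern-matches addresses would also corrupt the Call-ID.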


Suggested Solutions

Dynamically controlled Firewall/NATs
- Midcom: by a firewall control proxy
- UPnP: by the client (Windows)

SIP aware Firewall/NATs (SIP Proxy + Registrar)
- General, handles complex scenarios, PBX functionality
- [Intertex (SOHO), Ingate (enterprise), …]

SIP aware Firewall/NATs (SIP ALG – non Proxy)
- TLS not possible (an ALG cannot read or rewrite encrypted signalling)

STUN, TURN, ICE
- Can cope with certain types of existing NATs
- Complexity has grown in the effort to make them reliable and handle more NATs. Needs to be implemented in the SIP clients and servers on the net. Still, tight firewalls cannot be handled.

Tunnelling - brings the SIP client to an operator or a corporate LAN
- Requires an ALG for each client on a LAN with its own address space
- IPsec, proprietary
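The STUN approach listed above works by letting the client ask a server on the public Internet what address and port its packets arrive from. As an added example (not code from the slides or from any vendor product), here is that Binding exchange with both sides' messages: RFC 3489 framing with MAPPED-ADDRESS, plus the later RFC 5389 XOR-MAPPED-ADDRESS, which exists precisely because ALGs that blindly rewrite plain addresses inside packets corrupt the answer. The server reply is built in-process so the example runs offline; the addresses and ports (10.0.0.12, 203.0.113.5, 198.51.100.9) are made up.

```python
# Added example, not from the slides or any vendor product: STUN Binding
# request/response so a SIP client behind a NAT learns the public address:port
# its NAT mapped it to, and can put that into Via/Contact/SDP instead of its
# private address. The server side is simulated; all addresses are made up.
import os
import struct

BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001       # RFC 3489
ATTR_XOR_MAPPED_ADDRESS = 0x0020   # RFC 5389
MAGIC_COOKIE = 0x2112A442
FAMILY_IPV4 = 0x01

def _encode_addr(ip, port, xor):
    addr = int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")
    if xor:   # RFC 5389: port ^ top 16 bits of the cookie, address ^ cookie
        port ^= MAGIC_COOKIE >> 16
        addr ^= MAGIC_COOKIE
    return struct.pack("!BBHI", 0, FAMILY_IPV4, port, addr)

def _decode_addr(value, xor):
    _, family, port, addr = struct.unpack("!BBHI", value[:8])
    if family != FAMILY_IPV4:
        raise ValueError("only IPv4 handled in this example")
    if xor:
        port ^= MAGIC_COOKIE >> 16
        addr ^= MAGIC_COOKIE
    return ".".join(str(b) for b in addr.to_bytes(4, "big")), port

def build_binding_request(txid=None):
    """Client -> server: 20-byte header, no attributes. The 128-bit transaction
    id is random so the client can match (and not be spoofed by) a response."""
    txid = os.urandom(16) if txid is None else txid
    return struct.pack("!HH", BINDING_REQUEST, 0) + txid

def build_binding_response(txid, mapped_ip, mapped_port, xor=False):
    """Server -> client: echoes the txid and reports the source address it saw
    on the request, i.e. the NAT's public mapping for the client's socket."""
    atype = ATTR_XOR_MAPPED_ADDRESS if xor else ATTR_MAPPED_ADDRESS
    body = struct.pack("!HH", atype, 8) + _encode_addr(mapped_ip, mapped_port, xor)
    return struct.pack("!HH", BINDING_RESPONSE, len(body)) + txid + body

def parse_binding_response(pkt, expected_txid):
    """Client side: return the (ip, port) the NAT mapped us to, preferring the
    XOR form. Responses that are not for our transaction are rejected."""
    mtype, length = struct.unpack("!HH", pkt[:4])
    if mtype != BINDING_RESPONSE:
        raise ValueError(f"unexpected STUN message type 0x{mtype:04x}")
    if pkt[4:20] != expected_txid:
        raise ValueError("transaction id mismatch: not a reply to our request")
    body, pos, plain = pkt[20:20 + length], 0, None
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        pos += 4 + alen + (-alen % 4)        # attributes are 32-bit aligned
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            return _decode_addr(value, xor=True)
        if atype == ATTR_MAPPED_ADDRESS:
            plain = _decode_addr(value, xor=False)
    if plain is None:
        raise ValueError("no mapped address in response")
    return plain

def behind_nat(local, mapped):
    """True when the reflexive (ip, port) differs from the socket's own."""
    return mapped != local

def binding_roundtrip(public_ip, public_port, xor=False):
    """Whole exchange in one process: request, simulated server, parse."""
    req = build_binding_request()
    resp = build_binding_response(req[4:20], public_ip, public_port, xor)
    return parse_binding_response(resp, req[4:20])
```

What this does not solve is the point the slide makes: the mapping learned from the STUN server is only reusable towards the peer on NATs that keep one mapping per internal socket; a symmetric NAT allocates a fresh one per destination, and a firewall that drops unsolicited inbound UDP discards the peer's media regardless of what the client advertised.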


Adding General SIP Traversal to a Firewall

Important components:

Firewall & NAT
- Dynamic firewall engine

SIP Proxy
- SIP proxy server, controlling the firewall

User Location
- SIP registrar, user location information

Firewall Control
- Protocol communication between SIP proxy and firewall

In the Ingate and Intertex products:

You got a SIP server! Use it just for firewall traversal AND/OR as your
- SIP server
- Outbound proxy
- Inbound proxy
- PBX (the SIP Switch)

What have you got?

Firewall/NAT problems!

Firewall/NAT SIP transparency!

SIP Enabling the Private Networks

[Diagram: an office or home LAN and an enterprise LAN with IP phones, each behind an Ingate Firewall or an Intertex IX66 (SOHO); an Ingate SIParator in the DMZ; a SIP server and a SIP/PSTN gateway at the IAP/operator network (with NAT), reached over DSL, cable or MTU access and the Internet. Includes a product photo of the IX66 front panel.]

A Future of Live All IP Connectivity

SIP capable firewalls make the difference!

Internet: Just Another Internet Service…

[Diagram: the Ingate Linköping LAN and the Intertex Stockholm LAN in Sweden (Ingate Firewall, SIParator in the DMZ, IX66), home office users on SOHO LANs with IX66, and the VON booth #421 in Boston, USA on an enterprise LAN behind an Ingate Firewall, all found over the Internet via DNS SRV, with a SIP/PSTN gateway to the PSTN and ENUM entries for the numbers +43 1 25397 511, 512, 513, 521, 522 and 531.]

Use as Your Main SIP Server

Your own SIP server ready to go!

Firewall traversal requires NO setup!

Features can be applied to other SIP server domains also

Get a DNS entry! (DynDNS if you don’t have a fixed IP address)
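What the "DNS entry" amounts to for a SIP domain, as an added example (not from the slides; the domain example.com, the host sip.example.com and the address 203.0.113.5 are assumed): the NAPTR, SRV and A records of RFC 3263 that other SIP servers follow to find the SIP server on your firewall.

```zone
; Added example, not from the slides. Domain, host name and address are assumed.
$ORIGIN example.com.
$TTL 300                                   ; keep the TTL short if the address is dynamic
@          IN NAPTR 10 50 "S" "SIP+D2U" "" _sip._udp.example.com.
_sip._udp  IN SRV   10 60 5060 sip.example.com.
sip        IN A     203.0.113.5            ; the firewall's public address
```

With a dynamic address the A record for sip is the one a DynDNS client keeps current; the NAPTR and SRV records never need to change.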


Dial Plan with ENUM and Authentication

Use both URLs and E.164 numbers conveniently

Mimics PBX, e.g. dial 9 for PSTN

ENUM checking before passing to PSTN gateway
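The ENUM check in that dial plan, as an added example (not from the slides or from the Ingate/Intertex dial plan): the dialled E.164 number is turned into its e164.arpa name, the NAPTR records are searched for an E2U+sip service, and only if nothing comes back does the call go to the PSTN gateway; a leading 9 bypasses ENUM as the slide describes. DNS is replaced by a constructed in-memory NAPTR table so it runs offline; every number, domain and the gateway name PSTN_GATEWAY are made up.

```python
# Added example, not from the slides or from any vendor dial plan: RFC 3761
# ENUM lookup before a dialled E.164 number is passed to the SIP/PSTN gateway,
# plus "dial 9 for PSTN". DNS is simulated by FAKE_DNS; all names are made up.
import re

PSTN_GATEWAY = "pstn-gw.example.com"   # assumed address of the SIP/PSTN gateway
ENUM_SUFFIX = "e164.arpa"

# Constructed NAPTR answers: domain -> [(order, preference, flags, service, regexp)]
FAKE_DNS = {
    "5.4.3.2.1.5.5.5.8.6.4.e164.arpa": [
        (100, 20, "u", "E2U+mailto", "!^.*$!mailto:reception@example.com!"),
        (100, 10, "u", "E2U+sip", "!^.*$!sip:reception@example.com!"),
    ],
}

def e164_to_enum_domain(number):
    """'+46 8 555 123 45' -> '5.4.3.2.1.5.5.5.8.6.4.e164.arpa' (RFC 3761 2.4)."""
    if not number.startswith("+"):
        raise ValueError("ENUM needs a full E.164 number starting with '+'")
    digits = re.sub(r"\D", "", number)
    return ".".join(reversed(digits)) + "." + ENUM_SUFFIX

def apply_naptr_regexp(regexp, subject):
    """Apply a NAPTR regexp field '<d>ere<d>repl<d>[flags]'; None if no match.
    Back-references \\1..\\9 in repl are the same syntax as Python's re.sub."""
    delim = regexp[0]
    ere, repl, flags = regexp[1:].split(delim)
    rx = re.compile(ere, re.IGNORECASE if "i" in flags else 0)
    return rx.sub(repl, subject, count=1) if rx.search(subject) else None

def enum_lookup(number, service="E2U+sip", dns=FAKE_DNS):
    """Return the URI ENUM gives for the number and service, or None.
    Records are tried in (order, preference) order; 'u' flag = terminal URI."""
    records = dns.get(e164_to_enum_domain(number), [])
    for order, pref, flags, svc, regexp in sorted(records):
        if svc.lower() == service.lower() and "u" in flags.lower():
            uri = apply_naptr_regexp(regexp, number)
            if uri:
                return uri
    return None

def route(dialled, dns=FAKE_DNS):
    """Dial-plan decision: a leading 9 forces the PSTN gateway; otherwise the
    E.164 number is checked in ENUM first and only falls back to the PSTN."""
    if dialled.startswith("9"):
        number = dialled[1:]
    else:
        number = dialled if dialled.startswith("+") else "+" + dialled
        uri = enum_lookup(number, dns=dns)
        if uri:
            return uri
    return f"sip:{number}@{PSTN_GATEWAY};user=phone"
```

ENUM answers are ordinary DNS records, so without DNSSEC they can be spoofed; a server that routes calls on them should still apply its own authentication and caller restrictions to whatever the lookup returns.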


User Accounts

Speed Dial

Mapping of incoming PSTN call

Authentication

Forwarding, Forking

Voice mail forwarding


Restriction of Incoming Callers

Allow callers based on various criteria

SPAM calling may need to be controlled…

Or blacklist unwanted callers

(Although easy to bypass: a blacklist keyed on the caller's From header is defeated by simply changing it)


SIP Capable Firewalls!

Intertex Data AB
Rissneleden 45, SE-174 44 Sundbyberg, Sweden
Tel +46 8 6282828
[email protected]

See us in booth 421!