Intertex Data AB, Sweden Firewall and NAT Traversal Bringing SIP the LAN Prepared for:International...

Intertex Data AB, Sweden

Firewall and NAT TraversalBringing SIP the LAN

Prepared for: International SIP 2003 By: Karl Erik Ståhl

President Intertex Data ABChairman Ingate Systems [email protected]

© 2003 Intertex Data AB 1


Is there a next big steps in Internet usage?

World Wide Web

Email

Will there be Real Time Communication Person-to-Person?


VoIP as we have seen it…

InternetPC

PCWanna talkto me?

Remember how it started in 95?

Now it is coming back in a most useful form!



Gateway

Internet

Gateway

STO

LA

Then this service was offered to end users?

Nowdays long distance VoIP minutes are bought by the established telcos. Your normal international calls often run over the public Internet!



VoIP between branch offices

Gateway

PSTN

Europe

IP

InternetVPN VPN

USGateway

IP

- But NOT globally to others!


VoIP as we see it…

MGCP often used to phones

PSTN

FWInternet

Phones get locked to operator

SOFTSWITCH


Hmm, didn’t we pass this stage…

Paper was a very compatible media - So is POTS today…

But we need to move beyond!

PSTN

email

printer

fax

Organization 1Email system 1

email

Organization 2Email system 2

fax faxfax


What about universal connectivity?

Wouldn’t that be fine?

Black Phone

RJ45

LAN Intranet Internet

IP Phone

PSTN

RJ11


“We need QoS of PSTN…”

3 kHz bandwith?

Video?

Presence?

draft-ietf-simple-presence-07.txt

Instant Messaging?RFC3428, December 2002

And more…

Is black telephony all we want?


Is the protocol part of the game?

HTTP Created the Web

SIP Can Create IP Communication Person-to-Person!

SMTP Created Email

Voice & Video (XP)

.NET Server will include SIP server, with API (3Q2) Applications will arise

Windows Messenger 4.6 and later has SIP-mode Presence & IM

10:s of millions of RTC (SIP) users within a year

4255551212

Dial to phone Rich SIP APIs

Microsoft is pushing – New RTC is SIP-based

IAPIP PhoneIP Phone

IP Phone

IP Phone

Connect to PSTN when required!

PSTN

SIP/PSTNGateway

Internet

Home LANBusiness LAN

Let SIP clients talk to each other!

XP

PIM

SIPServer

IP PhoneIP Phone

IP Phone

IP Phone

PSTN

SIP/PSTNGateway

Internet

Home LANBusiness LAN

SIPServer

IAP

XP

PIM

Firewall/NAT problems!

DSLCableMTU

Operator network with NAT

NATFirewall

NAT

Status until recently:SIP is the Protocol for IP Communication Person-to-Person,BUT IT DOES NOT REACH THE EDGE!

But there is a problem…


What is the difference?

Typical Internet protocol (SMTP, HTTP…)

Internet

HOSTSERVER

SIP (and H.323…) connects person-to-person

Internet

PERSONPERSON

Locate the person - Set up a session - Open real time media streams


SIP Firewall Problems

Firewall Problems:

Sessions initiated from outside the firewall

- OK, open port 5060, but…

Media streams on dynamically allocated port numbers

- Ooops… !Even with public IP addresses inside


SIP NAT/PAT Problems

NAT & PAT Problems:Where is the device?

- Registration/location function

Private IP addresses and ports in SIP messages

- Rewrite with globally routable addresses

IP address and port of media stream has to be modified

- NAT engine has to be dynamically controlled

Worse with privateIP addresses inside


Suggested Solutions

Dynamically controlled Firewall/NATs Midcom: By Firewall Control Proxy [Dynamicsoft…]uPnP: By the client (Windows) [Microsoft]SIP aware Firewall/NATs (SIP Proxy + Registrar)[Intertex (SOHO), Ingate (enterprise), …]SIP aware Firewall/NATs (SIP ALG)[Cisco,… TLS not possible]Making SIP NAT friendly - Drafts in progress: • draft-ietf-sipping-nat-scenarios-00.txt• draft-ietf-midcom-stun-02.txt• draft-ietf-sip-nat-02.txt• draft-ietf-sip-symmetric-response-00.txt


Adding SIP Support to a Firewall

Important components:Firewall & NAT

Dynamic Firewall Engine

SIPProxy

SIP Proxy Server, controlling the firewall

UserLocation

SIP Registrar, user location information

FirewallControl

Protocol Communication between

SIP Proxy and firewall

Firewall/NAT problems!

Firewall/NAT SIP transparency!

Office or home LAN

IP PhoneIP Phone

IP Phone

IP Phone

SIPServer PSTN

SIP/PSTNGateway

Operator network with NAT

Internet

NATFirewall

NAT

Enterprise LAN

DSLCableMTU

DMZinGateSIParator

SIP Enabling the Private Networks

inGateFirewall

IP Phone IP Phone

IP Phone

SELECT

SET ALT CFG E T 1

A I

R

U S B

E T 2

W A N

T X D

R X D

ADR CFG DHP RST LQ

TX RX

SC IX66

IAP

IX66

Home User

USASweden

InternetJust Another Internet Service…

IX66

IAP

Home LAN

Enterprise LAN

XP

inGateFirewall

SOHO LAN

IX66

XP

Helsinki PSTNSIP/PSTNGateway

DNSSRV

DMZinGateSIParator

XP

Ingate Linköping LAN

IX66

Intertex Stockholm LAN

Sweden

21

IP Communications Using IP NetworksIP Communications Using IP Networks

• Intranet IP VPN with IP communications• Domestic and global IP communications• PBX and PSTN – E.164 resolution

Customer Customer PremisesPremises

PBX PSTN Phone

ManagedServices

Router

Vmail OSS

SIP Phone

WorldComPSTN

DialingPlans

Network GWY

Conf

PSTN Phone

IM

IN

EnterpriseGateway

SIP Routing

Firewall

SIP Server

IP VPN

Global IP Comm

Intranet IP Comm

…other…

Many call routing options:• Private/Public IP address• DNS and DNS SRV records• SIP aware NAT/PAT servers

Henry Sinnreich 4/10/2002

WorldComPublic

IP Network

22

IP Communications Using IP NetworksIP Communications Using IP Networks

PBX PSTN Phone

ManagedServices

Router

Vmail OSS

SIP Phone

WorldComPSTN

DialingPlans

Network GWY

Conf

PSTN Phone

IM

IN

EnterpriseGateway

SIP Routing

Firewall

SIP Server

IP VPN

Global IP Comm

Intranet IP Comm

…other…

Integration with existing phones

SIP Capable FirewallIngate and IntertexFirst through SIT

Customer Customer PremisesPremises

No IP PBX Needed!

Enhanced Functionality

Enterprise LAN

WorldComPublic

IP Network


Product Examples – Ingate Systems AB

A Complete Firewall An add-on to an Existing Firewall

DMZ

Existing Firewall

Firewall & NAT/PAT SIP Proxy SIP Registrar

Enterprise Products

Firewall 1400 SIParator 40


Product Examples – Intertex Data AB

IX66 Internet Gate with or withoutADSL modem built-in

OEM as: Telia SurfinBird Gate PowerBit SafeGateReview at: www.adslguide.org.uk/hardware/reviews/2002/q1/intertex_ix66-edflc.asp

SOHO Products


The Intertex IX66 Internet Gate

A closer look

Firewall & NAT/PAT Router SIP Proxy and Registrar DHCP Server and Client WEB Server for configuration Smart Card Reader for security applications Optional 802.11b Wireless Lan SIP Appliance Control, LAC via expansion port

SELECT

SET ALT CFG E T 1

A I

R

U S B

E T 2

W A N

T X D

R X D

ADR CFG DHP RST LQ

TX RX

SC

Optional ADSLand Splitter Built-in


SIP-capable firewalls!

Ingate Systems ABwww.ingate.comBox 10013, Slakthusplan 4 SE-121 26 Stockholm, SwedenVD Olle [email protected] Tel +46 8 6007750

Intertex Data ABwww.intertex.seRissneleden 45 SE-174 44 Sundbyberg, SwedenVD Karl Erik Stå[email protected] Tel +46 8 6282828

Intertex Data AB, Sweden Firewall and NAT Traversal Bringing SIP the LAN Prepared for:International...

Documents

Transcript of Intertex Data AB, Sweden Firewall and NAT Traversal Bringing SIP the LAN Prepared for:International...