
SIP? NAT? NOT! Traversing the Firewall for SIP Call Completion

Steven Johnson

President, Ingate Systems Inc.

The Third Wave of the Internet

HTTP created the Web

SMTP created Email

SIP can create universal live IP Communication person-to-person!

It’s All There – Almost…

• A single network (IP)

• Everyone has a connection

• High capacity and good performance

• A single protocol (SIP)

But SIP does not traverse common firewalls and NATs: firewalls exclude inbound traffic.

What’s the Difference?

Typical Internet protocols (SMTP, HTTP…) connect a HOST to a SERVER across the Internet.

SIP (and H.323…) connects PERSON to PERSON across the Internet.

More than IP Telephony!

HTTP created the Web

SMTP created Email

SIP can create universal live IP Communication person-to-person!

It’s the Third Wave of the Internet

It’s Presence

It’s Instant Messaging

It’s Voice

It’s Video

A richer communications experience

Converged Networks, Real-time Communications

Connect people, information and processes in real time

+ A change in communications style

+ A change in the work paradigm

+ A change in communications tools

= An opportunity for productivity improvement

One Way: VoIP Islands…

VPN is fine for branch to branch connections

(Diagram: Headquarters and Branch Office IP networks joined by a VPN tunnel across the Internet; Vendor, Partner and Customer IP networks shown alongside.)

But the goal is global connectivity

The Global All IP Way

SIP-capable firewalls make the difference

Suggested CPE Solutions

STUN, TURN, ICE
– Can cope with certain types of existing NATs
– Complexity has grown in trying to increase reliability and handle more NATs
– Needs to be implemented in the SIP clients and servers on the Net
– Tight firewalls will not be handled

Dynamically-controlled firewalls/NATs
– Midcom: by Firewall Control Proxy (no activity known at this time)
– UPnP: by the client (Windows) (Microsoft)

ALG (non-Proxy) SIP-aware firewall
– TLS not possible

ALG + Proxy SIP-aware firewall
– General, handles complex scenarios, PBX functionality

Tunnelling – brings the SIP client to an operator or a corporate LAN
– Requires an ALG for each client on a LAN with its own address space
– IPSec, proprietary

STUN, TURN, ICE

• Evolving IETF standard
• Requires a client on the inside of the LAN and a “reflector” in the network
• The client “pings” the reflector, which returns the internal IP address that is being broadcast by the SIP end point
• Once the internal IP address is known, all communications carry that IP address in the header information
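As an added illustration (not part of Ingate’s deck), the exchange the slide describes, in Python: the reflector’s STUN Binding Response carrying an XOR-MAPPED-ADDRESS attribute (RFC 5389), the client decoding the NAT’s public mapping from it, and the client writing that address into its Via and Contact headers before sending. The IP addresses, port and transaction id are constructed sample values.

```python
import socket
import struct

MAGIC_COOKIE = 0x2112A442  # fixed value from RFC 5389, used to XOR the mapped address

def build_binding_response(public_ip: str, public_port: int, txid: bytes) -> bytes:
    """Reflector side: Binding Success Response with an XOR-MAPPED-ADDRESS (0x0020) attribute."""
    x_addr = struct.unpack("!I", socket.inet_aton(public_ip))[0] ^ MAGIC_COOKIE
    x_port = public_port ^ (MAGIC_COOKIE >> 16)
    attr = struct.pack("!HHBBHI", 0x0020, 8, 0, 0x01, x_port, x_addr)  # family 0x01 = IPv4
    return struct.pack("!HHI", 0x0101, len(attr), MAGIC_COOKIE) + txid + attr

def parse_mapped_address(resp: bytes, txid: bytes) -> tuple:
    """Client side: walk the TLV attributes and recover the NAT's public (ip, port) mapping."""
    msg_type, length, cookie = struct.unpack("!HHI", resp[:8])
    if msg_type != 0x0101 or cookie != MAGIC_COOKIE or resp[8:20] != txid:
        raise ValueError("not the Binding Success Response for our request")
    pos, end = 20, 20 + length
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", resp[pos:pos + 4])
        val = resp[pos + 4:pos + 4 + alen]
        if atype in (0x0001, 0x0020) and val[1] == 0x01:  # MAPPED or XOR-MAPPED, IPv4 only
            port, addr = struct.unpack("!HI", val[2:8])
            if atype == 0x0020:
                port ^= MAGIC_COOKIE >> 16
                addr ^= MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        pos += 4 + (alen + 3) // 4 * 4  # attribute values are padded to 32-bit boundaries
    raise ValueError("response carries no mapped address")

def rewrite_sip_headers(msg: str, private: str, public_ip: str, public_port: int) -> str:
    """Put the learned public address into Via and Contact so responses and later
    requests reach the client through the NAT.  SDP c=/m= lines are left alone:
    each RTP socket needs its own STUN mapping (or an ALG in the firewall)."""
    public = f"{public_ip}:{public_port}"
    out = []
    for line in msg.split("\r\n"):
        if line.lower().startswith(("via:", "contact:")):
            line = line.replace(private, public)
        out.append(line)
    return "\r\n".join(out)

if __name__ == "__main__":
    txid = b"\x01" * 12  # constructed transaction id; a real client uses 96 random bits
    reply = build_binding_response("203.0.113.7", 34512, txid)  # constructed reflector reply
    ip, port = parse_mapped_address(reply, txid)
    invite = ("INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776\r\n"
              "Contact: <sip:alice@10.0.0.5:5060>\r\nc=IN IP4 10.0.0.5\r\n\r\n")  # constructed, RFC 5737 / 1918
    print(rewrite_sip_headers(invite, "10.0.0.5:5060", ip, port))
```

The SDP address left in the clear after the rewrite is exactly the media-port problem the deck says an ALG in the firewall solves by opening and closing ports dynamically.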

STUN, TURN, ICE

Benefits
• Simple solution to NAT traversal
• Offers an alternative to home users and small businesses that don’t wish to incorporate a full firewall solution

Problems
• Exposes the internal IP addressing scheme
• Circumvents the protection offered by the firewall
• Inappropriate for enterprises and others with valuable information to protect on their LAN
• Only works for certain types of NATs

Midcom

• Developing IETF standard for managing controllable firewalls with a Firewall Control Proxy

• Elegant solution that puts the solution at the point where the problem occurs

• Firewall Control Proxy would dynamically control the firewall to accept SIP media only when authorized

• Control resides with the Firewall Control Proxy and the existing firewall takes care of all of the logging

Midcom

Benefits
• Based on an IETF standard
• Leaves the firewall in place
• Offers a separate device to just manage SIP sessions

Problems
• No companies are currently developing this technology
• There are currently no firewalls that are controllable by an outside agent
• Leaves vulnerabilities on the Firewall Control Proxy which could result in a violation of network security

UPnP

• Universal Plug and Play
• Proposed by Microsoft
• Allows all end points to be controlled by the Microsoft agent

UPnP

Benefits
• Simple implementation
• Nothing to set up or configure
• Excellent implementation for home users
• Would expand the use of SIP

Problems
• Limited utility for enterprises of any size
• Cannot handle complex call scenarios
• Solution handles NAT only
• Cannot handle hard phones, only soft clients
• Security of the network controlled by a Windows server

ALG (non-Proxy) SIP-Aware Firewall

• Implementation which sits between two hosts and modifies the information flow between them on the fly

• ALGs normally do small modifications to the packets

ALG (non-Proxy) SIP-Aware Firewall

Benefits
• Theoretically faster processing times than proxy-based solutions
• Performs most of the important functions of allowing traversal of the NATed firewall
• Able to dynamically open and close ports for media

Problems
• Cannot read deeply into the packet headers
• Cannot support encryption (TLS); ALGs see everything in the clear, so modifying authenticated packets is impossible
• Setup of complex call scenarios is a problem
• Current implementations do not support soft clients

ALG + Proxy SIP-Aware Firewall

• ALG performs the NAT traversal function
• Proxy terminates a packet flow, then reinitiates the flow to the destination address
  – Records the SIP client address to locate it behind the NAT
  – Digest authentication
  – Rewrites headers
• Proxies can look deeply into the header information because the proxy stops the packet briefly
  – Inspection of SIP signaling (including Instant Messages)
• Support for Transport Layer Security (TLS)
  – Adds privacy and authentication to communications
  – TLS is being used for adding security to Microsoft Office Live Communications Server, Avaya, Reuters and others
• Can also be used as a separate SIP firewall when all data ports are permanently closed

ALG + Proxy SIP-Aware Firewall

Benefits
• Most flexible solution
• Able to support all call scenarios, despite complexity
• Can support servers on the inside of the LAN
• Supports TLS
• Flexible and adaptable
• Offers a backup registration/location server option
• Simple PBX functions can be added

Problems
• Theoretically slower performance

Summary of Advantages

Capability                                    ALG with Proxy   ALG
Support for TLS                               Yes              No
Flexible support for complex call scenarios   Yes              No
Backup registrar and other services           Yes              No
Support for soft clients                      Yes              No

Real and Complex Scenarios

Complications for non-proxy solutions:
• Tight firewalls
• Call transfer
• SIP server on the LAN
• Trusted connections: TLS

(Diagram: an IP Phone and an XP soft client on the LAN behind a Firewall/NAT, reaching a SIP/PSTN Gateway and SIP Servers 2, 3 and 4 across the Internet, with SIP carried over TLS.)

Sooner or later: the NAT/Firewall problem needs to be solved where it occurs.
