Intertex Data AB, Sweden
Talking NATs & Firewalls
Prepared for: Voice On the Net, Spring 2002
By: Karl Erik Ståhl, President Intertex Data AB, Chairman Ingate Systems AB
[email protected]
© 2002 Intertex Data AB, Moderator Scott Wharton
Dec 21, 2015
VoIP as we have seen it…
[Figure: PC-to-PC calling over the Internet ("Wanna talk to me?"), and gateway-to-gateway calling over the Internet between STO and LA]
Do we want the PC as a phone?
Are cheaper phone bills all we want?
VoIP as we have seen it…
VoIP between branch offices
[Figure: US and Europe sites, each with a gateway between the PSTN and IP, joined by a VPN across the Internet]
- But NOT globally to others!
Hmm, didn’t we pass this stage…
Paper was a very compatible media - So is POTS today…
But we need to move beyond!
[Figure: Organization 1 with Email system 1 and Organization 2 with Email system 2, exchanging printed output by fax over the PSTN]
VoIP and SIP Services Out to the Edge
[Figure: IP phones (and XP and PIM clients) on a Home LAN and a Business LAN, behind a NAT/Firewall, behind an operator network with NAT, reached via DSL, cable or MTU access through an IAP; a SIP Server and a SIP/PSTN Gateway on the Internet. Marked: Firewall/NAT problems!]
Status until now: SIP is the Protocol for IP Communication Person-to-Person, BUT IT DOES NOT REACH THE EDGE!
SIP Firewall Problems
Firewall Problems:
Sessions initiated from outside the firewall
- OK, open port 5060, but…
Media streams on dynamically allocated port numbers
- Ooops…!
Even with public IP addresses inside
SIP NAT/PAT Problems
NAT & PAT Problems:
Where is the device?
- Registration/location function
Private IP addresses and ports in SIP messages
- Rewrite with globally routable addresses
IP address and port of media stream has to be modified
- NAT engine has to be dynamically controlled
Worse with private IP addresses inside
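The two slides above can be made concrete on one message. The following is an added example, not code from the slides or from any Intertex or Ingate product: a constructed INVITE as a phone behind a NAT would send it. Port 5060 is fixed, but the RTP port is negotiated inside the SDP body (the m= line) and the private address appears in Via, Contact and the c= line, so a plain port rule cannot admit the media and a plain NAT cannot fix the addresses. `media_endpoints()` extracts what a firewall would have to open; `nat_rewrite()` does what a SIP-aware NAT must, rewriting Via, Contact and the SDP while leaving the Call-ID alone. The addresses, ports and the NAT port table are assumptions.

```python
import re

PRIV_IP = "192.168.1.20"   # assumption: the phone's address on the LAN
PUB_IP = "203.0.113.5"     # assumption: public side of the NAT (TEST-NET-3)
# Assumed NAT/PAT table, private port -> public port; PAT may change ports.
PORT_MAP = {5060: 5060, 49170: 62000, 49171: 62001}

# Constructed SDP body: the RTP address and port are chosen per call here,
# in c= and m=, and nothing about them is visible on port 5060 itself.
SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)
# Constructed INVITE as the phone sends it from inside the NAT.
INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.20\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP)}\r\n"
    "\r\n" + SDP
)

ADDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?")


def split_message(msg):
    head, _, body = msg.partition("\r\n\r\n")
    return head.split("\r\n"), body


def media_endpoints(msg):
    """(ip, port) pairs a firewall must open for RTP, taken from the SDP
    c= and m= lines; RTCP is conventionally port+1."""
    _, body = split_message(msg)
    conn, ports = None, []
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            conn = line.split()[2]
        elif line.startswith("m="):
            ports.append(int(line.split()[1]))
    return [(conn, p) for p in ports]


def _map_addr(text, priv_ip, pub_ip, port_map):
    """Replace priv_ip[:port] with the public address and mapped port."""
    def sub(m):
        ip, port = m.group(1), m.group(2)
        if ip != priv_ip:
            return m.group(0)
        return pub_ip if port is None else f"{pub_ip}:{port_map[int(port)]}"
    return ADDR_RE.sub(sub, text)


def nat_rewrite(msg, priv_ip=PRIV_IP, pub_ip=PUB_IP, port_map=PORT_MAP):
    """What a SIP-aware NAT has to do on the way out: rewrite Via and
    Contact (where responses and later requests are sent), the SDP c=/o=
    address and m= port (where RTP is sent), then fix Content-Length.
    Call-ID also contains the private address but is an opaque identifier
    and must be left alone."""
    headers, body = split_message(msg)
    new_body = []
    for line in body.split("\r\n"):
        if line.startswith(("c=", "o=")):
            line = line.replace(priv_ip, pub_ip)
        elif line.startswith("m="):
            f = line.split()
            f[1] = str(port_map[int(f[1])])
            line = " ".join(f)
        new_body.append(line)
    body = "\r\n".join(new_body)
    out = []
    for h in headers:
        name = h.split(":", 1)[0].strip().lower()
        if name in ("via", "contact"):
            h = _map_addr(h, priv_ip, pub_ip, port_map)
        elif name == "content-length":
            h = f"Content-Length: {len(body)}"
        out.append(h)
    return "\r\n".join(out) + "\r\n\r\n" + body


if __name__ == "__main__":
    print("media pinholes needed:", media_endpoints(INVITE))
    print(nat_rewrite(INVITE))
```

Note that the rewrite only works because the device can read the SIP body; once signalling is carried over TLS (a point the Suggested Solutions slide raises against ALGs) a box in the path cannot do this, and the function has to sit on the proxy that terminates the TLS session instead.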
Suggested Solutions
Dynamically controlled Firewall/NATs [Aravox, …]
Midcom: By Firewall Control Proxy [Dynamicsoft…]
uPnP: By the client (Windows) [Microsoft]
SIP aware Firewall/NATs (SIP Proxy + Registrar) [Intertex (SOHO), Ingate (enterprise), …]
SIP aware Firewall/NATs (SIP ALG) [Cisco,…: client location?, TLS not possible]
Modifying the SIP protocol, Drafts in progress:
• draft-rosenberg-sipping-nat-scenarios-00.txt
• draft-rosenberg-midcom-stun-01.txt
• draft-ietf-sip-nat-01.txt
Adding SIP Support to a Firewall
Important components:
Dynamic Firewall Engine
SIP Proxy Server, controlling the firewall
SIP Registrar, user location information
Communication between SIP Proxy and firewall
[Figure: SIP Proxy with User Location, driving the Firewall & NAT over a Firewall Control Protocol]
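How the proxy and the dynamic firewall engine work together, as an added example that is not the slides' or Ingate's code: the filter denies inbound traffic by default apart from one static rule for SIP, the proxy watches the INVITE and the 200 OK to learn both ends of the media stream, and only then opens a pinhole for RTP and RTCP from that one peer to that one port. A BYE closes it, and a lifetime closes it anyway if the BYE is never seen. The firewall-control interface is modelled as plain method calls, the addresses are constructed, and the 180-second lifetime and the outbound-call direction are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pinhole:
    proto: str
    remote_ip: str    # only this peer may send in through the hole
    local_ip: str
    local_port: int


class DynamicFirewall:
    """Default-deny inbound filter whose media pinholes are opened, refreshed
    and closed by the SIP proxy over the firewall-control interface."""

    def __init__(self, sip_port=5060):
        self.sip_port = sip_port     # the one static rule: SIP to the proxy
        self.holes = {}              # Call-ID -> {Pinhole: expiry time}

    def open_media(self, call_id, local, remote, now, lifetime=180.0):
        """Open RTP and RTCP (port+1) for one media line, inbound from peer."""
        holes = self.holes.setdefault(call_id, {})
        for off in (0, 1):
            holes[Pinhole("udp", remote[0], local[0], local[1] + off)] = now + lifetime

    def close_call(self, call_id):
        self.holes.pop(call_id, None)

    def expire(self, now):
        """A call whose BYE was never seen must not leave holes open forever."""
        for cid in list(self.holes):
            live = {h: t for h, t in self.holes[cid].items() if t > now}
            if live:
                self.holes[cid] = live
            else:
                del self.holes[cid]

    def allows_inbound(self, proto, src_ip, dst_ip, dst_port, now):
        self.expire(now)
        if proto == "udp" and dst_port == self.sip_port:
            return True
        probe = Pinhole(proto, src_ip, dst_ip, dst_port)
        return any(probe in holes for holes in self.holes.values())


class SipProxy:
    """Sees both halves of the SDP exchange and drives the firewall.
    Models an outbound call: the INVITE carries the inside phone's RTP
    endpoint, the 200 OK carries the outside peer's. 'media' is the
    (ip, port) already parsed from the message's SDP, None if no body."""

    def __init__(self, fw):
        self.fw = fw
        self.offers = {}

    def on_message(self, kind, call_id, media, now):
        if kind == "INVITE":
            self.offers[call_id] = media
        elif kind == "200 OK" and call_id in self.offers:
            self.fw.open_media(call_id, self.offers[call_id], media, now)
        elif kind == "BYE":
            self.fw.close_call(call_id)
            self.offers.pop(call_id, None)


def demo():
    """Walk one call through the filter; returns the filter decisions."""
    fw, r = DynamicFirewall(), {}
    proxy = SipProxy(fw)
    local, peer = ("10.0.0.7", 49170), ("198.51.100.9", 30000)  # constructed
    r["before"] = fw.allows_inbound("udp", peer[0], local[0], local[1], now=0)
    proxy.on_message("INVITE", "call1", local, now=0)
    proxy.on_message("200 OK", "call1", peer, now=1)
    r["rtp"] = fw.allows_inbound("udp", peer[0], local[0], local[1], now=2)
    r["rtcp"] = fw.allows_inbound("udp", peer[0], local[0], local[1] + 1, now=2)
    r["other_host"] = fw.allows_inbound("udp", "192.0.2.99", local[0], local[1], now=2)
    r["other_port"] = fw.allows_inbound("udp", peer[0], local[0], 50000, now=2)
    r["sip"] = fw.allows_inbound("udp", "192.0.2.99", local[0], 5060, now=2)
    proxy.on_message("BYE", "call1", None, now=3)
    r["after_bye"] = fw.allows_inbound("udp", peer[0], local[0], local[1], now=4)
    proxy.on_message("INVITE", "call2", local, now=10)
    proxy.on_message("200 OK", "call2", peer, now=11)
    r["expired"] = fw.allows_inbound("udp", peer[0], local[0], local[1], now=300)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:11s} {'pass' if v else 'drop'}")
```

The point of keying the hole on the peer address from the answer is that the firewall never has to open a port to the whole Internet: a third host sending RTP to the same port is still dropped, which is what distinguishes a proxy-controlled engine from the "open a port range" workaround.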
NAT Friendly SIP Draft
Mods to SIP, SDP
SIGNALLING
Keep registrar NAT path (TCP or UDP) always open by frequent registrations
Route new signalling through this open path
Use STUN to find out “looks” from outside
RTP
RTP media streams always start from inside + symmetric
For some NATs, if both parties are behind firewalls, RTP streams must bounce through a server
SIP clients need upgrade
New servers on the net
[Figure: two IP phones on LANs, each behind a Firewall/NAT, with a SIP Registrar, a STUN Server and an RTP Proxy on the Internet]
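The "looks from outside" step, as an added example that is not from the slide or from the draft text: the client sends a STUN Binding Request through its NAT and the server replies with the source address and port it saw, in a MAPPED-ADDRESS attribute, which is the public binding the client should then advertise in Contact and in the SDP. The message layout follows draft-rosenberg-midcom-stun / RFC 3489 (20-byte header with a 128-bit transaction ID, TLV attributes, IPv4 family 0x01). The server side is constructed in-line so the exchange runs offline; the addresses are assumptions. The parser insists on its own transaction ID so a response injected by someone else is not accepted.

```python
import os
import socket
import struct

BINDING_REQUEST = 0x0001     # message types, draft-rosenberg-midcom-stun / RFC 3489
BINDING_RESPONSE = 0x0101
MAPPED_ADDRESS = 0x0001      # attribute type
HDR = "!HH16s"               # type, length, 128-bit transaction ID


def build_binding_request(txid=None):
    """Client side: an empty Binding Request with a random transaction ID."""
    txid = txid or os.urandom(16)
    return struct.pack(HDR, BINDING_REQUEST, 0, txid), txid


def build_binding_response(txid, seen_ip, seen_port):
    """Server side, constructed here so the example runs offline: the server
    echoes the source ip:port the request arrived from in MAPPED-ADDRESS,
    which is the NAT's public binding for the client's socket."""
    attr = struct.pack("!BBH4s", 0, 0x01, seen_port, socket.inet_aton(seen_ip))
    body = struct.pack("!HH", MAPPED_ADDRESS, len(attr)) + attr
    return struct.pack(HDR, BINDING_RESPONSE, len(body), txid) + body


def parse_binding_response(data, expect_txid):
    """Client side: return (ip, port) from MAPPED-ADDRESS, rejecting anything
    that is not a well-formed response to our own transaction."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    mtype, length, txid = struct.unpack(HDR, data[:20])
    if mtype != BINDING_RESPONSE:
        raise ValueError(f"unexpected message type 0x{mtype:04x}")
    if txid != expect_txid:
        raise ValueError("transaction ID mismatch, not our response")
    if len(data) != 20 + length:
        raise ValueError("length field does not match message")
    pos = 20
    while pos + 4 <= len(data):
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype == MAPPED_ADDRESS:
            _, family, port, addr = struct.unpack("!BBH4s", value)
            if family != 0x01:
                raise ValueError("only IPv4 handled here")
            return socket.inet_ntoa(addr), port
        pos += 4 + alen
    raise ValueError("no MAPPED-ADDRESS in response")


def outside_view(local, mapped):
    """What the client learns: whether a NAT is in the path, and the
    address:port it should put in Contact and in the SDP c=/m= lines."""
    return {"behind_nat": tuple(mapped) != tuple(local),
            "advertise": f"{mapped[0]}:{mapped[1]}"}


def discover(local, server_sees, txid=None):
    """Whole exchange in one place; server_sees is what the STUN server
    would observe as the packet's source (constructed input)."""
    request, txid = build_binding_request(txid)
    response = build_binding_response(txid, *server_sees)
    return outside_view(local, parse_binding_response(response, txid))


def is_our_response(data, txid):
    try:
        parse_binding_response(data, txid)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(discover(("192.168.1.20", 5060), ("203.0.113.5", 62000)))
```

The learned binding is only useful as long as the NAT keeps it, which is why the slide pairs STUN with frequent re-registration: the registration interval has to be shorter than the NAT's UDP binding timeout, and a symmetric NAT (one that allocates a new mapping per destination) gives the STUN server a binding the SIP peer cannot use, which is the case where the RTP proxy is needed.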
SIP Enabling the Private Networks
[Figure: the same Home LAN and Business LAN as before, now behind an inGate Firewall and a DMZ inGate SIParator, reaching the SIP Server and the SIP/PSTN Gateway on the Internet across the operator network with NAT (DSL, cable or MTU access through an IAP); the Intertex IX66 front panel is shown. Marked: Firewall/NAT SIP transparency! in place of the earlier Firewall/NAT problems!]
IP Communications Using IP Networks
• Intranet IP VPN with IP communications
• Domestic and global IP communications
• PBX and PSTN – E.164 resolution
[Figure: Customer Premises (PBX, PSTN Phone, SIP Phone, Router, Firewall, SIP Server, Enterprise Gateway) connected to the WorldCom Public IP Network, which offers Managed Services (Vmail, OSS, Dialing Plans, Network GWY, Conf, IM, IN), SIP Routing, IP VPN, Intranet IP Comm, Global IP Comm, …other…, and the WorldCom PSTN]
Many call routing options:
• Private/Public IP address
• DNS and DNS SRV records
• SIP aware NAT/PAT servers
Henry Sinnreich 4/10/2002
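The first two routing options on the slide in working form, as an added example that is not from the WorldCom slide or any WorldCom system: a request whose host part is an IP literal is sent there directly, while a domain is resolved through the SRV records for _sip._udp.<domain>, ordered by priority and then by weighted random choice within equal priority as RFC 2782 specifies. The records are constructed, the zone is not real, and the `rng` parameter is injected only so that the selection can be reproduced.

```python
import ipaddress
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

# Constructed answer for _sip._udp.example.net (not a real zone).
RECORDS = [
    SRV(10, 60, 5060, "sip1.example.net."),
    SRV(10, 40, 5060, "sip2.example.net."),
    SRV(10, 0, 5060, "sip3.example.net."),      # weight 0: picked rarely, never skipped
    SRV(20, 100, 5060, "backup.example.net."),  # used only if every priority-10 target fails
]


def srv_order(records, rng=None):
    """Order SRV targets per RFC 2782: lowest priority first; within one
    priority, weighted random selection without replacement.  rng(total)
    must return an integer in [0, total]; injected so runs are reproducible."""
    rng = rng or (lambda total: random.randint(0, total))
    by_prio = {}
    for rec in records:
        by_prio.setdefault(rec.priority, []).append(rec)
    ordered = []
    for prio in sorted(by_prio):
        # RFC 2782 puts weight-0 records first so that r == 0 can select them
        pool = sorted(by_prio[prio], key=lambda rec: rec.weight != 0)
        while pool:
            r = rng(sum(rec.weight for rec in pool))
            running = 0
            for i, rec in enumerate(pool):
                running += rec.weight
                if running >= r:
                    ordered.append(pool.pop(i))
                    break
            else:
                ordered.append(pool.pop(0))   # rng out of range; still make progress
    return ordered


def route(host, records, rng=None, default_port=5060):
    """Next-hop list for a SIP request: an IP literal (the slide's
    'private/public IP address' option) is used directly and needs no DNS;
    a domain is resolved through its SRV records."""
    try:
        ipaddress.ip_address(host)
        return [(host, default_port)]
    except ValueError:
        return [(rec.target, rec.port) for rec in srv_order(records, rng)]


if __name__ == "__main__":
    print(route("example.net", RECORDS))
    print(route("198.51.100.9", RECORDS))
```

Priority gives the failover order and weight the load split, so the backup target is only tried after all three priority-10 proxies have been attempted; a proxy that took the list in DNS answer order instead would defeat both.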
IP Communications Using IP Networks
Integration with existing phones
SIP Capable Firewall: Ingate and Intertex, first through SIT
No IP PBX Needed!
Enhanced Functionality
[Figure: the same Customer Premises and WorldCom Public IP Network diagram as the previous slide, now with an Enterprise LAN behind the SIP capable firewall]
Product Examples – Ingate Systems AB
Enterprise Products
A Complete Firewall: Firewall 1400
An add-on to an Existing Firewall: SIParator 40, placed on the DMZ of the existing firewall
Components: Firewall & NAT/PAT, SIP Proxy, SIP Registrar
Product Examples – Intertex Data AB
SOHO Products
IX66 Internet Gate, with or without ADSL modem built-in
OEM as: Telia SurfinBird Gate, PowerBit SafeGate
Review at: www.adslguide.org.uk/hardware/reviews/2002/q1/intertex_ix66-edflc.asp
See Intertex and inGate!
SIP Capable Firewalls!
Booth #400
Ingate Systems AB, www.ingate.com, Box 10013, Slakthusplan 4, SE-121 26 Stockholm, Sweden. CEO Olle [email protected], Tel +46 8 6007750
Intertex Data AB, www.intertex.se, Rissneleden 45, SE-174 44 Sundbyberg, Sweden. President Karl Erik Ståhl, [email protected], Tel +46 8 6282828