Intertex Data AB, Sweden Talking NATs & Firewalls Prepared for:Voice On the Net, Spring 2002 By: Karl Erik Ståhl President Intertex Data AB Chairman Ingate.

Intertex Data AB, Sweden

Talking NATs & Firewalls

Prepared for: Voice On the Net, Spring 2002

By: Karl Erik Ståhl

President Intertex Data AB

Chairman Ingate Systems AB

[email protected]

© 2002 Intertex Data AB Moderator Scott Wharton 1


VoIP as we have seen it…

InternetPC

PCWanna talkto me?

Do we want the PC as a phone?

Gateway

Internet

Gateway

STO

LA

Are cheaper phone bills all we want?


VoIP as we have seen it…

VoIP between branch offices

Gateway

PSTN

Europe

IP

InternetVPN VPN

USGateway

IP

- But NOT globally to others!


Hmm, didn’t we pass this stage…

Paper was a very compatible media - So is POTS today…

But we need to move beyond!

PSTN

email

printer

fax

Organization 1Email system 1

email

Organization 2Email system 2

fax faxfax

IAP

Firewall/NAT problems! IP PhoneIP Phone

IP Phone

IP Phone

SIPServer PSTN

SIP/PSTNGateway

Internet

Home LANBusiness LAN

DSLCableMTU

VoIP and SIP Services Out to the Edge

Operator network with NAT

NATFirewall

NAT

XP

PIM

Status until now:SIP is the Protocol for IP Communication Person-to-Person,BUT IT DOES NOT REACH THE EDGE!


SIP Firewall Problems

Firewall Problems:

Sessions initiated from outside the firewall

- OK, open port 5060, but…

Media streams on dynamically allocated port numbers

- Ooops… !Even with public IP addresses inside


SIP NAT/PAT Problems

NAT & PAT Problems:Where is the device?

- Registration/location function

Private IP addresses and ports in SIP messages

- Rewrite with globally routable addresses

IP address and port of media stream has to be modified

- NAT engine has to be dynamically controlled

Worse with privateIP addresses inside


Suggested Solutions

Dynamically controlled Firewall/NATs [Aravox, …]

Midcom: By Firewall Control Proxy [Dynamicsoft…]

uPnP: By the client (Windows) [Microsoft]

SIP aware Firewall/NATs (SIP Proxy + Registrar)

[Intertex (SOHO), Ingate (enterprise), …]

SIP aware Firewall/NATs (SIP ALG)

[Cisco,…: client location?, TLS not possible]

Modifying the SIP protocol, Drafts in progress: • draft-rosenberg-sipping-nat-scenarios-00.txt• draft-rosenberg-midcom-stun-01.txt• draft-ietf-sip-nat-01.txt


Adding SIP Support to a Firewall

Important components:

Dynamic Firewall Engine

SIP Proxy Server, controlling the firewall

SIP Registrar, user location information

Communication between SIP Proxy and firewall SIP

Proxy

Firewall & NAT

FirewallControl

Protocol

UserLocation


NAT Friendly SIP Draft

Mods to SIP, SDPSIGNALLING

Route new signalling through this open path

For some NATs, if both parties are behind firewalls, RTP streams must bounce through a server

LANRTP

IP Phone

FirewallNAT

RTPProxy

NAT

IP Phone

LAN

SIPRegistrar

INTERNET

Use STUN to find out “looks” from outside

STUNServer

Keep registrar NAT path (TCP or UDP) always open by frequent registrations

RTP media streams always start from inside + symmetric

RTPSIP clientsneed upgrade

New servers on the net

Firewall/NAT problems!

Firewall/NAT SIP transparency! IP PhoneIP Phone

IP Phone

IP Phone

SIPServer PSTN

SIP/PSTNGateway

Operator network with NAT

Internet

Home LAN

NATFirewall

NAT

Business LAN

DSLCableMTU

DMZinGateSIParator

SIP Enabling the Private Networks

inGateFirewall

IP Phone IP Phone

IP Phone

SELECT

SET ALT CFG E T 1

A I

R

U S B

E T 2

W A N

T X D

R X D

ADR CFG DHP RST LQ

TX RX

SC IX66

IAP

12

IP Communications Using IP NetworksIP Communications Using IP Networks

• Intranet IP VPN with IP communications• Domestic and global IP communications• PBX and PSTN – E.164 resolution

Customer Customer PremisesPremises

PBX PSTN Phone

ManagedServices

Router

Vmail OSS

SIP Phone

WorldComPSTN

DialingPlans

Network GWY

Conf

PSTN Phone

IM

IN

EnterpriseGateway

SIP Routing

Firewall

SIP Server

IP VPN

Global IP Comm

Intranet IP Comm

…other…

Many call routing options:• Private/Public IP address• DNS and DNS SRV records• SIP aware NAT/PAT servers

Henry Sinnreich 4/10/2002

WorldComPublic

IP Network

13

IP Communications Using IP NetworksIP Communications Using IP Networks

PBX PSTN Phone

ManagedServices

Router

Vmail OSS

SIP Phone

WorldComPSTN

DialingPlans

Network GWY

Conf

PSTN Phone

IM

IN

EnterpriseGateway

SIP Routing

Firewall

SIP Server

IP VPN

Global IP Comm

Intranet IP Comm

…other…

Integration with existing phones

SIP Capable FirewallIngate and IntertexFirst through SIT

Customer Customer PremisesPremises

No IP PBX Needed!

Enhanced Functionality

Enterprise LAN

WorldComPublic

IP Network


Product Examples – Ingate Systems AB

A Complete Firewall An add-on to an Existing Firewall

DMZ

Existing Firewall

Firewall & NAT/PAT SIP Proxy SIP Registrar

Enterprise Products

Firewall 1400 SIParator 40


Product Examples – Intertex Data AB

IX66 Internet Gate with or withoutADSL modem built-in

OEM as: Telia SurfinBird Gate PowerBit SafeGateReview at: www.adslguide.org.uk/hardware/reviews/2002/q1/intertex_ix66-edflc.asp

SOHO Products


See Intertex and inGate!

SIP Capable Firewalls!

Ingate Systems ABwww.ingate.comBox 10013, Slakthusplan 4 SE-121 26 Stockholm, SwedenCEO Olle [email protected] Tel +46 8 6007750

Booth #400 Booth #400

Intertex Data ABwww.intertex.seRissneleden 45 SE-174 44 Sundbyberg, SwedenPresident Karl Erik Stå[email protected] Tel +46 8 6282828

Intertex Data AB, Sweden Talking NATs & Firewalls Prepared for:Voice On the Net, Spring 2002 By: Karl Erik Ståhl President Intertex Data AB Chairman Ingate.

Documents

firewall sip registrar

sip protocol

sip services

sip support

sip messages rewrite

nat friendly sip draft

firewall ok

nat engine