SIP? NAT? NOT! Traversing the Firewall for SIP Call Completion Steven Johnson President, Ingate Systems Inc.
SMTP created Email HTTP created the Web SIP can create universal live IP Communication person-to-person! The Third Wave of the Internet
It’s all there – almost… • A single network (IP) • Everyone has a connection • High capacity and good performance • A single protocol (SIP) But SIP does not traverse common firewalls and NATs
It’s All There – Almost… • A Single Network (IP) • High capacity and good performance • Everyone has a connection • A single protocol - SIP • Firewalls exclude inbound traffic • SIP does not traverse common firewalls and NATs
What’s the difference? (Diagram: a typical Internet protocol such as SMTP or HTTP connects a host to a server across the Internet; SIP (and H.323…) connects person-to-person across the Internet.)
SMTP created Email HTTP created the Web SIP can create universal live IP Communication person-to-person! More than IP Telephony! It’s the Third Wave of the Internet
A richer communications experience: it’s presence, it’s instant messaging, it’s voice, and it’s video.
Converged Networks Realtime Communications • A change in the work paradigm • A change in communications style • A change in communications tools • An opportunity for productivity improvement Connect people, information and processes in real-time
One Way: VoIP Islands… (Diagram: headquarters and a branch office joined by a VPN tunnel across the Internet, with vendor, partner and customer sites as separate IP islands.) VPN is fine for branch-to-branch connections, but the goal is global connectivity.
The Global All IP Way SIP-capable firewalls make the difference
Suggested CPE Solutions
• STUN / TURN / ICE
  • Can cope with certain types of existing NATs
  • Complexity has grown in trying to increase reliability and handle more NATs
  • Needs to be implemented in the SIP clients and servers on the Net
  • Tight firewalls will not be handled
• Dynamically-controlled firewalls/NATs
  • Midcom: by Firewall Control Proxy (no activity known at this time)
  • UPnP: by the client (Windows) (Microsoft)
• ALG (non-Proxy) SIP-aware firewall
  • TLS not possible
• ALG + Proxy SIP-aware firewall
  • General, handles complex scenarios, PBX functionality
• Tunnelling - brings the SIP client to an operator or a corporate LAN
  • Requires an ALG for each client on a LAN with its own address space
  • IPSec, proprietary
STUN TURN ICE
• Evolving IETF standard
• Requires a client on the inside of the LAN and a “reflector” in the network
• The client “pings” the reflector, which returns the internal IP address that is being broadcast by the SIP end point
• Once the internal IP address is known, all communications carry that IP address in the header information
Benefits:
• Simple solution to NAT traversal
• Offers an alternative to home users and small businesses that don’t wish to incorporate a full firewall solution
Problems:
• Exposes the internal IP addressing scheme
• Circumvents the protection offered by the firewall
• Inappropriate for enterprises and others with valuable information to protect on their LAN
• Only works for certain types of NATs
Midcom
• Developing IETF standard for managing controllable firewalls with a Firewall Control Proxy
• Elegant solution that puts the fix at the point where the problem occurs
• The Firewall Control Proxy would dynamically control the firewall to accept SIP media only when authorized
• Control resides with the Firewall Control Proxy, and the existing firewall takes care of all of the logging
Benefits:
• Based on an IETF standard
• Leaves the firewall in place
• Offers a separate device to just manage SIP sessions
Problems:
• No companies are currently developing this technology
• There are currently no firewalls that are controllable by an outside agent
• Leaves vulnerabilities on the Firewall Control Proxy which could result in a violation of network security
UPnP • Universal Plug and Play • Proposed by Microsoft • Allows all end points to be controlled by the Microsoft agent
UPnP
Benefits:
• Simple implementation
• Nothing to set up or configure
• Excellent implementation for home users
• Would expand the use of SIP
Problems:
• Limited utility for enterprises of any size
• Cannot handle complex call scenarios
• Solution handles NAT only
• Cannot handle hard phones, only soft clients
• Security of the network controlled by a Windows server
ALG (non-Proxy) SIP-Aware Firewall • Implementation which sits between two hosts and modifies the information flow between them on the fly • ALGs normally do small modifications to the packets
ALG (non-Proxy) SIP-Aware Firewall
Benefits:
• Theoretically faster processing times than proxy-based solutions
• Performs most of the important functions of allowing traversal of the NATed firewall
• Able to dynamically open and close ports for media
Problems:
• Cannot read deeply into the packet headers
• Cannot support encryption (TLS); ALGs see everything in the clear, so modifying authenticated packets is impossible
• Setup of complex call scenarios is a problem
• Current implementations do not support soft clients
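As an added example (not from the presentation or from Ingate), the following Python shows the two operations these slides describe: spotting the RFC 1918 addresses that a SIP client behind a NAT embeds in its signalling and SDP (the exposure noted under STUN), and the small on-the-fly Via/Contact and SDP fix-ups an ALG performs. The SIP INVITE, the private and public addresses and the port mapping are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample INVITE as a softphone behind a NAT would emit it; 192.168.1.20 is an assumed private address.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.20\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

ADDR_PORT = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def private_addresses(msg):
    """RFC 1918 addresses leaked anywhere in the message (signalling or SDP)."""
    ips = (ipaddress.ip_address(m.group(1)) for m in ADDR_PORT.finditer(msg)
           if all(int(o) < 256 for o in m.group(1).split(".")))
    return {str(ip) for ip in ips if any(ip in net for net in RFC1918)}

def _swap(line, private_ip, public_ip, port_map):
    """Replace private_ip[:port] with the NAT's public address and the mapped port."""
    def sub(m):
        if m.group(1) != private_ip:
            return m.group(0)
        port = m.group(2)
        return public_ip if port is None else "%s:%d" % (public_ip, port_map.get(int(port), int(port)))
    return ADDR_PORT.sub(sub, line)

def alg_rewrite(msg, private_ip, public_ip, port_map):
    """ALG-style fix-up: patch Via/Contact headers and the SDP o=/c=/m= lines in place."""
    head, sep, body = msg.partition("\r\n\r\n")
    hdrs = [_swap(l, private_ip, public_ip, port_map)
            if l.split(":", 1)[0].lower() in ("via", "contact") else l
            for l in head.split("\r\n")]
    sdp = []
    for l in body.split("\r\n"):
        if l.startswith(("o=", "c=")):
            l = l.replace(private_ip, public_ip)
        elif l.startswith("m="):           # media port gets the pinhole the ALG opened
            f = l.split()
            f[1] = str(port_map.get(int(f[1]), int(f[1])))
            l = " ".join(f)
        sdp.append(l)
    return "\r\n".join(hdrs) + sep + "\r\n".join(sdp)
```

After the rewrite the Call-ID still carries the private address, since this minimal ALG only touches the routing headers and SDP; that is the kind of residual leak a defender should check for.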
ALG + Proxy SIP-Aware Firewall
• ALG performs the NAT traversal function
• Proxy terminates a packet flow, then reinitiates the flow to the destination address
  • Records the SIP client address to locate it behind the NAT
  • Digest authentication
  • Rewrites headers
• Proxies can look deeply into the header information because the packet stops briefly
  • Inspection of SIP signaling (including Instant Messages)
• Support for Transport Layer Security (TLS)
  • Adds privacy and authentication to communications
  • TLS is being used for adding security to Microsoft Office Live Communications Server, Avaya, Reuters and others
• Can also be used as a separate SIP firewall when all data ports are permanently closed
Benefits:
• Most flexible solution
• Able to support all call scenarios, despite complexity
• Can support servers on the inside of the LAN
• Supports TLS
• Flexible and adaptable
• Offers a backup registration/location server option
• Simple PBX functions can be added
Problems:
• Theoretically slower performance
Real and Complex Scenarios (Diagram: several SIP servers and a SIP/PSTN gateway on the Internet, a TLS link, a firewall/NAT, and a LAN holding an IP phone, a SIP server and an XP soft client.) Sooner or later, the NAT/firewall problem needs to be solved where it occurs. Complications for non-proxy solutions: tight firewalls, call transfer, a SIP server on the LAN, and trusted connections (TLS).