
Presents 2005 IMTC Forum

Presents 2005 IMTC Forum. NAT/Firewall traversal: overcoming secure visual communication obstacles! Presented by Patrick Luthi, TANDBERG. Agenda: today’s obstacles; what solutions?; the solution: NAT/firewall traversal; an ITU standard is coming!; new opportunities, new markets.


Presentation Transcript


  1. Presents 2005 IMTC Forum

  2. NAT/Firewall traversal: overcoming secure visual communication obstacles!
  Presented by Patrick Luthi, TANDBERG

  3. Agenda
  • Today’s obstacles
  • What solutions?
  • The solution: NAT/firewall traversal
  • An ITU standard is coming!
  • New opportunities, new markets
  IMTC Forum – May 2005 – Eibsee, Germany

  4. Calling outside the enterprise LAN
  • IP is used within the enterprise
  • ISDN is used to call outside the enterprise
  [Diagram: two enterprise LANs, each with an MCU and a gatekeeper, connected to each other over ISDN through gateways (GW)]

  5. IP End-to-End
  • ISDN is expensive and not available everywhere
  • IP is widely available and affordable
  • The enterprise has IP already – for data
  • So why not use IP for video, end-to-end?
  [Diagram: the same two enterprises (MCU, gatekeeper, LAN) with a question mark over a direct IP path beside the existing ISDN gateways]

  6. Network Address Translation: the Challenge
  • Organizations use private addressing schemes and share a public address
  • Outside terminals cannot reach those private addresses
  • The translation function is widely relied on as a security feature
  • Address translation typically applies to packet headers, but not to the protocol carried inside the packets (H.245, etc.)
  [Diagram: enterprise IP network with MCU and gatekeeper; addresses shown: 142.2.3.65, 192.168.2.33, 62.122.1.14]
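As an added illustration of the last two bullets (not part of the presentation): a small Python model of a NAT that rewrites only the packet header and leaves the address carried in the H.245 payload untouched, beside the application-level-gateway behaviour listed on slide 9 that also rewrites the payload. The `Packet` model, the port numbers, and the assignment of 192.168.2.33 as the private endpoint, 62.122.1.14 as the enterprise's public address and 142.2.3.65 as the outside MCU are assumptions made for the example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address

# Constructed model. Roles assumed for the slide's addresses: 192.168.2.33 is the
# private endpoint, 62.122.1.14 the enterprise's public NAT address, 142.2.3.65
# the outside MCU the call is placed to.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    media_ip: str     # transport address carried inside the H.245 payload (modelled as a field)
    media_port: int


class Nat:
    """Port-translating NAT: one public address shared by all private hosts."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.bindings = {}   # (private ip, private port) -> public port

    def _bind(self, ip, port):
        key = (ip, port)
        if key not in self.bindings:
            self.bindings[key] = self.next_port
            self.next_port += 1
        return self.bindings[key]

    def outbound(self, pkt):
        """Header-only translation, as on the slide: the H.245 payload is not touched."""
        return replace(pkt, src_ip=self.public_ip,
                       src_port=self._bind(pkt.src_ip, pkt.src_port))

    def outbound_with_alg(self, pkt):
        """Application level gateway behaviour (slide 9): the payload address is
        translated as well, which is why an ALG must understand the protocol."""
        hdr = self.outbound(pkt)
        if ip_address(pkt.media_ip).is_private:
            return replace(hdr, media_ip=self.public_ip,
                           media_port=self._bind(pkt.media_ip, pkt.media_port))
        return hdr


def media_unreachable_from_outside(pkt):
    """True when the payload asks the remote side to send media to a private
    address while the header already shows a public source: signalling gets
    through, but the media never arrives."""
    return (ip_address(pkt.media_ip).is_private
            and not ip_address(pkt.src_ip).is_private)
```

The same check can be run over captured H.245 OpenLogicalChannel addresses on the outside of the NAT to confirm whether a traversal solution is actually rewriting payloads.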

  7. The Firewall Problem
  • Rules that allow everyone to connect to everyone else are unusual and unwelcome to the security administrator.
  • Unsolicited incoming connections are typically not allowed
  • A firewall can be “opened” for video calls, but this results in either loss of features (such as encryption) or reduced security
  • IP communication protocols use a wide range of network ports
  [Diagram: enterprise LAN with MCU and gatekeeper behind a firewall, facing the public IP network]

  8. What solutions?
  • No firewall, no NAT (public IP address)
    • Endpoints are on the public internet and have no protection
  • VPN to connect separate locations
    • Typically used for intra-company communications, not for inter-company
    • May not be configured to handle H.323 random port assignments
  • ISDN Gateway
    • Removes the cost advantage of IP
    • ISDN not available everywhere
  • Proprietary protocols
    • Don’t interoperate with each other
  • Stand-alone or Gatekeeper Proxy
    • Requires access to every NAT/FW on the call path for successful implementation
    • IP address published
    • Permanent inbound connection to proxy server required

  9. What solutions?
  • Application Level Gateway
    • Requires access to every NAT/FW on the call path for successful implementation
    • Firewall/NAT upgrade likely required
    • Additional processing on firewall
    • IP address of firewall/router published to all callers
    • Permanent inbound connection required
  • MIDCOM, a protocol to let an outside box issue commands to open and close ports on the firewall
    • Complex and unproven standard still in development
    • Requires access to every NAT/Firewall on the call path for successful implementation
    • Firewall & router upgrade required
    • IP address published, permanent inbound connection required
  • ICE (Interactive Connectivity Establishment), a methodology for NAT traversal
    • Still in development, makes use of existing protocols (STUN, TURN, RSIP)
    • Works only for SIP

  10. The Solution
  • Embedded in endpoints
  • Extremely simple to deploy
  • Secure tunnelling of H.323 calls through any firewall
  • No features are lost – works with H.264, MPEG-4, AES, H.239, etc.
  • Border controller provides traversal for ALL other H.323 endpoints and MCUs
  • Result
    • Allows secure traversal of ANY firewall
    • The firewall only needs to allow connections between the solution components
    • The Border Controller and endpoints are designed to use a very small number of registered ports
    • Provides a solution for ANY standards-based H.323 endpoint

  11. The Solution
  • The Border Controller allows secure traversal through any firewall
  • The Border Controller might be hosted by a service provider, or hosted in an enterprise DMZ along with the enterprise mail and web proxies
  [Diagram: Border Controller placed between the Internet and the enterprise firewall]

  12. The Solution
  • Enhanced Endpoint and Border Controller create a route through the firewall
  • Enhanced Endpoint connects to the outside world through the Border Controller
  [Diagram: Enhanced Endpoint behind the firewall, Border Controller on the Internet side; outbound call path from the endpoint through the Border Controller]

  13. The Solution
  • Enhanced Endpoint and Border Controller create a route through the firewall
  • The outside world calls through the Border Controller
  [Diagram: Enhanced Endpoint behind the firewall, Border Controller on the Internet side; inbound call path from the Internet through the Border Controller to the endpoint]

  14. The TANDBERG Solution
  • TANDBERG Gatekeeper and Border Controller create a route through the firewall
  • The gatekeeper provides routing on behalf of all endpoints that are registered to the gatekeeper
  • MXP and Border Controller create a route through the firewall
  • MXP connects to the outside world through the Border Controller
  [Diagram, two panels: “TANDBERG MXP Endpoints” (MXP Endpoint, Firewall, Border Controller, Internet) and “All Other H.323 Endpoints” (TANDBERG Gatekeeper, Firewall, Border Controller, Internet)]

  15. An ITU standard is coming
  • ITU-T Question 5/16 has been tasked to find a solution.
  • Conferencing manufacturers are working together to produce a standard.
  • TANDBERG is the editor of H.FANTAS (Firewall and NAT Traversal Applying Signalling), which will be one of the key elements of the NAT/firewall standards suite.

  16. New Opportunities
  • The ability to traverse firewalls in a secure way opens up a number of new opportunities and markets
  • Telecommuters, home workers and small offices
    • Enhanced endpoints register with the Border Controller as if the Border Controller were the enterprise Gatekeeper
  • Video-enable branch offices
    • The enterprise and its branch offices share a common dial plan; the Border Controllers at the branches are connected
  • Supply chain, enterprise-to-enterprise
    • Enterprises do not share dial plans. Solution: use DNS-based dialing – the same mechanism used for web browsing and email
  • Imagine bringing a videophone to a customer’s office for a demo, plugging it into the LAN, and placing a call through the firewall

  17. Thank you!
