07093eb86970182606650d2aeba1ba9f.ppt
- Number of slides: 16
Talking NATs & Firewalls
Prepared for: Voice On the Net, Spring 2002
By: Karl Erik Ståhl, President, Intertex Data AB; Chairman, Ingate Systems AB
karl.stahl@intertex.se
Intertex Data AB, Sweden
© 2002 Intertex Data AB   Moderator: Scott Wharton
VoIP as we have seen it…
Do we want the PC as a phone? (Diagram: PC to PC over the Internet, "Wanna talk to me?")
Are cheaper phone bills all we want? (Diagram: gateway to gateway over the Internet, STO to LA)
VoIP as we have seen it…
Diagram: PSTN in Europe and the US, connected by gateways over an IP VPN across the Internet.
VoIP between branch offices - but NOT globally to others!
Hmm, didn't we pass this stage…
Diagram: Organization 1 (email system 1) and Organization 2 (email system 2) exchanging documents by fax, printer and email over the PSTN.
Paper was a very compatible media - so is POTS today… But we need to move beyond!
VoIP and SIP Services Out to the Edge
Status until now: SIP is the protocol for person-to-person IP communication, with SIP/PSTN gateways - BUT IT DOES NOT REACH THE EDGE!
Diagram: SIP server, SIP/PSTN gateway and PIM on the Internet; IP phones and XP clients on a home LAN, a business LAN, an MTU and an operator network with NAT, all reached through DSL, cable or an IAP and sitting behind firewalls/NATs - Firewall/NAT problems!
SIP Firewall Problems (even with public IP addresses inside):
- Sessions initiated from outside the firewall - OK, open port 5060, but…
- Media streams on dynamically allocated port numbers - Ooops…!
SIP NAT/PAT Problems (worse with private IP addresses inside):
- Where is the device? - Registration/location function
- Private IP addresses and ports in SIP messages - Rewrite with globally routable addresses
- IP address and port of media stream has to be modified - NAT engine has to be dynamically controlled
Suggested Solutions
- Dynamically controlled Firewall/NATs [Aravox, …]
  - Midcom: by Firewall Control Proxy [Dynamicsoft…]
  - UPnP: by the client (Windows) [Microsoft]
- SIP aware Firewall/NATs (SIP Proxy + Registrar) [Intertex (SOHO), Ingate (enterprise), …]
- SIP aware Firewall/NATs (SIP ALG) [Cisco, …: client location?, TLS not possible]
- Modifying the SIP protocol, drafts in progress:
  - draft-rosenberg-sipping-nat-scenarios-00.txt
  - draft-rosenberg-midcom-stun-01.txt
  - draft-ietf-sip-nat-01.txt
Adding SIP Support to a Firewall
Important components:
- Firewall & NAT
- Dynamic Firewall Engine
- SIP Proxy Server, controlling the firewall
- SIP Registrar, user location information
- Communication between SIP Proxy and firewall (Firewall Control Protocol)
Diagram: SIP Proxy with User Location, connected to the Firewall & NAT through the Firewall Control Protocol.
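The rewrites that the two preceding slides say a SIP-aware firewall/NAT has to perform (globally routable addresses in the signalling, modified media address and port, and a dynamically controlled NAT engine), as an added Python example that is not part of the original deck and not Intertex or Ingate code. The INVITE, the private and public addresses and the port numbers are constructed for illustration.

```python
import re

# Constructed sample: an INVITE sent by a phone on a private LAN
# (192.168.1.20) behind a NAT whose public address is 203.0.113.5.
PRIVATE_IP, PUBLIC_IP = "192.168.1.20", "203.0.113.5"
SDP = (
    "v=0\r\no=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\ns=-\r\n"
    "c=IN IP4 192.168.1.20\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.org>;tag=1928\r\nTo: <sip:bob@example.org>\r\n"
    "Call-ID: a84b4c76e66710\r\nCSeq: 1 INVITE\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP)}\r\n\r\n" + SDP
)


def sip_aware_nat(msg, private_ip, public_ip, first_public_port=30000):
    """Rewrite an outbound SIP message the way a SIP-aware firewall/NAT must.
    Returns (rewritten message, pinholes the NAT engine has to open), where a
    pinhole is ("udp", (public_ip, public_port), (private_ip, private_port))."""
    head, _, body = msg.partition("\r\n\r\n")
    addr = re.compile(r"\b" + re.escape(private_ip) + r"\b")
    # Signalling: Via and Contact advertise the private address, so the far end
    # would otherwise route responses and later requests to 192.168.x.x.
    head = addr.sub(public_ip, head)
    pinholes, lines, next_port = [], [], first_public_port
    for line in body.split("\r\n"):
        if line.startswith(("c=", "o=")):
            # Media connection address must be the NAT's public address.
            line = addr.sub(public_ip, line)
        elif line.startswith("m="):
            # The media port was chosen dynamically by the phone: allocate a
            # public port pair (RTP, RTCP = RTP+1), rewrite the m= line and
            # record the mapping so the firewall is opened before RTP flows.
            parts = line.split(" ")
            priv_port, pub_port, next_port = int(parts[1]), next_port, next_port + 2
            parts[1] = str(pub_port)
            line = " ".join(parts)
            for off in (0, 1):
                pinholes.append(("udp", (public_ip, pub_port + off),
                                 (private_ip, priv_port + off)))
        lines.append(line)
    body = "\r\n".join(lines)
    # The SDP changed length, so Content-Length must be recomputed.
    head = re.sub(r"(?im)^Content-Length:\s*\d+", f"Content-Length: {len(body)}", head)
    return head + "\r\n\r\n" + body, pinholes
```

A plain packet-filtering NAT never sees the SDP body, which is why the media ports stay closed; the returned pinhole list is exactly what the slide's firewall control protocol has to carry from the SIP proxy to the firewall engine.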
NAT Friendly SIP Draft
Diagram: SIP registrar, STUN server and RTP proxy on the Internet; IP phone on the LAN behind a firewall/NAT; signalling and RTP paths through the NAT. Mods to SIP and SDP; SIP clients need upgrade; new servers.
- Use STUN to find out how the client "looks" from outside on the net
- Keep the registrar NAT path (TCP or UDP) always open by frequent registrations
- Route new signalling through this open path
- RTP media streams always start from inside + symmetric
- For some NATs, if both parties are behind firewalls, RTP streams must bounce through a server
SIP Enabling the Private Networks
Diagram: the same network as on the "Out to the Edge" slide (Internet with SIP server and SIP/PSTN gateway; home LAN, business LAN, MTU and operator network with NAT reached via DSL, cable or IAP), now with an inGate SIParator in the DMZ, an inGate Firewall on the business LAN and an IX66 NAT on the home LAN - SIP Firewall/NAT transparency instead of Firewall/NAT problems!
IP Communications Using IP Networks (Henry Sinnreich, 4/10/2002)
Diagram: SIP server (IM, conferencing, voicemail, OSS, …other…) and global IP communications on the WorldCom public IP network with SIP routing and IN dialing plans; customer premises with SIP phone, router/firewall, PBX and PSTN phone; intranet IP communications over an IP VPN; enterprise gateway, network gateway and managed services towards the WorldCom PSTN.
Many call routing options:
- Private/Public IP address
- DNS and DNS SRV records
- SIP aware NAT/PAT servers
- Intranet IP VPN with IP communications
- Domestic and global IP communications
- PBX and PSTN - E.164 resolution
IP Communications Using IP Networks (continued)
Diagram as on the previous slide, with a SIP capable firewall on the enterprise LAN (Ingate and Intertex first through SIT): enhanced functionality, no IP PBX needed, integration with existing phones (PBX and PSTN phone).
Product Examples - Ingate Systems AB Enterprise Products
- 1400: a complete firewall
- SIParator 40: an add-on to an existing firewall (placed in the DMZ)
Components: Firewall & NAT/PAT, SIP Proxy, SIP Registrar
Product Examples - Intertex Data AB SOHO Products
IX66 Internet Gate, with or without ADSL modem built in. OEM as: Telia SurfinBird Gate, PowerBit SafeGate.
Review at: www.adslguide.org.uk/hardware/reviews/2002/q1/intertex_ix66-edflc.asp
See Intertex and inGate! Booth #400 - SIP Capable Firewalls!
Intertex Data AB, www.intertex.se, Rissneleden 45, SE-174 44 Sundbyberg, Sweden. President Karl Erik Ståhl, karl.stahl@intertex.se, Tel +46 8 6282828
Ingate Systems AB, www.ingate.com, Box 10013, Slakthusplan 4, SE-121 26 Stockholm, Sweden. CEO Olle Westerberg, olle.westerberg@ingate.com, Tel +46 8 6007750