Intertex Data AB, Sweden VoIP to the Edge: Firewalls - The Missing Link Prepared for:Voice On the Net, Fall 2001 By: Karl Erik Ståhl President Intertex

Intertex Data AB, Sweden

VoIP to the Edge:

Firewalls - The Missing Link

Prepared for: Voice On the Net, Fall 2001

By: Karl Erik Ståhl

President Intertex Data AB

Chairman Ingate Systems AB

[email protected]

© 2001 Intertex Data AB, All Rights Reserved 1Moderator Matt Noah

© 2001 Intertex Data AB, All Rights Reserved Moderator Matt Noah

2

VoIP as we have seen it…

InternetPC

PCWanna talkto me?

Do we want the PC as a phone?

Gateway

Internet

Gateway

STO

LA

Are cheaper phone bills all we want?


3

VoIP as we have seen it…

VoIP between branch offices

Gateway

PSTN

Europe

IP

InternetVPN VPN

USGateway

IP

- But NOT globally to others!


4

Hmm, didn’t we pass this stage…

Paper was a very compatible media - So is POTS today…

But we need to move beyond!

PSTN

email

printer

fax

Organization 1Email system 1

email

Organization 2Email system 2

fax faxfax


5

Time to Get IP Telephony Out to Edge

Wouldn’t that be fine?

Black Phone

RJ45

LAN Intranet Internet

IP Phone

PSTN

RJ11

IAP

Firewall/NAT problems! IP PhoneIP Phone

IP Phone

IP Phone

SIPServer PSTN

SIP/PSTNGateway

Internet

Home LANBusiness LAN

DSLCableMTU

VoIP and SIP Services Out to the Edge

Operator network with NAT

NATFirewall

NAT

XP

PIM

Current status:SIP is the protocol for IP Communication person to person,BUT IT DOES NOT REACH THE EDGE!


7

SIP Firewall Problems

Firewall Problems:

Sessions initiated from outside of the firewall

- OK, open port 5060, but…

Media streams on dynamically allocated port numbers

- Ooops… !Even with public IP addresses inside


8

SIP NAT/PAT Problems

NAT & PAT Problems:Where is the device?

- Registration/location function

Private IP addresses and ports in SIP messages

- Rewrite with globally routable addresses

IP address and port of media stream has to be modified

- NAT engine has to be dynamically controlled

Worse with privateIP addresses inside


9

Suggested Solutions

SIP aware Firewall/NATs (SIP ALG)

[Intertex (SOHO), Ingate (enterprise), …]

Dynamically controlled Firewall/NATs [Aravox, …]• Midcom: By Firewall Control Proxy [Dynamicsoft…]• uPnP: By the client (Windows) [Microsoft]

Modifying the SIP protocol

Draft in progress: http://www.ietf.org/internet-drafts/

draft-rosenberg-sip-entfw-02.txt


10

Adding SIP Support to a Firewall

Important components:

Dynamic Firewall Engine

SIP Proxy Server, controlling the firewall

SIP Registrar, user location information

Communication between SIP Proxy and firewall SIP

Proxy

Firewall & NAT

FirewallControl

Protocol

UserLocation


11

NAT Friendly SIP Draft

IP Phone

LAN

NAT

SIPRegistrar

Not easy!All SIP clientsneed upgrade IP Phone

SIPBounceServer

LAN

FirewallNATRTP

If both parties are behind firewalls, RTP streams must bounce through a server

RTP

RTP media streams always start from inside

Keep registrar NAT path (TCP or UDP) always open by frequent registrations

SIGNALING

Route new signalling through this open path

Firewall/NAT problems!

Firewall/NAT SIP transparency! IP PhoneIP Phone

IP Phone

IP Phone

SIPServer PSTN

SIP/PSTNGateway

Operator network with NAT

Internet

Home LAN

NATFirewall

NAT

Business LAN

DSLCableMTU

DMZinGateSIParator

SIP Enabling the Private Networks

inGateFirewall

IP Phone IP Phone

IP Phone

SELECT

SET ALT CFG E T 1

A I

R

U S B

E T 2

W A N

T X D

R X D

ADR CFG DHP RST LQ

TX RX

SC IX66

IAP


13

Product Examples – Ingate Systems AB

A Complete Firewall An add-on to an Existing Firewall

inGateFirewall

DMZinGateSIParator

Existing Firewall

Firewall & NAT/PAT SIP Proxy SIP Registrar

Enterprise Products


14

Product Examples – Intertex Data AB

IX66 Internet Gate with or withoutADSL modem built-in

OEM as: Telia SurfinBird Gate PowerBit SafeGate

SOHO Products


15

The Intertex IX66 Internet Gate

A closer look

Firewall & NAT/PAT SIP Proxy and Registrar DHCP Server and Client WEB Server for configuration SIP Appliance Control, LAC via expansion port

SELECT

SET ALT CFG E T 1

A I

R

U S B

E T 2

W A N

T X D

R X D

ADR CFG DHP RST LQ

TX RX

SC


16

The Intertex IX66 Internet Gate

Goodies

Two Ethernet and one USB port Expansion port, e.g. for appliance control Smart Card Reader Upgradeable

ON DC USB ET2 ET1 EXP LINE PHONE

Optional ADSL Built-in


17

See Intertex and inGate!

SIP Enabled Firewalls!

Ingate Systems ABwww.ingate.comLundagatan 31 SE-117 27 Stockholm, SwedenCEO Olle [email protected] Tel +46 8 720 89 31

Booth #724 Booth #722

Intertex Data ABwww.intertex.seRissneleden 45 SE-174 44 Sundbyberg, SwedenPresident Karl Erik Stå[email protected] Tel +46 8 6282828

Documents

Intertex Data AB, Sweden VoIP to the Edge: Firewalls - The Missing Link Prepared for:Voice On the Net, Fall 2001 By: Karl Erik Ståhl President Intertex