© 2001 Intertex Data AB, All Rights Reserved Spring VON 2001 Demo 1

Intertex Data AB, Sweden

IX66 Internet GateA Firewall with SIP Support

Prepared for: Voice On the Net DEMO, Spring 2001 By: Henrik Bergstrom

Research and Development Intertex Data ABhenrik.bergstrom@intertex.se

© 2001 Intertex Data AB, All Rights Reserved Spring VON 2001 Demo 2

Demo Setup

Internet(public addresses)

PSTN

GSM

LAN(private addresses)

SIPHome

AppliancesController

© 2001 Intertex Data AB, All Rights Reserved Spring VON 2001 Demo 3

SIP to GSM through Firewall

LANPSTN

Gateway

InternetInternet

PSTN

Firewall/NAT

SIPProxy

Registrar

SIPServer

GSMGateway

Dialling:lars@siplab.net

Dynamic session setup

siplab.net

SIP forwarding

RINGING!

© 2001 Intertex Data AB, All Rights Reserved Spring VON 2001 Demo 4

SIP to SIP through Firewall

Internet(public addresses)

LAN(private addresses)

REGISTER

OUTBOUND CALL

INBOUND CALL

© 2001 Intertex Data AB, All Rights Reserved Spring VON 2001 Demo 5

SIP Home Appliances ControlDO sip:lamp@207.137.6.52<Device>lamp</Device><Action>power on</Action>

Internet(Ethernet)

LAN(Ethernet)InternetInternet

SIPServer

siplab.net SIPHome

AppliancesController

SIP

SIP

© 2001 Intertex Data AB, All Rights Reserved Spring VON 2001 Demo 6

”Media Proxy” Setup

InternetInternetNon

SIP capable

firewall

DMZ

LANWAN

Media streams

and

SIP signalling

SIP capable firewall

© 2001 Intertex Data AB, All Rights Reserved Spring VON 2001 Demo 7

SIP Capable Firewall functionality

General Dynamic control of access lists (“holes”), based

on SIP and SDP data Session statefulness, e.g. to track end of call Understanding of security issues in SIP, i.e.

don’t allow everything in the protocol

Additional for NAT (Network Addr. Translation) Rewriting of SIP and SDP data Media stream translation

© 2001 Intertex Data AB, All Rights Reserved Spring VON 2001 Demo 8

Accessing Protected Devices

Firewall Problems:

• Sessions initiated from outside of the firewall- OK, open port 5060, but…

• Media streams on dynamically allocated port numbers- Ooops… !

Even with public IP addresses inside

© 2001 Intertex Data AB, All Rights Reserved Spring VON 2001 Demo 9

Accessing Protected Devices

NAT & PAT Problems:• Where is the device?

- Registration/location function

• Private IP addresses and ports in SIP messages- Rewrite with globally routable addresses

• IP address and port of media stream has to be modified- NAT engine has to be dynamically controlled

Worse with privateIP addresses inside

© 2001 Intertex Data AB, All Rights Reserved Spring VON 2001 Demo 10

Home Appliances Control

Control your temperature, refrigerator, alarm, toaster and more…

An extension to SIP in progress See www.research.telcordia.com/iapp/ http://search.ietf.org/internet-drafts/draft-moyer-

sip-appliances-framework-01.txt

Submitted to OSGI See http://www.osgi.org

© 2001 Intertex Data AB, All Rights Reserved Spring VON 2001 Demo 11

The Intertex IX66 Internet Gate

As Internet Gate ”only” or with integrated ADSL modem

The Intertex IX66 series OEM as:

• PowerBit• Telia SurfinBird

© 2001 Intertex Data AB, All Rights Reserved Spring VON 2001 Demo 12

The Intertex IX66 Internet Gate

A closer look

Firewall & NAT/PAT SIP Proxy and Registrar DHCP Server WEB Server for configuration Appliance control, LAC via expansion port

SELECT

SET ALT CFG E T 1

A I

R

U S B

E T 2

W A N

T X D

R X D

ADR CFG DHP RST LQ

TX RX

SC

© 2001 Intertex Data AB, All Rights Reserved Spring VON 2001 Demo 13

The Intertex IX66 Internet Gate

Goodies

Two Ethernet and one USB port Expansion port, e.g. for appliance control Smart Card Reader Upgradeable And more…

ON DC USB ET2 ET1 EXP LINE PHONE

Optional ADSL Built-in

© 2001 Intertex Data AB, All Rights Reserved Spring VON 2001 Demo 14

SIP Capable Firewalls

Products from Intertex

IX66 for the SOHO market, with or without ADSL

Linux based firewall for larger LANs

Linux based Media Proxy as an add on to existing firewalls. Handles large systems.