Page 1

NATs & Firewalls

The General SIP Proxy Firewall

Prepared for: Spring VON 2003

By: Karl Erik Ståhl

President Intertex Data AB

Chairman Ingate Systems AB

[email protected]

© 2003 Intertex Data AB

Page 2

We have a “new” network

[Diagram: IP phones on a SOHO LAN and an enterprise LAN, plus XP and PIM clients, all reaching the Internet through an operator network]

Everyone has a connection…

But do we use it for person to person communication?

Page 3

© 2003 Ingate Systems AB, © 2003 Intertex Data AB

VoIP as we have seen it…

[Diagram: separate IP clouds in Europe and the US, each reaching the PSTN through gateways (toll bypass) and joined only by a VPN tunnel; a softswitch controls the gateways with MGCP]

But no connectivity between the IP clouds!

Page 4

What about universal connectivity?

Wouldn’t that be fine?

[Diagram: a black phone plugs into the PSTN over RJ11; an IP phone plugs into the LAN, intranet and Internet over RJ45]

Page 5

So, why don’t we just connect?

[Diagram: IP phones on SOHO and business LANs behind NAT firewalls (DSL, cable and MTU access), an operator network with NAT, an IAP, XP and PIM clients, a SIP server and a SIP/PSTN gateway to the PSTN; every NAT and firewall box is marked “Firewall/NAT problems!”]

Status until recently: SIP is the protocol for IP communication person to person, BUT IT DOES NOT REACH THE EDGE!

Page 6

What is the difference?

Typical Internet protocol (SMTP, HTTP…): HOST <-> Internet <-> SERVER

SIP (and H.323…) connects person to person: PERSON <-> Internet <-> PERSON

Locate the person - Set up a session - Open real time media streams

Page 7

SIP Firewall Problems

Firewall problems (even with public IP addresses inside):

- Sessions initiated from outside the firewall: OK, open port 5060, but…
- Media streams on dynamically allocated port numbers: Ooops…!

Page 8

SIP NAT/PAT Problems

NAT & PAT problems (worse with private IP addresses inside):

- Where is the device? - Registration/location function
- Private IP addresses and ports in SIP messages - Rewrite with globally routable addresses
- IP address and port of media stream has to be modified - NAT engine has to be dynamically controlled

Page 9

Suggested Solutions

- Dynamically controlled Firewall/NATs
  - Midcom: by Firewall Control Proxy (IETF work)
  - uPnP: by the client (Windows)
- SIP aware Firewall/NATs (SIP Proxy + Registrar): general, handles complex scenarios [Intertex (SOHO), Ingate (enterprise), …]
- SIP aware Firewall/NATs (SIP ALG – non Proxy): TLS not possible
- STUN: can cope with certain types of existing NATs; SIP clients need to get STUN into their SIP stacks; requires STUN servers on the net, RTCP is lost
- Tunnelling: connects SIP clients to an operator or a corporate LAN; requires ALG for each client with NATed address; tunnels by IPsec or proprietary
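The STUN option above is the one a SIP client has to implement itself. The following is an added example, not code from the deck or from Ingate/Intertex: it builds the Binding Request in the RFC 3489 wire format, parses the MAPPED-ADDRESS the server returns, and compares the mappings reported by two servers to decide whether the client's NAT is one of the "certain types" STUN can cope with. The server side (`build_binding_response`) is constructed locally so the exchange runs offline; the addresses are documentation-range values chosen for the example.

```python
"""Added example: STUN Binding exchange (RFC 3489 framing) and the NAT
mapping check a SIP stack needs before it can trust the answer.
Not vendor code; the STUN server reply is constructed here for the test."""
import os
import socket
import struct

BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
MAPPED_ADDRESS = 0x0001      # attribute carrying the source address the server saw
HEADER = "!HH16s"            # message type, message length, 128-bit transaction id


def build_binding_request(transaction_id=None):
    """An empty Binding Request is just the 20-byte header."""
    tid = transaction_id if transaction_id is not None else os.urandom(16)
    return struct.pack(HEADER, BINDING_REQUEST, 0, tid)


def build_binding_response(transaction_id, mapped_ip, mapped_port):
    """What a STUN server on the net sends back (constructed locally here).

    MAPPED-ADDRESS value: 1 pad byte, family (0x01 = IPv4), port, address.
    """
    value = struct.pack("!BBH4s", 0, 0x01, mapped_port, socket.inet_aton(mapped_ip))
    attr = struct.pack("!HH", MAPPED_ADDRESS, len(value)) + value
    return struct.pack(HEADER, BINDING_RESPONSE, len(attr), transaction_id) + attr


def parse_binding_response(data, expected_tid):
    """Return (ip, port) from MAPPED-ADDRESS; reject a wrong type or transaction id,
    so a stray datagram cannot feed the client a bogus public address."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    mtype, length, tid = struct.unpack(HEADER, data[:20])
    if mtype != BINDING_RESPONSE or tid != expected_tid:
        raise ValueError("not the Binding Response we are waiting for")
    body = data[20:20 + length]
    off = 0
    while off + 4 <= len(body):            # walk the TLV attribute list
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        if atype == MAPPED_ADDRESS:
            _, family, port, raw = struct.unpack("!BBH4s", value)
            if family != 0x01:
                raise ValueError("only IPv4 MAPPED-ADDRESS handled here")
            return socket.inet_ntoa(raw), port
        off += 4 + alen
    raise ValueError("no MAPPED-ADDRESS attribute")


def classify_mapping(local, seen_by_a, seen_by_b):
    """Compare the mappings two different STUN servers report for the same socket
    (assumption: the client queried both from one local address/port).

    'open'        - no NAT in the path; the SIP stack can advertise its own address
    'stun-usable' - the NAT gives the same public mapping towards any destination
    'symmetric'   - the mapping depends on the destination; STUN cannot predict
                    what the SIP peer will see, so another traversal method is needed
    """
    if seen_by_a == local:
        return "open"
    if seen_by_a == seen_by_b:
        return "stun-usable"
    return "symmetric"


if __name__ == "__main__":
    tid = os.urandom(16)
    request = build_binding_request(tid)
    # Constructed replies standing in for two servers on the net.
    reply_a = build_binding_response(tid, "203.0.113.9", 61234)
    reply_b = build_binding_response(tid, "203.0.113.9", 61234)
    mapped_a = parse_binding_response(reply_a, tid)
    mapped_b = parse_binding_response(reply_b, tid)
    print("request bytes:", request.hex())
    print("mapped:", mapped_a, "->", classify_mapping(("10.0.0.5", 5060), mapped_a, mapped_b))
```

Even in the "stun-usable" case the client still has the RTCP problem the slide notes: the mapping it learns is for one socket, and the RTP+1 convention for RTCP gives no guarantee that the NAT allocated the adjacent public port.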

Page 10

Adding General SIP Traversal to a Firewall

Important components:

- Firewall & NAT: dynamic firewall engine
- SIP Proxy: SIP proxy server, controlling the firewall
- User Location: SIP registrar, user location information
- Firewall Control Protocol: communication between SIP proxy and firewall
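The three NAT/PAT problems from page 8 and the proxy-controls-firewall design on this page fit in one small model. What follows is an added example, not the Ingate or Intertex implementation: a toy SIP-aware proxy takes an INVITE from a phone on a private LAN, rewrites the RFC 1918 addresses in Via, Contact and the SDP with the firewall's public address, assigns a public RTP/RTCP port pair, and emits the pinholes the dynamic firewall engine must hold open for the call (which is what a static "open port 5060" rule from page 7 cannot do). The INVITE, the public address 198.51.100.7 and the port range 50000-50999 are all constructed for the example; it assumes IPv4, UDP media and a session-level c= line, and skips the Via/Record-Route a real proxy adds for itself.

```python
"""Added example (not Ingate/Intertex code): a toy SIP-aware firewall that
rewrites private addresses in an INVITE and reports the pinholes the
dynamic firewall engine must open. Assumes IPv4, UDP media and a
session-level c= line; a real proxy would also add its own Via/Record-Route."""
import ipaddress
import re

PUBLIC_IP = "198.51.100.7"      # constructed: the firewall's public address

# Constructed sample INVITE from a phone at 10.0.0.5 behind the NAT.
SDP_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.5\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@10.0.0.5:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_PORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def private_addresses(message):
    """Set of RFC 1918 addresses found anywhere in the message (headers or SDP)."""
    found = set()
    for ip in IPV4.findall(message):
        try:
            if any(ipaddress.ip_address(ip) in net for net in RFC1918):
                found.add(ip)
        except ValueError:      # a dotted quad that is not a valid address
            continue
    return found


class PortAllocator:
    """Hands out public RTP/RTCP port pairs from the firewall's media range."""

    def __init__(self, first=50000, last=50999):
        self.next_port, self.last = first, last

    def pair(self):
        if self.next_port + 1 > self.last:
            raise RuntimeError("media port range exhausted")
        rtp = self.next_port
        self.next_port += 2     # RTP on the even port, RTCP on the odd one above it
        return rtp, rtp + 1


def rewrite_for_outside(message, public_ip, allocator):
    """Return (rewritten message, pinholes).

    Each pinhole is (proto, public_ip, public_port, private_ip, private_port):
    a mapping the dynamic firewall engine holds open only while the call lasts.
    """
    head, _, body = message.partition("\r\n\r\n")
    pinholes = []

    # Headers: Via's sent-by host and the Contact URI carry the private address.
    head_lines = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name == "via":
            m = HOST_PORT.search(line)
            if m and m.group(1) in private_addresses(line):
                port = int(m.group(2))
                pinholes.append(("udp", public_ip, port, m.group(1), port))
        if name in ("via", "contact"):
            for ip in private_addresses(line):
                line = line.replace(ip, public_ip)
        head_lines.append(line)

    # SDP: o= and c= carry the private media address, m= the private RTP port.
    media_ip = None
    body_lines = []
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            media_ip = line[len("c=IN IP4 "):]
            line = f"c=IN IP4 {public_ip}"
        elif line.startswith("o="):
            line = IPV4.sub(public_ip, line)
        elif line.startswith("m=") and media_ip is not None:
            fields = line.split(" ")
            private_port = int(fields[1])
            rtp, rtcp = allocator.pair()
            fields[1] = str(rtp)
            line = " ".join(fields)
            pinholes.append(("udp", public_ip, rtp, media_ip, private_port))
            pinholes.append(("udp", public_ip, rtcp, media_ip, private_port + 1))
        body_lines.append(line)
    new_body = "\r\n".join(body_lines)

    # The address rewrite changed the body size, so Content-Length is recomputed.
    head_lines = [f"Content-Length: {len(new_body)}"
                  if h.lower().startswith("content-length:") else h
                  for h in head_lines]
    return "\r\n".join(head_lines) + "\r\n\r\n" + new_body, pinholes


def content_length_matches(message):
    """The check a receiver does: the header value equals the actual body size."""
    head, _, body = message.partition("\r\n\r\n")
    for line in head.split("\r\n"):
        if line.lower().startswith("content-length:"):
            return int(line.split(":", 1)[1]) == len(body)
    return False


if __name__ == "__main__":
    out, holes = rewrite_for_outside(SAMPLE_INVITE, PUBLIC_IP, PortAllocator())
    print(out)
    for hole in holes:
        print("open", hole)
```

The pinhole list is the whole point of the "Firewall Control Protocol" component: the proxy, not a static rule set, decides which media ports are open, for which inside host, and for how long. A SIP ALG that only patches addresses cannot do this once the signalling is under TLS, which is the limitation page 9 notes for the non-proxy variant.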

Page 11

SIP Enabling the Private Networks

[Diagram: the network from page 5 (office or home LAN and enterprise LAN with IP phones, operator network with NAT, DSL/cable/MTU access, IAP, SIP server, SIP/PSTN gateway, PSTN, Internet) with an Ingate Firewall, or an Ingate SIParator in the DMZ, at the enterprise and an Intertex IX66 at the SOHO site; the “Firewall/NAT problems!” marks are replaced by “Firewall/NAT SIP transparency!”]

Page 12

What have we got?

Important components:

- Firewall & NAT: dynamic firewall engine
- SIP Proxy: SIP proxy server, controlling the firewall
- User Location: SIP registrar, user location information
- Firewall Control Protocol: communication between SIP proxy and firewall

In the Ingate and Intertex products: you’ve got a SIP server! Use it just for firewall traversal AND/OR as your

- SIP server
- Outgoing proxy
- Inbound proxy

Page 13

Just Another Internet Service…

[Diagram: SIP across the Internet between the Ingate Linköping LAN and the Intertex Stockholm LAN in Sweden, home office users on a SOHO LAN, and the show floor in San Jose (FWD Booth #301, SIP Forum Booth #210, Booth #520); each site sits behind an IX66 or an Ingate Firewall with a SIParator in the DMZ, with XP clients, DNS SRV and a SIP/PSTN gateway to the PSTN]

Page 14

IP Communications Using IP Networks

- Intranet IP VPN with IP communications
- Domestic and global IP communications
- PBX and PSTN – E.164 resolution

[Diagram: customer premises (PBX, PSTN phone, SIP phone, router, enterprise gateway, firewall, SIP server) connected to the WorldCom public IP network and the WorldCom PSTN through managed services (Vmail, OSS, dialing plans, network GWY, Conf, IM, IN); SIP routing paths for IP VPN, global IP comm, intranet IP comm and others]

Many call routing options:

- Private/Public IP address
- DNS and DNS SRV records
- SIP aware NAT/PAT servers

Henry Sinnreich 4/10/2002

Page 15

IP Communications Using IP Networks

[Diagram: the same WorldCom customer premises picture as page 14, with a SIP capable firewall (Ingate and Intertex, first through SIT) marked on the enterprise LAN]

Integration with existing phones

No IP PBX needed!

Enhanced functionality

Page 16

[Diagram: a firewall in front of a Microsoft Greenwich home server (presence, IM, audio, video, data col.) with a Greenwich edge proxy in the DMZ; presence/IM signalling crosses the firewall over TLS]

Page 17

Product Examples – Ingate Systems AB

Enterprise products:

- Complete firewalls: Firewall & NAT/PAT, SIP Proxy, SIP Registrar
- Add-on to existing firewalls: the SIParator, placed in the DMZ of the existing firewall

Page 18

Product Examples – Intertex Data AB

SOHO products:

- IX66 Internet Gate, with or without ADSL modem built-in
- OEM as: Telia SurfinBird Gate, PowerBit SafeGate
- Review at: www.adslguide.org.uk/hardware/reviews/2002/q1/intertex_ix66-edflc.asp

Page 19

The Intertex IX66 Internet Gate

A closer look

- Firewall & NAT/PAT Router
- SIP Proxy and Registrar
- DHCP Server and Client
- WEB Server for configuration
- Smart Card Reader for security applications
- Optional 802.11b Wireless LAN
- SIP Appliance Control, LAC via expansion port
- Optional ADSL and Splitter built-in

[Photo: IX66 front panel]

Page 20

SIP Capable Firewalls!

Ingate Systems AB, www.ingate.com
Box 10013, Slakthusplan 4, SE-121 26 Stockholm, Sweden
CEO Olle [email protected], Tel +46 8 6007750

Intertex Data AB, www.intertex.se
Rissneleden 45, SE-174 44 Sundbyberg, Sweden
President Karl Erik Ståhl, [email protected], Tel +46 8 6282828