Quintum Confidential and Proprietary 1 Quintum Technologies, Inc. Session Border Controller and VoIP Devices Behind Firewalls Tim Thornton, CTO

Firewalls Not Designed for Voice Applications

Voice and data are separate networks

Firewalls provide a barrier between data networks

Firewall controls inside-out data flow

[Diagram. Labels: Headquarters, Branch Office, PBX (at each site), LAN (at each site), WAN, PSTN]

VoIP Introduces Application Level Issues with Firewalls

VoIP works inside the LAN but has problems across the WAN

Any to Any connectivity means all devices must be on the same network

H.323 and SIP require application intelligence at firewall

[Diagram. Labels: Headquarters, Branch Office, PBX (at each site), LAN (at each site), Tenor Gateway (two), IP Phone, WAN, PSTN, Signaling, Media, "?"]

Solutions Using Existing Firewalls Compromise Network Security

Problems:

• Two-way voice applications require access from outside

• Each VoIP endpoint requires numerous ports to be open through the firewall

• Devices in the DMZ compromise security policies

• Open ports increase vulnerability and allow access into the network topology

[Diagram. Labels: Internet, Gateway, IP Phone, DMZ]

Session Border Controllers Address the VoIP Security Issues

VoIP Network Security

• Provides a single demarcation point for access through the firewall

• Acts as a firewall proxy for VoIP devices inside the LAN

• Allows security policies to remain intact

• Can provide application level control for access (AAA)

Additional Administration Benefits

• Single point at network edge for call routing and call detail recording.

The Session Border Controller Becomes the VoIP Firewall

There are two approaches to supporting VoIP through firewalls:

• Application Aware solutions

    • Session Border Controller acts as VoIP firewall to modify signaling before passing through firewall

    • Integrated Applications-Level firewalls that understand VoIP protocol issues

• Firewall Transparent solution

    • Session Border Controller handles media routing

    • VoIP Endpoints create a signaling tunnel through existing firewall

Application Aware Works with Existing Firewall to Modify VoIP Addressing

Obtains external addressing information through configuration or discovery

NATAccess requires port mapping in the firewall, and the external address is configured.

STUN uses external address obtained from a public server
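
An added illustration of the address rewriting this slide describes, for the case where the external address is configured and the firewall has static port mappings. It is not Quintum's NATAccess code; the SIP message, addresses and port map are constructed, and `rewrite_for_nat` is a hypothetical helper.

```python
import re

# Constructed sample: INVITE from a gateway on a private LAN (RFC 1918 address).
BODY = "\r\n".join([
    "v=0",
    "o=gw 2890844526 2890844526 IN IP4 192.168.1.20",
    "s=call",
    "c=IN IP4 192.168.1.20",
    "t=0 0",
    "m=audio 16384 RTP/AVP 0 18",
    "",
])
INVITE = "\r\n".join([
    "INVITE sip:5551000@sbc.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bKconstructed",
    "Contact: <sip:gw@192.168.1.20:5060>",
    "Content-Type: application/sdp",
    f"Content-Length: {len(BODY)}",
    "",
    BODY,
])

def rewrite_for_nat(msg, internal_ip, external_ip, port_map):
    """Swap the private address and ports an endpoint advertised for the
    firewall's external address and its statically mapped ports.
    An unmapped port raises KeyError: never advertise a port the firewall
    does not forward. Via is left untouched in this sketch."""
    head, _, body = msg.partition("\r\n\r\n")
    # Signaling: Contact is where the far end sends later requests.
    head = re.sub(
        rf"(?mi)^(Contact:[^\r\n]*?){re.escape(internal_ip)}:(\d+)",
        lambda m: f"{m.group(1)}{external_ip}:{port_map[int(m.group(2))]}",
        head)
    # Media: SDP origin/connection addresses and each m= port.
    lines = []
    for line in body.split("\r\n"):
        if line[:2] in ("o=", "c=") and line.endswith("IN IP4 " + internal_ip):
            line = line[:-len(internal_ip)] + external_ip
        elif line.startswith("m="):
            media, port, rest = line[2:].split(" ", 2)
            line = f"m={media} {port_map[int(port)]} {rest}"
        lines.append(line)
    body = "\r\n".join(lines)
    # The body may have changed length, so Content-Length is recomputed.
    head = re.sub(r"(?mi)^Content-Length:[^\r\n]*",
                  f"Content-Length: {len(body.encode())}", head)
    return head + "\r\n\r\n" + body

# Constructed values: 203.0.113.10 is a documentation address (RFC 5737).
PORT_MAP = {5060: 5060, 16384: 30000}
REWRITTEN = rewrite_for_nat(INVITE, "192.168.1.20", "203.0.113.10", PORT_MAP)
```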

[Diagram. Labels: Headquarters, PBX, Gateway, Session Border Controller, NATAccess™, STUN Server, WAN, PSTN]

Firewall Transparent Session Border Controller Works Independent of Existing Firewall

Obtains address information through packet inspection

Endpoints establish a tunnel to SBC

Media is switched through the SBC

[Diagram. Labels: Headquarters, PBX, Gateway, Session Border Controller, WAN, PSTN, Signaling, Media]

Case Study

An International NextGen carrier is using Session Border Controllers at the edge of their network to deploy services to Enterprise customers.

[Diagram. Labels: Kuangdong, Beijing, Internet, Tenor PBX, Tenor CMS, Tenor SBC, IP Phone]

Session Border Controllers at the Edge of the Enterprise Offer Other Opportunities

Configure, manage, and support devices behind the firewall

Troubleshooting and diagnostics

Demarcation points for Service Providers

[Diagram. Labels: Headquarters, PBX, LAN, Gateway, Session Border Controller, Network Management, WAN, PSTN]

Summary

• Advances in VoIP deployment have raised serious concerns that are addressed with Session Border Controllers

• There are a variety of Session Border Controller implementation choices:

    • Application Aware

    • Firewall Transparent

• Session Border Controllers are in the early stages of development and will offer opportunities to provide edge support for network configuration and management
