Page 1

The Firewall as a SIP Server

Much more than firewall SIP traversal!

Prepared for: Spring VON 2003, Enterprise Solutions

By: Karl Erik Ståhl, President Intertex Data AB, Chairman Ingate Systems AB, [email protected]

© 2003 Intertex Data AB


Page 2

We have a “new” network

[Diagram: IP phones, XP and PIM clients on SOHO and enterprise LANs, connected through an operator network to the Internet]

Everyone has a connection…

But do we use it for person to person communication?

Page 3

VoIP as we have seen it…

[Diagram: separate IP clouds in Europe and the US, joined only by a VPN tunnel and by gateways to the PSTN (toll bypass); a softswitch controls the gateways via MGCP]

But no connectivity between the IP clouds!

Page 4

What about universal connectivity?

Wouldn’t that be fine?

[Diagram: a black phone with an RJ11 jack on the PSTN next to an IP phone with an RJ45 jack on the LAN, intranet and Internet]

Page 5

We have SIP – Session Initiation Protocol

An Internet Standard: IETF RFC 2543, replaced by the new RFC 3261

Used for real time person to person IP communication:
VoIP, IP telephony
Audio, video, data collaboration
Presence, instant messaging

Lots of activity, ongoing work and development:
http://www.cs.columbia.edu/~hgs/sip/
http://www.sipforum.org
http://www.sipcenter.com
http://www.pulver.com

Page 6

“We need QoS of PSTN…”

3 kHz bandwidth?
Video?
Presence? (draft-ietf-simple-presence-07.txt)
Instant Messaging? (RFC 3428, December 2002)
And more…

Is black telephony all we want?

Page 7

Microsoft is pushing – New RTC is SIP-based

Windows Messenger 4.6 and later has SIP-mode Presence & IM
Voice & Video (XP)
Dial to phone (e.g. 4255551212)
Greenwich includes SIP server with API (3Q3)
Rich SIP APIs – Applications will arise
Tens of millions of RTC (SIP) users within a year

Page 8

The Next Big Usage of the Internet!

SMTP created Email
HTTP created the Web
SIP will create IP Communication person to person!

Page 9

So, why don’t we just connect?

[Diagram: IP phones, XP and PIM clients on SOHO and business LANs behind NAT firewalls, DSL/cable/MTU access and an operator network with NAT; a SIP server, an IAP and a SIP/PSTN gateway to the PSTN on the Internet side. Firewall/NAT problems!]

Status until recently: SIP is the Protocol for IP Communication Person to Person, BUT IT DOES NOT REACH THE EDGE!

Page 10

What is the difference?

Typical Internet protocol (SMTP, HTTP…): HOST – Internet – SERVER

SIP (and H.323…) connects person to person: PERSON – Internet – PERSON

Locate the person - Set up a session - Open real time media streams

Page 11

SIP Firewall Problems

Firewall Problems (even with public IP addresses inside):

Sessions initiated from outside the firewall
- OK, open port 5060, but…

Media streams on dynamically allocated port numbers
- Ooops… !

Page 12

SIP NAT/PAT Problems

NAT & PAT Problems (worse with private IP addresses inside):

Where is the device?
- Registration/location function

Private IP addresses and ports in SIP messages
- Rewrite with globally routable addresses

IP address and port of media stream has to be modified
- NAT engine has to be dynamically controlled

Page 13

Suggested Solutions

Dynamically controlled Firewall/NATs
- Midcom: by Firewall Control Proxy (IETF work)
- uPnP: by the client (Windows)

SIP aware Firewall/NATs (SIP Proxy + Registrar)
- General, handles complex scenarios
- [Intertex (SOHO), Ingate (enterprise), …]

SIP aware Firewall/NATs (SIP ALG – non Proxy)
- TLS not possible

STUN - Can cope with certain types of existing NATs
- SIP clients need to get STUN into their SIP stacks
- Requires STUN servers on the net, RTCP is lost

Tunnelling - Connects SIP clients to an operator or a corporate LAN
- Requires ALG for each client with NATed address
- Tunnels by IPSec or proprietary

Page 14

SIP Enabling the Private Networks

[Diagram: the network from page 9, with "Firewall/NAT problems!" turned into "Firewall/NAT SIP transparency!": an Ingate Firewall on the enterprise LAN, an Ingate SIParator in the DMZ, and Intertex IX66 gateways on office or home LANs, in front of the operator network with NAT, the Internet, the SIP server, the IAP and the SIP/PSTN gateway to the PSTN. An IX66 front panel is shown as product illustration.]

Page 15

Adding General SIP Traversal to a Firewall

Important components:
Firewall & NAT – Dynamic Firewall Engine
SIP Proxy – SIP Proxy Server, controlling the firewall
User Location – SIP Registrar, user location information
Firewall Control Protocol – Communication between SIP Proxy and firewall

What have you got? In the Ingate and Intertex products:
You got a SIP server! Use it just for firewall traversal AND/OR as your
- SIP Server
- Outgoing proxy
- Inbound proxy
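To make pages 11, 12 and 15 concrete, here is an added example (not Ingate or Intertex code) of what a SIP proxy controlling a dynamic firewall engine does with one INVITE: it rewrites the phone's private address in the Via, Contact and SDP lines to the firewall's public address and returns the RTP/RTCP pinholes the firewall has to open. The INVITE, the public address 203.0.113.5 and the even/odd port allocation scheme are constructed assumptions.

```python
import re

# Constructed sample INVITE from a phone on the private LAN, as the SIP proxy
# inside the firewall sees it (RFC 1918 / documentation addresses only).
PRIVATE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)

def sip_nat_rewrite(message, private_ip, public_ip, first_public_port=20000):
    """Rewrite private addresses in SIP headers and SDP; return (message, pinholes).
    pinholes are (public_port, private_ip, private_port) UDP mappings that the
    dynamic firewall engine must open for this session and close when it ends.
    """
    headers, body = message.split("\r\n\r\n", 1)
    pinholes, next_port, hdr_out, sdp_out = [], first_public_port, [], []
    # Signalling: Via and Contact carry the phone's private address; the proxy
    # puts the firewall's public address there so replies come back to it.
    for line in headers.split("\r\n"):
        if line.startswith(("Via:", "Contact:")):
            line = line.replace(private_ip, public_ip)
        hdr_out.append(line)
    # Media: c= carries the media IP, each m= a dynamically chosen port. Every
    # m= line gets a public RTP port (even) plus RTCP one above it, mapped back
    # to the private port pair, so the media streams can traverse the NAT.
    for line in body.split("\r\n"):
        if line.startswith(("c=", "o=")):
            line = line.replace(private_ip, public_ip)
        elif line.startswith("m="):
            media, priv_port, rest = re.match(r"m=(\S+) (\d+) (.*)", line).groups()
            pub_port, next_port = next_port, next_port + 2
            for off in (0, 1):  # RTP, RTCP
                pinholes.append((pub_port + off, private_ip, int(priv_port) + off))
            line = f"m={media} {pub_port} {rest}"
        sdp_out.append(line)
    return "\r\n".join(hdr_out) + "\r\n\r\n" + "\r\n".join(sdp_out), pinholes

if __name__ == "__main__":
    msg, holes = sip_nat_rewrite(PRIVATE_INVITE, "192.168.1.20", "203.0.113.5")
    print(msg)
    print(holes)  # audio RTP/RTCP on 20000/20001, video on 20002/20003
```

A real proxy would also keep these mappings per Call-ID and remove the pinholes when the BYE arrives, which is the "dynamically controlled" part of the firewall engine.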

Page 16

Just Another Internet Service…

[Diagram: show demo network reached over the Internet with DNS SRV: the Ingate Linköping LAN (Ingate Firewall, SIParator in the DMZ, XP client, SIP/PSTN gateway to the PSTN) and the Intertex Stockholm LAN (IX66, XP client) in Sweden; home office users on SOHO LANs behind IX66 gateways; IX66 units at the FWD booth #301, the SIP Forum booth #210 (USA) and booth #520 in San Jose]

Page 17

IP Communications Using IP Networks (Henry Sinnreich, 4/10/2002)

• Intranet IP VPN with IP communications
• Domestic and global IP communications
• PBX and PSTN – E.164 resolution

[Diagram: customer premises with PBX, PSTN phones, SIP phones, IM, a router, an enterprise gateway, a firewall and a SIP server, connected to the WorldCom public IP network (managed services, Vmail, OSS, dialing plans, network gateway, conferencing, IN) and the WorldCom PSTN; SIP routing options: IP VPN, global IP comm, intranet IP comm, other]

Many call routing options:
• Private/Public IP address
• DNS and DNS SRV records
• SIP aware NAT/PAT servers

Page 18

IP Communications Using IP Networks

[Diagram: the same WorldCom picture as on page 17, with the firewall and SIP server on the customer premises' enterprise LAN replaced by a SIP capable firewall (Ingate and Intertex, first through SIT)]

Integration with existing phones
No IP PBX Needed!
Enhanced Functionality

Page 19

[Diagram: a Microsoft Greenwich Home Server (presence, IM, audio, video, data collaboration) on the LAN behind the firewall, with a Greenwich Edge Proxy in the DMZ handling presence and IM, connected over TLS]

Page 20

Product Examples – Ingate Systems AB

Enterprise Products:
Complete Firewalls (Firewall & NAT/PAT, SIP Proxy, SIP Registrar)
Add-on to Existing Firewalls: the SIParator placed in the DMZ of the existing firewall

Page 21

Product Examples – Intertex Data AB

SOHO Products:
IX66 Internet Gate, with or without ADSL modem built-in
OEM as: Telia SurfinBird Gate, PowerBit SafeGate
Review at: www.adslguide.org.uk/hardware/reviews/2002/q1/intertex_ix66-edflc.asp

Page 22

The Intertex IX66 Internet Gate – A closer look

Firewall & NAT/PAT Router
SIP Proxy and Registrar
DHCP Server and Client
WEB Server for configuration
Smart Card Reader for security applications
Optional 802.11b Wireless LAN
SIP Appliance Control, LAC via expansion port
Optional ADSL and Splitter Built-in

[Product photo of the IX66 front panel]

Page 23

SIP Capable Firewalls!

Ingate Systems AB, www.ingate.com
Box 10013, Slakthusplan 4, SE-121 26 Stockholm, Sweden
CEO Olle [email protected], Tel +46 8 6007750

Intertex Data AB, www.intertex.se
Rissneleden 45, SE-174 44 Sundbyberg, Sweden
President Karl Erik Ståhl, [email protected], Tel +46 8 6282828