Transcript SIP-4 - TMCnet

SIP? NAT? NOT!
Traversing the Firewall
for SIP Call Completion
Steven Johnson
President, Ingate Systems Inc.
The Third Wave of the Internet
SMTP created Email
HTTP created the Web
SIP can create universal live IP
Communication person-to-person!
It’s all there – almost…
A single network (IP)
Everyone has a connection
High capacity and good performance
A single protocol (SIP)
But SIP does not traverse common firewalls
and NATs
It’s All There – Almost…
•
•
•
•
A Single Network (IP)
High capacity and good performance
Everyone has a connection
A single protocol - SIP
Firewalls exclude inbound traffic
SIP does not traverse common firewalls and NATs
What’s the difference?
Typical Internet protocol (SMTP, HTTP…)
SERVER
HOST
Internet
SIP (and H.323…) connects person-to-person
PERSON
PERSON
Internet
More than IP Telephony!
SMTP created Email
HTTP created the Web
SIP can create universal live IP
Communication person-to-person!
It’s the Third Wave of the Internet
It’s Presence
It’s Instant
Messaging
4255551212
It’s Video
And it’s voice
A richer communications experience
Converged Networks
Realtime Communications
+ A change in the work paradigm
+ A change in communications style
+ A change in communications tools
= An opportunity for productivity improvement
Connect people, information and
processes in real-time
One Way: VoIP Islands…
Vendor
Headquarters
IP
Partner
IP
Internet
Customer
IP
VPN
Tunnel
Branch Office
Customer
IP
IP
IP
VPN is fine for branch to branch connections
But the goal is global connectivity
The Global All IP Way
SIP-capable firewalls make the difference
Suggested CPE Solutions
STUN  TURN  ICE
–
–
–
–
Can cope with certain types of existing NATs
Complexity has grown in trial to increase reliability/handle more NATs
Needs to be implemented in the SIP clients and servers on the Net
Tight firewalls will not be handled
Dynamically-controlled firewalls/NATs
– Midcom: By Firewall Control Proxy (no activity known at this time)
– UPnP: By the client (Windows) (Microsoft)
ALG (non-Proxy) SIP-aware firewall
– TLS not possible
ALG + Proxy SIP-aware firewall
– General, handles complex scenarios, PBX functionality
Tunnelling - Brings the SIP-client to an operator or a corporate LAN
– Requires ALG for each client on LAN with own address space
–
IPSec, Proprietary
STUN  TURN  ICE
• Evolving ITEF Standard
• Requires client on the inside of the LAN and “reflector” in the network
• Client “pings” the reflector which returns the internal IP address that is
being broadcast by the SIP end point
• Once the internal IP address is known, then all communications carry
that IP address in the header information
STUN  TURN  ICE
Benefits
• Simple solution to NAT traversal
• Offers alternative to home users
and small businesses that don’t
wish to incorporate a full firewall
solution
•
•
•
•
Problems
Exposes the internal IP
addressing scheme
Circumvents the protection
offered by the firewall
Inappropriate for enterprises
and others with valuable
information to protect on their
LAN
Only works for certain types of
NATs
Midcom
• Developing IETF standard for managing controllable firewalls with a
Firewall Control Proxy
• Elegant solution that puts the solution at the point where the problem
occurs
• Firewall Control Proxy would dynamically control the firewall to accept
SIP media only when authorized
• Control resides with the Firewall Control Proxy and the existing firewall
takes care of all of the logging
Midcom
Benefits
• Based on an IETF Standard
• Leaves the firewall in place
• Offers a separate device to just
manage SIP sessions
Problems
• No companies are currently
developing this technology
• There are currently no firewalls
that are controllable by an
outside agent
• Leaves vulnerabilities on the
Firewall Control Proxy which
could result in a violation of
network security
UPnP
• Universal Plug and Play
• Proposed by Microsoft
• Allows all end points to be controlled by the Microsoft
agent
UPnP
•
•
•
•
Benefits
Simple implementation
Nothing to set up or configure
Excellent implementation for
home users
Would expand the use of SIP
•
•
•
•
•
Problems
Limited utility for enterprises of
any size
Cannot handle complex call
scenarios
Solution handles NAT only
Cannot handle hard phones,
only soft clients
Security of the network
controlled by Windows server
ALG (non-Proxy)
SIP-Aware Firewall
• Implementation which sits between two hosts and modifies the
information flow between them on the fly
• ALGs normally do small modifications to the packets
ALG (non-Proxy)
SIP-Aware Firewall
Benefits
• Theoretically faster
processing times than
proxy-based solutions
• Performs most of the
important functions of
allowing traversal of the
NATed firewall
• Able to dynamically open
and close ports for media
•
•
•
•
Problems
Cannot read deeply into
the packet headers
Cannot support encryption
(TLS); ALGs see
everything in the clear so
modifying authenticated
packets is impossible
Setup of complex call
scenarios a problem
Current implementations
do not support soft clients
ALG + Proxy
SIP-Aware Firewall
•
•
ALG performs NAT Traversal Function
Proxy terminates a packet flow, then reinitiates flow to the destination address
– Records SIP client address to locate behind NAT
– Digest authentication
– Rewrites headers
•
Proxies can look deeply into the header information because it stops packet
briefly
– Inspection of SIP signaling (including Instant Messages)
•
Support for Transport Layer Security (TLS)
– Adds privacy and authentication to communications
– TLS is being used for adding security to Microsoft Office Live Communications
Server, Avaya, Reuters and others
•
Can also be used as a separate SIP firewall when all data ports are
permanently closed
ALG + Proxy
SIP-Aware Firewall
•
•
•
•
•
•
•
Benefits
Most flexible solution
Able to support all call
scenarios, despite complexity
Can support servers on the
inside of the LAN
Supports TLS
Flexible and adaptable
Offers a backup registration/
location server option
Simple PBX functions can be
added
Problems
• Theoretically slower
performance
Summary of Advantages
Capability
ALG with Proxy
ALG
Support for TLS
Yes
No
Flexible support for complex
call scenarios
Yes
No
Backup registrar and other
services
Yes
No
Support for soft clients
Yes
No
Real and Complex Scenarios
Internet
IP
TLS
XP
Sooner or later:
SIP
Server 3
SIP
Server 2
SIP/PSTN
Gateway
The NAT/Firewall Problem
needs to be solved
where it occurs
Firewall/NAT
Complications for non-proxy solutions:
LAN
Tight firewalls
Call transfer
SIP
Server 4
IP Phone
SIP
SIP server on the LAN
Trusted connections: TLS
SIP? NAT? NOT!
Traversing the Firewall
for SIP Call Completion
Steven Johnson
President, Ingate Systems Inc.