Intertex Data AB, Sweden


Dealing with NATs and Firewalls!
Prepared for:
Fall VON 2003 Boston
By:
Karl Erik Ståhl
President Intertex Data AB
Chairman Ingate Systems AB
[email protected]
© 2003 Intertex Data AB
Moderator G. Hamilton
1
How do we connect?
[Diagram: non-real-time connection via a SERVER, or real-time connection, across IP, GSM, PSTN, 3G and XP endpoints]
VoIP: Still island interworking over the PSTN!
Just like message handling before mid 90s…
[Diagram: Organization 1 (Email system 1) and Organization 2 (Email system 2), each with email, fax and printer, interconnected only by fax over the PSTN]
Paper was a very compatible media - So is POTS today…
But isn’t it time to move beyond?
We have a global single new network…
[Diagram: one IP network connecting PIM and XP endpoints, an Operator Network, a SOHO LAN and an Enterprise LAN, each with IP Phones]
Everyone has a connection…
…but it is seldom used for person to person communication!
…and we are rapidly moving towards a single protocol!
SIP – Session Initiation Protocol
An Internet Standard
Used for live person-to-person IP Communication
VoIP, IP Telephony
Audio, Video, Data Collaboration
Presence, Instant Messaging
Lots of activity, ongoing work and development
“Everyone” is on the bandwagon: MCI/Worldcom, Microsoft, Nortel, AT&T, Alcatel, Siemens, Sprint…
So There is a Big Potential!
SMTP created Email
HTTP created the Web
SIP can create universal live IP communication person-to-person!
The Next Big Usage of the Internet!
How do we get there?
A. Go beyond replacing sections of the PSTN by IP!
The PSTN is something to interwork with, not the core to build around!
B. Go beyond the “quality” and “services” of the PSTN!
The mobile phone world has shown that there is more than “black telephony”! POTS is 50-100 years old!
C. Get connectivity out to the end users!
Aren’t we there??? THE TICKING BOMB!
So, why don’t we just connect?
SIP is the protocol for live person-to-person communication, BUT IT DOES NOT REACH THE EDGE!
SIP does not traverse common NATs and Firewalls! And they are still being installed…
Everyone has a connection… problems!
[Diagram: SIP server and SIP/PSTN gateway on the public IP network, reached over PSTN, DSL, cable and MTU access; IP phones sit behind an operator network with NAT, a SOHO LAN NAT, a business LAN firewall/NAT and an IAP firewall/NAT]
SIP Firewall Problems
Firewall Problems:
Sessions initiated from outside the firewall
- OK, open port 5060, but…
Media streams on dynamically allocated port numbers
- Ooops…!
Even with public IP addresses inside
SIP NAT/PAT Problems
NAT & PAT Problems:
Where is the device?
- Registration/location function
Private IP addresses and ports in SIP messages
- Rewrite with globally routable addresses
IP address and port of media stream has to be modified
- NAT engine has to be dynamically controlled
Worse with private IP addresses inside
Suggested Solutions
Dynamically controlled Firewall/NATs
- Midcom: By Firewall Control Proxy
- UPnP: By the client (Windows)
SIP aware Firewall/NATs (SIP Proxy + Registrar)
- General, handles complex scenarios, PBX functionality [Intertex (SOHO), Ingate (enterprise), …]
SIP aware Firewall/NATs (SIP ALG – non Proxy)
- TLS not possible
STUN / TURN / ICE: Can cope with certain types of existing NATs
- Complexity has grown in the effort to make them reliable and handle more NATs. Needs to be implemented in the SIP clients and servers on the net. Still, tight firewalls cannot be handled.
Tunnelling - Brings the SIP client to an operator or a corporate LAN
- Requires an ALG for each client on a LAN with its own address space
- IPSec, Proprietary
Adding General SIP Traversal to a Firewall
Important components:
- Firewall & NAT
- Dynamic Firewall Engine
- SIP Proxy Server, controlling the firewall
- SIP Registrar, user location information
- Communication between SIP Proxy and firewall
[Diagram: the SIP Proxy is linked to the firewall by a Firewall Control Protocol and to a User Location store]
In the Ingate and Intertex products: You got a SIP server! Use it just for firewall traversal AND/OR as your
- SIP Server
- Outbound proxy
- Inbound proxy
- PBX (The SIP Switch)
What have you got?
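The address rewriting described on the NAT/PAT slide and the proxy-controlled dynamic firewall engine described here, as an added Python example that is not from the original deck or from the Intertex/Ingate products: the INVITE, the public address 203.0.113.7 and the even/odd RTP/RTCP port allocation starting at 30000 are constructed assumptions.

```python
import re

# Constructed sample INVITE as sent by a phone on a private LAN (addresses are
# illustrative RFC 1918 / documentation ranges, not captured from any product).
PRIVATE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.com>;tag=1928\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 192.168.1.20\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)

PRIVATE_NET = re.compile(
    r"\b(?:10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|172\.(?:1[6-9]|2\d|3[01])\.\d+\.\d+)\b")

def private_refs(msg):
    """Lines still carrying a private address: what the far end would try, and
    fail, to reach if a plain NAT forwarded this message untouched."""
    return [line for line in msg.split("\r\n") if PRIVATE_NET.search(line)]

def sip_traverse(msg, private_ip, public_ip, next_port=30000):
    """Rewrite one outbound SIP message as a SIP-aware firewall's proxy would.
    Returns (rewritten message, pinholes); each pinhole (public_port, private_port)
    tells the dynamic firewall engine to accept RTP on public_port (RTCP on
    public_port + 1) and forward it to private_ip:private_port during the call."""
    head, _, body = msg.partition("\r\n\r\n")
    # Signalling: Via and Contact get the routable address so responses and
    # later in-dialog requests come back through the firewall.
    head = head.replace(private_ip, public_ip)
    pinholes, out = [], []
    for line in body.split("\r\n"):
        if line.startswith(("c=", "o=")):      # media address lines in the SDP
            line = line.replace(private_ip, public_ip)
        elif line.startswith("m="):            # one media stream per m= line
            fields = line.split(" ")
            pinholes.append((next_port, int(fields[1])))
            fields[1] = str(next_port)
            next_port += 2                     # keep RTP even, RTCP = RTP + 1
            line = " ".join(fields)
        out.append(line)
    return head + "\r\n\r\n" + "\r\n".join(out), pinholes
```

The pinhole list is what the firewall must open and later close again; without it the rewritten SDP would advertise ports that the firewall silently drops.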
SIP Enabling the Private Networks
[Diagram: SIP server and SIP/PSTN gateway on the Internet, reached over DSL, cable and MTU access; an Ingate SIParator in an enterprise DMZ, an Ingate Firewall on an enterprise LAN and an Intertex IX66 NAT on an office or home LAN give the IP phones behind them SIP Firewall/NAT transparency, while IP phones behind an operator network with NAT, an ordinary Firewall/NAT and an IAP Firewall/NAT still have SIP problems]
A Future of Live All IP Connectivity
SIP capable firewalls make the difference!
Just Another Internet Service…
[Diagram: demo setup linking the VON Boston booth #421 (XP clients behind an IX66), the Intertex Stockholm LAN (Ingate Firewall, IX66 SOHO LAN, home office users), the Ingate Linköping LAN (Ingate Firewall, SIParator in a DMZ, DNS SRV) and a SIP/PSTN gateway, over the Internet, ENUM and the PSTN between Sweden and the USA]
Use as Your Main SIP Server
Get a DNS entry!
DynDNS if you don’t have a fixed IP address
Your own SIP server ready to go!
Firewall traversal requires NO setup!
Features can be applied to other SIP server domains also
Dial Plan with ENUM and Authentication
Use both URLs and E.164 numbers conveniently
Mimics PBX, e.g. dial 9 for PSTN
ENUM checking before passing to PSTN gateway
User Accounts
Authentication
Forwarding, Forking
Voice mail forwarding
Speed Dial
Mapping of incoming PSTN call
Restriction of Incoming Callers
SPAM calling may need to be controlled…
Allow callers based on various criteria
Or blacklist unwanted (Although easy to bypass)
SIP Capable Firewalls!
See us in booth 421!
Intertex Data AB
www.intertex.se
[email protected]
Intertex Data AB
Rissneleden 45
SE-174 44 Sundbyberg,
Sweden
Tel +46 8 6282828