Intertex Data AB, Sweden
NATs & Firewalls
The General SIP Proxy Firewall
Prepared for: Spring VON 2003
By: Karl Erik Ståhl
President Intertex Data AB
Chairman Ingate Systems AB
[email protected]
© 2003 Intertex Data AB
1
We have a “new” network
[Diagram: IP phones, a PIM and an XP client on a SOHO LAN, an enterprise LAN and an operator network, all connected to the Internet]
Everyone has a connection…
But do we use it for person to person communication?
VoIP as we have seen it…
[Diagram: two IP clouds (US and Europe), each with a gateway and a soft switch (MGCP), connected to the PSTN for toll bypass and to each other only by a VPN tunnel]
But no connectivity between the IP clouds!
© 2003 Ingate Systems AB, © 2003 Intertex Data AB
What about universal connectivity?
[Diagram: a black phone on RJ11 to the PSTN beside an IP phone on RJ45 to the LAN, the intranet and the Internet]
Wouldn’t that be fine?
So, why don’t we just connect?
Status until recently: SIP is the Protocol for IP Communication, Person to Person, BUT IT DOES NOT REACH THE EDGE!
[Diagram: a SIP server and a SIP/PSTN gateway on the Internet; IP phones, a PIM and an XP client on SOHO and business LANs, an IAP and an operator network with NAT (DSL, cable, MTU) sit behind firewalls and NATs, labelled "Firewall/NAT problems!"]
What is the difference?
Typical Internet protocol (SMTP, HTTP…): a host connects to a server across the Internet
SIP (and H.323…) connects person to person across the Internet
Locate the person - Set up a session - Open real time media streams
SIP Firewall Problems
Firewall Problems:
Sessions initiated from outside the firewall
- OK, open port 5060, but…
Media streams on dynamically allocated port numbers
- Ooops… !
Even with public IP addresses inside
SIP NAT/PAT Problems
NAT & PAT Problems:
Where is the device?
- Registration/location function
Private IP addresses and ports in SIP messages
- Rewrite with globally routable addresses
IP address and port of media stream has to be modified
- NAT engine has to be dynamically controlled
Worse with private IP addresses inside
Suggested Solutions
Dynamically controlled Firewall/NATs
- Midcom: By Firewall Control Proxy (IETF work)
- uPnP: By the client (Windows)
SIP aware Firewall/NATs (SIP Proxy + Registrar)
- General, handles complex scenarios [Intertex (SOHO), Ingate (enterprise), …]
SIP aware Firewall/NATs (SIP ALG – non Proxy)
- TLS not possible
STUN - Can cope with certain types of existing NATs
- SIP clients need to get STUN into their SIP stacks
- Requires STUN servers on the net, RTCP is lost
Tunnelling - Connects SIP clients to an operator or a corporate LAN
- Requires ALG for each client with NATed address
- Tunnels by IPSec or proprietary
Adding General SIP Traversal to a Firewall
Important components:
Firewall & NAT
- Dynamic Firewall Engine
SIP Proxy Server, controlling the firewall
SIP Registrar, user location information
Firewall Control Protocol
- Communication between SIP Proxy and firewall
[Diagram: the SIP Proxy, with its User Location data, controls the Firewall & NAT over the Firewall Control Protocol]
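As an added example (not code from the deck or from the Ingate/Intertex products), this Python sketch shows what the two slides above ask of a SIP proxy on the firewall when an INVITE leaves the LAN: rewrite the private addresses in Via, Contact and the SDP, and hand the dynamic firewall engine the exact media bindings to open. The LAN prefix, the public address, the port pool and the INVITE itself are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: an INVITE from a phone at private 192.168.1.20 behind the
# NAT. 203.0.113.10 is the firewall's assumed public address; both are made up.
LAN = ip_network("192.168.1.0/24")
PUBLIC_IP = "203.0.113.10"
INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776\r\n"
          "Contact: <sip:alice@192.168.1.20:5060>\r\n"
          "Content-Type: application/sdp\r\nContent-Length: 86\r\n\r\n"
          "v=0\r\no=alice 1 1 IN IP4 192.168.1.20\r\n"
          "c=IN IP4 192.168.1.20\r\nm=audio 49170 RTP/AVP 0\r\n")
ADDR = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?")

def proxy_rewrite(msg, lan=LAN, public_ip=PUBLIC_IP, first_port=20000):
    """Rewrite LAN addresses as the proxy on the firewall would; return the new
    message and the (lan_ip, lan_port, public_port) media bindings to open."""
    head, body = msg.split("\r\n\r\n", 1)
    bindings, next_port = [], first_port   # public media port pool (constructed)

    def to_public(m):
        if ip_address(m.group(1)) not in lan:
            return m.group(0)
        return public_ip + (":" + m.group(2) if m.group(2) else "")

    # Via and Contact must name the proxy so responses and later requests reach it
    headers = [ADDR.sub(to_public, h) if h.startswith(("Via:", "Contact:")) else h
               for h in head.split("\r\n")]
    sdp, media_ip = [], None
    for ln in body.split("\r\n"):
        if ln.startswith("c=IN IP4 ") and ip_address(ln[9:]) in lan:
            media_ip, ln = ln[9:], "c=IN IP4 " + public_ip
        elif ln.startswith("m=") and media_ip:
            f = ln.split()
            # open RTP (even port) and RTCP (port + 1) as one pair; a STUN-only
            # client cannot guarantee adjacent public ports, one reason RTCP is lost
            for k in range(2):
                bindings.append((media_ip, int(f[1]) + k, next_port + k))
            f[1], next_port = str(next_port), next_port + 2
            ln = " ".join(f)
        sdp.append(ln)
    new_body = "\r\n".join(sdp)
    # the body may have changed size, so Content-Length is recomputed
    headers = [f"Content-Length: {len(new_body)}" if h.startswith("Content-Length:")
               else h for h in headers]
    return "\r\n".join(headers) + "\r\n\r\n" + new_body, bindings
```

The bindings list is what the Firewall Control Protocol would carry to the firewall engine: only the negotiated RTP/RTCP pair is opened, for this call only, instead of a standing range of UDP ports.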
SIP Enabling the Private Networks
[Diagram: the same network as before, now with an Ingate SIParator in the enterprise DMZ, an Ingate Firewall on the enterprise LAN and an Intertex IX66 on the office or home LAN; the "Firewall/NAT problems!" labels have become "SIP Firewall/NAT transparency!"]
What have we got?
Important components:
Firewall & NAT
- Dynamic Firewall Engine
SIP Proxy Server, controlling the firewall
SIP Registrar, user location information
Firewall Control Protocol
- Communication between SIP Proxy and firewall
In the Ingate and Intertex products: You've got a SIP server!
Use it just for firewall traversal AND/OR as your
- SIP Server
- Outgoing proxy
- Inbound proxy
Just Another Internet Service…
[Diagram: IX66 units at the FWD booth #301, booth #520 and the SIP Forum booth #210 in San Jose, USA, connected over the Internet to IX66 units of home office users and the Intertex Stockholm LAN, to the Ingate Linköping LAN with an Ingate Firewall and a SIParator in the DMZ, to a SIP/PSTN gateway and to DNS SRV records, all in Sweden]
IP Communications Using IP Networks
[Diagram: intranet IP communications with SIP phones and a SIP server offering IM, conferencing, voicemail, OSS and other services; a firewall/router to the WorldCom public IP network with global IP communications and SIP routing; a network gateway, IP VPN, enterprise gateway and managed services; the WorldCom PSTN with IN dialing plans; and a customer premises PBX with PSTN phones]
Many call routing options:
• Private/Public IP address
• DNS and DNS SRV records
• SIP aware NAT/PAT servers
• Intranet IP VPN with IP communications
• Domestic and global IP communications
• PBX and PSTN – E.164 resolution
Henry Sinnreich 4/10/2002
IP Communications Using IP Networks
[Diagram: the same WorldCom network picture, with the firewall/router replaced by a SIP Capable Firewall (Ingate and Intertex, first through SIT) and annotated "No IP PBX Needed!", "Enhanced Functionality", "Integration with existing phones" and "Presence, IM, TLS"; alongside, a Microsoft Greenwich Edge DMZ Proxy Firewall and a Greenwich Home Server for Presence, IM, Audio, Video and Data Col.]
Product Examples – Ingate Systems AB
Enterprise Products:
Complete Firewalls (Firewall & NAT/PAT, SIP Proxy, SIP Registrar)
Add-on to Existing Firewalls: the SIParator placed in the DMZ of the existing firewall
Product Examples – Intertex Data AB
SOHO Products:
IX66 Internet Gate, with or without built-in ADSL modem
OEM as: Telia SurfinBird Gate, PowerBit SafeGate
Review at: www.adslguide.org.uk/hardware/reviews/2002/q1/intertex_ix66-edflc.asp
The Intertex IX66 Internet Gate
A closer look
[Product photo: IX66 front panel]
Firewall & NAT/PAT Router
SIP Proxy and Registrar
DHCP Server and Client
WEB Server for configuration
Smart Card Reader for security applications
Optional 802.11b Wireless LAN
SIP Appliance Control, LAC via expansion port
Optional ADSL and Splitter built-in
SIP Capable Firewalls!
Intertex Data AB, www.intertex.se, Rissneleden 45, SE-174 44 Sundbyberg, Sweden
President Karl Erik Ståhl, [email protected], Tel +46 8 6282828
Ingate Systems AB, www.ingate.com, Box 10013, Slakthusplan 4, SE-121 26 Stockholm, Sweden
CEO Olle Westerberg, [email protected], Tel +46 8 6007750