11/12/2018.

Presentation transcript:

Traversing The Firewall for SIP Call Completion
Steven J. Johnson, President, Ingate Systems Inc.

The Third Big Wave of Internet Usage
<Let the animation play to the end> SIP is really the third big wave of Internet usage, one that will change the way we work and communicate forever. SIP is so much more than just IP telephony; one has to use it to understand that in full. So what does this concept of Global Connectivity mean for you as a Service Provider? You need to understand the challenges in bringing SIP to the enterprise; the consumer side is far less complex when it comes to requirements and security.
- SMTP created E-mail
- HTTP created the Web
- SIP will create realtime global connectivity from person to person!

Trends in SIP Adoption
- 2005 was a watershed year and VoIP is now mainstream
- Lots of use cases are coming on line:
  - Branch office connections
  - Call center applications
  - Click to Talk for customer service centers
  - International calling
  - New service offerings for residential and commercial customers
  - Extension of Microsoft Office Live Communications Server beyond the Local Area Network

It’s All There – Almost…
<Repeat the text in the slide> This issue is a major show stopper in implementing VoIP services in the Enterprise. In the future every firewall must be SIP capable, but on our way there we will need interim solutions for solving this issue. Let us start with the basics for VoIP and security: how to let the SIP traffic traverse the enterprise firewall in a secure way.
- A single network (IP)
- Everyone has a connection
- High capacity and good performance
- A single protocol - SIP
- Firewalls are meant to exclude inbound communications
- SIP won’t traverse common firewalls and NATs

Alternative NAT Traversal Solutions
(Standard method, followed by our take on it)
- VPN Tunnels
  - Force SIP signaling and media to use a VPN tunnel
  - Increases traffic at central site
  - Limits promise of global connectivity
- STUN, TURN, ICE
  - Rewrite IP addresses based on information obtained from unknown servers
  - Reduces enterprise control
  - Places control with clients
- Carrier based solutions
  - Create pinholes in NAT routers, from a central location
  - Places control with carrier
- ALG Firewall Solutions
  - Provide a mechanism for rewriting header information
  - Limited ability to inspect the SIP signal
- Proxy based firewall and parallel CPE solutions
  - Couples an ALG with a SIP Proxy to manage the admission and provide control for enterprises adopting SIP
  - Robust solution to solve the problem where it occurs – at the enterprise edge
  - Enables signal inspection
  - Enables media and signaling encryption
  - Provides enhanced features

Why not Use VPN?
- VPN - not a flexible solution
  - No Global Connectivity
  - Works where you have control, home etc
  - Does not always work from Hotels etc (~50%)
  - WiFi phones and dual Mobile/WiFi handsets normally have no VPN clients.
  - Start a VPN client just to receive a call?!
- QoS can be taken out of play in some VPNs
  - If headers are encrypted end-to-end.
  - Encryption may occur before it reaches the unit that handles queuing.
- Trend: Client-Server encryption replaces VPN
  - E-mail, Citrix etc
- VPN potentially opens up the network to others
- No ”media release”, VPN does not scale.
[Diagram labels: Home; Office LAN; Mobile+WiFi; WiFi Hotspot; SIP unaware Firewall with VPN termination; Laptop Soft phone; Hotel; SIP unaware Firewalls; VPN; SIP; Media, Voice/Video etc; callout: IP to IP to any external user!]

Why not Use ICE?
- Reliance on 3rd party servers to enable call setup
- Some consider this to be a security issue
- Gives control to the client
- Difficult to configure and maintain in a large corporate environment
- Current lack of endpoints that support ICE

What about Carrier Session Border Controllers?
[Diagram labels, centralized model: Telecom, Network-centric; Site A; Site B; Service Provider; Session Border Controller]
[Diagram labels, distributed model: Enterprise-centric; Site A; Site B; SIP-capable firewall or SIP-enabling CPE device; Service Provider]

What About a SIP ALG Firewall?
- Check the SIP signaling
- Can be encrypted for privacy
- Rewrite for the different address spaces
- Forward the signaling to the correct SIP proxy or client
  - For inbound calls – need to know location of each SIP user (unless registrar is on the inside)
- Open pinholes in the firewall for the media
  - Only for the duration of the call
  - Only between the exact endpoints
- Close pinholes after the call
[Diagram labels: SIP capable Firewall; SIP Proxy/Registrar; SIP Signaling; 10.x.xx; 168.x.xx; Media; annotation: Cannot handle encryption]
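The pinhole lifecycle listed on this slide, as an added Python example (not part of the presentation and not Ingate's code). The class and function names, the `PUBLIC_IP` value and the sample messages are constructed for illustration; only the SDP `c=` line and first audio `m=` line are handled, and the media port is assumed to pass through unchanged.

```python
import re

PUBLIC_IP = "203.0.113.10"  # constructed outside address of the firewall

def split_sip(msg):
    """Return (start line, Call-ID, header block, SDP body)."""
    head, _, body = msg.partition("\r\n\r\n")
    call_id = re.search(r"(?mi)^Call-ID:\s*(\S+)", head).group(1)
    return head.split("\r\n")[0], call_id, head, body

def media_endpoint(sdp):
    """(ip, port) from the c= line and the first audio m= line, else None."""
    ip = re.search(r"(?m)^c=IN IP4 (\S+)", sdp)
    port = re.search(r"(?m)^m=audio (\d+) ", sdp)
    return (ip.group(1), int(port.group(1))) if ip and port else None

class SipAlg:
    def __init__(self):
        self.offers = {}    # Call-ID -> inside media endpoint from the INVITE
        self.pinholes = {}  # Call-ID -> (inside endpoint, outside endpoint)

    def signaling(self, msg, from_inside):
        """Process one SIP message; return it (rewritten if it left the LAN)."""
        start, call_id, head, sdp = split_sip(msg)
        ep = media_endpoint(sdp)
        if start.startswith("BYE"):                  # either side hangs up
            self.pinholes.pop(call_id, None)         # close the pinhole
        elif from_inside and start.startswith("INVITE") and ep:
            self.offers[call_id] = ep
            sdp = sdp.replace(ep[0], PUBLIC_IP)      # o= and c= lines
            head = re.sub(r"(?mi)^(Content-Length:\s*)\d+",
                          lambda m: m.group(1) + str(len(sdp)), head)
        elif (not from_inside and start.startswith("SIP/2.0 200") and ep
              and call_id in self.offers):           # answer opens the pinhole
            self.pinholes[call_id] = (self.offers.pop(call_id), ep)
        return head + "\r\n\r\n" + sdp

    def media_allowed(self, inside, outside):
        """Permit RTP only between the exact endpoints of an active call."""
        return (inside, outside) in self.pinholes.values()

def sample(start, ip=None, port=0):
    """Constructed SIP message with an optional minimal SDP body."""
    sdp = (f"v=0\r\no=- 1 1 IN IP4 {ip}\r\ns=-\r\nc=IN IP4 {ip}\r\n"
           f"t=0 0\r\nm=audio {port} RTP/AVP 0\r\n") if ip else ""
    return (f"{start}\r\nCall-ID: c1@example.invalid\r\n"
            f"Content-Length: {len(sdp)}\r\n\r\n{sdp}")
```

Everything here depends on the firewall reading the SDP in clear text, which is why the slide notes that an ALG cannot handle encrypted signaling.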

What About Proxy Based Firewalls?
- Robust solution to solve the problem where it occurs – at the enterprise edge
- Enables signal inspection
- Enables Media and signaling encryption
- Remote SIP Connectivity for mobile users
- Routing in complex environments
- Branch office failover
- Prioritized voice and video
- Allows the enterprise to control
  - Sources and destinations of communications
  - Content of the media
- Offers protection against:
  - Spoofing
  - Denial of Service attacks

Choose the Right SIP Firewall Architecture

                      SIP ALG Firewall    SIP Proxy Firewall
Encryption            N                   Y
Authentication        N                   Y
SIP Filtering         L                   Y
Call Control          L                   Y
Extra SIP functions   L                   Y

[Diagram labels: ALG (SIP ALG Firewall); ALG, PROXY, REGISTRAR (SIP Proxy Firewall)]

VoIP, Security and SIP
- The good news
  - VoIP and SIP - no security problems in themselves. On the contrary, SIP:
  - Is robust, flexible and scalable.
  - Supports authentication.
  - Signaling (TLS) and media streams (SRTP) can be encrypted.
- Select products that leverage these benefits
  - Full SIP Proxy
  - SIP signaling inspection.
  - Ports only opened between the specific parties of the call and for the duration of the call.
  - SIP Registrar
  - Support for TLS and SRTP

Support for Workers on the Road or Working from Home
- 40% of the work force is said to work away from the office occasionally
- Most of the remote workers would like access to the tools that the PBX offers at their office
- With SIP that is possible as long as the user can connect back to the company infrastructure
- A proxy based firewall solution allows the user to do this from wherever they may be working today.

Support for Remote Workers
[Diagram labels: Home user; Home NAT; Traveling user; Hotel NAT; 802.11 Hotspot; Internet; Remote user module; SIP capable proxy-based firewall]

Branch Office Service Assurance
- Automatic failover from central SIP server (hosted or centralized IP-PBX) to distributed offices
- Automatic capture of user registrations to mirror configurations
- Frequent ping of central server to determine availability
- Basic call control features allow station to station dialing and dial plan to a local PSTN gateway

VoIP Survival in Hosted Environments
1. VoIP services through Broadworks Servers hosted by the Service Provider or Enterprise main office
2. VoIP to PSTN services through Broadworks Servers and a PSTN Gateway hosted by the Service Provider or Enterprise main office
3. Settings, user data downloaded
[Diagram labels: SIP/PSTN Gateway; Internet; Other SIP Users; Enterprise; Workstations]

Host Down - VoIP Survival Activated
1. Local calls within the domain are handled by the Ingate Firewall or SIParator
2. Optional local backup PSTN Gateway is used for routing VoIP to PSTN calls.
[Diagram labels: SIP/PSTN Gateway; Internet; Other SIP Users; Enterprise; Workstations]

SIP Proxy-based Solution for SIP Adoption
- Solves the FW/NAT traversal problem at the enterprise edge
- The enterprise gains control over the IP Communications applications
- A scalable solution that enables global connectivity
- Robust solutions that add value to the enterprise:
  - QoS enables the organization to prioritize Voice and Video
  - Remote SIP Connectivity connects road warriors and home workers
  - Advanced SIP Routing for flexibility in complex scenarios
- Security for SIP based communications
  - Stateful signal inspection
  - MIME / Content types consistent with negotiated parameters
  - Ability to set admission policies on various criteria
  - Protection from denial of service attacks and spoofing
  - Media and signaling encryption for privacy - Termination and Transcoding

The Ingate Solution: Fully SIP-Capable Firewalls
[Diagram labels: Normal Firewalls; Ingate Firewall® with SIP-Proxy and -Registrar; SIP]

You Don’t Need to Replace your Firewall!
- SIP-enables any firewall
[Diagram labels: Normal Firewalls; Ingate SIParator®; DMZ; SIP]

The Ingate Family 800 Mbit/s 385 Mbit/s 310 Mbit/s 120 Mbit/s Firewall® 1880 & SIParator® 88 Firewall® 1600 & SIParator® 60 800 Mbit/s 800 RTP sessions Firewall® 1450+ & SIParator®45+ 385 Mbit/s 500 RTP sessions Firewall® 1450 & SIParator®45 310 Mbit/s 240 RTP sessions 120 Mbit/s 150 RTP sessions Firewall® 1180 & SIParator® 18 30 Mbit/s 30 RTP sessions

Bringing SIP to the Enterprise
Please contact me at any time:
Steve Johnson, President
Mail & SIP: steve@ingate.com
Mobile: 1-603-557-7918
Direct: 1-603-883-6569