H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.

Slides:



Advertisements
Similar presentations
SIP, Firewalls and NATs Oh My!. SIP Summit SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.
Advertisements

Fall VoN 2000 SIP Servers SIP Servers: A Buyers Guide Jonathan Rosenberg Chief Scientist.
Caltech Proprietary Videoconferencing Security in VRVS 3.0 and Future Videoconferencing Security in VRVS 3.0 and Future Kun Wei California Institute of.
Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.
Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Voice over IP Fundamentals
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
IUT– Network Security Course 1 Network Security Firewalls.
STUN Date: Speaker: Hui-Hsiung Chung 1.
SCSC 455 Computer Security Virtual Private Network (VPN)
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Chapter 7 Firewalls. Firewall Definition  A network device that enforces network access control based upon a defined security policy.
SIP, NAT, Firewall SIP NAT Firewall How to Traversal NAT/Firewall for SIP.
Circuit & Application Level Gateways CS-431 Dick Steflik.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Internet Protocol Security (IPSec)
Firewalls Presented By Hareesh Pattipati. Outline Introduction Firewall Environments Type of Firewalls Future of Firewalls Conclusion.
Section 461.  ARP  Ghostbusters  Grew up in Lexington, KY  Enjoy stargazing, cycling, and mushroom hunting  Met Mario once (long time ago)
Firewalls Marin Stamov. Introduction Technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts.
Network Security (Firewall) Instructor: Professor Morteza Anvari Student: Xiuxian Chen ID: Term: Spring 2001.
BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.
Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.
Network Address Translation (NAT) CS-480b Dick Steflik.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Intranet, Extranet, Firewall. Intranet and Extranet.
SIP? NAT? NOT! Traversing the Firewall for SIP Call Completion Steven Johnson President, Ingate Systems Inc.
IP Ports and Protocols used by H.323 Devices Liane Tarouco.
32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
9/11/2015Home Networking1 Bob.test Have Road Runner Unhappy about reports of constant probes of machines Policy decision –I want to prevent unauthorized.
Firewalls Paper By: Vandana Bhardwaj. What this paper covers? Why you need a firewall? What is firewall? How does a network firewall interact with OSI.
NAT Traversal Speaker: Chin-Chang Chang Date:
Chapter 6: Packet Filtering
Page 1 NAT & VPN Lecture 8 Hassan Shuja 05/02/2006.
Presented by Xiaoyu Qin Virtualized Access Control & Firewall Virtualization.
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
FIREWALLS Prepared By: Hilal TORGAY Uğurcan SOYLU.
11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Crossing firewalls Liane Tarouco Leandro Bertholdo RNP POP/RS.
Firewall Technologies Prepared by: Dalia Al Dabbagh Manar Abd Al- Rhman University of Palestine
1 Chapter 7: NAT in Internet and Intranet Designs Designs That Include NAT Essential NAT Design Concepts Data Protection in NAT Designs NAT Design Optimization.
1 NAT & RTP Proxy Date: 2009/7/2 Speaker: Ni-Ya Li Advisor: Quincy Wu.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
Omar A. Abouabdalla Network Research Group (USM) SIP – Functionality and Structure of the Protocol SIP – Functionality and Structure of the Protocol By.
Security, NATs and Firewalls Ingate Systems. Basics of SIP Security.
Homework 02 NAT 、 DHCP 、 Firewall 、 Proxy. Computer Center, CS, NCTU 2 Basic Knowledge  DHCP Dynamically assigning IPs to clients  NAT Translating addresses.
5 Firewalls in VoIP Selected Topics in Information Security – Bazara Barry.
Security fundamentals Topic 10 Securing the network perimeter.
Firewalls Original slides prepared by Theo Benson.
Making SIP NAT Friendly Jonathan Rosenberg dynamicsoft.
Firewall Technology and InterCell Communication Peter T. Dinsmore Trusted Information Systems Network Associates Inc 3060 Washington Rd (Rt. 97) Glenwood,
K. Salah1 Security Protocols in the Internet IPSec.
Securing Access to Data Using IPsec Josh Jones Cosc352.
Presented By Hareesh Pattipati.  Introduction  Firewall Environments  Type of Firewalls  Future of Firewalls  Conclusion.
Kittiphan Techakittiroj (25/06/59 19:10 น. 25/06/59 19:10 น. 25/06/59 19:10 น.) Network Address Translation Kittiphan Techakittiroj
Polytechnic University Firewall and Trusted Systems Presented by, Lekshmi. V. S cos
An Analysis on NAT Security
Firewalls, Network Address Translators(NATs), and H.323
Security fundamentals
NAT、DHCP、Firewall、FTP、Proxy
Original slides prepared by Theo Benson
Firewall Techniques Matt Cupp.
Lecture # 7 Firewalls الجدر النارية. Lecture # 7 Firewalls الجدر النارية.
* Essential Network Security Book Slides.
Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls
Firewalls Jiang Long Spring 2002.
دیواره ی آتش.
Presentation transcript:

H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken

About this document It’s an IETF Draft Not an official standard Expired July It describes the problems with trying to use H.323 through firewalls and NAT devices

What is H.323? Carries (video) phone over TCP/UDP/IP A telecommunications standard Rather complex protocol (compared with HTTP) Uses multiple TCP / UDP connections per call to carry the data

What is a firewall? Protects internal network from external threats by filtering traffic Can perform Network Address Translation (NAT) Internal Network External Network (Internet) FIRE WALL * *.*.*.*

The Combined Problem H.323 embeds connection addresses in signalling connection mismatch NAT causes a mismatch between IP header and H.323 stream End-to-end encryption prevents H.323 aware NAT rewriting the traffic Breaks IP address based authentication But we want encryption and NAT!

Further problems RFC 2663: “NAT devices operate on the assumption that each session is independent.” gateways Applications like H.323 that use control and follow-on sessions require gateways to interpret and translate the payload. Simple packet filtering will not work more We need something more than just NAT or simple firewalls.

Possible solutions Stateful Inspection Application Proxy Virtual Private Network Circuit Proxies RSIP Firewall control protocol

User B Virtual User D Application Proxy Have a go-between that: Is “an instance of the application (H.323)” Runs on a trusted host Like two phones taped together No end-to-end encryption Efficiency Considerations Application Proxy User A Virtual User C

Circuit Proxy / Firewall Control End clients open pinholes in firewall and communicate through them For example, the SOCKS protocol End system must be aware of the circuit proxy—it’s not transparent. Works at the connection level (Circuit Proxy) or packet level (Firewall Control Protocol)

Session Initiation Protocol IETF Competitor to H323 Uses SIP proxy and RTP proxy The same RTP that carries H323 data SIP proxy uses MCGP to open/close/control RTP proxy In effect circuit level This slide is hidden and will not be presented.

Conclusion Firewalls and NATs are often difficult for some complex protocols H.323 alone can’t handle this problem. I think networks will end up having call servers for H.323 and similar protocols.

Questions? What applications (if any) need end-to- end encrypted signalling?

Another Question What to do about incoming connections? The author has not dealt with them