SIP? NAT? NOT! Traversing the Firewall for SIP Call Completion Steven Johnson President, Ingate Systems Inc.

Slides:

Advertisements

Similar presentations

The leader in session border control for trusted, first class interactive communications.

Advertisements

SIP, Firewalls and NATs Oh My!. SIP Summit SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.

Caltech Proprietary Videoconferencing Security in VRVS 3.0 and Future Videoconferencing Security in VRVS 3.0 and Future Kun Wei California Institute of.

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Intertex Data AB, Sweden VoIP to the Edge: Firewalls - The Missing Link Prepared for:Voice On the Net, Fall 2001 By: Karl Erik Ståhl President Intertex.

Lync /11/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks.

NAT, firewalls and IPv6 Christian Huitema Architect, Windows Networking Microsoft Corporation.

Enabling IPv6 in Corporate Intranet Networks

Voice over IP Fundamentals

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Guide to Network Defense and Countermeasures Second Edition

Steven J. Johnson President Ingate Systems Inc. Enabling SIP to the Enterprise.

The NAT/Firewall Problem! And the benefits of our cure… Prepared for:Summer VON Europe 2003 SIP Forum By: Karl Erik Ståhl President Intertex Data AB Chairman.

SIP Security & the Future of VoIP Nate Klingenstein APAN 26 Queenstown August 5, ~ndk/apanSIP.pdf.

Karl Stahl CEO/CTO Ingate Systems Ingate’s SBCs do more than POTSoIP SIP. They were developed.

Enabling SIP to the Enterprise Steve Johnson, Ingate Systems Security: How SIP Improves Telephony.

1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

© 2006 Solegy LLC Internal Use Only Getting Connected with SIP Encryption _______________________________ By Eric Hernaez Solegy LLC May 16, 2007.

The Firewall as a SIP Server Much more than firewall SIP traversal! Prepared for:Spring VON 2003 Enterprise Solutions By: Karl Erik Ståhl President Intertex.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

SIP, NAT, Firewall SIP NAT Firewall How to Traversal NAT/Firewall for SIP.

Intertex Data AB, Sweden Talking NATs & Firewalls Prepared for:Voice On the Net, Spring 2002 By: Karl Erik Ståhl President Intertex Data AB Chairman Ingate.

Wi-Fi Structures.

Circuit & Application Level Gateways CS-431 Dick Steflik.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

NATs & Firewalls The General SIP Proxy Firewall Prepared for:Spring VON 2003 By: Karl Erik Ståhl President Intertex Data AB Chairman Ingate Systems AB.

Steven J. Johnson President, Ingate Systems Inc. Enabling Trusted Unified Communications.

Enterprise Infrastructure Solutions for SIP Trunking

Enabling SIP to the Enterprise Steven Johnson, Ingate Systems.

Copyright © 2002 ACNielsen a VNU company Key Features and Benefits of the 3CX PBX for Windows Server.

Improving Customer Satisfaction Through Advances in Remote Management Technology Greg Michel Product Manager Quintum Technologies Inc.

Presence Applications in the Real World Patrick Ferriter VP of Product Marketing.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Ingate & Dialogic Technical Presentation SIP Trunking Focused.

PART 2: Product Line. Tenor Switches & Gateways Tenor AX Series Solution For Medium to Large Enterprises  Available in 8, 16, 24 and 48 port Available.

IP Ports and Protocols used by H.323 Devices Liane Tarouco.

Intertex Data AB, Sweden Future of VoIP Networks and Services Edgy Solutions Prepared for:Voice On the Net, Spring 2002 By: Karl Erik Ståhl President Intertex.

 Introduction  VoIP  P2P Systems  Skype  SIP  Skype - SIP Similarities and Differences  Conclusion.

Quintum Confidential and Proprietary 1 Quintum Technologies, Inc. Session Border Controller and VoIP Devices Behind Firewalls Tim Thornton, CTO.

TMC Internet Telephony Show Leveraging IP Telephony for Telecommuting SIP in Telecommuting and Teleworking Internet Telephony Show, Long Beach CA 10/14/03-10/16/03.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Identifying Application Impacts on Network Design Designing and Supporting.

Time to Connect Over IP! Don’t we already? Prepared for:Summer VON Europe 2003 Industry Perspective By: Karl Erik Ståhl President Intertex Data AB Chairman.

Intertex Data AB, Sweden Tillämpad IP-telefoni Brandväggen och LANet Förberedd för:IP-dagarna 2002 Av: Karl Erik Ståhl VD Intertex Data AB Ordförande Ingate.

1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.

1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.

© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.

Intertex Data AB, Sweden Firewall and NAT Traversal Bringing SIP the LAN Prepared for:International SIP 2003 By: Karl Erik Ståhl President Intertex Data.

Security, NATs and Firewalls Ingate Systems. Basics of SIP Security.

Securing Open Source Enterprise VoIP Christian Stredicke/snom.

Dealing with NATs and Firewalls! Prepared for:Fall VON 2003 Boston By: Karl Erik Ståhl President Intertex Data AB Chairman Ingate Systems AB

5 Firewalls in VoIP Selected Topics in Information Security – Bazara Barry.

1 What’s Next For SIP Trunking? Carriers Enabling and Bringing WebRTC Features With Their Trunks © 2015 Ingate Systems AB Prepared for:Ingate SIP Trunking,

Unleashing the Power of IP Communications™ Calling Across The Boundaries Mike Burkett, VP Products September 2002.

Security fundamentals Topic 10 Securing the network perimeter.

Solutions for Unified Enterprise IP Communication Steven J. Johnson President, Ingate Systems Inc.

Introduction Steven Johnson President Ingate Systems Inc.

Add Global Connectivity to your Live Communication Server Ingate Systems

“End to End VoIP“ The Challenges of VoIP Access to the Enterprise Charles Rutledge VP Marketing Quintum Technologies

Securing Access to Data Using IPsec Josh Jones Cosc352.

Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.

1Security for Service Providers – Dave Gladwin – Newport Networks – SIP ’04 – 22-Jan-04 Security for Service Providers Protecting Service Infrastructure.

Security fundamentals

Trends in Enterprise VoIP

Enterprise Infrastructure Solutions for SIP Trunking

Intertex Data AB, Sweden

Protecting Yourself in a WebRTC World

Helping to Achieve ROI Targets with SIP Trunking

Ingate & Dialogic Technical Presentation

Presentation transcript:

SIP? NAT? NOT! Traversing the Firewall for SIP Call Completion Steven Johnson President, Ingate Systems Inc.

The Third Wave of the Internet HTTP created the Web SMTP created SIP can create universal live IP Communication person-to-person!

It’s all there – almost… A single network (IP) Everyone has a connection High capacity and good performance A single protocol (SIP) But SIP does not traverse common firewalls and NATs

It’s All There – Almost…  Firewalls exclude inbound traffic  SIP does not traverse common firewalls and NATs Everyone has a connection High capacity and good performance A single protocol - SIP A Single Network (IP)

What’s the difference? Typical Internet protocol (SMTP, HTTP…) Internet HOST SERVER SIP (and H.323…) connects person-to-person Internet PERSON

More than IP Telephony! HTTP created the Web SMTP created SIP can create universal live IP Communication person-to-person! It’s the Third Wave of the Internet

It’s Presence It’s Instant Messaging And it’s voice A richer communications experience It’s Video

Converged Networks Realtime Communications Connect people, information and processes in real-time + A change in communications style = An opportunity for productivity improvement + A change in the work paradigm + A change in communications tools

One Way: VoIP Islands… VPN is fine for branch to branch connections Branch Office Vendor IP Partner IP Customer IP Customer IP VPN Tunnel IP Headquarters IP Internet But the goal is global connectivity

The Global All IP Way SIP-capable firewalls make the difference

Suggested CPE Solutions STUN  TURN  ICE –Can cope with certain types of existing NATs –Complexity has grown in trial to increase reliability/handle more NATs –Needs to be implemented in the SIP clients and servers on the Net –Tight firewalls will not be handled Dynamically-controlled firewalls/NATs –Midcom: By Firewall Control Proxy (no activity known at this time) –UPnP: By the client (Windows) (Microsoft) ALG (non-Proxy) SIP-aware firewall –TLS not possible ALG + Proxy SIP-aware firewall –General, handles complex scenarios, PBX functionality Tunnelling - Brings the SIP-client to an operator or a corporate LAN –Requires ALG for each client on LAN with own address space –IPSec, Proprietary

STUN  TURN  ICE Evolving ITEF Standard Requires client on the inside of the LAN and “reflector” in the network Client “pings” the reflector which returns the internal IP address that is being broadcast by the SIP end point Once the internal IP address is known, then all communications carry that IP address in the header information

STUN  TURN  ICE Benefits Simple solution to NAT traversal Offers alternative to home users and small businesses that don’t wish to incorporate a full firewall solution Problems Exposes the internal IP addressing scheme Circumvents the protection offered by the firewall Inappropriate for enterprises and others with valuable information to protect on their LAN Only works for certain types of NATs

Midcom Developing IETF standard for managing controllable firewalls with a Firewall Control Proxy Elegant solution that puts the solution at the point where the problem occurs Firewall Control Proxy would dynamically control the firewall to accept SIP media only when authorized Control resides with the Firewall Control Proxy and the existing firewall takes care of all of the logging

Midcom Benefits Based on an IETF Standard Leaves the firewall in place Offers a separate device to just manage SIP sessions Problems No companies are currently developing this technology There are currently no firewalls that are controllable by an outside agent Leaves vulnerabilities on the Firewall Control Proxy which could result in a violation of network security

UPnP Universal Plug and Play Proposed by Microsoft Allows all end points to be controlled by the Microsoft agent

UPnP Benefits Simple implementation Nothing to set up or configure Excellent implementation for home users Would expand the use of SIP Problems Limited utility for enterprises of any size Cannot handle complex call scenarios Solution handles NAT only Cannot handle hard phones, only soft clients Security of the network controlled by Windows server

ALG (non-Proxy) SIP-Aware Firewall Implementation which sits between two hosts and modifies the information flow between them on the fly ALGs normally do small modifications to the packets

ALG (non-Proxy) SIP-Aware Firewall Benefits Theoretically faster processing times than proxy-based solutions Performs most of the important functions of allowing traversal of the NATed firewall Able to dynamically open and close ports for media Problems Cannot read deeply into the packet headers Cannot support encryption (TLS); ALGs see everything in the clear so modifying authenticated packets is impossible Setup of complex call scenarios a problem Current implementations do not support soft clients

ALG + Proxy SIP-Aware Firewall ALG performs NAT Traversal Function Proxy terminates a packet flow, then reinitiates flow to the destination address –Records SIP client address to locate behind NAT –Digest authentication –Rewrites headers Proxies can look deeply into the header information because it stops packet briefly –Inspection of SIP signaling (including Instant Messages) Support for Transport Layer Security (TLS) –Adds privacy and authentication to communications –TLS is being used for adding security to Microsoft Office Live Communications Server, Avaya, Reuters and others Can also be used as a separate SIP firewall when all data ports are permanently closed

ALG + Proxy SIP-Aware Firewall Benefits Most flexible solution Able to support all call scenarios, despite complexity Can support servers on the inside of the LAN Supports TLS Flexible and adaptable Offers a backup registration/ location server option Simple PBX functions can be added Problems Theoretically slower performance

Summary of Advantages CapabilityALG with ProxyALG Support for TLSYes No Flexible support for complex call scenarios Yes No Backup registrar and other services Yes No Support for soft clientsYes No

Internet IP Real and Complex Scenarios SIP /PSTN Gateway Complications for non-proxy solutions: Tight firewalls Call transfer SIP server on the LAN Trusted connections: TLS XP SIP Server 2 SIP Server 3 SIP Server 4 LAN Firewall/NAT IP Phone SIP TLS Sooner or later: The NAT/Firewall Problem needs to be solved where it occurs

SIP? NAT? NOT! Traversing the Firewall for SIP Call Completion Steven Johnson President, Ingate Systems Inc.