09999/2106 Practical Experiences Overcoming Firewalls and Limited Bandwidth for H.323 Video Conferencing AREN.

AREN Quick Overview

- Multiple star network
  - Stars originate at the hub sites; the hubs are connected by a north-south backbone
- DS3 / partial OC-3 backbone
- DS1 (T1) or multiple T1s to clients
- Multiple Internet access points (DS3+)

So What's the Problem?

- H.323-based VTC systems are increasingly used for K-20 distance learning
- Many education networks have limited-bandwidth connections and little funding for upgrades
- Most school system networks (and many university networks) sit behind firewalls and NAT

The Small Pipe Issue

- In Alabama, most schools connect to their system's network (and from there to the Internet) through point-to-point DS1 (T1) links at 1.5 Mbps
- A single H.323 VTC connection of decent quality uses 384 kbps (plus overhead)
- The conservative rule of thumb recommended by Cisco is 20% overhead, so roughly 460 kbps
- So, for design purposes, a single H.323 session at 384 kbps uses almost 1/3 of a T1
- And the real problem: most large schools already fill the pipe with ordinary Internet traffic

The Huntsville Example

Where Did We Enable QoS?

- Schools were not using VLANs and most had no QoS support at the LAN level, so 802.1p CoS could not be used
- QoS was enabled with DSCP tagging and CBWFQ on the routers and layer 3 switches
  - Differentiated Services Code Point (DSCP)
  - Class-Based Weighted Fair Queueing (CBWFQ)
- Traffic is classified and tagged at the routers based on source/destination IP address

Cisco Router Config Example

    ! Classify VTC traffic by matching the VTC-list access list
    class-map match-all VTC-hosts
     match access-group name VTC-list
    !
    ! CBWFQ policy: guarantee the VTC class half of the link and mark it EF;
    ! everything else gets fair queueing
    policy-map QoS-VTC
     class VTC-hosts
      bandwidth percent 50
      set ip dscp ef
     class class-default
      fair-queue
    !
    ! Match packets already marked critical/EF (marking from the other side is
    ! trusted) plus any traffic to or from the VTC unit itself.
    ! The unit's address was not shown on the slide.
    ip access-list extended VTC-list
     permit ip any any precedence critical
     permit ip any any dscp ef
     permit ip any host <VTC-unit-address>
     permit ip host <VTC-unit-address> any
    !
    ! The policy is applied outbound on both the LAN and the WAN interface;
    ! the interface bandwidth value is what "bandwidth percent 50" is taken from
    interface FastEthernet0/0
     description School LAN
     bandwidth <kbps>
     ip address <address> <mask>
     speed 100
     full-duplex
     service-policy output QoS-VTC
    !
    interface Serial0/0
     description to Core Router
     bandwidth 1544
     ip address <address> <mask>
     service-policy output QoS-VTC
    !

QoS Through Firewalls?

- Most (perhaps all) firewalls offer no QoS guarantees of their own
- The official Cisco comment is that the PIX is so fast that there is no congestion inside it
- The PIX firewall does not rewrite the DSCP field of tagged packets, so the marking survives the firewall and queueing can be done on the routers on either side of the PIX

Problems With Firewalls (and NAT)

- H.323 uses multiple TCP connections and UDP ports simultaneously for one VTC call (call setup, call control, and the audio/video media streams)
- The H.323 standard assigns these ports dynamically from the range above 1024
- During call setup, the IP address (and port) of the calling party is sent to the called party inside the data field of the IP packet, i.e. in the application payload; ordinary NAT rewrites only the IP and transport headers, so it cannot translate that embedded address

Solutions to the Firewall Problem

- Don't NAT the H.323 clients
  - Well... what is the firewall doing then?
  - May or may not require opening the H.323 client to all ports; probably not a good idea to open everything!
- NAT the H.323 clients and rely on the client being smart enough to work through the firewall/NAT
  - A Polycom client can be told to use specific ports. The client can also be configured to know its real outside address and to use that address in the handshaking
- NAT the H.323 clients and rely on the firewall being smart enough to work everything out
  - Application proxy, etc.
- Use an additional device to perform the application proxy
  - May be useful when deploying a standard solution across diverse networks

What Do You Mean "Don't NAT"?

- If public IP space is available, you could form small public subnets at each site in parallel with the privately addressed network
- The firewall could pass these addresses on to the Internet without NATing them
- The client would still need to predefine which TCP/UDP ports it will use so that only those can be opened through the firewall
  - Otherwise all ports above 1024 would have to be opened (back to... why have a firewall?)

NAT with a Smart Client

- PAT won't work, but NAT can work with a smart client
  - True one-to-one static NAT is meant here (one public address per private address). PAT rewrites port numbers, so the ports the client announces in the H.323 handshake would no longer match what arrives at the firewall
- Example: Polycom clients have settings in their QoS menu that allow pre-definition of the client's outside (public) address. There is a check box that says "this client is behind NAT"
- Polycom units also allow pre-definition of the TCP/UDP ports used (the unit ships with a default range)
- No application proxy (or fixup) would be configured on the firewall. The pre-defined data ports and TCP 1720 (call setup) would be allowed through to the statically NATed addresses of the clients
- This method was used for Shelby County Schools because of the old software version on their PIX firewall

Polycom Setup Example

NAT with a Smart Firewall

- The firewall must either serve as an H.323 application proxy or somehow snoop the H.323 setup (watching all of the handshaking)
- Cisco PIX version 6.14 and up supports an H.323 fixup protocol that overcomes the NAT and port problems by snooping: it rewrites the embedded address and opens the negotiated ports for the duration of the call
- Some PIX versions prior to 6.14 have an H.323 fixup protocol, but it only works with NetMeeting, CUSeeMe, etc.
- Even with snooping, the call setup port (TCP 1720) must be opened inbound to allow calls originating from the outside
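As an added worked example, not taken from the AREN slides or from any of the school deployments described, the following PIX 6.x fragment puts the "NAT with a Smart Client" and "NAT with a Smart Firewall" approaches side by side on one static NAT mapping. The private address 10.10.1.10, the public address 203.0.113.10, the access-list name outside_in and the port range 3230-3250 are assumptions chosen for illustration; a real deployment uses whatever range the Polycom unit is actually configured for. Approach A and approach B are alternatives: apply one or the other, not both.

```cisco
! Added example (not from the AREN slides). Assumed values:
!   10.10.1.10        private address of the VTC unit on the inside
!   203.0.113.10      public address statically mapped to it
!   TCP/UDP 3230-3250 fixed port range configured on the unit (assumed)
!
! Common to both approaches: one-to-one static NAT, not PAT. PAT would
! rewrite the ports the unit announces in its H.323 handshake, so the
! media would arrive at ports the firewall has no mapping for.
static (inside,outside) 203.0.113.10 10.10.1.10 netmask 255.255.255.255 0 0

! ---- Approach A: NAT with a smart client, no fixup ----
! The unit has been told its public address (203.0.113.10) and its fixed
! port range, so the firewall only needs static pinholes: call setup on
! TCP 1720 plus the predefined range for call control and media. The
! H.323 fixup is disabled so the PIX does not try to rewrite a payload
! the client has already filled in with its public address.
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
access-list outside_in permit tcp any host 203.0.113.10 eq 1720
access-list outside_in permit tcp any host 203.0.113.10 range 3230 3250
access-list outside_in permit udp any host 203.0.113.10 range 3230 3250
access-group outside_in in interface outside

! ---- Approach B: NAT with a smart firewall (H.323 fixup) ----
! The PIX snoops the H.225 call setup (and RAS) to rewrite the embedded
! private address and to open the dynamically negotiated control and
! media ports for the life of the call. Only the call-setup port has to
! be opened statically; the fixed range from approach A is not needed.
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
access-list outside_in permit tcp any host 203.0.113.10 eq 1720
access-group outside_in in interface outside

! Anti-pattern from the "Don't NAT" slide, shown commented out: opening
! everything above 1024 to the unit instead of a predefined range. This
! is the "why have a firewall?" case and should not be used.
! access-list outside_in permit tcp any host 203.0.113.10 gt 1024
! access-list outside_in permit udp any host 203.0.113.10 gt 1024
```

The security trade-off is the one the slides describe: approach A keeps the firewall simple and works on older PIX software, but leaves a fixed set of ports permanently open to the unit; approach B exposes only TCP 1720 at rest and relies on the fixup to open and close the rest per call, so it depends on the PIX software actually understanding the H.323 dialect the endpoints speak.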

Additional Application Proxy

- Most new firewall versions support some form of application proxy or snooping
  - Microsoft ISA (Microsoft Proxy)
  - Check Point
  - WatchGuard Firebox
- New and interesting concept (read about, but not test-driven)
  - Ridgeway Systems