1 11/12/2018

2 Traversing The Firewall for SIP Call Completion
Steven J. Johnson President Ingate Systems Inc.

3 The Third Big Wave of Internet Usage
Speaker notes: <Let the animation play to the end> SIP is really the third big wave of Internet usage that will change the way we work and communicate forever. SIP is so much more than just IP-telephony; one has to use it to understand that in full. So what does this concept of Global Connectivity mean for you as a Service Provider? You need to understand the challenges in bringing SIP to the enterprise; the consumer side is far less complex when it comes to requirements and security.
Slide text:
- SMTP created
- HTTP created the Web
- SIP will create realtime global connectivity from person to person!

4 Trends in SIP Adoption
- 2005 was a watershed year and VoIP is now mainstream
- Lots of use cases are coming on line:
  - Branch office connections
  - Call center applications
  - Click to Talk for customer service centers
  - International calling
  - New service offerings for residential and commercial customers
  - Extension of Microsoft Office Live Communications Server beyond the Local Area Network

5 It’s All There – Almost…
Speaker notes: <Repeat the text in the slide> This issue is a major show stopper in implementing VoIP services in the Enterprise. In the future every firewall must be SIP capable, but on our way there we will need interim solutions for solving this issue. Let us start with the basics for VoIP and security: how to let the SIP traffic traverse the enterprise firewall in a secure way.
Slide text:
- A single network (IP)
- Everyone has a connection
- High capacity and good performance
- A single protocol - SIP
- Firewalls are meant to exclude inbound communications
- SIP won’t traverse common firewalls and NATs

6 Alternative NAT Traversal Solutions
Standard Method / Our take on this:
- VPN Tunnels: Force SIP signaling and media to use a VPN tunnel. Our take: Increases traffic at central site; Limits promise of global connectivity.
- STUN, TURN, ICE: Rewrite IP addresses based on information obtained from unknown servers. Our take: Reduces enterprise control; Places control with clients.
- Carrier based solutions: Create pinholes in NAT routers, from a central location. Our take: Places control with carrier.
- ALG Firewall Solutions: Provide a mechanism for rewriting header information. Our take: Limited ability to inspect the SIP signal.
- Proxy based firewall and parallel CPE solutions: Couples an ALG with a SIP Proxy to manage the admission and provide control for enterprises adopting SIP. Our take: Robust solution to solve the problem where it occurs – at the enterprise edge; Enables signal inspection; Enables media and signaling encryption; Provides enhanced features.

7 Why not Use VPN?
VPN - not a flexible solution:
- IP to IP to any external user!
- No Global Connectivity: works where you have control, home etc.; does not always work from Hotels etc. (~50%)
- WiFi phones and dual Mobile/WiFi handsets normally have no VPN clients. Start a VPN client just to receive a call?!
- QoS can be taken out of play in some VPNs if headers are encrypted end-to-end: encryption may occur before it reaches the unit that handles queuing.
- Trend: Client-Server encryption replaces VPN, Citrix etc.
- VPN potentially opens up the network to others
- No ”media release”, VPN does not scale.
Diagram labels: Office LAN, Home, Mobile+WiFi, WiFi Hotspot, SIP unaware Firewall with VPN termination, Laptop Soft phone, Hotel, SIP unaware Firewalls, VPN, SIP Media (Voice/Video etc.)

8 Why not Use ICE?
- Reliance on 3rd party servers to enable call setup
- Some consider this to be a security issue
- Gives control to the client
- Difficult to configure and maintain in a large corporate environment
- Current lack of endpoints that support ICE

9 What about Carrier Session Border Controllers?
Diagram, two deployment models:
- Centralized, Telecom, Network-centric: Site A and Site B connect through a Session Border Controller at the Service Provider.
- Distributed, Enterprise-centric: Site A and Site B each have a SIP-capable firewall or SIP-enabling CPE device and connect to the Service Provider.

10 What About a SIP ALG Firewall
- Check the SIP signaling
  - Can be encrypted for privacy
- Rewrite for the different address spaces
- Forward the signaling to the correct SIP proxy or client
  - For inbound calls – need to know location of each SIP user (unless registrar is on the inside)
- Open pinholes in the firewall for the media
  - Only for the duration of the call
  - Only between the exact endpoints
- Close pinholes after the call
Diagram labels: SIP capable Firewall, SIP Proxy/Registrar, SIP Signaling, 10.x.xx, 168.x.xx, Media, Cannot handle encryption
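The pinhole behaviour listed on this slide, as an added model written for this page (it is not Ingate's code and not from the original deck): the ALG reads the media endpoint from the SDP of an outbound INVITE, rewrites the private address for the outside address space, opens a media pinhole only when the 200 OK answers that call and only between the two negotiated endpoints, and tears it down on BYE. Addresses, Call-IDs and messages are constructed; only the SDP c= line is rewritten here, and address translation of the inside endpoint is assumed to happen in the NAT itself.

```python
import re
PUBLIC_ADDR = "198.51.100.7"  # constructed: the firewall's outside address

def parse_sip(msg):
    """Return (start line, lower-cased header dict, body) of a SIP message."""
    head, _, body = msg.partition("\r\n\r\n")
    start, *hdr_lines = head.split("\r\n")
    hdrs = dict(l.partition(":")[::2] for l in hdr_lines)
    return start, {k.strip().lower(): v.strip() for k, v in hdrs.items()}, body

def sdp_endpoint(body):
    """(ip, port) of the audio stream described by an SDP body."""
    ip = re.search(r"^c=IN IP4 (\S+)", body, re.M).group(1)
    return ip, int(re.search(r"^m=audio (\d+) ", body, re.M).group(1))

class SipAlg:
    def __init__(self, public_addr):
        self.public_addr = public_addr
        self.pending = {}   # Call-ID -> inside (ip, port): offer sent, not answered yet
        self.pinholes = {}  # Call-ID -> (inside endpoint, outside endpoint): live call

    def outbound(self, msg):
        """Signaling leaving the LAN: an INVITE gets its private SDP address rewritten
        to the public one and is remembered; a BYE closes the call's pinhole."""
        start, hdr, body = parse_sip(msg)
        if start.startswith("INVITE") and body:
            inside = sdp_endpoint(body)
            self.pending[hdr["call-id"]] = inside
            body = body.replace(f"c=IN IP4 {inside[0]}", f"c=IN IP4 {self.public_addr}")
        elif start.startswith("BYE"):
            self.pinholes.pop(hdr["call-id"], None)
        return msg.partition("\r\n\r\n")[0] + "\r\n\r\n" + body

    def inbound(self, msg):
        """A 200 OK answering a pending INVITE opens the pinhole; a BYE closes it."""
        start, hdr, body = parse_sip(msg)
        cid = hdr["call-id"]
        if start.startswith("SIP/2.0 200") and cid in self.pending and body:
            self.pinholes[cid] = (self.pending.pop(cid), sdp_endpoint(body))
        elif start.startswith("BYE"):
            self.pinholes.pop(cid, None)

    def allows_media(self, src, dst):
        """RTP passes only between the exact endpoint pair of a live call."""
        return any((src, dst) in ((i, o), (o, i)) for i, o in self.pinholes.values())

# Constructed sample exchange: inside phone 10.0.0.5:4000 calls a remote party.
INVITE = "INVITE sip:bob@example.net SIP/2.0\r\nCall-ID: c1\r\n\r\nv=0\r\nc=IN IP4 10.0.0.5\r\nm=audio 4000 RTP/AVP 0\r\n"
OK200 = "SIP/2.0 200 OK\r\nCall-ID: c1\r\n\r\nv=0\r\nc=IN IP4 203.0.113.9\r\nm=audio 5000 RTP/AVP 0\r\n"
BYE = "BYE sip:bob@example.net SIP/2.0\r\nCall-ID: c1\r\n\r\n"
```

Feed INVITE through outbound(), OK200 through inbound() and BYE through outbound() in that order to see the pinhole appear for exactly that endpoint pair and disappear again.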

11 What About Proxy Based Firewalls?
- Robust solution to solve the problem where it occurs – at the enterprise edge
- Enables signal inspection
- Enables Media and signaling encryption
- Remote SIP Connectivity for mobile users
- Routing in complex environments
- Branch office failover
- Prioritized voice and video
- Allows the enterprise to control:
  - Sources and destinations of communications
  - Content of the media
- Offers protection against:
  - Spoofing
  - Denial of Service attacks

12 Choose the Right SIP Firewall Architecture
Feature: SIP ALG Firewall / SIP Proxy Firewall
- ALG: ALG / ALG + PROXY
- Encryption: N / Y
- REGISTRAR Authentication: N / Y
- SIP Filtering: L / Y
- Call Control: L / Y
- Extra SIP functions: L / Y

13 VoIP, Security and SIP: The good news
VoIP and SIP - no security problems in themselves. On the contrary, SIP:
- Is robust, flexible and scalable.
- Supports authentication.
- Signaling (TLS) and media streams (SRTP) can be encrypted.
Select products that leverage these benefits:
- Full SIP Proxy
  - SIP signaling inspection.
  - Ports only opened between the specific parties of the call and for the duration of the call.
- SIP Registrar
- Support for TLS and SRTP

14 Support for Workers on the Road or Working from Home
- 40% of the work force is said to work away from the office occasionally
- Most of the remote workers would like access to the tools that the PBX offers at their office
- With SIP that is possible as long as the user can connect back to the company infrastructure
- A proxy based firewall solution allows the user to do this from wherever they may be working today.

15 Support for Remote Workers
Diagram labels: Home NAT, Hotel NAT, Internet, Home user, Traveling user, Remote user module, 802.11 Hotspot, SIP capable proxy-based firewall

16 Branch Office Service Assurance
- Automatic failover from central SIP server (hosted or centralized IP-PBX) to distributed offices
- Automatic capture of user registrations to mirror configurations
- Frequent ping of central server to determine availability
- Basic call control features allow station to station dialing and dial plan to a local PSTN gateway

17 VoIP Survival in Hosted Environments
Diagram callouts:
1. VoIP services through Broadworks Servers hosted by the Service Provider or Enterprise main office
2. VoIP to PSTN services through Broadworks Servers and a PSTN Gateway hosted by the Service Provider or Enterprise main office
3. Settings, user data downloaded
Diagram labels: SIP/PSTN Gateway, Internet, Other SIP Users, Enterprise Workstations, Workstations

18 Host Down - VoIP Survival Activated
Diagram callouts:
1. Local calls within the domain are handled by the Ingate Firewall or SIParator
2. Optional local backup PSTN Gateway is used for routing VoIP to PSTN calls.
Diagram labels: SIP/PSTN Gateway, Internet, Other SIP Users, Enterprise Workstations, Workstations, SIP/PSTN Gateway

19 SIP Proxy-based Solution for SIP Adoption
- Solves the FW/NAT traversal problem at the enterprise edge
- The enterprise gains control over the IP Communications applications
- A scalable solution that enables global connectivity
- Robust solutions that add value to the enterprise:
  - QoS enables the organization to prioritize Voice and Video
  - Remote SIP Connectivity connects road warriors and home workers
  - Advanced SIP Routing for flexibility in complex scenarios
- Security for SIP based communications:
  - Stateful signal inspection
  - MIME / Content types consistent with negotiated parameters
  - Ability to set admission policies on various criteria
  - Protection from denial of service attacks and spoofing
  - Media and signaling encryption for privacy - Termination and Transcoding

20 The Ingate Solution…. Fully SIP-Capable Firewalls
Diagram labels: Normal Firewalls, Ingate Firewall® with SIP-Proxy and -Registrar, SIP

21 You Don’t Need to Replace your Firewall!
Diagram labels: SIP, Normal Firewalls, Ingate SIParator® in the DMZ SIP-enables any firewall, SIP

22 The Ingate Family
Firewall® 1880 & SIParator® 88 Firewall® 1600 & SIParator® 60 800 Mbit/s 800 RTP sessions Firewall® 1450+ & SIParator®45+ 385 Mbit/s 500 RTP sessions Firewall® 1450 & SIParator®45 310 Mbit/s 240 RTP sessions 120 Mbit/s 150 RTP sessions Firewall® 1180 & SIParator® 18 30 Mbit/s 30 RTP sessions

23 Please contact me at any time:
Bringing SIP to the Enterprise
Steve Johnson, President
Mail & SIP:
Mobile:
Direct:
