Intertex Data AB, Sweden

VoIP to the Edge:
Firewalls - The Missing Link
Prepared for: Voice On the Net, Fall 2001
By:
Karl Erik Ståhl
President Intertex Data AB
Chairman Ingate Systems AB
[email protected]
© 2001 Intertex Data AB, All Rights Reserved
Moderator Matt Noah 1

VoIP as we have seen it…
Do we want the PC as a phone?
[Diagram: two PCs talking to each other over the Internet ("Wanna talk to me?")]
Are cheaper phone bills all we want?
[Diagram: a gateway at STO and a gateway at LA connected over the Internet]

VoIP as we have seen it…
[Diagram: a Europe gateway and a US gateway, each attached to the PSTN, connected over an IP VPN across the Internet]
VoIP between branch offices
- But NOT globally to others!

Hmm, didn’t we pass this stage…
[Diagram: Organization 1 (Email system 1) and Organization 2 (Email system 2) exchanging email only by printer and fax over the PSTN]
Paper was a very compatible media - So is POTS today…
But we need to move beyond!

Time to Get IP Telephony Out to Edge
[Diagram: a black phone on RJ11 to the PSTN beside an IP phone on RJ45 to the LAN, Intranet and Internet]
Wouldn’t that be fine?

VoIP and SIP Services Out to the Edge
Current status:
SIP is the protocol for IP Communication person to person,
BUT IT DOES NOT REACH THE EDGE!
[Diagram: SIP Server, SIP/PSTN Gateway and PSTN on the Internet side; IP phones behind a Firewall and NATs on a Home LAN, a Business LAN, an Operator network with NAT (DSL, Cable, MTU) and an IAP, each marked "Firewall/NAT problems!"]

SIP Firewall Problems
Firewall Problems:
Sessions initiated from outside of the firewall
- OK, open port 5060, but…
Media streams on dynamically allocated port numbers
- Ooops… !
Even with public IP addresses inside

SIP NAT/PAT Problems
NAT & PAT Problems:
Where is the device?
- Registration/location function
Private IP addresses and ports in SIP messages
- Rewrite with globally routable addresses
IP address and port of media stream has to be modified
- NAT engine has to be dynamically controlled
Worse with private IP addresses inside

Suggested Solutions
SIP aware Firewall/NATs (SIP ALG)
[Intertex (SOHO), Ingate (enterprise), …]
Dynamically controlled Firewall/NATs [Aravox, …]
• MIDCOM: By Firewall Control Proxy [Dynamicsoft…]
• UPnP: By the client (Windows) [Microsoft]
Modifying the SIP protocol
Draft in progress: http://www.ietf.org/internet-drafts/draft-rosenberg-sip-entfw-02.txt

Adding SIP Support to a Firewall
Important components:
• Firewall & NAT
• Dynamic Firewall Engine
• SIP Proxy Server, controlling the firewall
• SIP Registrar, user location information
• Communication between SIP Proxy and firewall
[Diagram: SIP Proxy with User Location data controlling the Firewall over a Firewall Control Protocol]
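An added illustration of the two previous slides (the NAT/PAT rewriting problem and the SIP proxy controlling the firewall); this is example code, not from the slides and not Intertex or Ingate product code. The public address 203.0.113.5, the port pool starting at 40000 and the sample INVITE are constructed assumptions.

```python
import re

def sip_alg_rewrite(msg, private_ip, public_ip, first_media_port=40000):
    """Rewrite a SIP request leaving a private LAN the way a SIP ALG would.
    Returns the rewritten message plus the UDP pinholes the dynamic firewall
    engine must open, as (public_port, private_ip, private_port) tuples."""
    head, _, body = msg.partition("\r\n\r\n")
    addr = re.compile(re.escape(private_ip) + r"(:\d+)?")
    next_port = first_media_port
    pinholes = []
    # Signalling: Via and Contact carry the private host:port; replace them with
    # the public address so responses and later requests can be routed back in.
    headers = []
    for line in head.split("\r\n"):
        if line.lower().startswith(("via:", "contact:")):
            line = addr.sub(f"{public_ip}:5060", line)
        headers.append(line)
    # Media: SDP c= names the private RTP address and m= the private port;
    # allocate a public port pair (RTP even, RTCP odd) and record the pinholes.
    sdp = []
    for line in body.split("\r\n"):
        if line == f"c=IN IP4 {private_ip}":
            line = f"c=IN IP4 {public_ip}"
        m = re.match(r"m=(\w+) (\d+) (.*)", line)
        if m:
            priv = int(m.group(2))
            pinholes.append((next_port, private_ip, priv))          # RTP
            pinholes.append((next_port + 1, private_ip, priv + 1))  # RTCP
            line = f"m={m.group(1)} {next_port} {m.group(3)}"
            next_port += 2
        sdp.append(line)
    body = "\r\n".join(sdp)
    # The body changed length, so Content-Length must be recomputed.
    headers = [f"Content-Length: {len(body.encode())}"
               if h.lower().startswith("content-length:") else h for h in headers]
    return "\r\n".join(headers) + "\r\n\r\n" + body, pinholes

# Constructed sample INVITE from an IP phone on a private LAN (not from the slides).
INVITE = ("INVITE sip:bob@example.org SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
          "Contact: <sip:alice@192.168.1.20:5060>\r\n"
          "Content-Type: application/sdp\r\n"
          "Content-Length: 0\r\n\r\n"
          "v=0\r\nc=IN IP4 192.168.1.20\r\nm=audio 8000 RTP/AVP 0\r\n")

if __name__ == "__main__":
    out, holes = sip_alg_rewrite(INVITE, "192.168.1.20", "203.0.113.5")
    print(out, "pinholes to open:", holes)
```

The returned pinhole list is what the firewall engine opens for the duration of the call and closes on BYE; without it the RTP on the dynamically chosen port would be dropped even though 5060 is open.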

NAT Friendly SIP Draft
[Diagram: IP phones on LANs behind Firewall/NATs; signalling goes to a SIP Registrar, and the RTP of both parties bounces through a SIP Bounce Server]
Not easy! All SIP clients need upgrade
• Keep registrar NAT path (TCP or UDP) always open by frequent registrations
• Route new signalling through this open path
• RTP media streams always start from inside
• If both parties are behind firewalls, RTP streams must bounce through a server

SIP Enabling the Private Networks
[Diagram: the same network as before (SIP Server, SIP/PSTN Gateway, PSTN, Operator network with NAT over DSL/Cable/MTU, Home LAN, Business LAN, IAP), now with an inGate SIParator in a DMZ, an inGate Firewall in front of the Business LAN and an Intertex IX66 NAT gateway on the Home LAN; the labels read "SIP Firewall/NAT transparency!" beside those devices and "Firewall/NAT problems!" elsewhere]

Product Examples – Ingate Systems AB
Enterprise Products
A Complete Firewall: inGate Firewall
An add-on to an Existing Firewall: inGate SIParator, placed in the DMZ of the existing firewall
• Firewall & NAT/PAT
• SIP Proxy
• SIP Registrar

Product Examples – Intertex Data AB
SOHO Products
IX66 Internet Gate, with or without ADSL modem built-in
OEM as: Telia SurfinBird Gate, PowerBit SafeGate

The Intertex IX66 Internet Gate
A closer look
[Picture of the IX66 front panel]
Firewall & NAT/PAT
SIP Proxy and Registrar
DHCP Server and Client
WEB Server for configuration
SIP Appliance Control, LAC via expansion port

The Intertex IX66 Internet Gate
Goodies
[Picture of the IX66 rear panel: DC, USB, ET2, ET1, EXP, LINE, PHONE]
Optional ADSL Built-in
Two Ethernet and one USB port
Expansion port, e.g. for appliance control
Smart Card Reader
Upgradeable

See Intertex and inGate!
Booth #724
Booth #722
SIP Enabled Firewalls!

Intertex Data AB
www.intertex.se
Rissneleden 45
SE-174 44 Sundbyberg, Sweden
President Karl Erik Ståhl
[email protected]
Tel +46 8 6282828

Ingate Systems AB
www.ingate.com
Lundagatan 31
SE-117 27 Stockholm, Sweden
CEO Olle Westerberg
[email protected]
Tel +46 8 720 89 31