Intertex Data AB, Sweden - VoIP to the Edge: Firewalls - The Missing Link. Prepared for: Voice On the Net, Fall 2001. By: Karl Erik Ståhl, President Intertex.


1 Intertex Data AB, Sweden
VoIP to the Edge: Firewalls - The Missing Link
Prepared for: Voice On the Net, Fall 2001
By: Karl Erik Ståhl, President Intertex Data AB, Chairman Ingate Systems AB
Moderator: Matt Noah
© 2001 Intertex Data AB, All Rights Reserved

2 VoIP as we have seen it…
Do we want the PC as a phone?
Are cheaper phone bills all we want?
[Diagram labels: Internet, PC, "Wanna talk to me?", Gateway, STO, LA]

3 VoIP as we have seen it…
VoIP between branch offices - But NOT globally to others!
[Diagram labels: Gateway, PSTN, Europe, IP, Internet VPN, US]

4 Hmm, didn’t we pass this stage…
Paper was a very compatible medium - So is POTS today…
But we need to move beyond!
[Diagram labels: PSTN, email, printer, fax, Organization 1, system 1, Organization 2, system 2]

5 Time to Get IP Telephony Out to Edge
Wouldn’t that be fine?
[Diagram labels: Black Phone, RJ45, LAN, Intranet, Internet, IP Phone, PSTN, RJ11]

6 VoIP and SIP Services Out to the Edge
Firewall/NAT problems!
Current status: SIP is the protocol for IP Communication person to person, BUT IT DOES NOT REACH THE EDGE!
[Diagram labels: IAP, IP Phone, SIP Server, PSTN, SIP/PSTN Gateway, Internet, Home LAN, Business LAN, DSL, Cable, MTU, Operator network with NAT, NAT, Firewall, XP, PIM]

7 SIP Firewall Problems
Firewall Problems:
Sessions initiated from outside of the firewall
  - OK, open port 5060, but…
Media streams on dynamically allocated port numbers
  - Ooops…!
Even with public IP addresses inside

8 SIP NAT/PAT Problems
NAT & PAT Problems:
Where is the device?
  - Registration/location function
Private IP addresses and ports in SIP messages
  - Rewrite with globally routable addresses
IP address and port of media stream has to be modified
  - NAT engine has to be dynamically controlled
Worse with private IP addresses inside
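
Added example (not part of the original slides): a minimal sketch of the rewriting a SIP-aware NAT performs on an outbound INVITE, replacing private addresses in the Via, Contact and SDP lines and returning the RTP/RTCP bindings the NAT engine must open dynamically. The function names, the public address 203.0.113.5, the port pool and the abbreviated sample message are assumptions; it handles IPv4 with a session-level c= line only.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(:\d+)?")
def is_private(host):
    try:
        return any(ipaddress.ip_address(host) in n for n in RFC1918)
    except ValueError:                 # hostname, not an IP literal
        return False

def alg_rewrite(msg, public_ip, sip_port, rtp_ports):
    """Rewrite an outbound SIP+SDP message; return (message, NAT bindings)."""
    head, _, body = msg.partition("\r\n\r\n")
    bindings, media_ip, sdp = {}, None, []   # public port -> (private ip, port)
    for line in body.split("\r\n"):
        addr = re.match(r"([co]=.*IN IP4 )(\S+)$", line)
        media = re.match(r"m=(\w+) (\d+) (.*)$", line)
        if addr and is_private(addr.group(2)):
            if line.startswith("c="):
                media_ip = addr.group(2)     # where the phone really listens
            line = addr.group(1) + public_ip
        elif media and media_ip:
            rtp, port = next(rtp_ports), int(media.group(2))
            bindings[rtp] = (media_ip, port)          # RTP
            bindings[rtp + 1] = (media_ip, port + 1)  # RTCP
            line = f"m={media.group(1)} {rtp} {media.group(3)}"
        sdp.append(line)
    body = "\r\n".join(sdp)
    swap = lambda h: f"{public_ip}:{sip_port}" if is_private(h.group(1)) else h.group(0)
    out = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name in ("via", "contact"):       # routing headers only
            line = IPV4.sub(swap, line)
        elif name == "content-length":       # body length changed
            line = f"Content-Length: {len(body.encode())}"
        out.append(line)
    return "\r\n".join(out) + "\r\n\r\n" + body, bindings

# Constructed, abbreviated INVITE from a phone on a private LAN (not a capture).
SAMPLE = "\r\n".join([
    "INVITE sip:bob@example.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776",
    "Contact: <sip:alice@192.168.1.20:5060>",
    "Content-Type: application/sdp", "Content-Length: 98", "",
    "v=0", "o=alice 1 1 IN IP4 192.168.1.20", "s=-",
    "c=IN IP4 192.168.1.20", "t=0 0", "m=audio 49170 RTP/AVP 0", ""])
```

The returned bindings are what a firewall control channel would install for the duration of the call and remove when the session ends.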

9 Suggested Solutions
SIP aware Firewall/NATs (SIP ALG) [Intertex (SOHO), Ingate (enterprise), …]
Dynamically controlled Firewall/NATs [Aravox, …]
Midcom: By Firewall Control Proxy [Dynamicsoft…]
UPnP: By the client (Windows) [Microsoft]
Modifying the SIP protocol
Draft in progress: draft-rosenberg-sip-entfw-02.txt

10 Adding SIP Support to a Firewall
Important components:
  - Dynamic Firewall Engine
  - SIP Proxy Server, controlling the firewall
  - SIP Registrar, user location information
  - Communication between SIP Proxy and firewall
[Diagram labels: SIP Proxy, Firewall & NAT, Firewall Control Protocol, User Location]

11 NAT Friendly SIP Draft
Not easy! All SIP clients need upgrade
RTP
  - If both parties are behind firewalls, RTP streams must bounce through a server
  - RTP media streams always start from inside
SIGNALING
  - Keep registrar NAT path (TCP or UDP) always open by frequent registrations
  - Route new signalling through this open path
[Diagram labels: IP Phone, LAN, NAT, SIP Registrar, SIP Bounce Server, Firewall]

12 SIP Enabling the Private Networks
Firewall/NAT problems! Firewall/NAT SIP transparency!
[Diagram labels: IP Phone, SIP Server, PSTN, SIP/PSTN Gateway, Operator network with NAT, Internet, Home LAN, NAT, Firewall, Business LAN, DSL, Cable, MTU, DMZ, inGate SIParator, inGate Firewall, IX66, IAP]

13 Product Examples – Ingate Systems AB
Enterprise Products
A Complete Firewall
An add-on to an Existing Firewall
  - Firewall & NAT/PAT
  - SIP Proxy
  - SIP Registrar
[Diagram labels: inGate Firewall, DMZ, inGate SIParator, Existing Firewall]

14 Product Examples – Intertex Data AB
SOHO Products
IX66 Internet Gate with or without ADSL modem built-in
OEM as: Telia SurfinBird Gate, PowerBit SafeGate

15 The Intertex IX66 Internet Gate
A closer look
  - Firewall & NAT/PAT
  - SIP Proxy and Registrar
  - DHCP Server and Client
  - WEB Server for configuration
  - SIP Appliance Control, LAC via expansion port

16 The Intertex IX66 Internet Gate
Goodies
  - Two Ethernet and one USB port
  - Expansion port, e.g. for appliance control
  - Smart Card Reader
  - Upgradeable
Optional ADSL Built-in

17 See Intertex and inGate! SIP Enabled Firewalls!
Ingate Systems AB, Lundagatan 31, SE Stockholm, Sweden. CEO Olle Westerberg. Tel
Booth #724 Booth #722
Intertex Data AB, Rissneleden 45, SE Sundbyberg, Sweden. President Karl Erik Ståhl. Tel

18 Internet Appliances Control

19 The Ingate SIParator
[Diagram labels: Internet, IP Phone, DMZ, inGate SIParator, Existing Firewall]

20 The Ingate SIParator
[Diagram labels: Existing Firewall, Internet, LAN, Private IP Addresses, SIP traffic (5060 UDP/TCP), RTP traffic (UDP port interval), SIParator, RTP Proxy, NAT/PAT Engine, SIP Proxy, DMZ, SIP Registrar]

