Firewalls, Network Address Translators(NATs), and H.323


1 Firewalls, Network Address Translators (NATs), and H.323
Joon Maeng, Chief Scientist, VTEL Corp. October 11, 2000

2 Network Layers
[Diagram: the OSI layers, Application (7), Presentation (6), Session (5), Transport (4), Network (3), Data Link (2) and Physical (1), mapped onto the protocol stack: H.323, SIP, FTP, HTTP, SNMP and RTP at the application layer; TCP and UDP (dynamic ports) at the transport layer; IP and ARP at the network layer; Ethernet software and hardware at the data link and physical layers. An A/V media stream is encapsulated as RTP header, UDP header, IP header and Ethernet header, with the port number, protocol ID, type code and MAC address as the demultiplexing key at each layer.]

3 Shared IP Network Landscape (e.g., Internet, Shared IP Backbone)
[Diagram: an IP network connecting individuals with a single host (no firewalls, mostly dialup modem), individuals with multiple hosts behind a NAT (mostly DSL and cable), and corporate networks and universities behind firewalls and NATs.]

4 Network Address Translator (NAT)*
[Diagram: a NAT between the corporate or home network (private network) and the Internet or public IP network.]
- Address translation between public and private networks
- A large private network can use a small set of public addresses
- Security (private addresses are not known to the public network)
- Private IP addresses (RFC 1918): 10/8 prefix, 172.16/12 prefix, ( /16 prefix)
* ftp://ftp.isi.edu/in-notes/rfc2663.txt

5 NAT (Cont'd): Types of NATs
- Traditional NAT (unidirectional NAT): outbound NAT, from the private address realm to the public address realm
- Network address and port translator (NAPT)
[Diagram: a traditional NAT rewriting one private host's source address to a public address on its way to a server's port 80, and a NAPT multiplexing Host A and Host B (source ports 1257 and 6345) onto a single public address with distinct translated source ports (8896 and 237), all destined to the server's port 80.]

6 NAT (Cont'd)
- Bi-directional NAT or two-way NAT
- Twice NAT: translates source and destination addresses
- Multi-homed NAT
- A NAT is a logical function, usually embedded in a border router (or in the same device as a firewall)
- NATs are stateful devices: they maintain a table with an established list of active sessions
- Session termination: TCP by detection of FIN in the packet or by timeout; UDP by timeout
- NAT default timeouts (configurable): udp-timeout is 300 seconds (5 minutes); dns-timeout is 60 seconds (1 minute); tcp-timeout is seconds (24 hours); finrst-timeout is 60 seconds (1 minute)
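The NAPT behaviour of slides 5 and 6 (port translation, a stateful session table, per-protocol idle timeouts, and the short finrst timeout once a TCP FIN is seen) as an added Python model; this is example code written for this page, not from the presentation or VTEL, and all addresses and ports are constructed. The 24-hour TCP value is taken from the slide's parenthetical.

```python
# Added example (not from the presentation): a minimal NAPT session table for
# one public address. Outbound packets get a translated source port, replies are
# mapped back, unsolicited inbound packets have no binding and are dropped.
TIMEOUTS = {"udp": 300, "tcp": 24 * 3600, "finrst": 60}   # slide defaults, seconds


class NAPT:
    """Stateful network address and port translator for one public IP."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, priv_ip, priv_port, peer_ip, peer_port) -> binding state
        self.sessions = {}

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port, now):
        """Translate a packet leaving the private realm, creating a binding if needed."""
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        sess = self.sessions.get(key)
        if sess is None or sess["expires"] <= now:          # new or expired binding
            sess = {"pub_port": self.next_port, "timeout": TIMEOUTS[proto]}
            self.next_port += 1
            self.sessions[key] = sess
        sess["expires"] = now + sess["timeout"]               # traffic refreshes the binding
        return (self.public_ip, sess["pub_port"], dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port, now):
        """Reverse-translate a reply; a packet with no live binding is dropped (None)."""
        if dst_ip != self.public_ip:
            return None
        for (p, priv_ip, priv_port, peer_ip, peer_port), sess in self.sessions.items():
            if (p, peer_ip, peer_port, sess["pub_port"]) == (proto, src_ip, src_port, dst_port):
                if sess["expires"] <= now:                  # idle too long: binding is gone
                    return None
                sess["expires"] = now + sess["timeout"]
                return (src_ip, src_port, priv_ip, priv_port)
        return None                                         # unsolicited: nowhere to send it

    def fin_seen(self, src_ip, src_port, dst_ip, dst_port, now):
        """A TCP FIN shortens the binding's remaining life to the finrst timeout."""
        sess = self.sessions.get(("tcp", src_ip, src_port, dst_ip, dst_port))
        if sess is not None:
            sess["timeout"] = TIMEOUTS["finrst"]
            sess["expires"] = now + sess["timeout"]


if __name__ == "__main__":
    nat = NAPT("203.0.113.1")                                  # constructed public address
    print(nat.outbound("tcp", "10.0.0.5", 1257, "198.51.100.7", 80, now=0))
    print(nat.inbound("tcp", "198.51.100.7", 80, "203.0.113.1", 1024, now=5))
```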

7 Firewalls
[Diagram: a firewall between the corporate or home network (private network) and the Internet or public IP network.]
A system designed to prevent unauthorized access to or from a network domain. Firewalls can be implemented in hardware, in software, or in a combination of both. Firewalls are also used within private networks.

8 Packet Filter Firewalls
- Operate purely at the IP and UDP/TCP layer
- Allow or disallow packets on the basis of the source and/or destination IP address
- Allow or disallow packets according to protocol (port number)
- Common policies: no UDP packets in or out; TCP packets are allowed out; TCP packets are allowed in for specific servers, such as an http server on port 80, and for connections opened from inside
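The "common policy" on this slide as an added Python packet filter, with an outbound H.323 call pushed through it to show which parts survive; this is example code written for this page, not from the presentation. The port 1720 is the standard H.225 call-signalling port; the hosts 10.0.0.5, 10.0.0.80 and 198.51.100.7 and the RTP ports are constructed.

```python
# Added example (not from the presentation): stateful packet filter implementing
# the slide's policy: no UDP in or out, TCP out allowed and tracked, TCP in only
# to published servers or as a reply to a connection opened from inside.
class PacketFilter:
    def __init__(self, published_tcp_servers):
        self.published = set(published_tcp_servers)   # (inside_ip, port) reachable from outside
        self.open_from_inside = set()                 # TCP 4-tuples opened by inside hosts

    def check(self, direction, proto, src_ip, src_port, dst_ip, dst_port):
        """Return True if the packet is allowed by the policy above."""
        if proto == "udp":
            return False                              # no UDP in or out
        if direction == "out":                        # TCP out: allow and remember the flow
            self.open_from_inside.add((src_ip, src_port, dst_ip, dst_port))
            return True
        if (dst_ip, dst_port) in self.published:      # e.g. the http server on port 80
            return True
        # inbound TCP is otherwise only a reply to a connection opened from inside
        return (dst_ip, dst_port, src_ip, src_port) in self.open_from_inside


def h323_call_through(fw, inside="10.0.0.5", outside="198.51.100.7"):
    """Which legs of an outbound H.323 call the policy lets through (constructed ports)."""
    return {
        "setup_out": fw.check("out", "tcp", inside, 3001, outside, 1720),   # H.225 signalling
        "connect_in": fw.check("in", "tcp", outside, 1720, inside, 3001),   # reply on same flow
        "rtp_out": fw.check("out", "udp", inside, 49170, outside, 49172),   # dynamic UDP media
        "rtp_in": fw.check("in", "udp", outside, 49172, inside, 49170),
    }


if __name__ == "__main__":
    fw = PacketFilter([("10.0.0.80", 80)])            # constructed published web server
    print(h323_call_through(fw))                       # signalling passes, media does not
```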

9 Application Level Firewalls
- Act as a proxy for applications, performing all data exchanges with the remote system on their behalf
- SOCKS (version 5, RFC 1928): requires a special proxy client
- H.323 proxy firewalls, SIP proxy firewalls, etc.
- Considered the most secure firewalls
- A new proxy must be written for each protocol that you want to pass through the firewall
- Proxy services introduce performance delays

10 Circuit Level Firewalls
- Validate that a packet is either a connection request or a data packet belonging to a connection between two peer transport layers (TCP)
- Unlike application level firewalls, they create a circuit between a client and a server without requiring that either application know anything about the service
- Generally faster than application level firewalls
- Cannot perform strict security checks on a higher-level protocol

11 H.323 Call Establishment
[Diagram: H.323 Zone A (Alice, gatekeeper GK-A, router) and H.323 Zone B (Bob, gatekeeper GK-B, router) connected over the public network.]
Call scenario (from Alice to Bob):
1. Alice asks GK-A to call Bob.
2. GK-A finds the IP address of GK-B from DNS.
3. GK-A asks GK-B for Bob's IP address.
4. GK-A sends a "setup" message to Bob.
5. Bob sends "connect" to GK-A.
6. GK-A relays "connect" to Alice.
7. Alice exchanges H.245 (or media) with Bob.

12 Problem 1: Private IP Address
[Diagram: the same two zones, now each using private IP addresses behind a firewall and NAT, with DNS on the public network.]
Call scenario (from Alice to Bob):
1. Alice asks GK-A to call Bob.
2. GK-A finds the IP address of GK-B from DNS (a private GK IP address).
3. GK-A asks GK-B for Bob's IP address (a private IP address).
4. GK-A sends a "setup" message to Bob.
5. Bob sends "connect" to GK-A.
6. GK-A relays "connect" to Alice.
7. Alice exchanges H.245 (or media) with Bob (through the firewalls).

13 Issues in Deploying H.323* (also SIP**)
Problem 2: Dynamic ports for media traffic
- H.323 (and SIP) use TCP or UDP for call establishment and UDP for media transmission
- Dynamic ports are used for session bundling of media streams
- Most firewalls will not allow UDP ports
- It is not realistic to open all the dynamic ports
- H.323 application firewalls are needed
*
** Session Initiation Protocol.

14 Issues (Cont'd)
Problem 3: IP addresses and port numbers within IP payloads
- H.225 and H.245 may embed IP addresses in payloads (not in the IP header). For instance, the "calling party" information element in the H.225 signaling stream contains the private address of the calling party. (In SIP, the Contact header, Record-Route, Via header, Call-ID, To and From fields may carry IP addresses and port numbers.)
- NATs cannot translate addresses and ports in the payloads unless they have an Application Level Gateway (ALG)
- H.323 is harder to handle than SIP (text based) since it uses ASN.1 encoding

15 Issues (Cont'd)
Problem 4: Security and Authentication
- IPsec does not traverse NATs
- IPsec through a firewall works, but the firewall cannot open the payloads nor determine which ports to open
- Bottom line: end-to-end encryption at the IP layer will not work through firewalls
- Any change made by a NAT with an ALG will cause the signature to become invalid and fail the data integrity check
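Problems 3 and 4 together as an added Python model: a text-based (SIP-style) request carrying the caller's private address in the headers the slide names passes a NAPT once without and once with an ALG, and an end-to-end integrity tag computed by the caller is checked afterwards. This is example code written for this page, not from the presentation; the addresses, ports, key and the INVITE text are constructed, and the HMAC stands in for whatever end-to-end signature the endpoints would use.

```python
import hashlib
import hmac
import re

# Constructed values: a caller behind a NAPT and the binding the NAPT gave it.
PRIVATE_IP, PRIVATE_PORT = "10.1.2.3", 5060
PUBLIC_IP, PUBLIC_PORT = "203.0.113.9", 40001

# Constructed SIP-style request; the private address appears in headers the slide names.
INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    f"Via: SIP/2.0/UDP {PRIVATE_IP}:{PRIVATE_PORT};branch=z9hG4bKabc\r\n"
    f"Contact: <sip:alice@{PRIVATE_IP}:{PRIVATE_PORT}>\r\n"
    f"Call-ID: 1234@{PRIVATE_IP}\r\n\r\n"
)
RFC1918 = re.compile(r"\b(?:10\.\d+\.\d+\.\d+|172\.(?:1[6-9]|2\d|3[01])\.\d+\.\d+|192\.168\.\d+\.\d+)\b")


def nat_without_alg(header, payload):
    """Plain NAPT: only the IP/UDP header is rewritten; the payload passes untouched."""
    return dict(header, src_ip=PUBLIC_IP, src_port=PUBLIC_PORT), payload


def nat_with_alg(header, payload):
    """NAPT plus an ALG that also rewrites the private address inside the signalling."""
    new_header, _ = nat_without_alg(header, payload)
    fixed = payload.replace(f"{header['src_ip']}:{header['src_port']}", f"{PUBLIC_IP}:{PUBLIC_PORT}")
    fixed = fixed.replace(header["src_ip"], PUBLIC_IP)       # bare address, e.g. in Call-ID
    return new_header, fixed


def leaked_private_addresses(payload):
    """RFC 1918 addresses the far end would still see in the payload (Problem 3)."""
    return sorted(set(RFC1918.findall(payload)))


def sign(key, payload):
    """End-to-end integrity tag computed by the caller before the packet reaches the NAT."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def verify(key, payload, tag):
    """Receiver-side check; any ALG rewrite of the payload makes this fail (Problem 4)."""
    return hmac.compare_digest(sign(key, payload), tag)
```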

16 Issues (Cont'd)
Problem 5: Lifetime issues
- A NAT's address binding has a lifetime equal to that of the TCP connection
- The NAT will terminate the media streams as soon as the TCP connection is closed
Problem 6: Multicast does not run through NAT
- The multicast protocol is defined for routers
- Devices behind a NAPT will not receive multicast, since the attached networks can appear like a single end station

17 Realm Specific IP*
- Motivation: to restore end-to-end transparency in the Internet
- Grants a host from one addressing realm a presence in another addressing realm by allowing it to use resources from the second addressing realm (borrowing a public address for a fixed duration in the private network)
- This is being defined at the IETF. It has potential, but it is too early to tell.
*

18 Other Attempts
- Firewall control protocol*? Interaction between firewalls and media servers was proposed at the IETF meeting in Adelaide; no consensus was reached
- H.323 application level firewalls and VPNs
*

19 Conclusions
- NATs and firewalls are here to stay between public and private networks. They are problems for H.323 as well as for most media applications in IP networks.
- To handle firewalls in H.323, one may have to use application level firewalls or VPNs, depending on the network topologies and types of WAN.
- To handle private addresses, one may have to use H.323 proxies.
