
Traversing The Firewall for SIP Call Completion - PowerPoint PPT Presentation



Traversing The Firewall for SIP Call Completion. Steven J. Johnson, President, Ingate Systems Inc. The Third Big Wave of Internet Usage. SMTP created E-mail. HTTP created the Web. SIP will create realtime global connectivity from person to person! Trends in SIP Adoption.


PowerPoint Slideshow about 'Traversing The Firewall for SIP Call Completion' - medwin


Presentation Transcript
Traversing The Firewall for SIP Call Completion

Steven J. Johnson

President

Ingate Systems Inc.


The Third Big Wave of Internet Usage

SMTP created E-mail

HTTP created the Web

SIP will create realtime global connectivity from person to person!


Trends in SIP Adoption

  • 2005 was a watershed year and VoIP is now mainstream

  • Lots of use cases are coming on line:

    • Branch office connections

    • Call center applications

    • Click to Talk for customer service centers

    • International calling

    • New service offerings for residential and commercial customers

    • Extension of Microsoft Office Live Communications Server beyond the Local Area Network


It’s All There – Almost…

  • A single network (IP)

  • Everyone has a connection

  • High capacity and good performance

  • A single protocol - SIP

  • Firewalls are meant to exclude inbound communications

  • SIP won’t traverse common firewalls and NATs



Why not Use VPN?

IP to IP to any external user!

  • VPN - not a flexible solution

    • No Global Connectivity

    • Works where you have control (home, etc.)

    • Does not always work from hotels etc. (~50%)

    • WiFi phones and dual Mobile/WiFi handsets normally have no VPN clients.

    • Start a VPN client just to receive a call?!

    • QoS can be taken out of play in some VPNs

      • If headers are encrypted end-to-end.

      • Encryption may occur before traffic reaches the unit that handles queuing.

    • Trend: Client-Server encryption replaces VPN

      • E-mail, Citrix etc.

    • VPN potentially opens up the network to others

    • No “media release”, VPN does not scale.

[Diagram labels: Home; Mobile+WiFi; Hotel; Laptop; Soft phone; SIP unaware Firewalls; Office LAN; WiFi Hotspot; SIP unaware Firewall with VPN termination; VPN; SIP Media, Voice/Video etc.]


Why not Use ICE?

  • Reliance on 3rd party servers to enable call setup

    • Some consider this to be a security issue

  • Gives control to the client

    • Difficult to configure and maintain in a large corporate environment

  • Current lack of endpoints that support ICE


What about Carrier Session Border Controllers?

[Diagram labels: Centralized, Telecom Network-centric; Distributed, Enterprise-centric; Service Provider; Site A; Site B; SIP-capable firewall or SIP-enabling CPE device; Session Border Controller]


What About a SIP ALG Firewall?

[Diagram labels: SIP capable Firewall; 168.x.xx; 10.x.xx; SIP Proxy/Registrar; SIP Signaling; Media]

  • Check the SIP signaling

    • Can be encrypted for privacy

  • Rewrite for the different address spaces

  • Forward the signaling to the correct SIP proxy or client

    • For inbound calls – need to know location of each SIP user (unless registrar is on the inside)

  • Open pinholes in the firewall for the media

    • Only for the duration of the call

    • Only between the exact endpoints

  • Close pinholes after the call

  • Cannot handle encryption
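
The ALG steps listed above, worked through as an added example (not from the presentation and not Ingate code): the SDP address in an outbound INVITE is rewritten and Content-Length corrected, a media pinhole is opened between the two exact endpoints once the answer arrives, and it is closed on BYE. The addresses, Call-ID and all function and class names are constructed; the sketch assumes ASCII messages, rewrites only the SDP `c=` line, and leaves the media port and the Via/Contact headers untouched.

```python
import re

PUBLIC_IP = "198.51.100.1"  # constructed: the firewall's outside address

def sdp_endpoint(msg):
    """Return (ip, port) from the SDP c= and m=audio lines, else None."""
    body = msg.partition("\r\n\r\n")[2]
    c = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    m = re.search(r"^m=audio (\d+) ", body, re.M)
    return (c.group(1), int(m.group(1))) if c and m else None

def rewrite_sdp(msg, new_ip):
    """Swap the SDP connection address and fix Content-Length to match."""
    head, sep, body = msg.partition("\r\n\r\n")
    body = re.sub(r"^(c=IN IP4 )\S+", r"\g<1>" + new_ip, body, flags=re.M)
    head = re.sub(r"(?im)^(Content-Length:\s*)\d+", r"\g<1>%d" % len(body), head)
    return head + sep + body

class SipAlg:
    def __init__(self):
        self.pending = {}   # Call-ID -> inside (ip, port) taken from the offer
        self.pinholes = {}  # Call-ID -> (inside endpoint, outside endpoint)

    def handle(self, msg, from_inside):
        cid = re.search(r"(?im)^Call-ID:\s*(\S+)", msg)
        if not cid:  # e.g. TLS-protected signaling: nothing readable to act on
            return msg
        cid, start, ep = cid.group(1), msg.split("\r\n", 1)[0], sdp_endpoint(msg)
        if start.startswith("INVITE ") and from_inside and ep:
            self.pending[cid] = ep  # remember the private media endpoint
            return rewrite_sdp(msg, PUBLIC_IP)
        if start.startswith("SIP/2.0 200") and cid in self.pending and ep:
            self.pinholes[cid] = (self.pending.pop(cid), ep)  # open for this call
        elif start.startswith("BYE "):
            self.pending.pop(cid, None)
            self.pinholes.pop(cid, None)  # close when the call ends
        return msg

def sip(start, cid, ip=None, port=None):
    """Build a constructed sample SIP message (not a capture)."""
    body = f"v=0\r\nc=IN IP4 {ip}\r\nm=audio {port} RTP/AVP 0\r\n" if ip else ""
    return f"{start}\r\nCall-ID: {cid}\r\nContent-Length: {len(body)}\r\n\r\n{body}"

def demo():
    alg = SipAlg()
    out = alg.handle(sip("INVITE sip:bob@example.net SIP/2.0", "c1", "10.0.0.5", 4000), True)
    alg.handle(sip("SIP/2.0 200 OK", "c1", "203.0.113.9", 6000), False)
    during = dict(alg.pinholes)
    alg.handle(sip("BYE sip:bob@example.net SIP/2.0", "c1"), True)
    return out, during, dict(alg.pinholes)
```

A payload with no readable Call-ID header, such as a TLS record, passes through `handle` unchanged and opens nothing, which is the "cannot handle encryption" limitation in the last bullet.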


What About Proxy Based Firewalls?

  • Robust solution to solve the problem where it occurs – at the enterprise edge

  • Enables signal inspection

  • Enables

    • Media and signaling encryption

    • Remote SIP Connectivity for mobile users

    • Routing in complex environments

    • Branch office failover

    • Prioritized voice and video

  • Allows the enterprise to control

    • Sources and destinations of communications

    • Content of the media

  • Offers protection against:

    • Spoofing

    • Denial of Service attacks


Choose the Right SIP Firewall Architecture

Comparison (SIP ALG Firewall / SIP Proxy Firewall):

  • Encryption: N / Y

  • Authentication: N / Y

  • SIP Filtering: L / Y

  • Call Control: L / Y

  • Extra SIP functions: L / Y

[Diagram labels: ALG; ALG; PROXY; REGISTRAR]


VoIP, Security and SIP

  • The good news

    • VoIP and SIP - no security problems in themselves.

    • On the contrary, SIP:

      • Is robust, flexible and scalable.

      • Supports authentication.

      • Signaling (TLS) and media streams (SRTP) can be encrypted.

  • Select products that leverage these benefits

    • Full SIP Proxy

      • SIP signaling inspection.

      • Ports only opened between the specific parties of the call and for the duration of the call.

    • SIP Registrar

    • Support for TLS and SRTP


Support for Workers on the Road or Working from Home

  • 40% of the work force is said to work away from the office occasionally

  • Most of the remote workers would like access to the tools that the PBX offers at their office

  • With SIP that is possible as long as the user can connect back to the company infrastructure

  • A proxy based firewall solution allows the user to do this from wherever they may be working today.


Support for Remote Workers

[Diagram labels: Internet; 802.11 Hotspot; Remote user module; Home NAT; Hotel NAT; Home user; Traveling user; SIP capable proxy-based firewall]


Branch Office Service Assurance

  • Automatic failover from central SIP server (hosted or centralized IP-PBX) to distributed offices

  • Automatic capture of user registrations to mirror configurations

  • Frequent ping of central server to determine availability

  • Basic call control features allow station to station dialing and dial plan to a local PSTN gateway


VoIP Survival in Hosted Environments

  1. VoIP services through Broadworks Servers hosted by the Service Provider or Enterprise main office

  2. VoIP to PSTN services through Broadworks Servers and a PSTN Gateway hosted by the Service Provider or Enterprise main office

  3. Settings, user data downloaded

[Diagram labels: Workstations; SIP/PSTN Gateway; Internet; Other SIP Users; Enterprise]


Host Down-VoIP Survival Activated

  1. Local calls within the domain are handled by the Ingate Firewall or SIParator

  2. Optional local backup PSTN Gateway is used for routing VoIP to PSTN calls.

[Diagram labels: Workstations; SIP/PSTN Gateway; Internet; Other SIP Users; Enterprise; SIP/PSTN Gateway]


SIP Proxy-based Solution for SIP Adoption

  • Solves the FW/NAT traversal problem at the enterprise edge

  • The enterprise gains control over the IP Communications applications

  • A scalable solution that enables global connectivity

  • Robust solutions that add value to the enterprise:

    • QoS enables the organization to prioritize Voice and Video

    • Remote SIP Connectivity connects road warriors and home workers

    • Advanced SIP Routing for flexibility in complex scenarios

  • Security for SIP based communications

    • Stateful signal inspection

    • MIME / Content types consistent with negotiated parameters

    • Ability to set admission policies on various criteria

    • Protection from denial of service attacks and spoofing

    • Media and signaling encryption for privacy - Termination and Transcoding


The Ingate Solution… Fully SIP-Capable Firewalls

[Diagram labels: SIP; Normal Firewalls; Ingate Firewall®; SIP; With SIP-Proxy and -Registrar]


You Don’t Need to Replace your Firewall!

[Diagram labels: SIP; Normal Firewalls; Ingate SIParator®; DMZ; SIP-enables any firewall; SIP]


The Ingate Family

Firewall® 1880 & SIParator® 88

Firewall® 1600 & SIParator® 60

800 Mbit/s, 800 RTP sessions

Firewall® 1450+ & SIParator® 45+

385 Mbit/s, 500 RTP sessions

Firewall® 1450 & SIParator® 45

310 Mbit/s, 240 RTP sessions

120 Mbit/s, 150 RTP sessions

Firewall® 1180 & SIParator® 18

30 Mbit/s, 30 RTP sessions



Bringing SIP to the Enterprise

Please contact me at any time:

Steve Johnson

President

Mail & SIP: [email protected]

Mobile: 1-603-557-7918

Direct: 1-603-883-6569

