
Traversing The Firewall for SIP Call Completion. Steven J. Johnson, President, Ingate Systems Inc. The Third Big Wave of Internet Usage. SMTP created E-mail. HTTP created the Web. SIP will create realtime global connectivity from person to person! Trends in SIP Adoption.

Traversing The Firewall for SIP Call Completion

Steven J. Johnson


Ingate Systems Inc.

The Third Big Wave of Internet Usage

SMTP created E-mail

HTTP created the Web

SIP will create realtime global connectivity from person to person!

Trends in SIP Adoption

  • 2005 was a watershed year and VoIP is now mainstream

  • Lots of use cases are coming on line:

    • Branch office connections

    • Call center applications

    • Click to Talk for customer service centers

    • International calling

    • New service offerings for residential and commercial customers

    • Extension of Microsoft Office Live Communications Server beyond the Local Area Network

It’s All There – Almost…

  • A single network (IP)

  • Everyone has a connection

  • High capacity and good performance

  • A single protocol - SIP

  • Firewalls are meant to exclude inbound communications

  • SIP won’t traverse common firewalls and NATs

Why not Use VPN?

IP to IP to any external user!

  • VPN - not a flexible solution

    • No Global Connectivity

    • Works where you have control, home etc.

    • Does not always work from Hotels etc. (~50%)

    • WiFi phones and dual Mobile/WiFi handsets normally have no VPN clients.

    • Start a VPN client just to receive a call?!

    • QoS can be taken out of play in some VPNs

      • If headers are encrypted end-to-end.

      • Encryption may occur before the traffic reaches the unit that handles queuing.

    • Trend: Client-Server encryption replaces VPN

      • E-mail, Citrix etc.

    • VPN potentially opens up the network to others

    • No "media release"; VPN does not scale.

[Diagram labels: Soft phone; SIP unaware Firewalls; Office LAN; SIP unaware Firewall with VPN termination; SIP Media, Voice/Video etc.]

Why not Use ICE?

  • Reliance on 3rd party servers to enable call setup

    • Some consider this to be a security issue

  • Gives control to the client

    • Difficult to configure and maintain in a large corporate environment

  • Current lack of endpoints that support ICE

What about Carrier Session Border Controllers?

[Diagram labels: Telecom Network-centric; Service Provider; Site A; Site B; SIP-capable firewall or SIP-enabling CPE device; Session Border Controller]

What About a SIP ALG Firewall

  • Check the SIP signaling

    • Can be encrypted for privacy

  • Rewrite for the different address spaces

  • Forward the signaling to the correct SIP proxy or client

    • For inbound calls – need to know location of each SIP user (unless registrar is on the inside)

  • Open pinholes in the firewall for the media

    • Only for the duration of the call

    • Only between the exact endpoints

  • Close pinholes after the call

  • Cannot handle encryption

[Diagram labels: SIP capable Firewall; SIP Proxy/Registrar; SIP Signaling]
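The ALG steps listed on this slide, as an added Python example (not part of the original presentation and not Ingate code): it rewrites the SDP address for the outside address space, opens a media pinhole only once both endpoints are known, and closes it on BYE. The messages, addresses and the names `SipAlg`, `sip`, `sdp` and `media_endpoint` are constructed for this illustration; port translation and retransmissions are left out.

```python
import re

# Constructed sample builders: only the headers this example reads.
def sip(start, call_id, cseq, body=""):
    return (f"{start}\r\nCall-ID: {call_id}\r\nCSeq: {cseq}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")

def sdp(ip, port):
    return f"v=0\r\nc=IN IP4 {ip}\r\nm=audio {port} RTP/AVP 0\r\n"

def media_endpoint(msg):
    """Return (ip, port) announced in the SDP body, or None if there is no SDP."""
    c = re.search(r"^c=IN IP4 (\S+)", msg, re.M)
    m = re.search(r"^m=audio (\d+) ", msg, re.M)
    return (c.group(1), int(m.group(1))) if c and m else None

class SipAlg:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.offers = {}     # Call-ID -> media endpoint offered in the INVITE
        self.pinholes = {}   # Call-ID -> (offerer endpoint, answerer endpoint)

    def rewrite(self, msg):
        """Swap the inside c= address for the public one and fix Content-Length."""
        head, _, body = msg.partition("\r\n\r\n")
        body = re.sub(r"^(c=IN IP4 )\S+", rf"\g<1>{self.public_ip}", body, flags=re.M)
        head = re.sub(r"^Content-Length: \d+", f"Content-Length: {len(body)}",
                      head, flags=re.M)
        return head + "\r\n\r\n" + body

    def handle(self, msg):
        """Track one signaling message; return a copy of the open pinholes."""
        start = msg.split("\r\n", 1)[0]
        call_id = re.search(r"^Call-ID: (\S+)", msg, re.M).group(1)
        method = re.search(r"^CSeq: \d+ (\S+)", msg, re.M).group(1)
        if start.startswith("INVITE "):
            self.offers[call_id] = media_endpoint(msg)
        elif start.startswith("SIP/2.0 200") and method == "INVITE":
            answer = media_endpoint(msg)
            if self.offers.get(call_id) and answer:   # only between exact endpoints
                self.pinholes[call_id] = (self.offers.pop(call_id), answer)
        elif start.startswith("BYE "):
            self.pinholes.pop(call_id, None)          # close after the call
            self.offers.pop(call_id, None)
        return dict(self.pinholes)
```

Every step depends on reading the `c=` and `m=` lines in clear text, which is why the slide's last bullet holds: once the signaling is carried over TLS, an ALG in the path has nothing to parse or rewrite.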

What About Proxy Based Firewalls?

  • Robust solution to solve the problem where it occurs – at the enterprise edge

  • Enables signal inspection

  • Enables

    • Media and signaling encryption

    • Remote SIP Connectivity for mobile users

    • Routing in complex environments

    • Branch office failover

    • Prioritized voice and video

  • Allows the enterprise to control

    • Sources and destinations of communications

    • Content of the media

  • Offers protection against:

    • Spoofing

    • Denial of Service attacks

Choose the Right SIP Firewall Architecture

[Diagram labels: SIP ALG Firewall; SIP Proxy Firewall; SIP Filtering; Call Control; Extra SIP functions]

VoIP, Security and SIP

  • The good news

    • VoIP and SIP - no security problems in themselves.

    • On the contrary, SIP:

      • Is robust, flexible and scalable.

      • Supports authentication.

      • Signaling (TLS) and media streams (SRTP) can be encrypted.

  • Select products that leverage these benefits

    • Full SIP Proxy

      • SIP signaling inspection.

      • Ports only opened between the specific parties of the call and for the duration of the call.

    • SIP Registrar

    • Support for TLS and SRTP

Support for Workers on the Road or Working from Home

  • 40% of the work force is said to work away from the office occasionally

  • Most of the remote workers would like access to the tools that the PBX offers at their office

  • With SIP that is possible as long as the user can connect back to the company infrastructure

  • A proxy based firewall solution allows the user to do this from wherever they may be working today.

Support for Remote Workers

[Diagram labels: Remote user module; Home NAT; Hotel NAT; Home user; Traveling user; SIP capable proxy-based firewall]

Branch Office Service Assurance

  • Automatic failover from central SIP server (hosted or centralized IP-PBX) to distributed offices

  • Automatic capture of user registrations to mirror configurations

  • Frequent ping of central server to determine availability

  • Basic call control features allow station to station dialing and dial plan to a local PSTN gateway

VoIP Survival in Hosted Environments

VoIP services through Broadworks Servers hosted by the Service Provider or Enterprise main office

VoIP to PSTN services through Broadworks Servers and a PSTN Gateway hosted by the Service Provider or Enterprise main office

[Diagram labels: Settings, user data; SIP/PSTN Gateway; Other SIP Users]

Host Down - VoIP Survival Activated

Local calls within the domain are handled by the Ingate Firewall or SIParator

Optional local backup PSTN Gateway is used for routing VoIP to PSTN calls.

[Diagram labels: SIP/PSTN Gateway; Other SIP Users; SIP/PSTN Gateway]

SIP Proxy-based Solution for SIP Adoption

  • Solves the FW/NAT traversal problem at the enterprise edge

  • The enterprise gains control over the IP Communications applications

  • A scalable solution that enables global connectivity

  • Robust solutions that add value to the enterprise:

    • QoS enables the organization to prioritize Voice and Video

    • Remote SIP Connectivity connects road warriors and home workers

    • Advanced SIP Routing for flexibility in complex scenarios

  • Security for SIP based communications

    • Stateful signal inspection

    • MIME / Content types consistent with negotiated parameters

    • Ability to set admission policies on various criteria

    • Protection from denial of service attacks and spoofing

    • Media and signaling encryption for privacy - Termination and Transcoding

The Ingate Solution… Fully SIP-Capable Firewalls

[Diagram labels: Normal Firewalls; Ingate Firewall® With SIP-Proxy and -Registrar]

You Don’t Need to Replace your Firewall!

Ingate SIParator®

SIP-enables any firewall

The Ingate Family

Firewall® 1880

SIParator® 88

Firewall® 1600

SIParator® 60

800 Mbit/s

800 RTP sessions

Firewall® 1450+

385 Mbit/s

500 RTP sessions

Firewall® 1450

310 Mbit/s

240 RTP sessions

120 Mbit/s

150 RTP sessions

Firewall® 1180

SIParator® 18

30 Mbit/s

30 RTP sessions


Bringing SIP to the Enterprise

Please contact me at any time:

Steve Johnson


Mail & SIP: [email protected]

Mobile: 1-603-557-7918

Direct: 1-603-883-6569