unleashing the power of ip communications calling across the boundaries mike burkett, vp products...

Unleashing the Power of IP Communications™

Calling Across The Boundaries

Mike Burkett, VP [email protected]

April 25, 2002

3April 25, 2002 Unleashing the Power of IP Communications

Why should you care about NATs and Firewalls?

Network Address Translation (NAT) and Firewalls will block your IP voice and video calls.


What is NAT?

• Network Address Translation

• Allows multiple users/devices to share a single public internet address

• Implemented within the router

• Think of it like a PBX with a public trunk number and private extensions for IP networks

SharedPublic

Address64.121.30.1

PrivateAddress10.1.1.1




What is a Firewall?

• Separates and “Protects” the Private Network from the outside world.

• Examines every packet that goes in to or out from the enterprise.

• Typically blocks all unsolicited inbound packets

• Think of a mail room clerk filtering your inbound and outbound mail

OutsideWorld

PrivateNetwork

Unsolicited

RequestResponse

Disallowed


Why H.323 & SIP Don’t Work…

• With firewalls– Require inbound connections for inbound calls– Each call requires multiple TCP and UDP

connections to random ports

• With NATs– Private addresses hidden from the outside

network – means no inbound calling– Outbound calling endpoints request media sent to

their private address – means one way video/audio


The Imaginary IP World

• No Firewalls• No NAT• No Security

• All public IP Addresses

• All Calls Successful

• Not the real world!Bob

64.123.31.15Susan

34.58.15.21Tom

216.115.109.7

Branch Office208.45.133.21

Teleworker24.30.203.101

Corporate207.46.230.5


Today’s Real IP Video World

WANWAN

WANWAN

Bob10.2.1.5

Susan192.168.0.107

Tom192.168.0.108

Teleworker10.100.5.4

Corporate10.1.1.25

Branch Office172.16.31.13

Firewall/NAT at the edge of the corporate network

NAT or Firewall hidden in the network


Firewalls & NAT: Where?

• Deployed Everywhere:– Corporate Networks– Home Networks– Individual PCs– And Hidden In the Net

• Anywhere someone wants to– Share a connection– Protect a network

WANWAN


What choices do you have?

1. Bypass– Public Endpoints– Private Network– Gateway– MCU

2. Replace– Upgrade Hardware Infrastructure

3. Traverse– Use Ridgeway Software


Bypass: Public Endpoints

• How– Give the endpoints public IP

addresses– Move them outside the

firewall

• Benefits– May be lowest capital cost?

• Issues– Requires Dedicated Public

IP Addresses– Removes Protection of

Firewall– Not easily scalable– Cannot overcome network

based NAT/FW

WANWAN


Bypass: Private Network

• How– Establish Virtual Private

Network (VPN), usually via Firewall configuration

• Benefits– Works for Intra-Company

communications– May already be in place

• Issues– Not for inter-enterprise

communications– Requires configuration at

every location– May have performance

impacts – increased delay– Some VPNs won’t handle

NAT

WANWAN

VPN


Bypass: PSTN/ISDN Gateway

• How– Gateway to PSTN or

ISDN at edge of network

• Benefits– May already be in place

for calling “off-net”

• Issues– Loses benefits of the

pure IP solution– Doesn’t solve problem

for the mobile IP endpoint

IP WANIP WAN

PSTN/ISDN

PSTN/ISDN


Bypass: MCU

• How– Deploy MCU with two

network interfaces, one inside & one outside of firewall/NAT

• Benefits– Natural extension for

existing MCU deployments• Issues

– Can be expensive solution; not appropriate for SOHO or consumer deployment

– Localized solution, needs to be deployed at every NAT/FW

– Cannot overcome network based NAT/FW

WANWAN


Replace: Upgrade Infrastructure

• How– Upgrade firewalls and

routers with Application Level Gateway (ALG)

• Benefits– Brand name solutions?

• Issues– This means changes to

mission critical network components for the enterprise network

– Fix every NAT & Firewall for every protocol

– Unreachable: Physically, Politically, or Intellectually?

– Cannot overcome network based NAT/FW

WANWAN


Host Network

Guest Network

Guest Network

DMZ Proxy/Registrar/GK

WANWAN

Traverse: Ridgeway

• How– Place single server at

“reachable address”– Download software client for

any “guest network”• Benefits

– No upgrade for existing mission critical components

– Handles any number of NATs & Firewalls, even network based

– Handles SIP or H.323– Compatible with your

existing infrastructure– Voice and Video– Mobile solution– Download-and-Call means no

waiting to call into a new location

Ridgeway Client

IP Freedom Server


The Ridgeway Method

1. Ridgeway (RW) Clients connect to the RW Server– Outbound

– Fixed ports: 2776/2777

2. RW Server/Clients “proxy” the GK so it appears at the RW Client

3. Endpoints set RW Client as their GK and register and then appear as a ports on the RW Server

4. Behind the scenes:• All TCP traffic goes over the pre-

established TCP connection

• As UDP streams are needed the RW client pushes a stream out to the server that the server can use for return traffic (outbound, fixed ports)

5. From endpoint perspective, calls proceed as usual

Host Network

Guest Network

DMZ

Proxy/Registrar/GK

WANWAN

Ridgeway Client

IP Freedom Server

Ridgeway Client


More On Ridgeway Traversal

• Commercially deployed today in both enterprise and service provider environments

• One server for multiple endpoints & networks• No upgrade to existing NAT/FW or endpoints• No open inbound firewall ports• No charge for client• Upgrade server capacity instantly• Add-on for VPN & PSTN gateway solutions


Summary

• Firewalls & NATs are everywhere• Firewalls & NATs block IP Voice & Video• Solution Choices:

– Bypass, Replace, Traverse• Traversal:

– Don’t mess with your critical components– Treat the network like a black box– Download and call today!

• Free trial– www.ridgewaysystems.com – http://www.vide.net/vpz/firewalls.html

unleashing the power of ip communications calling across the boundaries mike burkett, vp products...

Documents

network slide

network wan slide

ip networks

ip voice

outside network

enterprise network

network interfaces

corporate network nat