Where Firewalls and NATS affect SIP? michaeldavid23 21-July-2008 12:16:45 PMComments www.cs.columbia.edu/sip/drafts/Ther0005_SIP.pdf Posted by saqlain231 4.7. Firewalls and NAT Firewalls and Network Address Translation (NAT) affect IP telephony signaling protocols, making it impossible to call targets outside the private or protected network. While often firewalls and NATs go hand in hand, they impose two different problems which shall be described here. Firewalls and IP telephony Both SIP and H.323 calls use a number of different ports, out of which only the signaling ports are well defined - TCP port 1720 for H.323 and TCP port 5060 (early versions of SIP used 5060 UDP as well). To be able to place and receive calls to/from outside the protected network opening these ports is a minimal requirement. After signaling has started, further channels are required. H.323 often uses a separate TCP connection for capability exchange (H.245), which uses dynamically assigned port numbers. Likewise the RTP media stream uses dynamically assigned port numbers on each side. The only restriction that applies to these ports is that they are in the port range > 1023. As a result, a firewall protected IP telephony zone needs either a firewall that does not protect ports > 1023 or a firewall that is IP telephony aware - meaning that it monitors all SIP and H.323 messages in order to open and close the required ports on the fly. A third alternative is to deploy an H.323 or SIP proxy outside the protected zone protected by the firewall, perhaps in a DMZ, and configure the firewall to allow communication of endpoints only with this proxy. This is a mid-level security approach, as it permits the relatively safe communication between protected endpoints and a trusted proxy server outside the firewall. Posted by sagitraz Posted by caroline |
Posted: 22-July-2008 12:36:49 PM By: caroline | |
Posted: 22-July-2008 01:51:26 PM By: sagitraz 4.7. Firewalls and NAT Firewalls and Network Address Translation (NAT) affect IP telephony signaling protocols, making it impossible to call targets outside the private or protected network. While often firewalls and NATs go hand in hand, they impose two different problems which shall be described here. Firewalls and IP telephony Both SIP and H.323 calls use a number of different ports, out of which only the signaling ports are well defined - TCP port 1720 for H.323 and TCP port 5060 (early versions of SIP used 5060 UDP as well). To be able to place and receive calls to/from outside the protected network opening these ports is a minimal requirement. After signaling has started, further channels are required. H.323 often uses a separate TCP connection for capability exchange (H.245), which uses dynamically assigned port numbers. Likewise the RTP media stream uses dynamically assigned port numbers on each side. The only restriction that applies to these ports is that they are in the port range > 1023. As a result, a firewall protected IP telephony zone needs either a firewall that does not protect ports > 1023 or a firewall that is IP telephony aware - meaning that it monitors all SIP and H.323 messages in order to open and close the required ports on the fly. A third alternative is to deploy an H.323 or SIP proxy outside the protected zone protected by the firewall, perhaps in a DMZ, and configure the firewall to allow communication of endpoints only with this proxy. This is a mid-level security approach, as it permits the relatively safe communication between protected endpoints and a trusted proxy server outside the firewall. | |
Posted: 26-June-2009 01:22:37 PM By: saqlain231 www.cs.columbia.edu/sip/drafts/Ther0005_SIP.pdf |