Hi Friends, Explain the Firewall and NAT problem Summary?
michaeldavid23 16-July-2008 01:01:22 PM
Comments


Session Initiation Protocol (SIP) represents the third wave of Internet usage after SMTP (email) and HTTP (Web). Developed by the Internet Engineering Task Force (IETF), SIP has today become the signaling protocol of choice for establishing realtime communications, including Voice over IP (VoIP) calls. Research suggests that SIP is the VoIP protocol that has replaced H.323 and MGCP and that, for the foreseeable future, no replacement is expected (Business Communications Review, August 2005).

However, SIP-based communication does not reach users on the local area network (LAN) behind firewalls and Network Address Translation (NAT) routers automatically. Firewalls are designed to prevent inbound unknown communications and NAT stops users on a LAN from being addressed. Firewalls are almost always combined with NAT and typically still do not support the SIP protocol properly.

This issue of SIP traffic not traversing the enterprise firewall or NAT is critical to any SIP implementation, including VoIP.Eventually, all firewalls will need to be SIP capable in order to support the wide-scale deployment of enterprise person-to-person communications. In the interim, several solutions have been proposed to work around the firewall/NAT traversal problem.
Several of these solutions have serious security implications while there are also solutions that allow you to remain in control. It is important to consider to what level you are prepared to surrender the control of your corporate infrastructure when choosing a NAT/firewall traversal solution.
Posted by sagitraz


Implications: No users behind firewalls/NAT can interoperate with other
Internet users
- Problem Size: Unknown, probably huge
- Nobody knows how many users are behind FWs/NATs
- IP addresses shared by hosts, hosts shared by users
- Hugely deployed by enterprises, some ISPs deploy NATs as well

Brian Carpenter (January 2001): “My hand waving estimate is that 40% (160M) of users are behind a firewall and/or NAT, 50% (200M) on dial-up, and 10% (40M) have direct always-on access. But there is no way I can justify these numbers.”
- Solution Status: very few products have VoIP ALGs
- ALGs are no “Wunderwaffe” (all-disease-cure)
- Firewall ALGs fail to operate if data encrypted
- NAT ALGs fail to operate if data encrypted or authenticated
- Embedded ALGs suffer from dependency on vendor, lower performance, higher development costs
- Problems with multiple FW/NATs
Posted by yogendra


Posted: 17-July-2008 12:13:57 PM By: yogendra

Implications: No users behind firewalls/NAT can interoperate with other
Internet users
- Problem Size: Unknown, probably huge
- Nobody knows how many users are behind FWs/NATs
- IP addresses shared by hosts, hosts shared by users
- Hugely deployed by enterprises, some ISPs deploy NATs as well

Brian Carpenter (January 2001): “My hand waving estimate is that 40% (160M) of users are behind a firewall and/or NAT, 50% (200M) on dial-up, and 10% (40M) have direct always-on access. But there is no way I can justify these numbers.”
- Solution Status: very few products have VoIP ALGs
- ALGs are no “Wunderwaffe” (all-disease-cure)
- Firewall ALGs fail to operate if data encrypted
- NAT ALGs fail to operate if data encrypted or authenticated
- Embedded ALGs suffer from dependency on vendor, lower performance, higher development costs
- Problems with multiple FW/NATs

Posted: 17-July-2008 01:52:31 PM By: sagitraz

Session Initiation Protocol (SIP) represents the third wave of Internet usage after SMTP (email) and HTTP (Web). Developed by the Internet Engineering Task Force (IETF), SIP has today become the signaling protocol of choice for establishing realtime communications, including Voice over IP (VoIP) calls. Research suggests that SIP is the VoIP protocol that has replaced H.323 and MGCP and that, for the foreseeable future, no replacement is expected (Business Communications Review, August 2005).

However, SIP-based communication does not reach users on the local area network (LAN) behind firewalls and Network Address Translation (NAT) routers automatically. Firewalls are designed to prevent inbound unknown communications and NAT stops users on a LAN from being addressed. Firewalls are almost always combined with NAT and typically still do not support the SIP protocol properly.

This issue of SIP traffic not traversing the enterprise firewall or NAT is critical to any SIP implementation, including VoIP.Eventually, all firewalls will need to be SIP capable in order to support the wide-scale deployment of enterprise person-to-person communications. In the interim, several solutions have been proposed to work around the firewall/NAT traversal problem.
Several of these solutions have serious security implications while there are also solutions that allow you to remain in control. It is important to consider to what level you are prepared to surrender the control of your corporate infrastructure when choosing a NAT/firewall traversal solution.