Session Initiation Protocol (SIP) represents the third wave of Internet usage after SMTP (email) and HTTP (Web). Developed by the Internet Engineering Task Force (IETF), SIP has today become the signaling protocol of choice for establishing real-time communications, including Voice over IP (VoIP) calls. Research suggests that SIP is the VoIP protocol that has replaced H.323 and MGCP and that, for the foreseeable future, no replacement is expected (Business Communications Review, August 2005).
However, SIP-based communication does not automatically reach users on a local area network (LAN) behind firewalls and Network Address Translation (NAT) routers. Firewalls are designed to block unsolicited inbound communications, and NAT prevents users on a LAN from being addressed directly from the outside. Firewalls are almost always combined with NAT and typically still do not handle the SIP protocol properly.
The failure of SIP traffic to traverse the enterprise firewall or NAT is critical to any SIP implementation, including VoIP. Eventually, all firewalls will need to be SIP capable in order to support the wide-scale deployment of enterprise person-to-person communications. In the interim, several solutions have been proposed to work around the firewall/NAT traversal problem. Several of these solutions have serious security implications, while others allow you to remain in control. When choosing a NAT/firewall traversal solution, it is important to consider how much control of your corporate infrastructure you are prepared to surrender.
The choice of method for traversing firewalls/NATs depends to a large extent on the answers to two questions: "Who should be in control of your security infrastructure: the firewall administrator, the user or a service provider?" and "Do we want a solution that is predictable and functions reliably with SIP standard compliant equipment, or is a best-effort solution sufficient that works in certain scenarios and perhaps only with a specific operator?"
Universal Plug-and-Play (UPnP) - The SIP client or Windows is in control
Universal Plug-and-Play (UPnP) for NAT control allows Microsoft Windows or a UPnP-capable SIP client to take control of the firewall. Both the client and the firewall must support UPnP. This is a viable alternative only for those who can be sure there will never be anything malevolent on the LAN. UPnP is supported by only a few firewalls and SIP clients. Because of the inherent high security risk in allowing third-party software to take control of the firewall, this method is rarely used and in practice only by home users.
STUN, TURN, ICE - The SIP client is in control
These are all protocols proposed by the IETF for solving the firewall/NAT traversal issue with intelligence in the clients together with external servers. With these methods, pinholes are created in the NAT/firewall for SIP signaling and media to pass through. It is also the responsibility of the SIP client to make its SIP messages look the way they should when seen from outside the firewall, with the public addresses the NAT has assigned. These methods assume certain behavior from the NAT/firewall and cannot work in all scenarios. In addition, they remove control from the firewall, which must be sufficiently open to allow the users to create the necessary pinholes.
Session Border Controllers at Service Provider - The service provider is in control
Most service providers use some sort of session border controller (SBC) in their core network to perform a number of tasks related to their SIP services. One of these tasks is to make sure that the SIP services can be delivered to their customers. They may use STUN, TURN or ICE for this by acting as the server component for these protocols. However, not all clients support these protocols, so the SBC may also use far-end NAT traversal (FENT) technology. The FENT function aids remote SIP clients by rewriting the relevant address information in every SIP message, relaying the media, and keeping the client on the NATed network reachable. This solution only works with firewalls that are open from the inside, and may not work with all equipment and in all call scenarios. FENT is best suited for road warriors working at a hotel or at a conference, rather than at a fixed location where more reliable and secure solutions exist. FENT also removes control from the firewall, which must be sufficiently open to allow FENT from the service provider's SBC to work.
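The rewriting step that FENT performs on the SBC is easier to see on a concrete message. The following is an added illustration, not code from any vendor's SBC: a constructed REGISTER from a client behind NAT carries the client's private address in Via and Contact, and the SBC replaces it with the public address and port it actually observed, using the RFC 3581 `rport`/`received` Via parameters plus a Contact rewrite. The sample addresses and the function name are assumptions made for the example.

```python
import re

# Constructed sample: a REGISTER as the SBC receives it from a NATed client.
# The private address 192.168.1.20 is unreachable from the provider side.
SAMPLE_REGISTER = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:alice@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def fent_rewrite(message: str, src_ip: str, src_port: int) -> str:
    """Far-end NAT traversal on one SIP request (hypothetical helper).

    src_ip/src_port are the source address of the UDP packet as seen by the
    SBC, i.e. the NAT's public mapping for this client.
    """
    head, sep, body = message.partition("\r\n\r\n")
    out, via_done = [], False
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        lname, value = name.strip().lower(), value.strip()
        if lname in ("via", "v") and not via_done:
            # RFC 3581: drop any client-supplied rport/received, then record
            # where the request really came from so the response (and later
            # requests) go back through the same NAT binding.
            value = re.sub(r";(?:rport(?:=\d+)?|received=[^;]*)", "", value)
            line = f"Via: {value};rport={src_port};received={src_ip}"
            via_done = True
        elif lname in ("contact", "m"):
            # Replace the private host:port in the Contact URI with the public
            # mapping so inbound INVITEs from the provider can reach the client.
            line = "Contact: " + re.sub(
                r"@([0-9.]+)(:\d+)?", f"@{src_ip}:{src_port}", value
            )
        out.append(line)
    return "\r\n".join(out) + sep + body


if __name__ == "__main__":
    print(fent_rewrite(SAMPLE_REGISTER, "203.0.113.7", 40312))
```

The NAT binding that `received`/`rport` point at only stays alive while the client keeps sending, which is why a FENT SBC also has to keep the NATed client reachable with periodic traffic, and why the firewall must be open from the inside for this to work at all.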