Calling Across The Boundaries Mike Burkett, VP Products [email_address] April 25, 2002
/conferences/spr2002/presentations/burkett_sura.ppt

  • Implemented for security, cost savings, and simplified network management. For security, it hides the addresses of the internal devices – much like a PBX hides the numbers of individuals on the company phone system. They are implemented at the edge of the corporate network, in the service provider’s network, or in a SOHO router wherever multiple devices share a single public internet address. They are everywhere, and are frequently even cascaded.
  • One wire; no barriers; known, unique, reachable addresses.
  • There are also ways for a service provider to create a private network by bringing in a separate network connection – sometimes referred to as an overlay network.

    1. Calling Across The Boundaries
       Mike Burkett, VP Products [email_address], April 25, 2002
    2. Have you been on this video call?
    3. Why should you care about NATs and Firewalls?
       • Network Address Translation (NAT) and Firewalls will block your IP voice and video calls.
    4. What is NAT?
       • Network Address Translation
       • Allows multiple users/devices to share a single public internet address
       • Implemented within the router
       • Think of it like a PBX with a public trunk number and private extensions for IP networks
       [Diagram: Shared Public Address 64.121.30.1; Private Addresses 10.1.1.1, 10.1.1.2, 10.1.1.3]
    5. What is a Firewall?
       • Separates and “Protects” the Private Network from the outside world.
       • Examines every packet that goes into or out of the enterprise.
       • Typically blocks all unsolicited inbound packets
       • Think of a mail room clerk filtering your inbound and outbound mail
       [Diagram labels: Outside World, Private Network, Unsolicited, Disallowed, Request, Response]
    6. Why H.323 & SIP Don’t Work…
       • With firewalls
           • Require inbound connections for inbound calls
           • Each call requires multiple TCP and UDP connections to random ports
       • With NATs
           • Private addresses hidden from the outside network – means no inbound calling
           • Outbound calling endpoints request media sent to their private address – means one way video/audio
    7. The Imaginary IP World
       • No Firewalls
       • No NAT
       • No Security
       • All public IP Addresses
       • All Calls Successful
       • Not the real world!
       [Diagram: Bob 64.123.31.15; Susan 34.58.15.21; Tom 216.115.109.7; Branch Office 208.45.133.21; Teleworker 24.30.203.101; Corporate 207.46.230.5]
    8. Today’s Real IP Video World
       [Diagram: Bob 10.2.1.5; Susan 192.168.0.107; Tom 192.168.0.108; Teleworker 10.100.5.4; Corporate 10.1.1.25; Branch Office 172.16.31.13, connected across the WAN]
       • Firewall/NAT at the edge of the corporate network
       • NAT or Firewall hidden in the network
    9. Firewalls & NAT: Where?
       • Deployed Everywhere:
           • Corporate Networks
           • Home Networks
           • Individual PCs
           • And Hidden In the Net
       • Anywhere someone wants to
           • Share a connection
           • Protect a network
       [Diagram: WAN]
    10. What choices do you have?
       • Bypass
           • Public Endpoints
           • Private Network
           • Gateway
           • MCU
       • Replace
           • Upgrade Hardware Infrastructure
       • Traverse
           • Use Ridgeway Software
    11. Bypass: Public Endpoints
       • How
           • Give the endpoints public IP addresses
           • Move them outside the firewall
       • Benefits
           • May be lowest capital cost?
       • Issues
           • Requires Dedicated Public IP Addresses
           • Removes Protection of Firewall
           • Not easily scalable
           • Cannot overcome network based NAT/FW
       [Diagram: WAN]
    12. Bypass: Private Network
       • How
           • Establish Virtual Private Network (VPN), usually via Firewall configuration
       • Benefits
           • Works for Intra-Company communications
           • May already be in place
       • Issues
           • Not for inter-enterprise communications
           • Requires configuration at every location
           • May have performance impacts – increased delay
           • Some VPNs won’t handle NAT
       [Diagram: WAN, VPN]
    13. Bypass: PSTN/ISDN Gateway
       • How
           • Gateway to PSTN or ISDN at edge of network
       • Benefits
           • May already be in place for calling “off-net”
       • Issues
           • Loses benefits of the pure IP solution
           • Doesn’t solve problem for the mobile IP endpoint
       [Diagram: IP WAN, PSTN/ISDN]
    14. Bypass: MCU
       • How
           • Deploy MCU with two network interfaces, one inside & one outside of firewall/NAT
       • Benefits
           • Natural extension for existing MCU deployments
       • Issues
           • Can be expensive solution; not appropriate for SOHO or consumer deployment
           • Localized solution, needs to be deployed at every NAT/FW
           • Cannot overcome network based NAT/FW
       [Diagram: WAN]
    15. Replace: Upgrade Infrastructure
       • How
           • Upgrade firewalls and routers with Application Level Gateway (ALG)
       • Benefits
           • Brand name solutions?
       • Issues
           • This means changes to mission critical network components for the enterprise network
           • Fix every NAT & Firewall for every protocol
           • Unreachable: Physically, Politically, or Intellectually?
           • Cannot overcome network based NAT/FW
       [Diagram: WAN]
    16. Traverse: Ridgeway
       • How
           • Place single server at “reachable address”
           • Download software client for any “guest network”
       • Benefits
           • No upgrade for existing mission critical components
           • Handles any number of NATs & Firewalls, even network based
           • Handles SIP or H.323
           • Compatible with your existing infrastructure
           • Voice and Video
           • Mobile solution
           • Download-and-Call means no waiting to call into a new location
       [Diagram labels: Host Network, Guest Network, Guest Network, DMZ, Proxy/Registrar/GK, WAN, Ridgeway Client, IP Freedom Server]
    17. The Ridgeway Method
       • Ridgeway (RW) Clients connect to the RW Server
           • Outbound
           • Fixed ports: 2776/2777
       • RW Server/Clients “proxy” the GK so it appears at the RW Client
       • Endpoints set the RW Client as their GK, register, and then appear as ports on the RW Server
       • Behind the scenes:
           • All TCP traffic goes over the pre-established TCP connection
           • As UDP streams are needed, the RW Client pushes a stream out to the server that the server can use for return traffic (outbound, fixed ports)
       • From the endpoint perspective, calls proceed as usual
       [Diagram labels: Host Network, Guest Network, DMZ, Proxy/Registrar/GK, WAN, Ridgeway Client, IP Freedom Server, Ridgeway Client]
    18. More On Ridgeway Traversal
       • Commercially deployed today in both enterprise and service provider environments
       • One server for multiple endpoints & networks
       • No upgrade to existing NAT/FW or endpoints
       • No open inbound firewall ports
       • No charge for client
       • Upgrade server capacity instantly
       • Add-on for VPN & PSTN gateway solutions
    19. Summary
       • Firewalls & NATs are everywhere
       • Firewalls & NATs block IP Voice & Video
       • Solution Choices:
           • Bypass, Replace, Traverse
       • Traversal:
           • Don’t mess with your critical components
           • Treat the network like a black box
           • Download and call today!
       • Free trial
           • www.ridgewaysystems.com
           • http://www.vide.net/vpz/firewalls.html
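
The behaviour described on slides 5, 6 and 17, as an added example that is not part of the original deck or Ridgeway's code: a toy stateful NAT/firewall shows why media sent toward an endpoint's advertised private address is lost, and why a flow opened outbound to a fixed server port gets its return traffic through. The class, the server and caller addresses, the client port, the mapping policy and the use of port 2776 for UDP are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class NatFirewall:
    """Toy stateful NAT/firewall; address-and-port-dependent mapping is assumed."""
    public_ip: str
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)  # (public_ep, remote_ep) -> private_ep

    def outbound(self, src, dst):
        """Private src sends to dst; returns the translated source the outside sees."""
        for (pub, remote), priv in self.mappings.items():
            if priv == src and remote == dst:
                return pub
        pub = (self.public_ip, self.next_port)
        self.next_port += 1
        self.mappings[(pub, dst)] = src
        return pub

    def inbound(self, src, dst):
        """Outside src sends to public dst; returns the private endpoint, or None if dropped."""
        return self.mappings.get((dst, src))

ENDPOINT = ("10.1.1.2", 5004)     # private address from slide 4; media port constructed
RW_CLIENT = ("10.1.1.3", 49152)   # client inside the same NAT; port constructed
SERVER = ("203.0.113.10", 2776)   # constructed address; one of the fixed ports on slide 17
CALLER = ("198.51.100.7", 5004)   # constructed outside caller

def direct_call(nat):
    """Caller uses the media address the endpoint advertised in signalling (slide 6)."""
    advertised = ENDPOINT
    if ipaddress.ip_address(advertised[0]).is_private:
        # Unroutable from outside; the only alternative is the NAT's public IP,
        # where the packet arrives unsolicited and matches no mapping.
        return nat.inbound(CALLER, (nat.public_ip, advertised[1]))
    return nat.inbound(CALLER, advertised)

def traversed_call(nat):
    """Client opens the flow outbound; the server answers on the mapping it observed."""
    seen_by_server = nat.outbound(RW_CLIENT, SERVER)
    delivered = nat.inbound(SERVER, seen_by_server)
    third_party = nat.inbound(CALLER, seen_by_server)  # unrelated sender, same public port
    return seen_by_server, delivered, third_party

if __name__ == "__main__":
    print("direct:", direct_call(NatFirewall("64.121.30.1")))
    print("traversed:", traversed_call(NatFirewall("64.121.30.1")))
```

The third value returned by `traversed_call` shows that the mapping admits only the server the client contacted, which is the sense in which the approach needs no open inbound firewall ports.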
