NAT Traversal for Multimedia over IP Services - White Paper
NAT traversal - Executive Summary
NAT traversal is a challenge that every Service Provider looking to deliver public IP-based voice and multimedia services must solve. The challenge is to provide secure connections to subscribers located behind NAT (Network Address Translation) devices and Firewalls. Overcoming this traversal problem is what allows voice and multimedia over IP services to be deployed profitably and at scale to any subscriber with a broadband connection.
This White Paper describes the various proposals for solving the Firewall and NAT traversal problems and shows how the Newport Networks 1460 session controller provides an optimum NAT traversal solution for Service Providers.
The Firewall and NAT Traversal Problems Defined
Firewalls and NAT devices are located at the edge of virtually all business networks. Often residential DSL packages bundle software-based NAT/Firewalls as well, so this problem affects both business users and residential users.
The problem actually has two components. Today's Firewalls can dynamically open and close the multiple ports required by VoIP signalling protocols such as SIP, but they remain ineffective at securely admitting unsolicited incoming media flows. NAT devices prevent two-way voice and multimedia communication because a NAT rewrites only the IP and transport headers: the private IP addresses and ports that client devices (IP phones, video conferencing stations etc.) write into the packet payload (SIP Via and Contact headers, SDP connection and media lines) pass through unchanged and are not routable in public networks. Thus incoming calls, which are essential in any service intended to replace the PSTN, do not work through existing NAT/Firewalls.
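As an added illustration (not code from the white paper or from Newport Networks): the following Python reads a constructed SIP INVITE exactly as a public SIP server would receive it from a phone behind a NAT, extracts every address the phone embedded in the payload (Via, Contact and the SDP c=/m= lines) and compares them with the source address actually observed on the UDP datagram. The sample message, the RFC 1918 address 192.168.1.20 and the observed public mapping 203.0.113.45:31000 are constructed values. The mismatch the check reports is the NAT problem in concrete form, and it is the same comparison a session controller has to make before deciding where responses and media can actually be sent.

```python
import ipaddress
import re

# Constructed sample (not from the white paper): the SIP INVITE a public SIP server
# receives from a phone behind a NAT. The NAT rewrote the IP/UDP headers, but the
# SIP/SDP payload still carries the phone's private address 192.168.1.20.
_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@example.net>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.20\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(_SDP)}\r\n"
    "\r\n" + _SDP
)
# Source address/port the server actually sees on the datagram (constructed;
# the public mapping the NAT assigned to the phone's 192.168.1.20:5060).
OBSERVED_SRC = ("203.0.113.45", 31000)

# The private ranges a NAT hides (RFC 1918). Checked explicitly rather than via
# ipaddress.is_private, which also flags documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_IPV4_PORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?")


def is_rfc1918(ip):
    """True if ip lies in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_sip(message):
    """Split a SIP message into (request line, {header-name: [values]}, body)."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def embedded_endpoints(headers, body):
    """Return [(field, ip, port)] for every address the endpoint wrote into the
    payload: Via (where responses go), Contact (where later requests go) and the
    SDP connection/media lines (where RTP must be sent). IPv4 and a session-level
    c= line only, which is enough for the point being made here."""
    found = []
    for via in headers.get("via", []):
        # "SIP/2.0/UDP host[:port];params" -> host[:port]
        sent_by = via.split()[1].split(";")[0]
        m = _IPV4_PORT.fullmatch(sent_by)
        if m:
            found.append(("Via", m.group(1), int(m.group(2) or 5060)))
    for contact in headers.get("contact", []):
        m = _IPV4_PORT.search(contact)
        if m:
            found.append(("Contact", m.group(1), int(m.group(2) or 5060)))
    conn_ip = None
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            conn_ip = line.split()[2]
        elif line.startswith("m=") and conn_ip:
            media, port = line.split()[0:2]
            found.append((f"SDP {media[2:]}", conn_ip, int(port)))
    return found


def nat_check(message, observed_ip, observed_port):
    """Compare every embedded address with the address the datagram really came
    from. A private or mismatching address means the sender is behind a NAT and
    anything sent to the embedded address will never reach it."""
    _, headers, body = parse_sip(message)
    findings = []
    for field, ip, port in embedded_endpoints(headers, body):
        # Signalling addresses should equal the observed source (ip and port);
        # for media only the IP is comparable, the RTP port is a separate mapping.
        mismatch = ip != observed_ip
        if field in ("Via", "Contact"):
            mismatch = mismatch or port != observed_port
        findings.append({
            "field": field,
            "embedded": f"{ip}:{port}",
            "observed": f"{observed_ip}:{observed_port}",
            "private": is_rfc1918(ip),
            "unreachable": is_rfc1918(ip) or mismatch,
        })
    return findings


def behind_nat(message, observed_ip, observed_port):
    """True if any embedded endpoint cannot be reached as written."""
    return any(f["unreachable"] for f in nat_check(message, observed_ip, observed_port))


if __name__ == "__main__":
    for finding in nat_check(SAMPLE_INVITE, *OBSERVED_SRC):
        print(finding)
```

Run as a script, it lists one finding per embedded endpoint: the Via and Contact addresses the phone expects responses and new requests on, and the SDP address it expects RTP on, all 192.168.1.20 while the datagram arrived from 203.0.113.45:31000. Replying to the embedded addresses is exactly what a plain SIP proxy would do, and exactly why the call never completes.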
The 'Firewall Problem'
While the NAT does not intentionally block VoIP, the role of the Firewall is to protect the network from being accessed by unauthorised sources. It does this by blocking traffic based on three pieces of information: the source address, the destination address and the traffic type (protocol and port). Firewalls also make decisions based on the direction of traffic flow: typically, incoming traffic (from the un-trusted, public domain) is only allowed if it belongs to a session that was initiated from a device on the trusted, private domain.

Figure 1 The Firewall Problem
SIP-based communication, like traditional telephony, depends on receiving incoming calls from a wide range of unknown (and therefore un-trusted) sources, as it must to support a true public service. This is at odds with the Firewall filtering policies described above, and most network managers are reluctant to relax those policies to allow unrestricted two-way communication because of the serious security risks that would create.
Any approach to solving this problem must not compromise normal NAT and Firewall functions. It must allow secure two-way communication without major changes to Firewall filtering rules or any reduction in the level of security the Firewall currently provides, and it must coexist with NAT traversal techniques.
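Added example, not part of the white paper: a small Python model of the stateful policy described above, with the trusted network, the UDP state timeout and the phone, proxy and media addresses as constructed assumptions. The proxy's response, and an INVITE that arrives while the phone's outbound mapping is still live, pass the filter; RTP from a media endpoint that nobody inside ever contacted is unsolicited and dropped, and the same INVITE is dropped once the UDP entry has timed out. Those two drops are the 'Firewall Problem' for incoming calls.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One packet's 5-tuple."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class StatefulFirewall:
    """Constructed model (not a real product) of the policy in the text: sessions
    opened from the trusted network are allowed and recorded; inbound packets are
    accepted only if they belong to a session the inside initiated and, for UDP,
    only while that entry has not timed out."""

    def __init__(self, trusted_net, udp_timeout=30):
        self.trusted = ipaddress.ip_network(trusted_net)
        self.udp_timeout = udp_timeout
        self.state = {}  # Flow as sent by the inside host -> last time seen

    def filter(self, flow, now):
        if ipaddress.ip_address(flow.src_ip) in self.trusted:
            self.state[flow] = now  # outbound: allow and remember the session
            return "ALLOW"
        opened = flow.reverse()  # inbound: does it answer something we opened?
        seen = self.state.get(opened)
        if seen is not None and now - seen <= self.udp_timeout:
            self.state[opened] = now  # return traffic refreshes the entry
            return "ALLOW"
        return "DROP"


def call_scenario():
    """Walk one constructed SIP registration and incoming call through the filter.
    Returns [(description, verdict)] in time order."""
    fw = StatefulFirewall("192.168.1.0/24", udp_timeout=30)
    phone, proxy, media = "192.168.1.20", "198.51.100.10", "198.51.100.77"
    log = []
    # t=0  phone REGISTERs with the proxy: outbound, creates state
    log.append(("REGISTER out", fw.filter(Flow("UDP", phone, 5060, proxy, 5060), 0)))
    # t=1  200 OK from the proxy: matches the recorded session
    log.append(("200 OK in", fw.filter(Flow("UDP", proxy, 5060, phone, 5060), 1)))
    # t=10 incoming INVITE from the proxy on the same 5-tuple: entry still live
    log.append(("INVITE in (t=10)", fw.filter(Flow("UDP", proxy, 5060, phone, 5060), 10)))
    # t=12 RTP from the far-end media address to the port the phone advertised
    #      in SDP: nobody inside opened this flow, so it is unsolicited
    log.append(("RTP in", fw.filter(Flow("UDP", media, 20000, phone, 49170), 12)))
    # t=60 another INVITE after the UDP entry has expired (last refresh at t=10)
    log.append(("INVITE in (t=60)", fw.filter(Flow("UDP", proxy, 5060, phone, 5060), 60)))
    return log


if __name__ == "__main__":
    for what, verdict in call_scenario():
        print(f"{what:18} {verdict}")
```

The model deliberately ignores TCP state tracking and per-rule policy; it isolates the one behaviour that matters here, namely that a Firewall which only admits return traffic for inside-initiated sessions has no basis for admitting the media stream of an incoming call, and admits the call signalling itself only for as long as the phone keeps its outbound mapping alive.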