Firewall Control Proxy

Size: px

Start display at page:

Download "Firewall Control Proxy"

Dylan Jones
5 years ago
Views:

1 SS8 s, Inc. The (FCP) is an optional component of the switch. Background In order to gain widespread acceptance, Voice over IP technology requires a method to restrict access to specific devices and applications, and to limit packet flow for real-time streaming applications such as SIP and H.323. Entities that provide this sort of functionality have been termed middleboxes by the Internet Engineering Task Force, the standards body responsible for the Internet. Middleboxes can perform a variety of roles, but for VoIP, the middleboxes of concern are firewalls and Address Translators (NATs). The purpose of a firewall is to prevent intruders from accessing a private network. It does this by guarding all untrusted ingress points and preventing external entities from directly accessing network elements. A properly provisioned firewall limits the type and quantity of traffic allowed into the private network. It also includes rules that allow traffic to be filtered by source or destination IP address and port number. The benefit of a firewall is that the private network is protected from all manner of external threats either intentional (such as denial of service attacks) or unintentional (such as outages or compromises). Address Translators are often deployed with firewalls, providing an additional level of protection. The purpose of NAT is to allow devices using private addresses (such as x.x) to connect to the public network. A NAT device operates by rewriting addresses in data packets as they pass in and out of the private network. When the NAT device is properly configured, many internal devices can effectively timeshare a much smaller set of public, or registered, addresses. To the outside world, there appear to be only a few hosts, while in reality there may be thousands. This has two benefits: it saves precious public addresses, and (most important from the aspect of security) it keeps the private addresses hidden from the outside world. SS8 Solution The SS8 solution consists of the signaling elements, the (FCP) and one or more middleboxes that include firewall and NAT functionality. The signaling elements on the switch the H.323 gatekeeper and the SIP proxy are responsible for locating the called party and for arbitrating the call setup and teardown messages passed between the call endpoints. The FCP is co-located with the signaling elements on the switch. As its name implies, the FCP s job is to control the firewall(s). When a signaling element receives a call, it works with the FCP in order to provision the firewall and NAT. 204 ServiceController 1100/1200/1300/1400 User Guide

2 SS8 s, Inc. The firewall and the NAT are located on a platform produced by Aravox Technologies. This platform has been specially developed to meet the demands of the VoIP network. It offers the advantage of dynamic provisioning. The firewall is responsible for opening and closing pinholes to carry traffic. The pinhole only permits call data information to traverse the firewall, nothing more. When a call is initiated, the FCP contacts the firewall and provisions pinholes for both the inbound and outbound media streams. Then, when the call is terminated and needs to be torn down, the FCP instructs the firewall to close the pinhole. Because this process is carried out in real time, on a per-call basis, the firewall allows only the media for existing, authorized calls to pass through it and no other traffic. NAT operates similarly. IP addresses and port numbers are assigned dynamically. When a phone in the public network originates a call, it issues a call setup message to the target phone. The signaling elements on the switch intercept this message and interact with the co-located FCP. The FCP obtains rewritten addresses from the NAT, first for the originating phone and then for the destination. These are used in the call setup and media exchange processes. In the case of SIP, NAT control is available for all SIP and SDP signaling messages that can affect media. In the case of H.323, NAT control is available for H and H.245 signaling messages. These modes of operation are available with this release of the FCP: Pinholing but not NAT NAT1 (inbound NAT) but not pinholing PNAT1 (inbound NAT) and pinholing PNAT2 (inbound/outbound NAT) and pinholing The FCP includes these features: support for multiple firewalls supports control of both audio and video firewall bandwidth management provisionable inactivity timer for automatic pinhole closure FCP and Firewall/NAT Configuration As a minimum, your network should consist of one Aravox firewall/nat platform, two s and one SS8 Signaling Switch. The Aravox platform is equipped with up to three packet processing cards (PPCs) and a single management card mounted in a chassis. The PPCs provide firewalling and NAT services, while the management card provides a means for the FCP to manage the PPCs. Provisioning the System 205

3 SS8 s, Inc. Each PPC has two Ethernet interfaces, one labelled Open Port, the other Secure Port. Connect the Open interface to a leading to the public network (the Internet) and the Secure interface to a leading to the private network (your IP telephony domain). Figure 76 Aravox Configuration Managment Card Management Open Packet Processing Card Secure Open Port Secure Port Installed in this fashion, between two s, the PPC acts as a bump in the wire. It is invisible to the two networks, with no configurable or addressable ports. In order to cause traffic to flow through the PPC, you need to configure the two s to forward packets to each other. The on the secure side should be configured to forward outbound traffic to the on the open side. Similarly, the on the open side should be configured to forward inbound traffic to the on the secure side. Bear in mind that the on the secure side can have up to seven interfaces configured one to match each interface to the private network on the switch. The management card on the Aravox platform has a single interface which should be connected to the management network. The switch is equipped with one System Controller card, one Message Transport Card (MTC), and up to six Application Processing Cards (APCs). The System Controller provides a means for the FCP to communicate with the firewall. The role of the MTC and APCs varies depending on the application(s) they are running. In the case of SIP, the MTC simply distributes messages to the APCs. The APCs serve as registrars, plus provide proxy and redirect functionality. In the case of H.323, the MTC acts as a master gatekeeper. In this role it accepts H.323 registrations and redirects calls to the APCs. The APCs function as slave gatekeepers, providing the actual H.323 gatekeeper functionality. For every case, you need to configure the System Controller card s interface to the management network and the MTC s interface to the private network. Then, if H.323 is implemented, you need to configure an interface to the private network for each APC. The IP addresses for the MTC and the APCs are not publicized. Instead, when an endpoint in the outside world attempts to communicate with one of them for example, to transmit a registration message it addresses packets to an interface on the leading to the private network. As the packets pass through the PPC, they are re-addressed to the actual destination using NAT and forwarded to the, which sends them to the appropriate interface on the switch. 206 ServiceController 1100/1200/1300/1400 User Guide

4 SS8 s, Inc. In order to use FCP and link the interfaces on the with the interfaces on the switch, you must set up the SIP and H.323 configuration files. Session Initiation Protocol (SIP) on page 125 H.323 on page 150 The FCP itself relies on two configuration files. The fcpconfig.txt file enables/disables FCP functionality and defines the nature of the relationship between the FCP and the Aravox firewall. Among other things, use this file to enter the IP address of the firewall s management card, and to set the type of firewalling that is to be performed (pinholing alone, pinholing with inbound NAT, or inbound NAT without pinholing). The rtconfig.txt file identifies the private network(s) supported by the FCP. After configuring this file, source and destination addresses that the FCP sees as belonging to its private network(s) are subjected to firewall controls. Note: If you configure the FCP to interact with multiple firewalls, you will also need to configure multiple routes to destination gateways. For details, see the Routes parameter in High Availability Node Management (HANM) on page 87. FCP Limitations Release 2.1 of the FCP is subject to the following limitations: The FCP supports H.323 Fast Start and H.245 tunneling, but not H.323 Slow Start. This may impact the operation of some applications such a Microsoft NetMeeting that require Slow Start. Provisioning the System 207

5 SS8 s, Inc. FCP and Firewall/NAT Configuration Example The network configuration illustrated Figure 77, FCP and Firewall Detailed Configuration on page 208 serves of an example of how FCP can be implemented with multiple firewalls. The network contains two Aravox firewalls, four s, and one switch. Figure 77 FCP and Firewall Detailed Configuration Public Management Private SC / management MTC APC Aravox Firewall IP Address APC SC 1000 platform open management card packet processing card Aravox Firewall #1 secure Interface for Outbound Traffic Interface(s) for Inbound Traffic open management card packet processing card Aravox Firewall #2 secure This network has the following characteristics: 1. On the switch, the following items have been configured: System Controller s interface to the management network MTC s interface to the private network each APCs interface to the private network (because the APCs are running H.323 as well as SIP) SIP, H.323 and FCP configuration files 208 ServiceController 1100/1200/1300/1400 User Guide

6 SS8 s, Inc. 2. On each leading to the private network, the following items have been configured: interface to the private network interface(s) to the management network (These correspond to the interfaces on the MTC and APCs. Inbound traffic addresses these interfaces.) routing table entries to forward outbound traffic to the leading to the public network routing table entries to forward inbound traffic to the actual addresses of the MTC and APCs 3. On each leading to the public network, the following items have been configured: interface to the public network interface to the management network (Outbound traffic addresses this interface.) routing table entries to forward outbound traffic to entities on the public network routing table entries to forward inbound traffic to the leading to the private network 4. On the Aravox firewall/nat platform, the following items have been configured: management card s interface to the management network (The FCP on the switch addresses this interface.) firewall/nat rules and policy FCP and Firewall/NAT Call Flow This scenario illustrates the flow of messages between two phones (either SIP or H.323), an Arovox firewall/nat platform, and the FCP. Phone A, located in the public realm, attempts to locate Phone B located in the private realm. Both phones have already registered with the SIP Proxy or H.323 gatekeeper. 1. Phone A issues an H.323 SETUP or a SIP INVITE. 2. The FCP reads the message and obtains Phone A s address A. The FCP then instructs the firewall to use NAT to translate Phone A s address. 3. The firewall returns the translated address A1. 4. The FCP instructs the firewall to open the pinhole that will carry outbound media traffic to Phone A. 5. The firewall returns a response to the FCP. 6. The FCP send the SETUP or INVITE to Phone B, but substitutes the translated address (A1) for the original address (A). Provisioning the System 209

Secure Telephony Enabled Middle-box (STEM)

Report on Secure Telephony Enabled Middle-box (STEM) Maggie Nguyen 04/14/2003 Dr. Mark Stamp - SJSU - CS 265 - Spring 2003 Table of Content 1. Introduction 1 2. IP Telephony Overview.. 1 2.1 Major Components