An IP Network: Application s View. SIP & NATs / Firewalls. An IP Network: Router s View. Reminder: Internet Architecture

Size: px
Start display at page:

Download "An IP Network: Application s View. SIP & NATs / Firewalls. An IP Network: Router s View. Reminder: Internet Architecture"

Transcription

1 An IP : Application s View SIP & s / Firewalls The primary purpose of firewalls has always been to shield buggy code from bad guys. Steve ellovin, IETF Security AD Source IP Address Source Port Number Destination IP Address Destination Port Number 80 Protocol ID TCP Slide contributions by Olaf ergmann (Uni remen TZI) 2010 Jörg Ott Jörg Ott 3 eminder: Architecture An IP : outer s View!! Transport and application s operate end-to-end!! Port numbers: addressing of processes (applications)!! -components and topology are invisible!! All functions performed end-to-end Application Protocols Transport Protocols Protocol Protocol s Application Protocols Transport Protocols Protocol Destination IP Address (Source IP Address) ( ) 2010 Jörg Ott Jörg Ott 4

2 Key Concepts of the Architecture Hosts know nothing about the network. outers know nothing about applications. ecap: Security Devices for IP s!! Packet Filter!! (dis)allow forwarding of packets to/from certain addresses!! Protect networks from stray traffic!! Application Layer Gateway (ALG) / Proxy!! control (and police) communications at application layer!! Firewall!! Combination of the above!! protect internal resources against access from the outside!! Address Translator ()!! minimize required fraction of address space!! hide internal IP addresses!! perform packet filtering for unknown traffic 2010 Jörg Ott Jörg Ott 7 A Sample Setup IP Layer: Packet Filter (via ISPs) Site 1 Site 2 IP A Corporate 2010 Jörg Ott Jörg Ott 8

3 Packet Filter Application Layer Gateway ALG Corporate Transport IP Transport IP Packet filter spec! Source, destination IP address! Protocol (UDP, TCP, ICMP)! Source, destination port! Direction of traffic May be dynamically configured. A Corporate 2010 Jörg Ott Jörg Ott 11 Stateful Packet Inspection Application Layer Gateway (Proxy) Application Transport Corporate H IP ftp server Access policies FTP proxy ftp client A Corporate Web browser client / server HTTP proxy SIP proxy http server client / server 2010 Jörg Ott Jörg Ott 12

4 Firewalls!! Packet filters, enforcing packet altering/forwarding policies!! Filter specification: Usually statically configured!! Most configurations disallow packets for non-standard ports!! Stateful packet inspection!! Detect transport or application context of packets!! Dynamically adapt filter specification!! Application layer gateways!! Terminate connections: act as transparent or explicitly visible proxies!! Monitor connection: parse contents of application s!! Functioning precludes end-to-end security!!! Dynamically adapt filter specification!! Policies may be applied at all layers Address Translators!! Intermediate systems that can translate addresses (and port numbers) in IP packets!! Often used to map global addresses to address/port number combination of hosts in a corporate network!! Different motivations!! Efficient usage of address space!! Share one globally unique address!! Use a private address space in the enterprise (10.x.x.x, x.x, )!! Security!! Make internal host inaccessible from the public!! Hide addresses / address structure!! Include dynamically configured packet filters, stateful packet inspection 2010 Jörg Ott Jörg Ott 15 Firewalls and SIP!! Default configuration of many firewalls:!! Allow outbound TCP and outbound UDP for DNS!! Allow inbound TCP for well-known TCP ports only (e.g. HTTP)!! SIP communication disallowed in most cases!! Port 5060 (UDP, TCP)!! Simple fix: change filter firewall policy to allow port 5060!! Still a problem with SIP communication on other ports!! The real problem: Media Sessions!! Transport parameters are signalled by SIP messages!! Negotiable, not known in advance!! Different transport mechanisms for different applications!! Solution approaches!! Have firewalls be controlled by ALGs!! Adapt SIP to make it more firewall-friendly!! Define firewall-control s to open firewalls dynamically!! Issues: Authentication and authorization SIP proxy server SIP firewall traversal MIDCOM 2010 Jörg Ott 14 (+Port) Address Translators () A Private Transport IP Mapping Function Public 2010 Jörg Ott 16

5 H1 H2 H3 H1: ftp H2: ftp H2: telnet H3: http Address Translators x Corporate Intranet : : : : Host IP Address, Port Translation table Fixed IP Address, Port : : : :20004 ftp server ftp server telnetd web server Endpoint-independent Mapping :12836! : :12836! :61795!! The same mapping is used for all external peers!! Outbound packets establish temporary address/port binding!! Incoming packets are dropped when no binding exists!! All bindings time out after some inactivity period!! May depend on the load situation 2010 Jörg Ott Jörg Ott 19 Operation of NA(P)Ts!! s usually only one-way permeable for initiating connections!! From private to public network!! Other direction limited to statically pre-configured addresses!! Mapping: s create address/port number mappings!! Mappings are usually created dynamically, e.g. on connection setup!! Static configurations also possible!! Works best with connection-oriented communication!! Most common case: TCP connection from client-server sessions!! Client in private address space, server in public!! s have to keep state for mappings that are tied to connections!! To allow for traffic in the opposite direction to pass!! Filtering: Which traffic is allowed back in depends on type!! Important for UDP traffic (i.e. media streams)! 2010 Jörg Ott 18 Address- (and Port-) dependent Mapping :12836! :61795 [ :80] :12836! :61795 [ :8080] :12836! :61800 [ :8080] :12836! :65432 [ ]!! Outbound packets establish temporary address/port binding!! Incoming packets are dropped when no binding exists!! inding re-used only for destination IP address (and optionally port) Address- and port-dependent 2010 Jörg Ott 20

6 Filtering ehavior: Who is allowed to send back? :12836! :61795; : :12836! :42123; : !! indings established by outgoing packets!! Endpoint-independent!! Packets from anyone are passed via the binding!! Address-dependent!! Only packets from hosts to which the source sent before may send via the binding!! Address- and port-dependent!! Only packets from (address,port) pairs sent to before are allowed Mapping: Port Assignment!! Port allocation regime in s varies widely!! Next assignment: what comes after port N?!! N+1? andom? Address-dependent? Port-dependent?!! Parity preservation!! Will internal even (odd) ports be mapped to external even (odd) ones?!! Continuity: what happens for adjacent internal ports!! Will they be mapped to adjacent external ones?!! How are assignments spread across different external IP addresses? 2010 Jörg Ott Jörg Ott 23 Internal Traffic: Hairpinning ehavior efreshing and Discarding Assignments :12836! : :12345! :65432!! Can nodes behind a use their external addresses to communicate via the?!! Packets going out of the are matched against local addresses before being forwarded!! If a match is found, they are sent back into the local network!! Improves connectivity!! Introduces overhead and a single point of failure!! Discarding assignments when no longer needed!! TCP: easy via FIN packet!! What to do for long-lasting connections? Timeout!!! ecommendation: keep binding for > 2 hours!! Often not honored in practice!! UDP: no explicit setup and teardown packets!! Discard based upon timeout!! ecommendation:! 2min!! Again frequently not honored in practice -! 15 second refresh intervals are recommended by some s!! efreshing through traffic!! Inbound traffic bears some DoS (and other) attack risks!! Outbound-only traffic appears safer 2010 Jörg Ott Jörg Ott 24

7 Some Assumptions for s and Firewalls!! Applications follow client-server paradigm!! Applications use well-defined ports!! Communications are usually invoked from the inside!! Communications from the outside limited to a few servers!! Often placed in a DMZ!! Connection-oriented s (e.g. TCP) dominate!! eginning and end of communication session can be identified!! Signaling-specific!! SIP/UDP through s!! SIP message routing!! SIP registration & SIP: Problems!! Media session-specific!! SDP description (endpoint parameters) 2010 Jörg Ott Jörg Ott 27 Some Issues with Firewalls and s!! Configuring s / firewalls!! Inbound vs. outbound connections what is inbound, what is outbound?!! Per-endpoint restriction (sender, receiver) may be desirable!! How to identify and authenticate users in a middlebox!! Dynamically negotiated addresses!! Symmetric communication relationships!! (Invocation of) communications from unknown peers & SIP: Signaling Problems!! Static ports for signaling traffic (typically 5060, 5061)!! Static configuration for port forwarding (if box supports this)!! Need multiplexing in subnets with multiple SIP clients (alternative: local SIP proxy)!! esponse routing!! FC3261: euse connection for stream-oriented s (TCP, SCTP)!! UDP requires overriding of entries in Via headers to honor binding!! Need frequent keep-alive messages for INVITE transactions!! Pretty much all of this applies to SIP!!! egistration!! No good solution yet!! Clients must construct working Contact UI!! Works if registrar and proxy are co-located 2010 Jörg Ott Jörg Ott 28

8 SIP Client esponse outing and s SIP message SIP Proxy INVITE sip:user@.com SIP/2.0 Via: SIP/2.0/UDP :5060; branch=z9hg4bkkjshdyff Symmetric esponse outing: ehavior SIP Client SIP message SIP Proxy 2 SIP Proxy 1 INVITE sip:user@.com SIP/2.0 Via: SIP/2.0/UDP proxy1; branch=z9hg4bkkjsh33 Via: SIP/2.0/UDP :5060; received= ; rport=4560; branch=z9hg4bkkjshdyff : :5060!! Forwarding!! Append port value to rport parameter!! Adding received parameter with IP address original message has been received from 2010 Jörg Ott Jörg Ott 31 SIP Extension for Symmetric esponse outing Processing esponse Messages (1) SIP Client SIP message SIP Proxy INVITE sip:user@.com SIP/2.0 Via: SIP/2.0/UDP :5060; rport;branch=z9hg4bkkjshdyff SIP Client SIP message SIP Proxy 2 SIP Proxy 1 SIP/ OK Via: SIP/2.0/UDP proxy1; branch=z9hg4bkkjsh33 Via: SIP/2.0/UDP :5060; received= ; rport=4560; branch=z9hg4bkkjshdyff :5060!! rport!! Parameter for Via-header-field!! Semantics!! Don t use endpoint address in Viaheader for response routing!! Use address this message has been received from : Jörg Ott Jörg Ott 32

9 Processing esponse Messages (2) Solutions (for Media Session Startup) SIP Client SIP message SIP Proxy 2 SIP Proxy 1 SIP/ OK Via: SIP/2.0/UDP :5060; received= ; rport=4560; branch=z9hg4bkkjshdyff!! [Application Layer Gateways]!! Middlebox Communications (MIDCOM)!! Simple Traversal of UDP through s (STUN*) :5060!! Strip top Via header field!! Send response message to!! Travel Using elay (TUN*)!! Interactive Connectivity Establishment (ICE*) *) Unilateral Self-address fixing (UNSAF) considerations (FC 3424) 2010 Jörg Ott Jörg Ott 35 SIP egistration and s!! SIP user agent registers contact address (current reachable endpoint address) with registrar!! Problem in the presence of s!! How to determine valid contact address?!! No standard solution today, but multiple approaches!! Send message to server and evaluate received and rport parameters!! Use non-sip servers for self-address fixing (STUN)!! Issue: Can only receive messages from server the EGISTE request has been sent to (depending on type)!! All messages to UA must traverse this proxy!! Solution: Path: extension header!! Discover and record sequence of proxies that must be used for contacting UA!! Use of pre-loaded oute mechanism 2010 Jörg Ott 34 SIP Application Layer Gateway (1)!! Gateway system with application intelligence!! Co-located with / firewall/router!! Different configurations!! Transparent/Nontransparent!! Fixes SIP messages by adapting SDP description and possibly headers SIP UA Corporate Intranet m=audio TP/AVP 0 c=in IP a= 2010 Jörg Ott 36 H SIP proxy SIP UA m=audio TP/AVP 0 c=in IP a=rtcp:58005 a=

10 S F SIP and s / Firewalls S N (via ISPs) S F F Site 1 Site 2 F 2010 Jörg Ott 37 MIDCOM!! Idea: Application-independent Control Protocol!! SIP UA (or proxy) controls on-path intermediaries!! Open pinholes, obtain bindings etc.!! Example: UPnP control of DSL routers!! equirements specification: FC 3304!! Abstract semantics: FC 3989!! Evaluation of Candidate Protocols: FC 4097!! Simple Management Protocol (SNMP)!! ealm-specific IP (SIP)!! Media Gateway Control (MEGACO)!! Diameter!! Common Open Policy Service (COPS)!! Next Steps in Signaling (NSIS): draft-ietf-nsis-nslp-natfw-20.txt 2010 Jörg Ott 39 SIP Application Layer Gateway (2) MIDCOM!! Issues!! SIP proxies not allowed to change session description!! Conflicts with security, i.e., SIP and S/MIME!! ALG solution requires application-specific support for each application!! Have to be upgraded for new applications!! Application s may be complex (ALG builders may not get them right)!! Scalability!! Functionality concentrated on single /ALG box S F N (via ISPs) F F Site 1 Site 2 F S!! eliability!! ewriting of SIP messages not robust with respect to extensions, future versions etc Jörg Ott Jörg Ott 40

11 MIDCOM Issues!! Needs to be standardized in the first place!! Must be supported by vendors (may loose their competitive edge)!! If so, products need to become available and to be deployed!! Needs to be really secure (authentication, authorization) hard to achieve!! Example: UPnP is rather insecure today!! Location problem: How to discover intermediaries?!! Organizational problems: Cannot control box of public ISP!! e.g., in a WLAN hot-spot!! Authentication of users and authorization of operations!! Motivation for the hot-spot operator? 2010 Jörg Ott 41 FC 3489: Simple Traversal of UDP Through s (STUN) 1.! inding request to STUN server 1 STUN Client : :3344 STUN STUN server :3345 (may be the same physical machine and just use a different IP address/port)!! No esponse?!! No UDP connectivity, give up!! esponse!! returns MAPPED-ADDESS ()!! eflexive address learned by the client!! "Client is behind!! ut what type of? 2010 Jörg Ott 43 FC 3489: Simple of UDP Through s (STUN)!! Detect type and public IP address!! External server echos observed source address and port!! Optionally request IP address and/or port change for response!! Still not available for requests from any host outside... STUN Client STUN STUN server 1.! Echo source address, send from recv port 2.! Client requested port change 3.! Client requested address change eceived/dropped responses determine type of 2010 Jörg Ott 42 FC 3489: Simple Traversal of UDP Through s (STUN) 2.! inding request to STUN server 1 with change IP and change port flags STUN Client : :3344 STUN STUN server :3345!! esponse?!! "Client is behind full cone!! No esponse?!! epeat Test 1 (1 )!! Send inding equest to server 2!! 2 returns MAPPED-ADDESS () "Client is behind restricted/ port restricted!! 2 returns other MAPPED-ADDESS " Client is behind a symmetric 2010 Jörg Ott 44

12 FC 3489: Simple Traversal of UDP Through s (STUN) 3.! inding request to STUN server 1 with change port flag STUN Client : :3344 STUN STUN server :3345!! esponse?!! "Client is behind restricted!! No esponse?!! "Client is behind port restricted!! epeat transmissions because of potential packet loss FC 5389 (3489bis)!! Simple Traversal Underneath Address Translators (STUN)!! emoves attempt to understand and identify types!! Only the mapping is obtained and connectivity can be checked!! Traversal realized differently " see TUN and ICE!! Adds XOed reflected transport addresses!! FINGEPINT to support demultiplexing STUN and data packets!! Challenge-response authentication!! Generalizes operations: base + usages!! equest-response pairs + server-initiated indications!! Short-term password usage: TLS-based sharing of a secret!! inding usage: simple address discovery!! Keepalive usage: maintain the bindings alive!! External: TUN usage: support packet reflection by a server 2010 Jörg Ott Jörg Ott 47 STUN Security!! Anybody could send UDP messages with faked IP addresses!! Gives rise to numerous attacks!! Establish a shared secret between client and server!! Performed via TLS (i.e., reliable and secured transport)!! authenticated by means of certificate!! issues temporary username and password!! Used in subsequent UDP-based STUN binding requests for authentication!! Alternative: STUN client and server share a signaling relationship!! E.g. a SIP dialog when the STUN server runs on the peer system!! STUN server dynamically instantiated on each TP or TCP port!! Leverage the trust previously established no need for TLS connection 2010 Jörg Ott 46 STUN Summary!! STUN provides a means for an application to traverse s!! Detect existence of s!! [Detect type of s]!! Maintain address bindings alive in!! Learn address bindings and usable public address!! Intended for enabling peer-to-peer communication in scenarios!! Not a complete solution!! Symmetric s still a problem!! Does not help if both peers are behind s!! Approach to deal with symmetric s!! un STUN server with each media endpoint!! (on each TP/TCP port)!! Does not help if both endpoints are behind different s 2010 Jörg Ott 48

13 Traversal Using elay (TUN)!! Idea: Provide forwarding service in the public internet!! Client behind has single connection to TUN server!! forwards incoming packets destined for TUN client # elay!! Protocol-agnostic no ALG needed!! Authentication to prevent DoS-attacks (similar to STUN) 1.! Allocate TUN port TUN-enabled SIP phone TUN SIP phone 2.! TUN-response, including address/port 3.! SIP registration with TUN contact 4.! SIP request from outside is routed to TUN (similar for media) 2010 Jörg Ott 49 STUN elay Details (2)!! Uses STUN framework for message exchanges!! Defines new STUN usage!! Uses the same authentication mechanisms!! STUN and TUN servers likely to be identical!! elaying of both UDP and TCP!! Mapping between different transport s possible UDP " UDP, TCP " TCP, TCP " UDP, TLS " TCP, TLS " UDP!! Identification of a transport relationship by means of a 5-tuple!! Source, Destination IP address and port, id!! Internal 5-tuple: STUN/TUN server!! External 5-tuple: STUN/TUN server remote peer!! Introduces additional 4-byte framing!! Distinguish STUN requests from application data!! Distinguish framed from unframed STUN messages 2010 Jörg Ott 51 Client goes for peer 1 Client Allocate (UDP) esp (IP Addr, port) Create Permission(1,2) esponse Send (dst=1, data) Send (dst=2, data) Data Ind. (src=1, data) Data Ind. (src=2, data) Channelind Data packets efresh request STUN elay Details TUN server Listening address created Creating forwarding permissions oth 1 and 2 have permission to send packets to the client Data packet Data packet Data packet Data packet Peer 1 uses efficient encaps. Peer 2 can still talk Data packets 1 Peers 2 Client may use Closeinding to Disable peer 2 Interactive Connectivity Establishment (ICE)!! s with segmented connectivity, different address realms!! Try to find optimal connection between endpoints!! Use relays only if necessary!! Support for STUN and TUN!! draft-ietf-mmusic-ice-19.txt!! An end-to-end solution avoiding assumptions about middle-boxes!! May be obsoleted by middlebox control some fine day!! Applies to media path, not signaling!! ut signaling must be aware of ICE (specific SDP attributes)!! Poor default behavior for non-ice clients!! Abstract signaling model!! Fits SIP, H.323, TSP and similar s 2010 Jörg Ott Jörg Ott 52

14 Operation!! Idea: peers exchange lists of transport addresses, mutual connectivity tests!! Clients must detect own transport addresses!! The more, the better!! Local interfaces (including private addresses, e.g. in 10/8 net)!! Detection using external reflectors (e.g. STUN, TUN)!! Assigned tunnel addresses (e.g. PPTP)!! Clients run STUN servers on every published transport address!! Explicit keep-alives for binding!! Shared with media streams A ICE: Address Gathering STUN TUN STUN TUN Host candidates: :51000, : reflexive candidates: :58000, 130: :58090 elayed candidates: :63673 Addresses need! per media stream (audio, video)! per component (TP, TCP) 2010 Jörg Ott Jörg Ott 55 Operation Details: 9 Steps [some of the following slides inspired by Jonathan osenberg s ICE tutorial given on 7 November 2006 at the 67 th IETF]!! Step 1: Allocation!! Step 2: Prioritization!! Step 3: Initiation!! Step 4: Allocation!! Step 5: Information!! Step 6: Verification!! Step 7: Coordination!! Step 8: Communication!! Step 9: Confirmation Address Gathering and Prioritization!! Address gathering can cause significant traffic!! Multiple interfaces, IP address versions, STUN servers!! Multiple media streams and components per stream!! May cause network or overload!! Pace transmission (20ms intervals)!! Prioritization across candidates:!! eflect the quality (e.g., in terms of minimal overhead)!! Host addresses are better than reflexive ones are better than relayed!! TP over TCP priority = (2^24)*(type preference) +(2^8)*(local preference) +(2^0)*(256 - component ID) 2010 Jörg Ott Jörg Ott 56

15 A ICE: Address Gathering and Encoding STUN STUN v=0 o=jo IN IP s=t=0 0 c=in IP m=audio TP/AVP 0 a=rtpmap:0 PCMU/8000 a=candidate:1 1 UDP typ local TUN TUN a=candidate:2 1 UDP typ local a=candidate:3 1 UDP typ srflx raddr rport a=candidate: UDP : typ srflx raddr rport a=candidate:5 1 UDP typ relay raddr rport Host candidates: :51000, : reflexive candidates: :58000, 130: :58090 elayed candidates: :63673 A ICE Address Verification STUN TUN STUN TUN 2010 Jörg Ott Jörg Ott 59 ICE Operation 6. ICE Address Verification 1, 2 Gather addresses Offer 3 5 Answer Gather addresses A STUN checks confirmation Media streams Offer Answer ring the phone 2010 Jörg Ott 58 TUN TUN! Send test messages and await replies: from all candidates to all candidates! Successively go (again paced) through all address pairs! Use priority ordering (pairing) to determine the trial order (shall ensure that better ones are tested first) 2010 Jörg Ott 60

16 A 6. ICE Address Verification TUN TUN! Nodes may learn further candidates from the address checks: peer-reflexive candidates (e.g., s view of an interface of A) Summary: Top 10 ICE Facts 1.! ICE makes use of Simple Traversal Underneath (STUN) and Traversal Using elay (TUN) 2.! ICE is a form of p2p traversal 3.! ICE only requires a network to provide STUN and TUN servers 4.! ICE allows for media to flow even in very challenging network conditions 5.! ICE can make sure the phone doesn t ring unless media connectivity exists 6.! ICE dynamically discovers the shortest path for media to travel between endpoints 7.! ICE has a side effect of eliminating a key DoS attack on SIP (Voice Hammer) 8.! ICE works through nearly any type of and firewall 9.! ICE does not require the endpoint to discover the s, their type, or their presence 10.! ICE only uses relays in the worst case when OTH sides are behind symmetric 2010 Jörg Ott Jörg Ott ICE Address Verification Summary: SIP and Firewalls / s!! Do not go together well!! SIP servers for enterprises may be reachable for SIP signaling!! -based address translation invalidates SIP message contents!! Firewalls do not let voice packets pass A TUN TUN! Successively go through multiple components and multiple media streams! Use previously successful candidate pairs earlier (adapt prioritization) 2010 Jörg Ott 62!! Problem not restricted to SIP!! TSP to signal media streams, multicast media streams, etc.!! New application s (yet) unknown to s!! Guidelines for application design for s: FC 3235!! Frequent fallback position: tunneling through HTTP (port 80)!! ALGs for controlled environments!! ICE: one solution set preserving end-to-end model 2010 Jörg Ott 64

17 Some eadings on Traversal!! Overview document in the Noppa repository (Ari Keränen)!! FC 4787: ehavioral equirements for UDP!! FC 5135: ehavioral equirements for Multicast!! FC 5382: ehavioral equirements for TCP!! FC 5508: s and ICMP!! FC 3489: STUN (obsoleted), FC 5389: STUN new!! draft-ietf-behave-turn-16.txt: TUN (+ related ones for TCP,...)!! draft-ietf-mmusic-ice-19.txt: ICE!! draft-ietf-mmusic-ice-tcp-08.txt: ICE for TCP!! draft-ietf-behave-nat-behavior-discovery-08.txt!! draft-ietf-nsis-nslp-natfw-20.txt: NSIS for MIDCOM signaling!! FC 4008: MI for s!! FC 5182: State of P2P through 2010 Jörg Ott 65

Designing for and Living with NATs and Firewalls

Designing for and Living with NATs and Firewalls Designing for and Living with NATs and Firewalls Protocol Design S-38.3157 2009 Jörg Ott & Carsten Bormann 1 The primary purpose of firewalls has always been to shield buggy code from bad guys. Steve Bellovin,

More information

Designing for and Living with NATs and Firewalls

Designing for and Living with NATs and Firewalls HELSINKI UNIVESITY OF TECHNOLOGY Designing for and Living with NATs and Firewalls Protocol Design S-38.3157 1 HELSINKI UNIVESITY OF TECHNOLOGY The primary purpose of firewalls has always been to shield

More information

Designing for and Living with NATs and Firewalls

Designing for and Living with NATs and Firewalls HELSINKI UNIVESITY OF TECHNOLOGY Designing for and Living with NATs and Firewalls Protocol Design S-38.3157 2008 Jörg Ott & Carsten Bormann 1 HELSINKI UNIVESITY OF TECHNOLOGY The primary purpose of firewalls

More information

Network Address Translators (NATs) and NAT Traversal

Network Address Translators (NATs) and NAT Traversal Network Address Translators (NATs) and NAT Traversal Ari Keränen ari.keranen@ericsson.com Ericsson Research Finland, NomadicLab Outline Introduction to NATs NAT Behavior UDP TCP NAT Traversal STUN TURN

More information

Network Address Translation (NAT) Contents. Firewalls. NATs and Firewalls. NATs. What is NAT. Port Ranges. NAT Example

Network Address Translation (NAT) Contents. Firewalls. NATs and Firewalls. NATs. What is NAT. Port Ranges. NAT Example Contents Network Address Translation (NAT) 13.10.2008 Prof. Sasu Tarkoma Overview Background Basic Network Address Translation Solutions STUN TURN ICE Summary What is NAT Expand IP address space by deploying

More information

Network Address Translation (NAT) Background Material for Overlay Networks Course. Jan, 2013

Network Address Translation (NAT) Background Material for Overlay Networks Course. Jan, 2013 Network Address Translation (NAT) Background Material for Overlay Networks Course Jan, 2013 Prof. Sasu Tarkoma University of Helsinki, Department of Computer Science Contents Overview Background Basic

More information

ICE / TURN / STUN Tutorial

ICE / TURN / STUN Tutorial BRKCOL-2986 ICE / TURN / STUN Tutorial Kristof Van Coillie, Technical Leader, Services Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session

More information

MySip.ch. SIP Network Address Translation (NAT) SIP Architecture with NAT Version 1.0 SIEMENS SCHWEIZ AKTIENGESELLSCHAFT

MySip.ch. SIP Network Address Translation (NAT) SIP Architecture with NAT Version 1.0 SIEMENS SCHWEIZ AKTIENGESELLSCHAFT s MySip.ch SIP Network Address Translation () SIP Architecture with Version 1.0 Issued by DS MS, Software house Albisriederstr. 245, CH-8047 Zurich Copyright Siemens Schweiz AG 2004 All Rights Reserved.

More information

Realtime Multimedia in Presence of Firewalls and Network Address Translation

Realtime Multimedia in Presence of Firewalls and Network Address Translation Realtime Multimedia in Presence of Firewalls and Network Address Translation Knut Omang Ifi/Oracle 9 Oct, 2017 1 Overview Real-time multimedia and connectivity Mobile users (roaming between devices) or

More information

Realtime Multimedia in Presence of Firewalls and Network Address Translation. Knut Omang Ifi/Oracle 9 Nov, 2015

Realtime Multimedia in Presence of Firewalls and Network Address Translation. Knut Omang Ifi/Oracle 9 Nov, 2015 Realtime Multimedia in Presence of Firewalls and Network Address Translation Knut Omang Ifi/Oracle 9 Nov, 2015 1 Overview Real-time multimedia and connectivity Mobile users (roaming between devices) or

More information

Network Address Translation

Network Address Translation 10 Network Address Translation This chapter introduces Network Address Translation (NAT) and looks at the issues and challenges involved in making SIP and other Internet communications protocols work through

More information

P2PSIP, ICE, and RTCWeb

P2PSIP, ICE, and RTCWeb P2PSIP, ICE, and RTCWeb T-110.5150 Applications and Services in Internet October 11 th, 2011 Jouni Mäenpää NomadicLab, Ericsson Research AGENDA Peer-to-Peer SIP (P2PSIP) Interactive Connectivity Establishment

More information

Internet Networking recitation #

Internet Networking recitation # recitation # UDP NAT Traversal Winter Semester 2013, Dept. of Computer Science, Technion 1 UDP NAT Traversal problems 2 A sender from the internet can't pass a packet through a NAT to a destination host.

More information

Journal of Information, Control and Management Systems, Vol. X, (200X), No.X SIP OVER NAT. Pavel Segeč

Journal of Information, Control and Management Systems, Vol. X, (200X), No.X SIP OVER NAT. Pavel Segeč SIP OVER NAT Pavel Segeč University of Žilina, Faculty of Management Science and Informatics, Slovak Republic e-mail: Pavel.Segec@fri.uniza.sk Abstract Session Initiation Protocol is one of key IP communication

More information

Network Address Translator Traversal Using Interactive Connectivity Establishment

Network Address Translator Traversal Using Interactive Connectivity Establishment HELSINKI UNIVERSITY OF TECHNOLOGY Department of Communications and Networking S-38.3138 Networking Technology, Special Assignment Veera Andersson Network Address Translator Traversal Using Interactive

More information

Technical White Paper for NAT Traversal

Technical White Paper for NAT Traversal V300R002 Technical White Paper for NAT Traversal Issue 01 Date 2016-01-15 HUAWEI TECHNOLOGIES CO., LTD. 2016. All rights reserved. No part of this document may be reproduced or transmitted in any form

More information

SIP security and the great fun with Firewall / NAT Bernie Höneisen SURA / ViDe, , Atlanta, GA (USA)

SIP security and the great fun with Firewall / NAT Bernie Höneisen SURA / ViDe, , Atlanta, GA (USA) security and the great fun with Firewall / NAT Bernie Höneisen SURA / ViDe, 29.03.2006, Atlanta, GA (USA) 2006 SWITCH Content and Firewall and NAT Privacy / Encryption SpIT / Authentication Identity General

More information

[MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions

[MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions [MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open

More information

Internet Engineering Task Force (IETF) Request for Comments: 7604 Category: Informational. September 2015

Internet Engineering Task Force (IETF) Request for Comments: 7604 Category: Informational. September 2015 Internet Engineering Task Force (IETF) Request for Comments: 7604 Category: Informational ISSN: 2070-1721 M. Westerlund Ericsson T. Zeng PacketVideo Corp September 2015 Comparison of Different NAT Traversal

More information

NAT Tutorial. Dan Wing, IETF77, Anaheim March 21, 2010 V2.1

NAT Tutorial. Dan Wing, IETF77, Anaheim March 21, 2010 V2.1 NAT Tutorial Dan Wing, dwing@cisco.com IETF77, Anaheim March 21, 2010 V2.1 1 Agenda NAT and NAPT Types of NATs Application Impact Application Layer Gateway (ALG) STUN, ICE, TURN Large-Scale NATs (LSN,

More information

ICE: the ultimate way of beating NAT in SIP

ICE: the ultimate way of beating NAT in SIP AG Projects Saúl Ibarra Corretgé AG Projects Index How NAT afects SIP Solving the problem In the client In the network ICE: the ultimate solution Why ICE doesn't didn't work Fixing ICE in the server OpenSIPS

More information

Department of Computer Science. Burapha University 6 SIP (I)

Department of Computer Science. Burapha University 6 SIP (I) Burapha University ก Department of Computer Science 6 SIP (I) Functionalities of SIP Network elements that might be used in the SIP network Structure of Request and Response SIP messages Other important

More information

Peer-to-Peer Connectivity Using Firewall and Network Address Translator Traversal. R. Naber

Peer-to-Peer Connectivity Using Firewall and Network Address Translator Traversal. R. Naber Peer-to-Peer Connectivity Using Firewall and Network Address Translator Traversal R. Naber April 22, 2005 Peer-to-Peer Connectivity Using Firewall and Network Address Translator Traversal Research Assignment

More information

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013 Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive

More information

Application Scenario 1: Direct Call UA UA

Application Scenario 1: Direct Call UA UA Application Scenario 1: Direct Call UA UA Internet Alice Bob Call signaling Media streams 2009 Jörg Ott 1 tzi.org INVITE sip:bob@foo.bar.com Direct Call bar.com Note: Three-way handshake is performed only

More information

while the LAN interface is in the DMZ. You can control access to the WAN port using either ACLs on the upstream router, or the built-in netfilter

while the LAN interface is in the DMZ. You can control access to the WAN port using either ACLs on the upstream router, or the built-in netfilter When the LAN interface is in a private IP DMZ, you can write the firewall rule-set to restrict the number of hosts the VBP can communicate with to only those devices. This enhances security. You can also

More information

Cisco Expressway with Jabber Guest

Cisco Expressway with Jabber Guest Cisco Expressway with Jabber Guest Deployment Guide First Published: Decemeber 2016 Cisco Expressway X8.9 Cisco Jabber Guest Server 10.6.9 (or later) Cisco Systems, Inc. www.cisco.com Contents Preface

More information

[MS-ICE2]: Interactive Connectivity Establishment (ICE) Extensions 2.0

[MS-ICE2]: Interactive Connectivity Establishment (ICE) Extensions 2.0 [MS-ICE2]: Interactive Connectivity Establishment (ICE) Extensions 2.0 Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications

More information

NAT Traversal for VoIP

NAT Traversal for VoIP NAT Traversal for VoIP Dr. Quincy Wu National Chi Nan University Email: solomon@ipv6.club.tw.tw 1 TAC2000/2000 NAT Traversal Where is NAT What is NAT Types of NAT NAT Problems NAT Solutions Program Download

More information

From POTS to VoP2P: Step 1. P2P Voice Applications. Renato Lo Cigno

From POTS to VoP2P: Step 1. P2P Voice Applications. Renato Lo Cigno Advanced Networking P2P Voice Applications Renato Lo Cigno Credits for part of the original material to Saverio Niccolini NEC Heidelberg The Client/Server model in conversationsl communications User-plan

More information

Computer Security and Privacy

Computer Security and Privacy CSE P 590 / CSE M 590 (Spring 2010) Computer Security and Privacy Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for

More information

NAT and Firewall Traversal Technical Report

NAT and Firewall Traversal Technical Report PacketCable 2.0 CLOSED Notice This PacketCable technical report is the result of a cooperative effort undertaken at the direction of Cable Television Laboratories, Inc. for the benefit of the cable industry

More information

Implementing SBC Firewall Traversal and NAT

Implementing SBC Firewall Traversal and NAT CHAPTER 15 The Session Border Controller (SBC) enables voice over IP (VoIP) signaling and media to be received from and directed to a device behind a firewall and NAT (Network Address Translator) at the

More information

INTERFACE SPECIFICATION SIP Trunking. 8x8 SIP Trunking. Interface Specification. Version 2.0

INTERFACE SPECIFICATION SIP Trunking. 8x8 SIP Trunking. Interface Specification. Version 2.0 8x8 Interface Specification Version 2.0 Table of Contents Introduction....3 Feature Set....3 SIP Interface....3 Supported Standards....3 Supported SIP methods....4 Additional Supported SIP Headers...4

More information

Ingate Firewall & SIParator Product Training. SIP Trunking Focused

Ingate Firewall & SIParator Product Training. SIP Trunking Focused Ingate Firewall & SIParator Product Training SIP Trunking Focused Common SIP Applications SIP Trunking Remote Desktop Ingate Product Training Common SIP Applications SIP Trunking A SIP Trunk is a concurrent

More information

UCM6102/6104/6108/6116 Configuration

UCM6102/6104/6108/6116 Configuration UCM6102/6104/6108/6116 Configuration This document introduces manual configuration steps performed for interoperability testing between AccessLine and Grandstream UCM6102/6104/6108/6116. Configuration

More information

Expires: August 22, 2005 Microsoft R. Mahy Airspace February 21, 2005

Expires: August 22, 2005 Microsoft R. Mahy Airspace February 21, 2005 BEHAVE Internet-Draft Expires: August 22, 2005 J. Rosenberg Cisco Systems C. Huitema Microsoft R. Mahy Airspace February 21, 2005 Simple Traversal of UDP Through Network Address Translators (NAT) (STUN)

More information

IPV6 SIMPLE SECURITY CAPABILITIES.

IPV6 SIMPLE SECURITY CAPABILITIES. IPV6 SIMPLE SECURITY CAPABILITIES. 50 issues from RFC 6092 edited by J. Woodyatt, Apple Presentation by Olle E. Johansson, Edvina AB. ABSTRACT The RFC which this presentation is based upon is focused on

More information

An Efficient NAT Traversal for SIP and Its Associated Media sessions

An Efficient NAT Traversal for SIP and Its Associated Media sessions An Efficient NAT Traversal for SIP and Its Associated Media sessions Yun-Shuai Yu, Ce-Kuen Shieh, *Wen-Shyang Hwang, **Chien-Chan Hsu, **Che-Shiun Ho, **Ji-Feng Chiu Department of Electrical Engineering,

More information

On the Applicability of knowledge based NAT-Traversal for Home Networks

On the Applicability of knowledge based NAT-Traversal for Home Networks On the Applicability of knowledge based NAT-Traversal for Home Networks Andreas Müller, Andreas Klenk, and Georg Carle University of Tübingen, Computer Networks and Internet, Sand 13, 72076 Tübingen, Germany

More information

Category: Standards Track June Mobile IPv6 Support for Dual Stack Hosts and Routers

Category: Standards Track June Mobile IPv6 Support for Dual Stack Hosts and Routers Network Working Group H. Soliman, Ed. Request for Comments: 5555 Elevate Technologies Category: Standards Track June 2009 Status of This Memo Mobile IPv6 Support for Dual Stack Hosts and Routers This document

More information

CSC Network Security

CSC Network Security CSC 474 -- Security Topic 9. Firewalls CSC 474 Dr. Peng Ning 1 Outline Overview of Firewalls Filtering Firewalls Proxy Servers CSC 474 Dr. Peng Ning 2 Overview of Firewalls CSC 474 Dr. Peng Ning 3 1 Internet

More information

Internet Technology 4/29/2013

Internet Technology 4/29/2013 Session Initiation Protocol (SIP) Internet Technology 14. VoIP and Traversal Paul Krzyzanowski Rutgers University Spring 2013 Dominant protocol for Voice over IP (VoIP) RFC 3261 llows a call to be established

More information

Unified Communications in RealPresence Access Director System Environments

Unified Communications in RealPresence Access Director System Environments [Type the document title] 2.1.0 March 2013 3725-78704-001A Deploying Polycom Unified Communications in RealPresence Access Director System Environments Polycom Document Title 1 Trademark Information POLYCOM

More information

[MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions

[MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions [MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open

More information

On the Applicability of Knowledge Based NAT-Traversal for Home Networks

On the Applicability of Knowledge Based NAT-Traversal for Home Networks On the Applicability of Knowledge Based NAT-Traversal for Home Networks Andreas Müller, Andreas Klenk, and Georg Carle University of Tübingen, Computer Networks and Internet, Sand 13, 72076 Tübingen, Germany

More information

Layering and Addressing CS551. Bill Cheng. Layer Encapsulation. OSI Model: 7 Protocol Layers.

Layering and Addressing CS551.  Bill Cheng. Layer Encapsulation. OSI Model: 7 Protocol Layers. Protocols CS551 Layering and Addressing Bill Cheng Set of rules governing communication between network elements (applications, hosts, routers) Protocols define: Format and order of messages Actions taken

More information

Desktop sharing with the Session Initiation Protocol

Desktop sharing with the Session Initiation Protocol Desktop sharing with the Session Initiation Protocol Willem Toorop willem.toorop@os3.nl February 25, 2009 How can application and desktop sharing, initiated by SIP, be realised in existing SIP infrastructure

More information

Network Address Translation (NAT)

Network Address Translation (NAT) The following topics explain and how to configure it. Why Use NAT?, page 1 NAT Basics, page 2 Guidelines for NAT, page 7 Dynamic NAT, page 12 Dynamic PAT, page 21 Static NAT, page 40 Identity NAT, page

More information

Section 3 - Configuration. Enable Auto Channel Scan:

Section 3 - Configuration. Enable Auto Channel Scan: Enable Auto Channel Scan: Wireless Channel: The Auto Channel Scan setting can be selected to allow the DGL-4500 to choose the channel with the least amount of interference. Indicates the channel setting

More information

4. The transport layer

4. The transport layer 4.1 The port number One of the most important information contained in the header of a segment are the destination and the source port numbers. The port numbers are necessary to identify the application

More information

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others. Firews and NAT 1 Firews By conventional definition, a firew is a partition made of fireproof material designed to prevent the spread of fire from one part of a building to another. firew isolates organization

More information

History Page. Barracuda NextGen Firewall F

History Page. Barracuda NextGen Firewall F The Firewall > History page is very useful for troubleshooting. It provides information for all traffic that has passed through the Barracuda NG Firewall. It also provides messages that state why traffic

More information

Chapter 8 roadmap. Network Security

Chapter 8 roadmap. Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing e-mail 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7 Securing

More information

20-CS Cyber Defense Overview Fall, Network Basics

20-CS Cyber Defense Overview Fall, Network Basics 20-CS-5155 6055 Cyber Defense Overview Fall, 2017 Network Basics Who Are The Attackers? Hackers: do it for fun or to alert a sysadmin Criminals: do it for monetary gain Malicious insiders: ignores perimeter

More information

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015 Distributed Systems 29. Firewalls Paul Krzyzanowski Rutgers University Fall 2015 2013-2015 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive data & systems not accessible Integrity:

More information

Configuring Access Rules

Configuring Access Rules Configuring Access Rules Rules > Access Rules About Access Rules Displaying Access Rules Specifying Maximum Zone-to-Zone Access Rules Changing Priority of a Rule Adding Access Rules Editing an Access Rule

More information

Configuring NAT Policies

Configuring NAT Policies Configuring NAT Policies Rules > NAT Policies About NAT in SonicOS About NAT Load Balancing About NAT64 Viewing NAT Policy Entries Adding or Editing NAT or NAT64 Policies Deleting NAT Policies Creating

More information

Voice over IP (VoIP)

Voice over IP (VoIP) Voice over IP (VoIP) David Wang, Ph.D. UT Arlington 1 Purposes of this Lecture To present an overview of Voice over IP To use VoIP as an example To review what we have learned so far To use what we have

More information

How to Configure a Remote Management Tunnel for an F-Series Firewall

How to Configure a Remote Management Tunnel for an F-Series Firewall How to Configure a Remote Management Tunnel for an F-Series Firewall If the managed NextGen Firewall F-Series cannot directly reach the NextGen Control Center, it must connect via a remote management tunnel.

More information

TCP/IP Networking. Training Details. About Training. About Training. What You'll Learn. Training Time : 9 Hours. Capacity : 12

TCP/IP Networking. Training Details. About Training. About Training. What You'll Learn. Training Time : 9 Hours. Capacity : 12 TCP/IP Networking Training Details Training Time : 9 Hours Capacity : 12 Prerequisites : There are no prerequisites for this course. About Training About Training TCP/IP is the globally accepted group

More information

VPN-1 Power/UTM. Administration guide Version NGX R

VPN-1 Power/UTM. Administration guide Version NGX R VPN-1 Power/UTM Administration guide Version NGX R65.2.100 January 15, 2009 2003-2009 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by

More information

Using Application Level Gateways with NAT

Using Application Level Gateways with NAT Using Application Level Gateways with NAT Network Address Translation (NAT) performs translation service on any Transmission Control Protocol/User Datagram Protocol (TCP/UDP) traffic that does not carry

More information

How to Configure a Remote Management Tunnel for Barracuda NG Firewalls

How to Configure a Remote Management Tunnel for Barracuda NG Firewalls How to Configure a Remote Management Tunnel for Barracuda NG Firewalls If the managed NG Firewall can not directly reach the NG Control Center it must connect via a remote management tunnel. The remote

More information

OpenScape Business V2

OpenScape Business V2 OpenScape Business V2 Tutorial Support of SIP Endpoints connected via the internet Version 3.1 Definitions HowTo An OpenScape Business HowTo describes the configuration of an OpenScape Business feature

More information

Grandstream Networks, Inc. UCM6100 Security Manual

Grandstream Networks, Inc. UCM6100 Security Manual Grandstream Networks, Inc. UCM6100 Security Manual Index Table of Contents OVERVIEW... 3 WEB UI ACCESS... 4 UCM6100 HTTP SERVER ACCESS... 4 PROTOCOL TYPE... 4 USER LOGIN... 4 LOGIN TIMEOUT... 5 TWO-LEVEL

More information

Real-Time Communications for the Web. Presentation of paper by:cullen Jennings,Ted Hardie,Magnus Westerlund

Real-Time Communications for the Web. Presentation of paper by:cullen Jennings,Ted Hardie,Magnus Westerlund Real-Time Communications for the Web Presentation of paper by:cullen Jennings,Ted Hardie,Magnus Westerlund What is the paper about? Describes a peer-to-peer architecture that allows direct,interactive,rich

More information

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005 Firewalls Lecture 33 Security April 15, 2005 Idea: separate local network from the Internet Trusted hosts and networks Intranet Firewall DMZ Router Demilitarized Zone: publicly accessible servers and networks

More information

CS519: Computer Networks. Lecture 7: Apr 14, 2004 Firewalls and NATs

CS519: Computer Networks. Lecture 7: Apr 14, 2004 Firewalls and NATs : Computer Networks Lecture 7: Apr 14, 2004 Firewalls and NATs Network security topics I m going to limit work security to three topic areas: Network access issues (user or host authentication, and VPNs)

More information

Internet Engineering Task Force (IETF) Request for Comments: 5780 Category: Experimental ISSN: May 2010

Internet Engineering Task Force (IETF) Request for Comments: 5780 Category: Experimental ISSN: May 2010 Internet Engineering Task Force (IETF) D. MacDonald Request for Comments: 5780 B. Lowekamp Category: Experimental Skype ISSN: 2070-1721 May 2010 NAT Behavior Discovery Using Session Traversal Utilities

More information

Research Article NAT Traversing Solutions for SIP Applications

Research Article NAT Traversing Solutions for SIP Applications Hindawi Publishing Corporation EURASIP Journal on Wireless Communications and Networking Volume 2008, Article ID 639528, 9 pages doi:10.1155/2008/639528 Research Article NAT Traversing Solutions for SIP

More information

DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0

DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0 DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0 i Hangzhou DPtech Technologies Co., Ltd. provides full- range technical support. If you need any help,

More information

NAT (NAPT/PAT), STUN, and ICE

NAT (NAPT/PAT), STUN, and ICE NAT (NAPT/PAT), STUN, and ICE `Structure of ice II, viewed along the hexagonal c-axis. Hydrogen bonds between the water molecules are shown as dashed lines. Lengths are in angstroms.'' (Hobbs, 1970, p.

More information

Mobile IP Support for RFC 3519 NAT Traversal

Mobile IP Support for RFC 3519 NAT Traversal The Mobile IP: Support for RFC 3519 NAT Traversal feature introduces an alternative method for tunneling Mobile IP data traffic. New extensions in the Mobile IP registration request and reply messages

More information

Internet Security: Firewall

Internet Security: Firewall Internet Security: Firewall What is a Firewall firewall = wall to protect against fire propagation More like a moat around a medieval castle restricts entry to carefully controlled points restricts exits

More information

Network Interconnection

Network Interconnection Network Interconnection Covers different approaches for ensuring border or perimeter security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 Lecture

More information

Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues

Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues v Noriyuki Fukuyama v Shingo Fujimoto v Masahiko Takenaka (Manuscript received September 26, 2003) IP telephony services using VoIP (Voice

More information

Information About NAT

Information About NAT CHAPTER 27 This chapter provides an overview of how Network Address Translation (NAT) works on the adaptive security appliance. This chapter includes the following sections: Why Use NAT?, page 27-1 NAT

More information

Anatomy. 1. NAT Motivation. 2. NAT Operation. - A Look Inside Network Address Translators. Geoff Huston August 2004

Anatomy. 1. NAT Motivation. 2. NAT Operation. - A Look Inside Network Address Translators. Geoff Huston August 2004 Anatomy - A Look Inside Network Address Translators Geoff Huston August 2004 Over the past decade there have been a number IP-related technologies that have generated some level of technical controversy.

More information

Firewall Control Proxy

Firewall Control Proxy SS8 s, Inc. The (FCP) is an optional component of the switch. Background In order to gain widespread acceptance, Voice over IP technology requires a method to restrict access to specific devices and applications,

More information

Firepower Threat Defense Site-to-site VPNs

Firepower Threat Defense Site-to-site VPNs About, on page 1 Managing, on page 3 Configuring, on page 3 Monitoring Firepower Threat Defense VPNs, on page 11 About Firepower Threat Defense site-to-site VPN supports the following features: Both IPsec

More information

Unofficial IRONTON ITSP Setup Guide

Unofficial IRONTON ITSP Setup Guide September 13 Unofficial IRONTON ITSP Setup Guide Author: Zultys Technical Support This unofficial configuration guide was created to assist knowledgeable vendors with configuring the Zultys MX Phone System

More information

Outline. Goals of work Work since Atlanta Extensions Updates Made Open Issues Ad-hoc meeting & Next Teleconference Links

Outline. Goals of work Work since Atlanta Extensions Updates Made Open Issues Ad-hoc meeting & Next Teleconference Links Update of RTSP draft-ietf-mmusic-rfc2326bis-03.txt Authors: Henning Schulzrinne / Columbia University Robert Lanphier / Real Networks Magnus Westerlund / Ericsson (Presenting) Anup Rao / Cisco Outline

More information

Implementation Guide - VPN Network with Static Routing

Implementation Guide - VPN Network with Static Routing Implementation Guide - VPN Network with Static Routing This guide contains advanced topics and concepts. Follow the links in each section for step-by-step instructions on how to configure the following

More information

13. Internet Applications 최양희서울대학교컴퓨터공학부

13. Internet Applications 최양희서울대학교컴퓨터공학부 13. Internet Applications 최양희서울대학교컴퓨터공학부 Internet Applications Telnet File Transfer (FTP) E-mail (SMTP) Web (HTTP) Internet Telephony (SIP/SDP) Presence Multimedia (Audio/Video Broadcasting, AoD/VoD) Network

More information

[MS-EUMSDP]: Exchange Unified Messaging Session Description Protocol Extension

[MS-EUMSDP]: Exchange Unified Messaging Session Description Protocol Extension [MS-EUMSDP]: Exchange Unified Messaging Session Description Protocol Extension Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open

More information

CASP Cross- Application Signaling Protocol

CASP Cross- Application Signaling Protocol CASP Cross- Application Signaling Protocol Henning Schulzrinne August 27, 2002 Overview Protocol properties Message delivery Transport protocol usage Message forwarding Message format Next-hop discovery

More information

The Internetworking Problem. Internetworking. A Translation-based Solution

The Internetworking Problem. Internetworking. A Translation-based Solution Cloud Cloud Cloud 1 The Internetworking Problem Internetworking Two nodes communicating across a network of networks How to transport packets through this heterogeneous mass? A B The Internetworking Problem

More information

A Firewall/NAT Traversal Client for CASP

A Firewall/NAT Traversal Client for CASP Internet Engineering Task Force INTERNET-DRAFT draft-tschofenig-nsis-casp-midcom-01.ps Status of this Memo A Firewall/NAT Traversal Client for CASP H. Tschofenig, H. Schulzrinne, C. Aoun Siemens/Columbia

More information

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28 Int ernet w orking Internet Security Literature: Forouzan: TCP/IP Protocol Suite : Ch 28 Internet Security Internet security is difficult Internet protocols were not originally designed for security The

More information

Application Note Asterisk BE with SIP Trunking - Configuration Guide

Application Note Asterisk BE with SIP Trunking - Configuration Guide Application Note Asterisk BE with SIP Trunking - Configuration Guide 23 January 2009 Asterisk BE SIP Trunking Table of Contents 1 ASTERISK BUSINESS EDITION AND INGATE... 1 1.1 SIP TRUNKING SUPPORT... 2

More information

CSC 474/574 Information Systems Security

CSC 474/574 Information Systems Security CSC 474/574 Information Systems Security Topic 7.4 Firewalls CSC 474/574 Dr. Peng Ning 1 Outline What are firewalls? Types Filtering Packet filtering Session filtering Proxy Circuit Level Application Level

More information

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation W is a Firewall firewall = wall to protect against fire propagation Internet Security: Firewall More like a moat around a medieval castle restricts entry to carefully controlled points restricts exits

More information

VG422R. User s Manual. Rev , 5

VG422R. User s Manual. Rev , 5 VG422R User s Manual Rev 1.0 2003, 5 CONGRATULATIONS ON YOUR PURCHASE OF VG422R... 1 THIS PACKAGE CONTAINS... 1 CONFIRM THAT YOU MEET INSTALLATION REQUIREMENTS... 1 1. INSTALLATION GUIDE... 2 1.1. HARDWARE

More information

M. Petit-Huguenin. Obsoletes: 5389 (if approved) Intended status: Standards Track Expires: September 6, D. Wing

M. Petit-Huguenin. Obsoletes: 5389 (if approved) Intended status: Standards Track Expires: September 6, D. Wing TRAM Internet-Draft Obsoletes: 5389 (if approved) Intended status: Standards Track Expires: September 6, 2018 M. Petit-Huguenin Impedance Mismatch G. Salgueiro J. Rosenberg Cisco D. Wing R. Mahy Unaffiliated

More information

CDCS: a New Case-Based Method for Transparent NAT Traversals of the SIP Protocol

CDCS: a New Case-Based Method for Transparent NAT Traversals of the SIP Protocol CDCS: a New Case-Based Method for Transparent NAT Traversals of the SIP Protocol Mustapha GUEZOURI LISSI/SCTIC, University of Paris XII-Val de Marne, France e-mail mguezouri@yahoo.fr and Abdelhamid MELLOUK

More information

Common Components. Cisco Unified Border Element (SP Edition) Configuration Profile Examples 5 OL

Common Components. Cisco Unified Border Element (SP Edition) Configuration Profile Examples 5 OL The following components of the Cisco Unified Border Element are common to all of the configuration profile examples in this document. Secure Media Adjacencies Call Policies CAC Policies SIP Profiles 5

More information

Network and Security: Introduction

Network and Security: Introduction Network and Security: Introduction Seungwon Shin KAIST Some slides are from Dr. Srinivasan Seshan Some slides are from Dr. Nick Mckeown Network Overview Computer Network Definition A computer network or

More information

Read the following information carefully, before you begin an upgrade.

Read the following information carefully, before you begin an upgrade. Read the following information carefully, before you begin an upgrade. Review Supported Upgrade Paths, page 1 Review Time Taken for Upgrade, page 1 Review Available Cisco APIC-EM Ports, page 2 Securing

More information

Security and Lawful Intercept In VoIP Networks. Manohar Mahavadi Centillium Communications Inc. Fremont, California

Security and Lawful Intercept In VoIP Networks. Manohar Mahavadi Centillium Communications Inc. Fremont, California Security and Lawful Intercept In VoIP Networks Manohar Mahavadi Centillium Communications Inc. Fremont, California Agenda VoIP: Packet switched network VoIP devices VoIP protocols Security and issues in

More information