Editor's note: This article is excerpted from Securing VoIP Networks, Addison Wesley, 2007
This passage is from Chapter 8: VoIP and Network Security Controls, pp. 280-290.
VoIP Firewalls and NAT
VoIP firewalls help protect against various attacks by enforcing policies on inbound and outbound traffic and supporting Network and Port Address Translation (NAPT). NAT provides internal network topology hiding and suppresses external attacks against internal hosts.
Providing NAT also introduces an impediment to properly manage Internet multimedia sessions. One of the deployment issues with VoIP and firewalls is proper session management. When a VoIP phone that is located behind a NAT firewall initiates a call to another phone, the signaling messages include information that reflect properties of the originating phone. This information includes the phone's local IP address and port that the message was sent from and the ports on which signaling and media messages should be received. If the remote phone is located outside the NAT firewall, the information contained in the signaling messages will be invalid because they reflect the addressing of the internal network.
|FIGURE 8.9: SIP NAT traversal problem|
Figure 8.9 (below) provides an example in which a signaling message from host 192.168.1.5 is sent to Bob's phone at email@example.com with address 192.168.200.5. Note two important items here. First, the IP address of the message has changed from 192.168.1.5 to 192.168.100.60. Second, the IP address advertised in the SIP message where the signaling and media messages should be sent is 192.168.1.5, which is incorrect. When Bob answers the phone, it will start transmitting media to IP address 192.168.1.5 rather than 192.168.100.60, and all packets will be discarded. The NAT firewall has to be able to inspect the SIP messages and make the necessary modifications to the SIP/SDAP headers to reflect the appropriate IP addresses and ports that should be used (in this case, the NAT firewall's external IP address and port from which the request was sent). In addition, the NAT firewall should be ready to accept RTP traffic from Bob's phone by inspecting the SDP headers and identifying which ports have been negotiated between the two end points.
The IETF has developed approaches to overcome problems with SIP and NAT'ing. These solutions are defined within the ICE methodology and include the STUN (Simple Traversal of UDP through NAT, RFC 3489) protocol and TURN (Traversal Using Relay NAT).
Although VoIP firewalls provide some protection, as mentioned earlier, and they can recognize and handle VoIP communications, they cannot offer the necessary scalability that is required to support IP multimedia communications in carrier-grade environments where it is required to manage millions of simultaneous multimedia sessions. Therefore, the functionality to manage multimedia sessions is dedicated to devices such as SBCs (session border controllers). [continued on page 2]
Reproduced from the book Securing VoIP Networks, Addison Wesley, Copyright 2008, Pearson Education, Inc.
Reproduced by permission.
Visit www.aw-bc.com for a detailed description and to learn how to purchase this title.
This excerpt first appeared on our sister website, ISP-Planet.com.