Editor’s note: This article is excerpted from Securing VoIP Networks, Addison Wesley, 2007
This passage is from Chapter 8: VoIP and Network Security Controls, pp. 280-290.
VoIP Firewalls and NAT
VoIP firewalls help protect against various attacks by enforcing policies
on inbound and outbound traffic and by supporting Network Address and Port
Translation (NAPT). NAT hides the internal network topology and hinders
unsolicited external connections to internal hosts.
NAT also complicates the management of Internet multimedia sessions, and
proper session management is one of the main deployment issues with VoIP
and firewalls. When a VoIP phone located behind a NAT firewall initiates a
call to another phone, its signaling messages carry properties of the
originating phone: the phone's local IP address and the port the message
was sent from, and the address and ports on which it expects to receive
signaling and media. If the remote phone is outside the NAT firewall, that
information is invalid, because it refers to the addressing of the internal
network, which is not reachable from outside.
FIGURE 8.9: SIP NAT traversal problem
Figure 8.9 shows a signaling message from host 192.168.1.5 sent to Bob's
phone at address 192.168.200.5. Note two important items. First, the source
IP address of the packet has been translated from 192.168.1.5 to
192.168.100.60, the NAT firewall's external address. Second, the IP address
advertised inside the SIP message, where the signaling and media replies
should be sent, is still 192.168.1.5, which is incorrect from Bob's side.
When Bob answers the phone, it will start transmitting media to 192.168.1.5
rather than 192.168.100.60, and all of those packets will be lost. The NAT
firewall therefore has to inspect the SIP messages and modify the SIP and
SDP headers (the Via and Contact headers, and the c= and m= lines of the
SDP body) so that they carry the addresses and ports that should actually
be used: in this case, the NAT firewall's external IP address and the port
from which it forwarded the request. In addition, the NAT firewall must be
ready to accept RTP traffic from Bob's phone; it does this by inspecting
the SDP, identifying the media ports negotiated between the two endpoints,
and opening those pinholes only for the duration of the call.
The IETF has developed approaches to overcome the problems of SIP and NAT.
They fall under the ICE (Interactive Connectivity Establishment) methodology
and include STUN (Simple Traversal of UDP through NAT, RFC 3489), which lets
a phone discover the external address and port the NAT has assigned to it so
that it can advertise those in its own signaling, and TURN (Traversal Using
Relay NAT), which relays media through a server outside the NAT for the cases,
such as symmetric NAT, in which a STUN-discovered mapping cannot be reused by
the peer. Since this chapter was written, STUN has been revised as RFC 5389
(and renamed Session Traversal Utilities for NAT), TURN has been published as
RFC 5766 (Traversal Using Relays around NAT), and ICE as RFC 5245.
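As an added example (not code from the book), the following Python script builds a STUN Binding exchange in the RFC 5389 wire format, with both the client's request and the server's response constructed inline, and the client-side parser that recovers the reflexive address the phone would then advertise in its SDP. It also shows why RFC 5389 replaced the plaintext MAPPED-ADDRESS of RFC 3489 with XOR-MAPPED-ADDRESS: a NAT that rewrites its own public address wherever the raw bytes appear in an inbound payload (modelled by naive_payload_nat, a constructed stand-in, not any real product) corrupts the plaintext attribute but not the XORed one. The addresses are those of Figure 8.9; function names and the fixed transaction ID are assumptions.

```python
"""Added example (not from the book): STUN Binding request/response per RFC 5389,
and why the XOR-MAPPED-ADDRESS attribute replaced RFC 3489's MAPPED-ADDRESS."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
MAPPED_ADDRESS = 0x0001      # RFC 3489: address carried in the clear
XOR_MAPPED_ADDRESS = 0x0020  # RFC 5389: address XORed with the magic cookie
IPV4 = 0x01


def binding_request(txid=None):
    """Client -> server: 20-byte header, no attributes. txid is 96 random bits."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def _attribute(atype, value):
    """TLV padded to a 4-byte boundary; the length field excludes the padding."""
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def binding_response(txid, ip, port, use_xor=True):
    """Server -> client: echoes txid and reports the source address/port it saw,
    i.e. the client's reflexive transport address (the NAT's outside mapping)."""
    addr = struct.unpack("!I", socket.inet_aton(ip))[0]
    if use_xor:
        value = struct.pack("!BBHI", 0, IPV4, port ^ (MAGIC_COOKIE >> 16), addr ^ MAGIC_COOKIE)
        body = _attribute(XOR_MAPPED_ADDRESS, value)
    else:
        body = _attribute(MAPPED_ADDRESS, struct.pack("!BBHI", 0, IPV4, port, addr))
    return struct.pack("!HHI", BINDING_SUCCESS, len(body), MAGIC_COOKIE) + txid + body


def reflexive_address(response, expected_txid):
    """Client side: validate header, cookie and transaction ID, then return (ip, port).
    XOR-MAPPED-ADDRESS is preferred when both attributes are present."""
    if len(response) < 20:
        raise ValueError("short STUN message")
    mtype, length, cookie = struct.unpack("!HHI", response[:8])
    if mtype != BINDING_SUCCESS or cookie != MAGIC_COOKIE or response[8:20] != expected_txid:
        raise ValueError("not a Binding success response for our transaction")
    if len(response) != 20 + length:
        raise ValueError("length field does not match message size")
    found = None
    pos = 20
    while pos + 4 <= len(response):
        atype, alen = struct.unpack("!HH", response[pos:pos + 4])
        value = response[pos + 4:pos + 4 + alen]
        pos += 4 + alen + ((-alen) % 4)
        if atype not in (MAPPED_ADDRESS, XOR_MAPPED_ADDRESS) or len(value) != 8:
            continue
        _, family, port, addr = struct.unpack("!BBHI", value)
        if family != IPV4:
            continue
        if atype == XOR_MAPPED_ADDRESS:
            port ^= MAGIC_COOKIE >> 16
            addr ^= MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        found = (socket.inet_ntoa(struct.pack("!I", addr)), port)
    if found is None:
        raise ValueError("no mapped address attribute")
    return found


def naive_payload_nat(packet, public_ip, private_ip):
    """Constructed stand-in for a NAT that rewrites its own public address back to
    the private one wherever the raw bytes occur in an inbound payload."""
    return packet.replace(socket.inet_aton(public_ip), socket.inet_aton(private_ip))


if __name__ == "__main__":
    txid = bytes(range(12))  # fixed for reproducibility; use os.urandom(12) in practice
    nat_outside, nat_port = "192.168.100.60", 5060
    print("request:", binding_request(txid).hex())
    for use_xor in (False, True):
        reply = naive_payload_nat(binding_response(txid, nat_outside, nat_port, use_xor),
                                  nat_outside, "192.168.1.5")
        print("xor" if use_xor else "plain", "->", reflexive_address(reply, txid))
```

With the plaintext attribute the phone behind the payload-rewriting NAT learns 192.168.1.5, its own private address, and would advertise that in its SDP, recreating exactly the failure of Figure 8.9; with the XORed attribute it learns 192.168.100.60:5060 and can advertise a reachable address. A real client also retransmits the request with the RFC 5389 timers and checks the MESSAGE-INTEGRITY attribute when credentials are in use, which this example omits.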
Although VoIP firewalls provide some protection, as noted earlier, and can
recognize and handle VoIP sessions, they do not offer the scalability needed
for IP multimedia communications in carrier-grade environments, where millions
of simultaneous multimedia sessions must be managed. In such environments the
management of multimedia sessions is therefore delegated to dedicated devices,
session border controllers (SBCs).
Reproduced from the book Securing VoIP Networks, Addison Wesley, Copyright 2008, Pearson Education, Inc.
Reproduced by permission.
This excerpt first appeared on our sister website, ISP-Planet.com.