Post on 11-Feb-2016
© 2001 Intertex Data AB, All Rights Reserved Spring VON 2001 Demo 1
Intertex Data AB, Sweden
IX66 Internet Gate: A Firewall with SIP Support
Prepared for: Voice On the Net DEMO, Spring 2001
By: Henrik Bergstrom, Research and Development, Intertex Data AB, henrik.bergstrom@intertex.se
Demo Setup
(Diagram) Internet (public addresses), PSTN, GSM, LAN (private addresses), SIP Home Appliances Controller
SIP to GSM through Firewall
(Diagram) Components: LAN, PSTN Gateway, Internet, PSTN, Firewall/NAT, SIP Proxy / Registrar (SIP Server, siplab.net), GSM Gateway
Call flow labels: Dialling lars@siplab.net; dynamic session setup; SIP forwarding; RINGING!
SIP to SIP through Firewall
(Diagram) Internet (public addresses) and LAN (private addresses); flows shown: REGISTER, OUTBOUND CALL, INBOUND CALL
SIP Home Appliances Control
Example request: DO sip:lamp@207.137.6.52 with body <Device>lamp</Device><Action>power on</Action>
(Diagram) Internet (Ethernet) and LAN (Ethernet); SIP Server (siplab.net) and SIP Home Appliances Controller, both connected via SIP
"Media Proxy" Setup
(Diagram) A non-SIP-capable firewall between LAN and WAN (Internet) with a DMZ; media streams and SIP signalling pass through a SIP capable firewall acting as media proxy
SIP Capable Firewall functionality
General:
• Dynamic control of access lists ("holes"), based on SIP and SDP data
• Session statefulness, e.g. to track end of call
• Understanding of security issues in SIP, i.e. don't allow everything in the protocol
Additional for NAT (Network Address Translation):
• Rewriting of SIP and SDP data
• Media stream translation
Accessing Protected Devices
Firewall Problems:
• Sessions initiated from outside of the firewall: OK, open port 5060, but…
• Media streams on dynamically allocated port numbers: Ooops…!
Even with public IP addresses inside
Accessing Protected Devices
NAT & PAT Problems:
• Where is the device? Registration/location function
• Private IP addresses and ports in SIP messages: rewrite with globally routable addresses
• IP address and port of media stream has to be modified: NAT engine has to be dynamically controlled
Worse with private IP addresses inside
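As an added example (not code from the deck or from Intertex), the following Python sketch shows the behaviour described on the firewall functionality slide and the NAT slide above: an access-list hole is opened only from the SDP c=/m= lines of an outbound INVITE, the private address and port are rewritten to the firewall's public side, and the hole is closed again when the BYE for the same Call-ID passes. The messages, the private LAN address and the public address are constructed sample values.

```python
import re

# Constructed sample messages from a LAN phone behind the firewall; addresses are example values.
INVITE = ("INVITE sip:lars@siplab.net SIP/2.0\r\nCall-ID: 42@192.168.1.20\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\no=henrik 1 1 IN IP4 192.168.1.20\r\ns=call\r\n"
          "c=IN IP4 192.168.1.20\r\nm=audio 49170 RTP/AVP 0\r\n")
BYE = "BYE sip:lars@siplab.net SIP/2.0\r\nCall-ID: 42@192.168.1.20\r\n\r\n"

def parse_sip(msg):
    """Split a SIP message into request line, lower-cased header dict and body."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    hdrs = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return lines[0], hdrs, body

class SipAwareNat:
    """Minimal SIP-aware NAT: opens one media pinhole per call from the SDP,
    rewrites c=/m= to the public side, and closes the hole on BYE."""

    def __init__(self, public_ip, first_port=30000):
        self.public_ip, self.next_port = public_ip, first_port
        self.pinholes = {}  # Call-ID -> (private_ip, private_port, public_port)

    def outbound(self, msg):
        req, hdrs, body = parse_sip(msg)
        call_id = hdrs["call-id"]
        if req.startswith("INVITE ") and hdrs.get("content-type") == "application/sdp":
            # Only the c= and m= lines decide which media port to open: the
            # access list is widened by SDP data alone, never by other headers.
            priv_ip = re.search(r"^c=IN IP4 (\S+)", body, re.M).group(1)
            priv_port = int(re.search(r"^m=audio (\d+) ", body, re.M).group(1))
            pub_port, self.next_port = self.next_port, self.next_port + 2
            self.pinholes[call_id] = (priv_ip, priv_port, pub_port)
            body = re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {self.public_ip}", body, flags=re.M)
            body = re.sub(r"^m=audio \d+ ", f"m=audio {pub_port} ", body, flags=re.M)
            return msg.split("\r\n\r\n", 1)[0] + "\r\n\r\n" + body
        if req.startswith("BYE "):
            self.pinholes.pop(call_id, None)  # session stateful: end of call closes the hole
        return msg

    def inbound_media_target(self, wan_port):
        # Where an inbound UDP packet to wan_port is forwarded, or None if it is dropped.
        for priv_ip, priv_port, pub_port in self.pinholes.values():
            if pub_port == wan_port:
                return priv_ip, priv_port
        return None
```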
Home Appliances Control
Control your temperature, refrigerator, alarm, toaster and more…
An extension to SIP in progress. See www.research.telcordia.com/iapp/ and http://search.ietf.org/internet-drafts/draft-moyer-sip-appliances-framework-01.txt
Submitted to OSGI. See http://www.osgi.org
The Intertex IX66 Internet Gate
As Internet Gate "only" or with integrated ADSL modem
The Intertex IX66 series OEM as:
• PowerBit
• Telia SurfinBird
The Intertex IX66 Internet Gate
A closer look
• Firewall & NAT/PAT
• SIP Proxy and Registrar
• DHCP Server
• WEB Server for configuration
• Appliance control, LAC via expansion port
The Intertex IX66 Internet Gate
Goodies
• Two Ethernet and one USB port
• Expansion port, e.g. for appliance control
• Smart Card Reader
• Upgradeable
• And more…
Optional ADSL Built-in
SIP Capable Firewalls
Products from Intertex
IX66 for the SOHO market, with or without ADSL
Linux based firewall for larger LANs
Linux based Media Proxy as an add-on to existing firewalls. Handles large systems.