How to use voice and video communication through firewalls and NAT

Source: Internet
Author: User

Q: How does voice and video communication go through firewalls and NAT?

A: Actually, the simplest way to solve firewall and NAT problems is to avoid using them. For most organizations, however, this approach is too risky: network security cannot be guaranteed, and it may be difficult and expensive to obtain enough routable IP addresses.

Therefore, most organizations that want to use IP for multimedia communication will inevitably face the challenges of firewalls or NAT. In fact, most organizations use both a firewall and NAT, so solving only one of the two problems is not enough. Some existing solutions are as follows:

1. Use the PSTN Gateway

If you are not very concerned about IP-based communication outside the LAN, you can use a gateway that converts IP voice and video on the LAN to circuit-switched PSTN voice and video. With such a gateway you do not need to worry about firewall traversal, because no data packets need to pass through the firewall. This also solves the NAT problem: all calls to terminals in the LAN are routable, because calls enter the LAN through the gateway. Today, most IP phones communicate with non-IP phones through a gateway. The gateway method is a local solution that requires every caller to have a corresponding gateway behind the last NAT and firewall.

2. DMZ MCU

Some organizations solve firewall and NAT traversal problems by placing the MCU in the so-called DMZ area. The DMZ is usually located between the external Internet and the internal network firewall. Organizations that want to provide their own Internet services (such as web, ftp, email, and domain name services) generally place these services in the DMZ, which protects their private networks well.

The MCU in the DMZ area is fitted with two NICs: one NIC provides an entry point into the private network and the other NIC provides an entry point to the Internet. One of the biggest disadvantages of this solution is that an MCU is required even for point-to-point calls. If there are multiple NAT devices in the call path, an MCU must be placed at each NAT device location.

3. H.323 proxy

The H.323 proxy can be used to solve the NAT problem alone or the NAT and firewall problems together, depending on how the proxy is configured. The proxy is actually a special type of gateway, but it does not convert one IP protocol into another: the same protocol is used on both sides of the proxy. The proxy makes the call from one terminal to another look like two separate calls, one from the private network terminal to the proxy and the other from the proxy to the public network terminal; the proxy solves the NAT problem by relaying the call in this way.

An H.323 proxy generally combines the standard gatekeeper function with an RTP/RTCP media stream proxy function. A typical application of this solution is to put an H.323 proxy behind the firewall, with the proxy assigned a public IP address. The firewall is configured to allow the proxy to exchange media with the outside. Sometimes NAT devices are deployed at many locations along the network path; in this case, you need to place a proxy at each location where NAT is used.

4. Application Layer Gateway

An application layer gateway (ALG) is a firewall designed to recognize specific IP protocols (such as H.323 and SIP); it is also called an ALG firewall. It does not simply check packet header information to decide whether a packet may pass, but analyzes the packet payload at a deeper layer, that is, the application-layer data. Both the H.323 and SIP protocols carry important control information in the payload, such as the data ports on which the voice and video terminals will receive voice and video data from other terminals. By parsing the payload to learn which ports are needed, the firewall dynamically opens exactly those ports, and all other ports remain safely closed.

If NAT is used to hide internal IP addresses, the ALG also needs a proxy. Some firewall vendors build the proxy into the ALG so that it traverses NAT as well.

Major firewall vendors, such as Cisco, Checkpoint, and Gauntlet, provide an H.323 ALG upgrade for their firewall products. However, most firewalls do not yet support ALG. This solution also has some disadvantages: payload analysis increases the firewall's processing load, affects network operation, and makes the firewall a potential bottleneck; and if there are multiple layers of firewalls and NAT, each firewall on the call path must be upgraded to support ALG. For most companies the firewall is a key component of the network, so adding an ALG may be difficult in some companies.
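To make the ALG behaviour concrete, here is an added toy example (not code from the page or from any firewall vendor) that inspects the SDP offer inside a SIP INVITE, derives the RTP/RTCP ports the caller will receive media on, and allows only those pinholes; the INVITE, addresses and ports are constructed.

```python
"""Toy ALG: parse the SDP offer inside a SIP INVITE, learn the UDP ports the
caller will receive media on, and open only those pinholes. Added example,
not from the original page; the INVITE below is constructed."""
import re

# Constructed sample INVITE with an SDP offer (not a real capture).
SAMPLE_INVITE = (
    "INVITE sip:bob@203.0.113.20 SIP/2.0\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 10.0.0.5\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
    "c=IN IP4 10.0.0.6\r\n"   # media-level c= overrides the session-level one
)

def parse_sdp_pinholes(message):
    """Return {(ip, port): label} covering RTP and RTCP (port+1) of every m= line."""
    headers, _, body = message.partition("\r\n\r\n")
    if "application/sdp" not in headers:
        return {}                      # nothing to inspect, so no ports are opened
    session_ip, sections, current = None, [], None
    for line in body.strip().split("\r\n"):
        if line.startswith("m="):
            current = {"m": line, "c": None}
            sections.append(current)
        elif line.startswith("c=IN IP4 "):
            if current is None:
                session_ip = line[9:]    # session-level default address
            else:
                current["c"] = line[9:]  # media-level override
    holes = {}
    for sec in sections:
        kind, port = re.match(r"m=(\w+) (\d+) ", sec["m"]).groups()
        ip = sec["c"] or session_ip
        holes[(ip, int(port))] = f"{kind}-rtp"
        holes[(ip, int(port) + 1)] = f"{kind}-rtcp"
    return holes

def firewall_decision(holes, dst_ip, dst_port, proto="udp"):
    """Allow a packet only if it targets a pinhole the ALG opened; all else stays closed."""
    if proto == "udp" and (dst_ip, dst_port) in holes:
        return "allow:" + holes[(dst_ip, dst_port)]
    return "drop"

if __name__ == "__main__":
    pinholes = parse_sdp_pinholes(SAMPLE_INVITE)
    for (ip, port), label in sorted(pinholes.items()):
        print(f"open udp {ip}:{port}  ({label})")
    print(firewall_decision(pinholes, "10.0.0.5", 5060))   # drop: not a media port
```

A real ALG would also track the answer SDP, close the pinholes when the dialog ends, and rewrite the addresses when NAT is in the path, which is the proxy function the text mentions.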

5. Virtual Private Network (VPN)

VPN technology is currently one of the methods to provide secure communication over an IP network. It can solve the firewall traversal problem within the same VPN network. In the near future, the VPRN technology that ensures network security and QoS will be the most promising solution for multimedia communication over IP networks.

In VPN technology, IPSec is used together with the UDP and TCP layers to provide secure IP communication. However, because VPN technology based on IPSec uses its own connection identifiers instead of UDP or TCP ports, and the layers above IPSec are encrypted, this mechanism does not work with NAT, especially NAPT. To solve the NAT traversal problem, it is best to choose a solution from one vendor that integrates firewall, NAPT and VPN functions.

In addition, although the VPN solution is secure, it only allows devices in the same VPN to communicate with each other; they cannot communicate with end users on the public network.

6. Tunnel penetration solution

Generally, CEN does not want to upgrade or modify the configuration of its firewalls and NAT devices, nor to allow internal and external traffic to bypass these devices, so it may be most appropriate to adopt a tunneling solution that lets IP voice and video penetrate the firewall and NAT. Currently, the US company Ridgeway provides such a solution.

The tunnel penetration solution consists of two components: Server software and Client software. The Client is placed on the private network inside the firewall and also provides gatekeeper and proxy functions; terminals in the private network register with the Client. It creates a signaling and control channel to the Server outside the firewall, over which all registration and call control signals, as well as audio and video data, are forwarded to the Server. During forwarding, it replaces the address and port number of packets sent from the internal terminal, and of packets sent from the external terminal, with its own. The Server is placed in a public space outside the firewall; it can be located in the service provider's network or in the DMZ area of the enterprise network. The Server acts as a gatekeeper agent: all registration and call signals received from the Client are forwarded by the Server to the central gatekeeper.

The communication between the Server and Client mainly passes through two fixed ports, 2776 and 2777, which IANA allocated to the Ridgeway system.

When the private network Client is started:

1. It establishes a fixed connection with port 2776 on the Server to transmit control and status information;

2. It listens for H.323 gatekeeper registration and request messages from the private network.

When a terminal is started:

1. The terminal sends registration information to the central gatekeeper through a connection between the Client and Server;

2. The Server assigns a unique port number (on the Server's IP address) to each registered terminal.

When a terminal calls another terminal outside the firewall, all data packets are routed to the Server through the Client, and the returned data is likewise routed from the Server to the terminal through the Client. After a call is established, the Client ensures that all necessary audio and video channels through the firewall are open, so that audio and video data can be transmitted through the channels opened on these firewalls.

With this method, internal IP address information is well shielded: because all data packets are routed and forwarded through the Server, each terminal appears to communicate directly with the Server rather than with other terminals, so the terminal's IP address is never visible outside the network. In most cases you do not need to modify the firewall configuration; the administrator can create a simple rule that allows outbound connections from the Client to the Server on the two fixed ports 2776 and 2777.

The biggest drawback of this method is that all communication through the firewall must be relayed by the Server, which may become a bottleneck. Passing through the Client and Server adds less than 5 ms of latency. However, this is unavoidable, because the Server is the only device trusted by the firewall.
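The following added model (not Ridgeway's code, nor code from the page) illustrates the relay and trust structure just described: the Server hands each registered terminal its own port, the Client forwards terminal traffic under its own address, and a single outbound rule to ports 2776/2777 is all the firewall needs; every address, terminal id and the Client's source port are constructed assumptions.

```python
"""Model of the tunnel solution above. Added example; addresses, terminal ids
and the Client source port are constructed, not taken from Ridgeway's product."""
from dataclasses import dataclass

CONTROL_PORT, MEDIA_PORT = 2776, 2777   # the two fixed ports the page names
CLIENT_SRC_PORT = 40000                 # assumed Client-side source port

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Server:
    """Public side: each registered terminal gets its own port on the Server's IP."""
    def __init__(self, public_ip, first_port=20000):   # first_port is constructed
        self.public_ip, self.next_port, self.registry = public_ip, first_port, {}

    def register(self, terminal_id):
        if terminal_id not in self.registry:          # re-registration keeps its port
            self.registry[terminal_id] = self.next_port
            self.next_port += 1
        return (self.public_ip, self.registry[terminal_id])

class Client:
    """Private side: a forwarded packet leaves with the Client's address, not the terminal's."""
    def __init__(self, own_ip, server):
        self.own_ip, self.server = own_ip, server

    def forward(self, pkt, control=False):
        dst_port = CONTROL_PORT if control else MEDIA_PORT
        return Packet(self.own_ip, CLIENT_SRC_PORT, self.server.public_ip, dst_port)

def firewall_allows(pkt, client_ip, server_ip):
    """The one outbound rule the administrator needs: Client -> Server on 2776/2777."""
    return (pkt.src_ip == client_ip and pkt.dst_ip == server_ip
            and pkt.dst_port in (CONTROL_PORT, MEDIA_PORT))

def run_demo():
    server = Server("203.0.113.10")
    client = Client("10.0.0.2", server)
    mapping = {t: server.register(t) for t in ("term-a", "term-b", "term-a")}
    inner = Packet("10.0.0.5", 5004, "198.51.100.7", 5004)   # terminal -> remote peer
    tunneled = client.forward(inner)
    return {
        "ports_unique": len({p for _, p in mapping.values()}) == 2,
        "direct_blocked": not firewall_allows(inner, client.own_ip, server.public_ip),
        "tunneled_allowed": firewall_allows(tunneled, client.own_ip, server.public_ip),
        "terminal_hidden": inner.src_ip not in (tunneled.src_ip, tunneled.dst_ip),
    }
```

`run_demo()` returns all four properties as True: a terminal's direct packet is dropped, the relayed packet passes the single rule, and the terminal's private address never appears in what crosses the firewall.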
