Firewalls, Network Address Translators (NATs), and H.323 (PowerPoint presentation transcript)

Provided by: cnscenter
1
Firewalls, Network Address Translators (NATs),
and H.323
  • Joon Maeng
  • joon_maeng_at_vtel.com
  • Chief Scientist
  • VTEL Corp.
  • October 11, 2000

2
Network Layers
[Diagram: protocol stack from the Application layer (7) down through Presentation (6), Session (5), Transport (4), Network (3) and Data Link (2) to the Physical layer (1)]
  • Application protocols and their well-known ports: FTP (21), HTTP (80), H.323 call signalling (1720), SIP (5060), SNMP (161); RTP media uses dynamically assigned ports
  • Transport: TCP (IP protocol ID 6) and UDP (IP protocol ID 17)
  • Network: IP (Ethernet type code 0800H); ARP (Ethernet type code 0806H)
  • Data link / physical: Ethernet software and hardware, MAC addresses
  • Media stream encapsulation: Ethernet header | IP header | UDP header | RTP header | A/V payload
3
Shared IP Network Landscape (e.g., Internet, Shared IP Backbone)
[Diagram: the shared IP network connects individuals with a single host and no firewall (mostly dialup modem), individuals with multiple hosts behind a NAT (mostly DSL and cable), and corporate networks and universities behind firewalls and NATs]
4
Network Address Translator (NAT)
[Diagram: a NAT sits between the private network (corporate network, home network) and the Internet or public IP network]
  • Address translation between public and private networks
  • A large private network can use a small set of public addresses
  • Security (private addresses are not known to the public network). Note that this only hides addresses; a NAT by itself does not filter traffic and is not a substitute for a firewall
  • Private IP addresses (RFC 1918):
  • 10.0.0.0 - 10.255.255.255 (10/8 prefix)
  • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
  • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

ftp://ftp.isi.edu/in-notes/rfc2663.txt
5
NAT (Contd)
  • Types of NATs
  • Traditional NAT (unidirectional or outbound NAT): sessions originate in the private address realm and go toward the public address realm
  • Network address and port translator (NAPT): many private hosts share one public address by translating port numbers as well as addresses

[Diagram: basic NAT. Host 10.33.96.5 reaches server 198.76.28.4 through a NAT whose public address is 198.76.29.7]
  Host -> NAT:      s 10.33.96.5   d 198.76.28.4
  NAT -> Server:    s 198.76.29.7  d 198.76.28.4
  Server -> NAT:    s 198.76.28.4  d 198.76.29.7
  NAT -> Host:      s 198.76.28.4  d 10.33.96.5

[Diagram: NAPT. Host A (10.33.96.5) and Host B (10.33.96.10) share public address 198.76.29.7 toward the server's port 80; the NAPT tells the two sessions apart by the source port it assigns]
  Host A -> NAPT:   s 10.33.96.5:1257   d 198.76.28.4:80
  NAPT -> Server:   s 198.76.29.7:6345  d 198.76.28.4:80
  Host B -> NAPT:   s 10.33.96.10:237   d 198.76.28.4:80
  NAPT -> Server:   s 198.76.29.7:8896  d 198.76.28.4:80
6
NAT (Contd)
  • Bi-directional NAT or two-way NAT: sessions can be initiated from either realm
  • Twice NAT: translates both source and destination addresses
  • Multi-homed NAT
  • A NAT is a logical function, usually embedded in a border router (or in the same device as the firewall)
  • NATs are stateful devices. They maintain a table of established, active sessions
  • Session termination
  • TCP: detection of FIN (or RST) in the packet, or timeout
  • UDP: timeout only (there is no close handshake to observe)
  • NAT default timeouts (configurable):
  • udp-timeout is 300 seconds (5 minutes)
  • dns-timeout is 60 seconds (1 minute)
  • tcp-timeout is 86400 seconds (24 hours)
  • finrst-timeout is 60 seconds (1 minute)
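
The NAPT translation of slide 5 and the session table and timeouts of slide 6, as a runnable model. This is an added example, not code from the presentation or from VTEL. Hosts and addresses follow slide 5 (10.33.96.5 and 10.33.96.10 behind public address 198.76.29.7, server 198.76.28.4); allocating public ports sequentially from 6345 is an assumption of the model (the slide shows 8896 for the second session), and the idle timers are the slide-6 defaults.

```python
"""Toy NAPT with a stateful session table and idle timeouts.

Added example, not code from the presentation. Port allocation
(sequential from 6345) is an assumption; timeouts are the slide-6 defaults.
"""
import itertools

TIMEOUTS = {"udp": 300, "tcp": 86400, "finrst": 60}   # seconds, from slide 6


class NAPT:
    def __init__(self, public_ip, first_port=6345):
        self.public_ip = public_ip
        self.ports = itertools.count(first_port)
        # session table: (proto, priv_ip, priv_port, dst_ip, dst_port) -> state
        self.table = {}
        # reverse index for inbound lookups: (proto, pub_port, dst_ip, dst_port) -> key
        self.by_public = {}

    def _limit(self, proto, st):
        return TIMEOUTS["finrst"] if st["closing"] else TIMEOUTS[proto]

    def _expire(self, key):
        st = self.table.pop(key)
        del self.by_public[(key[0], st["pub_port"], key[3], key[4])]

    def outbound(self, pkt, now, flags=()):
        """Private -> public. The first packet creates the binding (the
        'unidirectional' NAT of slide 5); later packets refresh it."""
        proto, src, sport, dst, dport = pkt
        key = (proto, src, sport, dst, dport)
        st = self.table.get(key)
        if st is None:
            st = {"pub_port": next(self.ports), "last": now, "closing": False}
            self.table[key] = st
            self.by_public[(proto, st["pub_port"], dst, dport)] = key
        st["last"] = now
        if proto == "tcp" and {"FIN", "RST"} & set(flags):
            st["closing"] = True          # slide 6: FIN/RST starts the short timer
        return (proto, self.public_ip, st["pub_port"], dst, dport)

    def inbound(self, pkt, now, flags=()):
        """Public -> private. Returns the translated packet, or None when there
        is no live binding: the packet is dropped. That is exactly the fate of
        an unsolicited H.323 Setup aimed at a host behind the NAPT."""
        proto, src, sport, dst, dport = pkt
        key = self.by_public.get((proto, dport, src, sport))
        if key is None:
            return None
        st = self.table[key]
        if now - st["last"] > self._limit(proto, st):
            self._expire(key)             # idle too long: binding torn down
            return None
        st["last"] = now
        if proto == "tcp" and {"FIN", "RST"} & set(flags):
            st["closing"] = True
        return (proto, src, sport, key[1], key[2])


def demo():
    """Walk the two slide-5 HTTP sessions and a UDP flow through the NAPT.
    All traffic below is constructed for the example."""
    nat = NAPT("198.76.29.7")
    r = {}
    r["a_out"] = nat.outbound(("tcp", "10.33.96.5", 1257, "198.76.28.4", 80), now=0)
    r["b_out"] = nat.outbound(("tcp", "10.33.96.10", 237, "198.76.28.4", 80), now=1)
    r["a_reply"] = nat.inbound(("tcp", "198.76.28.4", 80, "198.76.29.7", 6345), now=2)
    # nothing inside ever talked to this peer on these ports: dropped
    r["unsolicited"] = nat.inbound(("tcp", "198.76.28.4", 4321, "198.76.29.7", 1720), now=3)
    # a UDP (RTP-like) binding survives up to 5 minutes of silence, then vanishes
    nat.outbound(("udp", "10.33.96.5", 49152, "198.76.28.4", 49170), now=10)
    r["udp_alive"] = nat.inbound(("udp", "198.76.28.4", 49170, "198.76.29.7", 6347), now=300)
    r["udp_expired"] = nat.inbound(("udp", "198.76.28.4", 49170, "198.76.29.7", 6347), now=700)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value}")
```

The `udp_expired` case is Problem 5 from slide 16 in miniature: a media stream that goes quiet (or whose signalling connection closes) loses its binding, and the next inbound RTP packet is silently dropped rather than forwarded.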

7
Firewalls
[Diagram: a firewall sits between the private network (corporate network, home network) and the Internet or public IP network]
A system designed to prevent unauthorized access to or from a network domain. Firewalls can be implemented in hardware, in software, or as a combination of both. Firewalls are also used within private networks.
8
Packet Filter Firewalls
  • Operate purely at the IP and TCP/UDP layers
  • Allow or disallow packets on the basis of the source and/or destination IP address
  • Allow or disallow packets according to protocol and port number
  • Common policy
  • No UDP packets in or out
  • TCP packets are allowed out
  • TCP packets are allowed in only for specific servers (such as an HTTP server on port 80) and for connections already opened from inside

9
Application Level Firewalls
  • Act as a proxy for applications, performing all data exchanges with the remote system on their behalf
  • SOCKS (version 5, RFC 1928): requires a special proxy client
  • H.323 proxy firewalls, SIP proxy firewalls, etc.
  • Considered the most secure type of firewall, because the proxy understands the protocol it relays
  • A new proxy must be written for each protocol that you want to pass through the firewall
  • Proxy services introduce performance delays

10
Circuit Level Firewalls
  • Validate that a packet is either a connection request or a data packet belonging to an existing connection between two peer transport layers (TCP)
  • Unlike application level firewalls, they create a circuit between a client and a server without requiring that either application know anything about the service
  • Generally faster than application level firewalls
  • Cannot perform strict security checks on a higher-level protocol

11
H.323 Call Establishment
[Diagram: H.323 Zone A (Alice and gatekeeper GK-A) and H.323 Zone B (Bob and gatekeeper GK-B), each behind a router, connected across the public network]
  • Call scenario (from Alice to Bob)
  • Alice asks GK-A to call Bob
  • GK-A finds the IP address of GK-B from DNS
  • GK-A asks GK-B for Bob's IP address
  • GK-A sends a Setup message to Bob
  • Bob sends Connect to GK-A
  • GK-A relays Connect to Alice
  • Alice exchanges H.245 (or media) directly with Bob

12
Problem 1: Private IP Addresses
[Diagram: as on slide 11, but H.323 Zone A and Zone B now use private IP addresses and each sits behind a firewall/NAT; DNS is on the public network]
  • Call scenario (from Alice to Bob)
  • Alice asks GK-A to call Bob
  • GK-A finds the IP address of GK-B from DNS (a private GK IP address, not routable from Zone A)
  • GK-A asks GK-B for Bob's IP address (again a private IP address)
  • GK-A sends a Setup message to Bob
  • Bob sends Connect to GK-A
  • GK-A relays Connect to Alice
  • Alice exchanges H.245 (or media) with Bob (blocked by the firewalls)

13
Issues in Deploying H.323 (also SIP)
  • Problem 2: Dynamic ports for media traffic
  • H.323 (and SIP) uses TCP or UDP for call establishment and UDP for media transmission
  • Dynamic ports are used for the session bundling of media streams, so the port numbers are not known until the call is set up
  • Most firewalls will not allow inbound UDP
  • It is not realistic to open all the dynamic ports
  • H.323 application firewalls are needed

http://search.ietf.org/internet-drafts/draft-shore-h323-firewalls-00.txt
Session Initiation Protocol: http://www.ietf.org/rfc/rfc2543.txt
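
The packet-filter policy of slide 8 applied to the H.323 call of slides 11 and 13, followed by the pinhole that an H.323-aware application level firewall would add. This is an added example, not code from the presentation. The inside subnet, the exposed web server, the addresses, ports and the decoded H.245 message are all constructed for the example; the only facts taken from the slides are the policy itself, TCP 1720 for H.225 call signalling and dynamic UDP ports for RTP media.

```python
"""Slide-8 packet filter versus an H.323 call, with and without an ALG pinhole.

Added example, not code from the presentation. INSIDE, WEB_SERVER and all
traffic below are constructed.
"""
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.33.96.0/24")     # assumption: the private zone
WEB_SERVER = ("10.33.96.80", 80)                   # assumption: the one exposed server


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class PacketFilter:
    """Slide 8: no UDP in or out; TCP out allowed; TCP in only to specific
    servers or for connections opened from inside (a stateless filter
    approximates the latter by accepting inbound TCP with the ACK bit set)."""

    def __init__(self):
        self.opened = set()     # (src, sport, dst, dport) of connections opened from inside
        self.pinholes = set()   # (proto, inside_ip, inside_port) opened by an ALG

    @staticmethod
    def _inside(ip):
        return ipaddress.ip_address(ip) in INSIDE

    def verdict(self, p):
        outbound = self._inside(p.src) and not self._inside(p.dst)
        if p.proto == "tcp":
            if outbound:
                self.opened.add((p.src, p.sport, p.dst, p.dport))
                return "ACCEPT"
            if (p.dst, p.dport) == WEB_SERVER:
                return "ACCEPT"
            if (p.dst, p.dport, p.src, p.sport) in self.opened:
                return "ACCEPT"      # reply to a connection opened from inside
            return "DROP"
        if p.proto == "udp":
            # A stock packet filter stops here with DROP. Only a pinhole punched
            # by the H.323 ALG below lets a media stream through, and only to the
            # exact address/port the inside party advertised.
            endpoint = (p.proto, p.src, p.sport) if outbound else (p.proto, p.dst, p.dport)
            return "ACCEPT" if endpoint in self.pinholes else "DROP"
        return "DROP"


def h323_alg_pinhole(fw, open_logical_channel_ack):
    """What an H.323 application level firewall adds: it decodes the H.245
    OpenLogicalChannelAck leaving the zone (here a dict standing in for the
    decoded ASN.1 message), reads the mediaChannel the inside party wants RTP
    sent to, and opens that port plus the RTCP port conventionally next to it."""
    ip, port = open_logical_channel_ack["mediaChannel"]
    fw.pinholes.add(("udp", ip, port))
    fw.pinholes.add(("udp", ip, port + 1))


def simulate_call():
    fw = PacketFilter()
    alice, bob = "10.33.96.5", "198.76.28.4"       # Alice inside, Bob outside
    v = {}
    v["h225_setup_out"] = fw.verdict(Packet("tcp", alice, 1257, bob, 1720))
    v["h225_connect_in"] = fw.verdict(Packet("tcp", bob, 1720, alice, 1257))
    v["rtp_in_no_alg"] = fw.verdict(Packet("udp", bob, 49170, alice, 49152))
    h323_alg_pinhole(fw, {"mediaChannel": (alice, 49152)})   # constructed message
    v["rtp_in_with_alg"] = fw.verdict(Packet("udp", bob, 49170, alice, 49152))
    v["rtcp_in_with_alg"] = fw.verdict(Packet("udp", bob, 49171, alice, 49153))
    v["udp_other_port"] = fw.verdict(Packet("udp", bob, 49170, alice, 49160))
    v["setup_in_unsolicited"] = fw.verdict(Packet("tcp", bob, 4321, alice, 1720))
    return v


if __name__ == "__main__":
    for flow, verdict in simulate_call().items():
        print(f"{flow:22} {verdict}")
```

Signalling gets through because Alice opens the TCP connection; the media does not, because Bob's RTP arrives on a UDP port nobody could have listed in a static rule. The alternative the slide calls unrealistic, opening the whole dynamic range inbound, means accepting UDP to every port above 1023 on every inside host; the ALG opens two ports on one host for the duration of one call.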
14
Issues (Contd)
  • Problem 3: IP addresses and port numbers within IP payloads
  • H.225 and H.245 may embed IP addresses in their payloads (not in the IP header)
  • For instance, the calling-party information element in the H.225 signalling stream contains the private address of the calling party. (In SIP, the Contact, Record-Route, Via, Call-ID, To and From headers may carry IP addresses and port numbers.)
  • NATs cannot translate addresses and ports inside payloads unless they include an Application Level Gateway (ALG)
  • H.323 is harder to handle because it uses ASN.1 (binary) encoding, whereas SIP is text based
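
A minimal SIP/SDP application level gateway of the kind the slide says a NAT needs, plus a look at why the same approach does not carry over to H.323. This is an added example, not code from the presentation. The INVITE, the SDP body and the NAPT mapping are constructed; the mapping reuses slide 5's addresses (10.33.96.5 behind public 198.76.29.7). Of the headers the slide lists, only Via and Contact are rewritten here, because those carry the addresses the peer will actually send packets to; From, To and Call-ID are left alone as identifiers.

```python
"""SIP/SDP ALG rewrite, and the H.225 binary address an ALG cannot regex.

Added example, not code from the presentation. INVITE, SDP and MAPPING are
constructed.
"""
import re

ADDR_PORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")

# constructed NAPT bindings: (private ip, port) -> (public ip, port)
MAPPING = {
    ("10.33.96.5", 5060): ("198.76.29.7", 6345),    # SIP signalling
    ("10.33.96.5", 49152): ("198.76.29.7", 8896),   # RTP media
}

SDP = ("v=0\r\n"
       "o=alice 2890844526 2890844526 IN IP4 10.33.96.5\r\n"
       "s=-\r\n"
       "c=IN IP4 10.33.96.5\r\n"
       "t=0 0\r\n"
       "m=audio 49152 RTP/AVP 0\r\n")

INVITE = ("INVITE sip:bob@198.76.28.4 SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 10.33.96.5:5060;branch=z9hG4bK776\r\n"
          "From: <sip:alice@10.33.96.5>;tag=1928\r\n"
          "To: <sip:bob@198.76.28.4>\r\n"
          "Call-ID: a84b4c76e66710@10.33.96.5\r\n"
          "Contact: <sip:alice@10.33.96.5:5060>\r\n"
          "Content-Type: application/sdp\r\n"
          f"Content-Length: {len(SDP.encode())}\r\n"
          "\r\n" + SDP)


def _translate(m, mapping):
    key = (m.group(1), int(m.group(2)))
    return "%s:%d" % mapping[key] if key in mapping else m.group(0)


def rewrite_sip(msg, mapping):
    """Rewrite private address:port pairs in Via/Contact and in the SDP
    c=/m= lines, then fix Content-Length, since the body length can change."""
    head, _, body = msg.partition("\r\n\r\n")

    # SDP: the IP lives in c=, the port in m=; the NAPT key needs both
    lines = body.split("\r\n")
    c_ip = next((l[9:] for l in lines if l.startswith("c=IN IP4 ")), None)
    pub_ip = None
    for i, line in enumerate(lines):
        if line.startswith("m=") and c_ip:
            parts = line.split(" ")
            key = (c_ip, int(parts[1]))
            if key in mapping:
                pub_ip, parts[1] = mapping[key][0], str(mapping[key][1])
                lines[i] = " ".join(parts)
    if pub_ip:
        lines = [f"c=IN IP4 {pub_ip}" if l.startswith("c=IN IP4 ") else l for l in lines]
    new_body = "\r\n".join(lines)

    new_head = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name in ("via", "contact"):
            line = ADDR_PORT.sub(lambda m: _translate(m, mapping), line)
        elif name == "content-length":
            line = f"Content-Length: {len(new_body.encode())}"
        new_head.append(line)
    return "\r\n".join(new_head) + "\r\n\r\n" + new_body


def content_length_ok(msg):
    """True when the declared Content-Length matches the body actually sent."""
    head, _, body = msg.partition("\r\n\r\n")
    declared = [l for l in head.split("\r\n") if l.lower().startswith("content-length")]
    return bool(declared) and int(declared[0].split(":", 1)[1]) == len(body.encode())


def h225_transport_address(ip, port):
    """The ip and port fields of an H.225 TransportAddress as the ASN.1
    encoding carries them: four raw octets and a 2-byte integer (choice tag
    and alignment omitted). Nothing here is the text '10.33.96.5', so the
    regex above has nothing to match; an H.323 ALG needs a real ASN.1 decoder."""
    return bytes(int(o) for o in ip.split(".")) + port.to_bytes(2, "big")


if __name__ == "__main__":
    print(rewrite_sip(INVITE, MAPPING))
    print(h225_transport_address("10.33.96.5", 1720).hex())
```

Two details matter in practice: the Content-Length header must be recomputed after the body changes (an ALG that forgets this produces a message the far end truncates or rejects), and the rewrite is only correct if the NAPT actually holds the bindings in MAPPING, so an ALG has to create the media binding when it sees the m= line, not merely look one up.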

15
Issues (Contd)
  • Problem 4: Security and Authentication
  • IPsec does not traverse NATs (AH authenticates the IP addresses themselves, so any rewrite breaks it; ESP leaves the outer header unprotected, but an NAPT still has no port numbers to translate, because the transport header is inside the encrypted payload)
  • IPsec through a firewall works, but the firewall cannot open the payloads nor determine which ports to open
  • Bottom line: end-to-end encryption at the IP layer will not work through firewalls
  • Any change made by a NAT with an ALG invalidates the signature, and the data integrity check fails
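
The integrity failure the last bullet describes, carried through on an actual IPv4 header. This is an added example, not code from the presentation. The header layout is RFC 791 IPv4 and the list of fields zeroed before authentication follows RFC 2402 (AH); the AH header itself is left out of the model, HMAC-SHA-256 truncated to 96 bits stands in for whatever the security association negotiated, and the key, the addresses (slide 5's 10.33.96.5 and 198.76.29.7) and the payload are constructed.

```python
"""AH integrity check versus a router hop versus a NAT address rewrite.

Added example, not code from the presentation. KEY, addresses and payload
are constructed; the AH header is omitted from the authenticated data.
"""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed demo key for the AH security association"


def checksum(data):
    """RFC 1071 one's-complement checksum, used for the IPv4 header field."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _with_checksum(hdr):
    hdr = bytearray(hdr)
    hdr[10:12] = b"\0\0"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr)


def ipv4_header(src, dst, payload_len, proto=51, ttl=64):
    """20-byte IPv4 header with no options; protocol 51 is AH."""
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return _with_checksum(raw)


def ah_immutable_view(ip_hdr):
    """Zero what RFC 2402 treats as mutable in transit: TOS, flags/fragment
    offset, TTL and the header checksum. Source and destination stay in:
    they are authenticated, and they are exactly what a NAT changes."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return bytes(h)


def ah_icv(ip_hdr, payload, key=KEY):
    return hmac.new(key, ah_immutable_view(ip_hdr) + payload, hashlib.sha256).digest()[:12]


def ah_verify(ip_hdr, payload, icv, key=KEY):
    return hmac.compare_digest(ah_icv(ip_hdr, payload, key), icv)


def router_hop(ip_hdr):
    """An ordinary router: TTL minus one and a fresh header checksum."""
    h = bytearray(ip_hdr)
    h[8] -= 1
    return _with_checksum(bytes(h))


def nat_rewrite_src(ip_hdr, new_src):
    """What a NAT does on the way out: replace the private source address."""
    h = bytearray(ip_hdr)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    return _with_checksum(bytes(h))


def demo():
    payload = b"H.225 Setup, constructed payload"
    hdr = ipv4_header("10.33.96.5", "198.76.28.4", len(payload))
    icv = ah_icv(hdr, payload)                      # computed by the sender
    return {
        "after_router_hop": ah_verify(router_hop(hdr), payload, icv),
        "after_nat": ah_verify(nat_rewrite_src(hdr, "198.76.29.7"), payload, icv),
    }


if __name__ == "__main__":
    print(demo())   # {'after_router_hop': True, 'after_nat': False}
```

The router hop verifies because every field it touched was excluded from the ICV by design; the NAT rewrite fails because the source address was not, and no ALG can repair that without the key. ESP behaves differently only in that its ICV stops at the ESP header, so a one-to-one address NAT can forward it; an NAPT still cannot, since the only demultiplexing field it can see is the SPI. The UDP encapsulation that later made ESP usable behind NAPT (NAT traversal, RFC 3948, UDP port 4500) post-dates this talk.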

16
Issues (Contd)
  • Problem 5: Lifetime issues
  • A NAT address binding has a lifetime equal to that of the TCP connection. The NAT will terminate the media streams as soon as the TCP (signalling) connection is closed.
  • Problem 6: Multicast does not run through NATs
  • The multicast protocol is defined for routers
  • Devices behind an NAPT will not receive multicast, since the attached network appears to the outside as a single end station

17
Realm Specific IP
  • Motivation: restore end-to-end transparency in the Internet
  • Grant a host from one addressing realm a presence in another addressing realm by allowing it to use resources from the second realm (borrowing a public address for a fixed duration while in the private network)
  • Being defined at the IETF. Has potential, but too early to tell

http://ietf.org/internet-drafts/draft-ietf-nat-rsip-framework-05.txt
18
Other Attempts
  • Firewall control protocol?
  • Interaction between firewalls and media servers was proposed at the IETF meeting in Adelaide
  • No consensus was reached
  • H.323 application level firewalls and VPNs

http://search.ietf.org/internet-drafts/draft-tiphon-foglamps-00.txt, http://search.ietf.org/internet-drafts/draft-lear-foglamps-02.txt
19
Conclusions
  • NATs and firewalls are here to stay between public and private networks. They are a problem for H.323, as they are for most media applications in IP networks
  • To get H.323 through firewalls, one may have to use application level firewalls or VPNs, depending on the network topology and the type of WAN
  • To handle private addresses, one may have to use H.323 proxies