Getting Through The Firewall
When business communications are interrupted, the financial ramifications can range from a slight annoyance to simply disastrous. This is why research firm In-Stat expects $3.8 billion will be spent on firewall products this year alone.
After weeks of preparation, the big day has finally arrived — the big board meeting everyone's been talking about. With senior executives on hand in three remote offices gearing up for presentations, everyone anxiously awaits the start of the videoconference. Unfortunately, the enterprise security systems (firewalls and network address translation (NAT) routers) make it impossible to connect to the client's video system. After 15 minutes of troubleshooting by senior-level IT support staff, the participants finally give up, opting instead for the antiquated but reliable audio call — not exactly the way you want to start an important meeting.
When business communications like these are interrupted, the financial ramifications can range from a slight annoyance to simply disastrous. This is why research firm In-Stat expects $3.8 billion will be spent on firewall products this year alone. In order to avoid a replay of the scenario described above, it's important to understand the technical issues behind the network address translation (NAT)/firewall videoconferencing problem. Let's take a closer look at how all of this fits together.
Underlying issues
On an IP network, each connected device (computer, IP telephone, printer, server, and even videoconferencing device) is assigned a unique IP address. Within an isolated network, IP addresses can be assigned at random, as long as each one is unique. These private IP addresses are referred to as local, local area network (LAN), or private IP addresses.
When one device sends data to another, the data is broken up into packets, and each packet carries at least the following information:
- The IP address of the source device.
- The port number used by the source device for this communication transaction.
- The IP address of the destination device.
- The port number on the destination device that should receive the message.
- The data to be transmitted (often called the payload).
Data packets also include additional information such as the transport protocol in use (TCP, UDP, etc.), the quality of service requested (which determines how quickly the routers process and re-transmit the packets as they arrive), a packet identification tag, and other key items to help the network process and manage the transmission of the data packet.
Inside the firewall
As shown in the figure at right, firewalls are installed at the periphery of the data network (also called the network edge) to protect that network from unauthorized access. In the typical enterprise, a firewall is used to keep external (Internet) users from gaining access to the computers, servers, and devices on the enterprise network.
Firewalls do their job by inspecting all data packets — both incoming and outgoing — as they attempt to traverse between the internal (private) and external networks. Specifically, the firewall looks at the source and destination IP address of each data packet and then follows a pre-configured set of rules regarding which traffic is allowed to pass through the firewall. Most enterprise firewall rule sets include some form of the following:
Rule #1 – Traffic sent from a computer or device inside the firewall to the outside world is permitted. Some enterprises choose to limit certain types of outgoing traffic, such as instant messenger.
Rule #2 – Traffic sent from outside the firewall and in response to a data request made from inside the firewall is permitted.
Rule #3 – All “unsolicited” traffic from outside the firewall destined for a computer or device inside the firewall is rejected and discarded.
The first two rules allow internal computer users to reach out to and request data from the public Internet. The third rule ensures that external traffic can't permeate the internal network and reach internal computers and devices.
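The packet fields listed above and the three rules just described can be modelled together in a few dozen lines. The following Python is an added example written for this article, not code from the original page or from any firewall vendor; the address plan (192.168.10.0/24 as the inside network), the port numbers and the sample packets are all constructed for the illustration. It shows why the outbound web request and its reply pass, why an instant-messenger session can be cut off under rule #1's exception, and why the incoming videoconference call from the opening scenario is dropped under rule #3.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# A data packet carries the fields the article lists: source address and port,
# destination address and port, the transport protocol and the payload.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str          # "TCP" or "UDP"
    payload: bytes = b""

# Constructed address plan for the example: everything in 192.168.10.x is "inside".
INTERNAL_PREFIX = "192.168.10."

def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)

class StatefulFirewall:
    """Minimal model of the three rules from the article.

    Rule #1: traffic from inside to outside is permitted, minus any outbound
             services the enterprise chooses to block.
    Rule #2: outside traffic that answers a request made from inside is permitted.
    Rule #3: all other unsolicited inbound traffic is rejected and discarded.
    """

    def __init__(self, blocked_outbound_ports: Set[int] = frozenset()):
        self.blocked_outbound_ports = set(blocked_outbound_ports)
        # Connection table of flows an inside host opened:
        # (proto, inside ip, inside port, outside ip, outside port).
        self.state: Set[Tuple[str, str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> str:
        outbound = is_internal(pkt.src_ip) and not is_internal(pkt.dst_ip)
        inbound = is_internal(pkt.dst_ip) and not is_internal(pkt.src_ip)
        if outbound:
            if pkt.dst_port in self.blocked_outbound_ports:
                return "DROP (rule 1 exception: blocked outbound service)"
            # Remember the flow so its reply can be matched under rule #2.
            self.state.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ALLOW (rule 1: outbound)"
        if inbound:
            # A reply to a request swaps the source and destination of the recorded flow.
            key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            if key in self.state:
                return "ALLOW (rule 2: reply to inside request)"
            return "DROP (rule 3: unsolicited inbound)"
        return "ALLOW (does not cross the network edge)"

def run_scenario() -> List[Tuple[str, str]]:
    """Push a constructed sequence of packets through the firewall and
    return (description, decision) pairs."""
    fw = StatefulFirewall(blocked_outbound_ports={5222})  # 5222: instant messenger, constructed choice
    packets = [
        ("inside PC requests a web page",
         Packet("192.168.10.25", 51000, "203.0.113.10", 443, "TCP", b"GET / HTTP/1.1")),
        ("web server replies to that request",
         Packet("203.0.113.10", 443, "192.168.10.25", 51000, "TCP", b"HTTP/1.1 200 OK")),
        ("inside PC opens an instant-messenger session",
         Packet("192.168.10.25", 51001, "203.0.113.50", 5222, "TCP")),
        ("remote video system places a call to the inside codec",
         Packet("198.51.100.7", 1720, "192.168.10.40", 1720, "TCP", b"call setup")),
        ("inside codec talks to another inside codec",
         Packet("192.168.10.40", 1720, "192.168.10.41", 1720, "TCP")),
    ]
    return [(desc, fw.filter(pkt)) for desc, pkt in packets]

if __name__ == "__main__":
    for desc, decision in run_scenario():
        print(f"{desc:55s} -> {decision}")
```

The fourth packet is the videoconferencing failure from the opening scenario: nobody inside the firewall asked the remote system for anything, so there is no entry in the connection table and rule #3 discards the call setup. Real firewalls also keep timers and protocol state for each table entry, but the matching logic is the same: the reply's source/destination pair must mirror a flow that an inside host already opened.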