Getting Through The Firewall
When business communications are interrupted, the financial ramifications can range from a slight annoyance to simply disastrous. This is why research firm In-Stat expects $3.8 billion will be spent on firewall products this year alone.
NAT is a technique that allows a LAN to use one set of IP addresses for internal traffic and a second address (or set of addresses) for external traffic. NAT occurs at the network edge, and in many cases is a function within an enterprise firewall/router.
To the Internet, a network using NAT looks like one (or a small number of) computers, but on the LAN each computer has its own local internal IP address. As traffic traverses between the private and public network, the NAT device translates and replaces the local IP addresses and ports into the public IP address (or addresses). The NAT device also maintains a temporary record of the IP address translations so that it can properly route incoming traffic to the proper local device. NAT provides several key benefits, including:
- The ability to share a single IP address between large numbers of computers, which simplifies internal network management and saves money (each reserved public IP address has an associated cost).
- The ability to use large numbers of internal IP addresses without conflicting with IP addresses used on external networks.
- The ability to “hide” internal devices from the outside world by assigning them private IP addresses that aren't accessible to outside devices.
The NAT router replaces the private IP address and communication port in each data packet with an assigned port on the public IP address. The NAT router maintains a translation table (see below) of these address and port assignments, and deletes entries as each particular communication session ends.
The result is that the external computer has no direct connection to the local computer (all connections bounce through the NAT router), and that the external computer remains unaware of the local computer's IP address and communication port.
The NAT/firewall problem
In order to conduct a videoconference, the participating video systems must be able to successfully send data back and forth. Unfortunately, NATs and firewalls often block this seemingly simple process.
To a network firewall, an incoming video (or voice) call request presents itself as unsolicited traffic from an outside network, which is exactly the type of traffic the typical firewall is designed to prevent. Fortunately, most firewalls are configured to allow outgoing IP traffic (including IP video calls). However, if the remote video endpoint is also behind a firewall, this call attempt is likely to fail as the remote firewall will see the incoming call request as unsolicited inbound traffic.
Even if the host organizations are somehow able to circumvent the enterprise firewall, NAT may cause the video call to fail for two reasons:
- Endpoints behind a NAT don't have publicly accessible IP addresses, which means that one endpoint would be unable to reach out to and call the other endpoint.
- H.323 and SIP, the two protocols most frequently used for IP videoconferencing today, embed the IP address of the initiating endpoint within the data packet payload. In a NAT environment, the initiating endpoint's IP address is its private IP address, which can't be reached directly from the outside world. This means that the receiving endpoint may be able to receive data from the initiating endpoint, but will not be able to successfully send data back to the initiating system.
Fortunately, there are various ways that enterprises can resolve, or at least circumvent, the NAT/firewall issue without significantly compromising network security.
Overcoming obstacles
From a 10,000-foot view, there are four different ways to enable IP videoconferencing in NAT/firewall environments.
Method 1: Firewall/NAT disabling or forwarding. Disabling NAT isn't a preferred method because it requires a public IP address for each network device and leaves the network unprotected from unauthorized access.
Alternatively, the enterprise can lease additional fixed public IP addresses (one for each video system) and configure the firewall to allow traffic destined for these systems to pass through. This has the advantage of maintaining the firewall and NAT benefits for the majority of the data network, but introduces several disadvantages, including:
- Additional cost ranging from a few dollars to hundreds of dollars or more depending upon the number of IP addresses needed and your network service provider.
- The need to use custom firewall configurations.
- A total lack of firewall and NAT protection for the video systems.
This approach is useful only in environments with a small number of video systems in place.
Method 2: Application-level gateways and proxies. Application-level gateways, or ALGs, are firewalls that are programmed to understand and process specific types of IP communications. Rather than simply looking at the packet header (source IP address, destination IP address, etc.), ALGs dig deeper into the data packet to determine whether to allow the information to pass. In addition, the ALG's understanding of the specific protocol allows the ALGs to open (and eventually close) only the appropriate data ports in the firewall needed for that video session. This technique of dynamically opening only a small number of ports in the firewall is called “pin-holing.” Note that ALGs don't resolve NAT issues, and therefore a proxy (device used to translate public and private IP addresses) is also required. Fortunately, some ALG solutions also include proxy functionality.
ALGs are available in several flavors: 1) as a standalone firewall that can either augment or replace the existing firewall(s), or 2) as a software upgrade/add-on to many popular enterprise firewalls. Although ALGs and proxies can effectively resolve the NAT/firewall issue, the fact that they involve either an upgrade or modification of the existing enterprise firewall(s) means that they may be difficult and costly (software upgrades can cost thousands of dollars) for some organizations to deploy.
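The following is an added example, not code from the article or from any firewall vendor, that models three things the article describes: the NAT translation table (outbound sessions recorded, unsolicited inbound traffic dropped), the SIP embedded-address problem (the Contact header still carries the private IP after the packet header is translated, so the callee's reply is unreachable), and an ALG with proxy functionality that inspects the payload and rewrites the embedded address to the public mapping. All addresses, ports and the SIP message are constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""

class Nat:
    """Port-translating NAT: one public IP plus a translation table keyed by public port."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port, self.table = public_ip, first_port, {}

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub = next((p for p, e in self.table.items() if e == key), None)
        if pub is None:                      # new session: allocate and record a public port
            pub, self.next_port = self.next_port, self.next_port + 1
            self.table[pub] = key
        return Packet(self.public_ip, pub, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        e = self.table.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or e is None or e[2:] != (pkt.src_ip, pkt.src_port):
            return None                      # not for us, or unsolicited (no table entry): dropped
        return Packet(pkt.src_ip, pkt.src_port, e[0], e[1], pkt.payload)

CONTACT = re.compile(r"Contact: <sip:([^@]+)@([\d.]+):(\d+)>")
# Constructed SIP INVITE: the Contact header carries the caller's private address.
INVITE = ("INVITE sip:bob@203.0.113.20 SIP/2.0\r\n"
          "Contact: <sip:alice@192.168.1.10:5060>\r\n\r\n")

def place_call(use_alg=False):
    """Returns (address the callee replies to, whether that reply reached the caller)."""
    nat = Nat("198.51.100.5")
    out = nat.outbound(Packet("192.168.1.10", 5060, "203.0.113.20", 5060, INVITE))
    if use_alg:  # ALG/proxy: inspect payload, rewrite embedded address to the public mapping
        out.payload = CONTACT.sub(rf"Contact: <sip:\1@{out.src_ip}:{out.src_port}>", out.payload)
    m = CONTACT.search(out.payload)          # the callee replies to the Contact address
    ip, port = m.group(2), int(m.group(3))
    reply = nat.inbound(Packet("203.0.113.20", 5060, ip, port, "SIP/2.0 200 OK"))
    return ip, reply is not None and reply.dst_ip == "192.168.1.10"

def unsolicited_inbound_dropped():
    """An inbound call request with no prior outbound session has no table entry."""
    return Nat("198.51.100.5").inbound(Packet("203.0.113.99", 5060, "198.51.100.5", 41234, "INVITE")) is None
```

Without the ALG the callee answers to 192.168.1.10, which never reaches the NAT; with it the reply targets the public port and is translated back to the caller.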