Getting Through The Firewall
When business communications are interrupted, the financial ramifications can range from a slight annoyance to simply disastrous. This is why research firm In-Stat expects $3.8 billion will be spent on firewall products this year alone.
Method 3: MCU traversal. Some organizations overcome NAT and firewall traversal issues by placing a multipoint video bridge (or multipoint control unit/MCU) between the private and public networks. This requires an MCU with two network interface cards (or NICs) — one connected to the private network and one to the public network. In this configuration, all video calls involving both internal and external sites connect through the MCU, regardless of the number of sites in the meeting.
From a data networking perspective, this method is quite secure because the participating video sites don't actually connect to each other. Instead, each site is connecting to the video bridge, which then passes only the audio, video, and shared content data between the participating systems.
The primary advantage of this method is that it allows video calls between internal and external sites without having to modify or update the enterprise firewall. The disadvantages are that even point-to-point calls require the use of expensive video bridge ports, which can cost several thousand dollars per port, and that environments with multiple NATs will require multiple MCUs. For these reasons, this method doesn't scale very well.
Method 4: Firewall tunneling. Most organizations are reluctant to modify, upgrade, or bypass their existing NAT and firewall configurations. Firewall tunneling solutions, which are covered under the ITU H.460 standard ratified in 2005, avoid the NAT/firewall problem by tunneling videoconferencing traffic through a limited number of firewall ports. The typical firewall tunneling solution involves two parts:
- A session border controller (SBC) installed outside the firewall.
- A local software client running behind the firewall, either within the video endpoints themselves or elsewhere (perhaps as part of a gatekeeper or other piece of software).
Tunneling solutions take advantage of the fact that most organizations allow data traffic originating from inside the network to pass through the firewall. When the local software client starts up, which usually happens automatically when the H.460-capable video endpoint is turned on, it registers with and maintains a communication session with the SBC located outside the firewall. The SBC then tracks the IP address and port information for each video system and routes incoming and outgoing video traffic accordingly. Because the video system has already initiated a communication session with the SBC, an incoming call routed via the SBC is seen by the firewall as a response to a request from a system behind it, and is permitted to pass through. The result is that video systems behind the firewall are able to place and receive video calls to and from endpoints outside the firewall.
The primary advantages of tunneling solutions are ease of deployment, the fact that the traffic doesn't bypass the enterprise NAT/firewall systems, and that the private IP addresses of internal endpoints aren't revealed. The disadvantages of these solutions include:
- The need to purchase the SBC and potentially the client software (total cost ranging from $7,000 to more than $40,000, depending upon the manufacturer, call volume, and number of sites involved).
- The fact that all traffic must travel through the SBC, creating both a potential bottleneck and single point of failure.
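The two traversal patterns above (Method 3, the dual-homed MCU, and Method 4, H.460-style tunneling) both depend on how a stateful firewall treats traffic it has and has not seen an inside host initiate. The following toy model is an added example written for this page; it is not code from the article or from any vendor product. It implements a minimal connection-tracking filter and walks each method through it, so a reader can see why the MCU's media never crosses the firewall at all, why the SBC-relayed call setup is accepted as the reverse of the endpoint's own registration, and why a call aimed directly at the private endpoint is still dropped. All addresses, the ephemeral port 40000 and the "register"/"setup"/"media" packet kinds are constructed for illustration; 1720 is the standard H.323 call-signalling port.

```python
"""Toy model of MCU traversal (Method 3) and firewall tunneling (Method 4).

Added example, not part of the original article.  The firewall here is a
minimal stateful filter: outbound is allowed and recorded, inbound is allowed
only when it is the exact reverse of a recorded outbound flow.  Addresses and
port numbers are constructed for illustration (1720 is the real H.323
call-signalling port; 40000 is an assumed ephemeral port).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    kind: str  # "register", "setup" or "media" (labels for the log only)


class StatefulFirewall:
    """Connection-tracking filter between a private and a public network."""

    def __init__(self, inside_prefix: str) -> None:
        self.inside_prefix = inside_prefix
        self.flows: set[tuple[str, int, str, int]] = set()  # (src, sport, dst, dport)
        self.log: list[str] = []

    def inside(self, addr: str) -> bool:
        return addr.startswith(self.inside_prefix)

    def forward(self, pkt: Packet) -> bool:
        """Return True if the packet is allowed to cross the firewall."""
        hop = f"{pkt.kind:8} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
        if self.inside(pkt.src) and not self.inside(pkt.dst):
            # Outbound: permitted, and the 4-tuple is remembered so that the
            # reverse direction is later recognised as part of this flow.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            self.log.append(f"ALLOW out {hop}")
            return True
        if not self.inside(pkt.src) and self.inside(pkt.dst):
            # Inbound: permitted only as the reverse of a tracked outbound flow.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
                self.log.append(f"ALLOW in  {hop} (established)")
                return True
            self.log.append(f"DROP  in  {hop} (unsolicited)")
            return False
        return True  # same-side traffic never touches the filter


def run_mcu_scenario() -> dict:
    """Method 3: dual-homed MCU.  Each endpoint dials the MCU NIC on its own
    side; the MCU re-originates media toward the other side from its own
    address there, so no endpoint-to-endpoint packet ever exists."""
    fw = StatefulFirewall("10.")
    MCU_INSIDE, MCU_OUTSIDE = "10.0.0.5", "203.0.113.5"   # constructed
    INTERNAL, EXTERNAL = "10.0.0.20", "198.51.100.7"      # constructed
    MEDIA = 5004
    crossings = 0
    sources_seen_by_external: set[str] = set()

    def deliver(pkt: Packet) -> None:
        nonlocal crossings
        if fw.inside(pkt.src) != fw.inside(pkt.dst):
            crossings += 1
            if not fw.forward(pkt):
                return
        if pkt.dst == EXTERNAL:
            sources_seen_by_external.add(pkt.src)
        elif pkt.dst == MCU_INSIDE:   # relay onto the public leg
            deliver(Packet(MCU_OUTSIDE, MEDIA, EXTERNAL, MEDIA, pkt.kind))
        elif pkt.dst == MCU_OUTSIDE:  # relay onto the private leg
            deliver(Packet(MCU_INSIDE, MEDIA, INTERNAL, MEDIA, pkt.kind))

    deliver(Packet(INTERNAL, MEDIA, MCU_INSIDE, MEDIA, "media"))
    deliver(Packet(EXTERNAL, MEDIA, MCU_OUTSIDE, MEDIA, "media"))
    return {"firewall_crossings": crossings,
            "sources_seen_by_external": sorted(sources_seen_by_external)}


def run_tunneling_scenario() -> dict:
    """Method 4: endpoint registers outbound to the SBC; the SBC relays an
    incoming call down that already-open flow."""
    fw = StatefulFirewall("10.")
    SBC, INTERNAL, EXTERNAL = "203.0.113.9", "10.0.0.20", "198.51.100.7"  # constructed
    SIGNAL, EPHEMERAL = 1720, 40000
    # 1. Before any registration, a call aimed straight at the private endpoint.
    direct = fw.forward(Packet(EXTERNAL, SIGNAL, INTERNAL, SIGNAL, "setup"))
    # 2. Endpoint boots and registers with the SBC; the firewall records the flow.
    fw.forward(Packet(INTERNAL, EPHEMERAL, SBC, SIGNAL, "register"))
    # 3. External caller dials the SBC (public-to-public, firewall not involved);
    #    the SBC relays the setup back along the registered flow.
    via_sbc = fw.forward(Packet(SBC, SIGNAL, INTERNAL, EPHEMERAL, "setup"))
    # 4. With the tunnel up, a direct call to the endpoint is still unsolicited.
    direct_after = fw.forward(Packet(EXTERNAL, SIGNAL, INTERNAL, SIGNAL, "setup"))
    return {"direct_inbound_allowed": direct,
            "sbc_routed_inbound_allowed": via_sbc,
            "direct_inbound_allowed_after_tunnel": direct_after,
            "tracked_flows": len(fw.flows),
            "log": fw.log}


if __name__ == "__main__":
    print("MCU:      ", run_mcu_scenario())
    result = run_tunneling_scenario()
    print("Tunneling:", {k: v for k, v in result.items() if k != "log"})
    print("\n".join(result["log"]))
```

The model makes the article's security observations concrete: in the MCU case the external party only ever sees the bridge's public address and the firewall counts zero crossings, while in the tunneling case the only inbound packet the filter admits is the one whose 4-tuple mirrors the endpoint's own outbound registration. It also shows the operational dependency the article hints at: if the registration flow to the SBC lapses (or the SBC itself is down), nothing inbound is admitted, which is the single-point-of-failure concern listed above.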
Weinstein is a senior analyst and partner at Wainhouse Research LLC in Boston.