Table of Contents
Advertisement
Going around the firewall or NAT device is not the best solution for most companies.
Removing the firewall or placing videoconferencing equipment on an unshielded
section of the network could seriously compromise the network's security.
Using these devices is very expensive and besides this an access policy for Firewalls
and NATs would be needed. These devices should be located along the communication
path at every point where a NAT and Firewall are present.
A second solution is the improvement of the network by the introduction of an ALG,
but this is intrusive and potentially expensive. ALGs are software packages
specifically designed for firewalls from various producers that examine every packet
attempting to pass through the firewall in order to determine whether it concerns a
known protocol like H.323 or SIP. If the packet contains a known protocol, the
Firewall allows it through. However, like Proxies and MCUs that go around firewalls,
ALGs also need an access policy for firewalls and every firewall or NAT device needs
up-to-date ALG software. Because new protocols are continually being developed,
ALG software must be updated frequently.
IP Voice and Video Crossing NAT and Firewall
The use of existing network infrastructures for the transmission of voice, video and
data promises interesting strategic advantages for companies of all sizes. Commonly
known as "rich media communications" or "Internet Protocol (IP) communications"
these technologies for converging networks offer new opportunities to communicate,
coordinate and collaborate with customers, suppliers, commercial partners and others
all over the world.
Unfortunately, the protocols used for IP communications conflict with most of the
security mechanisms for networks (such as Firewalls and NAT), resulting in protracted
or late implementation times for IP video and voice applications.
Firewalls and NATs – How they work
In an IP network, every device is assigned a unique IP address. All computers,
telephones, and videoconference terminals have at their disposal approximately
65,000 ports for the purpose of establishing communication channels to transmit data
to other devices on the network.
Messages between IP network devices are composed of packets that contain the
following information:
•
the IP address of the terminal that has generated the message, the port number from which the
message has been sent.
•
the IP address of the destination terminal, the port number at the destination.
•
the data being sent.
Firewalls
Companies that allow connection to the Internet by their employees typically install a
firewall in order to prevent external access of or tampering with internal data.
The firewall examines the destination IP address and port number of every packet
received from outside. Usually, firewalls are configured in such a way that if a
computer from inside the firewall requests data from a computer outside the firewall,
the response packets will be allowed through from the external computer, but only if
they are sent to the IP address and port of the internal computer that generated the
request.
99
Advertisement
Table of Contents
