Aethra Vega X3 User Manual page 97

If the firewall receives a packet destined for a computer located on the internal
network and determines that the destination computer has not initiated any
communication, the firewall discards the incoming packet.
Firewalls are nearly always configured to block all incoming traffic that has not been
explicitly requested. Internal web servers are the exception: they must be reachable
from the outside. To allow this, the network administrator configures the firewall to let
through packets destined for port 80 of the web server's IP address. This lets external
users send connection requests to the company's web server in order to access data
on that server.
NAT (Network Address Translation)
Network Address Translation is an Internet standard that allows a LAN (Local Area
Network) to use one set of IP addresses for internal traffic and another address (or set
of addresses) to connect to services on an external network (the Internet, for example).
Devices that implement NAT sit at the boundary between the LAN and the external
network, and their purpose is to translate the IP addresses of all packets destined for
the external network. Many organizations use NAT as a security mechanism because it
masks the internal IP addresses: if hackers do not know the IP address of a machine,
they cannot attack it and cause disruptions. NAT also allows a company to use more IP
addresses than it would otherwise be allocated. Since these addresses are only used
internally, they do not conflict with the IP addresses of other organizations.
Problems with Video and Voice Communications on NAT/Firewall Protected Networks
IP-based voice and video protocols such as H.323 require that terminals be able to
establish audio-video communication channels using IP addresses and data ports.
This creates a problem: terminals must "listen" for incoming calls in order to establish
IP connections, but the firewall is generally configured so as not to let through packets
that were not expressly requested. Even if the network administrator leaves a port open
so the terminal can receive notification of a call (port 1720, designated as a
"well-known TCP port"), the IP voice and video protocols require other ports to be
opened in order to receive control messages and to open the audio and video channels.
These additional ports are chosen dynamically, not in advance, so the network
administrator would have to open all the firewall ports to allow video and voice
communication, which would virtually disable the firewall. Network administrators are
unlikely to do this (and wisely so), since it effectively eliminates the network security
policy. NAT also creates an obstacle for voice and video communications over IP. NAT
allows an organization to assign private IP addresses to machines on the local
network, but the routers that control the flow of data towards the Internet can handle
only packets with routable, public IP addresses.
A terminal located behind the NAT device on the LAN can initiate communication with
any other terminal in the same LAN, because the IP addresses within the LAN are
routable internally: a company can divide its network into subnets managed by an
internal router, and audio-video communication can then be established between the
different branches of those subnets.
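The following Python model is an added example, not code from the manual or from Aethra, and it ties together the three behaviours described above: a stateful firewall with NAT passes replies to flows that an internal host initiated, passes traffic matching a static port-forward (the web server on port 80), and discards everything else. Applied to an H.323 call, forwarding port 1720 to the terminal lets the call notification in, but the media port the terminal chooses dynamically is not covered by any rule, so the media packet is dropped. All IP addresses, port numbers and host names are constructed for the illustration; the class and function names are this example's own.

```python
"""Toy stateful firewall + NAT, modelling the manual's description (added example).
Addresses and ports below are constructed for the illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatFirewall:
    public_ip: str
    # Static rules configured by the administrator: public port -> (internal ip, port).
    port_forwards: dict = field(default_factory=dict)
    # NAT translation table: allocated public port -> (internal ip, internal port).
    translations: dict = field(default_factory=dict)
    # Connection state: (internal ip, internal port, external ip, external port).
    sessions: set = field(default_factory=set)
    next_public_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Internal host initiates a flow: allocate (or reuse) a public port,
        record the session, and return the packet as it leaves for the Internet."""
        internal = (pkt.src_ip, pkt.src_port)
        for pub_port, mapped in self.translations.items():
            if mapped == internal:
                break
        else:
            pub_port = self.next_public_port
            self.next_public_port += 1
            self.translations[pub_port] = internal
        self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Packet arriving from the Internet. Returns the translated packet delivered
        to the LAN, or None when the firewall discards it."""
        if pkt.dst_ip != self.public_ip:
            return None
        # 1. Explicit exception configured in advance (e.g. port 80 -> web server).
        if pkt.dst_port in self.port_forwards:
            in_ip, in_port = self.port_forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)
        # 2. Reply to a flow an internal host initiated (state + NAT mapping match).
        mapped = self.translations.get(pkt.dst_port)
        if mapped and (mapped[0], mapped[1], pkt.src_ip, pkt.src_port) in self.sessions:
            return Packet(pkt.src_ip, pkt.src_port, mapped[0], mapped[1])
        # 3. Unsolicited inbound traffic: discarded.
        return None


def demo() -> dict:
    """Run the scenarios from the text and report which packets got through."""
    fw = NatFirewall(public_ip="203.0.113.10", port_forwards={80: ("192.168.1.20", 80)})
    results = {}
    # (a) A LAN host browses out; the server's reply comes back through the mapping.
    out = fw.outbound(Packet("192.168.1.50", 51000, "198.51.100.7", 443))
    reply = fw.inbound(Packet("198.51.100.7", 443, "203.0.113.10", out.src_port))
    results["reply_to_outbound"] = reply is not None and reply.dst_ip == "192.168.1.50"
    # (b) An external client reaches the web server via the static port-80 rule.
    web = fw.inbound(Packet("198.51.100.7", 33333, "203.0.113.10", 80))
    results["web_forward"] = web is not None and web.dst_ip == "192.168.1.20"
    # (c) Unsolicited traffic to any other port is dropped.
    results["unsolicited_dropped"] = fw.inbound(
        Packet("198.51.100.7", 33333, "203.0.113.10", 5000)) is None
    # (d) H.323: the administrator forwards the well-known port 1720 to the terminal,
    #     so the call notification arrives...
    fw.port_forwards[1720] = ("192.168.1.30", 1720)
    setup = fw.inbound(Packet("198.51.100.9", 1720, "203.0.113.10", 1720))
    results["h323_signalling"] = setup is not None and setup.dst_ip == "192.168.1.30"
    #     ...but the media port (constructed value 50002) was chosen dynamically during
    #     the call, so no rule or session covers it and the media packet is discarded.
    media = fw.inbound(Packet("198.51.100.9", 60000, "203.0.113.10", 50002))
    results["h323_media_dropped"] = media is None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The `sessions` set is what makes the firewall "stateful": a packet from the Internet is accepted only when it matches a flow an internal host started or an exception the administrator configured beforehand, which is exactly why the dynamically chosen H.323 media port in scenario (d) never gets through.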