
XymphonyProgramming-FirewallNATPortForwardingIssues

In an ideal internet, every device would have a public IP address and all devices could communicate end to end. In reality this is not the case, because the number of public IP addresses is limited. Instead, enterprises own one or a few publicly reachable (routable) IP addresses and any number of private IP addresses for their local area network. NAT and NAPT devices translate IP addresses and port numbers in the private address ranges to public addresses for internet connectivity.

Second, enterprises want to protect their networks from unauthorized access with firewalls.

Usually, software-based NATs and firewalls are embedded in DSL modem/router devices, so they are a concern for small and home offices, not only for large enterprises. These devices may sometimes create problems for VoIP interconnection and IP Telephony services. VoIP and other services may not be easy to get through firewalls and NAT, because these devices provide security by limiting access to private ports and IP addresses and by restricting the traffic type.

A firewall is mainly an issue for incoming traffic, whereas NAT is an issue for traffic in both directions. This document aims to make you aware of possible problems and describes the simplest way to deal with them for a Telesis IP Telephony application.

Without Firewall

Installing the Telesis system with a public IP address, outside your firewall, is the easy way. In this case, untrusted sources may be able to access the Telesis system that is outside the firewall, but can do little. Most internet viruses and worms attack PC operating systems. However, Telesis systems do not use such an operating system. Consequently, there should not be a serious security risk if the Telesis system is outside the firewall.

Using the Telesis System Behind a Firewall

Traffic for VoIP and other IP Telephony services requires the use of several ports that may be protected by the firewall. Specifically, VoIP is like traditional communication in that incoming calls can come from a wide range of unknown sources that cannot be classified as trusted or untrusted. If a firewall is between the Telesis system and the public network, certain ports must be set properly before a connection can be made between the two sites. The firewall policy should allow access from the public domain to these ports for VoIP and the other protocols that are intended to be used. The network owner may define further filtering rules specifying the endpoints that are allowed to communicate.

The Ports to be Considered in Firewall Filtering Policy

Telesis systems use default or user-programmed ports for IP services:

| CAU Member Number | Reserved socket blocks | Protocol | Service |
|---|---|---|---|
| 1 | 30250-30499 | TCP/UDP | AU1 available port address (total 250) |
| 2 | 30500-30749 | TCP/UDP | AU2 available port address (total 250) |
| 3 | 30750-30999 | TCP/UDP | AU3 available port address (total 250) |
| 4 | 31000-31249 | TCP/UDP | AU4 available port address (total 250) |
| 5 | 31250-31499 | TCP/UDP | AU5 available port address (total 250) |
| 6 | 31500-31749 | TCP/UDP | AU6 available port address (total 250) |
| 7 | 31750-31999 | TCP/UDP | AU7 available port address (total 250) |
| 8 | 32000-32249 | TCP/UDP | AU8 available port address (total 250) |
| 9 | 32250-32499 | TCP/UDP | AU9 available port address (total 250) |
| 10 | 32500-32749 | TCP/UDP | AU10 available port address (total 250) |
| 11-127 | 32750-... | TCP/UDP | AU ports |
| | 9877-9878 | TCP/UDP | xSIP Signalling port |

Although these ports are programmable in Telesis systems, some of them are standard worldwide, and keeping the default values listed above is recommended for interoperability. None of the ports in use should be blocked by firewall filtering.

Using the Telesis System Behind a NAT

A NAT maintains a table that links private ports and IP addresses to public ports and IP addresses. As with the firewall, the NAT should be configured properly for the traffic. The ports to be considered are the ones listed above for firewall configuration.

The NAT may be manually configured with static mappings (i.e., bindings) or without bindings.
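
The port table and the filtering advice above, as an added example that is not part of the original page or Telesis tooling: a shell script that prints (it does not apply) iptables static NAT mappings and filter rules for the xSIP signalling ports and only the AU blocks actually in use, limited to one allowed remote network. The choice of iptables, the addresses, the interface name and the function names are assumptions.

```shell
#!/bin/sh
# Added example: prints iptables rules for review; nothing is applied.
# Assumptions (not from the page): the values below are constructed samples.
PBX_IP="192.168.1.10"      # constructed: private address of the Telesis system
WAN_IF="eth0"              # constructed: public-facing interface of the NAT/firewall
PEER_NET="203.0.113.0/24"  # constructed: remote endpoints allowed to communicate

# Port block for one AU member, following the page's table: 250 ports per
# member, starting at 30250 for member 1. Only members 1-10 have complete
# ranges on the page (the block for 11-127 is elided), so others are rejected.
au_block() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;   # empty, leading zero, or non-numeric
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 10 ] || return 1
    start=$((30250 + 250 * ($1 - 1)))
    echo "${start}:$((start + 249))"
}

# Static NAT mapping (binding) plus the matching filter rule for one port
# range, for both TCP and UDP as listed in the table.
emit_rules() {
    range="$1"
    for proto in tcp udp; do
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -s $PEER_NET -p $proto --dport $range -j DNAT --to-destination $PBX_IP"
        echo "iptables -A FORWARD -i $WAN_IF -s $PEER_NET -d $PBX_IP -p $proto --dport $range -j ACCEPT"
    done
}

# Rules for the xSIP signalling ports and for each AU member given as argument.
telesis_rules() {
    emit_rules "9877:9878"
    for member in "$@"; do
        range=$(au_block "$member") || {
            echo "unsupported AU member: $member" >&2
            return 1
        }
        emit_rules "$range"
    done
}

telesis_rules 1 2   # constructed scenario: AU members 1 and 2 are in use
```

Opening only the blocks of the AU members that are installed, and only to known peers where the deployment allows it, keeps the exposed port range smaller than forwarding the whole 30250-32749 span.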

Page last modified on May 06, 2019, at 09:00 AM