NAT – FIREWALL Interoperability
Introduction
There are many strategic advantages for companies that succeed in converging all their traffic, from voice applications to video
and data, onto one IP network infrastructure.
Unfortunately, the drive to concentrate all IP communications onto one single network has slowed. The connection between a
company’s corporate network and the Internet world is accomplished with firewalls and devices using NAT (Network Address
Translation), which block voice and video calls over IP. Firewalls block IP traffic for video and voice by preventing any
unsolicited communication from the outside. Devices implementing NAT block IP traffic because all equipment on the internal
network uses private IP addresses and can therefore not be contacted from outside the local domain.
There are several solutions to the problem of getting IP communications past NAT and firewalls: bypassing the firewall or NAT
device, upgrading the network infrastructure with an Application Level Gateway (ALG), and going out through the firewall or
NAT using semi-tunnelling connections. Going around the firewall or NAT device is not the best solution for most companies.
Removing the firewall or placing videoconferencing equipment on an unshielded section of the network could seriously
compromise the network’s security.
Using such bypass devices is very expensive, and in addition an access policy for firewalls and NATs would be needed. A device
would have to be placed on the communication path at every point where a NAT or firewall is present.
A second solution is the improvement of the network by the introduction of an ALG, but this is intrusive and potentially
expensive. ALGs are software packages specifically designed for firewalls from various producers; they examine every packet
attempting to pass through the firewall in order to determine whether it belongs to a known protocol such as H.323 or SIP. If the
packet carries a known protocol, the firewall allows it through. However, like proxies and MCUs that go around firewalls,
ALGs also need an access policy for firewalls, and every firewall or NAT device needs up-to-date ALG software. Because new
protocols are continually being developed, ALG software must be updated frequently.
IP Voice and Video Crossing NAT and Firewall
The use of existing network infrastructures for the transmission of voice, video and data promises interesting strategic
advantages for companies of all sizes. Commonly known as “rich media communications” or “Internet Protocol (IP)
communications” these technologies for converging networks offer new opportunities to communicate, coordinate and
collaborate with customers, suppliers, commercial partners and others all over the world.
Unfortunately, the protocols used for IP communications conflict with most of the security mechanisms for networks (such as
firewalls and NAT), delaying or prolonging the deployment of IP video and voice applications.
Firewalls and NATs – How they work
In an IP network, every device is assigned a unique IP address. All computers, telephones, and videoconference terminals have
at their disposal approximately 65,000 ports for the purpose of establishing communication channels to transmit data to other
devices on the network.
Messages between IP network devices are composed of packets that contain the following information: the IP address of the
terminal that has generated the message, the port number from which the message has been sent, the IP address of the
destination terminal, the port number at the destination, and the data being sent.
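To make the blocking behaviour described above concrete, here is an added example (not code from the original document): a toy NAT device with a stateful firewall that translates the packet fields listed above, admits only replies to an existing mapping, drops unsolicited inbound calls, and, when a simple SIP ALG is enabled, patches the private address that a SIP INVITE carries in its Contact header and SDP body. The addresses, the INVITE text and the names NatFirewall, send_out, receive_in and demo are constructed for this illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class Packet:                 # the five fields the text lists
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    data: str

@dataclass
class NatFirewall:
    public_ip: str
    sip_alg: bool = False     # apply the SIP address fix-up an ALG performs?
    out_map: Dict[Tuple[str, int], int] = field(default_factory=dict)   # private -> public port
    in_map: Dict[int, Tuple[str, int]] = field(default_factory=dict)    # public port -> private
    def send_out(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:                       # first use: allocate a public port
            self.out_map[key] = 40000 + len(self.in_map)
            self.in_map[self.out_map[key]] = key
        pub_port = self.out_map[key]
        data = pkt.data
        if self.sip_alg and data.startswith(("INVITE", "REGISTER", "SIP/2.0")):
            # The ALG recognises SIP and patches the private address in Contact / SDP.
            data = data.replace(f"{pkt.src_ip}:{pkt.src_port}", f"{self.public_ip}:{pub_port}")
            data = data.replace(f"IN IP4 {pkt.src_ip}", f"IN IP4 {self.public_ip}")
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, data)

    def receive_in(self, pkt: Packet) -> Optional[Packet]:
        # Public -> private: only traffic to an existing mapping is let through.
        target = self.in_map.get(pkt.dst_port)
        if target is None:
            return None       # unsolicited: no mapping, the firewall drops it
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1], pkt.data)

# Constructed sample SIP INVITE from a phone on the private network (RFC 5737 addresses).
INVITE = ("INVITE sip:bob@203.0.113.9 SIP/2.0\r\n"
          "Contact: <sip:alice@10.0.0.5:5060>\r\n\r\n"
          "c=IN IP4 10.0.0.5\r\n")

def demo(sip_alg: bool):
    nat = NatFirewall(public_ip="198.51.100.1", sip_alg=sip_alg)
    out = nat.send_out(Packet("10.0.0.5", 5060, "203.0.113.9", 5060, INVITE))
    # The callee answers to the translated header address, which the mapping admits ...
    reply = nat.receive_in(Packet("203.0.113.9", 5060, out.src_ip, out.src_port, "SIP/2.0 200 OK"))
    # ... while an unsolicited call to the public address finds no mapping and is dropped.
    cold = nat.receive_in(Packet("203.0.113.9", 5060, "198.51.100.1", 5060, INVITE))
    return out, reply, cold
```

Without the ALG the outgoing INVITE still advertises 10.0.0.5 inside its payload, so the remote party would try to send media to an unreachable private address even though the header was translated.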