Getting Through The Firewall

8/25/2006 10:52 PM Eastern

When business communications are interrupted, the financial ramifications can range from a slight annoyance to simply disastrous. This is why research firm In-Stat expects $3.8 billion will be spent on firewall products this year alone.

After weeks of preparation, the big day has finally arrived: the big board meeting everyone's been talking about. With senior executives on hand in three remote offices gearing up for presentations, everyone anxiously awaits the start of the videoconference. Unfortunately, the enterprise security systems (firewalls and network address translation, or NAT, routers) make it impossible to connect to the client's video system. After 15 minutes of troubleshooting by senior-level IT support staff, the participants finally give up, opting instead for the antiquated but reliable audio call, not exactly the way you want to start an important meeting.

When business communications like these are interrupted, the financial ramifications can range from a slight annoyance to simply disastrous. This is why research firm In-Stat expects $3.8 billion will be spent on firewall products this year alone. In order to avoid a replay of the scenario described above, it's important to understand the technical issues behind the network address translation (NAT)/firewall videoconferencing problem. Let's take a closer look at how all of this fits together.

Underlying issues

On an IP network, each connected device (computers, IP telephones, printers, servers, and even videoconferencing systems) is assigned a unique IP address. Within an isolated network, IP addresses can be assigned freely, as long as each one is unique; in practice they are drawn from the ranges reserved for private use by RFC 1918 (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16), which are never routed on the public Internet. These addresses are referred to as local, local area network (LAN), or private IP addresses.

When devices communicate, they transmit information on specific communication channels or network data ports. Transmissions between devices can use one or many of the 65,536 ports (numbered 0 through 65535) available per transport protocol on each IP address. Messages sent between devices are transferred in the form of blocks of information called data packets, with each data packet containing the following pieces of information:
  • The IP address of the source device.
  • The port number used by the source device for this communication transaction.
  • The IP address of the destination device.
  • The port number on the destination device that should receive the message.
  • The data to be transmitted (often called the payload).

Data packets also include additional information such as the transport protocol in use (TCP, UDP, etc.), the quality of service marking requested (which tells routers how to prioritize the packet relative to other traffic), an identification field used to reassemble fragmented packets, and other fields that help the network process and manage the transmission of the data packet. Taken together, the two addresses, the two port numbers, and the transport protocol form the "five-tuple" that firewalls and NAT devices use to recognize which session a packet belongs to.
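To make the fields above concrete, here is a small parser for an IPv4/UDP (or TCP) datagram that extracts exactly the items listed: addresses, ports, protocol, the DSCP quality-of-service marking, the identification field, and the payload. This is an added example written for this page, not code from the original article; the sample packet is constructed in the block (the addresses, ports, and the SIP request text are assumptions) and the checksums are left at zero because the parser does not verify them.

```python
import struct
from ipaddress import IPv4Address

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_ipv4_udp(src_ip, dst_ip, src_port, dst_port, payload,
                   dscp=46, ident=0x1234, ttl=64):
    """Assemble a minimal IPv4 datagram carrying one UDP segment.

    Constructed test traffic: both checksums are left at zero (a real stack
    would compute them) because parse_packet() below does not check them.
    """
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    ver_ihl = (4 << 4) | 5          # IPv4, header length 5 x 32-bit words = 20 bytes
    tos = dscp << 2                 # DSCP occupies the top six bits of the TOS byte
    ip = struct.pack("!BBHHHBBH4s4s",
                     ver_ihl, tos, 20 + udp_len, ident, 0, ttl, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return ip + udp


def parse_packet(raw):
    """Pull out the fields the text lists: addresses, ports, protocol,
    QoS marking, identification, and the payload."""
    (ver_ihl, tos, total_len, ident, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("only IPv4 is handled here")
    ihl = (ver_ihl & 0x0F) * 4      # header length in bytes (options included)
    info = {
        "src_ip": str(IPv4Address(src)),
        "dst_ip": str(IPv4Address(dst)),
        "protocol": PROTO_NAMES.get(proto, str(proto)),
        "dscp": tos >> 2,
        "id": ident,
        "ttl": ttl,
    }
    l4 = raw[ihl:total_len]
    if proto == 17:                 # UDP: fixed 8-byte header
        info["src_port"], info["dst_port"] = struct.unpack("!HH", l4[:4])
        info["payload"] = l4[8:]
    elif proto == 6:                # TCP: header length is in the data-offset nibble
        info["src_port"], info["dst_port"] = struct.unpack("!HH", l4[:4])
        info["payload"] = l4[(l4[12] >> 4) * 4:]
    else:
        info["payload"] = l4
    return info


def five_tuple(info):
    """The key a firewall or NAT device uses to recognise a session."""
    return (info["protocol"], info["src_ip"], info["src_port"],
            info["dst_ip"], info["dst_port"])


# Constructed sample: a SIP request from a private address to a public one.
SAMPLE = build_ipv4_udp("192.168.1.20", "203.0.113.7", 49152, 5060,
                        b"INVITE sip:room@203.0.113.7 SIP/2.0")

if __name__ == "__main__":
    fields = parse_packet(SAMPLE)
    print(five_tuple(fields), "DSCP", fields["dscp"], "ID", hex(fields["id"]))
```

Everything a plain (non-ALG) firewall or NAT router decides on is in the first five values returned by `five_tuple()`; the payload is carried along untouched, which is the root of the embedded-address problem discussed later in the article.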

Inside the firewall

As shown in the figure at right, firewalls are installed at the periphery of the data network (also called the network edge) to protect that network from unauthorized access. In the typical enterprise, a firewall is used to keep external (Internet) users from gaining access to the computers, servers, and devices on the enterprise network.

Firewalls do their job by inspecting all data packets, both incoming and outgoing, as they attempt to traverse between the internal (private) and external networks. Specifically, the firewall looks at the source and destination IP addresses, the port numbers, and the transport protocol of each data packet, checks whether the packet belongs to a session it has already seen (this is what makes a firewall "stateful"), and then follows a pre-configured set of rules regarding which traffic is allowed to pass. Most enterprise firewall rule sets include some form of the following:

Rule #1 – Traffic sent from a computer or device inside the firewall to the outside world is permitted. Some enterprises choose to limit certain types of outgoing traffic, such as instant messaging.

Rule #2 – Traffic sent from outside the firewall in response to a data request made from inside the firewall is permitted. The firewall recognizes a response by matching it against the record it kept of the outgoing request.

Rule #3 – All “unsolicited” traffic from outside the firewall destined for a computer or device inside the firewall is rejected and discarded.

The first two rules allow internal computer users to reach out to and request data from the public Internet. The third rule ensures that external traffic can't permeate the internal network and reach internal computers and devices.

Understanding NAT

NAT is a technique that allows a LAN to use one set of IP addresses for internal traffic and a second address (or set of addresses) for external traffic. NAT occurs at the network edge, and in many cases is a function within an enterprise firewall/router.

To the Internet, a network using NAT looks like one (or a small number of) computers, but on the LAN each computer has its own local internal IP address. As traffic passes from the private network to the public one, the NAT device rewrites the local source IP address and port in each packet to the public IP address (or one of the public addresses) and a port it assigns. The NAT device also maintains a temporary record of each translation so that it can route incoming replies back to the proper local device. NAT provides several key benefits, including:

  • The ability to share a single IP address among large numbers of computers, which simplifies internal network management and saves money (each reserved public IP address has an associated cost).
  • The ability to use large numbers of internal IP addresses without conflicting with IP addresses used on external networks.
  • The ability to “hide” internal devices from the outside world by assigning them private IP addresses that aren't reachable from outside devices. (This hiding is a side effect of translation rather than a security control in itself: any port the NAT device is configured to forward exposes the device behind it, so the firewall rules still matter.)

The NAT router replaces the private IP address and communication port in each data packet with an assigned port on the public IP address. The NAT router maintains a translation table (see below) of these address and port assignments, and deletes entries as each particular communication session ends.

The result is that the external computer has no direct connection to the local computer (all connections bounce through the NAT router), and that the external computer remains unaware of the local computer's IP address and communication port.
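The three firewall rules and the NAT translation table described in the two sections above are really one mechanism, so here is a single simulation that serves both: a router with one public address that rewrites outbound packets, records the mapping, translates matching replies back, and discards everything else. This is an added example written for this page, not code from the original article or from any vendor's product; the public address 198.51.100.1, the remote hosts, the starting public port of 40000, and the traffic in `demo()` are all assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatFirewall:
    """One public address shared by the LAN; the translation table is keyed on
    the whole session so that only replies to sessions started inside get in."""

    def __init__(self, public_ip, first_public_port=40000):
        self.public_ip = public_ip
        self.next_port = first_public_port
        self.outbound_map = {}   # (proto, priv_ip, priv_port, rem_ip, rem_port) -> public port
        self.inbound_map = {}    # (proto, public port, rem_ip, rem_port) -> (priv_ip, priv_port)
        self.dropped = []        # packets discarded under rule 3

    def outbound(self, pkt):
        """Rule 1: inside -> outside is permitted. The private source address
        and port are rewritten to the public address and an assigned port, and
        the mapping is recorded so the reply can be routed back."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound_map:
            public_port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = public_port
            self.inbound_map[(pkt.proto, public_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, self.outbound_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Rule 2: a packet matching a recorded session is translated back to
        the private address. Rule 3: anything else is unsolicited and dropped."""
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.dst_ip != self.public_ip or key not in self.inbound_map:
            self.dropped.append(pkt)
            return None
        priv_ip, priv_port = self.inbound_map[key]
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, priv_ip, priv_port)

    def session_ended(self, pkt):
        """Delete the table entries when the session closes; anything the remote
        host sends afterwards counts as unsolicited again."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self.outbound_map.pop(key, None)
        if public_port is not None:
            self.inbound_map.pop((pkt.proto, public_port, pkt.dst_ip, pkt.dst_port), None)


def demo():
    """Constructed traffic: a web request and its reply, then an unsolicited
    H.323 call setup (TCP 1720) aimed straight at the public address."""
    nat = NatFirewall("198.51.100.1")
    web = Packet("TCP", "192.168.1.20", 51000, "203.0.113.10", 80)
    on_the_wire = nat.outbound(web)
    reply = nat.inbound(Packet("TCP", "203.0.113.10", 80, on_the_wire.src_ip, on_the_wire.src_port))
    call = nat.inbound(Packet("TCP", "203.0.113.50", 1720, "198.51.100.1", 1720))
    nat.session_ended(web)
    late = nat.inbound(Packet("TCP", "203.0.113.10", 80, on_the_wire.src_ip, on_the_wire.src_port))
    return on_the_wire, reply, call, late


if __name__ == "__main__":
    for label, result in zip(("translated request", "reply", "unsolicited call", "after close"), demo()):
        print(f"{label}: {result}")
```

The incoming call in `demo()` is dropped not because of anything in its payload but because no entry in the table matches it, which is exactly why an outside endpoint cannot ring a video system behind this device.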

The NAT/firewall problem

In order to conduct a videoconference, the participating video systems must be able to successfully send data back and forth. Unfortunately, NATs and firewalls often block this seemingly simple process.

To a network firewall, an incoming video (or voice) call request presents itself as unsolicited traffic from an outside network, which is exactly the type of traffic the typical firewall is designed to prevent. Fortunately, most firewalls are configured to allow outgoing IP traffic (including IP video calls). However, if the remote video endpoint is also behind a firewall, this call attempt is likely to fail, as the remote firewall will see the incoming call request as unsolicited inbound traffic.

Even if the host organizations are somehow able to get past the enterprise firewall, NAT may cause the video call to fail for two reasons:

  • Endpoints behind a NAT don't have publicly accessible IP addresses, which means that one endpoint would be unable to reach out to and call the other endpoint.
  • H.323 and SIP, the two protocols most frequently used for IP videoconferencing today, embed the IP address and port of the initiating endpoint within the data packet payload (in H.225 and H.245 signaling messages for H.323; in the Via and Contact headers and the SDP session description for SIP). In a NAT environment, the address the initiating endpoint writes there is its private IP address, which can't be reached directly from the outside world. This means that the receiving endpoint may be able to receive data from the initiating endpoint, but will not be able to successfully send audio and video back to the initiating system, because it sends them to the unreachable private address.

Fortunately, there are various ways that enterprises can resolve, or at least work around, the NAT/firewall issue without significantly compromising network security.

Overcoming obstacles

From a 10,000-foot view, there are four different ways to enable IP videoconferencing in NAT/firewall environments.

Method 1: Firewall/NAT disabling or forwarding. Disabling NAT isn't a preferred method because it requires a public IP address for each network device and leaves the network unprotected from unauthorized access.

Alternatively, the enterprise can lease additional fixed public IP addresses (one for each video system) and configure the firewall to allow traffic destined for these systems to pass through. This has the advantage of maintaining the firewall and NAT benefits for the majority of the data network, but introduces several disadvantages, including:

  • Additional cost ranging from a few dollars to hundreds of dollars or more depending upon the number of IP addresses needed and your network service provider.
  • The need to use custom firewall configurations.
  • A total lack of firewall and NAT protection for the video systems, which become directly reachable from the Internet on every port the forwarding rules open.

This approach is useful only in environments with a small number of video systems in place.

Method 2: Application-level gateways and proxies. Application-level gateways, or ALGs, are firewalls that are programmed to understand and process specific types of IP communications. Rather than simply looking at the packet header (source IP address, destination IP address, etc.), ALGs dig deeper into the data packet to determine whether to allow the information to pass. In addition, the ALG's understanding of the specific protocol allows it to open (and eventually close) only the data ports in the firewall needed for that video session. This technique of dynamically opening only a small number of ports in the firewall is called “pin-holing.” Note that ALGs alone don't resolve NAT issues, and therefore a proxy (a device that translates between public and private IP addresses, including the addresses embedded in the signaling payload) is also required. Fortunately, some ALG solutions also include proxy functionality.
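The embedded-address failure described under "The NAT/firewall problem" and the ALG/proxy fix described just above are two halves of the same thing, so one added example covers both: it takes a SIP INVITE whose payload carries the endpoint's private address, shows where the far end would (unsuccessfully) send its media, and then applies the rewrite an ALG with proxy functionality performs, returning the pinholes the firewall has to open for just this session. This is example code written for this page, not the article's or any product's code; the INVITE text, the addresses, and the two public port numbers handed to `alg_rewrite()` are constructed assumptions (port allocation itself is left to the NAT).

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: a SIP INVITE sent by a video endpoint at a private address.
# As the article describes, the endpoint's own address appears inside the payload:
# in the Via and Contact headers and in the SDP o=/c= lines, next to the media
# port in the m= line. (H.323 carries the same information in H.225/H.245.)
INVITE = (
    "INVITE sip:room@203.0.113.7 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@192.168.1.20>;tag=1928301774\r\n"
    "To: <sip:room@203.0.113.7>\r\n"
    "Contact: <sip:1001@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=video 50000 RTP/AVP 96\r\n"
    "a=rtpmap:96 H264/90000\r\n"
)

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_sip(msg):
    head, _, body = msg.partition("\r\n\r\n")
    return head, body


def media_destination(sdp):
    """Where the far end will send its RTP: the c= address and the m= port."""
    addr = re.search(r"^c=IN IP4 (\S+)", sdp, re.M).group(1)
    port = int(re.search(r"^m=\w+ (\d+) ", sdp, re.M).group(1))
    return addr, port


def reachable_from_internet(addr):
    """A public endpoint cannot route packets to an RFC 1918 address, so media
    sent there never arrives: the one-way audio/video failure."""
    return not any(ip_address(addr) in net for net in RFC1918)


def alg_rewrite(msg, public_ip, signalling_port, media_port):
    """What a SIP-aware ALG with proxy function adds on top of plain NAT:
    rewrite the embedded private address and ports to the NAT's public address
    and the ports allocated for this call, and report the pinholes to open."""
    head, body = split_sip(msg)
    private_ip, _ = media_destination(body)
    pattern = re.compile(rf"{re.escape(private_ip)}(:\d+)?")
    lines = []
    for line in head.split("\r\n"):
        # Via and Contact tell the far end where to send signalling replies;
        # From/To are identities, not routing addresses, and are left alone.
        if line.startswith(("Via:", "Contact:")):
            line = pattern.sub(f"{public_ip}:{signalling_port}", line)
        lines.append(line)
    head = "\r\n".join(lines)
    body = body.replace(f"IN IP4 {private_ip}", f"IN IP4 {public_ip}")
    body = re.sub(r"^(m=\w+ )\d+", rf"\g<1>{media_port}", body, flags=re.M)
    pinholes = [("UDP", public_ip, signalling_port),
                ("UDP", public_ip, media_port),
                ("UDP", public_ip, media_port + 1)]   # RTCP conventionally uses port + 1
    return head + "\r\n\r\n" + body, pinholes


if __name__ == "__main__":
    addr, port = media_destination(split_sip(INVITE)[1])
    print("far end would send media to", addr, port, "reachable:", reachable_from_internet(addr))
    fixed, holes = alg_rewrite(INVITE, "198.51.100.1", 40001, 40002)
    print(fixed)
    print("pinholes:", holes)
```

The pinhole list is what distinguishes an ALG from a static port forward: the three ports are opened for this call's peer only and closed again when the session ends, instead of a standing rule that exposes the endpoint to everyone.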

ALGs are available in two flavors: 1) as a standalone firewall that can either augment or replace the existing firewall(s), or 2) as a software upgrade/add-on to many popular enterprise firewalls. Although ALGs and proxies can effectively resolve the NAT/firewall issue, the fact that they involve either an upgrade or modification of the existing enterprise firewall(s) means that they may be difficult and costly (software upgrades can cost thousands of dollars) for some organizations to deploy.

Method 3: MCU traversal. Some organizations overcome NAT and firewall traversal issues by placing a multipoint video bridge (or multipoint control unit, MCU) between the private and public networks. This requires an MCU with two network interface cards (or NICs), one connected to the private network and one to the public network. In this configuration, all video calls involving both internal and external sites connect through the MCU, regardless of the number of sites in the meeting.

From a data networking perspective, this method is quite secure because the participating video sites don't actually connect to each other. Instead, each site is connecting to the video bridge, which then passes only the audio, video, and shared content data between the participating systems. The dual-homed MCU, however, now has a foot on both networks and is reachable from the Internet, so it needs to be hardened, patched, and monitored like any other exposed host.

The primary advantage of this method is that it allows video calls between internal and external sites without having to modify or update the enterprise firewall. The disadvantages are that even point-to-point calls require the use of expensive video bridge ports, which can cost several thousand dollars per port, and that environments with multiple NATs will require multiple MCUs. For these reasons, this method doesn't scale very well.

Method 4: Firewall tunneling. Most organizations are reluctant to modify, upgrade, or bypass their existing NAT and firewall configurations. Firewall tunneling solutions, which are covered under the ITU H.460 standard ratified in 2005, avoid the NAT/firewall problem by tunneling videoconferencing traffic through a limited number of firewall ports. The typical firewall tunneling solution involves two parts:

  • A session border controller (SBC) installed outside the firewall.
  • A local software client running behind the firewall, either within the video endpoints themselves or elsewhere (perhaps as part of a gatekeeper or other piece of software).

Tunneling solutions take advantage of the fact that most organizations allow data traffic originating from inside the network to pass through the firewall. When the local software client starts up, which usually happens automatically when the H.460-capable video endpoint is turned on, it registers with the SBC located outside the firewall and keeps that session alive (a stateful firewall or NAT would otherwise discard the idle session's table entry after a timeout). The SBC then tracks the IP address and port information for each video system and routes incoming and outgoing video traffic accordingly. Because the video system has already initiated a communication session with the SBC, an incoming call routed via the SBC is seen as a response to a request from a system behind the firewall, and is permitted to pass through. The result is that video systems behind the firewall are able to place and receive video calls from endpoints outside the firewall.

The primary advantages of tunneling solutions are ease of deployment, the fact that the traffic doesn't bypass the enterprise NAT/firewall systems, and that the private IP addresses of internal endpoints aren't revealed. The disadvantages of these solutions include:

  • The need to purchase the SBC and potentially the client software (total cost ranging from $7,000 to more than $40,000, depending upon the manufacturer, call volume, and number of sites involved).
  • The fact that all traffic must travel through the SBC, creating both a potential bottleneck and single point of failure.
  • The fact that the SBC is an Internet-facing device that every registered endpoint implicitly trusts to deliver calls through the firewall, so it has to be hardened, patched, and monitored like any other exposed host.
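The exchange described above, as an added example that is not part of the original article or of any vendor's H.460 implementation: a stateful edge firewall that expires idle sessions, an endpoint that registers outbound to an SBC and refreshes that session, and an outside caller whose call is delivered down the endpoint's own session while a direct attempt is dropped. The addresses, the 60-second idle timeout, and the message names are assumptions made for the example.

```python
class EdgeFirewall:
    """Minimal stateful filter: it remembers sessions started from inside and
    drops each entry after `idle_timeout` seconds without traffic, which is
    why the tunnelling client has to keep its session alive."""

    def __init__(self, idle_timeout=60):
        self.idle_timeout = idle_timeout
        self.clock = 0
        self.sessions = {}          # (inside addr, outside addr) -> last seen

    def advance(self, seconds):
        """Move the simulated clock and purge idle table entries."""
        self.clock += seconds
        for key in [k for k, t in self.sessions.items() if self.clock - t > self.idle_timeout]:
            del self.sessions[key]

    def outbound(self, inside, outside):
        self.sessions[(inside, outside)] = self.clock      # rule 1: inside -> outside allowed
        return True

    def inbound(self, outside, inside):
        if (inside, outside) in self.sessions:              # rule 2: matches a known session
            self.sessions[(inside, outside)] = self.clock
            return True
        return False                                        # rule 3: unsolicited, dropped


class Endpoint:
    def __init__(self, alias, addr):
        self.alias, self.addr, self.received = alias, addr, []


class SessionBorderController:
    """Sits outside the firewall. Endpoints register to it from inside, and a
    call for a registered alias is delivered down that endpoint's own session."""

    def __init__(self, addr, firewall):
        self.addr, self.fw, self.registry = addr, firewall, {}

    def register(self, ep):
        if self.fw.outbound(ep.addr, self.addr):            # the client initiates
            self.registry[ep.alias] = ep
        return ep.alias in self.registry

    def keepalive(self, ep):
        return self.fw.outbound(ep.addr, self.addr)         # refreshes the table entry

    def route_call(self, caller, alias, msg):
        ep = self.registry.get(alias)
        # SBC -> endpoint travels on the session the endpoint opened, so the
        # firewall sees it as a reply rather than as unsolicited traffic.
        if ep is None or not self.fw.inbound(self.addr, ep.addr):
            return False
        ep.received.append(f"{caller}: {msg}")
        return True


def direct_call(fw, caller, ep, msg):
    """A caller that bypasses the SBC and aims straight at the endpoint."""
    if not fw.inbound(caller, ep.addr):
        return False
    ep.received.append(f"{caller}: {msg}")
    return True


def scenario():
    """Constructed scenario: one boardroom endpoint, one SBC, one outside caller."""
    fw = EdgeFirewall(idle_timeout=60)
    sbc = SessionBorderController("203.0.113.5", fw)
    room = Endpoint("boardroom", "192.168.1.20")
    caller = "198.51.100.9"
    results = {}
    results["direct, before registration"] = direct_call(fw, caller, room, "SETUP")
    sbc.register(room)
    results["via SBC"] = sbc.route_call(caller, "boardroom", "SETUP")
    results["direct, while registered"] = direct_call(fw, caller, room, "SETUP")
    fw.advance(45)
    sbc.keepalive(room)                 # without this the entry expires at t=61
    fw.advance(45)
    results["via SBC, after keepalive"] = sbc.route_call(caller, "boardroom", "SETUP")
    fw.advance(120)                     # client stops refreshing: entry times out
    results["via SBC, session expired"] = sbc.route_call(caller, "boardroom", "SETUP")
    return results, room.received


if __name__ == "__main__":
    for label, ok in scenario()[0].items():
        print(f"{label}: {'delivered' if ok else 'dropped'}")
```

Note that the firewall configuration never changes in this scenario: the only thing that determines whether the boardroom can be called is whether its own outbound session to the SBC is still in the table, which is both the strength of the approach and the reason the SBC is a single point of failure.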

Weinstein is a senior analyst and partner at Wainhouse Research LLC in Boston. He can be reached at
