Pete Intermediate
Joined: December 05 2006 Posts: 12
Posted: December 06 2006 at 5:09pm
LanScape folks:
From my research I've learned that the NAT/firewall traversal issue has traditionally been a major problem for VoIP systems. I know your Server/Media Proxy products address the issue but I'm having trouble envisioning how to utilize them to exchange secure VoIP data. I was wondering if you could provide examples/diagrams of a typical LanScape secure VoIP system? I've seen diagrams from other vendors (sigh) which show items similar to your Proxies sitting either inside or outside the NAT/firewall boundary. I'm curious where yours would typically reside.
One specific question I can think of - can I use just one set of Proxies to cover my entire SIP domain, even if that domain includes several NAT/firewalls at different sites?
support Administrator
Joined: January 26 2005 Location: United States Posts: 1666
Posted: December 06 2006 at 6:23pm
Hi Pete,
You are correct. For all the great things that NAT does for us, NAT is the worst thing that ever happened to VOIP and other peer-to-peer technologies.
If you want to see how we recommend deploying the proxy products, take a look in the Centrex SIP proxy or VOIP media proxy user references. Those docs have some deployment diagrams that are similar. The proxy products can be deployed in the global IP address space (the internet) or behind your outermost NAT router/firewall. At LanScape, we deploy all our voip proxies behind hardware NAT routers for additional network security.
Regarding a “secure VOIP system”:
I’m not sure what you mean. Do you mean keeping your VOIP server secure from the internet or do you mean VOIP security like in encrypted SIP session data and encrypted RTP media streams?
<<< You
One specific question I can think of - can I use just one set of Proxies to cover my entire SIP domain, even if that domain includes several NAT/firewalls at different sites?
Support >>>
Yes. That’s OK. You just have to locate your VOIP server(s) so all SIP devices can access them. Then just keep adding users to your VOIP domain until your VOIP servers can no longer keep up with the load.
Support
Pete Intermediate
Joined: December 05 2006 Posts: 12
Posted: December 07 2006 at 3:43pm
Yo Mr. support,
I realized on the way home last night my "secure VOIP system" phrase might be confusing. I was working out two different issues in my head.
At some point I'll probably start (yet another!) forum thread about DATA security (i.e. encryption), but this particular thread should only have been about NAT/firewall.
Sorry about that folks - sleep deprivation is highly underrated. ;-)
support Administrator
Joined: January 26 2005 Location: United States Posts: 1666
Posted: December 07 2006 at 4:21pm
Hi Pete,
Go ahead and post to other new thread topics. Whatever you need. If we start something that is of no use to us or others, we can just delete it. No worries.
Sleep: Yup. Been there, done that. Got the T-shirt.
Note regarding encryption:
We have other customers that want encrypted SIP and RTP capabilities. I know our engineers are formulating an approach for SIP encryption but I can't say much more than that.
Encryption of the session (SIP) protocol and the RTP media stream data will be VERY useful for many individuals that reside on restricted networks (i.e. IP networks that are restricted due to country boundaries).
Application-defined RTP encryption is also useful if you don’t want “any old network” sniffer like Ethereal to be able to packet capture your call’s RTP media stream for later analysis.
Support