April 2004
Migrating to SIP: Five Myths
BY OLLE WESTERBERG
The promise of IP-based real-time communications services is now being
made possible by SIP (Session Initiation Protocol), the new standard for
Internet telephony, instant messaging and a host of applications that can
save any business time and money. But what's the cost of bringing SIP to the
enterprise? What should the IT purchaser look for when making the investment
in SIP services? Is it really necessary to replace the entire network just
to accept SIP? And what about security?
You may have realized that it's time to migrate your network to SIP. Some of
the industry's most influential giants are developing products and
applications that rely exclusively on SIP. For instance, Microsoft has
chosen SIP for its real-time communications strategy and has deployed it in
its Office Live Communications Server as well as other platforms.
Following are the top five myths in migrating your network to SIP:
Myth #1: I have to replace the entire network.
It is not necessary to replace your entire network to accept SIP. The
critical stopgap for adopting SIP-based communications is the enterprise
firewall. Frequently, swapping your current firewall for one that is
SIP-enabled is all that's necessary. The investment in a new firewall is far
less expensive than upgrading the equipment it likely took years to
aggregate.
Myth #2: I can SIP-enable my current enterprise firewall, can't I?
It is impossible to SIP-enable any enterprise firewall that's not already
engineered to accept the protocol. Even high-end firewalls, from the biggest
brand name companies, cannot be retrofitted to accept SIP. Remember, not all
enterprise firewalls are the same. There are only a few firewalls on the
market that are SIP-enabled. Be sure that the firewall you purchase is
SIP-ready at the outset.
Myth #3: Traversing the firewall is impossible for SIP-based communications.
Not true. Firewalls make the LAN private and not a part of the public
Internet. They block unwanted access and generally prohibit inbound traffic.
The shortage of IP addresses has also led to the need for NATs (Network
Address Translators) that allow the use of many private IP addresses behind
a single public IP address. NATs and firewalls (often combined into a single
product) both create problems for the SIP protocol. There are two types of
problems:
• Normal firewalls will not let SIP-based traffic through, since they do
not know which ports to open for the media. For security reasons a large
range of ports cannot be left open at all times.
• The private IP address of the recipient SIP end-point device is
unknown.
It is critical that your SIP-capable firewall incorporate a SIP ALG, a
SIP Proxy, and a SIP registrar. With these functions, the firewall
understands the SIP signaling, directs the signal to the proper private IP
address, controls the firewall and opens the media ports only when they are
needed and closes them as soon as the session is finished. This means that
the SIP traffic is let through, while the unwanted traffic is still stopped
by the firewall. With a proxy, SIP signaling can even be encrypted using TLS
(Transport Layer Security) to hide the signaling and the content of instant
messages, a concern for many IT security managers.
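
The pinhole behavior described above can be sketched in a few lines. This is an added example, not code from the article or from any firewall product: it reads the SDP carried in SIP signaling, opens only the media ports a session announces, and closes them when the session ends. The class and function names, addresses and messages are constructed, and closing on the BYE or CANCEL request itself is a simplification.

```python
# Added example: models how a SIP-aware firewall tracks media pinholes.
# All names, addresses and messages are constructed for illustration.

def parse_sdp(body):
    """Return {(ip, port)} for each active media stream in an SDP body."""
    session_addr, media = None, []
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2]
            if media:
                media[-1][1] = addr      # media-level c= overrides session-level
            else:
                session_addr = addr
        elif line.startswith("m="):
            port = line[2:].split()[1]
            media.append([int(port.split("/")[0]), None])
    # Port 0 means the stream was declined: never open a pinhole for it.
    return {(a or session_addr, p) for p, a in media if p and (a or session_addr)}

class PinholeTable:
    def __init__(self):
        self.by_call = {}                # Call-ID -> set of (ip, port)

    def handle(self, msg):
        head, _, body = msg.partition("\r\n\r\n")
        start, *rest = head.split("\r\n")
        hdr = {k.strip().lower(): v.strip()
               for k, _, v in (l.partition(":") for l in rest)}
        call_id = hdr.get("call-id")
        if not call_id:
            return
        if start.startswith(("BYE ", "CANCEL ")):
            self.by_call.pop(call_id, None)          # session over: close ports
        elif "application/sdp" in hdr.get("content-type", "").lower():
            self.by_call.setdefault(call_id, set()).update(parse_sdp(body))

    def allows(self, ip, port):
        return any((ip, port) in s for s in self.by_call.values())

def sip(start, call_id, sdp=None):
    lines = [start, f"Call-ID: {call_id}"]
    if sdp:
        lines.append("Content-Type: application/sdp")
    return "\r\n".join(lines) + "\r\n\r\n" + ("\r\n".join(sdp) + "\r\n" if sdp else "")

INVITE = sip("INVITE sip:bob@example.com SIP/2.0", "c1@example",
             ["v=0", "c=IN IP4 10.0.0.5", "m=audio 49170 RTP/AVP 0", "m=video 0 RTP/AVP 31"])
OK = sip("SIP/2.0 200 OK", "c1@example",
         ["v=0", "c=IN IP4 198.51.100.7", "m=audio 3456 RTP/AVP 0"])
BYE = sip("BYE sip:bob@example.com SIP/2.0", "c1@example")
```

Feeding INVITE, OK and BYE to one PinholeTable in that order shows each media port allowed only between the offer or answer that names it and the end of the call.
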
Myth #4: My network will never be secure if I use SIP.
Using a firewall to bring SIP to your enterprise will be the single most
important step you take in ensuring the security of your network with VoIP
and other SIP-based applications. Firewalls are designed to protect your
enterprise; if you purchase a firewall specifically designed to do just that
- protect the network - that's also geared to enabling SIP, you can be
confident in your purchase. A SIP registrar is also a must-have if your
firewall is going to keep your network secure while allowing the use of SIP
applications. A SIP registrar records the location of every SIP device on
the private network. This allows the SIP registrar to direct incoming and
outgoing traffic to the correct device, while still hiding the private IP
address from the outside.
Myth #5: Configuring a SIP-capable firewall will be next to impossible.
Some SIP-capable firewalls boast a Graphical User Interface (GUI) that
makes set-up, and day-to-day use, easy. The GUI can also be a tremendous
benefit with regard to troubleshooting. Several companies also have
help-desk support. It's critical to choose a firewall with free help support
- preferably available online as well as by phone - for issues that need
immediate resolution.
In short, SIP-enabling an enterprise network can be limited to installing
a SIP-capable firewall or adding a SIP proxy to your existing network.
Rather than being a costly and difficult task, the upgrade can be
accomplished simply and easily, with minimal cost, and the benefits in
productivity far outweigh those costs. With applications on the market
today, and perhaps already installed on your desktop, a SIP-enabled network
will allow your firm to enjoy the benefits of the next evolution of the
Internet.
Olle Westerberg is CEO of Ingate Systems, a leader in next generation
firewall technology. For more information, visit
www.ingate.com.