August 2004
Hosted NAT Traversal Unlocks VoIP Offerings
BY JIM GREENWAY
Carriers and next generation service providers are rolling out VoIP services
like IP Centrex and hosted SOHO/residential VoIP services at an increasingly
rapid pace. A key enabler for these hosted IP telephony services is an
application called Hosted NAT (Network Address Translator) Traversal. The
application is usually delivered via a session border controller that is
deployed in the carrier/service provider�s network. The goal for service
providers and carriers is to be able to seamlessly deliver VoIP services
without territorial boundaries or NAT/firewall devices limiting that
capability and without changing the IP infrastructure that is typically
already in place.
Network Address Translation (NAT) has been in use for years by IT managers
and serves a critical, well-understood role as the gatekeeper and point of
demarcation between a trusted LAN and the untrusted Internet. NAT provides a
solution to several problems, most importantly, IP address preservation and
security functions. By using �private� addresses for endpoints and devices
on a LAN and by assigning a single public IP address to the firewall, both
of these problems are addressed. With a few exceptions, NAT�s role has
remained unchanged for years.
The proliferation of VoIP is changing things however, as traditional NAT
devices are unable to handle the demands of real time packet traffic.
Session Border Control (SBC) has been introduced over the last couple of
years to address the nuances embodied in sending point-to-point IP packets
across legacy firewalls and other NAT devices. VoIP is the primary
application of focus, but video conferencing, online gaming, and other
real-time applications suffer from the same problems.
VoIP and Legacy Firewall Issues
VoIP is fundamentally incompatible with traditional firewalls. The key
problems are:
� Firewalls admit external traffic only if it was initiated from the private
LAN.
� VoIP calls that are initiated from the outside are discarded by the
firewall.
� VoIP packets consist of signaling and media packets with embedded
signaling that is not understood by the firewall.
� VoIP calls use dynamically assigned UDP ports instead of the statically
allocated ones that firewalls usually dedicate to specific users or
applications.
� VoIP generates many smaller packets and can easily overwhelm traditional
firewalls and NAT devices.
These issues can be addressed by adding SBC functionality. SBCs essentially
intercept VoIP packets and change them so that they are recognizable by the
legacy firewall or NAT device. The SBC mediates between the LAN and the
Internet by modifying the signaling and bearer packets in both directions.
This functionality is referred to as network-hosted NAT traversal (aka
far-end NAT traversal), since the SBC is located typically in the VoIP
service provider�s network and performs the modifications to the incoming
and outgoing VoIP packets from a centralized location.
The benefits of network-hosted NAT traversal to VoIP service providers are
many:
� No additional customer premise equipment is required thus making this a
very cost effective solution.
� No changes are required to existing network infrastructure or to
firewalls, IADs, or other NAT devices that are located at the customer site.
� Security is kept intact as private addresses can be utilized for all VoIP
end-user devices.
� The solution is compatible with most VoIP end devices and NAT/firewall
premise equipment types making it easy and fast to implement.
A VoIP Service Provider Example
New Global Telecom (www.ngt.com) provides
telephony solutions to service providers worldwide, including wholesale VoIP
telephony services that enable service providers to rapidly and
cost-effectively enter the Hosted IP Telephony marketplace. The company�s
network includes international gateway switches in New York, Los Angeles,
and Miami, a 24x7 voice and data network operations center (NOC), as well as
comprehensive tools and systems to monitor/manage TDM and IP telephony
networks.
New Global Telecom (NGT) developed its outsourced wholesale IP services
suite for service providers seeking entry into the VoIP marketplace. The
suite includes Hosted IP PBX and Class 5 feature services, end-customer
support, network and facilities management (including NOC), and back office
support. New Global Telecom�s customers include ISPs, carriers, and other
service providers seeking to expand revenue via a low-risk, low-cost,
managed wholesale solution.
NGT
needed to solve the NAT issue to deliver its service to its domestic and
international customers. The key requirements they were looking for were:
� Remote NAT traversal � the ability to deliver Class 5 services to VoIP
endpoints that utilize existing NAT and firewall devices (sometimes more
than one NAT device);
� Portability � support for roaming VoIP users;
� Security � utilizing private IP addresses for VoIP users;
� Co-media support � the ability to send media between co-located devices
where it does not make sense to route the media back to the IP network; and
� No added equipment, eliminating the need to add any CPE.
They chose to deploy SBC technology to address these issues. The solution is
a network-hosted, carrier-grade product supporting both SIP and MGCP in a
very secure, fault-tolerant configuration.
Added Hosted NAT Traversal Benefits
In addition to solving the firewall NAT traversal problem, using a session
border controller has additional benefits to carriers/service providers like
NGT. Security is enhanced since customer VoIP endpoints are utilizing a
private address and cannot be hacked or accessed directly from the Internet.
Thus, the SBC is actually a �VoIP-enabled firewall� that protects the VoIP
endpoints from the public Internet and also protects the service providers
VoIP infrastructure elements (softswitch, application server, etc.) from
malicious attacks and/or from misbehaving endpoints and other IP security
issues.
Another key benefit is support for �roaming� and remote- users. As companies
utilize more teleworkers, and as users increasingly need to work remotely,
VoIP is becoming the preferred technology to enable total mobility. Hotels
and �hotspots� like Starbucks can be accommodated with the use of network
NAT traversal.
Conclusion
Hosted NAT traversal is being deployed by service providers like New Global
Telecom as well as by most large worldwide carriers who are targeting SOHO/residential
or small enterprises with a scalable, VoIP service. The key benefits
translate into faster time to market and dramatically lower costs than
solutions requiring premise equipment or upgrades or change-out of
customers� existing firewall/NAT devices. IP address preservation, enhanced
security, no additional CPE or changes to existing NAT/firewall devices,
minimal or no configuration and support for roaming users are all advantages
afforded by the addition of a SBC that delivers a network-hosted NAT
traversal capability.
Jim Greenway is vice president of marketing for Kagoor Networks. For more
information, please visit the company online at
www.kagoor.com
If you are interested in purchasing reprints of this article (in either
print or HTML format), please visit Reprint Management Services online at
www.reprintbuyer.com or contact a representative via e-mail at
[email protected]
or by phone at 800-290-5460.
[
Return
To The April 2004 Table Of Contents ]
|