Network Address Translation and Firewalls
Introduction
Security is an important issue when it comes to networking. Two products have been developed to help in this area: Network Address Translation (NAT) devices and firewalls. Both have an impact on the successful use of videoconferencing. Most videoconferencing products have the capability of working in an environment where one or both of these devices exist. The following describes in technical detail how these devices work and how to have them configured so that they will not block videoconferencing information from getting through.
Network Address Translation
The Network Address Translation device, or NAT box, was developed for two reasons:
- To increase the amount of IP address space that is available to connect devices to the Internet
- To provide a measure of security so that unauthorized devices cannot access the local network to which they are attached.
With the ever-increasing installation of devices that are connected to the public Internet and that require IP addresses, we are in danger of running out of address space. In the home environment, users typically have one or more devices they wish to have connected to the Internet. Connectivity is typically made through a commercial Internet Service Provider (ISP). Given the limited number of IP addresses available to it, the ISP would rather allot only one IP address to each residential site. The user must then figure out how to support all of their devices using one IP address. This is where the NAT box comes into play.
The IP address assigned by the ISP is called a "routable" IP address. Anyone on the Internet can send information to that IP address, and the Internet will know how to route the information to the device (normally a cable modem at the residential site). Only one device in the entire Internet has that particular IP address assigned to it.
There is a large part of the IP address space, however, that is assigned as non-routable addresses. That is, each of these addresses may be assigned to more than one device on the Internet. The technique then is to assign these non-routable IP addresses to devices that are located behind a NAT. The NAT is a special type of router. It keeps a table of all of the devices connected to its local network (connected to the NAT either by Ethernet or by wireless connectivity).
As a device on the local network (perhaps a browser on a laptop) sends a packet of information to a port on a particular device with a routable IP address somewhere out on the Internet, the packet travels through the NAT. The packet will have the port number and IP address (non-routable) of the local device as well as the port number and IP address (routable) of the destination device in the header of the packet. The NAT will save the port/IP address in a table and change the local IP address in the packet header to be the routable IP address assigned by the ISP. When the remote device returns a packet of information (e.g. the response to the browser's request for information), the NAT will match up the destination port number in the packet header with the saved port number in its table and change the IP address back to the local non-routable address. The packet will then be sent on the local network to the device that originated the request to the remote site.
So the NAT provides two functions: it allows non-routable addresses to be used, thus conserving the routable IP address space, and it only allows access to devices on the local network from the public Internet when the local device has first initiated a request. A remote device that sends an unsolicited packet of information to the NAT will have it "dropped in the bit bucket", because there will be no port information in the NAT's table to tell the NAT to which local device it should send the packet.
The NAT Problem for Videoconferencing
Well then, we should be all set for videoconferencing. If the NAT can handle applications like web browsers, it should work for videoconferencing. Unfortunately this is not the case. The developers of the protocol for videoconferencing (H.323) made one unfortunate choice. As an example, when an H.323 client wants to register with a gatekeeper, it sends a packet of information to the gatekeeper. The header of that packet contains the non-routable IP address of the videoconferencing client and the associated port number. The body of the packet (the data field) also contains the non-routable IP address of the client. The NAT will dutifully change the IP address in the header to be the routable IP address of the NAT, but it does not know anything about the fact that the non-routable address is buried in the data portion of the packet. When the packet reaches the gatekeeper, it picks up the non-routable IP address from the data field and not the routable address from the header. The gatekeeper then tries to respond to the videoconferencing client using the non-routable address, and the registration fails.
Configuring the Videoconferencing Client for NAT Usage
Fortunately, most vendors of videoconferencing clients have provided a method for configuring their software/hardware to accommodate the use of a NAT. First you must configure the client with the fact that you are using (are behind) a NAT. Then you must configure the client with the routable address. When the client builds a packet of information it will then put the routable address in the data portion of the packet, and things work just fine.
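The following simulation, added here as an illustration and not code from the original page or from any videoconferencing vendor, ties together the two preceding sections: a port-translating NAT that rewrites only the packet header, a gatekeeper that answers to the address carried in the body of the registration request, and the client-side fix of advertising the routable address. All addresses and port numbers are constructed sample values; the NAT is assumed to preserve the client's source port when it is free, so that the advertised port matches the translated one.

```python
from dataclasses import dataclass, field
from itertools import count

# Constructed sample addresses (assumptions, not from the page).
LOCAL_CLIENT = "192.168.1.20"   # non-routable address of the H.323 client
NAT_PUBLIC = "203.0.113.7"      # routable address assigned by the ISP
GATEKEEPER = "198.51.100.5"     # routable address of the gatekeeper
RAS_PORT = 1719                 # registration port used in this example


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: dict = field(default_factory=dict)  # H.323-style body


class Nat:
    """Minimal port-translating NAT: rewrites headers only, never the payload."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.table = {}              # public port -> (local ip, local port)
        self._spare = count(40000)   # constructed pool for port collisions

    def outbound(self, pkt):
        # Keep the local source port if it is free (assumed NAT behaviour),
        # otherwise pick a spare one; remember the local endpoint either way.
        public_port = pkt.src_port if pkt.src_port not in self.table else next(self._spare)
        self.table[public_port] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        # Only a reply to a saved port is translated back to the local device;
        # an unsolicited packet has no table entry and is dropped.
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None
        local_ip, local_port = entry
        return Packet(pkt.src_ip, pkt.src_port, local_ip, local_port, pkt.payload)


def gatekeeper_reply(request):
    """The gatekeeper replies to the address in the body of the request,
    as the page describes, not to the address in the header."""
    body = request.payload
    return Packet(GATEKEEPER, RAS_PORT, body["ras_ip"], body["ras_port"], {"result": "confirmed"})


def register(nat, nat_aware):
    """Run one registration attempt through the NAT.

    Returns True if the gatekeeper's reply arrives back at the local client.
    Without the NAT setting the client advertises its non-routable address;
    with it, it advertises the routable address (the vendor configuration).
    """
    advertised = NAT_PUBLIC if nat_aware else LOCAL_CLIENT
    request = Packet(LOCAL_CLIENT, RAS_PORT, GATEKEEPER, RAS_PORT,
                     {"ras_ip": advertised, "ras_port": RAS_PORT})
    on_wire = nat.outbound(request)
    reply = gatekeeper_reply(on_wire)
    if reply.dst_ip != nat.public_ip:
        return False   # sent to a non-routable address: it never reaches the NAT
    delivered = nat.inbound(reply)
    return delivered is not None and delivered.dst_ip == LOCAL_CLIENT


if __name__ == "__main__":
    print("registration without NAT setting:", register(Nat(NAT_PUBLIC), nat_aware=False))
    print("registration with NAT setting:   ", register(Nat(NAT_PUBLIC), nat_aware=True))
```

Running it shows the first attempt fail and the second succeed, and `Nat.inbound` returns `None` for any packet whose destination port has no table entry, which is the "bit bucket" behaviour from the previous section.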
The Firewall
The firewall, like the NAT, provides a measure of network security. Unlike a NAT, which is usually found in a residential environment, you will typically find a firewall in a commercial or educational environment. The firewall is usually administered by the people that administer the organization's network. A firewall is simply a program or hardware device that filters the information coming through the Internet connection into your private network. If an incoming packet of information is flagged by the filters in the firewall, it is not allowed through.
Network administrators will typically block (filter) packets based on the port numbers that are used by videoconferencing systems. It is thus necessary to work with the network administrator for your site to have them unblock (open) the ports that are used by videoconferencing. Rather than opening those ports for all devices connected to the organization's network, they will typically only open the specified ports for packets that are going to a given videoconferencing system. Thus the IP address of the videoconferencing system(s) that are being connected will have to be given to the network administrator. Because both UDP and TCP traffic is involved, the respective ports for each type of packet will have to be opened.
Following are the ports that must be opened:
- The list for TCP ports is 1503, 1718-1720, 1731, and 3230-3235
- The list for UDP ports is 3230-323
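As an added illustration of the per-system port opening described above (not code from the original page, and not any particular firewall product's rule syntax), the filter below allows a packet in only when its protocol, destination address and destination port all match a rule for the named videoconferencing system; everything else is dropped. The TCP ports are the page's list. The page's UDP list is truncated, so the UDP range used here is a labelled placeholder assumption, and the system address is a constructed sample value.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# TCP ports from the page, as inclusive (low, high) ranges.
TCP_VC_PORTS = ((1503, 1503), (1718, 1720), (1731, 1731), (3230, 3235))

# PLACEHOLDER ASSUMPTION: the page's UDP list is truncated ("3230-323");
# replace this with the site's own UDP list.
UDP_VC_PORTS_ASSUMED = ((3230, 3235),)

# Constructed address of the single videoconferencing system being opened up.
VC_SYSTEM = "192.0.2.44"


@dataclass(frozen=True)
class Rule:
    proto: str      # "tcp" or "udp"
    dst_ip: str     # the one system the rule applies to
    ports: tuple    # inclusive (low, high) destination port ranges


def build_rules(vc_ip, udp_ports=UDP_VC_PORTS_ASSUMED):
    """Rules for one videoconferencing system only, rather than for every
    device on the organization's network."""
    return [Rule("tcp", vc_ip, TCP_VC_PORTS), Rule("udp", vc_ip, tuple(udp_ports))]


def in_ranges(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)


def permitted(rules, proto, dst_ip, dst_port):
    """Default deny: an inbound packet passes only if some rule matches its
    protocol, destination address and destination port."""
    target = ip_address(dst_ip)
    return any(
        r.proto == proto and ip_address(r.dst_ip) == target and in_ranges(dst_port, r.ports)
        for r in rules
    )


def filter_packets(rules, packets):
    """Split (proto, dst_ip, dst_port) tuples into accepted and dropped lists."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if permitted(rules, *pkt) else dropped).append(pkt)
    return accepted, dropped


# Constructed sample traffic: the videoconferencing system, another host on the
# same network, and a non-videoconferencing port on the system itself.
SAMPLE_TRAFFIC = [
    ("tcp", VC_SYSTEM, 1720),      # H.323 call signalling port from the page's list
    ("tcp", VC_SYSTEM, 3231),      # inside the 3230-3235 TCP range
    ("udp", VC_SYSTEM, 3232),      # inside the assumed UDP range
    ("tcp", "192.0.2.45", 1720),   # same port, but a different host: blocked
    ("tcp", VC_SYSTEM, 80),        # port not on the list: blocked
    ("udp", VC_SYSTEM, 1720),      # TCP-only port arriving as UDP: blocked
]

if __name__ == "__main__":
    ok, blocked = filter_packets(build_rules(VC_SYSTEM), SAMPLE_TRAFFIC)
    print("accepted:", ok)
    print("dropped: ", blocked)
```

The point the example makes is that the rule carries the destination address as well as the port list: the same port number reaching any other host is still dropped, which is what the administrator achieves by opening ports only toward the system addresses you supply.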
Other Firewall Issues
There are two other issues related to firewalls. First, there are firewalls that have special software that attempts to recognize H.323 traffic and let it through the firewall. We have found difficulties using this type of firewall software. It may be that it is just not interoperable across a large range of vendor H.323 offerings. We have found it better to have this software turned off in the firewall and have the network administrator manually open the necessary ports.
The second issue relates to special software/hardware that can be purchased from videoconferencing manufacturers to do firewall traversal. Because of the differences in offerings, this is beyond the scope of this paper. It is sufficient to say that Northwestern does not have any traversal software in place.
Last Updated: 15 October 2009

