Section 4 Firewalls And Nat - NEC Sl2100 Networking Manual

ISSUE 1.0
that reside between our two VoIP endpoints. This means that we cannot specify any QoS parameter
on these devices.
The only point where the QoS can be controlled is at the VPN or firewall. This allows VoIP traffic to be
prioritized over any other data that is sent out to the Internet. This helps to maintain reasonable quality
speech – but once the data has exited the local router/cable modem it is at the mercy of the Internet.
When implementing NEC SL2100 IP over Internet-based connections, it is very important that these
factors are considered, and that the customer is made aware that neither the installer nor NEC is
held responsible for any quality issues experienced.
SECTION 4 FIREWALLS AND NAT
The ways in which networks are designed to be secure (firewall, VPN services, proxy servers, etc.)
and the integration of NAT create problems for VoIP. This is due in part to the endless number of different
scenarios for non-real-time protocols and their limited solutions.
4.1 Understanding the Infrastructure
The networks in place today look very different from the networks of yesterday. In the past, only
computers and servers were connected to the network. The network was built as a best-effort
delivery mechanism, where delay and loss of information between devices was something we dealt
with. Today, there is an oversaturation of devices needing to gain access to the IP network. Desktop
computers, fax machines, wireless PDAs, servers, home appliances, video servers and now VoIP
terminals are all fighting for bandwidth, precedence, and addresses on this converged network.
It is necessary to create some kind of Intranet environment (across the Internet), with fixed network
characteristics, where VoIP solutions can tolerate some minor variations. IT personnel have been
tasked with implementing different mechanisms in the network to support the new demands required
on the converged network. Some solutions that have been implemented are:
• QoS devices to support precedence settings of voice packets.
• Replacement of hubs with switches to support 100 Mbps full-duplex transmission.
• Firewall integration to protect the internal network from external attack.
• Network Address Translation (NAT) devices are widely deployed to support the addressing issues.
• Virtual Private Network (VPN) Servers were added to Enterprise networks to support the security
and connectivity issues for remote users.
Some solutions, such as the hub replacement and integration of QoS, are done behind the scenes
and should have no effect on the voice application. Other solutions, such as NAT and firewalls, cause
major disturbance to VoIP.
4.2 Firewall Integration
Network security is always a concern when connecting the Local Area Network (LAN) to the Wide
Area Network (WAN). There are many ways to integrate security in the network – the most popular are
Firewalls and Proxy servers.
• Firewalls
Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls
are frequently used to prevent unauthorized Internet users from accessing private networks
connected to the Internet, especially Intranets. All messages entering or leaving the Intranet pass
through the firewall, which examines each message and blocks those that do not meet the specified
security criteria.
• Proxy Server
A proxy server intercepts all messages entering and leaving the network. The proxy server effectively
hides the true network address.
Networking Manual
SL2100
6-5
