Sunday

NAT as a Topology Shield



NAT provides a security function by segregating private hosts from the publicly routed Internet. Depending upon your addressing requirements, NAT can isolate, to some extent, your VoIP network IP space from the balance of your internal network IP space. The large number of private RFC 1918 IP addresses allows system architects to intelligently address hosts and other network elements based upon location, function, or other criteria during the design phase of the VoIP network.
External hosts cannot directly access a particular internal host if a NAT intervenes, since the external host has no way of targeting its payload to a chosen IP address. Of course, when addresses are assigned dynamically, it becomes even more problematic for an attacker to point to a specific host within the NAT domain. This may help protect internal hosts from external malicious content. At worst, NAT is an additional layer of security controls that you implement as part of your overall security architecture.
The IPsec model is instructive in that it illustrates a complex interaction between encryption and NAT. However, IPsec is not the only functional or proposed security mechanism for VoIP environments. SSL/TLS, S/MIME, HTTP 1.1 digest, and ZRTP have also been proposed as security instruments. Nor are all environments as simple as the symmetric examples we have seen where one or more devices reside on opposite sides of a NAT device. Asymmetric or hairpin call routing (a call from one phone behind a NAT to another phone behind the same NAT), in an environment where basic NAT and encryption issues have been resolved, can cause communications to fail. The point here is to introduce some of the concepts that you will come across as you design and troubleshoot in this area. We’ll see in the next section how encryption, NAT, and VoIP protocols work (or don’t work) together.
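
The shielding and hairpin behaviour described above can be seen in a small model of a port-translating NAT. This is an added example, not code from the original post; the class name, addresses, and ports are constructed, and the model assumes the simplest mapping behaviour (any outside sender may use an existing mapping).

```python
# Added illustration: a minimal port-translating NAT (NAPT) model.
# All names, addresses and ports are constructed for this example.
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class Napt:
    def __init__(self, public_ip, hairpin=False):
        self.public_ip = public_ip
        self.hairpin = hairpin   # does the NAT loop back traffic aimed at its own public address?
        self.next_port = 40000
        self.out = {}            # (private_ip, private_port) -> public_port
        self.back = {}           # public_port -> (private_ip, private_port)

    def outbound(self, src_ip, src_port):
        """Inside host sends out: create or reuse a mapping, return the public source."""
        if not any(ipaddress.ip_address(src_ip) in net for net in RFC1918):
            raise ValueError("inside hosts are expected to use RFC 1918 space")
        key = (src_ip, src_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.out[key])

    def inbound(self, dst_ip, dst_port):
        """Outside packet arrives: deliver only if a mapping exists, else drop (None)."""
        if dst_ip != self.public_ip:
            return None          # private addresses are not routable from outside
        return self.back.get(dst_port)

    def inside_to_public(self, dst_port):
        """Inside host targets the NAT's public address (the hairpin call case)."""
        if not self.hairpin:
            return None          # call between two phones behind the same NAT fails
        return self.back.get(dst_port)

def demo(hairpin=False):
    nat = Napt("203.0.113.10", hairpin=hairpin)
    phone_a = nat.outbound("10.20.1.15", 5060)   # phone A registers outward
    phone_b = nat.outbound("10.20.1.16", 5060)   # phone B registers outward
    return {
        "a_public": phone_a,                                    # what the outside sees for A
        "reply_to_a": nat.inbound(*phone_a),                    # reply on the mapped port
        "unsolicited": nat.inbound("203.0.113.10", 5060),       # no mapping on this port
        "direct_private": nat.inbound("10.20.1.15", 5060),      # private address aimed from outside
        "a_calls_b": nat.inside_to_public(phone_b[1]),          # hairpin call A -> B
    }
```

The outside only ever sees the NAT's public address and a port the NAT chose, so the internal addressing plan stays hidden; the same table is why a hairpin call fails unless the NAT supports looping traffic back.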

2 comments:

pc sharma said...


Thanks for the great information; you write it very cleanly. I am very lucky to get these tips from you. IP centrex

telcan said...

Nowadays, Business Phone Service comes packed with a lot of features. You can basically customize your business phone service to fit your business needs. When you see the features, you will know how your current phone system is not good enough. I have been using hosted PBX from Telcan. With this business phone service, I can customize the welcome greeting, route calls to multiple numbers, even program what phone number to call at what time, have a professional voicemail, get my voicemail emailed, and the list goes on. It is very easy to set up using the wizard. Check out Business Phone Service
