Installation manual
79
Firewalls
Companies that allow connection to the Internet by their employees typically install a firewall in
order to prevent external access of or tampering with internal data.
The firewall examines the destination IP address and port number of every packet received from
outside. Usually, firewalls are configured in such a way that if a computer from inside the firewall
requests data from a computer outside the firewall, the response packets will be allowed through
from the external computer, but only if they are sent to the IP address and port of the internal
computer that generated the request.
If the firewall receives a packet destined for a computer located internally and determines
that the destination computer has not initiated any communication with the sender, the firewall
discards the incoming packet.
Firewalls are nearly always configured to block all incoming traffic that has not been explicitly
requested. Internal web servers are the exception: they must be accessible from the outside. To
allow this, the network administrator configures the firewall to let through packets destined for port
80 of the IP address of the web server. This allows external users to send connection requests to
the company's web server in order to access data on that server.
NAT (Network Address Translation)
Network Address Translation is an Internet standard that allows a LAN (Local Area Network) to
use a set of IP addresses for internal traffic and another address (or set of addresses) to connect to
services on an external network (the internet, for example). Devices that implement NAT are
located at boundaries between the LAN and the external network, and their purpose is to provide
translation of IP addresses for all packets that are destined for the external network. Many
organisations use NAT as a security mechanism because it masks the internal IP addresses – if
hackers do not know the IP address of a machine, they cannot attack it and cause disruptions. NAT
also allows a company to use more IP addresses than they might otherwise be allocated. Since these
addresses are only used internally, there is no problem with IP address conflicts with other
organisations.
Problems with Video and Voice Communications on NAT/Firewall Protected Networks
IP-based voice and video protocols such as H.323 require that terminals be capable of establishing
audio-video communication channels using IP addresses and data ports. In this situation, a problem
arises: terminals must "listen" for incoming calls to establish IP connections, but the firewall is
generally configured not to let through packets that were not explicitly requested.
Even if the network administrator leaves a port open for the terminal to receive notification of a call
(port 1720, designated as a "well-known TCP port"), the IP voice and video protocols require
other ports to be opened in order to receive control messages and to open the audio
and video channels.
The numbers of these additional ports are chosen dynamically during the call, not in advance, which
means that the network administrator would have to open all the firewall ports to allow video and
voice communication, virtually disabling the firewall. Network administrators are unlikely to do this
(and wisely so), since it effectively eliminates the network security policy.
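The following simulation is an added example, not part of the original manual or of any vendor's product, and all addresses, port numbers and host names in it are constructed. It models the stateful behaviour described in the Firewalls section (replies are admitted only to the internal address and port that made the request, plus an explicit rule for port 80 of the web server) and then shows the problem described above for H.323: with port 1720 opened by rule, the call notification gets through, but the control and media port chosen during the call is unknown to the firewall and is dropped as unsolicited.

```python
"""Stateful firewall simulation (constructed example, not vendor code)."""
from dataclasses import dataclass

INTERNAL_PREFIX = "192.168.1."   # constructed LAN address range
WEB_SERVER = "192.168.1.80"      # constructed address of the internal web server
TERMINAL = "192.168.1.20"        # constructed address of an H.323 terminal


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFirewall:
    """Default-deny inbound filter with connection tracking.

    allow_rules: set of (proto, dst_ip, dst_port) that may be reached from
    outside without a prior request, e.g. port 80 of the web server.
    """

    def __init__(self, internal_prefix, allow_rules=()):
        self.internal_prefix = internal_prefix
        self.allow_rules = set(allow_rules)
        self.conntrack = set()   # (proto, int_ip, int_port, ext_ip, ext_port)

    def is_internal(self, ip):
        return ip.startswith(self.internal_prefix)

    def filter(self, pkt):
        """Return (verdict, reason) for one packet and update tracking state."""
        src_in, dst_in = self.is_internal(pkt.src_ip), self.is_internal(pkt.dst_ip)
        if src_in and dst_in:
            return ("ALLOW", "LAN traffic, not filtered")
        if src_in and not dst_in:
            # Request from inside: remember it so that only its reply can come back.
            self.conntrack.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return ("ALLOW", "outbound request, tracked")
        # Inbound packet: accept only as a reply to a tracked request ...
        if (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.conntrack:
            return ("ALLOW", "reply to tracked request")
        # ... or if the administrator opened this address/port explicitly.
        if (pkt.proto, pkt.dst_ip, pkt.dst_port) in self.allow_rules:
            return ("ALLOW", "explicit rule")
        return ("DROP", "unsolicited inbound")


def run_scenario():
    fw = StatefulFirewall(INTERNAL_PREFIX, allow_rules={
        ("tcp", WEB_SERVER, 80),   # public web server
        ("tcp", TERMINAL, 1720),   # H.323 call-signalling port left open
    })
    ext_web = "203.0.113.5"    # constructed external web server
    caller = "198.51.100.7"    # constructed external H.323 terminal
    results = {}
    # 1. An internal browser fetches a page; the reply is let back in.
    results["request"] = fw.filter(Packet("tcp", "192.168.1.10", 50000, ext_web, 443))
    results["reply"] = fw.filter(Packet("tcp", ext_web, 443, "192.168.1.10", 50000))
    # 2. The same server sends to a host that never asked: dropped.
    results["reply_wrong_host"] = fw.filter(Packet("tcp", ext_web, 443, "192.168.1.11", 50000))
    # 3. An outside user reaches the web server on port 80 but not on port 22.
    results["web_80"] = fw.filter(Packet("tcp", caller, 40000, WEB_SERVER, 80))
    results["web_22"] = fw.filter(Packet("tcp", caller, 40000, WEB_SERVER, 22))
    # 4. H.323: call setup on 1720 arrives, but the control/media port negotiated
    #    during the call (49312 here, chosen at call time) matches no rule.
    results["h323_setup"] = fw.filter(Packet("tcp", caller, 40001, TERMINAL, 1720))
    results["h323_media"] = fw.filter(Packet("udp", caller, 5004, TERMINAL, 49312))
    return results


if __name__ == "__main__":
    for name, (verdict, reason) in run_scenario().items():
        print(f"{name:18} {verdict:5} {reason}")
```

The only way to make `h323_media` pass in this model is to add rules for every port the terminals might pick, which is exactly the "open all the ports" outcome the text warns against; the usual defences are to place the terminal in a separate network segment or use a firewall that understands H.323 signalling and opens the negotiated ports for that call only.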
NAT also creates an obstacle for voice and video communications over IP. NAT allows an
organisation to assign private IP addresses to machines on the local network, but routers that control
the flow of data towards the internet can handle only packets with routable addresses or public IP
addresses.
A terminal located behind the NAT device on the LAN can initiate communication with any other
terminal in the same LAN because the IP addresses within the LAN are routable there; this also
means that a company can have several subnets managed by an internal router. Audio-video
communications can therefore be established between the different branches of the subnet.
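The following simulation is an added example, not part of the original manual or of any vendor's product, with constructed addresses throughout. It illustrates the NAT section above and the obstacle just described: a LAN terminal's outbound traffic is rewritten to the NAT device's single public address and can receive replies, two LAN terminals reach each other without translation, but an outside terminal cannot call in, either because the private address it would need is not routed on the Internet or because the public address carries no mapping for an unsolicited packet.

```python
"""NAT simulation (constructed example, not vendor code)."""
from dataclasses import dataclass, replace
import ipaddress

# RFC 1918 private ranges: usable inside a LAN, never routed on the public Internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_routable(ip):
    """True if an Internet router would forward a packet addressed to ip."""
    return not any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatDevice:
    """Port-based NAT at the LAN boundary: one public address for the whole LAN."""

    def __init__(self, lan_cidr, public_ip, first_port=30000):
        self.lan = ipaddress.ip_network(lan_cidr)
        self.public_ip = public_ip
        self.next_port = first_port
        self.to_public = {}    # (proto, private_ip, private_port) -> public_port
        self.to_private = {}   # (proto, public_port) -> (private_ip, private_port)

    def in_lan(self, ip):
        return ipaddress.ip_address(ip) in self.lan

    def send(self, pkt):
        """Packet from a LAN host: deliver locally, or translate and forward out."""
        if self.in_lan(pkt.dst_ip):
            # Destination is on the LAN: internal routing, no translation needed.
            return ("DELIVERED", pkt)
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.to_public:
            port, self.next_port = self.next_port, self.next_port + 1
            self.to_public[key] = port
            self.to_private[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        out = replace(pkt, src_ip=self.public_ip, src_port=self.to_public[key])
        return ("FORWARDED", out)

    def receive(self, pkt):
        """Packet coming from the Internet side."""
        if not is_routable(pkt.dst_ip):
            # Never reaches the LAN: upstream routers do not forward private addresses.
            return ("UNROUTABLE", None)
        target = self.to_private.get((pkt.proto, pkt.dst_port))
        if target is None:
            # No LAN host created this mapping, so there is nowhere to deliver it.
            return ("NO_MAPPING", None)
        return ("DELIVERED", replace(pkt, dst_ip=target[0], dst_port=target[1]))


def run_scenario():
    nat = NatDevice("192.168.1.0/24", "203.0.113.1")   # constructed LAN and public address
    local_a, local_b = "192.168.1.20", "192.168.1.21"    # two H.323 terminals on the LAN
    remote = "198.51.100.7"                              # constructed terminal on the Internet
    r = {}
    # Call between two LAN terminals: private addresses are routable inside the LAN.
    r["lan_to_lan"] = nat.send(Packet("tcp", local_a, 40000, local_b, 1720))
    # Outbound call: source rewritten to the public address, mapping recorded.
    r["outbound"] = nat.send(Packet("tcp", local_a, 40001, remote, 1720))
    # The remote side answers to the public address and port: reverse translation works.
    pub_port = r["outbound"][1].src_port
    r["reply"] = nat.receive(Packet("tcp", remote, 1720, "203.0.113.1", pub_port))
    # Remote terminal addresses terminal B's private address directly: dropped upstream.
    r["direct_private"] = nat.receive(Packet("tcp", remote, 40002, local_b, 1720))
    # Remote terminal calls the public address on 1720 with no mapping: nowhere to go.
    r["unsolicited_public"] = nat.receive(Packet("tcp", remote, 40003, "203.0.113.1", 1720))
    return r


if __name__ == "__main__":
    for name, (status, pkt) in run_scenario().items():
        print(f"{name:20} {status:12} {pkt}")
```

The `NO_MAPPING` and `UNROUTABLE` outcomes are the same property that makes NAT attractive as a security mechanism (unsolicited traffic has no path to an internal host), seen from the point of view of an incoming call; a terminal that must receive calls from outside therefore needs a static mapping on the NAT device or a public address of its own.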