Get to know what Voice over IP is, how it works and to use it.

1. Efficient Telecommunication Infrastructure
with Internet Telephony (VoIP)
Thomas Siegers 3 July 2007
Songfuli Co., Ltd.
1

2. Information
Hosted by:
American Chamber of Commerce Taiwan
Communications Technology Workshop
This presentation is publicly available at:
http://www.slideshare.net/thomasjs
This presentation is published under the
Creative Commons Attribution Share Alike License.
For more information, see http://creativecommons.org/about/licenses/
2

3. Agenda
 Introduction  Hardware
 Basics of telephony  Service providers
 and networking  Integration into network
and telephone system
 Skype
 Scenarios and examples
 SIP protocol
2 hours
30 minutes
3

4. Hype Cycle
www.gartner.com –2006
4

5. Introduction
 Internet Telephony
VoIP – Voice over IP (IP – Internet Protocol)
 Pro: more economic
no telephone charge for computer-to-computer calls*
charge of local call for computer-to-telephone call
*) except of charge for network access
 Con: more complicated and less reliable
relies on electric power
emergency calls cannot be mapped to location
network: connection interruptions, packet loss
security: easier to trace calls over the Internet
configuration: firewall traversal
5

6. Return of Investment
Accumulated cost over
6 months 140 NTD
60 min calls per day to 120
Germany,
20 days per month 100
CHT 16 NTD/min VoIP 80
CHT
1 €¢/min VoIP
60
Investment for VoIP
40
100,000 NTD
ROI after 5 months, 20
months
after that savings of 0
>18,500 NTD/month 1 2 3 4 5 6
6

7. How does it work?
Network
Computer
Telephone adapter
+ sound card
+ analog telephone
+ headset
+ software
Computer Network transports Telephone adapter
converts voice digital signals as converts digital
into digital data packets. signals into voice.
signals.
7

8. Telephony
 PSTN
Public Switched Telephone Network
 POTS
Plain Old Telephone Service
 ISDN
Integrated Services Digital Network
 PBX
Private Branch Exchange
 FXO
Foreign Exchange Office
 FXS
Foreign Exchange Station
8

9. PSTN
PSTN–Public Switched Telephone Network
Circuit-Switching
TX
TX
TX
TX
TX
TX TX TX
TX
TX
TX
TX - Telephone Exchange
9

10. PBX
PBX = PABX–Private Automatic Branch Exchange
Extensions
Trunk
PSTN FXO FXS
FXO–goes on-hock and off-hook
FXS–provides power, ring signal, dial tone
10

11. Network
Packet-Switching
Clients R Server
R R
R
R
R R R
R
R
R
R–Router
11

12. Layer Concept
Message
SENDER
Delivery tere
d
Regis
Address
Service
Transport
Network
12

13. Protocol Stack
ISO/OSI* Internet Examples
7 Application Application www : HTTP, FTP, DNS
6 Presentation mail : SMTP, POP, IMAP
5 Session p2p : SIP, eD2k, XMPP
4 Transport Transport TCP, UDP, NetBEUI, WAP
3 Network Internet IP, IGMP, ICMP, IPsec, ARP
2 Data Link Network PPP, L2TP, GPRS, ATM, FR
Access**
1 Physical Ethernet, USB, Wi-Fi, ISDN
*) ISO –International Organization for Standardization, OSI –Open Systems Interconnection
**) original TCP/IP model, recently 5-layer model with data link and physical layer 13

14. TCP/IP Packet
TCP-packet header data
source port application data
destination port (HTTP, FTP, SMPT)
IP-packet
header data
source address TCP-packet
destination address
14

15. Request – Response
Request
Source 10.0.0.100:1234 Server
Client Destin. 203.66.88.89:80
HTTP
Source 203.66.88.89:80
Destin. 10.0.0.100:1234
IP-address: IP-address:
10.0.0.100 Response 203.66.88.89
TCP-port: >1024 TCP-port: 80
15

16. Network Address Translation
 NAT, IP masquerading
 Address shortage of IP ver. 4
32 bit => 4 G ~ 4 billion addresses
 Address ranges only for private use
class A : 10.x.x.x, class B : 172.16.x.x – 172.31.x.x, class C : 192.168.x.x
 Internet gateway (firewall) translates
between private and public addresses.
 Firewall rules: Internet
request LAN  Internet : allow
response Internet  LAN : allow
request Internet  LAN : deny
 Internet can only connect to the LAN,
NAT
when the LAN had sent a request before.
LAN
16

17. Peer-to-Peer Communication
 Peer-to-Peer (P2P)
VoIP, file sharing, instant messaging
 VoIP Protocols
two protocols involved: SIP and RTP
SIP - session initiation protocol: signalling, UDP port 5060
RTP - real-time transport protocol: voice communication,
UDP port range 10000-20000
 NAT Traversal
- different kinds of NAT: symmetric, asymmetric
- UDP hole punching
- STUN - Simple Traversal of UDP through NATs
necessary when both clients are behind NAT
doesn’t work with symmetric NAT
17

18. UDP Hole Punching
Before Process After
18

19. UDP Hole Punching Process
19

20. Firewall Application Filter
20

21. Skype
 Peer-to-peer Internet telephony (VoIP) network
 Software is free, but not open source
 Proprietary protocol, traffic encrypted
 Founded by the founders of the file sharing application
Kazaa
 Acquired by eBay in October 2005
 Easy to deploy even behind firewall and NAT
 Heavy use of network bandwidth and other resources
 Difficult to integrate into organization’s security strategy
21

22. Getting Granular on Skype
 2004 – Columbia University, New York, USA
An Analysis of the Skype Peer-to-Peer Internet Telephony
Protocol
http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf
Analysis of network structure and traffic
 2006 - EADS Corporate Research Center, France
Silver Needle in the Skype
http://www.secdev.org/conf/skype_BHEU06.handout.pdf
Developers of Skype made immense effort to prevent
reverse engineering, i.e. getting an inside view. The Skype
client detects, when it is running within a debugger and
then changes its behavior. Parts of its code are ciphered
and will be decrypted during runtime.
22

23. Problems with Skype
From a network security administrator point of view
 Almost everything is obfuscated
 Peer to peer architecture
 Traffic even when the software is not used
From a system security administrator point of view
 Many protections, anti-debugging tricks, ciphered code
 A product that works well for free from a company not involved on
Open Source ?!
The Chief Security Officer point of view
 Is Skype a backdoor ?
 Can I distinguish Skype’s traffic from real data exfiltration ?
 Is Skype a risky program for my sensitive business ?
23

24. Conclusion
Good points
 Skype was made by clever people
 Good use of cryptography
Bad points
 Hard to enforce a security policy with Skype
 Jams traffic, can’t be distinguished from data exfiltration
 Incompatible with traffic monitoring, IDS
 Impossible to protect from attacks (which would be obfuscated)
 Total blackbox. Lack of transparency.
No way to know if there is/will be a backdoor
 Fully trusts anyone who speaks Skype.
24

25. SIP Protocol
 SIP – session initiation protocol
- application layer protocol used for Internet telephone calls,
multimedia distribution, and multimedia conferences
- standardized by the Internet Engineering Task Force (IETF)
- open specification: RFC 3261 (like all Internet standards)
 SIP - The De-facto VoIP Standard
http://en.wikipedia.org/wiki/SIP_Telephony#SIP_-_The_De-facto__VoIP_Standard
 SIP – signalling, UDP port 5060
RTP – real-time transport protocol
voice communication, UDP port range 10000-20000
 Codec – audio data compression algorithm for voice
G.729a – 8kbps, G.711 – 64kbps,
G.723 obsolete, superseded by G.726 – 16-40kbps
25

26. VoIP Provider
SIP – open protocol => everyone can offer services for it
 VoIP provider is connected to both Internet and PSTN.
 Over 2000 SIP VoIP providers
Dialing between providers
e.g. FreeWorldDialup no. 740218 => *393 740218
http://www.sipbroker.com/sipbroker/action/providerWhitePages
 Advanced Features
- monthly rate, flat rate
- unlimited local and distance calling
- voicemail, call forwarding, caller ID
- dial-in number with home area code
- direct inward dialing (DID)
- fax receipt with e-mail notification
26

27. VoIP Services
PSTN Internet
IP Telephone
 
VoIP Provider
Gateway
 Computer,
Analog
Telephone Soft Phone &
Headset
1) VoIP call–free
2) dial-out–charged
3) dial-in–charged
27

28. VoIP Hardware
SIP – open protocol => everyone can build devices for it
 Router
 Analog Telephony Adapter (ATA)
 SIP-Phone
 Wireless Phone
 USB-Devices
 Integrated Systems
 Large Systems
 Hardware bundled by VoIP providers
http://www.voipbuster.com/en/hardware.html
http://www.sipgate.de/voipshop
28

29. Router
 ADSL Internet access
 VoIP (SIP)
 FXS, (FXO)
 Packet filter
 VPN (virtual private network)
 WLAN (wireless LAN)
29

30. Analog Telephony Adapter
 ATA
connects standard analog
telephones to a VoIP network
30

31. SIP-Phone
 Connected to LAN
or directly to the Internet
 Bridge to PC
to share network cable
31

32. Wireless Phone
 Wireless USB phones
 USB Bluetooth phones
 Wi-Fi phones
32

33. USB-Devices
 Headsets
 USP-Phones
 Wireless USB-Phones
33

34. Integrated Systems
 Multiple analog ports
FXS, FXO
 PBX
 Firewall
 VPN-gateway
 WLAN
 ISDN
34

35. Large System
Used by VoIP Providers
 SIP Proxy Server
 T1/E1 Gateway
 RTP Resource Server
 Session Border Controller
 Voice Mail, Auto-Attendant
 Application Server
 Conference Server
 IP Recorder
 Billing server
 Universal SIP/H.323 Signal
Converter
35

36. IP PBX
 Software PBX
 Can be installed on standard hardware
from PC to Unix-server
 Additional hardware required
connection to POTS (FXO/FXS) or ISDN
 Embedded appliances available
 Asterisk
popular open source software, another is sipX
Linux distributions: Trixbox, AstLinux, AsteriskNOW
used as basis for embedded appliances
used by leading VoIP providers, e.g. iotum*
*) iotum was named “Cool Vendor” in Enterprise Communications by Gartner in 2007
http://www.asterisk.org
36

37. Asterisk
 Analog cards
PCI bus, half or full length
1-8 FXO/FXS interfaces
 Digital cards
PRI E1/T1, ISDN
 Appliance
IP-PBX embedded in device with
analog interfaces
 Developer kits
version ITSPs, OEMs, resellers,
and integrators
37

38. IP-PBX
 Software PBX
embedded in robust hardware
mostly based on Asterisk
configurable via web browser
 Primary rate interface
23 (T1) or 30 (E1) channels
 Multiple extensions
FXS or ISDN
38

39. Application Examples
 Integration with PBX
 VoIP gateway without PBX
 VoIP gateway with PBX connected via FXS
 VoIP gateway with PBX connected via FXO
 Integration with Network
 VoIP gateway as Firewall
 VoIP gateway in LAN with private IP address
 VoIP gateway in DMZ with private IP address
 VoIP gateway in DMZ with public IP address
 IP-PBX
 SIP only / SIP and Skype
39

40. VoIP Gateway without PBX
PSTN Internet
FXO
VoIP
FXS
LAN
40

41. VoIP Gateway
41

42. VoIP Gateway with PBX (FXS)
PSTN Internet
FXO
VoIP
PBX
FXS
FXS
42

43. VoIP Gateway with PBX (FXO)
PSTN Internet
FXO FXO
VoIP
PBX
FXS
FXS
43

44. Application Examples
 Integration with PBX
 VoIP gateway without PBX
 VoIP gateway with PBX connected via FXS
 VoIP gateway with PBX connected via FXO
 Integration with Network
 VoIP gateway as Firewall
 VoIP gateway in LAN with private IP address
 VoIP gateway in DMZ with private IP address
 VoIP gateway in DMZ with public IP address
 IP-PBX
 SIP only / SIP and Skype
44

45. VoIP Gateway in LAN
VoIP
Provider Internet
STUN
public IP address
NAT FW FW–firewall
VoIP
LAN–local
area
LAN network
private IP address
45

46. VoIP Gateway in DMZ
DMZ–demilitarized zone
Internet
public IP address
VoIP DMZ
FW
NAT
private IP address
LAN
46

47. VoIP Gateway with public IP
Internet
public IP address
FW outer firewall
VoIP
DMZ inner firewall
FW
private IP address NAT
LAN
47

48. Application Examples
 Integration with PBX
 VoIP gateway without PBX
 VoIP gateway with PBX connected via FXS
 VoIP gateway with PBX connected via FXO
 Integration with Network
 VoIP gateway as Firewall
 VoIP gateway in LAN with private IP address
 VoIP gateway in DMZ with private IP address
 VoIP gateway in DMZ with public IP address
 IP-PBX
 SIP only / SIP and Skype
48

49. IP-PBX
PSTN Internet
FW
FXO
FXS LAN
analog
telephone digital (IP)
IP-PBX telephone
49

50. SIP and Skype
PSTN Internet
VoIP
FXO
FXS
PBX FXS
FXS
LAN
PC, FXS-card,
Skype software
50

51. VoIP Scenarios
 Transfer call between two VoIP Providers
dial via caller’s VoIP provider
transfer call to company’s VoIP provider
transfer call to company’s internal extension
 Transfer incoming call to teleworker
teleworker is registered to company’s PBX (no provider)
customer calls in via PSTN
company’s operator transfers call to teleworker*
 Setup multi-location corporate infrastructure
headquarter serve as central registrar (no provider)
branch offices register to headquarter
*) http://en.wikipedia.org/wiki/Teleworker
51

52. Two VoIP Providers
VoIP provider A
PSTN  Internet
VoIP provider B


FXO
VoIP
PBX Caller
FXS
FXS


Operator Extension
52

53. Teleworker
PSTN Internet
Teleworker 
Wi-Fi
FXO FXO
VoIP
PBX
 Mobile Worker
Customer FXS

Operator
53

54. Corporate Infrastructure
Factory
PSTN Internet


FXO FXO
VoIP
PBX
 Sales Office
Customer FXS

54

55. Q&A
Thomas Siegers
Songfuli Co., Ltd.
Taipei, Taiwan
松福禮股份有限公司
http://www.songfuli.com
thomas.siegers@songfuli.com
http://www.slideshare.net/thomasjs
55