Extracts of document:
"5.2 Firewalls and VoIP
Firewalls can be divided into two major groups: residential firewalls and corporate firewalls. Residential and personal firewalls are easily configured to allow media to be transported through certain port numbers, but this presents a security risk. Residential firewalls do not normally implement application layer gateways or stateful inspection.
Corporate firewalls normally provide high security and open very few port types (such as http, https, smtp, and pop3), and those ports are usually “subject to stateful inspection” or similar mechanisms. It is very unlikely that new ports (or ranges of ports) would be opened for VoIP connections (particularly inbound ones) on corporate firewalls; therefore solutions with media relays (see later) are the most likely ones to be successful. Paradial, by using HTTP tunnelling, would pass stateful inspection without difficulty and would not need any additional port to be opened. In contrast, RTP relays would need certain ports to be opened and so require additional stringent security monitoring of those ports in order to ensure that only RTP media packets are allowed through."
"6.5 Solutions for Firewalls and NATs
Firewalls typically block media packet types such as UDP and so the traversal solution is to use TCP tunnelling and relays for media in order to provide NAT and firewall traversal. Current solutions include:
- Tunnelling the media packets within TCP or HTTP packets to a relay. This solution is used by Paradial (www.paradial.com) and is called "Real-Tunnel". This solution uses additional functionality that operates in conjunction with SIP (or other real time communications clients), packages the media packets into a TCP stream and sends the TCP packets to the relay. The relay then extracts the packets and sends them on to the other endpoint. If the other endpoint is behind a symmetrical NAT or a corporate firewall that does not allow VoIP traffic, the relay would transfer the packets to another tunnel. TCP was not designed for real time traffic such as voice, so a number of optimizations have been made by Paradial to adapt it to the needs of real time communications. This solution is effective but introduces additional delay and requires more bandwidth because of the tunnelling overhead.
- Skype (www.skype.com) wraps media packets in TCP and delivers good quality. Skype uses temporary relays that run on the machines of other users and minimises delay by choosing a machine that is close to the endpoint. It also uses advanced playout controllers to reduce the effects of the additionally introduced delay. Skype uses a proprietary protocol and so does not interoperate with SIP endpoints."
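The two extracts describe the same mechanism from two angles: 6.5 explains packaging media packets into a TCP stream for a relay to extract, and 5.2 notes that a relay which opens ports for media must verify that only RTP packets pass through. The following Python model, added here as an example and not taken from the quoted document nor from Paradial's or Skype's software, shows both halves: a 2-byte length-prefix framing that carries RTP datagrams over a TCP byte stream, a relay-side de-framer that recovers whole packets no matter how TCP splits the reads, and a fixed-header sanity check applied before forwarding. The frame layout, the function names and the sample packets are assumptions chosen for illustration; Real-Tunnel's actual wire format is not described in the source.

```python
"""
Added example (not from the quoted document): RTP-over-TCP tunnel framing,
relay-side de-framing across arbitrary TCP read boundaries, and a minimal
RTP header check a media relay can apply before forwarding a packet.
"""
import struct

# Assumed frame layout for this example: 2-byte big-endian length, then the
# raw RTP packet. TCP has no message boundaries, so the receiver needs this.
HEADER = struct.Struct("!H")


def frame(packet: bytes) -> bytes:
    """Wrap one datagram for transmission inside the TCP stream."""
    if not 0 < len(packet) <= 0xFFFF:
        raise ValueError("packet length out of range for a 16-bit prefix")
    return HEADER.pack(len(packet)) + packet


class Deframer:
    """Reassembles whole packets from TCP data delivered in arbitrary chunks."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> list:
        """Append a TCP read and return every complete packet now available."""
        self._buf += chunk
        out = []
        while len(self._buf) >= HEADER.size:
            (n,) = HEADER.unpack_from(self._buf)
            if len(self._buf) < HEADER.size + n:
                break  # packet body not fully received yet
            out.append(bytes(self._buf[HEADER.size:HEADER.size + n]))
            del self._buf[:HEADER.size + n]
        return out


def looks_like_rtp(packet: bytes) -> bool:
    """Fixed-header checks from RFC 3550: version 2, room for the CSRC list,
    and a payload type outside the range that collides with RTCP (RFC 5761)."""
    if len(packet) < 12:
        return False
    version = packet[0] >> 6
    cc = packet[0] & 0x0F          # number of 32-bit CSRC identifiers
    pt = packet[1] & 0x7F          # payload type
    if version != 2:
        return False
    if len(packet) < 12 + 4 * cc:
        return False
    if 72 <= pt <= 76:             # would be an RTCP packet type, not media
        return False
    return True


def build_rtp(seq: int, ts: int, ssrc: int, payload: bytes, pt: int = 0) -> bytes:
    """Constructed sample RTP packet: V=2, P=0, X=0, CC=0, M=0, given PT."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq & 0xFFFF,
                       ts & 0xFFFFFFFF, ssrc & 0xFFFFFFFF) + payload


def simulate_relay(packets, chunk_size: int):
    """Send the packets through the tunnel as one TCP stream delivered in
    chunk_size pieces; return (forwarded, dropped) as the relay would see it."""
    stream = b"".join(frame(p) for p in packets)
    deframer = Deframer()
    forwarded, dropped = [], []
    for i in range(0, len(stream), chunk_size):
        for pkt in deframer.feed(stream[i:i + chunk_size]):
            (forwarded if looks_like_rtp(pkt) else dropped).append(pkt)
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed input: three G.711-style packets and one non-RTP blob.
    media = [build_rtp(i, i * 160, 0xABCD, bytes([i]) * 20) for i in range(3)]
    junk = b"GET / HTTP/1.1\r\n"
    fwd, drop = simulate_relay(media + [junk], chunk_size=7)
    print(f"forwarded {len(fwd)} RTP packets, dropped {len(drop)} others")
```

The de-framer is the part that matters for correctness: a 7-byte chunk size is deliberately misaligned with the 34-byte frames, so packets arrive split across reads and the loop must wait for a complete body before emitting anything. The header check is intentionally narrow; a production relay would also pin the expected SSRC and payload type negotiated in SDP and rate-limit per session.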
