Regarding the Skype instant messenger and firewall

Hi all,

Today I was studying the Skype instant messenger. Here I read one statement regarding firewall configuration and the Skype messenger.

Link where I got this:

*********************************************************************************

Firewall and NAT (Network Address Translation) traversal:

Non-firewalled clients and clients on publicly routable IP addresses are able to help NAT'ed nodes to communicate by routing calls. This allows two clients who otherwise would not be able to communicate to speak with each other. Because the calls are encrypted end-to-end, proxies present no security or privacy risk.

Likewise, only proxies with available spare resources are chosen so that the performance for these users is not affected.

Several new techniques were also developed in order to avoid end-user configuration of gateways and firewalls, whose non-intuitive configuration settings typically prohibit the majority of users from communicating successfully. In short, Skype works behind the majority of firewalls and gateways with no special configuration.

***********************************************************************************

Above I have just pasted a passage regarding configuration of the firewall in the Skype messenger.

Can anybody tell me the meaning of this line:

"Skype works behind the majority of firewalls and gateways with no special configuration"

That is, how is it possible that Skype works without configuration? Please give me a brief explanation and a link.

I request all the members of this group to discuss this query.

Ravi

Reply to
ravicse04

Thanks for your good response.

But I am not getting you fully, so can you tell me briefly with an example?

And one more doubt which I have: why is Skype better than other instant messengers like Yahoo, MSN etc.? I mean, Skype provides the facility to work behind the firewall but other messengers don't.

I think that Skype uses the point-to-point networking concept. Please explain it to me briefly.

Ravi

Reply to
ravicse04

If you read closely, they used un-firewalled machines as routers; presumably, they have clients initiating outbound connections to these unfirewalled machines. This will bypass simple NAT routers, but will not pass a decently-configured firewall. (And only works against NAT routers because they are very basic, security-wise.)

Learning to configure a firewall is a lot less bother than trying to bypass one. A well configured one, at least.

Joachim

Reply to
Joachim Schipper

ravicse04 wrote:
:And one more doubt which I have: why is Skype better than other
:instant messengers like Yahoo, MSN etc.? I mean, Skype provides the
:facility to work behind the firewall but other messengers don't.

:I think that Skype uses the point-to-point networking concept.
:Please explain it to me briefly.

Please see the thread starting at


And please stop multi-posting. When you believe your question is appropriate for multiple newsgroups, instead of posting essentially the same question to each of them, post the question -once- with the Newsgroups: header set to include all the appropriate newsgroups, separated by commas (and no spaces). For example,

Newsgroups: comp.security.misc,comp.security.firewalls

Reply to
Walter Roberson

Other IMs work behind firewalls if the firewall admin has either properly set up the firewall for IM or hasn't properly configured the firewall to block IM.

Reply to
Leythos

Hi Walter,

I only want to know why it is necessary to configure the firewall in a VOIP application or instant messenger program. My question is: why is this facility given in the Skype instant messenger?

Thanks in advance, Ravi


Reply to
ravicse04

Hi Walter,

I am trying to understand your answer. I think I can go in the right direction thanks to the input given by you. But while reading the answer I have more doubts:

1) "What is the need of a firewall in a VOIP application? Why do we bother about the firewall in Skype?" Can you briefly explain and provide me some link if you have one?

2) If the need is essential in the Skype instant messenger, then how can we overcome it?

Hoping for a positive response.

Regards, Ravi


Reply to
ravicse04

Hi Walter,

I am trying to make my question clearer to you:

Let's think: if we are sitting behind the firewall and want to browse, then I just type the DNS name of the site and the page will open. But in the same way, if I want to talk to the other person and I am still behind the firewall, then why does the firewall feature come into the limelight?

In short, wherever we talk about a VOIP application, the firewall comes up automatically. Why?

I asked two questions in my past mail; I want to make a slight change to my previous questions. The new ones are:

1) "What is the significance of the firewall in a VOIP application? Why do we bother about the firewall in Skype?" Can you briefly explain and provide me some link if you have one?

2) If the significance is essential in the Skype instant messenger, then how can we overcome it?

Reply to me soon, Ravi.


Reply to
ravicse04

ravicse04 wrote:
:I only want to know why it is necessary to configure the firewall in a
:VOIP application or instant messenger program. My question is: why is
:this facility given in the Skype instant messenger?

skype works by having central servers that coordinate information about which systems world-wide are connected on which port, and by figuring out which of those are not protected by stateful firewalls and then exploiting the resources of those unprotected systems to make them act as "switchboards" to allow protected systems to cross-connect to each other.

There is no theoretical reason why Netmeeting and kin could not be written the same way, but that is not their design goal. Instead, the design goal of Netmeeting is that it is point to point, with the only systems involved being the direct systems that will be meeting with each other, and possibly local systems on one or both ends that act as resource mediators.

There is no central Netmeeting server that coordinates information about who is active on which port, and there are no central (or exploited) Netmeeting switchboard sites designed to exchange information on behalf of systems that are protected by real firewalls. These things -could- have been done, but Netmeeting was designed to only use the resources of the systems that are trying to communicate -- and if both systems that are trying to communicate are protected by real firewalls, then one or both of the two must be configured to allow the transaction.

It is also a mistake to believe that skype does NOT require firewall configuration. Skype relies on the fact that nearly all consumer firewalls (and a lot of company firewalls) allow all -outgoing- connections by default. At companies with real security policies, firewalls are instead configured to allow only outgoing traffic that fits in with the organization's analyzed needs, with all other traffic being blocked by default. On the firewalls for such companies, it is necessary to reconfigure the firewall in order to connect to skype.

When someone here tries to use skype, it's very obvious in the firewall logs -- the pattern of firewall Deny log messages is unmistakable once one has seen it a few times.

Reply to
Walter Roberson

ravicse04 wrote:
:I am trying to make my question clearer to you:

Sorry, I find your sentence construction difficult to understand at times, so I do not always understand your question clearly.

:Let's think: if we are sitting behind the firewall and want to
:browse, then I just type the DNS name of the site and the page will open. But
:in the same way, if I want to talk to the other person and I am still
:behind the firewall, then why does the firewall feature come into the limelight?

The first part of your premise is not correct.

When you want to browse a web page, your system consults its internal tables of IP addresses, and if necessary consults whatever name resolution service has been configured for it, with the goal of finding the IP address from the hostname of the web page.

If you are using Windows (as is implied by your references to Instant Messenger and Skype), then there are different ways that the name resolution service can be configured; the order can include contacting a WINS server [internal or external], contacting a local PDC (Primary Domain Controller) [internal] or BDC (Backup Domain Controller) [internal], having your system attempt to contact NETBIOS name resolution service on some machine (with rules about which machines are tried) [via UDP 137 or TCP 445] -- or, as is the case for non-Windows machines, contacting a DNS (Domain Naming Service) host [internal or external.]

If your system attempts to contact an internal system for more information, then that particular transaction will not touch the firewall -- but that internal system might attempt to contact external systems for information, which gets into the case below.

In each of the cases involving contacting an external host, your firewall has to be configured to allow the transaction attempt. It is possible, for example, that -your- host is blocked from placing Domain Naming System (DNS) enquiries to anywhere outside, but that your firewall has been configured to allow your DNS server to place such queries (and probably not to place http requests...)

Most consumer firewalls, and a number of company firewalls, are configured to allow all outgoing requests. Higher quality firewalls deployed at locations with better security policies, only allow outgoing requests that they have been configured for.

When your system has, through some mechanism or other, determined the IP address of the remote web page, it will attempt an http or https transaction.

If your system has been configured to send requests through a proxy server, then it will send the request to that server [internal or external] and that server will handle the request and report back on the result. The most common proxy server port is TCP 3128 ("squid"). Again, if the proxy server is external then the firewall must be configured to allow through the proxy request; if it is internal, then the firewall must be configured to allow the proxy server itself to place http/https requests.

If your system has been configured so that it will attempt to place the requests directly, then it will attempt a connection on TCP port 80 (http) or 443 (https), or whatever port the URL specifies {if any.} The firewall must have been configured to allow those requests through. Again, many consumer and small businesses firewalls allow all outgoing requests but bigger companies may only allow requests to some sites -- especially so for ports other than 80 and 443.

The situation is no different for Skype. To contact the Skype servers, your firewall must be configured to allow the access... whether that's because it's a cheap firewall that allows everything or because your site's security administrators have deliberately opened the ports or have not chosen to block the necessary ports.

The same situation holds for Netmeeting: you can initiate a call if and only if your firewall configuration allows you to do so.

Why is Netmeeting more commonly blocked than Skype? The answer is that because [as explained last message] Netmeeting has no single central server, in order to allow other people to place Netmeeting calls to you, your firewall must have been configured to allow incoming connections from all the places you wish to be able to contact you. That's noticeably more configuration work than allowing an outgoing connection to a single server (Skype.)

As indicated earlier, Netmeeting -could- have been designed the way Skype was, but it was instead designed to only involve the equipment of the systems that wish to connect together, without involving any third-party site (e.g., Skype's main servers, or any of the random hosts around the world that Skype might delegate to.)

:1) "What is the significance of the firewall in a VOIP application? Why do
:we bother about the firewall in Skype?" Can you briefly explain and provide me
:some link if you have one?

Firewall configurations are involved in both cases. -More- firewall configuration is involved for typical VOIP applications than is the case for Skype, because of the difference in design goals.

Communicating directly, point to point, is always more efficient than routing through a third party, so protocols that use direct connections can achieve higher quality connections, better audio quality, larger video, and better frame rate, than if an intermediate is used.

Another factor that applies in locations such as mine here, is that our link to our main headquarters goes through a line that we pay a small flat yearly fee for, but Skype is not on that private network and it is unlikely that any system that Skype might delegate to would be on that private network either. We have to pay bandwidth usage charges (about $US500 per month at present) for "commercial" traffic -- so a point to point protocol such as Netmeeting that travels directly over our private link is a lot less expensive for us to operate than Skype over the public network.

:2) If the significance is essential in the Skype instant messenger,
:then how can we overcome it?

Sorry, I found that question particularly difficult to understand. I will answer as best I can make out:

a) Unless you have some unusual legal constraint (e.g., you are inside a hospital network or at a Top Secret defence laboratory), you are not REQUIRED to use a firewall at all. A firewall is a *tool*. You can skip the tool, if you don't care if your network gets broken into, or if you have developed some other protection mechanisms, or if the cost to you to repair your network after a break-in is less than the cost to purchase/construct and maintain the security tool.

b) If you *choose* to use a firewall, then if it is a consumer firewall, it is going to let everything out by default, and you can use any VOIP-like application that operates a switching service that allows both sides to contact it and have it exchange packets for the two sides.

c) The firewall considerations for Skype and HTTP are nearly the same, but firewall administrators are more likely to allow HTTP requests out than to allow Skype. That's a matter of security risk assessment, not of technology.

d) If you choose to use a point-to-point communications protocol such as when you use Netmeeting, then at least one of the two sides must not have a firewall or must have configured the firewall to allow incoming connections.

e) If you allow outgoing Skype connections, then firewall reconfiguration isn't necessary for Skype because Skype will connect you directly if it figures out it can do so, but it will otherwise tell both systems where to contact to find a system that will act as a go-between.

f) Point to point communication services such as Netmeeting *could* have been designed the same way but weren't, and there are various good reasons why they weren't (e.g., security, maximum quality, possibility of different link economics.)

:and provide me some link if you have one?

Sorry, I can't be bothered finding links. I've already posted links to discussions that included links to the Skype mechanisms. The Netmeeting protocols are well defined standards such as H.323 and SIP; you can research those as easily as I can.

I am not particularly aware of any sites or books that discuss the advantages and disadvantages of various communications protocols. Those might exist, but I have never bothered to look for them.

Reply to
Walter Roberson
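The firewall behaviour Walter describes above (outgoing allowed by default on consumer firewalls, unsolicited inbound needing an explicit rule, and company firewalls that default-deny outgoing) can be modelled in a few lines. This is an added example, not code from the thread or from Skype or Netmeeting; the relay port 33033 and the source port 50000 are constructed values, and 1720 is assumed here as the H.323 call-signalling port for the point-to-point case.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

RELAY_PORT = 33033   # constructed port for the third-party "switchboard"
CALL_PORT = 1720     # H.323 call-signalling port (assumed for the direct case)
EPHEMERAL = 50000    # constructed source port used by the calling host


@dataclass
class StatefulFirewall:
    """Outbound policy plus a state table; unsolicited inbound needs a rule."""
    name: str
    out_ports: Optional[Set[int]] = None       # None = allow all outgoing
    in_ports: Set[int] = field(default_factory=set)
    state: Set[Tuple[str, int]] = field(default_factory=set)

    def outbound(self, dst_host: str, dst_port: int) -> bool:
        allowed = self.out_ports is None or dst_port in self.out_ports
        if allowed:                        # remember the peer so replies pass
            self.state.add((dst_host, dst_port))
        return allowed

    def inbound(self, src_host: str, src_port: int, dst_port: int) -> bool:
        if (src_host, src_port) in self.state:
            return True                    # reply to a connection we opened
        return dst_port in self.in_ports   # otherwise needs an explicit rule


def direct_call(caller: StatefulFirewall, callee: StatefulFirewall) -> bool:
    """Point to point (Netmeeting style): caller connects straight to callee."""
    if not caller.outbound(callee.name, CALL_PORT):
        return False
    return callee.inbound(caller.name, EPHEMERAL, CALL_PORT)


def relayed_call(a: StatefulFirewall, b: StatefulFirewall) -> bool:
    """Skype style: both sides connect OUT to a relay that forwards between them."""
    if not (a.outbound("relay", RELAY_PORT) and b.outbound("relay", RELAY_PORT)):
        return False
    # the relay's packets back to each side must pass as replies
    return (a.inbound("relay", RELAY_PORT, EPHEMERAL)
            and b.inbound("relay", RELAY_PORT, EPHEMERAL))


def consumer(name): return StatefulFirewall(name)
def company(name, extra=()): return StatefulFirewall(name, {80, 443, *extra})


def run_scenarios() -> Dict[str, bool]:
    return {
        "consumer/direct":  direct_call(consumer("A"), consumer("B")),
        "consumer/relayed": relayed_call(consumer("A"), consumer("B")),
        "company/direct":   direct_call(company("A"), company("B")),
        "company/relayed":  relayed_call(company("A"), company("B")),
        "company/relayed after opening relay port":
            relayed_call(company("A", (RELAY_PORT,)), company("B", (RELAY_PORT,))),
        "company/direct with inbound rule on callee":
            direct_call(company("A", (CALL_PORT,)),
                        StatefulFirewall("B", {80, 443}, {CALL_PORT})),
    }


if __name__ == "__main__":
    for scenario, ok in run_scenarios().items():
        print(f"{scenario:45s} {'connects' if ok else 'blocked'}")
```

The only scenarios that connect are the ones where both sides initiate outward to a relay the outbound policy permits, or where the callee's firewall carries an explicit inbound rule, which is exactly the configuration difference between Skype and Netmeeting that the answer describes.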

Hi Walter,

I felt very happy to see your response. Walter, can you tell me about this from your second-to-last message: "skype works by having central servers that coordinate information about which systems world-wide are connected on which port, and by figuring out which of those are not protected by stateful firewalls and then exploiting the resources of those unprotected systems to make them act as "switchboards" to allow protected systems to cross-connect to each other."

Here in the last line you have written "unprotected systems to make them act as a switchboard with the protected systems". Can you explain the meaning of this statement in brief?

Thanks in advance. Ravi


Reply to
ravicse04

Hi,

I want to ask one general question. Can you tell me:

"What is the role of the firewall in a VOIP application?"

Ravi


Reply to
ravicse04

Hi,

Can you give me a brief description of this statement of yours:

"In a VOIP application, is in allowing one to have more internal devices than one has public IP addresses. Other than that NAT function, the role of a firewall in VOIP is to "get in the way" and make life more difficult."

Actually, from this information I am not able to understand you. Please provide me some more valuable suggestions.

Ravi


Reply to
ravicse04

ravicse04 wrote:
:I want to ask one general question. Can you tell me:

:"What is the role of the firewall in a VOIP application?"

The same as in any other application: it operates according to its configured ruleset to prevent inside systems from connecting to unauthorized locations, and it prevents unauthorized outside systems from connecting inward.

The rest is just full about how to use static rulesets to -usually- block ports, but to open up the ports temporarily if a trusted protocol has need of the ports.

Firewalls are often also NAT (Network Address Translation) devices. Amongst other uses, NAT devices allow large numbers of internal devices to share a small number of public IP addresses. The NAT aspect of a firewall has to know how to connect temporarily a public port and an internal machine. Formally speaking that is not a firewall function but rather a NAT function, but if you call it a firewall function then not many people will get upset.

If one -does- call the NAT function a firewall function, then the only benefit from having a firewall (other than the usual security ones of preventing unauthorized people from initiating connections) in a VOIP application, is in allowing one to have more internal devices than one has public IP addresses. Other than that NAT function, the role of a firewall in VOIP is to "get in the way" and make life more difficult.

Reply to
Walter Roberson

Hi Walter,

I have tried to understand your answer regarding my query, "Role of the firewall in a VOIP application".

But it is not clear to me. I think that in a simple client application the same role is played by NAT. So why do we worry so much about the VOIP application?

Why will we be so careful about the firewall in a VOIP application? Please give me the full explanation.

Ravi


Reply to
ravicse04

Actually, there is, but you don't *have* to use it. "Microsoft Internet Directory" is MS' global ldap server.

Regards,

Reply to
Arthur Hagen

Hi all,

I am writing what I understood; can you suggest to me whether I am right or wrong? My question is: "Role of the firewall in a VOIP application".

Ans:

The standard approach is to close all ports except those the enterprise specifically needs to keep open, e.g. for HTTP (Web) traffic. In legacy firewalls, open ports can only be closed via manual configuration.

But if you want to let VOIP traffic move from a public IP network onto your premises, you have to leave lots of ports open. For each voice conversation, two TCP or UDP ports have to be opened to allow H.323 signaling, one port for each direction. Then, for the voice traffic itself, two UDP ports must be opened and, optionally, two more UDP ports may be opened for Real-Time Control Protocol (RTCP), which monitors performance.

The VOIP ports run in sequences starting with Port 1024, which is a talk port, then 1025 to monitor 1024, then Port 1026 to listen, 1027 to monitor 1026, and so on.

Note that 2-4 UDP ports must be open for the duration of each call. If you need to support more than one simultaneous phone call, you'll have to open up a pool of many more ports. "You can create a blocking environment at your firewall if you run out of ports that are in your pool,"

Note: a suggestion is needed.

And one thing more: can you tell me why, when we are behind the firewall, we always have to make the request to the outside person? I mean that when we try to communicate (I am not behind the firewall) with another person who is behind the firewall, then I have to wait for a request from that person who is behind the firewall.

Why can't the outside person send the request first to the person sitting behind the firewall?

Waiting for your valuable suggestion.

Ravi


Reply to
ravicse04

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.