Method for stateful firewall inspection of ICE messages

US 7,472,411 B2
Filed: 11/01/2005
Issued: 12/30/2008
Est. Priority Date: 11/01/2005
Status: Active Grant

First Claim

Patent Images

1. A management system, comprising:

a processor generating a token to be inserted into a signaling message and then comparing the token with an unauthorized message received at a security device to authorize forwarding by the security device; and

the processor receiving an authorization request including an entire Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (STUN) request that includes the token and the processor removing the token and sending the entire tokenless STUN request back to the security device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An endpoint uses Interactive Connectivity Establishment (ICE) to enable multimedia communications to traverse Network Address Translators (NATs). A security policy enables security devices and asymmetric security devices to forward ICE messages. A management device stores information about an initial message. Later, a security device receives an ICE message and sends and authorization request to the management device. The management device compares information in the authorization request to information in memory. According to the comparison, the management device authorizes the security device to forward the ICE message.

57 Citations

View as Search Results

25 Claims

1. A management system, comprising:
- a processor generating a token to be inserted into a signaling message and then comparing the token with an unauthorized message received at a security device to authorize forwarding by the security device; and
  
  the processor receiving an authorization request including an entire Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (STUN) request that includes the token and the processor removing the token and sending the entire tokenless STUN request back to the security device.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The management system of claim 1 wherein the unauthorized message is an Interactive Connectivity Establishment (ICE) message.
  - 3. The management system according to claim 1 wherein the processor further compares contact information included in the signaling message to contact information included in the unauthorized message.
  - 4. The management system according to claim 1, wherein the processor operates in a policy server or a firewall controller.
  - 5. The management system according to claim 4 wherein an authorization is sent by the processor to a firewall, a NAT, or any other security device.

6. A security system comprising:
- a processor sending an authorization request for an unauthorized message, the unauthorized message including an authorization token; and
  
  forwarding the unauthorized message when the authorization request is validated; and
  
  where the processor opens a pinhole when a validation message is received back in response to the forwarded unauthorized message;
  
  wherein the pinhole is a path through a security device through which messages associated with a particular source address may pass.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The security system of claim 6, where the authorization request includes the authorization token to be used for validation.
  - 8. The security system of claim 6 further comprising the processor multicasting a Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (STUN) transaction identifier to other security devices in a same multicast group.
  - 9. The security system of claim 6 wherein the unauthorized message is an Interactive Connectivity Establishment (ICE) message including a STUN request.
  - 10. The security system of claim 6 wherein opening the pinhole further includes comparing a STUN transaction identifier included in the unauthorized message with a STUN transaction identifier included in the validation message.

11. A method for authorizing communications across asymmetric security devices comprising:
- receiving a first message that includes first media information associated with an outgoing communication, the first message sent from a first asymmetric security device processing the outgoing communication;
  
  storing the first media information;
  
  receiving a first authorization request from a second different asymmetric security device, the first authorization request including second media information associated with an unauthorized incoming communication;
  
  comparing a first value from the first media information to a second value from the second media information; and
  
  authorizing the second different asymmetric security device to forward the unauthorized incoming communication according to the comparison.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11 including storing a Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (STUN) transaction identifier located in the first authorization request.
  - 13. The method of claim 12 including sending the STUN transaction identifier to a first asymmetric security device.
  - 14. The method of claim 11 further comprising:
    - receiving a second authorization request associated with an unauthorized outgoing communication received at a first asymmetric security device and comparing a value of a STUN transaction identifier located in the second authorization request to the stored value;
      
      authorizing the first asymmetric security device to forward the unauthorized outgoing communication according to the comparison.
  - 15. The method of claim 11 where the unauthorized incoming communication is an Interactive Connectivity Establishment (ICE) message.

16. A method comprising:
- identifying an outgoing message containing a payload having a unique identifier;
  
  attaching an opaque token to the unique identifier before communicating the outgoing message, the opaque token to be used for verifying an incoming message at a security device, said attachment to cause a remote endpoint originating a communication that contains the unique identifier to automatically include the opaque token therein independently of whether the remote endpoint is aware of the presence of the opaque token;
  
  receiving at the security device the incoming message having a payload containing the unique identifier, the unique identifier having the opaque token attached thereto;
  
  sending a verification message including the opaque token, the verification message sent from the security device to a management device; and
  
  communicating the incoming message if authorization is received for the incoming message.
- View Dependent Claims (17, 18, 19)
- - 17. The method of claim 16 wherein the verification message includes an entire Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (STUN) request.
  - 18. The method of claim 17 wherein the verification message is sent responsive to the security device observing the presence of the opaque token in the incoming message.
  - 19. The method of claim 18 including:
    - receiving an unauthorized outgoing communication after communicating the incoming message; and
      
      sending an authorization request to the management device to determine whether to forward the unauthorized outgoing communication.

20. A system for authorizing communications across asymmetric security devices comprising:
- means for receiving a first message that includes first media information associated with an outgoing communication;
  
  means for storing the first media information;
  
  means for receiving a first authorization request from a first asymmetric security device, the first authorization request including second media information associated with an unauthorized incoming communication;
  
  means for comparing a first value from the first media information to a second value from the second media information; and
  
  means for authorizing the first asymmetric security device to forward the unauthorized incoming communication according to the comparison.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. The system of claim 20 including means for storing a Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (STUN) transaction identifier located in the first authorization request.
  - 22. The system of claim 20 further comprising:
    - means for receiving a second authorization request associated with an unauthorized outgoing communication received at a second asymmetric security device and comparing a value of a STUN transaction identifier located in the second authorization request to the stored value;
      
      means for authorizing the second asymmetric security device to forward the unauthorized outgoing communication according to the comparison.
  - 23. The system of claim 20 where the unauthorized incoming communication is an Interactive Connectivity Establishment (ICE) message.
  - 24. The system of claim 20 wherein the first message is received at a call controller.
  - 25. The system of claim 20 includingmeans for receiving an unauthorized outgoing communication after forwarding the first message;
    - andmeans for sending an authorization request to determine whether to drop or forward the unauthorized outgoing communication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Wing, Daniel G., Bell, Robert T.
Primary Examiner(s)
Moise; Emmanuel L
Assistant Examiner(s)
CALLAHAN, PAUL E

Application Number

US11/265,596
Publication Number

US 20070101414A1
Time in Patent Office

1,155 Days
Field of Search

726/4, 726/5, 726/12, 726/13, 713/151, 713/155, 713/162
US Class Current

726/5
CPC Class Codes

H04L 61/2564   for a higher-layer protocol...

H04L 61/2578   without involvement of the ...

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/20   for managing network securi...

H04L 65/1043   Gateway controllers, e.g. m...

H04L 65/1069   Session establishment or de...

H04L 65/1101   Session protocols

H04L 65/1104   Session initiation protocol...

Method for stateful firewall inspection of ICE messages

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

57 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Method for stateful firewall inspection of ICE messages

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links