Method for stateful firewall inspection of ICE messages
Abstract
An endpoint uses Interactive Connectivity Establishment (ICE) to enable multimedia communications to traverse Network Address Translators (NATs). A security policy enables security devices and asymmetric security devices to forward ICE messages. A management device stores information about an initial message. Later, a security device receives an ICE message and sends an authorization request to the management device. The management device compares information in the authorization request to information in memory. According to the comparison, the management device authorizes the security device to forward the ICE message.
25 Claims
1. A management system, comprising:
- a processor generating a token to be inserted into a signaling message and then comparing the token with an unauthorized message received at a security device to authorize forwarding by the security device; and
- the processor receiving an authorization request including an entire Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (STUN) request that includes the token and the processor removing the token and sending the entire tokenless STUN request back to the security device.
(Dependent claims: 2, 3, 4, 5)
6. A security system comprising:
- a processor sending an authorization request for an unauthorized message, the unauthorized message including an authorization token; and
- forwarding the unauthorized message when the authorization request is validated; and
- where the processor opens a pinhole when a validation message is received back in response to the forwarded unauthorized message;
- wherein the pinhole is a path through a security device through which messages associated with a particular source address may pass.
(Dependent claims: 7, 8, 9, 10)
11. A method for authorizing communications across asymmetric security devices comprising:
- receiving a first message that includes first media information associated with an outgoing communication, the first message sent from a first asymmetric security device processing the outgoing communication;
- storing the first media information;
- receiving a first authorization request from a second different asymmetric security device, the first authorization request including second media information associated with an unauthorized incoming communication;
- comparing a first value from the first media information to a second value from the second media information; and
- authorizing the second different asymmetric security device to forward the unauthorized incoming communication according to the comparison.
(Dependent claims: 12, 13, 14, 15)
16. A method comprising:
- identifying an outgoing message containing a payload having a unique identifier;
- attaching an opaque token to the unique identifier before communicating the outgoing message, the opaque token to be used for verifying an incoming message at a security device, said attachment to cause a remote endpoint originating a communication that contains the unique identifier to automatically include the opaque token therein independently of whether the remote endpoint is aware of the presence of the opaque token;
- receiving at the security device the incoming message having a payload containing the unique identifier, the unique identifier having the opaque token attached thereto;
- sending a verification message including the opaque token, the verification message sent from the security device to a management device; and
- communicating the incoming message if authorization is received for the incoming message.
(Dependent claims: 17, 18, 19)
20. A system for authorizing communications across asymmetric security devices comprising:
- means for receiving a first message that includes first media information associated with an outgoing communication;
- means for storing the first media information;
- means for receiving a first authorization request from a first asymmetric security device, the first authorization request including second media information associated with an unauthorized incoming communication;
- means for comparing a first value from the first media information to a second value from the second media information; and
- means for authorizing the first asymmetric security device to forward the unauthorized incoming communication according to the comparison.
(Dependent claims: 21, 22, 23, 24, 25)
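The token mechanism of claims 1, 6 and 16 worked end to end, as an added illustration that is not part of the patent or of any product: the management device appends an opaque token to the endpoint's ICE username fragment in outgoing signaling, the remote peer echoes it back inside the STUN USERNAME attribute without knowing it is there, the security device hands the entire unauthorized STUN request to the management device, which checks the token, strips it and returns the tokenless request for forwarding, and the pinhole for the source address opens only once the endpoint's STUN response comes back. The fixed 8-hex-digit token width, the in-memory set of issued tags, and all class and method names are assumptions.

```python
import os, struct
STUN_BINDING_REQUEST, ATTR_USERNAME, MAGIC_COOKIE = 0x0001, 0x0006, 0x2112A442
TOKEN_HEX_LEN = 8  # assumed fixed token width so the management device knows how much to strip

def build_stun_request(username: bytes, txid: bytes) -> bytes:
    # Minimal STUN Binding request with one USERNAME attribute (RFC 5389 framing, 4-byte padding).
    attr = struct.pack("!HH", ATTR_USERNAME, len(username)) + username + b"\0" * (-len(username) % 4)
    return struct.pack("!HHI", STUN_BINDING_REQUEST, len(attr), MAGIC_COOKIE) + txid + attr

def stun_username(msg: bytes) -> bytes:
    # Walk the attribute list and return the USERNAME value; raise on malformed input.
    _, length, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE or len(msg) != 20 + length:
        raise ValueError("malformed STUN message")
    pos = 20
    while pos + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        if atype == ATTR_USERNAME:
            return msg[pos + 4:pos + 4 + alen]
        pos += 4 + alen + (-alen % 4)
    raise ValueError("no USERNAME attribute")

class ManagementDevice:  # mints the opaque token for an outgoing ufrag, later validates and strips it
    def __init__(self):
        self.issued = set()  # tagged local ufrags placed into outgoing signaling
    def tag_outgoing_ufrag(self, ufrag: str) -> str:
        tagged = ufrag + os.urandom(TOKEN_HEX_LEN // 2).hex()
        self.issued.add(tagged)
        return tagged  # goes into the SDP ice-ufrag; the peer echoes it back in STUN USERNAME
    def authorize(self, stun_request: bytes):
        # The authorization request carries the entire STUN request; return it tokenless, or None.
        try:
            local, remote = stun_username(stun_request).decode().split(":", 1)  # ICE "local:remote"
        except (ValueError, struct.error):  # truncated, malformed, non-text, or no ':' separator
            return None
        if local not in self.issued:
            return None  # unknown or wrong token: the security device must drop the message
        return build_stun_request((local[:-TOKEN_HEX_LEN] + ":" + remote).encode(), stun_request[8:20])

class SecurityDevice:  # holds each unauthorized STUN request until the management device validates it
    def __init__(self, mgmt):
        self.mgmt, self.pending, self.pinholes = mgmt, {}, set()
    def on_incoming_stun(self, src, stun_request: bytes):
        cleaned = self.mgmt.authorize(stun_request)
        if cleaned is not None:
            self.pending[cleaned[8:20]] = src  # remember the transaction id until the endpoint answers
        return cleaned  # forwarded tokenless request, or None to drop
    def on_stun_response(self, txid: bytes):
        src = self.pending.pop(txid, None)
        if src is not None:
            self.pinholes.add(src)  # claim 6: the pinhole opens only after the validation response
```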