Routing VoIP calls through multiple security zones

US 8,200,827 B1
Filed: 10/25/2004
Issued: 06/12/2012
Est. Priority Date: 10/25/2004
Status: Active Grant

First Claim

Patent Images

1. A method for routing voice packets across multiple security zones, the method comprising:

performing, with a firewall, call setup signaling across at least a first security zone, a second security zone, and a third security zone to set up a call through the firewall between a first user device in the first security zone and a second user device in the third security zone, where setting up the call includes;

receiving, with the firewall, a call invitation message from the first user device in the first security zone, where the call invitation message includes private addressing information comprising;

a source address, associated with the first user device, included in a header of the call invitation message, andaddress information, associated with media to be transmitted between the first user device and the second user device, included in a body of the call invitation message,identifying, with the firewall, the private addressing information in the call invitation message,translating, with the firewall, the identified private addressing information into publicly routable addressing information,establishing, with the firewall and based on the private addressing information, at least one first gate between the first security zone and the second security zone, where the at least one first gate includes a discrete pinhole for signaling packets associated with the call and another discrete pinhole for media packets associated with the call,forwarding, with the firewall and based on establishing the at least one first gate, the call invitation message, including the publicly routable addressing information, to a proxy server in the second security zone,receiving, with the firewall, a processed call invitation message from the proxy server, where the processed call invitation message includes portions of the call invitation message,establishing, with the firewall, a link between the call invitation message and the processed call invitation message based on the included portions of the call invitation message,tearing down, based on establishing the link, the discrete pinhole for media packets,establishing, with the firewall and based on establishing the link and tearing down the discrete pinhole for media packets, at least one second gate between the first security zone and the third security zone,where the at least one second gate includes a discrete pinhole for media packets that permits media messages associated with the call to be transmitted, via the firewall, directly between the first security zone and the third security zone, andwhere the at least one second gate includes a discrete pinhole for signaling messages that points to the proxy server to direct signaling messages associated with the call through the proxy server, andforwarding, with the firewall, the processed call invitation message to the second user device in the third security zone.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Call setup signaling is performed across at least a first security zone, a second security zone, and a third security zone to set up a call. At least one gate is then established between the first security zone and the third security zone to enable traffic flow for the call between the first security zone and the third security zone.

Citations

20 Claims

1. A method for routing voice packets across multiple security zones, the method comprising:
- performing, with a firewall, call setup signaling across at least a first security zone, a second security zone, and a third security zone to set up a call through the firewall between a first user device in the first security zone and a second user device in the third security zone, where setting up the call includes;
  
  receiving, with the firewall, a call invitation message from the first user device in the first security zone, where the call invitation message includes private addressing information comprising;
  
  a source address, associated with the first user device, included in a header of the call invitation message, andaddress information, associated with media to be transmitted between the first user device and the second user device, included in a body of the call invitation message,identifying, with the firewall, the private addressing information in the call invitation message,translating, with the firewall, the identified private addressing information into publicly routable addressing information,establishing, with the firewall and based on the private addressing information, at least one first gate between the first security zone and the second security zone, where the at least one first gate includes a discrete pinhole for signaling packets associated with the call and another discrete pinhole for media packets associated with the call,forwarding, with the firewall and based on establishing the at least one first gate, the call invitation message, including the publicly routable addressing information, to a proxy server in the second security zone,receiving, with the firewall, a processed call invitation message from the proxy server, where the processed call invitation message includes portions of the call invitation message,establishing, with the firewall, a link between the call invitation message and the processed call invitation message based on the included portions of the call invitation message,tearing down, based on establishing the link, the discrete pinhole for media packets,establishing, with the firewall and based on establishing the link and tearing down the discrete pinhole for media packets, at least one second gate between the first security zone and the third security zone,where the at least one second gate includes a discrete pinhole for media packets that permits media messages associated with the call to be transmitted, via the firewall, directly between the first security zone and the third security zone, andwhere the at least one second gate includes a discrete pinhole for signaling messages that points to the proxy server to direct signaling messages associated with the call through the proxy server, andforwarding, with the firewall, the processed call invitation message to the second user device in the third security zone.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, where the at least one first gate is established to return traffic from the proxy server to the first user device.
  - 3. The method of claim 2, where the at least one first gate includes at least a first signaling gate that includes the discrete pinhole for signaling packets and a first media gate that includes the discrete pinhole for media packets.
  - 4. The method of claim 1, where establishing, with the firewall, the at least one second gate between the first security zone and the third security zone, further comprises:
    - determining, with the firewall, that a field of a header of the processed call invitation message matches a field of the header of the call invitation message received from the first user device, andestablishing, with the firewall, the at least one second gate between the first security zone and the third security zone when the firewall determines that the field of the header of the processed call invitation message matches the field of the header of the call invitation message received from the first user device.
  - 5. The method of claim 4, where establishing the at least one second gate between the first security zone and the third security zone further includes:
    - establishing the at least one second gate in a third security zone interface for enabling return traffic to pass from the second user device to the first user device.
  - 6. The method of claim 5, further comprising:
    - forwarding the processed call invitation message when a security policy exists that enables the received processed call invitation message to pass to the second user device from the proxy server.
  - 7. The method of claim 4, where determining that the field of the header of the processed call invitation message matches the field of the header of the call invitation message received from the first user device further comprises:
    - determining that a CALL-ID value in the header of the processed call invitation message matches a CALL-ID value in the header of the call invitation message received from the first user device.
  - 8. The method of claim 4, further comprising:
    - determining, upon receipt of the processed call invitation message, whether a security policy exists that enables the received processed call invitation message to pass to the second user device from the proxy server; and
      
      dropping the processed call invitation message when a security policy does not exist that enables the received processed call invitation message to pass to the second user device from the proxy server.
  - 9. The method of claim 4, where the processed call invitation message, received from the proxy server, includes proxy server private addressing information.
  - 10. The method of claim 9, further comprising:
    - identifying the proxy server private addressing information in the processed call invitation message;
      
      translating the identified proxy server private addressing information into publicly routable addressing information to generate a translated call invitation message; and
      
      forwarding the translated call invitation message to the second user device on the third security zone interface.
  - 11. The method of claim 1, where the proxy server comprises a session initiation protocol (SIP) proxy and the call invitation message comprises a SIP Invite message including at least contact information, via information, and SDP information.
  - 12. The method of claim 1, where the proxy server comprises an H.323 gatekeeper and the call invitation message comprises an H.323 Request message.
  - 13. The method of claim 1, where the at least one first gate, established between the first security zone and the second security zone, includes:
    - at least a first contact gate directed from the second security zone to the first user device,a first via gate directed from the second security zone to the first user device, anda first media gate directed from the second security zone to the first user device.
  - 14. The method of claim 13, where tearing down the discrete pinhole for media packets includes:
    - deleting the first contact gate and the first media gate, andwhere establishing the at least one second gate includes;
      
      establishing a second contact gate between the first security zone and the third security zone directed from the third security zone to the first user device; and
      
      establishing a second via gate between the first security zone and the third security zone directed from the third security zone to the proxy server for enabling return traffic relating to call setup and tear down messages to pass from the second user device to the proxy server.

15. A network device for routing voice over internet protocol (VoIP) call messages across multiple security zones, the network device comprising:
- at least one TRUST zone interface to receive a call invitation message from a first user device located in first security zone, where the call invitation message includes private addressing information;
  
  at least one demilitarized zone (DMZ) interface to communicate with at least one proxy server located in a second security zone;
  
  at least one UNTRUST interface to communicate with at least one second user device located in third security zone; and
  
  application level gateway (ALG) component to dynamically route the VoIP call messages between the first user device, the at least one proxy server, and the second user device, and to selectively control communication between the first user device, the at least one proxy server, and the second user device, where the ALG component is further to;
  
  receive the call invitation message,identify the private addressing information,translate the identified private addressing information into publicly routable addressing information,establish, based on the private addressing information, a first pinhole and a second pinhole in the DMZ interface, where the first pinhole is established to transmit signaling data and the second pinhole is established to transmit media data,forward, through the at least one DMZ interface, the call invitation message, including the publicly routable addressing information, to the at least one proxy server in the second security zone,receive, through the at least one DMZ interface, a processed call invitation message from the at least one proxy server, where the processed call invitation message includes portions of the call invitation message,tear down, in response to receiving the processed call invitation message, the second pinhole,establish, in response to tearing down the second pinhole, a third pinhole and a fourth pinhole in the at least one UNTRUST interface, where the third pinhole is to transmit media data and the fourth pinhole points to the at least one proxy server to direct signaling via the at least one proxy server and the first pinhole, andforward, through the at least one UNTRUST interface, the processed call invitation message to the second user device in the third security zone.
- View Dependent Claims (16, 17, 18)
- - 16. The network device of claim 15, where the ALG component is further to:
    - match the processed call invitation message with the call invitation message received from the first user device, and where the third pinhole and the fourth pinhole are established based on the matching; and
      
      create a signaling pinhole in the third security zone interface for enabling return traffic, relating to call setup and tear down messages, to pass from the second user device to the proxy server.
  - 17. The network device of claim 16, where the ALG component is further to:
    - determine, upon receipt of the processed call invitation message, whether a security policy exists that enables the received processed call invitation message to pass to the second user device from the proxy server; and
      
      drop the processed call invitation message when a security policy does not exist that enables the received processed call invitation message to pass to the second user device from the proxy server.
  - 18. The network device of claim 15, where the proxy server comprises a session initiation protocol (SIP) proxy and the call invitation message comprises a SIP Invite message.

19. A device, comprising:
- a memory to store instructions; and
  
  a processor to execute the instructions to;
  
  receive call invitation related messages from a private user device located in first security zone; and
  
  dynamically route the call invitation related messages, based on the call invitation messages, between the private user device, a proxy server, and a public user device in multiple security zones, where each of the private user device, the proxy server, and the public user device are in a separate one of the multiple security zones, and where communication between the private user device, the proxy server, and the public user device is selectively controlled,where, when dynamically routing the call invitation related messages, the processor is further to;
  
  receive a call invitation message from the first user device in the first security zone, where the call invitation message includes private addressing information,identify the private addressing information,translate the identified private addressing information into publicly routable addressing information to generate publicly routable addressing information,establish, based on the private addressing information, a plurality of pinholes in a security interface associated with the first security zone and the second security zone, where at least a first one of the plurality of pinholes is established to transmit signaling data and at least a second one of the plurality of pinholes is established to transmit media data,forward, via the security interface, the call invitation message, including the publicly routable addressing information, to a proxy server in the second security zone,receive, via the security interface, a processed call invitation message from the proxy server, where the processed call invitation message includes portions of the call invitation message,tear down the at least the second one of the plurality of pinholes,create, based on the processed call invitation message and tearing down the at least one of the plurality of pinholes, media pinholes and signaling pinholes, in a security interface, between the first security zone and the third security zone, that permit traffic flow for a call between the first security zone and the third security zone, where the signaling pinholes in the security interface between the first security zone and the third security zone are created to cause signaling messages to be routed through the proxy server and the at least the first signaling pinhole in the security interface between the first security zone and the second security zone, andforward the processed call invitation message to the second user device in the third security zone.
- View Dependent Claims (20)
- - 20. The device of claim 19, where, when dynamically routing the call invitation related messages, the processor is further to:
    - match the processed call invitation message with the call invitation message received from the private user device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Hunyady, Attila J., Bollineni, Anil Kumar
Primary Examiner(s)
Nguyen, Thu
Assistant Examiner(s)
Widhalm, Angela

Application Number

US10/971,687
Time in Patent Office

2,787 Days
Field of Search

709217-219, 709/223, 709/225, 709227-229
US Class Current

709/227
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/029   Firewall traversal, e.g. tu...

H04L 65/1045   Proxies, e.g. for session i...

H04L 65/1053   IP private branch exchange ...

H04L 65/1069   Session establishment or de...

H04L 65/1076   Screening of IP real time c...

H04L 65/1104   Session initiation protocol...

H04L 65/1106   Call signalling protocols; ...

H04M 7/006   Networks other than PSTN/IS...

Routing VoIP calls through multiple security zones

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Routing VoIP calls through multiple security zones

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links