Routing VoIP calls through multiple security zones
Abstract
Call setup signaling is performed across at least a first security zone, a second security zone, and a third security zone to set up a call. At least one gate is then established between the first security zone and the third security zone to enable traffic flow for the call between the first security zone and the third security zone.
20 Claims
1. A method for routing voice packets across multiple security zones, the method comprising:
- performing, with a firewall, call setup signaling across at least a first security zone, a second security zone, and a third security zone to set up a call through the firewall between a first user device in the first security zone and a second user device in the third security zone, where setting up the call includes:
  - receiving, with the firewall, a call invitation message from the first user device in the first security zone, where the call invitation message includes private addressing information comprising:
    - a source address, associated with the first user device, included in a header of the call invitation message, and
    - address information, associated with media to be transmitted between the first user device and the second user device, included in a body of the call invitation message,
  - identifying, with the firewall, the private addressing information in the call invitation message,
  - translating, with the firewall, the identified private addressing information into publicly routable addressing information,
  - establishing, with the firewall and based on the private addressing information, at least one first gate between the first security zone and the second security zone, where the at least one first gate includes a discrete pinhole for signaling packets associated with the call and another discrete pinhole for media packets associated with the call,
  - forwarding, with the firewall and based on establishing the at least one first gate, the call invitation message, including the publicly routable addressing information, to a proxy server in the second security zone,
  - receiving, with the firewall, a processed call invitation message from the proxy server, where the processed call invitation message includes portions of the call invitation message,
  - establishing, with the firewall, a link between the call invitation message and the processed call invitation message based on the included portions of the call invitation message,
  - tearing down, based on establishing the link, the discrete pinhole for media packets,
  - establishing, with the firewall and based on establishing the link and tearing down the discrete pinhole for media packets, at least one second gate between the first security zone and the third security zone, where the at least one second gate includes a discrete pinhole for media packets that permits media messages associated with the call to be transmitted, via the firewall, directly between the first security zone and the third security zone, and where the at least one second gate includes a discrete pinhole for signaling messages that points to the proxy server to direct signaling messages associated with the call through the proxy server, and
  - forwarding, with the firewall, the processed call invitation message to the second user device in the third security zone.

Dependent claims: 2 to 14.
15. A network device for routing voice over internet protocol (VoIP) call messages across multiple security zones, the network device comprising:
- at least one TRUST zone interface to receive a call invitation message from a first user device located in a first security zone, where the call invitation message includes private addressing information;
- at least one demilitarized zone (DMZ) interface to communicate with at least one proxy server located in a second security zone;
- at least one UNTRUST interface to communicate with at least one second user device located in a third security zone; and
- an application level gateway (ALG) component to dynamically route the VoIP call messages between the first user device, the at least one proxy server, and the second user device, and to selectively control communication between the first user device, the at least one proxy server, and the second user device, where the ALG component is further to:
  - receive the call invitation message,
  - identify the private addressing information,
  - translate the identified private addressing information into publicly routable addressing information,
  - establish, based on the private addressing information, a first pinhole and a second pinhole in the DMZ interface, where the first pinhole is established to transmit signaling data and the second pinhole is established to transmit media data,
  - forward, through the at least one DMZ interface, the call invitation message, including the publicly routable addressing information, to the at least one proxy server in the second security zone,
  - receive, through the at least one DMZ interface, a processed call invitation message from the at least one proxy server, where the processed call invitation message includes portions of the call invitation message,
  - tear down, in response to receiving the processed call invitation message, the second pinhole,
  - establish, in response to tearing down the second pinhole, a third pinhole and a fourth pinhole in the at least one UNTRUST interface, where the third pinhole is to transmit media data and the fourth pinhole points to the at least one proxy server to direct signaling via the at least one proxy server and the first pinhole, and
  - forward, through the at least one UNTRUST interface, the processed call invitation message to the second user device in the third security zone.

Dependent claims: 16, 17, 18.
19. A device, comprising:
- a memory to store instructions; and
- a processor to execute the instructions to:
  - receive call invitation related messages from a private user device located in a first security zone; and
  - dynamically route the call invitation related messages, based on the call invitation messages, between the private user device, a proxy server, and a public user device in multiple security zones, where each of the private user device, the proxy server, and the public user device are in a separate one of the multiple security zones, and where communication between the private user device, the proxy server, and the public user device is selectively controlled, where, when dynamically routing the call invitation related messages, the processor is further to:
    - receive a call invitation message from the first user device in the first security zone, where the call invitation message includes private addressing information,
    - identify the private addressing information,
    - translate the identified private addressing information into publicly routable addressing information to generate publicly routable addressing information,
    - establish, based on the private addressing information, a plurality of pinholes in a security interface associated with the first security zone and the second security zone, where at least a first one of the plurality of pinholes is established to transmit signaling data and at least a second one of the plurality of pinholes is established to transmit media data,
    - forward, via the security interface, the call invitation message, including the publicly routable addressing information, to a proxy server in the second security zone,
    - receive, via the security interface, a processed call invitation message from the proxy server, where the processed call invitation message includes portions of the call invitation message,
    - tear down the at least the second one of the plurality of pinholes,
    - create, based on the processed call invitation message and tearing down the at least one of the plurality of pinholes, media pinholes and signaling pinholes, in a security interface, between the first security zone and the third security zone, that permit traffic flow for a call between the first security zone and the third security zone, where the signaling pinholes in the security interface between the first security zone and the third security zone are created to cause signaling messages to be routed through the proxy server and the at least the first signaling pinhole in the security interface between the first security zone and the second security zone, and
    - forward the processed call invitation message to the second user device in the third security zone.

Dependent claims: 20.
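The firewall behaviour recited in claim 1 (and restated as a device in claims 15 and 19), modelled as an added Python example that is not part of the patent: it identifies private addressing in a constructed SIP INVITE, opens the TRUST-to-DMZ signaling and media pinholes, links the proxy's processed INVITE back to the original by its Call-ID, then tears down the DMZ media pinhole and opens a TRUST-to-UNTRUST media pinhole plus a signaling pinhole that points at the proxy. The public address, proxy address, zone names and message fields are assumptions; a processed INVITE that cannot be linked to a pending call opens no gate.

```python
import ipaddress
import re

# Constructed values (assumptions, not from the patent): the firewall's public
# address and the SIP proxy's address in the DMZ. Port translation is omitted.
PUBLIC_IP = "203.0.113.10"
PROXY_ADDR = ("192.0.2.5", 5060)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def find_private_addressing(invite: str) -> dict:
    """Identify private addressing in the header (Contact) and in the SDP body (c=/m=)."""
    header, _, body = invite.partition("\r\n\r\n")
    contact = re.search(r"^Contact: <sip:[^@]*@([\d.]+):(\d+)>", header, re.M)
    conn = re.search(r"^c=IN IP4 ([\d.]+)", body, re.M)
    media = re.search(r"^m=audio (\d+)", body, re.M)
    found = {"signaling": (contact.group(1), int(contact.group(2))),
             "media": (conn.group(1), int(media.group(1)))}
    # Only RFC 1918 addresses need translation; public ones are left alone.
    return {k: v for k, v in found.items()
            if any(ipaddress.ip_address(v[0]) in n for n in RFC1918)}


class VoipAlg:
    """Model of the firewall ALG state machine in claim 1, one call at a time."""
    def __init__(self):
        self.pinholes = {}  # (zone, kind) -> (peer address, port) allowed through
        self.calls = {}     # Call-ID -> private addressing of the TRUST caller

    def on_invite_from_trust(self, invite: str) -> str:
        priv = find_private_addressing(invite)
        call_id = re.search(r"^Call-ID: (\S+)", invite, re.M).group(1)
        self.calls[call_id] = priv
        # First gate, TRUST<->DMZ: a discrete pinhole each for signaling and media.
        self.pinholes[("DMZ", "signaling")] = PROXY_ADDR
        self.pinholes[("DMZ", "media")] = priv["media"]
        # Translate every private address (a real ALG rewrites specific fields).
        for ip, _ in priv.values():
            invite = invite.replace(ip, PUBLIC_IP)
        return invite  # forwarded to the proxy in the DMZ

    def on_processed_invite_from_proxy(self, processed: str, callee_media: tuple) -> str:
        # Link the processed INVITE to the original via a portion it retains (Call-ID).
        call_id = re.search(r"^Call-ID: (\S+)", processed, re.M).group(1)
        if call_id not in self.calls:
            raise ValueError("processed INVITE does not match a pending call")
        # Media will not flow through the proxy: tear down the DMZ media pinhole.
        del self.pinholes[("DMZ", "media")]
        # Second gate, TRUST<->UNTRUST: media directly to the callee, signaling to the proxy.
        self.pinholes[("UNTRUST", "media")] = callee_media
        self.pinholes[("UNTRUST", "signaling")] = PROXY_ADDR
        return processed  # forwarded to the user device in the UNTRUST zone
```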