Firewall interface configuration to enable bi-directional VOIP traversal communications
First Claim
1. A method comprising:
- preventing, by a firewall including an integrated intelligent network protocol gateway, interposed between an internal network and an external network, unauthorized network-layer access by hosts associated with the external network to a plurality of internal hosts associated with the internal network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses associated with the plurality of internal hosts;
- protecting, by the firewall, the plurality of internal hosts against application-layer threats from the external network and supporting Voice over IP (VoIP) services without compromising internal network security by actively processing signaling protocols associated with VoIP sessions, including distinguishing among VoIP packets and non-VoIP packets, parsing the VoIP packets at the application layer, and performing content-aware NAT by changing data in headers of the VoIP packets and also changing data contents in the VoIP packets corresponding to data changed in the headers to enable bi-directional VoIP communications among one or more of the plurality of internal hosts and one or more of the hosts associated with the external network;
- facilitating concurrent management by the firewall of a plurality of incoming VoIP calls by providing a plurality of VoIP ports on an external VoIP interface of the firewall, and advertising, by the firewall, a plurality of IP address/VoIP port pairs, wherein each IP address/VoIP port pair of the plurality of IP address/VoIP port pairs corresponds to one internal host of the plurality of internal hosts;
- receiving, by the external VoIP interface, a plurality of incoming VoIP packets each of which contains therein a user alias and a port indication regarding one of the plurality of VoIP ports; and
- causing each received incoming VoIP packet of the plurality of received incoming VoIP packets to be directed to an appropriate internal host of the plurality of internal hosts by port forwarding, by the firewall, the received incoming VoIP packet based on the port indication contained therein to a server or gatekeeper within the internal network that maintains a mapping of user aliases to private addresses of the plurality of internal hosts.
Abstract
Methods and systems for an intelligent network protection gateway (NPG) are provided. According to one embodiment, a firewall prevents unauthorized network-layer access to internal hosts by hosts of an external network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses. The firewall changes data in headers of VoIP packets and the corresponding data contents of the VoIP packets, to enable bi-directional VoIP communications. An external VoIP interface of the firewall facilitates concurrent management of multiple incoming VoIP calls by providing multiple VoIP ports and advertising multiple IP address/VoIP port pairs corresponding to internal hosts. When incoming VoIP packets are received, the packets are directed to an appropriate internal host by the firewall performing port forwarding, based on a port indication contained within the packets, to a server or gatekeeper within the internal network that maintains a mapping of user aliases to private addresses of the internal hosts.
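The abstract describes three mechanisms working together: classifying VoIP signalling apart from other traffic, content-aware NAT that rewrites the IP header and the matching addresses carried inside the signalling body, and inbound port forwarding where the advertised external port selects the path to a gatekeeper that resolves the user alias to a private address. The following Python model is an added example, not code from the patent or from any product it describes. It assumes SIP-style text signalling (the patent names no specific protocol), constructed TEST-NET addresses, a two-host alias table, and one advertised external port per internal host; the consistency check that the alias and the arrival port must name the same host is an added defensive assumption.

```python
"""Toy model of a VoIP-aware firewall: classification, content-aware NAT, port forwarding.

Constructed example; all addresses, ports and aliases below are invented for illustration.
"""
import re
from dataclasses import dataclass, replace as dc_replace

SIP_PORT = 5060
PUBLIC_IP = "203.0.113.10"      # constructed external address of the firewall (TEST-NET-3)
GATEKEEPER_IP = "10.0.0.2"      # constructed internal gatekeeper / registrar address
# Mapping of user aliases to private addresses, as maintained by the gatekeeper.
ALIAS_TO_PRIVATE = {"alice": "10.0.0.5", "bob": "10.0.0.6"}
# One advertised external VoIP port per internal host (the IP address/VoIP port pairs).
PORT_TO_PRIVATE = {5060: "10.0.0.5", 5062: "10.0.0.6"}
PRIVATE_TO_PORT = {v: k for k, v in PORT_TO_PRIVATE.items()}

_SIP_START = re.compile(r"^(?:INVITE|REGISTER|ACK|BYE|CANCEL|OPTIONS) sip:|^SIP/2\.0 ")
_TO_ALIAS = re.compile(r"^To:\s*<?sip:([^@>\s]+)@", re.M)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str  # signalling text; non-VoIP traffic carries arbitrary bytes


def advertised_pairs():
    """The IP address/VoIP port pairs the firewall advertises, one per internal host."""
    return sorted((PUBLIC_IP, port) for port in PORT_TO_PRIVATE)


def is_voip(pkt):
    """Distinguish VoIP signalling from other packets: a VoIP port AND a parseable start line."""
    on_voip_port = pkt.dst_port in PORT_TO_PRIVATE or pkt.src_port == SIP_PORT
    return on_voip_port and _SIP_START.match(pkt.payload) is not None


def translate_outbound(pkt):
    """Content-aware NAT for an internal host's outgoing signalling.

    Rewrites the header source to the public address/advertised port, then rewrites the same
    private address wherever it appears in the body (Contact URIs, SDP c= lines), so the far
    end never learns the private address and its replies land on the advertised pair.
    """
    ext_port = PRIVATE_TO_PORT.get(pkt.src_ip)
    if ext_port is None or not is_voip(pkt):
        return None  # not on the VoIP path; ordinary NAT would handle it
    body = pkt.payload.replace(f"{pkt.src_ip}:{pkt.src_port}", f"{PUBLIC_IP}:{ext_port}")
    body = body.replace(pkt.src_ip, PUBLIC_IP)  # bare addresses, e.g. "c=IN IP4 10.0.0.5"
    return dc_replace(pkt, src_ip=PUBLIC_IP, src_port=ext_port, payload=body)


def forward_inbound(pkt):
    """Firewall side: accept only VoIP packets on an advertised port; forward to the gatekeeper.

    Returns (packet addressed to the gatekeeper, user alias, arrival port) or None to drop.
    """
    if pkt.dst_ip != PUBLIC_IP or pkt.dst_port not in PORT_TO_PRIVATE or not is_voip(pkt):
        return None
    m = _TO_ALIAS.search(pkt.payload)
    if m is None:
        return None  # no user alias: nothing for the gatekeeper to resolve
    fwd = dc_replace(pkt, dst_ip=GATEKEEPER_IP, dst_port=SIP_PORT)
    return fwd, m.group(1), pkt.dst_port


def gatekeeper_deliver(pkt, alias, arrival_port):
    """Gatekeeper side: resolve the alias to a private host and un-NAT the body.

    Added check (assumption): the alias and the advertised port must name the same host,
    so traffic arriving on one user's port cannot be steered to another user's phone.
    """
    private = ALIAS_TO_PRIVATE.get(alias)
    if private is None or PORT_TO_PRIVATE.get(arrival_port) != private:
        return None
    body = pkt.payload.replace(f"{PUBLIC_IP}:{arrival_port}", f"{private}:{SIP_PORT}")
    body = body.replace(PUBLIC_IP, private)
    return dc_replace(pkt, dst_ip=private, dst_port=SIP_PORT, payload=body)


def handle_inbound(pkt):
    """Full inbound path: firewall port forwarding followed by gatekeeper resolution."""
    fwd = forward_inbound(pkt)
    if fwd is None:
        return None
    return gatekeeper_deliver(*fwd)
```

Running `translate_outbound` on an INVITE from 10.0.0.5 yields a packet whose header and body both carry 203.0.113.10:5060; running `handle_inbound` on an INVITE that arrives on 203.0.113.10:5062 addressed to `bob` yields a packet delivered to 10.0.0.6:5060 with the public references rewritten back. An HTTP request aimed at port 5062, or SIP aimed at an unadvertised port, is dropped rather than forwarded.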
10 Claims
1. A method comprising: (independent claim; its full text is given under First Claim above.) Dependent claims: 2, 3, 4, 5, 6.

7. An intelligent network protection gateway device comprising:
- a network address translation (NAT) processing means, configured to be interposed between an internal network and an external network, for providing network-layer protection against unauthorized access by hosts associated with the external network to a plurality of internal hosts associated with the internal network by performing translation of Internet Protocol (IP) addresses associated with the plurality of internal hosts;
- an application-layer protection means, for protecting the plurality of internal hosts from the external network and for supporting VoIP services without compromising internal network security by actively processing signaling protocols associated with Voice over IP (VoIP) sessions, including distinguishing among VoIP packets and non-VoIP packets, parsing the VoIP packets at the application layer, and changing data in headers of the VoIP packets and also changing data contents in the VoIP packets corresponding to data changed in the headers to enable bi-directional VoIP communications among one or more of the plurality of internal hosts and one or more of the hosts associated with the external network;
- an external VoIP interface including a plurality of VoIP ports configured to receive incoming VoIP packets each having contained therein a user alias and a port indication regarding one of the plurality of VoIP ports;
- wherein concurrent management of a plurality of incoming VoIP calls is facilitated by a plurality of IP address/VoIP port pairs being advertised by the intelligent network protection gateway device;
- wherein said external VoIP interface further comprises a means for directing the incoming VoIP packets to an appropriate internal host of the plurality of internal hosts by performing port forwarding based on the port indication to a server or gatekeeper within the internal network that maintains a mapping of user aliases to private addresses of the plurality of internal hosts; and
- wherein one or more of said NAT processing means and said application-layer protection means includes (i) logic implemented within an application specific integrated circuit (ASIC) of the intelligent network protection gateway device or (ii) a non-transitory program storage device readable by one or more processors of the intelligent network protection gateway device, tangibly embodying a program of instructions executable by the one or more processors.

Dependent claims: 8, 9, 10.