Firewall interface configuration to enable bi-directional VOIP traversal communications

US 8,201,236 B2
Filed: 09/09/2011
Issued: 06/12/2012
Est. Priority Date: 09/20/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

preventing, by a firewall including an integrated intelligent network protocol gateway, interposed between an internal network and an external network, unauthorized network-layer access by hosts associated with the external network to a plurality of internal hosts associated with the internal network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses associated with the plurality of internal hosts;

protecting, by the firewall, the plurality of internal hosts against application-layer threats from the external network and supporting Voice over IP (VoIP) services without compromising internal network security by actively processing signaling protocols associated with VoIP sessions, includingdistinguishing among VoIP packets and non-VoIP packets,parsing the VoIP packets at the application layer, andperforming content-aware NAT by changing data in headers of the VoIP packets and also changing data contents in the VoIP packets corresponding to data changed in the headers to enable bi-directional VoIP communications among one or more of the plurality of internal hosts and one or more of the hosts associated with the external network;

facilitating concurrent management by the firewall of a plurality of incoming VoIP calls byproviding a plurality of VoIP ports on an external VoIP interface of the firewall, andadvertising, by the firewall, a plurality of IP address/VoIP port pairs, wherein each IP address/VoIP port pair of the plurality of IP address/VoIP port pairs corresponds to one internal host of the plurality of internal hosts;

receiving, by the external VoIP interface, a plurality of incoming VoIP packets each of which contains therein a user alias and a port indication regarding one of the plurality of VoIP ports; and

causing each received incoming VoIP packet of the plurality of received incoming VoIP packets to be directed to an appropriate internal host of the plurality of internal hosts by port forwarding, by the firewall, the received incoming VoIP packet based on the port indication contained therein to a server or gatekeeper within the internal network that maintains a mapping of user aliases to private addresses of the plurality of internal hosts.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for an intelligent network protection gateway (NPG) are provided. According to one embodiment, a firewall prevents unauthorized network-lawyer access to internal hosts by hosts of an external network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses. The firewall changes data in headers of VoIP packets and corresponding data contents of the VoIP packets, to enable bi-directional VoIP communications. An external VoIP interface of the firewall facilitates concurrent management of multiple incoming VoIP calls by providing multiple VoIP ports and advertising multiple IP address/VoIP port pairs corresponding to internal hosts. When incoming VoIP packets are received, the packets are directed to an appropriate internal host by the firewall performing port forwarding based on a port indication contained within the packets to a server or gatekeeper within the internal network that maintains a mapping of user aliases to private addresses of the internal hosts.

45 Citations

View as Search Results

10 Claims

1. A method comprising:
- preventing, by a firewall including an integrated intelligent network protocol gateway, interposed between an internal network and an external network, unauthorized network-layer access by hosts associated with the external network to a plurality of internal hosts associated with the internal network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses associated with the plurality of internal hosts;
  
  protecting, by the firewall, the plurality of internal hosts against application-layer threats from the external network and supporting Voice over IP (VoIP) services without compromising internal network security by actively processing signaling protocols associated with VoIP sessions, includingdistinguishing among VoIP packets and non-VoIP packets,parsing the VoIP packets at the application layer, andperforming content-aware NAT by changing data in headers of the VoIP packets and also changing data contents in the VoIP packets corresponding to data changed in the headers to enable bi-directional VoIP communications among one or more of the plurality of internal hosts and one or more of the hosts associated with the external network;
  
  facilitating concurrent management by the firewall of a plurality of incoming VoIP calls byproviding a plurality of VoIP ports on an external VoIP interface of the firewall, andadvertising, by the firewall, a plurality of IP address/VoIP port pairs, wherein each IP address/VoIP port pair of the plurality of IP address/VoIP port pairs corresponds to one internal host of the plurality of internal hosts;
  
  receiving, by the external VoIP interface, a plurality of incoming VoIP packets each of which contains therein a user alias and a port indication regarding one of the plurality of VoIP ports; and
  
  causing each received incoming VoIP packet of the plurality of received incoming VoIP packets to be directed to an appropriate internal host of the plurality of internal hosts by port forwarding, by the firewall, the received incoming VoIP packet based on the port indication contained therein to a server or gatekeeper within the internal network that maintains a mapping of user aliases to private addresses of the plurality of internal hosts.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein said changing data in headers of the VoIP packets further comprises changing a source IP address and a port number in the headers of the VoIP packets.
  - 3. The method of claim 1, wherein said distinguishing among VoIP packets and non-VoIP packets is based on a standard port address.
  - 4. The method of claim 1, further comprising conducting through the external VoIP interface a network meeting between an external network user and at least two internal network users.
  - 5. The method of claim 1, further comprising conducting through the external VoIP interface a network meeting between an internal network user and at least two external network users.
  - 6. The method of claim 1, further comprising implementing said firewall as an application specific integrated circuit (ASIC).

7. An intelligent network protection gateway device comprising:
- a network address translation (NAT) processing means, configured to be interposed between an internal network and an external network, for providing network-layer protection against unauthorized access by hosts associated with the external network to a plurality of internal hosts associated with the internal network by performing translation of Internet Protocol (IP) addresses associated with the plurality of internal hosts;
  
  an application-layer protection means, for protecting the plurality of internal host from the external network and for supporting VoIP services without compromising internal network security by actively processing signaling protocols associated with Voice over IP (VoIP) sessions, includingdistinguishing among VoIP packets and non-VoIP packets,parsing the VoIP packets at the application layer, andchanging data in headers of the VoIP packets and also changing data contents in the VoIP packets corresponding to data changed in the headers to enable bi-directional VoIP communications among one or more of the plurality of internal hosts and one or more of the hosts associated with the external network;
  
  an external VoIP interface including a plurality of VoIP ports configured to receive incoming VoIP packets each having contained therein a user alias and a port indication regarding one of the plurality of VoIP ports;
  
  wherein concurrent management of a plurality of incoming VoIP calls is facilitated by a plurality of IP address/VoIP port pairs being advertised by the intelligent network protection gateway device;
  
  wherein said external VoIP interface further comprises a means for directing the incoming VoIP packets to an appropriate internal host of the plurality of internal hosts by performing port forwarding based on the port indication to a server or gatekeeper within the internal network that maintains a mapping of user aliases to private addresses of the plurality of internal hosts; and
  
  wherein one or more of said NAT processing means and said application-layer protection means includes (i) logic implemented within an application specific integrated circuit (ASIC) of the intelligent network protection gateway device or (ii) a non-transitory program storage device readable by one or more processors of the intelligent network protection gateway device, tangibly embodying a program of instructions executable by the one or more processors.
- View Dependent Claims (8, 9, 10)
- - 8. The network protection gateway device of claim 7, wherein said distinguishing among VoIP packets and non-VoIP packets is based on a standard port address.
  - 9. The network protection gateway device of claim 7, wherein the external VoIP interface facilitates network meetings among an external network user and at least two internal network users.
  - 10. The network protection gateway device of claim 7, wherein the external VoIP interface facilitates network meetings among an internal network user and at least two external network users.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Xie, Michael
Primary Examiner(s)
Gergiso, Techane

Application Number

US13/229,134
Publication Number

US 20120005741A1
Time in Patent Office

277 Days
Field of Search

726/14, 726/11, 713/151
US Class Current

726/11
CPC Class Codes

H04L 61/2521   Translation architectures o...

H04L 61/4535   using an address exchange p...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0281   Proxies

H04L 63/029   Firewall traversal, e.g. tu...

H04L 65/1043   Gateway controllers, e.g. m...

H04L 65/1066   Session management

H04L 65/1101   Session protocols

H04L 65/1104   Session initiation protocol...

H04L 65/1106   Call signalling protocols; ...

H04L 69/22   Parsing or analysis of headers

Firewall interface configuration to enable bi-directional VOIP traversal communications

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

45 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Firewall interface configuration to enable bi-directional VOIP traversal communications

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links