Firewall interface configuration to enable bi-directional VoIP traversal communications

US 9,172,677 B2
Filed: 04/30/2013
Issued: 10/27/2015
Est. Priority Date: 09/20/2002
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

providing, by a firewall interposed between an internal network and an external network, network-layer protection against unauthorized access by hosts associated with the external network to a plurality of internal hosts associated with the internal network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses associated with the plurality of internal hosts;

providing, by the firewall, application-layer protection from the external network on behalf of the plurality of internal hosts and supporting VoIP services without compromising internal network security by actively processing signaling protocols associated with Voice over IP (VoIP) sessions, includingdistinguishing among VoIP packets and non-VoIP packets,understanding and parsing the VoIP packets within an operating system kernel of the firewall, andperforming content-aware NAT within the operating system kernel by changing data in headers of the VoIP packets and also changing data contents in the VoIP packets corresponding to data changed in the headers to enable bi-directional VoIP communications among one or more of the plurality of internal hosts and one or more of the hosts associated with the external network;

providing a plurality of VoIP ports to an external VoIP interface of the firewall;

receiving by the external VoIP interface incoming VoIP packets each having associated therewith a user alias and an indication regarding one of the plurality of VoIP ports;

causing each of said received multiple incoming VoIP packets to be directed to an appropriate internal host of the plurality of internal hosts by performing by the firewall port address forwarding based on the port indication to a media gateway within the internal network that maintains a mapping of user aliases to private addresses of the plurality of internal hosts.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for an intelligent network protection gateway (NPG) and network architecture are provided. According to one embodiment, a firewall provides network-layer protection to internal hosts against unauthorized access by hosts of an external network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses. The firewall changes data in headers of VoIP packets and corresponding data contents of the VoIP packets, to enable bi-directional VoIP communications. An external VoIP interface of the firewall receives incoming VoIP packets having a user alias (e.g., an email address) and an indication regarding a VoIP port of external interface. The packets are directed to an appropriate internal host by the firewall performing port address forwarding based on the port indication to a media gateway within the internal network that maintains a mapping of user aliases to private addresses of the internal hosts.

48 Citations

View as Search Results

19 Claims

1. A method comprising:
- providing, by a firewall interposed between an internal network and an external network, network-layer protection against unauthorized access by hosts associated with the external network to a plurality of internal hosts associated with the internal network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses associated with the plurality of internal hosts;
  
  providing, by the firewall, application-layer protection from the external network on behalf of the plurality of internal hosts and supporting VoIP services without compromising internal network security by actively processing signaling protocols associated with Voice over IP (VoIP) sessions, includingdistinguishing among VoIP packets and non-VoIP packets,understanding and parsing the VoIP packets within an operating system kernel of the firewall, andperforming content-aware NAT within the operating system kernel by changing data in headers of the VoIP packets and also changing data contents in the VoIP packets corresponding to data changed in the headers to enable bi-directional VoIP communications among one or more of the plurality of internal hosts and one or more of the hosts associated with the external network;
  
  providing a plurality of VoIP ports to an external VoIP interface of the firewall;
  
  receiving by the external VoIP interface incoming VoIP packets each having associated therewith a user alias and an indication regarding one of the plurality of VoIP ports;
  
  causing each of said received multiple incoming VoIP packets to be directed to an appropriate internal host of the plurality of internal hosts by performing by the firewall port address forwarding based on the port indication to a media gateway within the internal network that maintains a mapping of user aliases to private addresses of the plurality of internal hosts.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein the user alias comprises an email address of a user associated with one of the plurality of internal hosts.
  - 3. The method of claim 1 wherein the firewall comprises an intelligent network protocol gateway.
  - 4. The method of claim 1, wherein said changing data in headers of the VoIP packets further comprises changing a source IP address and a port number in the headers of the VoIP packets.
  - 5. The method of claim 1, wherein said distinguishing among VoIP packets and non-VoIP packets is based on a standard port address.
  - 6. The method of claim 1, further comprising conducting through the external VoIP interface a network meeting between an external network user and at least two internal network users.
  - 7. The method of claim 1, further comprising conducting through the external VoIP interface a network meeting between an internal network user and at least two external network users.
  - 8. The method of claim 1, further comprising implementing said firewall as an application specific integrated circuit (ASIC).

9. An intelligent network protection gateway device comprising:
- a network address translation (NAT) processing means, configured to be interposed between an internal network and an external network, for providing network-layer protection against unauthorized access by hosts associated with the external network to a plurality of internal hosts associated with the internal network by performing translation of Internet Protocol (IP) addresses associated with the plurality of internal hosts;
  
  an application-layer protection means, for protecting the plurality of internal host from the external network and for supporting VoIP services without compromising internal network security by actively processing signaling protocols associated with Voice over IP (VoIP) sessions, includingdistinguishing among VoIP packets and non-VoIP packets,understanding and parsing the VoIP packets within an operating system kernel of the application-layer protection means, andchanging data in headers of the VoIP packets and also changing data contents in the VoIP packets corresponding to data changed in the headers within the operating system kernel to enable bi-directional VoIP communications among one or more of the plurality of internal hosts and one or more of the hosts associated with the external network;
  
  an external VoIP interface including a plurality of VoIP ports configured to receive incoming VoIP packets each having contained therein a user alias and an indication regarding one of the plurality of VoIP ports;
  
  wherein said external VoIP interface further comprises a means for directing the incoming VoIP packets to an appropriate internal host of the plurality of internal hosts by performing port address forwarding based on the port indication to a media gateway within the internal network that maintains a mapping of user aliases to private addresses of the plurality of internal hosts;
  
  wherein one or more of said NAT processing means and said application-layer protection means includes (i) logic implemented within an application specific integrated circuit (ASIC) of the intelligent network protection gateway device or (ii) a program storage device readable by one or more processors of the intelligent network protection gateway device, tangibly embodying a program of instructions executable by the one or more processors.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The intelligent network protection gateway device of claim 9 wherein the user alias comprises an email address of a user associated with one of the plurality of internal hosts.
  - 11. The intelligent network protection gateway device of claim 9 wherein the mapping maps an e-mail address included in an incoming VoIP message to an internal port number in said internal network.
  - 12. The network protection gateway device of claim 9, wherein said distinguishing among VoIP packets and non-VoIP packets is based on a standard port address.
  - 13. The network protection gateway device of claim 9, wherein the external VoIP interface facilitates network meetings among an external network user and at least two internal network users.
  - 14. The network protection gateway device of claim 9, wherein the external VoIP interface facilitates network meetings among an internal network user and at least two external network users.

15. An intelligent network protection firewall comprising:
- a firewall configured to be interposed between an internal network and an external network and to provide network-layer protection against unauthorized access by hosts associated with the external network to a plurality of internal hosts associated with the internal network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses associated with the plurality of internal hosts, the firewall further configured to provide application-layer protection from the external network on behalf of the plurality of internal hosts and supporting VoIP services without compromising internal network security by actively processing signaling protocols associated with Voice over IP (VoIP) sessions, includingdistinguishing among VoIP packets and non-VoIP packets,understanding and parsing the VoIP packets within an operating system kernel of the firewall, andperforming content-aware NAT within the operating system kernel by changing data in headers of the VoIP packets and also changing data contents in the VoIP packets corresponding to data changed in the headers to enable bi-directional VoIP communications among one or more of the plurality of internal hosts and one or more of the hosts associated with the external network;
  
  the firewall comprising a plurality of VoIP ports coupled to an external VoIP interface of the firewall, the external VoIP interface configured to receive incoming VoIP packets each having associated therewith a user alias and an indication regarding one of the plurality of VoIP ports and to direct the incoming VoIP packets to an internal host of the plurality of internal hosts by performing port address forwarding based on the port indication to a media gateway within the internal network that maintains a mapping of user aliases to private addresses of the plurality of internal hosts.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The intelligent network protection firewall of claim 15 wherein the user alias comprises an email address of a user associated with one of the plurality of internal hosts.
  - 17. The intelligent network protection firewall of claim 15 wherein the mapping maps an e-mail address included in an incoming VoIP message to an internal port number in said internal network.
  - 18. The intelligent network protection firewall of claim 15, wherein the firewall is configured to distinguish among VoIP packets and non-VoIP packets based on a standard port address.
  - 19. The intelligent network protection firewall of claim 15, wherein the external VoIP interface facilitates network meetings among an external network user and at least two internal network users.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Xie, Michael
Primary Examiner(s)
Gergiso, Techane

Application Number

US13/873,895
Publication Number

US 20130276093A1
Time in Patent Office

910 Days
Field of Search

726/13, 726/14, 726/11, 713/11, 713/151, 713/153
US Class Current

1/1
CPC Class Codes

H04L 61/2521   Translation architectures o...

H04L 61/4535   using an address exchange p...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0281   Proxies

H04L 63/029   Firewall traversal, e.g. tu...

H04L 65/1043   Gateway controllers, e.g. m...

H04L 65/1066   Session management

H04L 65/1101   Session protocols

H04L 65/1104   Session initiation protocol...

H04L 65/1106   Call signalling protocols; ...

H04L 69/22   Parsing or analysis of headers

Firewall interface configuration to enable bi-directional VoIP traversal communications

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

48 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Firewall interface configuration to enable bi-directional VoIP traversal communications

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links