Firewall interface configuration to enable bi-directional VoIP traversal communications
First Claim
1. A method comprising:
- providing, by a firewall interposed between an internal network and an external network, network-layer protection against unauthorized access by hosts associated with the external network to a plurality of internal hosts associated with the internal network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses associated with the plurality of internal hosts;
- providing, by the firewall, application-layer protection from the external network on behalf of the plurality of internal hosts and supporting Voice over IP (VoIP) services without compromising internal network security by actively processing signaling protocols associated with VoIP sessions, including distinguishing among VoIP packets and non-VoIP packets, understanding and parsing the VoIP packets within the firewall, and performing content-aware NAT within the firewall by changing data in headers of the VoIP packets and also changing data contents in the VoIP packets corresponding to data changed in the headers to enable bi-directional VoIP communications among one or more of the plurality of internal hosts and one or more of the hosts associated with the external network;
- providing a plurality of VoIP ports to an external VoIP interface of the firewall;
- receiving by the external VoIP interface incoming VoIP packets each having associated therewith one of the plurality of VoIP ports;
- causing each of said received multiple incoming VoIP packets to be directed to an appropriate internal host of the plurality of internal hosts by performing by the firewall port address forwarding based on a mapping of the VoIP ports to private addresses of the plurality of internal hosts.
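As an added illustration (not the patent's own code or any product's implementation) of the content-aware NAT and port address forwarding recited in claim 1, the following Python models a firewall that distinguishes VoIP signaling from other traffic, rewrites both the packet header and the in-band addresses that correspond to it, and directs inbound packets by the VoIP-port-to-private-address mapping. It assumes SIP with an SDP body as the signaling protocol; the public address, port map and sample INVITE are constructed values.

```python
import re

# Constructed values (not from the patent): the firewall's external VoIP
# address and the mapping of external VoIP ports to private host addresses.
PUBLIC_IP = "203.0.113.10"
VOIP_PORT_MAP = {5060: "10.0.0.5", 5062: "10.0.0.7"}

def is_voip_packet(payload: bytes) -> bool:
    """Distinguish VoIP signaling (assumed to be SIP) by its request/status line."""
    first = payload.split(b"\r\n", 1)[0]
    return first.startswith(b"SIP/2.0 ") or first.endswith(b" SIP/2.0")

def nat_outbound(src_ip: str, src_port: int, payload: bytes):
    """Content-aware NAT: rewrite the header to the public address and apply the
    same substitution inside the signaling (Via, Contact, SDP o=/c= lines), then
    recompute Content-Length because the rewritten SDP body changes size."""
    header = {"src_ip": PUBLIC_IP, "src_port": src_port}
    if not is_voip_packet(payload):
        return header, payload          # non-VoIP: ordinary NAT, body untouched
    text = payload.decode("latin-1")
    lines = []
    for line in text.split("\r\n"):
        # Only the sending host's own private address is rewritten.
        if line.startswith(("Via:", "Contact:", "o=", "c=")):
            line = line.replace(src_ip, PUBLIC_IP)
        lines.append(line)
    head, sep, sdp = "\r\n".join(lines).partition("\r\n\r\n")
    if sep:
        head = re.sub(r"(?mi)^Content-Length:[^\r\n]*",
                      f"Content-Length: {len(sdp)}", head)
    return header, (head + sep + sdp).encode("latin-1")

def forward_inbound(dst_port: int, payload: bytes):
    """Port address forwarding on the external VoIP interface: VoIP packets on a
    mapped port go to the owning internal host; anything else is dropped (None)."""
    if not is_voip_packet(payload):
        return None
    internal_ip = VOIP_PORT_MAP.get(dst_port)
    return None if internal_ip is None else (internal_ip, dst_port)

# Constructed SIP INVITE from internal host 10.0.0.5 (stale Content-Length on purpose).
SAMPLE_INVITE = (
    b"INVITE sip:bob@example.net SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776\r\n"
    b"Contact: <sip:alice@10.0.0.5:5060>\r\n"
    b"Content-Type: application/sdp\r\nContent-Length: 0\r\n\r\n"
    b"v=0\r\no=alice 1 1 IN IP4 10.0.0.5\r\nc=IN IP4 10.0.0.5\r\nm=audio 49170 RTP/AVP 0\r\n"
)
```

Without the in-band rewrite the far end would answer the SDP's private address, which is why plain NAT breaks VoIP and a signaling-aware firewall is needed; the inbound side admits only mapped ports, so unsolicited traffic to other internal hosts is dropped.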
Abstract
Methods and systems for an intelligent network protection gateway (NPG) and network architecture are provided. According to one embodiment, a firewall provides network-layer protection to internal hosts against unauthorized access by hosts of an external network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses. The firewall also provides application-layer protection on behalf of the internal hosts and supports Voice over IP (VoIP) services by actively processing signaling protocols associated with VoIP sessions. An external VoIP interface of the firewall receives incoming VoIP packets having associated therewith an indication regarding a VoIP port of the external interface. The packets are directed to an appropriate internal host by the firewall performing port address forwarding based on a mapping of VoIP ports to private addresses of the internal hosts.
64 Citations
16 Claims
1. A method comprising: (independent claim, reproduced in full under First Claim above; dependent claims 2, 3, 4, 5, 6, 7)
8. An intelligent network protection gateway device comprising:
- a network address translation (NAT) processing means, configured to be interposed between an internal network and an external network, for providing network-layer protection against unauthorized access by hosts associated with the external network to a plurality of internal hosts associated with the internal network by performing translation of Internet Protocol (IP) addresses associated with the plurality of internal hosts;
- an application-layer protection means, for protecting the plurality of internal hosts from the external network and for supporting Voice over IP (VoIP) services without compromising internal network security by actively processing signaling protocols associated with VoIP sessions, including distinguishing among VoIP packets and non-VoIP packets, understanding and parsing the VoIP packets within the application-layer protection means, and changing data in headers of the VoIP packets and also changing data contents in the VoIP packets corresponding to data changed in the headers within the application-layer protection means to enable bi-directional VoIP communications among one or more of the plurality of internal hosts and one or more of the hosts associated with the external network;
- an external VoIP interface including a plurality of VoIP ports configured to receive incoming VoIP packets each having contained therein one of the plurality of VoIP ports;
- wherein said external VoIP interface further comprises a means for directing the incoming VoIP packets to an appropriate internal host of the plurality of internal hosts by performing port address forwarding based on a mapping of the VoIP ports to private addresses of the plurality of internal hosts;
- wherein one or more of said NAT processing means and said application-layer protection means includes (i) logic implemented within an application specific integrated circuit (ASIC) of the intelligent network protection gateway device or (ii) a program storage device readable by one or more processors of the intelligent network protection gateway device, tangibly embodying a program of instructions executable by the one or more processors.
(Dependent claims: 9, 10, 11, 12)
13. An intelligent network protection firewall comprising:
- a firewall configured to be interposed between an internal network and an external network and to provide network-layer protection against unauthorized access by hosts associated with the external network to a plurality of internal hosts associated with the internal network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses associated with the plurality of internal hosts, the firewall further configured to provide application-layer protection from the external network on behalf of the plurality of internal hosts and supporting Voice over IP (VoIP) services without compromising internal network security by actively processing signaling protocols associated with VoIP sessions, including distinguishing among VoIP packets and non-VoIP packets, understanding and parsing the VoIP packets within an operating system kernel of the firewall, and performing content-aware NAT within the firewall by changing data in headers of the VoIP packets and also changing data contents in the VoIP packets corresponding to data changed in the headers to enable bi-directional VoIP communications among one or more of the plurality of internal hosts and one or more of the hosts associated with the external network;
- the firewall comprising a plurality of VoIP ports coupled to an external VoIP interface of the firewall, the external VoIP interface configured to receive incoming VoIP packets each having associated therewith one of the plurality of VoIP ports and to direct the incoming VoIP packets to an internal host of the plurality of internal hosts by performing port address forwarding based on a mapping of the VoIP ports to private addresses of the plurality of internal hosts.
(Dependent claims: 14, 15, 16)
Specification