Firewall interface configuration to enable bi-directional VoIP traversal communications

US 9,497,166 B2
Filed: 05/19/2015
Issued: 11/15/2016
Est. Priority Date: 09/20/2002
Status: Expired due to Term

First Claim

Patent Images

1. A method comprising:

providing, by a firewall interposed between an internal network and an external network, network-layer protection against unauthorized access by hosts associated with the external network to a plurality of internal hosts associated with the internal network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses associated with the plurality of internal hosts;

providing, by the firewall, application-layer protection from the external network on behalf of the plurality of internal hosts and supporting Voice over IP (VoIP) services without compromising internal network security by actively processing signaling protocols associated with VoIP sessions, includingdistinguishing among VoIP packets and non-VoIP packets,understanding and parsing the VoIP packets within the firewall, andperforming content-aware NAT within the firewall by changing data in headers of the VoIP packets and also changing data contents in the VoIP packets corresponding to data changed in the headers to enable bi-directional VoIP communications among one or more of the plurality of internal hosts and one or more of the hosts associated with the external network;

providing a plurality of VoIP ports to an external VoIP interface of the firewall;

receiving by the external VoIP interface incoming VoIP packets each having associated therewith one of the plurality of VoIP ports;

causing each of said received multiple incoming VoIP packets to be directed to an appropriate internal host of the plurality of internal hosts by performing by the firewall port address forwarding based on a mapping of the VoIP ports to private addresses of the plurality of internal hosts.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for an intelligent network protection gateway (NPG) and network architecture are provided. According to one embodiment, a firewall provides network-layer protection to internal hosts against unauthorized access by hosts of an external network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses. The firewall also provides application-layer protection on behalf of the internal hosts and supports Voice over IP (VoIP) services by actively processing signaling protocols associated with VoIP sessions. An external VoIP interface of the firewall receives incoming VoIP packets having associated therewith an indication regarding a VoIP port of external interface. The packets are directed to an appropriate internal host by the firewall performing port address forwarding based on a mapping of VoIP ports to private addresses of the internal hosts.

64 Citations

View as Search Results

16 Claims

1. A method comprising:
- providing, by a firewall interposed between an internal network and an external network, network-layer protection against unauthorized access by hosts associated with the external network to a plurality of internal hosts associated with the internal network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses associated with the plurality of internal hosts;
  
  providing, by the firewall, application-layer protection from the external network on behalf of the plurality of internal hosts and supporting Voice over IP (VoIP) services without compromising internal network security by actively processing signaling protocols associated with VoIP sessions, includingdistinguishing among VoIP packets and non-VoIP packets,understanding and parsing the VoIP packets within the firewall, andperforming content-aware NAT within the firewall by changing data in headers of the VoIP packets and also changing data contents in the VoIP packets corresponding to data changed in the headers to enable bi-directional VoIP communications among one or more of the plurality of internal hosts and one or more of the hosts associated with the external network;
  
  providing a plurality of VoIP ports to an external VoIP interface of the firewall;
  
  receiving by the external VoIP interface incoming VoIP packets each having associated therewith one of the plurality of VoIP ports;
  
  causing each of said received multiple incoming VoIP packets to be directed to an appropriate internal host of the plurality of internal hosts by performing by the firewall port address forwarding based on a mapping of the VoIP ports to private addresses of the plurality of internal hosts.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the firewall comprises an intelligent network protocol gateway.
  - 3. The method of claim 1, wherein said changing data in headers of the VoIP packets further comprises changing a source IP address and a port number in the headers of the VoIP packets.
  - 4. The method of claim 1, wherein said distinguishing among VoIP packets and non-VoIP packets is based on a standard port address.
  - 5. The method of claim 1, further comprising conducting through the external VoIP interface a network meeting between an external network user and at least two internal network users.
  - 6. The method of claim 1, further comprising conducting through the external VoIP interface a network meeting between an internal network user and at least two external network users.
  - 7. The method of claim 1, further comprising implementing said firewall as an application specific integrated circuit (ASIC).

8. An intelligent network protection gateway device comprising:
- a network address translation (NAT) processing means, configured to be interposed between an internal network and an external network, for providing network-layer protection against unauthorized access by hosts associated with the external network to a plurality of internal hosts associated with the internal network by performing translation of Internet Protocol (IP) addresses associated with the plurality of internal hosts;
  
  an application-layer protection means, for protecting the plurality of internal host from the external network and for supporting Voice over IP (VoIP) services without compromising internal network security by actively processing signaling protocols associated with VoIP sessions, includingdistinguishing among VoIP packets and non-VoIP packets,understanding and parsing the VoIP packets within the application-layer protection means, andchanging data in headers of the VoIP packets and also changing data contents in the VoIP packets corresponding to data changed in the headers within the application-layer protection means to enable bi-directional VoIP communications among one or more of the plurality of internal hosts and one or more of the hosts associated with the external network;
  
  an external VoIP interface including a plurality of VoIP ports configured to receive incoming VoIP packets each having contained therein one of the plurality of VoIP ports;
  
  wherein said external VoIP interface further comprises a means for directing the incoming VoIP packets to an appropriate internal host of the plurality of internal hosts by performing port address forwarding based on a mapping of the VoIP ports to private addresses of the plurality of internal hosts;
  
  wherein one or more of said NAT processing means and said application-layer protection means includes (i) logic implemented within an application specific integrated circuit (ASIC) of the intelligent network protection gateway device or (ii) a program storage device readable by one or more processors of the intelligent network protection gateway device, tangibly embodying a program of instructions executable by the one or more processors.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The intelligent network protection gateway device of claim 8 wherein the mapping maps an e-mail address included in an incoming VoIP message to an internal port number in said internal network.
  - 10. The network protection gateway device of claim 8, wherein said distinguishing among VoIP packets and non-VoIP packets is based on a standard port address.
  - 11. The network protection gateway device of claim 8, wherein the external VoIP interface facilitates network meetings among an external network user and at least two internal network users.
  - 12. The network protection gateway device of claim 8, wherein the external VoIP interface facilitates network meetings among an internal network user and at least two external network users.

13. An intelligent network protection firewall comprising:
- a firewall configured to be interposed between an internal network and an external network and to provide network-layer protection against unauthorized access by hosts associated with the external network to a plurality of internal hosts associated with the internal network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses associated with the plurality of internal hosts, the firewall further configured to provide application-layer protection from the external network on behalf of the plurality of internal hosts and supporting Voice over IP (VoIP) services without compromising internal network security by actively processing signaling protocols associated with VoIP sessions, includingdistinguishing among VoIP packets and non-VoIP packets,understanding and parsing the VoIP packets within an operating system kernel of the firewall, andperforming content-aware NAT within the firewall by changing data in headers of the VoIP packets and also changing data contents in the VoIP packets corresponding to data changed in the headers to enable bi-directional VoIP communications among one or more of the plurality of internal hosts and one or more of the hosts associated with the external network;
  
  the firewall comprising a plurality of VoIP ports coupled to an external VoIP interface of the firewall, the external VoIP interface configured to receive incoming VoIP packets each having associated therewith one of the plurality of VoIP ports and to direct the incoming VoIP packets to an internal host of the plurality of internal hosts by performing port address forwarding based on a mapping of the VoIP ports to private addresses of the plurality of internal hosts.
- View Dependent Claims (14, 15, 16)
- - 14. The network protection gateway device of claim 13, wherein the firewall is configured to distinguish among VoIP packets and non-VoIP packets based on a standard port address.
  - 15. The network protection gateway device of claim 13, wherein the external VoIP interface facilitates network meetings among an external network user and at least two internal network users.
  - 16. The network protection gateway device of claim 13, wherein the external VoIP interface facilitates network meetings among an internal network user and at least two external network users.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Xie, Michael
Primary Examiner(s)
Gergiso, Techane

Application Number

US14/715,964
Publication Number

US 20150256513A1
Time in Patent Office

546 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 61/2521   Translation architectures o...

H04L 61/4535   using an address exchange p...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0281   Proxies

H04L 63/029   Firewall traversal, e.g. tu...

H04L 65/1043   Gateway controllers, e.g. m...

H04L 65/1066   Session management

H04L 65/1101   Session protocols

H04L 65/1104   Session initiation protocol...

H04L 65/1106   Call signalling protocols; ...

H04L 69/22   Parsing or analysis of headers

Firewall interface configuration to enable bi-directional VoIP traversal communications

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

64 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Firewall interface configuration to enable bi-directional VoIP traversal communications

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

64 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others