US 8607323 Method for providing media communication across firewalls
ABSTRACT – The present invention supports a method for transmitting information packets across network firewalls. A trusted entity is provisioned with an address designation for a pinhole through the firewall during setup of a communication session between two communication devices. This pinhole address is used throughout the communication session between the two communication devices to transmit information packets onto and out of the communication network.
The Internet, like so many other high tech developments, grew from research originally performed by the United States Department of Defense. In the 1960s, the military had accumulated a large collection of incompatible computer networks. Computers on these different networks could not communicate with other computers across their network boundaries.
In the 1960s, the Defense Department wanted to develop a communication system that would permit communication between these different computer networks. Recognizing that a single, centralized communication system would be vulnerable to attacks or sabotage, the Defense Department required that the communication system be decentralized with no critical services concentrated in vulnerable failure points. In order to achieve this goal, the Defense Department established a decentralized standard communication protocol for communication between their computer networks.
A few years later, the National Science Foundation (NSF) wanted to facilitate communication between incompatible network computers at various research institutions across the country. The NSF adopted the Defense Department’s protocol for communication, and this combination of research computer networks would eventually evolve into the Internet.
Internet Protocol and Packet-Based Communication
The Defense Department’s communication protocol governing data transmission between different networks was called the Internet Protocol (IP) standard. The IP standard uses discrete information packets, sometimes called datagrams, to communicate between different computers and other devices and networks over the Internet. The IP standard has been widely adopted for the transmission of discrete information packets across network boundaries. In fact, most telecommunication networks operate using information packets to transmit data to linked communication devices. The IP standard or similar packet-based communication protocols govern communications on these networks as well as the Internet, and businesses are increasingly adopting Internet compatible packet-based communication for private communication networks.
Packet-based communication protocols depend on destination and source address data found in an address header for routing over a communication network. Each information packet’s path through the network is controlled by switching or routing decisions based on the address data found in the packet’s address header. In a typical information packet-based communication scenario, data is transmitted from an originating communication device on a first network across a transmission medium to a destination communication device on a second network. During transmission, transit routers on the network process the information packet address header to route the individual information packets. After receipt at the destination device, the destination communication device decodes the transmitted information into the original information transmitted by the originating device according to the applicable communication protocol.
Addressing and Routing
A communication device operating on an information packet-based network is assigned a unique physical address. For IP-based networks, this address is referred to as an IP address. The IP address can include: (1) a network ID number identifying a network, (2) a sub-network ID number identifying a substructure on the network, and (3) a host ID number identifying a particular computer on the sub-network. A header data field in the information packet will include source and destination addresses. The IP addressing scheme imposes a consistent addressing scheme that reflects the internal organization of the network or sub-network. Other addressing protocols use address headers and similar addressing mechanisms to route information packets.
A router is used to regulate the transmission of information packets into and out of the communication network. Routers interpret the logical address contained in information packet headers and direct the information packets to the intended destination. Information packets addressed between communication devices on the same network do not pass through a router on the boundary of the network, and as such, these information packets will not clutter the transmission lines outside the network. If data is addressed to a communication device outside the network, the router on the network boundary forwards the data onto the greater network.
Network communication protocols define how routers determine the transmission path through a network and across network boundaries. Routing decisions are based upon information in the address header and corresponding entries in a routing table maintained on the router. A routing table contains the information for a router to determine whether to accept an information packet on behalf of a device or pass the information packet onto another router. At each point in the routing path, the receiving or destination router processes the packet to compare the address header information to the routing table maintained on the router for the next router destination. The router then forwards the information packet to the appropriate router determined by the topological data in the routing table.
Private networks using Internet communication resources require secure connections for these communications. Without secure connections, computer hackers or other malicious attackers can access the network and compromise the system. Unprotected systems and networks can suffer remote login, session hijacking, denial of service attacks, e-mail bombs, redirect bombs, spam, viruses, macros, and source routing.
Firewalls are barrier devices placed at the entrance of a communication network to block unauthorized communication. A firewall may be either a program or a hardware device, and firewalls basically fall into four categories: packet filters, Application Level Gateways (ALG) (also called proxies), circuit relays, and stateful multilayer inspection firewalls. Packet filters compare the information packet to a set of criteria before allowing the information packet to be forwarded onto the network. ALGs examine information packets at the application layer to block unauthorized applications or protocol information packets. Circuit relays monitor handshaking at the Transmission Control Protocol (TCP) level and block unauthorized requested sessions. Stateful multilayer inspection firewalls combine elements of the other three types of firewalls by filtering information packets at the network layer, determining whether session information packets are legitimate, and evaluating information packets at the application layer.
Communication Across Firewalls
Firewalls block unauthorized entities outside the firewall from sending information packets onto the secured network. Network entities inside the firewall can transmit information outside the secured network by creating “pinholes” through the firewall. A “pinhole” is a communication port, also referred to as an IP port, that the network entity designates for sending information packets out of the network and also receiving information packets (e.g. responses) into the network during a communication session. A timer on the firewall starts when the pinhole is created and closes once a specified time duration elapses without any information packets going through the pinhole.
Voice-over-IP (VoIP) telecommunication is the combination of voice, data, video, wireless, and multimedia applications into an integrated communication infrastructure based on circuit-switched and TCP/IP technologies and protocols. VoIP represents the next generation of networking technology capable of handling all types of packet-based communications and services. VoIP delivers more services than were previously available with separate voice and data networks, in conjunction with improved telephone services. VoIP takes advantage of the high voice quality found in voice networks, the ubiquitous nature of TCP/IP protocols, and the efficient use of bandwidth by having voice and data share the same connection. Having only one network with devices to manage offers significant savings, and the existing infrastructure can be utilized rather than requiring replacement. Moreover, VoIP telecommunication networks offer new applications, such as integrated contact centers and unified messaging.
A telecommunication service provider with its switching equipment located outside of a firewall may attempt to make VoIP services (e.g. Centrex services) or other multimedia communications available to subscribers inside the firewall. But, in order to do so, the service provider must first find a way to penetrate the firewall. Necessary signaling and media messages (e.g. information packets) have to traverse the firewall to reach the end-user’s equipment and set up the requisite IP addresses for routing through a designated pinhole.
For example, to set up the call, the first setup message must be sent to the called party from the switching equipment (e.g. a soft-switch) residing outside the firewall. Since the setup message is the first information packet the switch sends to the called party terminal, it is usually blocked by the firewall unless the firewall knows not to block the setup message. Similarly, the first media information packet (e.g. a Real-Time Transport Protocol message) from the calling party to the called party will be blocked unless the firewall knows not to do so.
Since signaling messages usually are sent to well-known destination communication ports, it is relatively easy to configure a firewall not to block signaling messages sent to these well-known ports. However, this non-blocking function requires a particular firewall to possess network security intelligence to ensure that the port is not a security hole in the firewall. Not all networks have such an intelligent firewall, and, in some applications, the switch sends setup messages directly to user terminals.
Transmitting media information packets across the firewall also presents difficulty. The dominant protocol for carrying media information packets is the Real-Time Transport Protocol (RTP). RTP information packets use a large range of IP ports for different media connections, so it is not possible to specially configure certain IP ports as can be done for signaling messages. Current methods for providing VoIP across firewalls are based on exchanging messages between firewall equipment and VoIP equipment, with the vendors of these types of equipment working together to create and designate pinholes in the firewall. Because most corporations already have IP networks with firewall equipment deployed, it is impractical for a service provider to deploy communication equipment to communicate with all desired communication equipment. The costs for this approach would be prohibitively high. A generic and cost-effective solution for providing multimedia communication, including VoIP, across firewalls without requiring modifications to firewall equipment or an expensive array of communication equipment is needed.
SUMMARY OF THE INVENTION
A trusted entity (a Media Proxy Router, soft switch, or combination of the two) residing outside the firewall of a private network uses signaling messages to create a pinhole through the firewall to transmit media information packets. An established signaling pinhole (e.g. port) across the firewall is used to transmit the signaling messages across the firewall and create a pinhole through the firewall for transmitting media information packets.
A routing table on the trusted entity maintains an association of the address for the location of the pinhole for media communication through the firewall. Information packets containing media communication (e.g. RTP packets) are routed between a first communication device and a second communication device using address header replacement with the address of the firewall pinhole at the trusted entity. The media information packets of a communication session then transit the firewall using this established pinhole.
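As an added illustration that is not part of the patent text or any vendor's implementation, the following Python model simulates the pinhole behaviour described under "Communication Across Firewalls" (outbound traffic opens a port, an idle timer closes it) together with the trusted entity's routing table and address header replacement from the summary. The firewall, proxy, session id, 30 s idle timer and addresses (RFC 5737 documentation ranges outside, 10.0.0.0/8 as the private side) are all constructed assumptions.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    src: tuple     # (ip, port) of the sender
    dst: tuple     # (ip, port) of the receiver
    payload: bytes

class PinholeFirewall:
    """Outbound packets open/refresh a pinhole keyed by the inside (ip, port); inbound packets pass only to an open, non-idle pinhole."""
    def __init__(self, inside_prefix, idle, clock):
        self.inside_prefix, self.idle, self.clock = inside_prefix, idle, clock
        self.pinholes = {}                      # inside addr -> last activity time
    def forward(self, pkt):
        now = self.clock()
        if pkt.src[0].startswith(self.inside_prefix):   # outbound: open pinhole
            self.pinholes[pkt.src] = now
            return True
        last = self.pinholes.get(pkt.dst)                # inbound: needs a pinhole
        if last is None or now - last > self.idle:
            self.pinholes.pop(pkt.dst, None)             # timer expired: close it
            return False
        self.pinholes[pkt.dst] = now                     # traffic resets the timer
        return True

class MediaProxy:
    """Trusted entity outside the firewall: routing table binds a session to the pinhole provisioned at setup and to the far-end party."""
    def __init__(self, addr):
        self.addr, self.table = addr, {}        # session -> (pinhole, far_end)
    def provision(self, session, pinhole, far_end):
        self.table[session] = (pinhole, far_end)
    def relay(self, session, pkt):
        pinhole, far_end = self.table[session]
        dst = pinhole if pkt.src == far_end else far_end
        return Packet(self.addr, dst, pkt.payload)       # address header replacement

def run_session():
    clock = [0.0]                                        # constructed clock
    fw = PinholeFirewall("10.0.0.", idle=30.0, clock=lambda: clock[0])
    inside, far = ("10.0.0.5", 20000), ("198.51.100.7", 30000)
    proxy = MediaProxy(("203.0.113.1", 40000))
    direct_blocked = not fw.forward(Packet(far, inside, b"rtp"))   # no pinhole yet
    fw.forward(Packet(inside, proxy.addr, b"setup"))    # setup opens the pinhole
    proxy.provision("call-1", pinhole=inside, far_end=far)
    relayed = proxy.relay("call-1", Packet(far, proxy.addr, b"rtp"))
    via_pinhole = fw.forward(relayed)                   # accepted through pinhole
    clock[0] += 31.0                                    # idle longer than the timer
    after_timeout = fw.forward(proxy.relay("call-1", Packet(far, proxy.addr, b"rtp")))
    return {"direct_blocked": direct_blocked, "via_pinhole": via_pinhole,
            "relayed_dst": relayed.dst, "after_timeout": after_timeout}
```

The scenario shows the three states the text distinguishes: media sent straight at the inside terminal is dropped, media rewritten by the trusted entity to the provisioned pinhole address passes, and the pinhole closes again once the idle timer elapses.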