This invention relates to voice over Internet-Protocol (VoIP) software, and more particularly to VoIP through firewalls.
Internet-enabled communication such as electronic mail, web browsing, instant messaging, and video and audio streaming are common today. The Internet can also be used to make telephone calls using voice-over-Internet-Protocol (VoIP) technology. Video messages may also be exchanged using enhancements to VoIP technology.
Unfortunately, other programs can interfere with VoIP. To protect local computers and networks from unauthorized use or even outright attack, a barrier between a local network and the Internet is often employed. This barrier is known as a firewall, since it protects internal networks from the ravages of the open Internet.
Firewall is a generic term that describes an array of different technologies for securing computer networks. Some common Firewall technologies are Packet Filters, Proxy Servers, Network Address Translation, Port Address Translation and Application Protocol Filtering. Firewalls can be implemented in routers, special firewall appliances, and bastion hosts at the connection point of two or more computer networks. Personal firewalls are a software application running on a personal computer.
Firewalls can operate on different levels of the network. FIG. 1 is a reference diagram for the Open Systems Interconnection (OSI) network model. Packets passing through a firewall can be filtered by examining their IP addresses, TCP ports, protocols, states, or other header criteria at network layer 3 or transport layer 4.
Dynamic or stateful packet filters can operate on most of the layers. Only specifically-configured traffic is allowed through the firewall, such as web-browser traffic that uses Transport-Control-Protocol (TCP) on port 80. All traffic from outside the firewall can be blocked except when a connection is opened from within the firewall. A temporary return path, opening, or window is created through the firewall for each connection initiated from the local network within the firewall. This window closes when the connection is closed.
Proxy servers can operate on layers 3, 4, or application layer 7. Clients behind the firewall connect to the proxy server, which then makes another connection to the final server. Application protocol filtering can also operate on layer 7. Presentation layer 6, and session layer 5 are between the sockets of layer 7 and the TCP connections of layer 4. Data link layer 2 encapsulates the data into the actual packets or frames transmitted over the physical layer 1.
Firewalls can interfere with some Internet applications, even preventing their use across firewalls. For example, VoIP applications can be blocked by firewalls. Some firewalls only allow a few applications to pass packets through, such as web-browser traffic using port 80 and the hyper-text transfer protocol (HTTP) or port 443 with the secure-sockets layer (SSL). Packets to ports other than 80 and 443 may be blocked by firewalls.
FIG. 2 illustrates how a firewall can block TCP packets for a VoIP application. Personal computer PC 10 is protected by firewall 14, while server or PC 12 is directly connected to Internet 16.
Voice call applications may use standard web-browser settings. For example, audio from the user at PC 10 can be sent over Internet 16 to port 80 of PC 12 using the HTTP protocol. Outgoing TCP/IP packets containing higher-level browser-like commands, such as the HTTP GET command, can pass through firewall 14 since they originate from within (inside) firewall 14.
The reverse-direction audio stream is sent from PC 12 to PC 10. For example, PC 12 may act as a web server and send TCP/IP packets back to PC 10 using an HTTP response message. Many firewalls may allow such TCP/IP packets to pass through, but other more restrictive firewalls may match each HTTP response to an HTTP GET from inside the firewall. Other firewalls may terminate an HTTP session after a timeout period.
For example, after the first HTTP response is received by PC 10, a restrictive firewall 14 may close the HTTP session if a second HTTP response is sent without a second GET. Without another GET, firewall 14 may prevent other HTTP response messages from passing through after the first HTTP response. Thus while first HTTP response—1 is passed through firewall 14, second HTTP response—2 is blocked by firewall 14.
Audio streams are often long and need to send audio data at different times in different messages. When PC 12 attempts to stream audio back to PC 10 using several HTTP messages, firewall 14 terminates the HTTP session and blocks the session's packets in both directions. Firewall 14 then sees any subsequent HTTP response packets as coming from Internet 16 without a matching HTTP GET request from PC 10 within the firewall. Firewall 14 blocks these packets, assuming that they are unauthorized and possibly an attack on the local network.
What is desired is a method for passing packets and audio data through a firewall and to allow entry of audio or video streams originating from outside the firewall. A program that can use a firewall window for standard web-browser traffic is desired.
Using openings in firewalls for standard web traffic such as HTTP or SSL sessions is especially desired to allow VoIP to operate across restrictive firewalls.