Field
Embodiments of the present invention generally relate to the management and processes of the network communication packet implemented with a firewall. More particularly, embodiments of the present invention relate to a new interface configuration and processing scheme for enhancing bi-directional VoIP communication traversing the firewall without degrading the level of protections provided by the firewall.
Description of the Related Art
A technical difficulty is still faced by those who apply Internet Protocol (IP) for voice communication by sending voice messages as digitized data packets on Internet, commonly known as Voice over IP (VoIP) technologies, when the sender or the receiver are protected by a firewall protection system. Specifically, several popular VoIP signaling protocols such as MGCP, SIP and H323 are commonly implemented. All these different types of protocols are implemented with the data relating to the end point address embedded as part of the data content transmitted in the Internet Protocol packets. Referring to FIG. 1 for a typical firewall setup where the firewall is installed as a protection interface between the internal and external networks for preventing invasions of undesirable transmission between the internal and external networks. A conventional firewall employs a network address translation (NAT) technique to change the IP packet header such that all outgoing packets from the internal network are presented to the external network as if there are sent out from the firewall. However, once the sender's identification, i.e., the source IP address and port number of the sender, is translated and changed by the firewall, a return packet in response to the sender's VoIP packets can only return to the firewall and would be unable to reach the sender. The communication loop is broken due to the operation of the firewall in changing the source IP and the source port numbers. For a packet sent from the internal network to the external network through the firewall, it would typically include the header information of source IP address, protocol type, source port number, destination IP address and destination port number. An exemplary header is shown below:
An exemplary header is shown below:                Source IP: 192.168.100.1        Protocol: UDP        Source port: 1025        Destination IP: 10.1.2.3        Destination port: 2727        
After the packet is processed by the firewall, the header data is changed and an example of the changed header is shown below:                Source IP: firewall's external IP address        Protocol: UDP        Source port: allocated by the firewall (for example 3330)        Destination IP: 10.1.2.3        Destination port: 2727        
For the security of the network user protected by the firewall, the sender's IP address is therefore changed and hidden from the external network. It is noticed that the destination IP and port number are not changed. The same IP address and port number maybe included in the content of the IP packets too. Specifically, a valid SIP request must contain the following header fields: To, From, CSeq, Call-ID, Max-Forwards, and Via; all of these header fields are mandatory in all SIP requests. Call-ID in this case includes a port number and IP address (or domain name) of an end point. For the outbound traffic, i.e., IP packets transmitted from the internal private network to an external public network, because the conventional firewall only changes the packet header, the end point address embedded in the packet content still points to the original IP addresses and the embedded IP address will be mismatched with the header now changed by the firewall. Due to the mismatches, the VoIP communication cannot be successful. Furthermore, for the inbound VoIP communications, because the internal host's IP addressees are hidden from the public network, VoIP traffic when designate the IP address and the port number of an internal IP address cannot reach individual end point by their IP address, thus an incoming call cannot be made. Additionally, even a special assignment is made to correlate a port number with an end point of an internal user, since for each specific protocol, the port number is fixed, for example port 2427 is for MGCP, and 2543 is for SIP. So in a conventional firewall for the management of incoming traffic, if a packet is targeting port 2427, it usually is a call. However, since only one port is used, a call can only be made to one end point inside firewall using the conventional method.
In summary, VoIP is a major enabler of high-value, converged voice/data applications. However, widespread use of VoIP is at odds with conventional security technology: Network-level devices, such as NAT gateways, lack the intelligence to recognize and properly process the critical signaling protocols that enable VoIP calls to be established and managed. Until now, extreme compromises have been required to enable flexible VoIP applications: Companies have been forced to either compromise their security, by opening holes in their perimeter security to allow VoIP signaling to pass, or have been forced to purchase expensive, single-function call-proxy systems that focus on solving the NAT traversal problem. Another approach—using VoIP only in conjunction with VPN tunnels—greatly limits the reach of Internet telephony. None of these so-called solutions achieves the goal of enabling widespread, secure use of VoIP technology.
Since there is an increase in adopting voice over IP technology in the enterprise environment spawning from renewed interest in converged voice/data application, there is an urgent need to resolve the difficulties. Particularly, as most conventional network security technologies employ the network address translation (NAT) technique as a universal standard to prevent unauthorized access to a private network from the Internet, these difficulties often force organizations to either comprise security or forsake the voice/data convergence because such applications have become impractical.
Therefore, a need still exits in the art to provide improved firewall systems with more intelligent operations capable of managing both VoIP and non-VoIP network communications in order to resolve these difficulties.