As more information, and more types of information, become available on connected computer networks, it is increasingly important to ensure the security of the data on those networks. One of the most common sources of security for such networks is a series of firewalls. Each firewall is a piece of hardware and/or software configured to allow or block communications that arrive at it. The choice to allow or deny a communication can be defined by at least one security policy for that firewall.
Network layer firewalls are protocol-based and are typically applied at a relatively low level of the relevant protocol stack, such as a TCP/IP protocol stack. Such a firewall generally acts as a packet filter, preventing packets from passing through unless they satisfy the security rules defined in the security policy. Firewalls can also inspect the content of every packet in order to prevent viruses, spyware, or other undesirable content from passing through.
The need to inspect each packet can make it difficult for certain protocols to cross the firewall. For example, the User Datagram Protocol (UDP) is known to present challenges for packet inspection. As a result, UDP signaling and data transported over UDP, such as Real-time Transport Protocol (RTP) data carrying audio and/or video (voice or multimedia packets), cannot cross most firewalls. This severely limits the ability to deploy Voice over IP (VoIP), Web conferencing, and other streaming and/or multimedia applications across firewalls, whether between the Internet and a corporate intranet, between individual networks, or between companies, for example.
Certain existing systems attempt to solve this problem by creating a hole in the firewall, using components of the firewall that are operable to open and maintain a communication channel through which the packets of a stream can be sent. In one example, a particular server that sends packets of information creates a hole at a particular port that can be used for sending those packets. In another example, a timeout is used to allow packets to pass through an open pinhole in the firewall for a limited period. These approaches do not, however, allow for inspection or verification of the packets. The firewall can be configured to inspect each packet, even UDP or other such packets, and decide on the basis of a priori rules whether to let the packet through. This is still not an optimal solution, however, because it is difficult for a firewall with an open UDP port to inspect the packets efficiently and accurately. Further, if the packet contents are secured, such inspection can only be done heuristically.
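The following is an added illustration, not part of the original text, of the two mechanisms the preceding paragraphs describe: a first-match packet-filter policy and a UDP "pinhole" that is opened by allowed outbound traffic and closed by a timeout. The firewall class, rule format, addresses and timings are all constructed for this example; they do not represent any particular vendor's product. The point it makes visible is the one the text raises: the pinhole decision is taken purely on packet headers and a timer, so nothing about the payload is inspected.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str   # "out": inside -> outside, "in": outside -> inside


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # None matches any value
    direction: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.direction is None or self.direction == p.direction)
                and (self.dst_port is None or self.dst_port == p.dst_port))


# (inside_ip, inside_port, outside_ip, outside_port) identifies one UDP exchange.
Flow = Tuple[str, int, str, int]


class PinholeFirewall:
    """Hypothetical first-match packet filter with timed UDP pinholes."""

    def __init__(self, rules: List[Rule], udp_timeout: float = 30.0):
        self.rules = list(rules)
        self.udp_timeout = udp_timeout
        self.pinholes: Dict[Flow, float] = {}  # flow -> expiry timestamp

    @staticmethod
    def _flow(p: Packet) -> Flow:
        # Normalise so outbound and inbound packets of one exchange share a key.
        if p.direction == "out":
            return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def _expire(self, now: float) -> None:
        # Pinholes are closed purely by the timer; no payload is ever examined.
        self.pinholes = {f: t for f, t in self.pinholes.items() if t > now}

    def filter(self, p: Packet, now: float) -> str:
        self._expire(now)
        if p.proto == "udp" and p.direction == "in":
            flow = self._flow(p)
            if flow in self.pinholes:
                self.pinholes[flow] = now + self.udp_timeout  # traffic refreshes the hole
                return "allow:pinhole"
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow" and p.proto == "udp" and p.direction == "out":
                    # An allowed outbound UDP packet opens a hole for the reply path.
                    self.pinholes[self._flow(p)] = now + self.udp_timeout
                return rule.action
        return "deny"  # default deny when no rule matches


def demo() -> List[str]:
    """Constructed RTP-style exchange; returns the four filter decisions."""
    fw = PinholeFirewall(
        rules=[Rule("allow", proto="udp", direction="out"),
               Rule("deny", proto="udp", direction="in"),
               Rule("allow", proto="tcp", direction="out")],
        udp_timeout=30.0,
    )
    inside, peer, stranger = "10.0.0.5", "203.0.113.7", "198.51.100.9"
    return [
        # t=0: inside host sends RTP to the peer; allowed, pinhole opened.
        fw.filter(Packet("udp", inside, 5004, peer, 5004, "out"), now=0.0),
        # t=5: peer's RTP reply matches the pinhole; allowed without inspection.
        fw.filter(Packet("udp", peer, 5004, inside, 5004, "in"), now=5.0),
        # t=5: unsolicited UDP from another host; no pinhole, policy denies.
        fw.filter(Packet("udp", stranger, 5004, inside, 5004, "in"), now=5.0),
        # t=40: the pinhole (refreshed at t=5, expiring at t=35) has timed out.
        fw.filter(Packet("udp", peer, 5004, inside, 5004, "in"), now=40.0),
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Two properties of this model are worth noting from a defender's perspective. First, the pinhole is keyed only on the address and port 5-tuple, so any packet from the expected peer endpoint is accepted for as long as the timer runs; the model has no way to verify that the payload is the RTP stream it was opened for, which is exactly the inspection gap the text describes. Second, the timeout is refreshed by inbound traffic, so a hole stays open for as long as the far side keeps sending; a conservative deployment refreshes only on outbound packets, so that the inside host controls the lifetime of the hole.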