The present invention relates in general to interactive communication sessions within computer networks, and, more specifically, to maintaining such a session between two peer computers wherein one or both of the computers are coupled to the computer network through a firewall.
Much attention has been directed to computer internetworking problems of hacking, virus attacks, availability of unsuitable content, and other security issues. As each type of problem has developed, protective security tools have arisen to allow computers to be protected from attacks and to supervise how the computers can interact with the internetwork (e.g., Internet).
Today, most enterprise and home networks use some form of firewall or proxy server to block TCP/UDP connections initiated outside of the firewalled network environment. Blocking of particular packets within user traffic directed through the firewall can be performed based on several different criteria, such as IP address where the traffic originated, domain names of the source or destination of the traffic, the protocol in which the traffic is formatted, and the port sending or receiving the traffic, among others. Firewalls can also perform proxy services or perform network address translation (NAT) so that a particular computer is not directly accessible from outside the firewall.
One typical type of firewall operates as a router at the network service level to interface between a protected device and remote devices. The firewall filters out (i.e., discards) packets directed to the firewall in response to predetermined rules. Most often, rules are set up to discard packets based on the source and destination addresses and ports (i.e., sockets) or on specific IP transport protocol types of packets. Since network/computer owners frequently deploy a firewall for the purpose of preventing outside access to internal computer resources, a typical set of rules may allow only connection sessions that are initiated by a computer behind the firewall. In other words, all incoming traffic may be blocked by the firewall except incoming packets whose source and destination addresses match those of prior outgoing packets. For instance, a firewall may maintain a table of source/destination addresses and ports of recent outgoing packets. When an incoming packet is received, its addresses and ports are compared to the table; if matching source/destination addresses and ports are found, the incoming packet is treated as a response to an internal request and is forwarded through the firewall. If no match is found, the packet is rejected.
Due to this exclusion of packets that are not specifically received in response to a requesting packet from inside the firewall, a computer user is prevented from using certain types of desirable network applications. For example, many legitimate applications employ spontaneous transmission of data and/or control signals such as audio and video conferencing, streaming multimedia, instant messaging, and on-line gaming. A firewall configured in this manner also prevents an authorized user from gaining remote access to a protected computer or network (e.g., an employee accessing a company's intranet from the Internet while traveling) unless modified with additional hardware and/or software, such as a virtual private network (VPN), to circumvent or tunnel through the firewall. Such a modification, however, may require specific protocols and cannot generically handle most applications. Furthermore, VPN solutions will not allow two users to communicate directly with each other through a firewall.
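The table-based filtering rule described in the two paragraphs above, and the consequence it has for spontaneous inbound traffic, can be modelled in a few lines. The following is an added illustration, not code from the patent; the packet representation, the idle timeout and the sample addresses are constructed for the example. Replies are matched with the outgoing packet's addresses and ports swapped, and entries age out of the table so that a stale reply is also dropped.

```python
from collections import namedtuple

# Constructed packet representation (not from the patent text): the five
# fields a stateful filter keys on.
Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")


class StatefulFilter:
    """Model of the firewall behaviour described above: remember recent
    outgoing flows and admit only packets that answer one of them."""

    def __init__(self, idle_timeout=60):
        self.idle_timeout = idle_timeout  # seconds an idle flow stays in the table
        self.table = {}  # (proto, src_ip, src_port, dst_ip, dst_port) -> last-seen time

    def outbound(self, pkt, now):
        """Record an outgoing packet; outbound traffic is always forwarded."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        self.table[key] = now
        return True

    def inbound(self, pkt, now):
        """Forward an incoming packet only if it answers a recorded outgoing one."""
        self._expire(now)
        # A reply carries the outgoing packet's addresses and ports reversed.
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.table:
            self.table[key] = now  # refresh the idle timer on matched traffic
            return True
        return False  # no internal request asked for this: reject

    def _expire(self, now):
        stale = [k for k, seen in self.table.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.table[k]


def demo():
    """Run constructed traffic through the filter and return each decision."""
    fw = StatefulFilter(idle_timeout=60)
    internal, web_server, peer = "10.0.0.5", "203.0.113.10", "198.51.100.7"

    # Internal host opens an HTTPS session; the table now holds that flow.
    fw.outbound(Packet("tcp", internal, 50000, web_server, 443), now=0)

    reply = Packet("tcp", web_server, 443, internal, 50000)
    return {
        # The server's answer matches the reversed tuple and is forwarded.
        "reply": fw.inbound(reply, now=1),
        # An outside peer trying to start a session (the conferencing /
        # messaging case from the text) has no table entry and is dropped.
        "unsolicited": fw.inbound(Packet("udp", peer, 5060, internal, 5060), now=2),
        # Same server but a different port: not the recorded flow, dropped.
        "wrong_port": fw.inbound(Packet("tcp", web_server, 80, internal, 50000), now=3),
        # A reply arriving after the idle timeout finds the entry expired.
        "stale": fw.inbound(reply, now=100),
    }


if __name__ == "__main__":
    for name, forwarded in demo().items():
        print(f"{name:12s} -> {'forwarded' if forwarded else 'rejected'}")
```

The `unsolicited` case is the one the text is concerned with: a peer outside the firewall cannot open a session to the internal host because nothing in the table ever corresponds to its packet, regardless of how legitimate the application is.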