The Internet allows geographically and logically dispersed applications and nodes to easily communicate and exchange data. These data can range from simple text messages to encrypted or compressed, high-bandwidth, real-time voice and video data. But along with the ease of networking come potential security threats to any computer that is publicly accessible on the Internet.
Traditionally, network security has been achieved simply by denying or restricting access by those outside a secure network to data or devices within it. Over time, common solutions have evolved, such as firewalls, NATs, and proxies. These approaches block or restrict unauthorized incoming data and unauthorized incoming requests directed at devices on a private network.
Firewalls isolate the devices of a private network from devices on a public network. A firewall is installed as a security measure to protect data inside a private network from unsolicited connections. Firewalls can also restrict the way nodes inside a private network access public sites, such as those on the Internet.
One technique for establishing a firewall is to maintain an “access control list.” The access control list approach compares address information contained in a data packet from a remote device against a list of allowed or disallowed addresses to determine whether the source from which the packet originated is permitted. If the address is on the list of disallowed addresses, the packet is not allowed to pass.
Another method of restricting access involves “packet filtering.” Packet filtering examines data traversing a firewall to determine whether the port or protocol (e.g. Internet Protocol (IP)) in use is subject to restrictions. If the port or protocol in use is restricted, the packet is not allowed to pass.
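The two checks just described, an address-based access control list and a protocol/port packet filter, can be combined in one small filter. The Python below is an added illustration, not code from the patent or from any product it names. The addresses, CIDR prefixes, allowed ports and packet fields are constructed sample values, and the policy order (a deny entry wins, then the source must be on the allow list, then the protocol and port are checked) is one reasonable reading of the text rather than any particular vendor's behaviour.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp", "udp", "icmp", ...
    dport: int    # destination port (0 for protocols without ports)


# Constructed sample policy (an assumption, not from the text). Addresses are
# CIDR prefixes so that one entry can cover a whole network; only the
# documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 appear.
DENIED_SOURCES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24",)]

# Packet-filter rules: TCP only on specific ports, UDP blocked outright.
ALLOWED_PORTS = {"tcp": {80, 443}}
BLOCKED_PROTOCOLS = {"udp"}


def acl_check(pkt, denied=DENIED_SOURCES, allowed=ALLOWED_SOURCES):
    """Access control list: compare the packet's source address with the
    disallowed and allowed lists. A deny entry wins; otherwise the source
    must appear on the allow list."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in denied):
        return False, "source on deny list"
    if any(src in net for net in allowed):
        return True, "source on allow list"
    return False, "source not on allow list"


def port_filter(pkt, allowed_ports=ALLOWED_PORTS, blocked=BLOCKED_PROTOCOLS):
    """Packet filter: decide by protocol and destination port."""
    if pkt.proto in blocked:
        return False, f"protocol {pkt.proto} is blocked"
    ports = allowed_ports.get(pkt.proto)
    if ports is None:
        return False, f"protocol {pkt.proto} has no allowed ports"
    if pkt.dport not in ports:
        return False, f"{pkt.proto} port {pkt.dport} not allowed"
    return True, "protocol/port allowed"


def filter_packet(pkt):
    """A packet passes only if both checks pass. Returns (verdict, reason)."""
    for check in (acl_check, port_filter):
        ok, reason = check(pkt)
        if not ok:
            return "drop", reason
    return "pass", "permitted by ACL and packet filter"


def run_demo():
    """Constructed sample traffic arriving at the firewall from outside."""
    samples = [
        Packet("192.0.2.10", "10.0.0.5", "tcp", 443),    # allowed source, HTTPS
        Packet("203.0.113.9", "10.0.0.5", "tcp", 443),   # denied network
        Packet("192.0.2.10", "10.0.0.5", "udp", 5004),   # UDP media: blocked
        Packet("192.0.2.10", "10.0.0.5", "tcp", 22),     # port not on the list
        Packet("198.51.100.9", "10.0.0.5", "tcp", 80),   # on neither list
    ]
    return {f"{p.src} {p.proto}/{p.dport}": filter_packet(p) for p in samples}


if __name__ == "__main__":
    for flow, (verdict, reason) in run_demo().items():
        print(f"{flow:28} {verdict:5} {reason}")
```

The address check runs before the port check so that a packet from a disallowed source is refused whatever port it targets; the UDP sample shows the situation the rest of this background describes, where a media packet from an otherwise permitted peer is still dropped because the protocol itself is restricted.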
Another approach to providing network security uses a NAT (Network Address Translation) technique. NAT involves translating the IP addresses used within one network into different IP addresses known within another network.
Typical NAT techniques map local or private network addresses to one or more public IP addresses, and translate incoming global IP addresses into local IP addresses. NAT techniques provide added security since each outgoing or incoming request must go through a translation process to qualify or authenticate the request or match it to a previous request. To conserve IP addresses, it is common for a private network to use a single IP address in its communication outside the private network. Thus, external devices may not be able to identify or communicate with a specific local device, because private addresses behind NATs are not directly accessible by entities on a public network.
Another approach to providing network security is based on proxies. Proxies, such as HTTP proxies, act as the only path out from a private network to the public domain. Proxies generally operate through one or two ports and may require authentication and/or encryption to achieve secure connections. The proxy acts as an intermediary between the secure private network and the public.
For example, referring to FIG. 1, a local client 1 and a remote server 3 are coupled over a public network 5, such as the Internet. The proxy server 7 receives from the client 1 a request for an Internet service (such as a request for a Web page from the remote server 3). If the request passes the filtering requirements, the proxy server 7 processes the request and forwards it to the remote server 3. To the local user, the proxy server 7 is transparent, and all Internet requests and returned responses appear to be associated directly with the addressed remote server 3. The proxy server 7 acts as a firewall by preventing unauthorized incoming data requests from being processed.
A common theme for firewalls, NATs and proxies is that most bi-directional communication must be initiated from inside the private network towards a public IP address, potentially on restricted ports or with restricted protocols. Once connections or virtual circuits are created from the inside out, data may flow back on that same path from the public network to the private network.
However, for end-to-end rich media applications, such as videoconferencing, methods for initiating and maintaining a session through a gateway or firewall can be complex, requiring several channels to the same or different destinations just to establish a two-way or multi-way real-time conference. Standard protocols such as H.323 and SIP, and proprietary protocols such as First Virtual Communications' CUseeMe protocol, are examples of protocols supporting these types of applications. For example, the International Telecommunication Union H.323 standard defines how real-time, bi-directional multimedia communications can be exchanged on packet-based networks. The H.323 protocol utilizes the User Datagram Protocol (UDP) for the transport of voice and video data. As opposed to a “reliable” type of transmission, or so-called “connected” stream-oriented protocol, such as Transmission Control Protocol/Internet Protocol (TCP/IP), UDP is a connectionless, packet-oriented transfer protocol. Some standards, such as H.323, use connection-based TCP/IP for call or connection setup, but do not use TCP/IP for audio and video data transmission. TCP, by contrast, is used for reliable transfer of data and has built-in packet loss detection and retransmission, and thus is not appropriate for real-time audio and video data.
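Why retransmission is the wrong tool for real-time media can be shown with a small timing simulation. The Python below is an added example, not part of the patent: it models a constant-rate media stream under a UDP-like transport, where a lost packet is simply gone and later packets are unaffected, and under a simplified TCP-like transport, where a lost packet is retransmitted one RTT after it was originally sent and in-order delivery holds every later packet behind it. The 20 ms packet interval, 50 ms one-way delay, 200 ms RTT and the single loss are constructed parameters, and the retransmission timing is a simplification of real TCP loss recovery.

```python
import math


def simulate_stream(n_packets, interval_ms, owd_ms, rtt_ms, lost):
    """Delivery times of a constant-rate media stream under two transports.

    UDP-like: each packet arrives one one-way delay (owd) after it was sent;
    a lost packet is simply missing (None) and later packets are unaffected.
    TCP-like (simplified): a lost packet is retransmitted one RTT after its
    original send time, and in-order delivery holds every later packet until
    the retransmission has arrived (head-of-line blocking).
    Returns (udp_times, tcp_times), one entry per packet, in milliseconds."""
    udp, tcp = [], []
    prev_delivered = -math.inf          # delivery time of the previous packet
    for i in range(n_packets):
        nominal = i * interval_ms + owd_ms          # arrival if nothing goes wrong
        udp.append(None if i in lost else nominal)
        arrival = nominal + rtt_ms if i in lost else nominal
        delivered = max(arrival, prev_delivered)    # in-order: wait for predecessors
        tcp.append(delivered)
        prev_delivered = delivered
    return udp, tcp


def extra_delay(times, interval_ms, owd_ms):
    """Delay beyond the nominal arrival time, per packet (None if never delivered)."""
    return [None if t is None else t - (i * interval_ms + owd_ms)
            for i, t in enumerate(times)]


def summarize(n_packets=50, interval_ms=20, owd_ms=50, rtt_ms=200, lost=frozenset({10})):
    """Constructed scenario: 50 packets at 20 ms spacing, 50 ms one-way delay,
    200 ms RTT, packet number 10 lost once."""
    udp, tcp = simulate_stream(n_packets, interval_ms, owd_ms, rtt_ms, lost)
    udp_extra = extra_delay(udp, interval_ms, owd_ms)
    tcp_extra = extra_delay(tcp, interval_ms, owd_ms)
    return {
        "udp_delivered": sum(t is not None for t in udp),
        "udp_max_extra_ms": max(e for e in udp_extra if e is not None),
        "tcp_delivered": sum(t is not None for t in tcp),
        "tcp_max_extra_ms": max(tcp_extra),
        "tcp_stalled_packets": sum(e > 0 for e in tcp_extra),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key:22} {value}")
```

In the constructed scenario the UDP-like stream loses one 20 ms frame and nothing else, while the TCP-like stream delivers every packet but stalls ten consecutive packets (the lost one plus every packet sent during the 200 ms it takes to recover, i.e. RTT divided by the packet interval), with the first of them arriving a full RTT late. For a decoder with a fixed playout deadline, a frame that arrives 200 ms late is no more useful than a frame that never arrives, which is the reason the protocols named above carry media over UDP and reserve TCP for call setup.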
When a transmission over a public network utilizes a connectionless protocol, such as UDP, as the transport for voice and video data packets, the incoming and outgoing packets are often blocked by the firewall. As a result, connectionless communications with third parties outside a private network are commonly disabled or blocked. For example, firewalls usually prevent incoming TCP and UDP connections. With firewalls, UDP may be blocked in both directions, while TCP may be blocked except on specific ports.
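The inside-out rule described above, and its consequence for UDP media, can be shown with a toy address-translating gateway. The Python below is an added example, not code from the patent or from any H.323, SIP or CUseeMe implementation. It keeps a translation table that is populated only by packets leaving the private network, forwards an inbound packet only through such a mapping and only from the remote endpoint the inside host contacted (one common NAT behaviour, assumed here rather than stated by the text), and refuses anything addressed directly to a private address. The addresses, the ports (1720 for the TCP call-setup leg is the well-known H.323 call-signalling port; the UDP media ports are made up) and the call flow are constructed for the demonstration, and TCP connection tracking is simplified to the same mapping used for UDP.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Toy NAT/firewall: a mapping is created only by a packet leaving the
    private network; inbound packets are forwarded only through such a
    mapping and only from the remote endpoint the inside host contacted."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = count(first_port)   # public ports handed out in order
        self.forward = {}   # (proto, private_ip, private_port) -> public_port
        self.reverse = {}   # (proto, public_port) -> (private_ip, private_port, remote_ip, remote_port)
        self.dropped = []   # reason for every inbound packet that was refused

    def outbound(self, pkt):
        """Translate a packet leaving the private network and record the mapping."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.forward:
            self.forward[key] = next(self._ports)
        pub_port = self.forward[key]
        self.reverse[(pkt.proto, pub_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(pkt.proto, self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate a packet arriving from the public side, or drop it."""
        if pkt.dst_ip != self.public_ip:
            self.dropped.append(f"{pkt.dst_ip} is not reachable from the public network")
            return None
        entry = self.reverse.get((pkt.proto, pkt.dst_port))
        if entry is None:
            self.dropped.append(f"no mapping for {pkt.proto}/{pkt.dst_port}: unsolicited")
            return None
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            self.dropped.append(f"{pkt.src_ip}:{pkt.src_port} was never contacted from inside")
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def h323_like_call():
    """Constructed call flow: TCP call setup from inside succeeds, the remote
    party's UDP media is dropped until the inside host has sent a UDP packet
    out first, and a third party is refused even then."""
    gw = NatGateway("198.51.100.1")
    inside, remote = "10.0.0.5", "192.0.2.20"

    # 1. Call setup over TCP, initiated from inside: the mapping is created
    #    and the reply from the remote party is translated back.
    setup = gw.outbound(Packet("tcp", inside, 51000, remote, 1720))
    setup_reply = gw.inbound(Packet("tcp", remote, 1720, setup.src_ip, setup.src_port))

    # 2. Suppose setup announced 10.0.0.5:5006 for media. The remote sends
    #    UDP there: a private address, unreachable from the public network.
    media_to_private = gw.inbound(Packet("udp", remote, 5004, inside, 5006))

    # 3. Even aimed at the gateway's public address, the media has no mapping
    #    because nothing has left the private network on that port yet.
    media_unsolicited = gw.inbound(Packet("udp", remote, 5004, gw.public_ip, 5006))

    # 4. The inside host sends one UDP packet outward first; that opens a
    #    return path, and the remote's media is forwarded through it.
    probe = gw.outbound(Packet("udp", inside, 5006, remote, 5004))
    media_after_probe = gw.inbound(Packet("udp", remote, 5004, probe.src_ip, probe.src_port))

    # 5. A third party aiming at the same public port is still refused.
    stranger = gw.inbound(Packet("udp", "203.0.113.7", 5004, probe.src_ip, probe.src_port))

    return {
        "setup_reply": setup_reply,
        "media_to_private": media_to_private,
        "media_unsolicited": media_unsolicited,
        "media_after_probe": media_after_probe,
        "stranger": stranger,
        "dropped": list(gw.dropped),
    }


if __name__ == "__main__":
    for name, value in h323_like_call().items():
        print(f"{name}: {value}")
```

Step 3 is the crux of the problem statement: the TCP leg works because the inside host opened it, but the UDP media channel the remote party has to open towards the inside host never gets through, and a firewall that blocks UDP in both directions would also refuse the outbound packet in step 4 that a NAT alone would accept.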
Internet communications standards and proprietary rich media applications usually require multiple communications channels via UDP and TCP on fixed or random ports. Particularly for real-time rich media communication like voice and video communication, there is a need for a system that allows the establishment of communication channels between computers protected by a firewall and outside third parties, but without compromising the firewall security measures set up to protect against unauthorized or non-permitted data transfers.
Therefore, one objective of the present invention is to provide a method and computerized system for transmitting and receiving real-time voice, video and other data over the Internet when either the intended sender or the intended recipient of the data utilizes a computer device that is protected by a firewall that does not allow transmission of data, including data using a connectionless packet protocol.