1. Technical Field
Embodiments described in this disclosure generally relate to network security and, more particularly, to using authentication tokens to authorize a firewall to open a pinhole.
2. Description of the Related Art
As is known, RTP (the Real-time Transport Protocol, RFC 3550) provides an internet-standard protocol for transporting real-time media data, such as streaming audio and video, e.g., a VoIP telephone call. Of course, other protocols are available to create and manage media flows over computer networks. A common approach for allowing such media to flow through a firewall is for the firewall to inspect signaling messages (e.g., SIP, whose SDP body names the media endpoints) to identify what IP addresses and ports the media is going to use for a data flow (e.g., RTP over UDP). Once identified, the firewall opens a “pinhole” which allows the media to flow through that firewall towards the intended destination (provided the destination addresses and/or ports are authorized to receive such traffic). However, if the signaling is encrypted (as it frequently is, e.g., SIP over TLS), the firewall cannot inspect the substance of the signaling to identify the destination addresses and/or ports.
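The inspection step described above, as an added example that is not part of the patent text: a SIP-aware firewall reads the SDP body of an INVITE, takes the destination address from the c= line and the port from the m= line, and derives the pinholes it must open (RTCP is assumed to use port+1, the RFC 3550 default; an a=rtcp attribute is not handled). The same code shows the failure mode the paragraph describes: when the signaling arrives as a TLS record rather than plaintext SIP, the inspector has nothing to parse. All messages, addresses and ports below are constructed for illustration, not captured traffic.

```python
"""Added example (not from the patent text): the signaling-inspection step a
SIP-aware firewall performs to learn which RTP pinhole to open, and the case
where encrypted signaling makes that step impossible.  All messages here are
constructed for illustration, not captured traffic."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed SDP offer: Alice asks for PCMU audio at 192.0.2.10:49170.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)
# Constructed plaintext SIP INVITE carrying that SDP offer.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SAMPLE_SDP)}\r\n"
    "\r\n" + SAMPLE_SDP
).encode()
# Constructed TLS record header (handshake, TLS 1.2) standing in for SIP over
# TLS: the firewall sees only ciphertext framing, never the SDP.
SAMPLE_TLS_RECORD = b"\x16\x03\x03\x00\x05\x01\x00\x00\x01\x00"


@dataclass(frozen=True)
class Pinhole:
    proto: str      # transport the firewall must permit
    dst_ip: str     # destination address taken from the SDP c= line
    dst_port: int   # destination port taken from the SDP m= line


def parse_sdp_pinholes(sdp: str) -> list[Pinhole]:
    """Derive the pinholes an SDP offer requires.

    A media-level c= line overrides the session-level one; a port of 0 means
    the stream is rejected and gets no pinhole.  RTCP is assumed to use
    port+1 (RFC 3550 default; an a=rtcp attribute is not handled here)."""
    session_ip: Optional[str] = None
    sections: list[dict] = []          # one entry per m= line
    for line in sdp.splitlines():
        if line.startswith("c="):      # c=<nettype> <addrtype> <address>
            addr = line[2:].split()[2]
            if sections:
                sections[-1]["ip"] = addr
            else:
                session_ip = addr
        elif line.startswith("m="):    # m=<media> <port> <proto> <fmt> ...
            fields = line[2:].split()
            sections.append({"port": int(fields[1]), "proto": fields[2], "ip": session_ip})
    pinholes = []
    for s in sections:
        if s["port"] == 0 or s["ip"] is None:
            continue
        proto = "udp" if s["proto"].startswith("RTP/") else s["proto"].lower()
        pinholes.append(Pinhole(proto, s["ip"], s["port"]))
        pinholes.append(Pinhole(proto, s["ip"], s["port"] + 1))   # RTCP
    return pinholes


_SIP_START = re.compile(r"^(?:[A-Z]+ sips?:\S+ SIP/2\.0|SIP/2\.0 \d{3} )")


def firewall_inspect(wire: bytes) -> Optional[list[Pinhole]]:
    """The firewall's inspection step: returns the pinholes to open, or None
    when the payload is not readable SIP (e.g. SIP over TLS), so no address
    or port can be learned from it."""
    try:
        text = wire.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not _SIP_START.match(text):
        return None
    parts = text.split("\r\n\r\n", 1)
    if len(parts) != 2:
        return None
    headers, body = parts
    if not re.search(r"^Content-Type:\s*application/sdp", headers, re.I | re.M):
        return None
    return parse_sdp_pinholes(body)


if __name__ == "__main__":
    print(firewall_inspect(SAMPLE_INVITE))      # two UDP pinholes to 192.0.2.10
    print(firewall_inspect(SAMPLE_TLS_RECORD))  # None: nothing to inspect
```

A real inspector would additionally track the SIP dialog (Call-ID, tags) so the pinhole is closed on BYE, and would learn the far end's address from the SDP answer in the 200 OK; those steps are omitted to keep the example focused on the address/port extraction the paragraph describes.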
Further, if the signaling and the actual media flow traverse different paths through a network, there is no guarantee that the firewall that actually receives the media will know that a pinhole should be opened for that traffic. This latter scenario may be addressed by constraining the network design to force signaling and media through the same firewall. However, this approach often leads to unnatural network design choices made solely to force both the message signaling and the subsequent real-time data flows onto the same network paths. Accordingly, there remains a need for techniques for using authentication tokens to authorize a firewall to open a pinhole for certain media flows; in particular, to open a pinhole for media flows carrying real-time streaming media data (e.g., a VoIP call transported using RTP over UDP).