In the architecture defined by the Media Gateway Control (MEGACO) IETF Working Group, a typical H.248 model comprises media gateways (MGs) focusing on media translation and media gateway controllers (MGCs) focusing on call signaling and call processing functions.
Voice over IP (VoIP) calls, sometimes referred to as Internet telephony, utilize a call signaling path between media gateway controllers, a media gateway control path between media gateway controllers and media gateways, and a bearer path. The call signaling path transfers the call control data necessary to set up, connect, and process a call. The media gateway control path is used by the media gateway controller to exchange data with the media gateways under its control. The bearer path is the actual voice data connection over which a conversation may take place. A media gateway port may have only one associated media gateway controller.
Private networks are generally protected from intrusion from public networks such as the Internet by firewalls that only permit certain pre-approved packet streams through pinhole openings in the firewall. A pinhole opening in a firewall may also be referred to as a packet filter. Data packets are routed (or denied routing) based on, among other things, the source and destination addresses in the packet header, including the port numbers. The packet filter works like a mask, allowing only data that meets specific criteria to pass. The specific criteria are a set of rules to which each data packet is subjected. The firewall performs stateful inspection and subjects data packet content as well as data packet header information to the filtering rules that define the pinhole openings in the firewall.
Typically a firewall is directly controlled by a system administrator or the like through a pre-defined set of approved address pairs. Dynamic firewall control on a per call basis is desired for secure VoIP telephony between endpoints on either side of a firewall. Unfortunately, the present firewall control scheme does not permit remote dynamic control of a firewall from another private network entity.
Given the nature of the security risk and the design of VoIP systems, firewalls must be dynamically modified on a per call basis in order to avoid security breaches. Either the firewall must comprehend the call signaling protocol and derive the pinhole requirements, or an external device that understands the call signaling protocol must explicitly inform the firewall.
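As an added illustration (not part of the original document), a minimal default-deny packet filter whose pinholes are opened and closed on a per call basis by an external controller that has parsed the call signaling, as the preceding paragraphs describe; the class names, the 10.0.0.0/8 private range and the sample addresses are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Pinhole:
    """One packet filter: a pre-approved address/port pair for a bearer (RTP) flow."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "udp"


class PinholeFirewall:
    """Default-deny packet filter; a pinhole exists only while a call owns it."""

    def __init__(self, private_net: str):
        self.private = ip_network(private_net)
        self.pinholes: dict[Pinhole, str] = {}  # pinhole -> owning call id

    def open_call(self, call_id: str, inside_ip: str, inside_port: int,
                  outside_ip: str, outside_port: int) -> None:
        """Controller opens the bearer path for one call, in both directions."""
        if ip_address(inside_ip) not in self.private:
            raise ValueError("inside endpoint must be on the private network")
        self.pinholes[Pinhole(outside_ip, inside_ip, inside_port)] = call_id
        self.pinholes[Pinhole(inside_ip, outside_ip, outside_port)] = call_id

    def close_call(self, call_id: str) -> int:
        """Tear down every pinhole the call opened; returns how many were removed."""
        owned = [p for p, c in self.pinholes.items() if c == call_id]
        for p in owned:
            del self.pinholes[p]
        return len(owned)

    def allow(self, src_ip: str, dst_ip: str, dst_port: int, proto: str = "udp") -> bool:
        """Apply the rule set to one packet header: pass only if a pinhole matches."""
        return Pinhole(src_ip, dst_ip, dst_port, proto) in self.pinholes


def call_lifecycle() -> list[bool]:
    """Constructed scenario: inbound RTP before, during and after a single call."""
    fw = PinholeFirewall("10.0.0.0/8")
    rtp_in = ("203.0.113.5", "10.1.2.3", 16384)  # public peer -> private phone
    before = fw.allow(*rtp_in)
    fw.open_call("call-1", "10.1.2.3", 16384, "203.0.113.5", 20000)
    during = fw.allow(*rtp_in)
    wrong_port = fw.allow("203.0.113.5", "10.1.2.3", 5060)  # not the negotiated port
    fw.close_call("call-1")  # signaling reported call teardown
    after = fw.allow(*rtp_in)
    return [before, during, wrong_port, after]  # [False, True, False, False]
```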
Firewalls have been interpreting known protocols and learning of pinhole requirements for some time. Doing so, however, implies continuous network infrastructure upgrades as new protocols are introduced. Continuously upgrading network infrastructures increases the cost of and reduces the velocity of new service deployments. Alternatively, protocol specific “proxies” have been built which understand specific protocols and are, in effect, a widening of the firewall—an alternate path into the secure private network for a specific protocol suite. Unfortunately, these implementations possess performance characteristics that cannot meet the requirements of VoIP media streams.
What is needed is a way to dynamically manage a pinhole in a private network firewall such that VoIP communication between endpoints on the private network and endpoints on a network beyond the firewall does not compromise the security of the private network.