FIG. 1 depicts a schematic diagram of telecommunications system 100 in the prior art. System 100 routes voice conversations, or other types of media such as video, between network elements such as telecommunications endpoints. Telecommunications system 100 comprises:

i. backbone packet network 101;
ii. local area networks (LAN) 102-1 through 102-Q, wherein Q is a positive integer;
iii. other-provider networks 103-1 through 103-R, wherein R is a positive integer;
iv. telecommunications endpoints 104-1 through 104-S, wherein S is a positive integer;
v. routers 105-1 through 105-Q; and
vi. gateways 106-1 through 106-R.

All of the elements depicted in FIG. 1 are interconnected as shown. As can be seen, system 100 comprises a plurality of different types of networks, including backbone packet network 101, local area networks 102-q for q=1 through Q, and other-provider networks 103-r for r=1 through R.
Backbone packet network 101 is used to transport one or more types of media, such as Voice over Internet Protocol (or “VoIP”), for the subscribers of a particular service provider. Network 101 itself comprises one or more transmission-related nodes such as routers that are used to direct data packets (e.g., voice packets, etc.) from one or more sources to the correct destinations of those packets. Network 101 is capable of handling Internet Protocol-based messages that are transmitted among the network elements that have access to network 101, such as the various telecommunications endpoints and gateways throughout system 100. Although network 101 as depicted is a Voice-over-IP service provider's network, network 101 could alternatively be the Internet or some other type of Internet Protocol-based network.
Local area network (or “LAN”) 102-q provides for the local distribution of signals, such as in an enterprise system, and comprises networking equipment such as hubs, bridges, and switches between backbone packet network 101 and telecommunications endpoints 104-1 through 104-S. LAN 102 operates in accordance with a networking protocol such as Ethernet or IEEE 802.3.
Other-provider network 103-r is used to transport one or more types of media, such as Voice over Internet Protocol (or “VoIP”), for the subscribers of a different service provider than that of backbone network 101, where each network 103-r can belong to a different service provider from one another. Network 103-r comprises one or more transmission-related nodes such as routers or switches that are used to direct signals from one or more sources to the correct destinations of those signals. For example, network 103-1 can be the Public Switched Telephone Network (PSTN), which is capable of handling either analog or digital bearer information in circuit-switched calls among devices; meanwhile, network 103-2 can be another type of circuit-based or packet-based network, such as an Internet Protocol-based network or a network based on an entirely different protocol; and so on.
Backbone 101 is connected with the various other networks via different types of networking devices, such as routers and gateways. Router 105-q is a networking device that connects backbone 101 with corresponding LAN 102-q by forwarding data packets between the two networks. Router 105-q routes packets at the network layer (i.e., layer 3) of the Open Systems Interconnection (OSI) reference model. Meanwhile, gateway 106-r is a networking device that connects backbone 101 with the gateway's corresponding network 103-r by forwarding data packets between the two networks. Gateway 106-r differs from router 105-q in that the gateway acts as a translator between two different types of networks. For example, gateway 106-1 interconnects and acts as a translator between backbone network 101, which is a packet-switched network, and other-provider network 103-1, which is the circuit-switched PSTN described earlier. Because gateway 106-r connects two different types of networks together, one of its main functions is to convert between the different transmission and coding techniques used across the two networks.
Telecommunications endpoint 104-s, for s=1 through S, is a communication appliance such as a deskset, a conferencing unit, a wireless terminal, a desktop or portable computer (i.e., “softphone”), an Internet phone, and so forth. As depicted, endpoint 104-s operates in a local area network. Endpoint 104-s is capable of digitizing voice signals from its user and formatting the digitized signals into transmittable data packets through an audio compressor/decompressor (or “CODEC”) circuit. Similarly, the CODEC circuit of endpoint 104-s is also capable of receiving data packets and converting the information contained within those packets into voice signals that are understandable by the endpoint's user.
Telecommunications endpoint 104-s is a packet-based device that is capable of exchanging information with any other device in telecommunications system 100, in a manner similar to how a personal computer is able to exchange information with other computers throughout the Internet. Consequently, endpoint 104-s is vulnerable to many of the same or similar packet attacks as a personal computer, such as “Denial-of-Service” (DoS) attacks. As is apparent in FIG. 1, there are many sources of potential packet attacks that can be directed at endpoint 104-s from within any of the networks in system 100. And in comparison to the personal computer, endpoint 104-s is particularly vulnerable because of the endpoint's inherent imbalance between its networking capacity and processing power. The imbalance means that a flood of packets can easily disrupt the processor of a packet-based phone before the phone's networking ability becomes impaired.
Firewalls are able to filter out some malicious packets and can be used in VoIP networks, similar to how they are used in computer data networks. The firewalls, either software or hardware in nature, are mainly deployed at the periphery of the network (i.e., the “network-edge”) to attempt to limit the number of malicious packets reaching the endpoints; for example, firewalls can be deployed at routers 105-1 through 105-Q and at gateways 106-1 through 106-R. However, implementing a firewall at a network-edge device is disadvantageous for various reasons. First, a network-edge firewall is only able to protect against malicious traffic that originates beyond the network's edge, not within the network itself. Second, as it often takes little added network traffic to disrupt a Voice-over-IP endpoint, a network-edge firewall might be inadequate to monitor traffic for each and every endpoint in a particular zone. And third, a network-edge firewall lacks specific knowledge that only an endpoint might have, thereby making the network-edge firewall an imperfect monitor of packets. As a result, firewalls that are “embedded” at the endpoints themselves are becoming increasingly necessary to effectively thwart malicious packet attacks.
It is important to integrate the software firewall process that executes at an endpoint with the pre-existing telephony applications at the endpoint in such a way as to avoid or minimize any adverse effects on the endpoint's performance.
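The two points above, the call-specific knowledge that only the endpoint has and the need to keep the embedded firewall cheap enough not to burden the endpoint's processor, as an added Python example that is not part of the patent text: a first-stage filter that admits media from the peer the endpoint learned during call setup and token-bucket-limits every other packet before the CODEC/telephony stack sees it. The addresses, ports, rate parameters and traffic mix are constructed sample values.

```python
from collections import namedtuple

# Illustrative endpoint-embedded filter (not the patent's own code).
Packet = namedtuple("Packet", "src_ip src_port t_ms")  # t_ms: arrival time, ms


class EndpointFilter:
    def __init__(self, rate_pps, burst):
        # Integer "millitokens" keep the arithmetic exact: a packet costs 1000,
        # and rate_pps packets/s refill exactly rate_pps millitokens per ms.
        self.rate_pps = rate_pps
        self.capacity = burst * 1000
        self.tokens = self.capacity
        self.last_ms = 0
        self.peers = set()  # (ip, port) pairs learned during call setup
        self.stats = {"peer": 0, "other": 0, "dropped": 0}

    def call_established(self, ip, port):
        self.peers.add((ip, port))

    def admit(self, pkt):
        """True if pkt may be passed up to the CODEC/telephony application."""
        if (pkt.src_ip, pkt.src_port) in self.peers:
            self.stats["peer"] += 1  # expected media costs no bucket tokens
            return True
        elapsed = pkt.t_ms - self.last_ms
        self.last_ms = pkt.t_ms
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate_pps)
        if self.tokens >= 1000:
            self.tokens -= 1000
            self.stats["other"] += 1  # unsolicited but within budget
            return True
        self.stats["dropped"] += 1  # flood traffic dropped before processing
        return False


def simulate_flood(rate_pps=50, burst=20, duration_ms=1000):
    """One second of a call: peer RTP every 20 ms, flood packet every 1 ms."""
    f = EndpointFilter(rate_pps, burst)
    f.call_established("10.0.0.7", 4000)  # constructed peer address
    for t in range(1, duration_ms + 1):
        if t % 20 == 0:
            f.admit(Packet("10.0.0.7", 4000, t))
        f.admit(Packet("198.51.100.9", 6000, t))  # constructed flood source
    return dict(f.stats)


if __name__ == "__main__":
    print(simulate_flood())  # {'peer': 50, 'other': 69, 'dropped': 931}
```

Every one of the 50 peer media packets reaches the telephony application, while the 1000-packet flood is cut to the bucket's burst plus refill (69 packets) by a per-packet check that is only a set lookup and a few integer operations.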