A firewall is a hardware and/or software component or set of components that intercepts data and thereby restricts access between a protected network and outside networks such as the Internet. Based upon one or more security policies, a firewall makes decisions as to whether or not to pass data to/from the protected network.
Firewalls can generally be classified as falling into one of three categories. The most basic category is the packet filter, which works in the lower layers of the network protocol stack, namely the network layer and the transport layer. A packet filter examines the headers of all incoming and outgoing data packets and, based on pre-defined filtering rules, determines which packets will be allowed to pass. Filtering rules can be based on one or more header fields, including the protocol (for example TCP, UDP or ICMP), source and destination IP address, and source and destination port number. Because it inspects only headers and keeps no per-connection state, a packet filter is typically very fast, at least as compared to the other classifications of firewalls described below.
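The following is an added illustration of the packet filter described above, written for this page rather than taken from the original text: a stateless, first-match rule evaluator over the header fields a packet filter sees (protocol, addresses, destination port), with a default-deny policy. The rule set, the 10.0.0.0/8 private network and the packets are all assumed and constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical minimal packet model: only the header fields a packet filter looks at.
@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    proto: Optional[str]           # None matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: range                  # destination ports this rule covers

ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed private network

def ports(low: int, high: Optional[int] = None) -> range:
    """Inclusive port range helper; ports(443) covers just 443."""
    return range(low, (high if high is not None else low) + 1)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (
        (rule.proto is None or rule.proto == pkt.proto)
        and ipaddress.ip_address(pkt.src) in rule.src
        and ipaddress.ip_address(pkt.dst) in rule.dst
        and pkt.dport in rule.dports
    )

def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; anything unmatched is denied."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"

# Assumed inbound policy for the protected network.
INBOUND_RULES = [
    Rule("allow", "tcp", ANY, ipaddress.ip_network("10.0.0.10/32"), ports(443)),   # public web server
    Rule("allow", "udp", ANY, ipaddress.ip_network("10.0.0.5/32"), ports(5060)),   # SIP signalling
    Rule("deny", None, ANY, INTERNAL, ports(0, 65535)),                            # everything else
]

# Constructed packets, not captured traffic.
HTTPS_IN = Packet("tcp", "203.0.113.7", 51000, "10.0.0.10", 443)
SIP_IN = Packet("udp", "203.0.113.7", 5060, "10.0.0.5", 5060)
RTP_IN = Packet("udp", "203.0.113.7", 30000, "10.0.0.5", 20000)   # media for a call already set up
SSH_PROBE = Packet("tcp", "198.51.100.9", 40000, "10.0.0.10", 22)

if __name__ == "__main__":
    for pkt in (HTTPS_IN, SIP_IN, RTP_IN, SSH_PROBE):
        print(pkt, "->", filter_packet(INBOUND_RULES, pkt))
```

Each decision costs one pass over a short rule list and a handful of integer comparisons, which is where the speed comes from. Note that RTP_IN is denied even though it belongs to a call that was legitimately signalled on port 5060: nothing in the headers tells the filter that, and that limitation is the tension the rest of this section builds on.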
Another classification of firewall is the application proxy or proxy server. An application proxy operates at the upper levels of the protocol stack, such as the application layer and presentation layer, and provides proxy services on external networks for protected internal clients. The role of an application proxy is to communicate with external services on behalf of a client: it terminates the client's connection on the inside, opens a separate connection to the external service, and relays the application protocol between the two, which allows it to parse and validate the protocol content itself. While application proxies are more secure than packet filters, because they can enforce policy on what the application protocol carries rather than on packet headers alone, they are also much slower.
A third classification of firewall uses stateful packet inspection techniques, which track the state of each connection so that return traffic can be admitted without a static rule for it; such techniques do not form part of the present invention.
A feature which can be included in any of the three types of firewalls described above involves the use of Network Address Translation (NAT). Firewalls using NAT hide the internal network protected by the firewall by converting the private, internal address of the network into an "official" (publicly routable) address when packets are communicated across the firewall to the Internet, and by reversing that translation on the replies. A traditional firewall using NAT rewrites only the addresses and port numbers in the IP and transport headers; it usually only deals with information at the transport layer and network layer, not at the application layer, so an internal address carried inside a packet's payload is left unchanged.
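The following is an added illustration of the NAT behaviour just described, written for this page and not taken from the original text. A simulated source NAT keeps a translation table, rewrites the source address and port of outbound packets, maps replies back, and drops inbound packets with no mapping. It goes one step beyond the paragraph by showing the consequence of translating only the network and transport headers: the SIP INVITE's SDP body still advertises the private address and media port. The public address 198.51.100.1, the port assignment scheme and the SIP message are all assumed and constructed for the example.

```python
import itertools
from collections import namedtuple
from typing import Optional

# Hypothetical packet model: headers plus the raw application payload.
Packet = namedtuple("Packet", "proto src sport dst dport payload", defaults=[b""])

class SourceNat:
    """Source NAT at the firewall boundary: rewrites IP/transport headers only."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)   # assumed sequential port allocation
        self._out = {}   # (private ip, private port, proto) -> public port
        self._in = {}    # (public port, proto) -> (private ip, private port)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private network; create a mapping on first use."""
        key = (pkt.src, pkt.sport, pkt.proto)
        if key not in self._out:
            pub_port = next(self._next_port)
            self._out[key] = pub_port
            self._in[(pub_port, pkt.proto)] = (pkt.src, pkt.sport)
        # Only the source address/port change; the payload is copied through untouched.
        return Packet(pkt.proto, self.public_ip, self._out[key], pkt.dst, pkt.dport, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the mapping for a reply; packets with no mapping are dropped (None)."""
        target = self._in.get((pkt.dport, pkt.proto))
        if target is None:
            return None
        priv_ip, priv_port = target
        return Packet(pkt.proto, pkt.src, pkt.sport, priv_ip, priv_port, pkt.payload)

# Constructed SIP INVITE sent by 10.0.0.5 (not captured traffic). The SDP body
# tells the far end to send media to the caller's private address, port 20000.
INVITE = (
    b"INVITE sip:bob@example.net SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 10.0.0.5:5060\r\n"
    b"Content-Type: application/sdp\r\n\r\n"
    b"v=0\r\nc=IN IP4 10.0.0.5\r\nm=audio 20000 RTP/AVP 0\r\n"
)

def demo():
    nat = SourceNat("198.51.100.1")
    out = nat.outbound(Packet("udp", "10.0.0.5", 5060, "203.0.113.7", 5060, INVITE))
    # The signalling reply comes back to the translated port and is mapped correctly.
    reply = nat.inbound(Packet("udp", "203.0.113.7", 5060, "198.51.100.1", out.sport, b"SIP/2.0 100 Trying\r\n"))
    # Media sent to the public address at the port named in the SDP has no mapping and is dropped.
    stray = nat.inbound(Packet("udp", "203.0.113.7", 30000, "198.51.100.1", 20000, b"rtp"))
    return out, reply, stray

if __name__ == "__main__":
    out, reply, stray = demo()
    print("outbound header now", out.src, out.sport, "payload still names", b"10.0.0.5" in out.payload)
    print("reply delivered to", reply.dst, reply.dport, "| stray media dropped:", stray is None)
```

The translation table handles the signalling exchange correctly, but the SDP inside the INVITE still says 10.0.0.5:20000. The far end will therefore either address media to an unroutable private address or to the public address at a port for which no mapping exists, and the NAT drops it. Fixing that requires reading, and rewriting, the application payload, which is exactly what a header-only NAT does not do.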
Though originally designed for the transmission of data, IP networks are increasingly being used as an alternative voice communication tool. In recent years there have been many advancements and developments in the area of Internet applications for voice, facsimile, video, multi-media and voice-messaging for transport on an Internet Protocol network, rather than the Public Switched Telephone Network (PSTN).
Private networks of the type protected by one or more of the classifications of firewalls described above are increasingly being used to carry data packets for real-time Internet applications for voice, fax, video, multi-media and voice messaging calls. For voice calls, such real-time Internet applications are based on real-time Internet protocols such as H.323, MGCP, Megaco/H.248 and Session Initiation Protocol (SIP). Fax calls can be based on real-time Internet protocols such as T.38. Under these real-time Internet protocols, a call consists of a combination of signaling channels, which set up and tear down the call, control channels, which negotiate capabilities and media parameters, and bearer channels, which carry the voice, fax or video media itself. Each channel is created by and composed of a stream of data packets, and the addresses and port numbers used by the bearer channels are not fixed in advance but are negotiated, per call, inside the signaling and control channels.
The difficulty is that real-time Internet communications such as voice, fax and video are very much affected by delays in transmission. For example, passing a voice call that originates on a private network and communicates with a public network through an application proxy can render a useful VoIP communication difficult or impossible to achieve. An H.323 application proxy designed to pass H.323 type VoIP traffic must parse and relay every signaling, control and bearer packet and is therefore very processor intensive. Consequently, the service is slow and such a firewall cannot handle many VoIP calls simultaneously. The use of a packet filter, while much faster than an application proxy, is very insecure and is not an acceptable alternative: because the bearer channel ports are negotiated per call and are unknown to a header-only filter, it must leave a wide range of ports permanently open to let the media through at all.
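The following is an added example, written for this page and not taken from the original text, that makes the trade-off in the two preceding paragraphs concrete. It extracts the bearer (RTP) endpoint a caller offers in the SDP body of a SIP INVITE and compares two ways of admitting the media: the port range a header-only packet filter would have to hold open without reading the signaling, versus the single pinhole a firewall that parses the signaling can open for that call alone. The INVITE, the 16384 to 32767 range and the RTCP-on-port-plus-one convention are assumptions of the example.

```python
import re
from typing import Set, Tuple

# Constructed SIP INVITE leaving the private network (not captured traffic).
INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 10.0.0.5\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "m=audio 20000 RTP/AVP 0\r\n"
)

Pinhole = Tuple[str, str, int]   # (proto, destination ip, destination port)

def media_endpoint(sip_message: str) -> Tuple[str, int]:
    """Pull the offered RTP address and port out of the SDP body of a SIP message."""
    _headers, _sep, body = sip_message.partition("\r\n\r\n")
    conn = re.search(r"^c=IN IP4 (\S+)\r?$", body, re.M)
    media = re.search(r"^m=audio (\d+) RTP/AVP", body, re.M)
    if not conn or not media:
        raise ValueError("no audio offer in SDP body")
    return conn.group(1), int(media.group(1))

def static_filter_policy(host: str, low: int = 16384, high: int = 32767) -> Set[Pinhole]:
    """What a packet filter must open to deliver media to `host` without reading SDP:
    an assumed whole UDP range, for every call and for as long as the rule exists."""
    return {("udp", host, p) for p in range(low, high + 1)}

def application_aware_policy(sip_message: str) -> Set[Pinhole]:
    """What a firewall that parses the signaling opens: the negotiated RTP port and its
    RTCP companion (assumed to be port + 1), for this call only."""
    ip, port = media_endpoint(sip_message)
    return {("udp", ip, port), ("udp", ip, port + 1)}

def allowed(policy: Set[Pinhole], proto: str, dst: str, dport: int) -> bool:
    return (proto, dst, dport) in policy

# Constructed inbound packets: the legitimate media stream and an unsolicited probe.
LEGIT_RTP = ("udp", "10.0.0.5", 20000)
STRAY_UDP = ("udp", "10.0.0.5", 25000)

if __name__ == "__main__":
    wide = static_filter_policy("10.0.0.5")
    narrow = application_aware_policy(INVITE)
    print("packet filter opens", len(wide), "ports; stray probe passes:", allowed(wide, *STRAY_UDP))
    print("signaling-aware firewall opens", len(narrow), "ports; stray probe passes:", allowed(narrow, *STRAY_UDP))
```

Both policies let the negotiated media through; only the wide one also admits the probe, and it does so to every host it covers for as long as the rule is in place. The narrow policy is what the application proxy buys, and the cost is visible in the code: the signaling must be parsed and a per-call pinhole tracked, and a proxy that also relays the bearer packets themselves pays that cost on every media packet rather than once per call.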
A need therefore exists to provide the necessary speed for real-time Internet applications while not sacrificing system security.