1. Field of the Invention
This invention relates generally to telecommunications call processing and in particular to a voice firewall that facilitates communication and provides protection for telephony components connected via a private network to a public network.
2. Description of Related Art
Interest in sending voice communications over the Internet has grown rapidly in recent years. The idea first became a reality with the introduction of Internet telephone software that was designed to run on a personal computer (PC) having a sound card, speakers, microphone, and a modem. The software compressed voice communications and encoded them into internet protocol (IP) packets for transmission over the Internet. Although this telephone software allowed two parties to communicate using the Internet as a transmission medium, both parties were required to use a PC running the telephone software.
Transmitting voice communications over the Internet (commonly referred to as voice over IP, or VoIP) presents many advantages. The most compelling is reduced cost. For telephone companies, a VoIP network carries voice communications more cheaply than a traditional circuit-switched telephone network because the available bandwidth is used more efficiently. A public switched telephone network (PSTN) reserves a 64 kilobit per second end-to-end circuit for each call for the entire duration of the call. A VoIP network carries many more calls over the same bandwidth because the voice data is compressed and sent as IP packets, so bandwidth is consumed only while packets are actually being transmitted rather than held for the whole call. The ability to carry more calls results in significant cost savings to the telephone company.
For the everyday user, VoIP communication reduces costs by allowing the user to bypass per-minute, long distance telephone charges over the PSTN. Currently, the only charge incurred while communicating over the Internet is a periodic charge, such as a monthly charge levied by the Internet Service Provider.
Since the first software packages enabling voice communication over IP networks, software and hardware developers have significantly enhanced the cost effectiveness and practicality of using VoIP. One of the most wide-reaching advances is the use of gateways to connect VoIP networks to traditional PSTNs. Gateways process voice signals to enable communication between VoIP devices and standard telephones on the PSTN.
IP telephones are very often connected to private networks, especially private LANs. Private LANs connected to public networks, such as the Internet, typically use a firewall to “hide” devices on the LAN from the outside world. A conventional firewall, such as a network address translation (NAT) firewall, allows all IP devices within a business to share a single public (i.e. Internet) IP address, while all the devices within the business LAN use private IP addresses. Devices on the LAN therefore cannot be addressed from outside it. This presents a problem for Internet telephony: a telephone on another private LAN, on a public network, or on the PSTN (via a gateway) that attempts to call an IP telephone on a private LAN has no address by which to reach it, and so cannot “see,” let alone communicate with, the IP telephone.
Referring to FIG. 1 in the drawings, the basic operation of a conventional firewall is described in more detail. A first device 11 such as a personal computer (PC) is located on a private LAN. First device 11 desires to communicate with a second device 15 that is located on a public network (i.e. Internet address space). A conventional firewall 21 forms a bridge between the private LAN and the public network. In a first step A, first device 11 sends an original user datagram protocol (UDP) packet to second device 15. The packet has a public destination address/port of 204.3.3.3:2000, associated with second device 15, and a private source address/port of 172.1.1.10:1000, associated with first device 11. A person having skill in the art will recognize that the actual IP addresses could vary and are shown for illustrative purposes only (172.1.1.10, for example, lies outside the 172.16.0.0/12 range that RFC 1918 reserves for private use). Since the packet's destination address is a public address and since firewall 21 is specified as the default gateway on first device 11, the packet is sent to firewall 21. Firewall 21 receives the packet and, because it is the first packet with this combination of source and destination address/port, creates a new session. The session records the source and destination address/port of the packet and allocates a port on the firewall for returning packets. In the illustrated case, the allocated return port is port 3000.
In step B firewall 21 relays the packet to the public network, but replaces the original source address/port with its own address and the return port allocated for the newly created session; the destination address/port is left unchanged. Second device 15 receives the packet and, because of the source address/port change, sees only the firewall's address/port and is entirely unaware of the address/port of first device 11.
In step C second device 15 responds by sending a return packet to what it believes is the original packet's source, namely the firewall address/port. Firewall 21 receives the return packet at port 3000, looks up the session associated with port 3000, and uses the recorded information to route the return packet to first device 11. In step D firewall 21 relays the return packet to first device 11, replacing the destination address/port given by second device 15 (i.e. the firewall address/port) with the address/port of first device 11.
The preceding operational description illustrates that the act of sending a packet from a local device opens a temporary “hole” in firewall 21 for packets returned to that device. The hole admits only packets addressed to the firewall address/port allocated for the session; any other packet arriving at the firewall is dropped. Whether the firewall additionally requires the return packet to originate from the session's recorded destination address/port varies between implementations; a firewall that checks only the allocated port will pass traffic from any public host that learns of that port. After a few minutes of inactivity, the hole is automatically closed.
As mentioned previously, a conventional firewall attached to a private LAN prevents the visibility of an IP telephone that is connected to the private LAN. Although an IP telephone on a private LAN could call an IP telephone on a public network, it could not call an IP telephone connected to another private LAN, because neither telephone is visible to the other: each can open a hole only in its own firewall, and neither has a public address at which the other's outbound packet could arrive. Similarly, an IP telephone would have difficulty connecting to a PSTN gateway at a service provider, since the service provider likely protects the devices on its network with a conventional firewall.
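The session behaviour of steps A through D, and the two-private-LAN case in the preceding paragraph, as an added illustration that is not part of the patent: a small Python model of a session-based NAT firewall using the addresses from FIG. 1. The firewall's own public address (198.51.100.1), the second firewall's address (203.0.113.1), the 120-second idle timeout and the restrict_remote switch are assumptions made for the example; the text gives none of them.

```python
from dataclasses import dataclass
from typing import Optional

Endpoint = tuple[str, int]          # (IP address, UDP port)


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: bytes


@dataclass
class Session:
    inside: Endpoint                # private source address/port, e.g. 172.1.1.10:1000
    remote: Endpoint                # public destination address/port, e.g. 204.3.3.3:2000
    return_port: int                # port allocated on the firewall, e.g. 3000
    last_seen: float                # simulated clock (seconds) of the last matching packet


class NatFirewall:
    """Session-based NAT: outbound traffic opens a hole, inbound traffic must match it."""

    IDLE_TIMEOUT = 120.0            # "a few minutes of inactivity"; assumed value

    def __init__(self, public_ip: str, first_port: int = 3000, restrict_remote: bool = True):
        self.public_ip = public_ip
        self.next_port = first_port
        # restrict_remote=True also requires the return packet to come from the session's
        # recorded remote; False models a firewall that checks only the allocated port.
        self.restrict_remote = restrict_remote
        self.by_inside: dict[tuple[Endpoint, Endpoint], Session] = {}
        self.by_port: dict[int, Session] = {}

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """Steps A/B: create the session on first use, rewrite the source to firewall:return_port."""
        key = (pkt.src, pkt.dst)
        s = self.by_inside.get(key)
        if s is None:
            s = Session(pkt.src, pkt.dst, self.next_port, now)
            self.next_port += 1
            self.by_inside[key] = s
            self.by_port[s.return_port] = s
        s.last_seen = now
        return Packet((self.public_ip, s.return_port), pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Steps C/D: forward only packets that hit an open hole; None means dropped."""
        if pkt.dst[0] != self.public_ip:
            return None
        s = self.by_port.get(pkt.dst[1])
        if s is None:
            return None                          # no session for this port: unsolicited
        if now - s.last_seen > self.IDLE_TIMEOUT:
            self._close(s)                       # hole closed after idle time
            return None
        if self.restrict_remote and pkt.src != s.remote:
            return None                          # not the endpoint this session was opened to
        s.last_seen = now
        return Packet(pkt.src, s.inside, pkt.payload)

    def _close(self, s: Session) -> None:
        del self.by_inside[(s.inside, s.remote)]
        del self.by_port[s.return_port]


# Addresses from the text; the firewall's public address (198.51.100.1) is assumed.
FW_PUBLIC = "198.51.100.1"
DEVICE_11: Endpoint = ("172.1.1.10", 1000)
DEVICE_15: Endpoint = ("204.3.3.3", 2000)


def walk_through() -> tuple[Packet, Optional[Packet]]:
    """Steps A-D of FIG. 1: outbound rewrite, then the return packet finding its way back."""
    fw = NatFirewall(FW_PUBLIC)
    b = fw.outbound(Packet(DEVICE_11, DEVICE_15, b"hello"), now=0.0)   # B: src -> fw:3000
    c = Packet(DEVICE_15, b.src, b"reply")                            # C: aimed at fw:3000
    d = fw.inbound(c, now=1.0)                                        # D: dst -> 172.1.1.10:1000
    return b, d


def unsolicited_is_dropped() -> Optional[Packet]:
    """A packet to the firewall with no prior outbound traffic hits no session."""
    fw = NatFirewall(FW_PUBLIC)
    return fw.inbound(Packet(DEVICE_15, (FW_PUBLIC, 3000), b"incoming call"), now=0.0)


def hole_closes_after_idle() -> Optional[Packet]:
    """The return packet is dropped once the session has sat idle past the timeout."""
    fw = NatFirewall(FW_PUBLIC)
    b = fw.outbound(Packet(DEVICE_11, DEVICE_15, b"hello"), now=0.0)
    return fw.inbound(Packet(DEVICE_15, b.src, b"late reply"), now=NatFirewall.IDLE_TIMEOUT + 1)


def third_party_reaches_hole(restrict_remote: bool) -> Optional[Packet]:
    """Whether a host other than device 15 can use the hole once it knows fw:3000 (constructed)."""
    fw = NatFirewall(FW_PUBLIC, restrict_remote=restrict_remote)
    b = fw.outbound(Packet(DEVICE_11, DEVICE_15, b"hello"), now=0.0)
    return fw.inbound(Packet(("198.51.100.77", 4444), b.src, b"not device 15"), now=1.0)


def two_private_lans_cannot_call() -> Optional[Packet]:
    """Two IP telephones, each behind its own firewall: the caller can address only the remote
    firewall's public address, where no session exists for the port it picks."""
    fw_a, fw_b = NatFirewall(FW_PUBLIC), NatFirewall("203.0.113.1")    # second firewall: assumed
    phone_a: Endpoint = ("172.1.1.10", 5060)
    on_wire = fw_a.outbound(Packet(phone_a, ("203.0.113.1", 5060), b"INVITE"), now=0.0)
    return fw_b.inbound(on_wire, now=0.0)
```

The model keeps two indexes into the same session table, one keyed by the inside source and destination (for outbound lookups) and one keyed by the allocated firewall port (for inbound lookups), which is the minimum a real NAT needs to perform steps B and D. `third_party_reaches_hole` makes the caveat concrete: with `restrict_remote=False` any public host that learns of port 3000 gets its packets delivered to device 11 for as long as the session stays open.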
A need exists, therefore, for a method of providing communication between two IP devices connected to different private networks. A need also exists for a method of providing communication between a provider endpoint at a provider location and a user endpoint at a user location where both the provider endpoint and the user endpoint are located behind conventional firewalls. Finally, a need exists for a voice firewall in the form of a computer program product that facilitates communication between the provider endpoint and the user endpoint.