When a private network is connected to a public network, such as the Internet, precautions must be taken to ensure that unauthorized use of private data and facilities does not occur. However, it is necessary to allow desired connections to Internet services. To allow connectivity to the external network while maintaining security of the private network, perimeter security devices, such as firewalls, have been developed and deployed.
Perimeter security devices allow information to pass from within the private network to the intended target using standard protocols. All transmissions from outside of the private network are captured and screened by the perimeter security device. If the transmission is legitimate, the transmission is routed to the appropriate device on the private network. If not, the transmission is blocked. This rather simple process is adequate for some types of transmissions, but many transactions require much more sophisticated connections.
For example, the security perimeter device must allow negotiated services to flow between the end-points based on the negotiated parameters until the bearer session is taken down. Examples of these types of services are Voice Over IP (VOIP) and streaming audio or video. These types of connections are established using control plane protocols, such as Session Initiation Protocol (SIP), Session Description Protocol (SDP), Real-Time Streaming Protocol (RTSP), and HyperText Transfer Protocol (HTTP), to set up traffic using associated high-speed bearer plane protocols. The security perimeter device must understand the specific control plane protocols in order to know when to allow bearer plane traffic (for example VOIP or streaming audio) for a given user.
An example of setting up a session using SIP is shown in FIG. 1. In this example, a user A at mobile phone 10 wants to set up a VOIP connection with the mobile phone 12 of user B. Mobile phone 10 sends a setup request 14 to a SIP gateway 16. The SIP gateway 16 determines the location of mobile phone 10 and sends a setup request 18 including the multimedia parameters needed for the session. Mobile phone 12 then accepts, modifies or rejects those parameters in a setup response 20. A relayed setup response 22 is then passed to cell phone 10 by the SIP gateway 16. Assuming the setup is properly negotiated, a bearer plane multimedia session link 24 is established between mobile phone 10 and mobile phone 12.
An example of setting up a streaming media session is shown in FIG. 2. In this example, the user of mobile phone 30 is selecting a streaming video by selecting a hypertext link using her Web browser. The HTTP-based request 32 is sent to Web server 34. Web server 34 returns an SDP channel and address description 36. Using this information, mobile phone 30 negotiates 38 a link 40 with streaming server 42 by which it receives the requested streaming video. RTSP is also a protocol used for the setup of multimedia sessions such as video and/or audio streaming. SIP and RTSP are “control plane protocols” that are completely independent from the multimedia services they set up and control. The protocols used for the multimedia services themselves are also known as “bearer plane protocols”.
Firewalls in use today include facilities for dealing with these complex protocols. These firewalls apply security policies based on the session state, including both the control and bearer plane traffic for a given user session. Control plane traffic, such as RTSP, SIP and SDP, is intercepted so that negotiated port numbers (the port numbers used by both ends of the communication link), sometimes the IP address of the destination end-point of the communication, and the multimedia characteristics used during the communication (for example, voice in one direction and video in the other) can be captured. The firewall will then only allow traffic that complies with the negotiated parameters. These in-line security devices must also understand when the session is terminated so that they can stop allowing traffic between the original end-points of the communication link. The key to the ability of these security devices to perform their function is to remember specific characteristics (session state) of a user session in order to apply appropriate security measures. The control plane information is required because the logic that remembers and processes the bearer traffic must be local to the security device itself. This information allows the firewall to respond properly to traffic on this session and to determine when the session has been closed. However, major installations may include large numbers of firewalls. In addition, networks serving mobile users, such as mobile phones, may require multiple firewalls that are separated by geography and other factors.
An example of such a network is shown in FIG. 3. Mobile device 50 connects to WAN network 54 via access network 52. Access network 52 includes all of the necessary equipment to provide the cell phone connection, such as antenna towers, codecs, management network, etc. Access network 52 routes data connections to WAN network 54 via routers such as routers 56 and 58. WAN network 54 connects to the Internet 64 via either firewall A 60 or firewall B 62.
When the mobile user wants to make a VOIP call to mobile phone 66, control plane signals are passed through firewall A 60, through the Internet to firewall 68 and on to mobile phone 66 through that user's access network 70. The connection is negotiated and the state of the connection is stored in firewall 60 and firewall 68. The VOIP traffic is then carried on the negotiated bearer link through firewall 60 and firewall 68.
However, in situations where firewall 60 fails, no traffic will be allowed to go through another security device, such as firewall 62, even if another geographically redundant security device is available and both bearer and control traffic can be redirected through it. The only way to recover from this state of affairs is to take the entire session down (the voice conversation is dropped or the streaming video is stopped) and restart the session via the new security device.
An even worse scenario is a situation where network operators (Internet Service Providers) have multiple exit/entry points to the Internet and allow traffic to exit/re-enter from the least congested one. However, control and bearer traffic are required to go through the same security device. In this case, the internal management systems of the WAN 54 may send the bearer traffic to firewall 62. However, since firewall 62 has no information regarding the state of the established link, the transmission will be blocked and the VOIP connection will fail.
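As an added illustration (not part of this document), the following Python model shows the behaviour described above: a firewall that parses the SDP carried in the SIP exchange to open bearer-plane pinholes and closes them on session teardown, and the failure in which a second, geographically redundant firewall that holds no session state blocks the bearer traffic. The addresses, ports and the state-replication step are constructed assumptions.

```python
import re

# Constructed SIP/SDP bodies (sample addresses and ports, not from the page)
OFFER = "v=0\r\nc=IN IP4 10.0.0.10\r\nm=audio 49170 RTP/AVP 0\r\n"
ANSWER = "v=0\r\nc=IN IP4 203.0.113.5\r\nm=audio 3456 RTP/AVP 0\r\n"


class StatefulFirewall:
    """Model of a control-plane-aware firewall: it learns bearer-plane
    pinholes from the SDP carried in SIP and permits only matching RTP."""

    def __init__(self, name):
        self.name = name
        self.pinholes = set()  # session state: (src_ip, src_port, dst_ip, dst_port)

    @staticmethod
    def parse_sdp(body):
        """Return (ip, port) from the c= line and first m=audio line of an SDP body."""
        ip = re.search(r"^c=IN IP4 (\S+)", body, re.M).group(1)
        port = int(re.search(r"^m=audio (\d+) RTP/AVP", body, re.M).group(1))
        return ip, port

    def _session_key(self, offer, answer):
        a_ip, a_port = self.parse_sdp(offer)
        b_ip, b_port = self.parse_sdp(answer)
        return {(a_ip, a_port, b_ip, b_port), (b_ip, b_port, a_ip, a_port)}

    def inspect_control(self, offer, answer):
        """Seen on the control plane (INVITE + 200 OK): open pinholes both ways."""
        self.pinholes |= self._session_key(offer, answer)

    def close_session(self, offer, answer):
        """Seen on the control plane (BYE): stop allowing the bearer traffic."""
        self.pinholes -= self._session_key(offer, answer)

    def allow_bearer(self, src_ip, src_port, dst_ip, dst_port):
        """A bearer packet is forwarded only if it matches negotiated parameters."""
        return (src_ip, src_port, dst_ip, dst_port) in self.pinholes


def failover_scenario(share_state):
    """Control plane passes through firewall A only; bearer then arrives at B.
    Returns (A allows bearer, B allows bearer)."""
    fw_a, fw_b = StatefulFirewall("A"), StatefulFirewall("B")
    fw_a.inspect_control(OFFER, ANSWER)
    if share_state:
        fw_b.pinholes = set(fw_a.pinholes)  # hypothetical state replication to B
    packet = ("203.0.113.5", 3456, "10.0.0.10", 49170)  # inbound RTP from B's phone
    return fw_a.allow_bearer(*packet), fw_b.allow_bearer(*packet)
```

Without replicated state, firewall B drops the negotiated RTP exactly as the text describes for firewall 62; with the session table copied, both devices forward it.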
Operators utilize very complicated routing architectures that are difficult to deploy, maintain and support in order to overcome the requirement that both bearer and control traffic use the same security device for a given user session. Hence these security devices are tightly coupled to the routing topology of the network in which they operate. Any change to the topology will have an immediate impact on the ability of the device to operate correctly.
Even with these complex routing architectures, routing must be designed to ensure that the same set of firewalls is used to exit and re-enter a given network. This poses problems in the following scenarios:
Failure in a single exit/entry point for a data network that provides geographically redundant access for the following types of traffic:
- TCP/IP: maintaining state across geographically deployed firewalls. Applications: Web browsing, any HTTP-based application.
- RTSP/RTP: dynamically assigning UDP ports (for inbound, network-initiated connections) across geographically deployed firewalls. Applications: audio/video streaming.
- SIP/RTP: dynamically assigning UDP ports for peer-to-peer communication. Applications: PTT, VOIP.
As we will see, however, the very strength of IP routing becomes the biggest challenge for security devices such as firewalls. IP routing ensures that between any two communicating endpoints, IP packets are free to take the “best” path to reach each other, and this path can change during the course of communication. This flexibility of IP routing presents challenges for in-line security devices such as stateful firewalls (see FIG. 3).