Numerous network services are now available for communications on and between networks such as the Internet, wide area corporate networks as well as networks at a single site. Such services (also denoted “network services” herein) include firewall protection, network address translation (NAT), encryption/decryption, secure communication tunnels such as is provided in virtual private networks (VPN), file transfer protocol (FTP) services, voice over Internet protocol (VoIP), etc. For inter-network communication, these services are preferably performed at a small number of designated nodes on a network so that the services can be more easily maintained and supervised by network system administrators. In particular, for inter-network communication, these services may be concentrated at substantially only nodes of a network, wherein such nodes directly interface with other networks. One particular type of such network interface nodes at which such services are concentrated is known as a “gateway”, wherein each such gateway node performs one or more of the above-identified services as well as routes communications between the networks to which the gateway node is connected (e.g., has a corresponding network address thereon). Thus, such gateway nodes may be considered as value added intermediaries that provide enhanced communications (e.g., more secure, and/or more reliable communications) between two parties on different networks that communicate via the gateway.
Referring to FIG. 1, heretofore such a gateway (e.g., gateway node 20) may provide network services such as those described above for data transmissions between the networks 14, 16, and 18 connected to the gateway. In particular, such services are generally applied for the benefit of users in certain predetermined networks (denoted “internal” networks herein), e.g., networks 14 and 16 in FIG. 1. Thus, for IP transmissions from the “external” network 18 that are bound for an IP address in one of the networks 14 and 16 (via the gateway 20), such network services can be applied by the gateway. However, the application of such network services has been limited and inflexible.
Prior to providing further description of such prior gateway limitations and inflexibility, the notation of FIG. 1 is briefly described. Representative IP addresses in FIG. 1 are shown as call-outs for many of the interfaces between network components. As one skilled in the art will understand, there is a unique IP address for each end of each communication path between any two network components. Thus, referring to the communications link between router 32 and router 48 of the network 14, the router 48 knows the router 32 by the IP address 12.1.2.2, and the router 32 knows the router 48 by the IP address 12.1.2.1. Additionally, the routers 24, 32, and 36 that are directly connected to the gateway node 20 have respective IP addresses 172.16.1.1, 194.176.1.14, and 192.168.1.32.
The gateway node 20 of FIG. 1 may be substantially isolated from changes to IP addresses external to networks 14 and 16 by the router 24. For example, the routing table 28 at the gateway node 20 has explicit routing information only for destination IP addresses: (a) in the IP address range 11.1.2.0/24 (i.e., the 254 IP addresses 11.1.2.1 through 11.1.2.254, as one skilled in the art will understand) for routing via router 32 (having IP address 194.172.1.14), and (b) in the IP address range 10.1.1.0/24 (i.e., the 254 IP addresses 10.1.1.1 through 10.1.1.254) for routing via the router 36 (having IP address 192.168.1.32). Thus, for any IP transmission encountered having a destination IP address not in the above ranges (a) and (b), the gateway node 20 assumes the IP transmission is for a destination external to the networks 14 and 16. Accordingly, the gateway node 20 routes such an IP transmission to a default route, which in the present case routes the transmission to the router 24 (i.e., IP address 172.16.1.1). Note that the router 24 is typically a network device on the Internet side of the gateway node 20. Thus, for an IP transmission that has endpoint 40 of network 18 as its destination, the gateway node 20 does not have an IP address range covering the endpoint 40, but the gateway is still able to route the transmission to the router 24.
Heretofore, however, such gateway node 20 has not been isolated from network changes within the corresponding network(s) (e.g., 14 and 16 in FIG. 1) for which it provides network services. For example, for an IP transmission from endpoint 40 to, e.g., user station 44 having IP address 11.1.2.2, if the router 48 network connection is modified so that this router connects directly to the gateway node 20 and no longer connects to router 32, then the routing table 28 at the gateway must be changed, replacing the entry <11.1.2.0/24 194.172.1.14> with the entry <11.1.2.0/24 12.1.2.1>. Otherwise, the IP transmission will not reach user station 44. Unfortunately, requiring the gateway node 20 to perform such detailed routing implies that, for at least large networks, frequent routing table 28 changes can be required.
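As an added illustration (not part of the original disclosure), the following models routing table 28 of FIG. 1 as a longest-prefix lookup with a default route, and shows why re-homing router 48 forces the table edit just described: the stale entry still selects router 32, which no longer reaches 11.1.2.0/24. The external address used for endpoint 40 and the per-hop reachability map are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Routing table 28 as described for FIG. 1: (destination prefix, next-hop IP).
# Next hops follow the routing table description: router 32 (194.172.1.14),
# router 36 (192.168.1.32), and router 24 (172.16.1.1) as the default route.
ROUTING_TABLE_28: List[Tuple[str, str]] = [
    ("11.1.2.0/24", "194.172.1.14"),   # toward user station 44 via router 32
    ("10.1.1.0/24", "192.168.1.32"),   # toward network 16 via router 36
]
DEFAULT_ROUTE = "172.16.1.1"            # router 24, Internet side of gateway 20


def next_hop(table: List[Tuple[str, str]], destination: str,
             default: str = DEFAULT_ROUTE) -> str:
    """Longest-prefix match over `table`; fall back to the default route."""
    dst = ipaddress.ip_address(destination)
    best: Optional[Tuple[int, str]] = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix, strict=True)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    return best[1] if best else default


def replace_entry(table: List[Tuple[str, str]], prefix: str,
                  new_hop: str) -> List[Tuple[str, str]]:
    """Return a copy of `table` with the next hop for `prefix` replaced.

    This is the manual edit the text says gateway 20 needs when router 48
    is connected directly to the gateway instead of to router 32.
    """
    if not any(p == prefix for p, _ in table):
        raise KeyError(f"no routing entry for {prefix}")
    return [(p, new_hop if p == prefix else h) for p, h in table]


def delivered(table: List[Tuple[str, str]], destination: str,
              reach: Dict[str, List[str]], default: str = DEFAULT_ROUTE) -> bool:
    """True if the selected next hop is still connected toward `destination`.

    `reach` (constructed for this example) maps a next-hop IP to the
    prefixes it can currently forward to.
    """
    hop = next_hop(table, destination, default)
    dst = ipaddress.ip_address(destination)
    return any(dst in ipaddress.ip_network(p) for p in reach.get(hop, []))
```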
Additionally, heretofore there has been no effective way to configure a gateway node 20 so that the routing decision for an IP transmission is determined based upon what gateway supplied network services (e.g., firewall protection, NAT, encryption/decryption, VPN, FTP, VoIP, etc.) are applied to the IP transmission. At most, such a prior art gateway node 20 may have specified gateway services performed depending on the source (e.g., originating IP address) of an IP transmission, or on an IP destination address determined by the gateway 20. For example, such a gateway node 20 may have been configured so that a particular set of network services is applied to IP transmissions whose source is external to the networks 14 and 16. Additionally, such a gateway node 20 may have been configured so that a second set of network services could be applied to intra-network IP transmissions (e.g., between user station 44 and user station 52). However, since there has been no effective way to configure a gateway node 20 to make its routing decision for an IP transmission based upon what gateway supplied network services are performed, routing configuration changes are always required when new networks are added that need these network services.
Accordingly, it is desirable to provide enhancements to gateway nodes 20 wherein such enhancements both isolate such gateways from substantially all network addressing changes (i.e., both internal and external network addressing changes), and also provide enhancements so that such gateways can selectively route inter-network communications according to the services applied to such communications.
Terms and Descriptions
Data Packet: A single network frame transmission from one network endpoint to another. The term “data packet” is typically contrasted with a “voice packet” by the presumption that the delivery of data packets is less time-sensitive than the delivery of voice packets to achieve a productive level of communication.
Denial of Service Analysis: An analysis of network communications for detecting an illicit application that is transmitting certain types of requests to a user station (e.g., an IP telephone) so that the telephone becomes effectively non-responsive to one or more legitimate network requests. For example, the illicit application might send a high volume of requests, or requests that are known to reset the user station.
DiffServ bits: The six most-significant bits (MSB) of the ToS field of IPv4, as one skilled in the art will understand.
DMZ zone: For a given organization or company, a DMZ zone (demilitarized zone) is a collection of one or more networks, wherein each network (N) of the networks allows users of the network N to access a public network (e.g., the Internet), and/or the network N provides a service that is publicly available to at least one party outside the organization or company. For example, the network 14 (FIGS. 1 and 2) may provide access to a particular Internet page(s), or provide network access to customer support personnel. Additionally, users of the network 14 may need to access a public network for email, file transfer protocol (FTP) data transfers, Internet web servers, etc.
GRE: Generic Routing Encapsulation, a tunneling protocol developed by Cisco Systems Inc. that encapsulates a wide variety of protocol packet types inside an IP packet.
H.323: An ITU standard suite of IP-based protocols used for VoIP call signaling (e.g., for call setup, negotiation and call teardown, as one skilled in the art will understand).
H.323 Gatekeeper: A network entity that controls H.323 endpoints (e.g., IP Phones). The primary functions of the H.323 Gatekeeper are to control which H.323 endpoints are admitted to the network (by authenticating those endpoints), and to translate logical addresses (e.g., a phone extension: 123) to the corresponding IP addresses supporting that extension (e.g., to an IP address: 10.0.0.1).
H.323 Proxy: A network entity that establishes H.323 Call Signaling connections (i.e., TCP connections) on behalf of an H.323 endpoint (e.g., an IP Phone).
H.323 Session: An ongoing VoIP call signaling connection (i.e., TCP connection) between an H.323 endpoint (e.g., an IP Phone) and an H.323 Gatekeeper.
ITU: Abbreviation for International Telecommunications Union, which is a standards body established by the United Nations to set international telecommunications standards.
Insecure zone: For a given organization or company, an insecure zone is a collection of one or more networks, wherein communications with each of the networks cannot be assumed to be secure. For example, there may be no guarantee (without taking explicit actions to provide such a guarantee) that communications with a source from an insecure zone are not being intercepted or spoofed, or are free of viruses, worms, malware, and/or spyware. There may additionally be no assurance that such communications are even from the intended source. Typically, the insecure zone will include the Internet and/or any other publicly accessible network whose access cannot be controlled by the organization or company.
RTP: Abbreviation for Real Time Protocol, which is a UDP-based protocol for carrying media streams (e.g., voice, video, multi-media), as one skilled in the art will understand.
RSVP: Abbreviation for Resource Reservation Protocol, which is a protocol used to provide quality of service (QoS) services. RSVP is an “end-to-end” protocol where each device in the network path between (and including) the endpoints participates in the RSVP negotiation to reserve the resources necessary (e.g., bandwidth and DSPs) to deliver the agreed-upon level of service.
Secure zone: For a given organization or company, a secure zone is a collection of one or more networks, wherein each network is only accessible by known and authorized users (e.g., company employees). Typically, unauthorized access will be denied, and firewalls will be in place to prevent certain types of communications from entering the network (e.g., communications with executable downloads, scripts, viruses and/or advertising). Moreover, communication external to the secure zone may be via a virtual private network (VPN), as one skilled in the art will understand.
Semi-Secure zone: For a given organization or company, a semi-secure zone is a collection of one or more networks, wherein communications on each network are desired to be as secure as those on networks identified as being included in a secure zone. However, networks of a semi-secure zone use a transmission medium that may be more vulnerable to attack than another medium due to, e.g., the ease of interception of the network communications. For example, a network in a semi-secure zone may be partially or wholly wireless, such as a wireless LAN. Accordingly, communications on such a network are likely to be encrypted, or encrypted with stronger encryption than communications with a network of another zone.
Stateful Inspection: The ability of a network device, typically a firewall, to retain “state” information about ongoing network sessions. When a packet is allowed to traverse a stateful firewall according to the firewall's rules, the firewall will only permit return traffic that would normally be sent in response to the original packet from the original packet's destination.
ToS field: The second byte of the IP header in IPv4.
Zone: A collection of one or more communication networks that communicate with a network gateway via a single router, wherein each of the networks have a common security classification related to the security of communications from nodes of the networks to the gateway.