The invention relates generally to telecommunications access control systems and more particularly, to a system and method which permits an in-line device to power-up and assume control of calls.
A telecommunication firewall, such as the device described in U.S. Pat. No. 6,249,575 entitled TELEPHONY SECURITY SYSTEM, is a recently developed device that protects an organization's data network from access via telephony resources. Rogue modems installed without the knowledge or authorization of an organization's IT personnel make an organization's data network vulnerable to access by unscrupulous persons, both inside and outside the organization, via the Public Switched Telephone Network (PSTN). For example, an incoming modem call to an extension dedicated for only voice or fax use is indicative of a possible hacking attempt or of a rogue modem installed on the extension. Similarly, an outgoing modem call from an extension dedicated for only voice or fax use is indicative of a rogue modem and possible unauthorized activity within the private network. A telecommunications firewall monitors incoming and outgoing calls via line sensors installed on trunks between the Central Office (CO) and the Private Branch Exchange (PBX). The line sensor operates in a continuous loop, examining the data stream and determining call attributes (such as call source, destination and call content-type) as the data stream passes through the line sensor. In accordance with a user-defined security policy, the line sensor autonomously denies violating calls and notifies IT personnel for appropriate follow-up.
Once installed, the line sensor signal receiving and transmitting circuitry is in-line with the trunk. When the line sensor switches on-line, it electrically receives and digitally regenerates the data traveling in both the transmit side and the receive side of each communication channel. In order to enforce the security policy, the line sensor must assume control of the data stream on each channel. If the trunk uses Channel Associated Signaling (CAS), gaining control of the call entails gaining control of the A/B bits transmitted between the CO and PBX. CAS uses specific bits of specific subframes to convey line state information that is analogous to "on-hook" and "off-hook". Depending on the protocol used, a bit value of one generally corresponds to off-hook or "loop current flowing", and a bit value of zero generally corresponds to on-hook or "no loop current". It is highly desirable that the line sensor achieve control of the A/B bits in a manner that will not disrupt ongoing A and B signaling, nor confuse the CO or PBX as to the line state, thereby inadvertently causing the call to be dropped.
Unfortunately, when the line sensor comes on-line, the state of the calls on each channel of the trunk is unknown. It is possible to preset the line sensor to transmit a default set of A/B bit values on each channel, but it is difficult to anticipate what the line state on each channel will actually be when the line sensor comes on-line. Calls would be disrupted on any channel whose A/B bit values did not correspond with the preset default set of A/B bit values transmitted by the line sensor. It is inevitable that preset default values will be incorrect on some channels, thereby resulting in some percentage of disrupted calls and user inconvenience.
Therefore, what is needed is a system and method whereby an in-line device powers-up and assumes control of calls on a trunk without disrupting ongoing call activity.
The present invention, accordingly, is a system and method that allows an in-line device to step into the data stream of a communication channel and assume control of the data on a channel in a phased and progressive transition of its hardware and software in a manner so as to be transparent to both the CO and the PBX, and thereby avoid disruption of ongoing call activity.
To this end, in the preferred embodiment, the telecommunications firewall line sensor is installed in-line on the PBX side of the demarcation line. When the line sensor is off-line, all data in each channel of the trunk passes "untouched" through the line sensor so that normal call activity is not affected. When the line sensor switches on-line, the line sensor intercepts and digitally regenerates the data traveling between the CO and PBX. At this time, the line sensor determines the line state (A/B bit value) of each channel on the trunk. As the line state for each channel is determined, the line sensor reconfigures itself and overwrites the A/B bits in the received data with identical A/B bit values in the transmitted data, thereby successfully gaining control of the A/B bits transmitted.
Once the line sensor establishes control over the A/B bits, the line sensor is capable of either overwriting the transmitted data with identical A/B bits, or of overwriting the transmitted data with altered A/B bits, whichever is required to enforce the security policy. In other words, if the security policy allows a call, the line sensor overwrites the A/B bits with identical bit values and the regenerated data is identical to the data received. If the line sensor determines a call is in violation of the security policy and the call is to be denied, the line sensor regenerates the received data, but overwrites the A/B bits with bits that will signal to the CO and PBX that the call has ended, thereby terminating the call.
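The following is an added illustration, not part of the patent, modelling the phased takeover just described as a per-channel state machine: off-line passthrough, a learning step that mirrors the observed A/B bits so the CO and PBX see no change, and a controlled state that either regenerates identical bits or forces on-hook to end a denied call. The class and function names, the 0 = on-hook convention, and the 24-channel trunk are assumptions; `disrupted_by_preset` shows why a fixed power-up default would drop calls.

```python
# Added example, not from the patent: per-channel state machine for the
# phased A/B-bit takeover; names and protocol convention are assumptions.
from enum import Enum

ON_HOOK = (0, 0)   # assumed convention: 0 = no loop current
OFF_HOOK = (1, 1)  # 1 = loop current flowing

class Phase(Enum):
    OFFLINE = 1     # data passes through the sensor untouched
    LEARNING = 2    # on-line and regenerating, line state not yet known
    CONTROLLED = 3  # A/B bits in transmitted data are sourced by the sensor

class Channel:
    def __init__(self):
        self.phase = Phase.OFFLINE
        self.ab = None        # last A/B bits observed in received data
        self.denied = False   # set when policy says the call must end

    def regenerate(self, rx_ab):
        """Return the A/B bits to place in the regenerated (tx) data."""
        if self.phase is Phase.OFFLINE:
            return rx_ab                       # untouched passthrough
        self.ab = rx_ab                        # observe the line state
        if self.phase is Phase.LEARNING:
            # Mirror what was seen: CO and PBX observe no change, yet the
            # transmitted bits now originate from the sensor
            self.phase = Phase.CONTROLLED
            return rx_ab
        # CONTROLLED: identical bits if allowed, on-hook to end a denied call
        return ON_HOOK if self.denied else rx_ab

class LineSensor:
    def __init__(self, channels=24):           # assumed: 24 DS0s on a T1
        self.channels = [Channel() for _ in range(channels)]

    def go_online(self):
        for ch in self.channels:
            ch.phase = Phase.LEARNING

    def deny(self, index):
        self.channels[index].denied = True

    def process_frame(self, rx_frame):
        """rx_frame: one (A, B) tuple per channel; returns the tx bits."""
        return [ch.regenerate(ab) for ch, ab in zip(self.channels, rx_frame)]

def disrupted_by_preset(rx_frame, preset=ON_HOOK):
    """Channels whose call a fixed power-up preset would have dropped."""
    return [i for i, ab in enumerate(rx_frame) if ab != preset]
```

Feed `process_frame` one constructed frame per signaling interval; the first on-line frame is mirrored unchanged, and only after that can `deny` alter a channel's bits.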
A technical advantage achieved with the invention is the ability for an in-line device to autonomously switch on-line and assume control of ongoing communications on a trunk without disrupting call activity,