CN100379231C - A multimedia communication safe proxy gateway and safety proxy method - Google Patents

Publication number: CN100379231C
Authority: CN (China)
Legal status: Expired - Fee Related
Application number: CNB2003101020004A
Other languages: Chinese (zh)
Other versions: CN1610340A (en)
Inventors: 朱志祥, 黄廷学, 许成鹏, 李燕
Current assignee: XIYOU SHUANGWEI COMMUNICATION TECHNOLOGICAL CO Ltd XI'AN CITY
Original assignee: XIYOU SHUANGWEI COMMUNICATION TECHNOLOGICAL CO Ltd XI'AN CITY

Abstract

The present invention relates to a multimedia communication security proxy gateway and a security proxy method. Combined with firewall technology, it allows multimedia communication to pass through the firewall without lowering the firewall's security. The security proxy gateway comprises an H.323 protocol control module, a data relay module, a security control module and a gatekeeper module, and is located at the point where the internal network and the external network interconnect; the firewall is located at that same point. The proxy method of the invention comprises the following technologies: coordinated port control between the proxy module and the gatekeeper module; configuring each standard multimedia communication terminal with the gatekeeper IP address of the local multimedia communication security proxy gateway, so that the terminal automatically senses the security proxy gateway; and media routing, whereby IP media streams are routed through the multimedia communication security proxy gateway for security filtering and forwarding, while IP data streams are routed through the firewall in the conventional data communication mode.

Description

Multimedia communication security proxy gateway and security proxy method
Technical field
The present invention relates to a method of multimedia communication security proxying, and more precisely to a multimedia communication security proxy method based on the H.323 protocol and to a multimedia communication security proxy gateway using this method, which may also be called an H.323 security proxy gateway. Combined with firewall technology and equipment, it allows multimedia communication to pass through a firewall without reducing the firewall's security.
Background technology
With the development of broadband IP network technology, multimedia communication services are becoming increasingly widespread. Multimedia communication services have become one of the planning and construction goals of broadband IP networks.
On the one hand, broadband networks can conveniently provide efficient online video on demand, video telephony and video conferencing, e-commerce, online office work, telemedicine, distance education and so on, and these require a high degree of openness; on the other hand, under an open interconnected network environment, the resource security of the internal network urgently needs protection. The most common security method is to install a firewall between the intranet and the extranet, and this requires that all multimedia services carried over the broadband network must pass through the firewall, including services from outside to inside and services from inside to outside.
Traditional IP networks, whose main application was data, are changing into integrated service networks in which multiple media such as data, audio, video and images coexist. Data communication requires high reliability but no real-time behaviour, for example HTTP, FTP (file transfer protocol) and BBS (bulletin board systems); audio and video communication is the opposite: its reliability requirement is not high, but it is very sensitive to real-time behaviour, for example IP telephony and video conferencing.
The H.323 protocol is the IP multimedia communication protocol formulated by the ITU (International Telecommunication Union). Most current IP telephony and video conferencing products adopt this protocol, so H.323 is the most important IP multimedia communication protocol. However, because of the complexity of H.323, IP telephony and video conferencing services based on standard H.323 face the following difficulties when traversing a firewall:
1. A single H.323 call (for example a voice call) comprises multiple connections that differ over time; for example there are at least two TCP (transmission control protocol) connections. Of all these connections, only the standard call setup connection, which uses Q.931, uses a fixed port; all the others use transient ports, that is, ports that change dynamically. Because the range is large and the IP addresses and port states of the internal terminals cannot be predicted in advance, the packet filtering scope would have to be opened too wide, which the firewall cannot do without neglecting the security of the internal network;
2. Calls must be initiated from both the inside and the outside of the firewall. For multimedia services such as IP telephony and video conferencing based on H.323, an external user must be able to set up a call directly with a user of the internal system. Traditional data communication generally only requires calls from inside the network to the outside; the firewall can temporarily remember the outgoing call and so correctly return the reply to the initiator;
3. The IP addresses and port numbers involved in H.323 communication are exchanged during the preceding stage of the call process: the port number of the H.245 connection is exchanged in the Q.931 data stream, and the port numbers of RTP (real-time transport protocol) and RTCP (real-time transport control protocol) are exchanged in the H.245 session. The firewall cannot handle this situation directly.
In summary, on the one hand, allowing IP multimedia communication services to traverse the firewall without reducing the security of the network system is a problem that must be solved if multimedia is to be widely applied; on the other hand, although different types of firewalls differ in operating principle, in the mechanism by which they achieve security and in the level of security they reach, none of them supports H.323-based multimedia communication well. The multimedia communication security proxy method proposed by the present invention is put forward to address this problem.
Summary of the invention
The object of the invention is to design a multimedia communication security proxy gateway and security proxy method based on the H.323 communication protocol which, combined with firewall technology, allow multimedia communication to pass through the firewall without reducing the firewall's security.
The technical scheme that realizes the object of the invention is as follows: a multimedia communication security proxy gateway located at the point where the internal network and the external network interconnect, a firewall also being provided at that point, characterized in that:
The multimedia communication security proxy gateway comprises an H.323 protocol control module, a data relay module, a security control module and a gatekeeper module. Because the IP address of this gatekeeper module is configured on the multimedia communication terminals, the terminals automatically register with the gatekeeper module and automatically sense the gateway during the call process. The H.323 protocol control module parses the H.323 call signaling up to the application layer, after which the security control module and the gatekeeper module perform security access control; when the multimedia connection is determined to be trustworthy, the gatekeeper module directs the call onto the corresponding secure media channel according to the corresponding policy, and after call setup the data relay module proxies the multimedia data with as little delay as possible.
The security access control performed by the security control module and the gatekeeper module comprises: the gatekeeper module judges according to the security policy whether a given multimedia connection is trustworthy and notifies the security control module of the result; the security control module then blocks or passes the connection. If the multimedia connection is untrusted, the connection is blocked; if it is trusted, the gatekeeper module directs the call onto the corresponding secure media channel according to the corresponding policy.
Judging according to the security policy comprises:
Two fixed ports of the proxy module formed by the H.323 protocol control module, the security control module and the data relay module are open; all other ports are closed;
During the H.323 call process, the gatekeeper module notifies the proxy module to open or close particular ports according to the needs of the H.323 call procedure;
Through its interaction with the gatekeeper module, the proxy module learns the ports that all current legitimate IP calls need to use, then opens these ports and forwards the calls that have passed security verification;
Once the connection on a given port has finished, the proxy module closes that port immediately.
The gatekeeper module and the H.323 protocol control module, data relay module and security control module are integrated on the same physical device; alternatively, the gatekeeper module is located on one physical device and the H.323 protocol control module, data relay module and security control module on another physical device.
The multimedia communication security proxy gateway is located on an independent physical device, or is integrated on one physical device with the firewall, and the traditional data channel implements conventional data control as an independent communication channel.
The multimedia communication security proxy method of the invention is as follows: a multimedia communication security proxy gateway is provided at the point where the internal network and the external network interconnect, a firewall is also provided at that point, and the multimedia communication security proxy gateway is provided with an H.323 protocol control module, a data relay module, a security control module and a gatekeeper module employing GK routing and H.245 routing;
The gatekeeper IP address of the local multimedia communication security proxy gateway is set on each multimedia communication terminal, and through this gatekeeper IP address the terminal automatically senses the multimedia communication security proxy gateway; the H.323 protocol control module parses the H.323 call signaling up to the application layer, after which the security control module and the gatekeeper module perform security access control;
When the multimedia communication security proxy gateway and the firewall are independent of each other and placed side by side at the interconnection point of the internal and external networks, using different network interfaces, IP media streams are diverted to the multimedia communication security proxy gateway, which performs the IP address translation between the internal and external networks and the security-filtered forwarding, with security authentication control, of two-way multimedia calls crossing between the internal and external networks; IP data streams are diverted to the firewall for secure conventional data communication;
When the multimedia communication security proxy gateway and the firewall are integrated into one physical device supporting multimedia communication, all IP media streams arriving on the same network interface are automatically routed to the multimedia security channel of the multimedia communication security proxy gateway for security filtering and forwarding, and all IP data streams are automatically routed to the conventional data secure channel on the firewall for secure conventional data communication.
The security access control performed by the security control module and the gatekeeper module comprises: the gatekeeper module judges according to the security policy whether a given multimedia connection is trustworthy and notifies the security control module of the result; the security control module then blocks or passes the connection. If the multimedia connection is untrusted, the connection is blocked; if it is trusted, the gatekeeper module directs the call onto the corresponding secure media channel according to the corresponding policy.
Judging according to the security policy comprises:
Two fixed ports of the proxy module formed by the H.323 protocol control module, the security control module and the data relay module are open; all other ports are closed;
During the H.323 call process, the gatekeeper module notifies the proxy module to open or close particular ports according to the needs of the H.323 call procedure;
Through its interaction with the gatekeeper module, the proxy module learns the ports that all current legitimate IP calls need to use, then opens these ports and forwards the calls that have passed security verification;
Once the connection on a given port has finished, the proxy module closes that port immediately.
The security-filtered forwarding by the multimedia communication security proxy gateway further comprises:
The H.323 protocol control module parses the H.323 call signaling and queries the user list to judge the trustworthiness of this H.323 multimedia communication; if it is untrusted, the connection is blocked;
If it is trusted, the security control module and the gatekeeper module perform security access control on each connection of this H.323 multimedia communication and on whether each port it uses is safe;
If a connection or a port is not needed by this H.323 communication or does not conform to the H.323 protocol requirements, it is considered unsafe and the connection is blocked; otherwise it is considered safe;
The gatekeeper module directs trusted, safe calls to the corresponding network interface, that is, the corresponding secure channel, according to the security policy;
Under the control of the security control module, the data relay module proxies the transmission of multimedia data over the connections set up by the call.
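As an added illustration (not code from the patent or its assignee), the following Python simulation carries the gatekeeper/proxy port interlock and the security-filtered forwarding steps of this section through a constructed call flow: only two fixed ports start open, ports announced by Q.931 or H.245 are opened for an admitted call only, an unknown caller is parsed on the fixed Q.931 port but is granted nothing else, and the call's ports close when it ends. The fixed ports 1719 (RAS) and 1720 (Q.931) are the standard H.323 well-known ports, assumed here because the text does not number them; the user list and call identifiers are constructed.

```python
RAS_PORT = 1719      # fixed port 1: RAS registration and admission (standard H.323 port, assumed)
Q931_PORT = 1720     # fixed port 2: Q.931 call setup (standard H.323 port, assumed)
FIXED_PORTS = (RAS_PORT, Q931_PORT)
DYNAMIC_MIN = 1025   # transient ports announced in Q.931/H.245 lie above 1024
VALID_ROLES = ("h245", "rtp", "rtcp")


class ProxyModule:
    """Protocol control, security control and data relay taken together.
    Only the two fixed ports are open at start; every other port is closed
    and opens only on instruction from the gatekeeper module."""

    def __init__(self):
        self.open_ports = {p: None for p in FIXED_PORTS}  # port -> owning call id
        self.trusted_calls = set()

    def set_trust(self, call_id, trusted):
        if trusted:
            self.trusted_calls.add(call_id)
        else:
            self.trusted_calls.discard(call_id)

    def open_port(self, port, call_id):
        self.open_ports[port] = call_id

    def close_port(self, port):
        if port not in FIXED_PORTS:       # fixed ports stay open for new calls
            self.open_ports.pop(port, None)

    def relay(self, call_id, dst_port):
        """Would a packet of call_id addressed to dst_port be forwarded?
        Fixed ports are always reachable so signaling can be parsed and judged;
        a dynamic port is forwarded only for the trusted call it was opened for."""
        if dst_port not in self.open_ports:
            return False                  # closed port: blocked
        owner = self.open_ports[dst_port]
        if owner is None:
            return True
        return owner == call_id and call_id in self.trusted_calls


class GatekeeperModule:
    """Judges each call against the user list (the security policy) and tells
    the proxy which ports a verified call needs: the port interlock."""

    def __init__(self, trusted_users, proxy):
        self.trusted_users = set(trusted_users)
        self.proxy = proxy
        self.granted = {}                 # call id -> dynamic ports opened for it

    def admit(self, call_id, caller):
        trusted = caller in self.trusted_users
        self.proxy.set_trust(call_id, trusted)
        if trusted:
            self.granted[call_id] = set()
        return trusted

    def announce_port(self, call_id, port, role):
        """Q.931 announced the H.245 port, or H.245 announced RTP/RTCP ports.
        Open it only for an admitted call and only if it is a transient port
        used in a role the H.323 call procedure actually needs."""
        if call_id not in self.granted:
            return False
        if role not in VALID_ROLES or not DYNAMIC_MIN <= port <= 65535:
            return False
        self.granted[call_id].add(port)
        self.proxy.open_port(port, call_id)
        return True

    def release(self, call_id):
        """The call's connections have finished: close its ports at once."""
        for port in self.granted.pop(call_id, set()):
            self.proxy.close_port(port)
        self.proxy.set_trust(call_id, False)


def run_scenario():
    """Constructed call flows: one trusted internal user, one unknown caller."""
    proxy = ProxyModule()
    gk = GatekeeperModule(trusted_users=["T2@internal"], proxy=proxy)
    r = {}
    r["trusted_admitted"] = gk.admit("call-1", "T2@internal")
    r["h245_opened"] = gk.announce_port("call-1", 3001, "h245")
    r["rtp_opened"] = gk.announce_port("call-1", 30000, "rtp")
    r["rtp_relayed"] = proxy.relay("call-1", 30000)
    r["bad_port_refused"] = gk.announce_port("call-1", 80, "rtp")   # not a transient port
    r["unknown_admitted"] = gk.admit("call-2", "unknown@external")
    r["unknown_reaches_q931"] = proxy.relay("call-2", Q931_PORT)     # parsed, then judged
    r["unknown_opens_port"] = gk.announce_port("call-2", 3002, "h245")
    r["unknown_uses_others_port"] = proxy.relay("call-2", 30000)
    gk.release("call-1")
    r["closed_after_release"] = proxy.relay("call-1", 30000)
    r["ports_left_open"] = sorted(proxy.open_ports)
    return r


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```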
When the multimedia communication security proxy gateway and the firewall are integrated into one physical device supporting multimedia communication, the method also comprises having the authentication mechanism of the gatekeeper module cooperate with the filtering policies of the firewall's inner filtering router and outer filtering router to accomplish the security filtering control of H.323 call communication.
The security filtering control of H.323 call communication further comprises:
On the inner filtering router, the filtering rule set concerning the firewall's data communication security is not adjusted; instead, a filtering rule set concerning the security proxy gateway is added. It allows a source host whose source address is the IP address of the gatekeeper module to send from a fixed port and a destination host of any address in the internal network to receive on any port, and allows a source host of any address in the internal network to send from any port and a destination host whose destination address is the IP address of the gatekeeper module to receive on this fixed port. This supports the RAS message communication by which internal multimedia communication terminals register with, authenticate to or request admission from the gatekeeper module;
On the outer filtering router, a rule set is added which allows a source host whose source address is the IP address of the gatekeeper module to send from this fixed port and a destination host with the IP address of the outer filtering router to receive on any port, and allows a source host whose source address is the IP address of the outer filtering router to send from any port and a destination host whose destination address is the IP address of the gatekeeper module to receive on this fixed port. This supports calls initiated from outside the network, the outer filtering router providing a channel for RAS message exchange between the gatekeeper module and a higher-level gatekeeper;
When a call communication connection wishes to pass through the inner or outer filtering router, the inner or outer filtering router queries the gatekeeper module as to whether this connection is a trusted connection, and decides to permit or refuse the connection according to the gatekeeper module's response.
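As an added illustration (not code from the patent), the rule sets added to the inner and outer filtering routers and the gatekeeper query for call connections can be modelled as follows: the original data rule is left untouched, the added rules cover only RAS traffic to and from the gatekeeper module, and a dynamic RTP port is decided by the gatekeeper's answer rather than by widening the rule set to all ports above 1024. The gatekeeper and router addresses, the internal network and the fixed RAS port 1719 (the standard H.323 RAS port) are assumptions, not values from the page.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = None                                   # wildcard for an address or port
GK_IP = ip_address("192.0.2.10")             # gatekeeper module, same IP as the firewall (constructed)
OUTER_ROUTER_IP = ip_address("192.0.2.1")    # outer filtering router (constructed)
INTERNAL_NET = ip_network("10.0.0.0/8")      # internal network (constructed)
FIXED_PORT = 1719                            # "this fixed port": RAS, standard H.323 port (assumed)


@dataclass(frozen=True)
class Rule:
    src: object    # IPv4Address, IPv4Network or ANY
    sport: object  # int or ANY
    dst: object
    dport: object

    def matches(self, src, sport, dst, dport):
        return (_addr_ok(src, self.src) and _port_ok(sport, self.sport)
                and _addr_ok(dst, self.dst) and _port_ok(dport, self.dport))


def _addr_ok(addr, spec):
    if spec is ANY:
        return True
    if isinstance(spec, IPv4Network):
        return addr in spec
    return addr == spec


def _port_ok(port, spec):
    return spec is ANY or port == spec


class GatekeeperModule:
    """Holds the call connections it has authenticated; answers router queries."""

    def __init__(self, trusted_connections):
        self.trusted = set(trusted_connections)

    def is_trusted(self, connection_id):
        return connection_id in self.trusted


class FilteringRouter:
    """Static data-communication rules stay as they were; the added H.323 rules
    cover RAS to and from the gatekeeper; any other packet that belongs to an
    H.323 call connection is permitted only if the gatekeeper vouches for it."""

    def __init__(self, name, rules, gatekeeper):
        self.name, self.rules, self.gk = name, rules, gatekeeper

    def decide(self, src, sport, dst, dport, connection_id=None):
        src, dst = ip_address(src), ip_address(dst)
        if any(rule.matches(src, sport, dst, dport) for rule in self.rules):
            return "permit"
        if connection_id is not None and self.gk.is_trusted(connection_id):
            return "permit"
        return "refuse"


# Rule set added to the inner router: RAS between internal terminals and the GK.
INNER_H323_RULES = [
    Rule(GK_IP, FIXED_PORT, INTERNAL_NET, ANY),
    Rule(INTERNAL_NET, ANY, GK_IP, FIXED_PORT),
]
# Rule set added to the outer router: RAS channel via the outer router.
OUTER_H323_RULES = [
    Rule(GK_IP, FIXED_PORT, OUTER_ROUTER_IP, ANY),
    Rule(OUTER_ROUTER_IP, ANY, GK_IP, FIXED_PORT),
]
# One pre-existing data rule, left unchanged, standing in for the firewall's
# original rule set (constructed): internal hosts may reach web servers.
DATA_RULES = [Rule(INTERNAL_NET, ANY, ANY, 80)]


def run_scenario():
    gk = GatekeeperModule(trusted_connections={"call-7/rtp"})
    inner = FilteringRouter("inner", DATA_RULES + INNER_H323_RULES, gk)
    outer = FilteringRouter("outer", DATA_RULES + OUTER_H323_RULES, gk)
    r = {}
    # A terminal registers with the gatekeeper: static RAS rules on the inner router.
    r["ras_register"] = inner.decide("10.1.1.5", 40000, "192.0.2.10", FIXED_PORT)
    r["ras_reply"] = inner.decide("192.0.2.10", FIXED_PORT, "10.1.1.5", 40000)
    # RAS towards a higher-level gatekeeper through the outer router's channel.
    r["ras_upstream"] = outer.decide("192.0.2.10", FIXED_PORT, "192.0.2.1", 1719)
    # Dynamic RTP port: no static rule matches, so the gatekeeper's answer decides.
    r["rtp_trusted"] = inner.decide("198.51.100.7", 30002, "10.1.1.5", 30000, "call-7/rtp")
    r["rtp_untrusted"] = inner.decide("198.51.100.7", 30002, "10.1.1.5", 30000, "call-8/rtp")
    r["rtp_no_call"] = inner.decide("198.51.100.7", 30002, "10.1.1.5", 30000)
    # The original data rule still applies and was not widened to ports above 1024.
    r["web_allowed"] = inner.decide("10.1.1.5", 50000, "203.0.113.9", 80)
    r["high_port_data"] = inner.decide("10.1.1.5", 50000, "203.0.113.9", 8080)
    return r


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```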
In summary, when the H.323 security proxy gateway and the firewall are independent and connected side by side between the internal and external networks, using different network interfaces, the security proxy gateway is responsible for the security of multimedia communication, including address translation between the internal and external networks and the security control and authentication of two-way multimedia calls set up across the internal and external networks, while the firewall is responsible for conventional data communication security. When the H.323 security proxy gateway and the firewall are integrated into a new firewall, using the same network interface, the inner and outer filtering routers do not change the filtering rule set originally used for non-H.323 data communication connections but add a filtering rule set aimed at H.323 communication security, and perform security filtering of H.323 communication connections by interacting with the gatekeeper module in the security proxy gateway.
The present invention comprises three key technologies:
1. the interlocked port security control technology between the proxy module and the gatekeeper module;
2. the technology by which standard multimedia terminals automatically sense the H.323 security proxy gateway;
3. the media routing technology.
Compared with the prior art, the invention has the following beneficial effects:
1. The multimedia communication security proxy gateway proposed by the present invention is logically independent of the firewall and sets up a dedicated secure channel for multimedia communication. The method can be used with any type of firewall, so H.323 communication can pass through firewalls of various types;
2. When an audio/video terminal based on the H.323 protocol places a call across the multimedia communication security proxy gateway, it must know the IP address of the gateway; otherwise it cannot connect to the far-end terminal through the gateway. However, H.323-based audio/video terminals do not support such a setting, that is, configuring the IP address of the security proxy gateway on the terminal. The present invention solves this problem well through the GK routing and H.245 routing of the gatekeeper: any standard H.323 communication terminal can automatically sense the H.323 security proxy gateway, that is, obtain its IP address, without any special configuration;
3. The core of the security proxy gateway is guaranteeing the security of the network system. The present invention realizes network system security in two respects: first, only legitimate H.323 calls can pass through the security proxy gateway; second, the interlock between the gatekeeper module and the proxy module applies security control to every port dynamically opened during the call process, so that only reliable multimedia communication passes through the security proxy gateway. The security proxy method proposed by the present invention therefore implements complete security authentication of H.323 protocol communication.
Description of drawings
Fig. 1 is a block diagram of the principle structure of the H.323 multimedia communication security proxy gateway;
Fig. 2 is a flow block diagram of the H.323 security proxy gateway cooperating with a screened-subnet firewall when the gateway is arranged side by side with the bastion host as an independent device;
Fig. 3 is a flow block diagram of the H.323 security proxy gateway cooperating with a screened-subnet firewall when the gateway is integrated with the bastion host;
Fig. 4 is a schematic diagram of the Q.931 stage of H.323 communication traversing the H.323 security proxy gateway;
Fig. 5 is a schematic diagram of the H.245 stage and the RTP stage of H.323 communication traversing the security proxy gateway;
Fig. 6 is a schematic diagram of the process when telephone terminal T1 on the external network calls telephone terminal T2 on the internal network;
Fig. 7 is a schematic diagram of the internal/external network connection structure when the local gatekeeper module and the proxy module of the H.323 security proxy gateway are integrated on one physical device;
Fig. 8 is a schematic diagram of the intercommunication between the local gatekeeper module and the proxy module of the H.323 security proxy gateway when they are integrated.
Embodiment
Referring to Fig. 1, the H.323 security proxy gateway structure proposed by the present invention consists of four functional modules: H.323 protocol control module 101, data relay module 103, security control module 102 and gatekeeper module 11. Data relay module 103 is responsible for bidirectionally forwarding the packets of connections in UDP (User Datagram Protocol) mode; the packets comprise RTP (real-time transport protocol) audio or video streams, and the data relay module is required to forward them quickly, with as little delay as possible (proxying the multimedia data). H.323 protocol control module 101 is responsible for bidirectionally handling the H.323 control protocols carried over TCP (transmission control protocol) connections (comprising the two processes of carrying out the Q.931 protocol and carrying out the H.245 protocol), with the emphasis on H.323 call control. Security control module 102 interlocks with gatekeeper module 11 to implement the security policy of H.323 multimedia communication.
To explain more clearly the relationship between gatekeeper module 11 of the H.323 security proxy gateway and the other modules, the combination of H.323 protocol control module 101, data relay module 103 and security control module 102 is referred to as proxy module 10. The H.323 security proxy gateway can therefore be simplified to two parts: gatekeeper module 11 and proxy module 10.
The gatekeeper (GateKeeper, GK) module 11 of the H.323 security proxy gateway is used to manage an H.323 zone and is responsible for providing call control services to the telephone terminals; each H.323 zone has one and only one gatekeeper module. The gatekeeper module is responsible for managing the telephone system equipment in the zone and implements functions such as address resolution, admission control and bandwidth control; its basic function is to carry out RAS (Registration, Admission, Status) messaging (comprising request and response messages). According to the H.323 protocol, gatekeeper module 11 can choose the GK-routed mode of operation. GK routing requires the Q.931 call control signaling of H.225.0 to pass through the gatekeeper module, so that the gatekeeper module directly manages calls and collects call information. If the gatekeeper module operates in GK-routed mode, it can also choose H.245 routing. H.245 routing requires the H.245 channel to pass through the gatekeeper module as well, so the gatekeeper module can manage and monitor the media stream path; cooperating with the other modules, the gatekeeper module can therefore also provide the port security interlock control and media routing functions and make the terminals automatically sense the H.323 security proxy gateway. A standard gatekeeper module should have three functional sub-modules: RAS message handling, Q.931 call signaling handling and H.245 control flow handling, denoted RAS_Server, GK_Routed and H.245_Routed respectively.
The three sub-modules of the proxy module of the security proxy gateway, the protocol control module, the data relay module and the security control module, are denoted Signal_Proxy, Media_Proxy and RAS/Secure_Handle respectively. The basic function of the proxy module is to parse, forward and relay the H.323 media streams and signaling flows. An H.323 call has two stages: first the Q.931 call and H.245 control signaling stage with capability exchange, second the multimedia transmission stage. Because all connections of an H.323 call must pass through the proxy module of the H.323 security proxy gateway, the legitimacy check and security control of H.323 calls can be accomplished jointly by the proxy module and the gatekeeper module. To achieve correct call setup, protocol control module 101, security control module 102 and gatekeeper module 11 cooperate to implement security access control and provide a secure and reliable communication environment for data relay module 103.
Traditional firewalls have many different structures, but three are mainly in common use: the screened subnet, the dual-homed host and the screened host. The H.323 security proxy method proposed by the present invention is applicable to firewalls of all three structures. Here a screened-subnet firewall is taken as an example to illustrate the two cases in which the security proxy gateway and the firewall exist as separate physical devices or are integrated on one physical device, illustrated by Fig. 2 and Fig. 3 respectively.
Referring to Fig. 2, this is one form of cooperation in which the H.323 security proxy gateway 21, as a separate physical device, is placed in a position side by side with firewall 20. The H.323 security proxy gateway 21 is located at the interconnection point of internal network 25 and external (broadband IP) network 26 and forwards the IP media streams; bastion host 22 is located at the interconnection point of inner filtering router 23 and outer filtering router 24 of firewall 20 and forwards the IP data streams. Inner filtering router 23 and outer filtering router 24 connect to internal network 25 and external (broadband IP) network 26 respectively.
When the H.323 security proxy gateway 21 is placed side by side with firewall 20 as an independent device, the three parts of firewall 20, outer filtering router 24, inner filtering router 23 and bastion host 22, need no adjustment. The H.323 security proxy gateway 21 provides an independent secure media channel for H.323 communication. According to its security policy, it performs legitimacy and security checks on all connections attempting to pass through it and blocks all non-H.323 connections and all unauthorized H.323 connections, so that the security of the network system is not reduced by multimedia communication traversing the firewall. H.323 communication automatically bypasses the inner and outer filtering routers 23, 24 and goes directly to the H.323 security proxy gateway 21, which parses the connection and verifies its legitimacy; only legitimate H.323 connections are relayed and illegitimate H.323 connections are blocked, so that trusted H.323 calls traverse the firewall. If a non-H.323 connection attempts to pass through the H.323 security proxy gateway 21, the gateway parses the connection, recognizes that it does not conform to the H.323 protocol and blocks it. Thus, because the inner and outer filtering routers 23, 24 and bastion host 22 do not adjust their original security policies, and the H.323 security proxy gateway 21 serves only H.323 traffic and proxies no other services, bastion host 22 in the demilitarized zone (DMZ) completes the tasks of a traditional firewall. This method therefore provides the H.323 proxy service while preserving the original security performance, that is, H.323 successfully traverses the firewall.
The screened-subnet firewall structure is a widely adopted pattern. The inner and outer filtering routers work on the same principle but protect different objects: the outer filtering router is the outer protection, protecting the bastion host in the DMZ (the firewall and the H.323 security proxy gateway), and the inner filtering router is the innermost protection, protecting the security of the internal network. In this example the H.323 security proxy gateway and the firewall use different network interfaces, that is, data packets and H.323 media streams take different channels: data packets take the data channel provided by the firewall, and H.323 media streams take the channel provided by the H.323 security proxy gateway. The inner and outer filtering routers need make no adjustment to the firewall's filtering rule set; H.323 data flows automatically bypass the inner and outer filtering routers according to the gateway's own media routing mechanism, and the security of H.323 communication connections is ensured by the H.323 security proxy gateway. A filtering policy supporting H.323 traversal is thereby realized on the inner and outer filtering routers, allowing trusted H.323 communication connections to pass smoothly without reducing the security of the network system.
Referring to Fig. 3, another form of cooperation between the H.323 security proxy gateway and the screened-subnet firewall places the H.323 security proxy gateway on the bastion host: the H.323 proxy service is added to the original services of bastion host 31, and the H.323 security proxy gateway runs as an application on the existing firewall 30. H.323 communication will therefore pass through the inner and outer filtering routers 32, 33. But traditional inner and outer filtering routers do not support H.323 communication. To allow H.323 communication to pass through them, the inner and outer filtering routers need to add some filtering rules aimed at H.323 communication and interlock with the gatekeeper module in the H.323 security proxy gateway to judge whether an H.323 connection can be trusted, allowing trusted H.323 connections to pass through the inner and outer filtering routers 32, 33.
In Fig. 3, the H.323 security proxy gateway and the firewall use the same network interface, that is, conventional data packets and H.323 media streams take the same channel, which means that H.323 media streams also need to pass through the inner and outer filtering routers. Because H.323 communication connections use temporary dynamic ports above 1024, for the filtering routers to let H.323 communication connections through, the security filtering rule set originally used for data communication would have to be adjusted, weakening the firewall's security guarantee. For this reason a new security policy mechanism must be introduced to ensure the security of the firewall.
Because the H.323 security proxy gateway uses the same network interface as the firewall, it uses the same IP address. The filter would therefore have to make a thorough adjustment to the firewall's security filtering policy, because H.323 communication uses dynamic ports above 1024 and it cannot be determined in advance which ports' connections to allow or refuse. The filtering rule set of the inner filtering router would thus have to allow all connections to ports above 1024 on the firewall (or the H.323 security proxy gateway). Obviously, such a rule set greatly weakens the filtering router's security control of data communication: in order to let H.323 communication connections through smoothly, the filtering router would have to remove the security filtering control of data communication connections, which is clearly infeasible. To address this problem, on the basis of the communication port security control method implemented by the interlock of the gatekeeper module and the proxy module, the present invention further proposes a security filtering control method for H.323 communication ports in which the filtering routers interlock with the gatekeeper module. When the H.323 security proxy gateway and the firewall use the same network interface, if the filtering routers carry out the filtering policy independently, the security filtering control achieved is weak; if instead the filtering policy of the filtering routers is combined with the authentication mechanism of the gatekeeper module, stronger security filtering control can be accomplished.
The filtering rule set of relevant data communication security (fire compartment wall) is not done any adjustment on the Filtering Router, and will adjust about the filtering rule set of safe proxy gateway.Because the RAS of gatekeeper's module communicates to connect and uses 1719 fixed port in the safe proxy gateway, so the self-filtering router sets in advance to allowing the connection of 1719 used ports of safe proxy gateway, the rule set 1 listed as table 1.
Table 1

Rule set 1 | Action | Source host | Port | Destination host | Port
Row 1 | Allow | IP address of gatekeeper GK | 1719 | Any address in the internal network | Any port
Row 2 | Allow | Any address in the internal network | Any port | IP address of gatekeeper GK | 1719

The first row of the table allows a source host whose source address is the IP address of gatekeeper GK to send from port 1719 to a destination host at any address in the internal network, received on any port; the second row allows a source host at any address in the internal network to send from any port to a destination host whose destination address is the IP address of gatekeeper GK, received on port 1719.
Rule set 1 of the inner filtering router clearly serves H.323 connections: with it, internal H.323 terminals can exchange RAS messages for registration, authentication or admission requests with the gatekeeper GK module. H.323 communication has a characteristic: the port used by the current connection is confirmed in the communication of the previous connection, that is, the Q.931 signalling port is confirmed in RAS message communication, the H.245 port is confirmed in Q.931 communication, and the RTP media port is confirmed in H.245 communication. Because the GK-routed and H.245-routed working modes are used, before each H.323 connection is switched the gatekeeper module already knows the dynamic port the connection will use. When a call connection wants to pass a filtering router, the filtering router (the inner filtering router or the outer filtering router) queries the gatekeeper module whether this connection is a trusted connection, and then permits or refuses it according to the gatekeeper module's response.
To allow calls to be made from outside the network, the outer filtering router must provide a channel for RAS message exchange between the gatekeeper module and the higher-level gatekeeper; for this, rule set 2 listed in Table 2 must be added on the outer filtering router. Because the local gatekeeper module is outside the inner filtering router, the exchange between the local gatekeeper module and the higher-level gatekeeper GK does not pass through the inner filtering router, so no special rule set is provided on the inner filtering router for it.
Table 2

Rule set 2 | Action | Source host | Port | Destination host | Port
Row 1 | Allow | IP address of gatekeeper GK | 1719 | IP address of the outer filtering router | Any port
Row 2 | Allow | IP address of the outer filtering router | Any port | IP address of gatekeeper GK | 1719

The first row of the table allows a source host whose source address is the IP address of gatekeeper GK to send from port 1719 to a destination host at the IP address of the internal network's outer filtering router, received on any port; the second row allows a source host whose source address is the IP address of the internal network's outer filtering router to send from any port to a destination host whose destination address is the IP address of gatekeeper GK, received on port 1719.
In summary, when the H.323 security proxy gateway and the firewall use the same network interface, the filtering router need not change the filtering rule set originally used for non-H.323 data communication connections; by interacting with the gatekeeper module in the security proxy gateway it filters H.323 connections securely, thereby guaranteeing the security of the firewall while still allowing H.323 communication to pass through securely.
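The filtering-router behaviour described above, as an added example that is not code from the patent: the two static rule sets of Table 1 and Table 2 for the fixed RAS port 1719 are evaluated after the unchanged data rule set, and any other flow is allowed only if the gatekeeper module, which in GK-routed and H.245-routed mode already knows each dynamic port before the connection is switched, reports the connection as trusted. The gatekeeper IP, outer-router IP, internal prefix and the data rule set are assumed sample values.

```python
"""Added example, not code from the patent: a packet filter modelling the
static H.323 rule sets of Table 1 (inner filtering router) and Table 2
(outer filtering router) for the fixed RAS port 1719, plus the gatekeeper
query the text describes for the dynamic ports that RAS, Q.931 and H.245
negotiate. Addresses and the data-communication rule set are constructed."""
from dataclasses import dataclass
import ipaddress

GK_IP = "192.0.2.10"            # assumed IP address of gatekeeper GK
OUTER_ROUTER_IP = "192.0.2.1"   # assumed IP address of the outer filtering router
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal network
RAS_PORT = 1719                 # fixed RAS port of the gatekeeper module (from the text)


@dataclass(frozen=True)
class Flow:
    """One packet's 4-tuple as the filtering router sees it."""
    src: str
    sport: int
    dst: str
    dport: int


class Gatekeeper:
    """Stand-in for the gatekeeper module: in GK-routed / H.245-routed mode it
    learns each dynamic port before the connection is switched, so it can
    answer the router's 'is this connection trusted?' query."""
    def __init__(self):
        self._trusted = set()

    def announce(self, ip, port):   # port confirmed for an authenticated call
        self._trusted.add((ip, port))

    def withdraw(self, ip, port):   # connection finished, port closed again
        self._trusted.discard((ip, port))

    def is_trusted(self, flow):
        return (flow.src, flow.sport) in self._trusted or \
               (flow.dst, flow.dport) in self._trusted


def in_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def rule_set_1(flow):
    """Table 1: RAS between gatekeeper GK and any internal host."""
    if flow.src == GK_IP and flow.sport == RAS_PORT and in_internal(flow.dst):
        return True
    return in_internal(flow.src) and flow.dst == GK_IP and flow.dport == RAS_PORT


def rule_set_2(flow):
    """Table 2: RAS between gatekeeper GK and the outer filtering router."""
    if flow.src == GK_IP and flow.sport == RAS_PORT and flow.dst == OUTER_ROUTER_IP:
        return True
    return flow.src == OUTER_ROUTER_IP and flow.dst == GK_IP and flow.dport == RAS_PORT


def data_rules(flow):
    """Constructed stand-in for the firewall's unchanged data rule set:
    only mail and web to one internal server are allowed."""
    return flow.dst == "10.0.0.80" and flow.dport in (25, 80)


def filter_decision(router, flow, gk, data_rules=data_rules):
    """Decision of the inner ('inner') or outer ('outer') filtering router.
    The data rule set is consulted unchanged; then the router's own static
    H.323 rule set; anything else passes only if the gatekeeper vouches for it."""
    if data_rules(flow):
        return "allow:data-rules"
    static = rule_set_1 if router == "inner" else rule_set_2
    if static(flow):
        return "allow:ras"
    if gk.is_trusted(flow):
        return "allow:gk-trusted"
    return "deny"
```

Because the gatekeeper withdraws a port as soon as the call that used it ends, a dynamic port above 1024 is open on the router only for the lifetime of one authenticated call, which is the property the text contrasts with a blanket "allow everything above 1024" rule.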
When H.323 communication must traverse the H.323 security proxy gateway, an external terminal first interacts with the security proxy gateway; only after the security proxy gateway has processed the communication control messages and media streams accordingly is the connection with the internal terminal established. Similarly, an internal terminal can connect with an external terminal only through the processing of the security proxy gateway. Fig. 4 and Fig. 5 illustrate, for a point-to-point call traversing the H.323 security proxy gateway, the Q.931 connection phase (Fig. 4) and the H.245 connection phase and RTP connection phase (Fig. 5). Assume terminal 1 is in the external network, terminal 2 is in the internal network, and the vertical line in the middle represents the H.323 security proxy gateway (comprising the proxy module and the local gatekeeper module GK).
During H.323 call setup the H.323 security proxy gateway parses the Q.931 messages, H.245 control messages and media channel messages and reads the relevant fields of the messages, such as the callee's address alias and the call's resource usage request. The H.323 security proxy gateway then does two things: on the one hand it interacts with the higher-level gatekeeper to request address resolution, bandwidth resources, billing start and so on; on the other hand it enforces the security policy for the H.323 call through the interlock of the proxy module (10 in Fig. 1) and the local gatekeeper module (11 in Fig. 1), judging from the information obtained about the calling and called users and the call ports whether the call is trusted. If the call is trusted, the H.323 security proxy gateway relays the H.323 call and sends it out through the corresponding network interface; otherwise the call is blocked.
As stated, the external terminal first interacts with the security proxy gateway, which processes the communication control messages and media streams before the connection with the internal terminal is made, and the internal terminal likewise connects with the external terminal only through the processing of the security proxy gateway. Fig. 4 and Fig. 5 show the process by which H.323 communication traverses the security proxy gateway, with terminal 1 in the external network and terminal 2 in the internal network. Fig. 6 shows the call procedure between the telephone terminals T1 and T2 of the internal and external networks: internal network terminal T1 connects to local area network LAN1; LAN1 connects to inner filtering router 61; inner filtering router 61 connects to H.323 security proxy gateway 62; H.323 security proxy gateway 62 connects to outer filtering router 63; outer filtering router 63 connects to the broadband IP network; the broadband IP network connects to firewall 64, which supports H.323 communication; firewall 64 connects to local area network LAN2; and LAN2 connects to external network terminal T2. LAN1 is also connected with the gatekeeper GK1 module, LAN2 is also connected with the gatekeeper GK2 module, and the broadband IP network connects to the higher-level gatekeeper GK.
Referring to Fig. 6 in combination with Fig. 4, in the Q.931 phase of H.323 communication the security proxy gateway must process each protocol data unit (PDU). The security proxy gateway's concrete processing of the Q.931 message PDUs is as follows:
Step 401: terminal 1, located in the external network, sends an admission request message ARQ to the gatekeeper module of the security proxy gateway (a TCP connection is established between terminal 1 and the H.323 security proxy gateway through port 1720). Because the IP address of the gatekeeper module is configured on terminal 1, and the gatekeeper module and proxy module are integrated on one physical security proxy gateway device, the terminal perceives the security proxy gateway automatically.
Step 402: after the gatekeeper module receives the ARQ message containing the alias of destination terminal 2, it first looks up terminal 1 in the list of valid user terminals. If terminal 1 is present, the alias of terminal 2 is replaced by the external IP address of the security proxy gateway in the ACF returned to terminal 1; otherwise the alias of terminal 2 is kept in the returned ACF. In this way terminal 1 cannot learn the internal IP address of terminal 2, terminal 2 in the internal network remains under the protection of the security proxy gateway at all times, and the legitimacy of terminal 1 is determined by this step.
Step 403: terminal 1 sends a Setup message to the security proxy gateway; the source is terminal 1 and the destination is the security proxy gateway.
Steps 404, 405: after the gatekeeper module of the security proxy gateway receives the Setup message, it first returns a Call Proceeding message to calling terminal 1, then judges whether the call comes from inside or outside. If the call comes from inside, it judges whether the call has been routed through the local gatekeeper module; if not, the call has not been authenticated by the local gatekeeper module and is blocked; if it has, the IP address in Setup-UUIE.destCallSignalingAddress, i.e. the address of the far-end security proxy gateway, is read and the proxy module forwards the call. If the call comes from outside, it verifies that Setup-UUIE.destCallSignalingAddress is the external IP address of the security proxy gateway and then checks whether remoteExtensionAlias exists; if it exists, it is translated into the internal IP address of the security proxy gateway, and if it does not, the User Part message is examined and the remoteExtensionAlias field and an internal IP address are created. Finally the proxy module modifies the Setup message according to the result of its interaction with the local gatekeeper module and sends it to terminal 2: the source address is the security proxy gateway and the destination address is the IP address of terminal 2, forwarded through the corresponding network interface. The interlock of the proxy module and gatekeeper module thus completes the security control of the call phase.
Steps 406, 407, 408: after called terminal 2 receives the Setup message, it returns a Call Proceeding message, then sends an admission request message ARQ to the gatekeeper module of the security proxy gateway, and the gatekeeper module of the security proxy gateway returns ACF to terminal 2.
Steps 409, 410: after called terminal 2 receives the ACF message it returns an Alerting message. Because the local gatekeeper module works in GK-routed mode, the Alerting message first passes through the local gatekeeper module; the proxy module then revises the Call Reference Value (CRV) of the message according to the local call table and forwards it to terminal 1.
Steps 411, 412: once called terminal 2 goes off-hook it sends a call connection Connect message. As with the Alerting message, because the gatekeeper works in GK-routed mode the Connect message is first routed to the local GK module, which authenticates it and then notifies the proxy module. (Assume the H.245 port address of terminal 2 is 5000.) If the proxy module finds that UUIE.H245Address exists, it updates UUIE.H245Address (assume the updated H.245 port address of the security proxy gateway is 5100) and the UUIE.destinationInfo information, then forwards this PDU message to terminal 1.
When either party hangs up, a call release Release Complete message is sent. After the security proxy gateway receives this message, it releases all resources of the H.245 and RTP channels and forwards this PDU, and finally releases the resources associated with the Q.931 connection and closes the connection.
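Steps 402, 404 and 405 above, as an added example that is not the patent's code: the gatekeeper hides the callee's internal address in the ACF it returns to a valid caller, and the Setup message is either blocked, forwarded outwards to the far-end gateway, or rewritten with the gateway as source and terminal 2 as destination before being forwarded inwards. The message classes, the addresses and the valid-user list are constructed for the example; field names follow the ones the text uses.

```python
"""Added example, not the patent's code: the gatekeeper/proxy interlock of
steps 402, 404 and 405 as a small state machine. Field names follow those
the text uses (destCallSignalingAddress, remoteExtensionAlias); the message
classes, addresses and the valid-user list are constructed here."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ARQ:
    caller: str        # alias of the calling terminal
    dest_alias: str    # alias of the called terminal


@dataclass
class ACF:
    dest_info: str     # what the caller is told to call: an alias or the gateway's external IP


@dataclass
class Setup:
    src_ip: str
    dest_call_signaling_address: str          # Setup-UUIE.destCallSignalingAddress
    remote_extension_alias: Optional[str] = None
    user_part: Optional[str] = None           # called-party information in the User Part
    gk_routed: bool = False                   # True if the local gatekeeper routed this call


class SecurityProxyGateway:
    def __init__(self, external_ip, internal_ip, valid_users, alias_to_ip):
        self.external_ip = external_ip
        self.internal_ip = internal_ip
        self.valid_users = set(valid_users)   # terminals that registered and authenticated
        self.alias_to_ip = dict(alias_to_ip)  # internal alias -> internal IP address

    def handle_arq(self, arq: ARQ) -> ACF:
        """Step 402: a valid caller is given the gateway's external IP instead of
        the callee's alias, so the callee's internal address is never exposed."""
        if arq.caller in self.valid_users:
            return ACF(dest_info=self.external_ip)
        return ACF(dest_info=arq.dest_alias)

    def handle_setup(self, setup: Setup, from_inside: bool):
        """Steps 404/405. Returns ('block', reason), ('forward-out', far_gw_ip)
        or ('forward-in', rewritten Setup)."""
        if from_inside:
            if not setup.gk_routed:
                return ("block", "call did not pass local gatekeeper authentication")
            # destCallSignalingAddress already names the far-end security proxy gateway
            return ("forward-out", setup.dest_call_signaling_address)
        if setup.dest_call_signaling_address != self.external_ip:
            return ("block", "destCallSignalingAddress is not the gateway's external address")
        alias = setup.remote_extension_alias
        if alias is None:
            if setup.user_part is None:
                return ("block", "no called party information")
            alias = setup.user_part          # create remoteExtensionAlias from the User Part
        callee_ip = self.alias_to_ip.get(alias)
        if callee_ip is None:
            return ("block", "callee alias unknown to the gatekeeper")
        rewritten = Setup(src_ip=self.internal_ip,                 # source becomes the gateway
                          dest_call_signaling_address=callee_ip,   # destination: terminal 2
                          remote_extension_alias=alias, gk_routed=True)
        return ("forward-in", rewritten)
```

The rewritten Setup carries the gateway's own address as source, so terminal 2 only ever sees the gateway, which is the protection step 402 establishes for the ACF and steps 404/405 carry through into call signalling.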
Referring to Fig. 5, again in combination with Fig. 6: in the H.245 phase and RTP phase of H.323 communication, the security proxy gateway must process each protocol data unit (PDU) of the H.245 messages. Assume the RTP port address of terminal 1 is 1500 and its RTCP port address is 1501, and the RTP port address of terminal 2 is 4000 and its RTCP port address is 4001. The concrete operations are as follows.
Step 501: after the Connect message of the Q.931 phase has been completed, the H.245 port address is determined and the communication enters the H.245 phase, in which capability negotiation and logical channel establishment take place. To open a logical channel, terminal 1 sends an OpenLogicalChannel (OLC) message to the proxy gateway.
Steps 502, 505, 506: the gatekeeper module of the security proxy gateway receives the OLC message on port 5100 (the port number negotiated during the Q.931 communication process) and considers this port safe and reliable; the proxy module then forwards the OpenLogicalChannel (OLC) message to terminal 2 from any port and returns an OpenLogicalChannelAck (OLCA) message to terminal 1. After terminal 2 receives the OLC message on port 5000, it returns an OpenLogicalChannelAck (OLCA) message. When the proxy module finds that dataType is audio or video, it allocates local ports for the RTCP and RTP streams (on both sides of the proxy module). After the OLC and OLCA message negotiation, the RTP port and RTCP port on which terminal 1 sends and receives its media stream are 1500 and 1501 respectively; the RTP port and RTCP port the proxy module uses to communicate with terminal 1 are 2000 and 2001; the RTP port and RTCP port of terminal 2 are 4000 and 4001; and the RTP port and RTCP port the proxy module uses to communicate with terminal 2 are 3000 and 3001.
Steps 503, 504, 507, 508 are identical to steps 501, 502, 505, 506, only in the opposite direction.
In the H.245 phase, the gatekeeper module in the security proxy gateway authenticates port 5100 as safe; after interacting with the gatekeeper module, the proxy module forwards the PDU messages received on port 5100, and the OLC and OLCA messages determine the sending and receiving port addresses (the RTP addresses) for the RTP media stream transmission phase.
After the H.245 phase ends, the RTP phase begins. The gatekeeper module authenticates ports 2000, 2001, 3000 and 3001, negotiated in the previous phase of the communication, as safe, and the proxy module forwards the RTP and RTCP packets. If the proxy module finds that a logical channel has not been authenticated by the gatekeeper module, it discards the PDU message; the interlock of the gatekeeper module and proxy module thus enforces security control on the actual media channels. For a known channel: 1) port matching is carried out between the local and remote ports; 2) packet forwarding is activated in the RTP and RTCP sessions. The proxy gateway then substitutes the RTP and RTCP addresses used by the proxy module for the RTP and RTCP addresses in the PDU (for example port addresses 4000, 4001 are replaced by 2000, 2001, or port addresses 1500, 1501 are replaced by 3000, 3001) and forwards the PDU message.
If a terminal wants to refuse an OLC message, it sends an OpenLogicalChannelReject message. When the proxy module receives this message, it discards the PDU if it finds the logical channel unknown; otherwise it releases all port resources of the logical channel and forwards the PDU message.
If a terminal wants to close a logical channel, it sends a CloseLogicalChannel message. If the proxy module finds the channel unknown, it discards the PDU message; otherwise it stops forwarding packets on the RTP and RTCP ports, releases all port resources, and finally forwards the PDU message.
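The H.245 and RTP phase handling of steps 501 to 508 and the OpenLogicalChannelReject and CloseLogicalChannel cases, as an added example that is not the patent's implementation: the proxy module accepts an OLC only on an H.245 port the gatekeeper has authenticated, allocates relay ports on both sides for audio or video, substitutes its own RTP/RTCP addresses into the PDUs it forwards, relays media only for an active channel whose local and remote ports match, and drops PDUs for unknown channels. Port values follow the text (1500/1501, 4000/4001, 2000/2001, 3000/3001); the dict-based PDU representation, the proxy addresses and the internal-side H.245 port 5200 are constructed for the example.

```python
"""Added example, not the patent's implementation: proxy-module handling of
OLC / OLCA / OLCReject / CLC PDUs with RTP and RTCP address substitution.
PDUs are plain dicts; proxy IPs and the port pool are constructed here."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]
OTHER = {"ext": "int", "int": "ext"}      # the side a PDU is forwarded to


@dataclass
class Channel:
    remote: Dict[str, Tuple[Addr, Addr]] = field(default_factory=dict)  # side -> terminal (rtp, rtcp)
    local: Dict[str, Tuple[Addr, Addr]] = field(default_factory=dict)   # side -> proxy (rtp, rtcp) facing it
    active: bool = False                                                 # forwarding enabled after OLCA


class MediaProxy:
    def __init__(self, gk_authenticated_ports, proxy_ips, port_pool):
        self.gk_ports = set(gk_authenticated_ports)   # H.245 ports the gatekeeper vouched for
        self.proxy_ips = dict(proxy_ips)               # {'ext': ip, 'int': ip}
        self.pool = {s: list(p) for s, p in port_pool.items()}   # side -> [(rtp, rtcp), ...]
        self.channels: Dict[int, Channel] = {}

    def _alloc(self, side):
        rtp, rtcp = self.pool[side].pop(0)
        return (self.proxy_ips[side], rtp), (self.proxy_ips[side], rtcp)

    def _release(self, chan):
        for side, (rtp, rtcp) in chan.local.items():
            self.pool[side].append((rtp[1], rtcp[1]))

    def handle_pdu(self, pdu: dict, from_side: str, h245_port: int) -> Optional[dict]:
        """Return the PDU to forward to the other side, or None to drop it."""
        to_side = OTHER[from_side]
        cid = pdu["channel"]
        if pdu["type"] == "OLC":
            if h245_port not in self.gk_ports:
                return None                      # H.245 connection not authenticated by the GK
            chan = Channel()
            self.channels[cid] = chan
            out = dict(pdu)
            if pdu.get("dataType") in ("audio", "video"):
                chan.remote[from_side] = (pdu["rtp"], pdu["rtcp"])
                chan.local[from_side] = self._alloc(from_side)    # receives the opener's media
                chan.local[to_side] = self._alloc(to_side)        # sends toward the other terminal
                out["rtp"], out["rtcp"] = chan.local[to_side]     # e.g. 1500,1501 -> 3000,3001
            return out
        chan = self.channels.get(cid)
        if chan is None:
            return None                          # unknown logical channel: drop
        if pdu["type"] == "OLCA":
            if h245_port not in self.gk_ports:
                return None
            out = dict(pdu)
            if chan.local:
                chan.remote[from_side] = (pdu["rtp"], pdu["rtcp"])
                out["rtp"], out["rtcp"] = chan.local[to_side]     # e.g. 4000,4001 -> 2000,2001
                chan.active = True               # port match done, forwarding activated
            return out
        if pdu["type"] in ("OLCReject", "CLC"):
            chan.active = False                  # stop RTP/RTCP forwarding
            self._release(chan)                  # free the relay ports
            del self.channels[cid]
            return dict(pdu)
        return None

    def relay(self, from_side, src: Addr, dst_port: int, kind="rtp"):
        """Media packet from src arriving on proxy port dst_port: return
        (send-from proxy address, send-to terminal address) or None to drop."""
        idx = 0 if kind == "rtp" else 1
        to_side = OTHER[from_side]
        for chan in self.channels.values():
            if not chan.active:
                continue
            if chan.local[from_side][idx][1] == dst_port and chan.remote[from_side][idx] == src:
                return chan.local[to_side][idx], chan.remote[to_side][idx]
        return None
```

The `relay` check requires both the destination port and the source address to match the negotiated channel, so a packet sent to an open relay port from an address other than the terminal that negotiated it is dropped rather than forwarded into the internal network.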
The gatekeeper module and the proxy module that make up the H.323 security proxy gateway are logically independent but physically integrated on one device. The gatekeeper module works in GK-routed and H.245-routed mode, and the IP telephone terminal perceives the local H.323 security proxy gateway automatically on the basis of the gatekeeper's routing function, so the information of the local H.323 security proxy gateway need not be configured on the IP telephone terminal. Automatic perception of the H.323 security proxy gateway by the IP telephone terminal means that no special setting is needed on the terminal: when placing a call the terminal obtains the IP address of the local or far-end H.323 security proxy gateway from the gatekeeper, so that its call can pass through the H.323 security proxy gateway.
When calling a far-end system located behind an H.323 security proxy gateway, the calling party must first connect with the far-end (callee's) H.323 security proxy gateway and tell the called security proxy gateway who the callee is. This function can be realized with the H.323 Setup message and the gatekeeper's ACF message on the IP telephone terminal: the destCallSignalingAddress field and/or destinationAddress field contain the address of that gateway, and the remoteExtensionAlias field contains the actual called party address. When the calling party places a call, it first connects with the gatekeeper, obtains the far-end (called) H.323 security proxy gateway and called party address information from the admission confirm message (ACF) provided by the gatekeeper module, and then fills that address information into the destCallSignalingAddress field and/or destinationAddress field and the remoteExtensionAlias field.
As stated above, the gatekeeper module and the proxy module of the H.323 security proxy gateway are integrated on one physical device; the gatekeeper module lies in the internal network protected by the H.323 security proxy gateway, and the security policy of the safety control module combines with the authentication mechanism of the gatekeeper module to realize secure access control jointly. Normally only two ports of the proxy module, 1719 and 1720, are open, and all other ports are closed. During an H.323 call, the gatekeeper module notifies the proxy module to open or close a given port according to the needs of the H.323 call process. Before an H.323 communication call is placed, the telephone terminal first sends an admission request message ARQ to the gatekeeper module, and only after obtaining the authentication of the gatekeeper module does it place the call by sending a Q.931 Setup message. Through this process the H.323 protocol guarantees the legitimacy and security of H.323 calls.
With the gatekeeper module and proxy module integrated on one host and working in the GK-routed configuration, very strong port-level security access control can be realized. Under GK routing all calls inside the network are routed through the GK, so the gatekeeper GK module can analyse the dynamic ports used by the telephone terminals in the network, and it notifies the security proxy gateway through the call information request response message IRR which ports of which IP addresses are in use by the current call.
Through the interaction of its proxy module with the gatekeeper module, the security proxy gateway learns how many legitimate IP calls are currently in progress and which ports they use; it then opens those ports and forwards the calls that have passed security verification. As soon as the connection on a port finishes, the security proxy gateway closes that port. If a connection on a port has not been announced by the gatekeeper module, the security proxy gateway does not proxy connections on that port. The security proxy gateway therefore realizes secure access control not only on IP addresses but also on ports.
Referring to Fig. 7 and Fig. 8, the local gatekeeper module and proxy module of the H.323 security proxy gateway are integrated on host 111 to form the H.323 security proxy gateway, which is connected to intranet 25 and extranet 26 respectively, and the internal and external networks are connected with the user terminals. The greatest feature of this structure is that the IP telephone terminal is not required to be configured with the address of the local H.323 security proxy gateway; it can perceive the local and far-end security proxy gateways automatically through GK routing. This structure therefore has clear advantages in simplicity and practicality and is a configuration structure worth popularizing.
Fig. 8 shows the intercommunication when the local gatekeeper module and proxy module of the H.323 security proxy gateway are configured in integrated form. Under this configuration structure the local gatekeeper module 121 and proxy module 122 of the security proxy gateway are fully merged at the level of logical sub-function modules, and their intercommunication is very simple: the two cooperate by operating on a shared data block and using the same network listening port. Local gatekeeper module 121 consists of three function submodules, RAS_Server, GK_Routed and H.245_Routed, and always works in GK-routed and H.245-routed mode. In this case the function submodule Signal_Proxy of proxy module 122 combines with the submodule GK_Routed of the local GK module, and the function submodule Media_Proxy of proxy module 122 combines with the submodule H.245_Routed of the local GK module; that is, GK_Routed of GK module 121 contains Signal_Proxy of proxy module 122, and H.245_Routed of GK module 121 contains Media_Proxy of proxy module 122. Because RAS_Handle of proxy module 122 has the same function as RAS_Server of gatekeeper GK, the RAS_Handle submodule is not needed in proxy module 122. After local gatekeeper module 121 receives a Q.931 call signalling message from a telephone terminal, GK_Routed manages and monitors the call, and Signal_Proxy parses the call signalling and decides, in combination with the gateway routing table and the proxy policy, whether and how to forward it; next the H.245_Routed submodule of local GK module 121 manages and monitors the media channels while Media_Proxy of proxy module 122 applies the proxy policy.
Because this model selects GK routing and H.245 routing, a call certainly goes through local GK module 121 and therefore also through the H.323 security proxy gateway. The telephone terminal thus needs no special setting: after it receives the admission confirm ACF message from local GK module 121, it calls the local GK module on the public port 1720, so the whole H.323 security proxy gateway takes part in the call process, and the telephone terminal perceives the local security proxy gateway automatically without the IP address of the local security proxy gateway having to be configured. Likewise, when calling a terminal behind an H.323 security proxy gateway, the far-end H.323 security proxy gateway can be perceived through the higher-level gatekeeper. The solid arrows in the figure represent the call execution flow (including the signalling flow and media stream).
This mode has the following advantages: first, the communication control process is simple and the call delay is short; second, the interaction between the local GK module and the proxy module is simple, and bandwidth management and access control are quite convenient.

Claims (11)

1. A multimedia communication security proxy gateway, located at the interconnection of an internal network and an external network, a firewall also being provided at the interconnection of the internal network and the external network, characterized in that:
said multimedia communication security proxy gateway comprises an H.323 protocol control module, a data trunk module, a safety control module and a gatekeeper module; by means of the IP address of this gatekeeper module configured on a multimedia communication terminal, the multimedia communication terminal automatically registers with this gatekeeper module and automatically perceives said multimedia communication security proxy gateway during the communication call process; wherein,
said H.323 protocol control module resolves H.323 call signalling up to the application layer;
said safety control module and gatekeeper module carry out secure access control: when a multimedia connection is determined to be trusted, the gatekeeper module directs the call onto the corresponding secure media channel on the basis of the corresponding policy, and after call setup the data trunk module proxies the multimedia data with as little delay as possible.
2. The multimedia communication security proxy gateway according to claim 1, characterized in that said secure access control comprises:
the gatekeeper module judges according to the security policy whether a multimedia connection is trusted and notifies the safety control module of the judgement result, and the safety control module carries out the blocking or non-blocking of this connection: when the multimedia connection is not trusted the connection is blocked, and when the multimedia connection is trusted the gatekeeper module directs the call onto the corresponding secure media channel on the basis of the corresponding policy.
3. The multimedia communication security proxy gateway according to claim 2, characterized in that said judging according to the security policy comprises:
opening two fixed ports of the proxy module formed by said H.323 protocol control module, safety control module and data trunk module, all other ports being closed;
during the H.323 communication call process, the gatekeeper module notifies the proxy module to open or close a given port according to the needs of the H.323 call process;
the proxy module learns, through interaction with the gatekeeper module, the ports that all current legitimate IP calls need to use, then opens those ports and forwards the calls that have passed security verification;
after the connection on a given port has finished, the proxy module closes that port immediately.
4. The multimedia communication security proxy gateway according to claim 1, characterized in that: said gatekeeper module and said H.323 protocol control module, data trunk module and safety control module are integrated on the same physical device; or the gatekeeper module is located on one physical device and the H.323 protocol control module, data trunk module and safety control module are located on another physical device.
5. The multimedia communication security proxy gateway according to claim 1, characterized in that: said multimedia communication security proxy gateway is located on an independent physical device, or is integrated with said firewall on one physical device, the conventional data channel being treated as an independent communication channel on which conventional data control is applied.
6. the TSM Security Agent method of a multimedia communication safe proxy gateway is characterized in that:
At the interconnected place of internal network and external network a multimedia communication safe proxy gateway is set, interconnected place at internal network and external network also is provided with fire compartment wall, and the multimedia communication safe proxy gateway is provided with H.323 agreement control module, data trunk module, safety control module and employing GK route and H.245 gatekeeper's module of route;
The gatekeeper IP address of local multimedia communication safe proxy gateway is set on each multimedia communication terminal, and multimedia communication terminal is by this automatic perception multimedia communication in gatekeeper IP address safe proxy gateway; H.323 the agreement control module will be H.323 call signaling be resolved to application layer, carry out safe access control by safety control module and gatekeeper's module then;
At multimedia communication safe proxy gateway and fire compartment wall independently of one another and when being listed in the interconnected place of internal network and external network, by different network interfaces, the IP Media Stream is shunted to IP address transition that the multimedia communication safe proxy gateway comprises internal network and external network, crosses over that internal network is called out with the two-way multimedia of external network and the safety filtering transmission of safety certification control; IP traffic is shunted to fire compartment wall carry out the transmission of routine data communication security;
When multimedia communication safe proxy gateway and fire compartment wall are integrated into a physical equipment of supporting multimedia communication, all IP Media Streams from the identical network interface, the multi-media safety passage that is routed automatically to the multimedia communication safe proxy gateway carries out safety filtering and transmits, and the routine data escape way that all IP traffics are routed automatically on the fire compartment wall carries out the transmission of routine data communication security.
7. the TSM Security Agent method of multimedia communication safe proxy gateway according to claim 6 is characterized in that: described safety control module and gatekeeper's module are carried out safe access control and are comprised,
Gatekeeper's module judges according to security strategy whether a certain multimedia connects credible, and notify safety control module with judged result, carry out whether block this connection by safety control module, if it is trustless that multimedia connects, blocking-up connects, can trust if multimedia connects, gatekeeper's module directs into this calling on the corresponding secure media passage based on corresponding strategy.
8. The security proxy method of a multimedia communication security proxy gateway according to claim 7, characterized in that the said judging according to the security policy comprises:
the proxy module formed by the H.323 protocol control module, the security control module and the data relay module keeps two fixed ports open, and all other ports remain closed;
during an H.323 communication call, the gatekeeper module notifies the proxy module to open or close a particular port according to the needs of the H.323 call procedure:
through its interaction with the gatekeeper module, the proxy module learns the ports that all currently legitimate IP calls need to use, opens those ports, and forwards the calls that have passed security verification;
once the connection on a port is finished, the proxy module closes that port immediately.
9. The security proxy method of a multimedia communication security proxy gateway according to claim 6, characterized in that the security-filtered forwarding of the multimedia communication security proxy gateway further comprises:
the H.323 protocol control module parses the H.323 call signaling and queries the user list to judge whether this H.323 multimedia communication is trusted; if it is untrusted, the connection is blocked;
if it is trusted, the security control module and the gatekeeper module perform security access control on each connection of this H.323 multimedia communication and on each port it uses, checking whether each is safe;
if a connection or a port is not required by this communication or does not conform to the H.323 protocol, it is deemed unsafe and the connection is blocked; otherwise it is deemed safe;
the gatekeeper module directs trusted, safe calls to the corresponding network interface, that is, the corresponding secure channel, according to the security policy;
the data relay module, under the control of the security control module, relays the multimedia data on the connections of the established call.
10. The security proxy method of a multimedia communication security proxy gateway according to claim 6, characterized in that, when the multimedia communication security proxy gateway and the firewall are integrated into a single physical device supporting multimedia communication, the method further comprises accomplishing the security filtering control of H.323 communication calls through cooperation between the authentication mechanism of the gatekeeper module and the filtering policies of the firewall's inner filtering router and outer filtering router.
11. The security proxy method of a multimedia communication security proxy gateway according to claim 10, characterized in that the security filtering control of H.323 communication calls further comprises:
on the inner filtering router, the filtering rule set governing the firewall's conventional data communication security is left unchanged, but the filtering rule set concerning the security proxy gateway is adjusted so that a source host whose source address is the IP address of the gatekeeper module may send from a fixed port and a destination host of any address in the intranet may receive on any port, and a source host of any address in the intranet may send from any port and the destination host whose destination address is the IP address of the gatekeeper module may receive on that fixed port; this supports the RAS message exchange by which intranet multimedia communication terminals register, authenticate or request admission with the gatekeeper module;
on the outer filtering router, a rule set is added so that a source host whose source address is the IP address of the gatekeeper module may send from that fixed port and the destination host at the IP address of the outer filtering router may receive on any port, and a source host whose source address is the IP address of the outer filtering router may send from any port and the destination host whose destination address is the IP address of the gatekeeper module may receive on that fixed port; this supports calls initiated from outside the network, the outer filtering router providing a channel for RAS message exchange between the gatekeeper module and a higher-level gatekeeper;
when a call connection attempts to pass through the inner or outer filtering router, the inner or outer filtering router queries the gatekeeper module as to whether this connection is a trusted connection, and permits or refuses the connection according to the gatekeeper module's response.
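The following is an added illustration of the port-coordination and filtering-router behaviour described in claims 7, 8 and 11, written for this page; it is not code from the patent or its assignee. The gatekeeper module keeps a trusted-caller list as its security policy, opens and closes the proxy module's dynamic ports per admitted call, and answers trust queries from the inner and outer filtering routers, whose static rules cover only the RAS channel. The addresses, subnets and port numbers are assumptions (1719 and 1720 follow common H.323 RAS and call-signalling usage; the patent does not specify the two fixed ports).

```python
"""Gatekeeper-driven pinhole control and filtering-router trust queries.
Added example for claims 7, 8 and 11 of CN100379231C; not the patent's own
implementation.  Every address, subnet and port below is an assumption."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Iterable, Optional

ANY = None  # wildcard in a filtering rule


@dataclass(frozen=True)
class Rule:
    """One static entry of a filtering router's rule set (None matches anything)."""
    src: Optional[IPv4Network]
    sport: Optional[int]
    dst: Optional[IPv4Network]
    dport: Optional[int]

    def matches(self, src: str, sport: int, dst: str, dport: int) -> bool:
        return ((self.src is None or ip_address(src) in self.src)
                and (self.sport is None or self.sport == sport)
                and (self.dst is None or ip_address(dst) in self.dst)
                and (self.dport is None or self.dport == dport))


class ProxyModule:
    """H.323 control, security control and data relay taken together (claim 8):
    two fixed ports stay open; any other port opens only on the gatekeeper's
    instruction and is closed as soon as its connection ends."""

    def __init__(self, fixed_ports: Iterable[int]):
        self.fixed = frozenset(fixed_ports)
        self.dynamic = set()

    def open_port(self, port: int) -> None:
        self.dynamic.add(port)

    def close_port(self, port: int) -> None:
        self.dynamic.discard(port)

    def is_open(self, port: int) -> bool:
        return port in self.fixed or port in self.dynamic


class Gatekeeper:
    """Judges trust from the security policy (a trusted-caller list here) and
    tells the proxy which ports each admitted call needs (claims 7 and 8)."""

    def __init__(self, proxy: ProxyModule, trusted_callers: Iterable[str]):
        self.proxy = proxy
        self.trusted = set(trusted_callers)
        self.calls = {}  # call id -> (caller address, ports opened for it)

    def admit(self, call_id: str, caller: str, ports: Iterable[int]) -> bool:
        """Block an untrusted caller; otherwise open the call's ports and record it."""
        if caller not in self.trusted:
            return False
        needed = frozenset(ports)
        for p in needed:
            self.proxy.open_port(p)
        self.calls[call_id] = (caller, needed)
        return True

    def release(self, call_id: str) -> None:
        """The connection is finished: close its ports immediately."""
        _, ports = self.calls.pop(call_id)
        for p in ports:
            self.proxy.close_port(p)

    def is_trusted_connection(self, src: str, dport: int) -> bool:
        """Answer a filtering router's query: does this connection belong to an
        admitted call, on a port that call was granted? (claim 11, last step)"""
        return any(src == caller and dport in ports
                   for caller, ports in self.calls.values())


class FilteringRouter:
    """Static rule set for RAS traffic, then a per-connection gatekeeper query."""

    def __init__(self, rules: Iterable[Rule], gatekeeper: Gatekeeper):
        self.rules = list(rules)
        self.gk = gatekeeper

    def permit(self, src: str, sport: int, dst: str, dport: int) -> bool:
        if any(r.matches(src, sport, dst, dport) for r in self.rules):
            return True
        return self.gk.is_trusted_connection(src, dport)


def build_scenario():
    """Constructed topology: gatekeeper module at 10.0.0.1 with RAS on port 1719,
    intranet 10.0.0.0/24, outer filtering router at 203.0.113.1."""
    gk_net, ras_port = ip_network("10.0.0.1/32"), 1719
    intranet = ip_network("10.0.0.0/24")
    outer_net = ip_network("203.0.113.1/32")
    proxy = ProxyModule(fixed_ports=(1719, 1720))          # assumed fixed ports
    gk = Gatekeeper(proxy, trusted_callers=("10.0.0.7",))  # assumed policy
    # Inner router: only the rules about the proxy gateway are adjusted.
    inner = FilteringRouter([Rule(gk_net, ras_port, intranet, ANY),
                             Rule(intranet, ANY, gk_net, ras_port)], gk)
    # Outer router: RAS channel between the gatekeeper and the outer router only.
    outer = FilteringRouter([Rule(gk_net, ras_port, outer_net, ANY),
                             Rule(outer_net, ANY, gk_net, ras_port)], gk)
    return proxy, gk, inner, outer


if __name__ == "__main__":
    proxy, gk, inner, outer = build_scenario()
    print("RAS registration:", inner.permit("10.0.0.7", 40000, "10.0.0.1", 1719))
    print("media before admit:", inner.permit("10.0.0.7", 50000, "10.0.0.1", 60000))
    gk.admit("call-1", "10.0.0.7", {60000, 60001})
    print("media after admit:", inner.permit("10.0.0.7", 50000, "10.0.0.1", 60000))
    gk.release("call-1")
    print("media after release:", inner.permit("10.0.0.7", 50000, "10.0.0.1", 60000))
```

Two points worth noticing when running it: a media port opened for one admitted call does not admit another intranet host on the same port, because the gatekeeper's answer is keyed on the caller as well as the port, and an arbitrary external host cannot reach the gatekeeper's RAS port through the outer router, since the static rules there name only the outer filtering router's own address.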
CNB2003101020004A 2003-10-21 2003-10-21 A multimedia communication safe proxy gateway and safety proxy method Expired - Fee Related CN100379231C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2003101020004A CN100379231C (en) 2003-10-21 2003-10-21 A multimedia communication safe proxy gateway and safety proxy method

Publications (2)

Publication Number Publication Date
CN1610340A CN1610340A (en) 2005-04-27
CN100379231C true CN100379231C (en) 2008-04-02

Family

ID=34756319

Country Status (1)

Country Link
CN (1) CN100379231C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102088453A (en) * 2010-01-29 2011-06-08 蓝盾信息安全技术股份有限公司 Method, system and method for controlling access of host computer

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100484016C (en) * 2004-06-23 2009-04-29 华为技术有限公司 Multi-media network security system and method thereof
CN100461670C (en) * 2005-12-27 2009-02-11 中兴通讯股份有限公司 H.323 protocol-based terminal access method for packet network
CN101188582B (en) * 2006-11-17 2010-09-29 中兴通讯股份有限公司 System and method for H.323 terminal communication cross the isomerous network
CN101741818B (en) * 2008-11-05 2013-01-02 南京理工大学 Independent network safety encryption isolator arranged on network cable and isolation method thereof
CN101431460B (en) * 2008-11-28 2011-07-13 中兴通讯股份有限公司 Method and system for implementing network interconnection between WEB application and peripheral unit
CN101594233B (en) * 2009-06-26 2012-01-04 成都市华为赛门铁克科技有限公司 Method for uploading information, method for receiving information, equipment and communication system
CN101710960A (en) * 2009-08-06 2010-05-19 中兴通讯股份有限公司 Method and system for realizing video conference
CN101783804A (en) * 2010-02-22 2010-07-21 建汉科技股份有限公司 Method for improving safety protocol packet processing efficiency
CN104159154B (en) * 2014-07-22 2018-12-25 小米科技有限责任公司 Multi-medium play method, device and system
CN107241565B (en) * 2017-05-02 2020-03-31 苏州科达科技股份有限公司 Multimedia conference system and communication method thereof
CN111885210A (en) * 2020-08-10 2020-11-03 上海上实龙创智能科技股份有限公司 Cloud computing network monitoring system based on end user environment
CN113179225B (en) * 2021-04-26 2022-11-04 深圳市奇虎智能科技有限公司 Application identification and processing method and system of sub-route, storage medium and computer equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1047241A2 (en) * 1999-04-22 2000-10-25 Siemens Information and Communication Networks Inc. System and method for restarting of signaling entities in H.323-based realtime communication networks
CN1360778A (en) * 1999-07-14 2002-07-24 西门子信息及通讯网络公司 Gatekeeper with several local domains
WO2002082722A2 (en) * 2001-04-06 2002-10-17 Genuity Incorporation Alternate routing of voice communication in a packet-based network

Similar Documents

Publication Publication Date Title
EP1145521B1 (en) SYSTEM AND METHOD FOR ENABLING SECURE CONNECTIONS FOR H.323 VoIP CALLS
US7408948B2 (en) Packet mode speech communication
CA2714825C (en) Packet mode speech communication
US7894410B2 (en) Method and system for implementing backup based on session border controllers
US7254832B1 (en) Firewall control for secure private networks with public VoIP access
CN100379231C (en) A multimedia communication safe proxy gateway and safety proxy method
GB2460651A (en) Controlling delivery of media data to a plurality of target devices in a target network
CN101316231B (en) Router apparatus
EP2628286B1 (en) Connection control with b2bua located behind nat gateway
CN1665238B (en) Networking system for next generation network
US20030046403A1 (en) Method for routing data streams of a communication connection between users of a connectionless packet data network, and a packet data network, a control device and a program module therefore
US20070041357A1 (en) Interworking of hybrid protocol multimedia networks
US8675039B2 (en) Method of transferring communication streams
KR20100060658A (en) Apparatus and method for supporting nat traversal in voice over internet protocol system
US8032934B2 (en) Network security system and the method thereof
US7342905B1 (en) Communications system
CN112653661B (en) Media recovery method and system under VoIP network limitation
US8774163B2 (en) Communication system and method for implementing IP cross-domain interconnecting via border media gateway
US20070195694A1 (en) System for dynamic control of an ip network
JP2005252814A (en) Communication system, method, and program, and relay management device and program
US20050068944A1 (en) Multimedia video telephony
KR100527200B1 (en) method and apparatus for offer conference service in exchange switch
JP2004228616A (en) Call establishment on intranet and external network through dmz
KR20050027658A (en) Broadcasting system and method using gatekeeper in voice over internet protocol network
KR20070063788A (en) Access gateway providing voice over internet protocol service and method thereof

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080402

Termination date: 20121021