Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-12-01
2004-06-22
Sheikh, Ayaz (Department: 2131)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C713S152000, C713S152000, C713S152000, C709S223000, C709S224000, C709S226000, C709S227000, C709S229000, C709S237000
Reexamination Certificate
active
06754831
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates to the security of networks and, in particular, to the security of hosts communicating through a firewall.
BACKGROUND OF THE INVENTION
The number of organizations linking their internal networks to the Internet is growing at what appears to be an exponential rate. Access to the Internet enables computers on the organization's internal network to access the computers on other networks linked to the Internet. Likewise, the computers on the other networks linked to the Internet may access the computers on the organization's internal network, thus rendering an organization's computer resources vulnerable to unwelcome and potentially malicious outsiders.
For the purpose of explanation, entities to which network traffic may be directed are referred to herein as “hosts”. Examples of hosts include computers and printers.
One mechanism providing security against unwelcome outsiders is a firewall. A firewall is a combination of software and one or more network devices (e.g. routers) through which network traffic is directed. Firewalls are used to screen traffic between “internal” networks and “external” networks (e.g. networks linked to the Internet) for security purposes. Typically, a firewall protects resources on “internal” networks from undesired access via external networks by blocking or redirecting certain kinds of network traffic.
For example, referring to FIG. 1, corporate network 110 is protected by firewall 112 and thus corporate network 110 is internal relative to firewall 112. Host 182 is on an external network (not illustrated) that is linked to the Internet 228, and is external relative to firewall 112 and corporate network 110. Channel 192 represents a channel through which host 182 has attempted to connect to a web server on host 114, which is on corporate network 110. A web server is a server that communicates, for example, using the hypertext transfer protocol (HTTP). Firewall 112 prevents external host 182 from accessing the web server on host 114 by blocking the attempted connection. Channel 190, on the other hand, represents a connection by internal host 114 to a web server on external host 182 which is not blocked by firewall 112, thus permitting internal host 114 to access the web server on external host 182. Firewall 112 thus allows internal hosts to access web servers on external hosts, but does not allow an external host to access a web server on the internal network.
The terms “channel” and “connection” are used herein. A “channel” is a path of communication through which two or more processes may direct communication (as used herein, the term “process” refers to a process under the control of an operating system). For example, a process on internal host 114 may communicate to a process on external host 182 through a network link to firewall 112, and then through the Internet 228 to external host 182. This path of communication is referred to as a channel, or more specifically, channel 192. A “connection” is a channel that two active processes are currently using to communicate. These processes need not communicate using HTTP. For example, a connection exists on channel 190 when a process on internal host 114 is using channel 190 to communicate with a process on host 182.
Channels may be constructed from one or more connections. For example, a “tunnel” is a kind of channel which is built from one connection from an external host to a firewall, and another from that firewall to an internal host. Data from one host to the other travels through both connections (and the firewall). The two hosts involved generally treat this channel just like they would treat a simple connection, except for the tunnel setup phase.
The typical steps to establish a connection between a first process and a second process include (1) the first process requesting the connection to the second process, and (2) receiving acknowledgement that the second process will accept and transmit data to the first process over the connection. A host is considered to be “connected to” another host when a process on the host is connected to a process on the other host. Under these conditions, the host is also considered to be “connected to” the process that is on the other host.
Referring again to FIG. 1, internal host 114 may be accessed by internal host 116 without going through the firewall. Internal hosts on a network are said to be “behind” the firewall because network traffic flowing between them does not pass through the firewall. External hosts are said to be “outside” the firewall because traffic between external hosts and internal hosts passes through the firewall.
Often, it is desirable to treat some external hosts as hosts that are “virtually” behind the firewall, thus providing those external hosts a higher level of access to the internal network than is provided to other external hosts. For example, an organization may operate a first network 110 at a first physical location (e.g., the organization's headquarters) and a second network 130 at a second physical location that is remote relative to the first location. The first network and second network are both external relative to each other and are both linked to the Internet 228. The services available on internal hosts 114, 116 on the first network include corporate electronic mail servers and corporate business applications. Because the second network 130 serves the same organization, it is desirable to provide hosts (e.g., host 134) on the second network 130 the same level of access that is provided the hosts 114, 116 on the first network 110. By giving hosts on the second network 130 the same level of access as hosts on the first network 110, electronic mail servers and corporate business applications may be accessed by hosts 134 on the second network 130, even though the hosts 134 on the second network 130 are external to the first network 110.
One mechanism of providing such access is referred to as a virtual private network. In a virtual private network, one or more secure channels interconnect two or more networks. Secure channels usually provide for the secure transmission of data by, for example, encrypting data that flows through the secure channel. Secure channels often pass through public networks such as the Internet.
FIG. 1 shows an example of a virtual private network. Corporate network 110 and corporate network 130 form a virtual private network and are interconnected by secure channel 138.
Network traffic between networks within a virtual private network passes through one of the secure channels without being blocked by the firewall. For example, traffic between host 134 and host 114 is not blocked by firewall 132 or firewall 112. Thus host 134 is treated as if host 134 is behind firewall 112.
It is possible that an unwelcome outsider may, by gaining access to one network within a virtual private network, compromise the security of every network within a virtual private network. For example, an unwelcome outsider may, by gaining access to host 134, gain access to corporate network 130 and corporate network 110.
To prevent a virtual private network from being compromised in this fashion, network traffic to and from hosts outside a virtual private network (i.e. a host connected to a network not part of the virtual private network) is often “consolidated” through one network. Specifically, all network traffic to and from members of a virtual private network is “funneled” through one network and its firewall. The network whose firewall is used to funnel the traffic between the members of the virtual private network is referred to as the “primary” network. The other networks within the virtual private network are referred to herein as “subsidiary” networks. A host on the subsidiary network is referred to as a subsidiary host.
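The admission rules the background section states for FIG. 1 (internal-to-external allowed, external-to-internal blocked, VPN members treated as behind the firewall, non-VPN traffic funneled through the primary network's firewall) can be written down as a small policy model. This is an added example, not code from the patent; the host, network and firewall numbers are the figure's reference numerals, and the assumption that a subsidiary network's traffic traverses its own firewall before the primary one is the author's reading of the text.

```python
from dataclasses import dataclass

# FIG. 1 topology: which network each host sits on ("internet" stands for
# the unillustrated external network of host 182), and each network's firewall.
HOST_NETWORK = {114: 110, 116: 110, 134: 130, 182: "internet"}
FIREWALL = {110: 112, 130: 132}
VPN = {110, 130}        # networks joined by secure channel 138
PRIMARY = 110           # network whose firewall funnels all non-VPN traffic


@dataclass
class Decision:
    allowed: bool
    firewalls: list     # firewalls the traffic traverses, in order
    reason: str


def path_to_internet(net):
    """Firewalls crossed between a VPN network and a host outside the VPN.
    Assumption: a subsidiary network's traffic passes its own firewall and is
    then funneled through the primary network's firewall (the 'consolidation'
    rule above)."""
    if net == PRIMARY:
        return [FIREWALL[net]]
    return [FIREWALL[net], FIREWALL[PRIMARY]]


def connect(src, dst):
    """Decide whether a connection attempt from host src to host dst is admitted."""
    s_net, d_net = HOST_NETWORK[src], HOST_NETWORK[dst]
    if s_net == d_net:
        return Decision(True, [], "both hosts are behind the same firewall")
    if s_net in VPN and d_net in VPN:
        # Secure channel: the remote VPN host is treated as if it were behind
        # the local firewall, so neither firewall blocks the traffic.
        return Decision(True, [FIREWALL[s_net], FIREWALL[d_net]],
                        "secure channel between VPN members")
    if s_net in VPN:
        # Internal host reaching an external web server (channel 190 case).
        return Decision(True, path_to_internet(s_net),
                        "internal-to-external connection permitted")
    # External host attempting to reach a VPN host (channel 192 case): the first
    # firewall it meets is the primary network's, which blocks the connection.
    blocked_at = FIREWALL[PRIMARY]
    return Decision(False, [blocked_at],
                    f"external-to-internal connection blocked by firewall {blocked_at}")
```

Because every path into the VPN from outside now meets firewall 112 first, the model shows why compromising subsidiary network 130 no longer gives an outsider an unfiltered route into network 110.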
For example, corporate network 110 is the primary network. Firewall 112 prevents network tra
Arani Taghi T.
Finnegan Henderson Farabow Garrett & Dunner L.L.P.
Sheikh Ayaz
Sun Microsystems Inc.
LandOfFree