Data link between two computers and method for transmitting...

Electrical computers and digital processing systems: multicomput – Miscellaneous

Reexamination Certificate


Details

C709S232000, C709S238000, C709S227000, C709S228000


active

06820110

ABSTRACT:

BACKGROUND OF THE INVENTION
Any transmission of data between two computers raises questions of how secure such a transmission is against unauthorized interception or even manipulation of the data or the transmission processes by unauthorized third parties. For companies, banks, and government authorities, an additional security concern arises if their own enterprise-wide computer network is to be protected against attacks from the outside, e.g., from the Internet. Especially if there is an active connection between the enterprise and the Internet, unauthorized access to the internal computer network of an enterprise can jeopardize data security in this computer network.
As described in “The Internet, From Access to 'Zine”, AT&T Technology, 1993, pp. 2-9, authored by Deborah Mills-Scofield, and “Firewalls and Security on the Internet”, 1996, ISBN 3-89319-875-x, authored by Cheswick and Bellovin, various computer systems with data links of different designs for data transmission are known. So-called firewalls are used to solve the security problems. At the firewalls the (TCP/IP) data packets are analyzed, unauthorized access is denied, and authorized requests are permitted. Firewalls do not, however, represent a physical separation between the internal computer network of an enterprise and the outside world. Rather, the data packets are analyzed by software (see p. 64, Sect. 3.3, Para. 1 and p. 88, Sect. 3.4, Para. 1 in “Firewalls and Security on the Internet”).
As described in “Firewall Systems”, authored by N. Pohlmann, a computer system of the type described above is known. A so-called application gateway is used as a lock element between two computers in a computer link. The first computer is, for example, part of the Internet, and the other computer is part, for example, of an in-house intranet. The application gateway ensures the physical disconnection of the two computers in the sense that when one computer is accessed from the other, the accessing computer appears not at its own address, but rather at the address of the application gateway so that individual data transfer processes can no longer be carried out. At the application gateway, software (a so-called proxy) is made available which during the data transfer moves the data packets back and forth between the computers. Even in the case of the computer system described in this article, the data packets are analyzed by software.
By manipulating these software-implemented firewalls from the outside or through some other unauthorized access, it is therefore still possible to obtain access to an in-house computer network from the outside and to threaten data security in an enterprise-wide computer network. If the security requirements of an enterprise are especially stringent, the known firewalls cannot offer adequate security.
It is therefore the object of this invention to make available more effective security mechanisms for stopping attacks by unauthorized third parties on computers on a data link.
SUMMARY OF THE INVENTION
The present invention pertains to a computer system that comprises at least a first computer, a second computer, and a data link between the first computer and the second computer for the purpose of transmitting data, whereby in the data link there is a lock element. Between the first computer and the lock element there is a first flood gate (inner flood gate [IFG]). Between the second computer and the lock element there is a second flood gate (outer flood gate [OFG]). When the first flood gate is closed the second flood gate is opened and, vice versa, when the second flood gate is closed the first flood gate is opened.
The invention also pertains to a process for transmitting data between a first computer and a second computer via a data link, whereby the data is transmitted in one direction by the first computer through an opened first flood gate to a lock element. When the first flood gate is closed, and the second flood gate is opened, data is transmitted through the second flood gate to the second computer. When the data moves in the opposite direction the process takes place in the opposite sequence.
The first computer can be, for example, part of an internal enterprise-wide computer network. The second computer can be designed as a computer in the World-Wide Net.
The invention proposes, based on the computer system of the type mentioned above, that the data link be designed as an Integrated Services Digital Network (ISDN) connection according to the Net Terminal Base Adapter (NTBA) Standard, that the transfer of data from the first computer be carried out via a third computer that is located in a common computer network with the first computer and vice versa via the lock element to the second computer, whereby the establishment of a data link and the transfer of data between the third computer and the lock element and between the second computer and the lock element are carried out via the two B-channels of the ISDN connection according to the NTBA Standard.
According to the invention, technical provisions are thus made in the computer system that ensure that it is not technically possible to establish a data link from the first computer to the third computer at the same time as a link is established from the third computer to the second computer. To accomplish this, it is proposed that in each case the two B-channels of an ISDN connection be used to provide a data link from the first computer to the third computer or from the third computer to the second computer. This will make it possible to meet very rigorous security requirements at comparatively low cost.
An ISDN connection according to the NTBA Standard has two bearer channels (B-channels) and a data channel (D-channel). Thus, the ISDN-NTBA configuration allows a maximum of two data-transfer links at one time. The data link is designed in such a way that when the third computer establishes a connection with the lock element in order to transfer data, this requires the two B-channels of the ISDN-NTBA configuration. The lock element is dialed up via one B-channel, and the data transfer link to the lock element is established via the second B-channel (the first flood gate is opened). It is therefore impossible to set up a link between the lock element and the second computer at the same time since the ISDN-NTBA configuration no longer has a free B-channel available (the second flood gate cannot be opened).
If, in the opposite situation, there is already a connection between the second computer and the lock element (second flood gate is opened) via one of the two B-channels, the third computer can no longer set up a link to the lock element (the first flood gate cannot be opened) since, as explained above, this requires both B-channels of the ISDN-NTBA configuration. By making dual use of the same NTBA, i.e., on the one hand at the third computer and on the other at the lock element, the lock function of the data link of the computer system according to the invention can be implemented in a simple fashion.
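As an added illustration that is not part of the patent text, the following Python model enforces the flood-gate exclusion purely through the B-channel budget of a single NTBA, as the two paragraphs above describe: the inner gate consumes both B-channels, the outer gate one, so neither can open while the other is held. The gate names, channel counts and the `inspect` callback standing in for the lock element's analysis step are assumptions drawn from the text.

```python
B_CHANNELS = 2     # one NTBA: two bearer channels (the D-channel is not modelled)
IFG_CHANNELS = 2   # third computer -> lock element: dial-up channel plus transfer channel
OFG_CHANNELS = 1   # lock element -> second computer: one transfer channel


class LockElement:
    """Lock element whose two flood gates share the B-channels of one NTBA."""

    def __init__(self):
        self.channels_in_use = 0
        self.gate_open = {"IFG": False, "OFG": False}
        self.buffer = None        # data held inside the lock between the gates

    def open_gate(self, gate):
        need = IFG_CHANNELS if gate == "IFG" else OFG_CHANNELS
        if self.channels_in_use + need > B_CHANNELS:
            return False          # no free B-channel: the gate cannot be opened
        self.channels_in_use += need
        self.gate_open[gate] = True
        return True

    def close_gate(self, gate):
        if self.gate_open[gate]:
            self.channels_in_use -= IFG_CHANNELS if gate == "IFG" else OFG_CHANNELS
            self.gate_open[gate] = False


def transfer_inner_to_outer(lock, data, inspect=lambda d: True):
    """Inner computer -> lock -> outer computer, in the sequence the text describes."""
    if not lock.open_gate("IFG"):
        return None
    lock.buffer = data                 # data enters the lock through the inner gate
    lock.close_gate("IFG")             # inner gate shut before anything leaves the lock
    if not inspect(lock.buffer):       # analysis runs while both gates are shut
        lock.buffer = None
        return None
    if not lock.open_gate("OFG"):
        return None
    out, lock.buffer = lock.buffer, None
    lock.close_gate("OFG")
    return out


def gates_are_exclusive():
    """The channel budget alone keeps the two gates from being open at once."""
    lock = LockElement()
    r = [lock.open_gate("IFG"), lock.open_gate("OFG")]   # IFG holds both channels
    lock.close_gate("IFG")
    r += [lock.open_gate("OFG"), lock.open_gate("IFG")]  # OFG holds one; IFG needs two
    lock.close_gate("OFG")
    return r
```

Transfers in the opposite direction follow the same steps with the gate names swapped, as the summary above states.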
The lock element is designed as, e.g., a computer. The data link of the computer system according to the invention produces a slight time delay in data transfer that the user will hardly notice. During this time delay the flood gates are opened and closed and the data to be transferred is analyzed. By properly controlling the sequence of the individual steps in the data transfer, the time delay can be reduced to a minimum.
According to an advantageous enhancement of the invention, it is proposed that the first computer be located in a first computer network. The first computer is preferably designed as a server for a computer network, and the first computer network is preferably designed as an internal enterprise-wide network. In such in-house computer networks, data security is especially important. Many enterprises have now begun to handle a large portion of their company business completely electronically via their in-house computer networks. Unauthorized access to these computer networks from the outside or

Profile ID: LFUS-PAI-O-3352476