Firewall port switching

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate


Details

C709S239000

Reexamination Certificate

active

06651174

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to a network system which is employed in the access to servers via networks from client terminals.
This application is based on patent application No. Hei 10-146372 filed in Japan, the contents of which are incorporated herein by reference.
2. Description of the Related Art
Conventionally, corporate LAN (local area network) environments employed various controls required by the main business, so that connecting such LAN systems via the internet has been difficult, owing to problems (described hereinbelow) regarding which protocols may be permitted to pass through firewalls, and the like.
However, recently, as a result of the penetration of distributed computing technologies and the spread of Java, it has become possible to construct network systems by connecting company-wide LAN systems via the internet. When this type of network system is constructed, security is maintained by installing a firewall.
Here, a firewall is a system installed at the point of attachment between the information system itself and the internet; it prevents unpermitted intrusions by unauthorized individuals and keeps out computer viruses.
Furthermore, in network systems having firewalls such as that described above, security policies may restrict the classes of protocols that may be employed in this environment; by disallowing the passage of freely selected protocols, security is maintained.
FIG. 5 shows the outlines of the composition of the conventional network system described above. In this figure, reference 1 indicates the internet, in which a plurality of networks are connected to one another, and in the example shown in FIG. 5, internet 1 connects the LAN of company A and the LAN of company B. In company A, reference 2 indicates a database server which stores various databases in a storage unit, and this is connected to internet 1 via firewall 3. It is only possible for authorized terminals to access the database server 2 via firewall 3. Unauthorized terminals are incapable of accessing database server 2 through firewall 3. Reference 4 indicates a public WWW (world wide web) server which is connected to the internet 1, and this is freely accessible by any terminal irrespective of its authorized or non-authorized status.
In company B, reference 5 indicates a database server which stores various databases in the storage unit thereof; this is connected to internet 1 via firewall 6. Only authorized terminals are capable of accessing this database server 5 via firewall 6. Reference 7 indicates a public WWW server which is connected to internet 1, and this server is accessible by terminals irrespective of their authorized or non-authorized status. Reference 8 indicates a company internal WWW server which is connected to internet 1 via firewall 6; this company internal WWW server 8 may be accessed via firewall 6 only by authorized terminals.
FIG. 6 shows the main parts of the composition of a conventional network server. In this figure, reference 9 indicates a client terminal which is installed on the client side and is connected to internet 1. This client terminal 9 accesses the WWW server 13 and the database server 19 described hereinbelow via internet 1. In client terminal 9, reference 10 indicates a client application program which is executed by client terminal 9; this program conducts communication control, encryption control, protocol control, and the like. Furthermore, the client application program 10 is the program executed when applications on the other company's side are used from client terminal 9 via internet 1. Reference 11 indicates an encrypted communication control unit, which controls an encryption-dedicated protocol (for example, SSL, secure socket layer) for encrypting and decrypting datagrams passing through specified, predefined protocol service ports, irrespective of the attributes of the data. Reference 12 indicates a session management unit which manages the sessions.
WWW server 13 is connected to internet 1 via firewall 14, and is a terminal which begins operating when started up from client terminal 9. Here, a plurality of ports are provided in firewall 14, and these ports may be broadly classified into standard ports for the communication of protocols from unauthorized client terminals 9, and security communication ports for communicating only those protocols from authorized client terminals 9.
In the WWW server 13 described above, reference 15 indicates an encrypted communication control unit having a function identical to that of the encrypted communication control unit 11 described above. Reference 16 indicates a session management unit which manages the sessions. Reference 17 indicates a server application program which is executed by WWW server 13 and which controls communications with client terminals 9. Reference 18 indicates a DB (database) communication control unit which controls access to database 20 described hereinbelow. Database server 19 stores database 20 in the memory unit thereof.
Here, the operation of the network system shown in FIG. 6 will be explained using the operation explanatory diagrams shown in FIGS. 7A and 7B. FIG. 7A serves to explain the access operation from an unauthorized client terminal 9_1 outside the company, while FIG. 7B serves to explain the access operation from unauthorized and authorized client terminals 9_1 and 9_2.
Here, in FIGS. 7A and 7B, client terminal 9_1 corresponds to one unauthorized client terminal 9 in FIG. 6, and is located outside the company. Client terminal 9_2 corresponds to a different, authorized client terminal 9 in FIG. 6, and is also located outside the company.
The firewalls 14 shown in FIGS. 7A and 7B have ports P_A and P_B. Ports P_A are assigned the port number #80 and are installed for the purposes of access from an unspecified large number of client terminals. Accordingly, the port number #80 of port P_A described above is public. On the other hand, port P_B is provided with a port number #X, and is installed for the purposes of access from authorized client terminals 9_2. Accordingly, this port number #X of ports P_B is a number which may only be employed in communications by the clients of client terminals 9_2 which have authorization. In other words, access to ports P_B is only possible from specified client terminals 9_2.
The public server 13_1 and private server 13_2 shown in FIGS. 7A and 7B correspond to the WWW server 13 shown in FIG. 6. Here, a client terminal 9_1 is provided with access to public server 13_1 via internet 1 and port P_A of firewall 14. On the other hand, a client terminal 9_2 accesses private server 13_2 via internet 1 and the port P_B of firewall 14. Reference 21 indicates a client terminal located within the company; since security is maintained on the inside of the firewall, this terminal may directly access public server 13_1 and private server 13_2.
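As an added illustration that is not part of the patent text, the FIG. 7 arrangement written as an nftables ruleset for firewall 14: the public port #80 (P_A) leads only to public server 13_1, the non-public port #X (P_B) leads only to private server 13_2, and any other connection from the internet side is dropped. The interface names, server addresses and the numeric value chosen for #X are assumptions.

```nft
# Added example: firewall 14 of FIG. 7 as an nftables ruleset (not from the patent).
# Interface names, server addresses and the numeric value of port #X are assumptions.
define WAN_IF      = "eth0"        # side facing internet 1
define LAN_IF      = "eth1"        # company-internal side (terminal 21 lives here)
define PUBLIC_SRV  = 192.0.2.10    # public server 13_1 (constructed address)
define PRIVATE_SRV = 192.0.2.20    # private server 13_2 (constructed address)
define PORT_X      = 45123         # placeholder for the non-public port number #X

table ip fw14 {
    # Port P_A (#80) and port P_B (#X) each lead to exactly one server.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname $WAN_IF tcp dport 80      dnat to $PUBLIC_SRV:80
        iifname $WAN_IF tcp dport $PORT_X dnat to $PRIVATE_SRV:80
    }

    # The forward chain sees the rewritten destination. "ct status dnat" admits
    # only flows that entered through P_A or P_B above; traffic from the internet
    # side that matched neither port falls through to the drop policy.
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname $WAN_IF ct status dnat ip daddr $PUBLIC_SRV  tcp dport 80 accept  # 9_1, 9_2 via P_A
        iifname $WAN_IF ct status dnat ip daddr $PRIVATE_SRV tcp dport 80 accept  # 9_2 via P_B only
        iifname $LAN_IF accept   # terminal 21 inside the firewall reaches both servers directly
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN_IF masquerade
    }
}
```

Load with `nft -f <file>`; note that in this conventional arrangement the only thing distinguishing authorized client 9_2 from 9_1 at the firewall is its knowledge of #X, exactly as the text above describes.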
In FIG. 7A, the unauthorized client terminal 9_1 commonly accesses public server 13_1 through port P_A of firewall 14 using http (hypertext transfer protocol). At this time, the http described above is capable of passing through port P_A.
Here, when an attempt is made to access private server 13_2 from client terminal 9_1, since the client of client terminal 9_1 does not know the port number #X of port P_B, it is impossible to pass through the firewall 14. In other words, the http from client terminal 9_1 is not capable of passing through port P_B, so that no communication is
