Methods and apparatus for securing access to a computer

Electrical computers and digital processing systems: multicomput – Computer-to-computer session/connection establishing – Network resources access controlling

Reexamination Certificate

C709S202000, C709S203000, C709S217000, C709S227000, C709S228000, C713S151000, C713S152000
06631417

ABSTRACT:

FIELD OF THE INVENTION
The present invention relates generally to methods and an apparatus for providing secure remote access to a computer, and more specifically to providing secure access to a computer behind a firewall.
BACKGROUND OF THE INVENTION
The Internet is a vast, globe-spanning collection of interconnected computer networks and the associated programs, protocols, and standards that enable these computers to communicate with each other. The World Wide Web (“web”), a popular application of the Internet, relies on some of these protocols and standards to make vast collections of digital content accessible via the Internet. Because basic web technologies are relatively simple, anyone may readily publish content ranging from simple text to demanding multi-media presentations.
The globe-spanning nature of the Internet permits a user to contact any computer connected to the Internet from any other computer connected to the Internet. This fundamental property of the Internet, combined with the ease of publishing content on the web, is largely responsible for the explosive growth of the Internet as a medium of communication.
An unfortunate side effect of the globe-spanning nature of the Internet is that any computer connected to the Internet may be a target for attack by meddlesome individuals from anywhere in the world. Indeed, there are countless reports of individuals gaining unauthorized access to computers and other devices connected to the Internet. Conventional wisdom, therefore, has been that sensitive, proprietary, or confidential information should not be stored on computers connected to the Internet. To do otherwise may expose these computers to outside attacks and risk compromising any sensitive data they contain.
However, because of the rapid growth in business-to-business electronic commerce, it is often desirable or even necessary to be able to share sensitive data via the Internet. For example, a company may need to share financial projections with potential investors, or a manufacturing partner may need design specifications for a new product. One way to protect such sensitive data is to use a firewall to restrict access to the computers storing the sensitive data.
A firewall is a combination of hardware and/or software that serves as a controlled link between one network, such as the Internet, and a protected network, such as a corporate Intranet. As used herein, a network referred to as “protected” or being “inside” or “behind” a firewall refers to a network that is being protected by the firewall. Conversely, a network referred to as “unprotected” or “less-protected” or being “outside” a firewall refers to a network that is not being protected by the firewall. For instance, a corporate Intranet is generally behind a firewall, whereas the Internet is outside the firewall.
Generally, a firewall examines packets arriving at the firewall and processes the packets according to a set of rules and policies. For example, a firewall may implement a policy of forwarding packets that originate behind the firewall but may deny or drop packets originating from outside the firewall. Rules may then provide for limited exceptions to the more general policies. A common rule is to allow a packet originating outside the firewall to pass through if it is a response to a packet that originated within the protected network. A rule such as this is necessary for the Internet services that use the Transmission Control Protocol (TCP), because TCP requires a receiving computer to send acknowledgments of data that has been received.
Another common rule is to allow packets from specific IP addresses or IP domains to pass through the firewall. Such a rule may be used, for example, to provide trusted individuals with access to proprietary data stored on a computer behind a firewall. However, this type of rule is, in a sense, a small hole in a firewall that lets packets pass through. Such holes are potential weak spots that may be exploited to gain unauthorized access to a computer and to any confidential information it may contain. For example, the originating IP address of a packet may be forged using a technique known as “source spoofing” to make a packet appear to come from a “friendly” IP address or domain when in fact the packet originated elsewhere. Source spoofing is only one form of attack that may be used in an attempt to gain unauthorized access; many other methods of exploiting weaknesses in firewall security are known in the art, and new forms of attack are continually being discovered.
Therefore, in view of the foregoing, it would be desirable to provide methods and an apparatus for securing a firewall against common forms of attack.
It would also be desirable to provide methods and an apparatus for allowing packets to pass through a firewall without weakening firewall protection.
In addition, it would be desirable to provide methods and an apparatus for providing secure access through a firewall.
SUMMARY OF THE INVENTION
It is, therefore, an object of the present invention to provide methods and an apparatus for securing a firewall against common forms of attack.
It is also an object of the invention to provide methods and an apparatus for allowing packets to pass through a firewall without weakening firewall protection.
It is another object of the invention to provide methods and an apparatus for providing secure access through a firewall.
These and other objects of the present invention are achieved by providing a multiplexer and a connection manager. The connection manager, located behind a firewall, establishes an outgoing connection to the multiplexer and sends the multiplexer a request message. The multiplexer, which is located outside of the firewall, receives and queues the request message, keeping the connection open.
A server outside the firewall receives a request from a client and forwards it to the multiplexer. The multiplexer dequeues the previously queued request message and creates a response message containing the client request. The response message, including the client request, is then sent to the connection manager.
The connection manager removes the client request from the response message and sends it to a protected application, or back-end, for processing. When the processing has been completed, the connection manager sends the back-end response to the multiplexer in another request message. The multiplexer removes the response from the request message and passes the response to the outside server for sending to the requesting client.
As a result of this process, all packets passing through the firewall originate behind the firewall or are responses to packets originating behind the firewall.
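The exchange described in the summary, together with the stateful firewall policy from the background section, as an added Python model that is not part of the patent and not the inventor's code. It assumes names of its own (`StatefulFirewall`, `Multiplexer`, `ConnectionManager`, `serve_through_firewall`), a FIFO queue for the held request messages, and that the connection manager reuses the connection identifier when it returns the back-end answer so the multiplexer can correlate it with the waiting client; the patent text does not specify that correlation mechanism. The sample client request and back-end function are constructed for the demonstration.

```python
from collections import deque
from dataclasses import dataclass

INSIDE, OUTSIDE = "inside", "outside"


@dataclass(frozen=True)
class Packet:
    src_zone: str   # zone the packet originates from
    conn_id: str    # identifies the TCP connection the packet belongs to
    kind: str       # "request" (new message) or "response" (answer on an open connection)
    payload: str


class StatefulFirewall:
    """Policy from the background section: forward packets that originate
    inside; admit an outside packet only when it is a response on a
    connection that an inside host opened."""

    def __init__(self):
        self.inside_connections = set()
        self.log = []   # (verdict, conn_id, reason)

    def forward(self, pkt):
        if pkt.src_zone == INSIDE:
            self.inside_connections.add(pkt.conn_id)
            self.log.append(("allow", pkt.conn_id, "originated inside"))
            return True
        if pkt.kind == "response" and pkt.conn_id in self.inside_connections:
            self.log.append(("allow", pkt.conn_id, "response to inside-originated connection"))
            return True
        self.log.append(("deny", pkt.conn_id, "unsolicited inbound"))
        return False


class Multiplexer:
    """Outside the firewall: queues the connection manager's open request
    messages and answers each one with a waiting client request."""

    def __init__(self):
        self.open_requests = deque()   # request messages held open (FIFO is an assumption)
        self.client_results = {}       # conn_id -> back-end answer, for the outside server

    def queue_request(self, pkt):
        self.open_requests.append(pkt.conn_id)

    def wrap_client_request(self, client_request):
        # Dequeue a held request and answer it with a response carrying the client request.
        conn_id = self.open_requests.popleft()
        return Packet(OUTSIDE, conn_id, "response", client_request)

    def unwrap_backend_response(self, pkt):
        # The back-end answer arrives inside a fresh request message from the manager.
        self.client_results[pkt.conn_id] = pkt.payload


class ConnectionManager:
    """Behind the firewall: opens outbound connections, hands the unwrapped
    client request to the protected back-end, and returns the answer in a
    new outbound request message."""

    def __init__(self, backend):
        self.backend = backend
        self._next = 0

    def open_request(self):
        self._next += 1
        return Packet(INSIDE, f"conn-{self._next}", "request", "ready")

    def process(self, resp):
        answer = self.backend(resp.payload)
        # Assumption: the same conn_id is reused so the multiplexer can correlate the answer.
        return Packet(INSIDE, resp.conn_id, "request", answer)


def serve_through_firewall(client_request, backend):
    """Run one full exchange; return (back-end answer, firewall log)."""
    fw, mux, cm = StatefulFirewall(), Multiplexer(), ConnectionManager(backend)

    # 1. Connection manager opens an outbound connection and sends a request message.
    req = cm.open_request()
    if not fw.forward(req):
        raise RuntimeError("outbound request message was blocked")
    mux.queue_request(req)

    # 2. The outside server hands the client request to the multiplexer, which
    #    dequeues the held request and answers it with the client request.
    resp = mux.wrap_client_request(client_request)
    if not fw.forward(resp):
        raise RuntimeError("response on inside-originated connection was blocked")

    # 3. Connection manager unwraps, calls the back-end, and sends another request message.
    reply = cm.process(resp)
    if not fw.forward(reply):
        raise RuntimeError("outbound reply message was blocked")
    mux.unwrap_backend_response(reply)
    return mux.client_results[reply.conn_id], fw.log


def unsolicited_inbound_is_forwarded():
    """A direct inbound request that no inside host solicited: the policy drops it."""
    probe = Packet(OUTSIDE, "conn-direct", "request", "GET /design-spec")  # constructed probe
    return StatefulFirewall().forward(probe)


if __name__ == "__main__":
    answer, log = serve_through_firewall("design-spec-rev3", lambda q: "spec:" + q)
    print(answer)
    for entry in log:
        print(entry)
    print("direct inbound forwarded:", unsolicited_inbound_is_forwarded())
```

Every packet the model passes through the firewall is either inside-originated or a response on an inside-originated connection, which is the property the last paragraph states; the firewall log records the reason for each verdict, and the direct inbound probe shows the same policy denying a packet that arrived without such a connection.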


REFERENCES:
patent: 5550984 (1996-08-01), Gelb
patent: 5623601 (1997-04-01), Vu
patent: 5696898 (1997-12-01), Baker et al.
patent: 5699513 (1997-12-01), Feigen et al.
patent: 5768503 (1998-06-01), Olkin
patent: 5778174 (1998-07-01), Cain
patent: 5784463 (1998-07-01), Chen et al.
patent: 5790809 (1998-08-01), Holmes
patent: 5805803 (1998-09-01), Birrell et al.
patent: 5826029 (1998-10-01), Gore, Jr. et al.
patent: 5828833 (1998-10-01), Belville et al.
patent: 5828893 (1998-10-01), Wied et al.
patent: 5835726 (1998-11-01), Shwed et al.
patent: 5848161 (1998-12-01), Luneau et al.
patent: 5864666 (1999-01-01), Shrader
patent: 5898830 (1999-04-01), Wesinger, Jr. et al.
patent: 5903732 (1999-05-01), Reed et al.
patent: 5915087 (1999-06-01), Hammond et al.
patent: 5944823 (1999-08-01), Jade et al.
patent: 5960177 (1999-09-01), Tanno
patent: 5968176 (1999-10-01), Nessett et al.
patent: 5983350 (1999-11-01), Minear et al.
patent: 6032259 (2000-02-01), Nemoto
patent: 6052788 (2000-04-01), Wesinger, Jr. et al.
patent: 6061797 (2000-05-01), Jade et al.
patent: 6088796 (2000-07-01), Cianfrocca et al.
patent: 6105067 (2000-08-01), Batra
patent: 6167522 (2000-12-01), Lee et al.
patent: 6212640 (2001-04-01), Abdelnur et al.
patent: 6345300 (2002-02-01), Bakshi et al.
patent: 6363478 (2002-03-01), Lambert et al.
patent: 6463474 (2002-10-01), Fuh et al.
D'Alotto, Leonard