Network system using a firewall dynamic control method

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate


Details

Classification: C709S223000
Type: Reexamination Certificate
Status: active
Patent number: 06643778

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to a network system such as a VPN (Virtual Private Network), and more particularly to a network system that uses a firewall.
2. Description of Related Art
In recent years, networks that connect multiple Intranets to each other over the internet have been proposed. Such networks are called extranets.
A VPN is one form of extranet. By constructing a VPN, it is possible to dynamically form a work group that extends within a company or between companies. With such a dynamic network, application groups in each Intranet can be linked with the internet as the base network.
When constructing an extranet, both flexibility and security must be ensured for each Intranet. This requires work groups whose members have restricted access to information and services but are not bound by any physical network restriction, together with a flexible and unified interface for providing services to work groups and for connecting and disconnecting users.
An extranet built on a VPN can be viewed as a virtual extension of an Intranet. It is therefore preferable that the environment of each Intranet participating in a work group be the same as that of the Intranet when operated on its own. To accomplish this, the firewall that protects an Intranet against access from another Intranet should preferably be the same firewall that protects it against access from an outside terminal.
With an Intranet operated individually, there are firewalls that use the methods shown below as firewalls for protecting the Intranet when accessing from an outside terminal. These methods can be used individually or in hybrid form to construct a firewall.
(1) Packet Filtering Method
This method decides which packets may pass through the firewall based on the IP (Internet Protocol) addresses in the packet and on the port numbers, which identify the application providing the service to the client.
(2) Circuit Level Gateway Method
This method relays or proxies the data of specific applications at the TCP (Transmission Control Protocol) layer. SOCKS is the standard technology used for it.
(3) Application Gateway Method
This method installs, for each protocol, a proxy program that answers on behalf of specific applications such as HTTP (Hyper Text Transfer Protocol) or FTP (File Transfer Protocol).
(4) Extended Packet Filtering Method
This method registers with the firewall, for each application, a script in which the transactions between requests and responses have been expressed as rules, and allows only packets that satisfy the rules to pass through.
However, when using the methods described above as a firewall for protecting Intranets that form a work group, in other words, a firewall for protecting the Intranet from access from other Intranets, there are the following disadvantages.
With the packet filtering method, IP addresses are monitored as described above, but these addresses are assigned per client (the computer used as the user terminal). The relationship between a client and a server (a computer providing services inside the firewall) is therefore fixed, so the flexibility needed to form a dynamic work group cannot be ensured. Furthermore, because every packet must have its addresses inspected, a firewall implemented purely in software cannot deliver sufficient throughput, and the firewall has to be built with dedicated hardware.
With the circuit level gateway method, handling at the TCP (Transmission Control Protocol) layer is required. Deploying such a firewall on an Intranet therefore means replacing the TCP/IP library groups at the client OS (Operating System) layer, and server applications must be modified in software whenever TCP/IP changes are made.
With the application gateway method, a proxy program must be provided within the firewall for each element application used to build work groups. Whenever an element application is added to an Intranet, a new proxy program must be developed and the firewall settings must be changed.
With the extended packet filtering method, as with the application gateway method, adding an element application to an Intranet requires registering a new script and changing the firewall settings.
For these reasons, it is difficult to use the firewall of an individually operated Intranet for an extranet.
SUMMARY OF THE INVENTION
An object of the present invention is to provide a suitable firewall for an extranet.
To achieve this, the network system of the present invention comprises: a first Intranet and a second Intranet connected to each other over the internet; a first dynamic proxy server forming a firewall that protects the first Intranet; a second dynamic proxy server forming a firewall that protects the second Intranet; a remote access terminal connected to the first Intranet; a first object directory server installed in the first Intranet, which determines whether a service requested from the remote access terminal is provided in the first Intranet or in the second Intranet; and a second object directory server installed in the second Intranet, which dynamically installs a service proxy in the second dynamic proxy server when the service is provided in the second Intranet.
With such a structure, it is possible to protect multiple Intranets with a firewall while connecting and providing services to each other using the internet as a base.
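The following is an added illustration, not code from the patent, of the contrast the description draws: the static packet filter of method (1), whose rules bind a client address to a fixed server and port, beside the claimed arrangement in which an object directory server decides whether a requested service is local or remote and the providing side installs a service proxy into its dynamic proxy server only for that service, removing it again when the work group is dissolved. All intranets, host addresses, service names and the `ServiceProxy`/`DynamicProxyServer`/`ObjectDirectoryServer` classes are constructed for the example and are not identifiers from the patent.

```python
"""Toy model of the extranet firewall described above (added illustration,
not code from the patent).  Every host, address and service name here is
constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


class PacketFilter:
    """Method (1): a static allow-list binding a client network to one
    server address and port.  Anything not listed is dropped."""

    def __init__(self, rules):
        # rules: [(client_network, server_ip, port)]
        self.rules = [(ipaddress.ip_network(n), s, p) for n, s, p in rules]

    def allows(self, pkt: Packet) -> bool:
        src = ipaddress.ip_address(pkt.src)
        return any(src in net and pkt.dst == srv and pkt.dport == port
                   for net, srv, port in self.rules)


@dataclass
class ServiceProxy:
    """Per-service relay that the dynamic proxy server hands requests to."""
    service: str
    backend: str

    def forward(self, request: str) -> str:
        # Stand-in for relaying the request to the backend host.
        return f"{self.backend}/{self.service}: {request}"


class DynamicProxyServer:
    """Firewall of one intranet: relays only services for which a service
    proxy is currently installed; everything else is dropped (None)."""

    def __init__(self):
        self.proxies = {}

    def install(self, service: str, backend: str) -> None:
        self.proxies[service] = ServiceProxy(service, backend)

    def uninstall(self, service: str) -> None:
        self.proxies.pop(service, None)

    def relay(self, service: str, request: str) -> Optional[str]:
        proxy = self.proxies.get(service)
        return proxy.forward(request) if proxy else None

    def installed(self) -> list:
        return sorted(self.proxies)


class ObjectDirectoryServer:
    """Knows which services its own intranet provides (service -> backend
    host) and which peer directories to ask for anything else."""

    def __init__(self, services: dict, firewall: DynamicProxyServer):
        self.services = dict(services)
        self.firewall = firewall
        self.peers = []

    def provides(self, service: str) -> bool:
        return service in self.services

    def provision(self, service: str) -> bool:
        """Called from a peer intranet: open the named service through our
        firewall by installing a service proxy for it.  Unknown services are
        refused, so a peer cannot turn the firewall into an open relay."""
        if not self.provides(service):
            return False
        self.firewall.install(service, self.services[service])
        return True

    def revoke(self, service: str) -> None:
        """Close the service again when the work group is dissolved."""
        self.firewall.uninstall(service)


def remote_access(home: ObjectDirectoryServer, service: str, request: str) -> Optional[str]:
    """A remote access terminal on `home`'s intranet asks for `service`.
    The home directory decides local vs. remote; for a remote service the
    providing directory installs the proxy and the request is relayed
    through that intranet's firewall."""
    if home.provides(service):
        return ServiceProxy(service, home.services[service]).forward(request)
    for peer in home.peers:
        if peer.provides(service) and peer.provision(service):
            return peer.firewall.relay(service, request)
    return None  # no intranet in the work group offers it


def demo() -> dict:
    # Constructed sample topology: two intranets joined over the internet.
    fw_a, fw_b = DynamicProxyServer(), DynamicProxyServer()
    dir_a = ObjectDirectoryServer({"mail": "10.1.0.20"}, fw_a)
    dir_b = ObjectDirectoryServer({"orders": "10.2.0.30"}, fw_b)
    dir_a.peers.append(dir_b)

    results = {}
    results["before"] = fw_b.relay("orders", "GET /list")           # dropped: nothing installed
    results["remote"] = remote_access(dir_a, "orders", "GET /list")  # proxy installed on demand
    results["installed"] = fw_b.installed()
    results["unknown"] = remote_access(dir_a, "payroll", "GET /")    # nobody provides it
    dir_b.revoke("orders")
    results["after_revoke"] = fw_b.relay("orders", "GET /list")      # dropped again
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the contrast is where the decision lives: the packet filter can only be changed by editing its rules (a new work-group member from an unlisted network is dropped until an administrator adds one), whereas in the modelled arrangement the providing intranet's directory server opens exactly the requested service through its own firewall, and only if that service is one it actually offers.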


REFERENCES:
patent: 5590199 (1996-12-01), Krajewski, Jr. et al.
patent: 5974444 (1999-10-01), Konrad
patent: 6098172 (2000-08-01), Coss et al.
patent: 6104716 (2000-08-01), Crichton et al.
patent: 6112228 (2000-08-01), Earl et al.
patent: 6173322 (2001-01-01), Hu
patent: 6178505 (2001-01-01), Schneider et al.
patent: 6212565 (2001-04-01), Gupta
patent: 6330605 (2001-12-01), Christensen et al.
patent: 6385661 (2002-05-01), Guthrie et al.
patent: 6408336 (2002-06-01), Schneider et al.
patent: 6446109 (2002-09-01), Gupta
patent: 2001/0014881 (2001-08-01), Drummond et al.
Jeffrey et al, “Proxy-Sharing Proxy Servers” 1996, IEEE, p. 116-119.*
Nolle, “Making Bandwidth ‘Free’”, Apr. 26, 1999, Network World, vol. 16, #17, dialog text search, p. 1-3.*
Hokimoto et al, “An Approach for Constructing Mobile Applications Using Service Proxies” 1996, IEEE Proceedings of the 16th ICDCS, p. 726-733.*
Nakajima et al, “Adaptive Continuous Media Applications in Mobile Computing Environments”, 1997, IEEE, p. 152-160.*
Fox et al, “Security on the Move: Indirect Authentication Using Kerberos” 1996, ACM, p. 155-164.*
“Roxy + User's Guide”, Mar. 25, 2000, Program Version 3.00, p. 1-44.*
Chapman & Zwicky, O'Reilly & Associates, Inc. “Building Internet Firewalls”. Chapter 4, pp. 57-89, Chapter 6, pp. 131-188, and Chapter 7, pp. 189-205. Nov., 1995.
