Multiplex communications – Pathfinding or routing – Switching a message which includes an address header
Reexamination Certificate
2000-07-26
2004-06-22
Duong, Frank (Department: 2666)
C370S395200, C370S401000, C709S229000, C709S249000, C713S152000
active
06754212
ABSTRACT:
BACKGROUND OF THE INVENTION
The present invention relates to the security of a computer connected to a network system, and particularly to a method of constituting a network system which executes access control and relays the communications of applications through mutual cooperation of fire walls.
As a method of preventing invasion into a computer through a network, a repeater (fire wall) has been proposed to restrict access from outside.
A typical fire wall has a function, as described in the “Computer Security Resource Clearinghouse” of NIST (National Institute of Standards and Technology), to control accesses depending on the IP (Internet Protocol) addresses of the transmitting side and receiving side and on the kind of service, and to store the access record.
Moreover, as a repeater for relaying communication between a client and a server in an environment where fire walls exist, there is SOCKS V5, proposed in RFC 1928. SOCKS defines mutual identification between the client and the repeating server, and a SOCKS protocol for issuing a connection instruction to the repeating server, whereby communication between a client and a server separated by one fire wall can be realized.
Moreover, there are gateway protocols such as RIP (Routing Information Protocol: RFC 1058) and OSPF (Open Shortest Path First: RFC 1131) as mechanisms to realize dynamic exchange of repeating route information in the IP layer.
With the rapid development of the Internet, a person can obtain various kinds of information generated around the world on a real-time basis, but on the other hand is in turn threatened by external invasion. As effective measures against such external invasion, it has been proposed (1) to limit the IP addresses that may access each service and (2) to provide a gateway (a fire wall in the narrow sense) that stores the access record. Use of such a fire wall in the narrow sense has reduced the threat from an external invader by keeping the operating environment of the gateway itself consistent and localizing the range that an administrator must control.
However, when access control is executed using the technique of the related art, since the object of access control is information incorporated in a computer, such as class of service and IP address, there is a problem that access control based on users cannot be realized. For example, the desired access control becomes impossible for a computer to which the IP address is assigned dynamically, or for a class of service that is limited to particular users.
Moreover, in a private network utilizing the Internet, a fire wall plays a very important role for security, and internal fire walls are increasingly installed in the private network in order to protect sub-networks. Several problems must be solved for communication in an environment where a plurality of fire walls exist. For example, when communication that passes the internal fire wall protecting a sub-network is attempted from a computer of an external network, the communication must be repeated between the external fire wall and the internal fire wall.
However, since the routing information for the internal fire wall provided for repeating is concealed from the external network, such routing information must be obtained by some method.
FIG. 1 shows an example of the problem explained above. When a client 101 attempts to communicate with a server accommodated in the network 106 of A corporation, an external fire wall 102 repeats the communication. Since the external fire wall 102 can obtain the routing information to the server 104 for communication with the server 104 in the network 106 of A corporation, the communication can be repeated. However, since the server 105 is concealed by the internal fire wall 103, for communication with the server 105 accommodated in the sub-network 107 the external fire wall 102 cannot obtain the routing information to the server 105, and thereby this communication cannot be repeated.
Moreover, in the case of communication between two networks connected through an external network, communication between the respective internal fire walls cannot be realized unless the routing information identifying the internal fire wall is set in the external fire wall.
FIG. 2 shows an example of the problem explained above. A client 201 accommodated in the network 210 is capable of communicating with a server 202 in the network 211 by registering the fire wall 206 as the route to the server 202 in the fire wall 205. However, when a server 204 is provided in the internal sub-network 214 of the network 213, since the route is concealed by the fire wall 208, the internal fire wall 209 cannot be registered in the fire wall 207.
OBJECT AND SUMMARY OF THE INVENTION
It is therefore an object of the present invention to provide a large-scale network system which enables communications to pass fire walls, and repeaters (fire walls) used in such a network, by solving the problems explained above and offering a means for exchanging repeating route information among a plurality of repeaters (fire walls).
Moreover, it is also an object of the present invention to provide a network system, and repeaters used therein, which enhance security and assure higher operational flexibility through access control based on the computer users and applications.
The objects explained above are achieved using the following means.
(1) Access control based on computer users and applications
Executing access control with computer users and applications as the objects of access control.
(2) Identification of computer users and applications
Identifying, for executing access control, that the communication was in fact requested by the person who issued the request.
(3) Data transfer in the repeaters having the access control function
Providing transparency of communication between computers having the access control functions.
The data transfer by the repeaters can be realized by providing, in the repeater, a repeating route control table that stores the correspondence between the address of the transmitting side computer and the address of the repeater provided to transfer data to that address, and by executing two kinds of processing: processing to select, from the data repeating route control table, the repeater provided on the route to the target computer in the receiving side so as to enable communication from the computer of the transmitting side, and processing to connect to the repeating program of the repeater identified by that selection and to request that repeater to repeat the communication with the receiving side.
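The route control table, the select-then-connect processing of this summary, and the user- and application-based access control of items (1) and (2), as an added Python model. This is illustrative code written for this page, not the patent's own implementation; the repeater names fw102/fw103, the documentation-range addresses, the "direct" sentinel, the format of the access-control rules and the exchange_routes helper are all assumptions. It reproduces the FIG. 1 failure (the external fire wall has no route to the concealed sub-network 107) and shows the relay chain completing once the internal fire wall has exchanged its route information.

```python
"""Relay route control table with user/application-based access control.

Added example (not the patent's code). Each repeater keeps a route control
table mapping destination networks to the repeater that forwards to them,
selects the next repeater for a request, and chains the request onwards.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Repeater:
    name: str
    address: str
    # Route control table: destination network -> address of the repeater
    # that forwards to it. The sentinel "direct" (an assumption of this
    # example) means this repeater delivers to the destination itself.
    routes: dict = field(default_factory=dict)


def select_repeater(repeater, dst_ip):
    """Longest-prefix match over the route control table.

    Returns the next-hop repeater address, "direct", or None when the
    destination is unknown (the concealed-route failure mode of FIG. 1).
    """
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_hop = None, None
    for net_str, next_hop in repeater.routes.items():
        net = ipaddress.ip_network(net_str)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


def relay_path(network, entry, dst_ip, max_hops=8):
    """Chain of repeater names from `entry` to the repeater serving dst_ip.

    Each hop consults only its own table, so a route known solely to an
    internal fire wall is unusable until the external one has learned it.
    Returns None when the chain cannot be completed or would loop.
    """
    path, current = [], entry
    for _ in range(max_hops):
        path.append(current.name)
        nxt = select_repeater(current, dst_ip)
        if nxt == "direct":
            return path
        if nxt is None or nxt not in network:
            return None
        current = network[nxt]
    return None  # hop limit reached: refuse rather than relay blindly


def exchange_routes(network, advertiser, receiver):
    """Receiver learns every destination the advertiser serves, with the
    advertiser as next hop (the route-information exchange among repeaters
    that the summary proposes). Existing entries are kept, so a more
    specific local route is never overwritten."""
    for net_str in advertiser.routes:
        receiver.routes.setdefault(net_str, advertiser.address)


def access_permitted(acl, user, application, dst_ip):
    """Items (1)/(2): relay only if a rule names this user, this application
    and a network containing the destination. Default deny."""
    dst = ipaddress.ip_address(dst_ip)
    return any(
        rule["user"] == user
        and rule["application"] == application
        and dst in ipaddress.ip_network(rule["dst"])
        for rule in acl
    )


def relay_request(network, entry, acl, user, application, dst_ip):
    """Full repeater decision: access control first, then route selection."""
    if not access_permitted(acl, user, application, dst_ip):
        return ("denied", None)
    path = relay_path(network, entry, dst_ip)
    return ("no-route", None) if path is None else ("relayed", path)


def build_fig1_network():
    """Constructed topology mirroring FIG. 1 (documentation address ranges)."""
    fw102 = Repeater("fw102", "192.0.2.1", {"198.51.100.0/24": "direct"})    # external fire wall 102
    fw103 = Repeater("fw103", "198.51.100.2", {"203.0.113.0/24": "direct"})  # internal fire wall 103
    return {fw.address: fw for fw in (fw102, fw103)}, fw102, fw103


# Constructed access-control rules: user + application + destination network.
ACL = [
    {"user": "alice", "application": "ssh", "dst": "203.0.113.0/24"},    # sub-network 107
    {"user": "alice", "application": "http", "dst": "198.51.100.0/24"},  # network 106
]


def demo():
    """Server 105 (203.0.113.10) is unreachable until fw103 advertises its route."""
    network, fw102, fw103 = build_fig1_network()
    before = relay_request(network, fw102, ACL, "alice", "ssh", "203.0.113.10")
    exchange_routes(network, fw103, fw102)  # internal fire wall advertises sub-network 107
    after = relay_request(network, fw102, ACL, "alice", "ssh", "203.0.113.10")
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print("before route exchange:", b)
    print("after route exchange:", a)
```

The access check runs before route selection so that a request the user is not entitled to make never causes a lookup or an onward connection; the hop limit in `relay_path` keeps a mis-advertised route from turning the repeater chain into a loop.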
REFERENCES:
patent: 5416842 (1995-05-01), Aziz
patent: 5548646 (1996-08-01), Aziz et al.
patent: 5623601 (1997-04-01), Vu
patent: 5689566 (1997-11-01), Nguyen
patent: 5699513 (1997-12-01), Feigen et al.
patent: 5793763 (1998-08-01), Mayes et al.
patent: 5802320 (1998-09-01), Baehr et al.
patent: 5826014 (1998-10-01), Coley et al.
patent: 5835726 (1998-11-01), Shwed et al.
patent: 5864683 (1999-01-01), Boebert et al.
patent: 5960177 (1999-09-01), Tanno
patent: 6111883 (2000-08-01), Terada et al.
Leech et al, SOCKS Protocol Version 5, RFC 1928, pp. 1-9, Mar. 1996.*
Atkinson et al, Security Architecture for the Internet Protocol, RFC 1825, pp. 1-22, Aug. 1995.*
Kayashima et al, Seamless VPN, INET97, pp. 1-11, Jul. 9, 1997.*
“Check Point Fire Wall-1”, Version 3.0, Jan. 1997, P/N 440-3000.
Terada, Masato, Yoshihara, Seiji, and Murayama, Yuko; “Access Control for Inter-Organizational Computer Network Environment”; Issued Jan. 26, 1996.
Kitakaku, Tomohiro and Katsumata, Masashi; “A Study on Authentication and Access Control Systems for Computer Network”; Issued Jan. 1994.
Fujiyama Tetsuya
Hirayama Kazunari
Kawashima Takahiko
Kayashima Makoto
Koizumi Minoru
TITLE: Repeater and network system utilizing the same