System and method for connecting to a device on a protected...

Electrical computers and digital processing systems: multicomput – Computer-to-computer session/connection establishing – Network resources access controlling

Reexamination Certificate


Details

C709S201000, C710S044000, C710S220000, C713S152000, C705S054000, C370S466000


active

06742039

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention is directed to connecting to a device on a network. More specifically, the present invention is directed to connecting to a device on a network that is protected by an access control mechanism.
2. Description of Related Art and General Background
A network is a system of computers that are connected to each other (and possibly to terminals and other peripheral devices) by communications lines which may be physical and/or wireless. Each computer on a network may be generally classified as a ‘client’ (i.e. a computer that initiates requests) or a ‘server’ (i.e. a computer that receives and responds to requests), although a single computer may also perform different roles at different times. Transfers of information across the network are typically conducted in compliance with one or more network protocols to ensure that the information may be properly delivered and interpreted. One such protocol is the Hypertext Transfer Protocol or HTTP, an application-level protocol that provides a basis for information transfer across the Internet and is specified e.g. in RFC 2616 (“Hypertext Transfer Protocol—HTTP/1.1”), R. Fielding et al., June 1999, which document is available at http://www.ietf.org/rfc/rfc2616.txt. As shown in FIG. 1, HTTP is a query/response protocol in which an entity such as a client 30 directs a query for information to a specific resource (such as a file or web page, as identified by a Universal Resource Locator or URL) and another entity such as a server 40 forwards an appropriate response associated with that resource.
A local area network (or ‘LAN’) allows computers or terminals that are located near one another to share resources such as storage devices, printers, and other peripheral equipment. A LAN that is connected to a larger network may include one or more access points (or ‘gateways’) through which devices within the LAN may communicate with devices outside the LAN. Access control mechanisms (or ‘ACMs’) provide security against unauthorized access to the LAN by controlling or restricting the flow of information across the access points.
FIG. 2, for example, shows a LAN 230 that is connected to the Internet 250 only through an ACM 20a. Due to the presence of ACM 20a at this access point, a remote computer 20c that is connected to the Internet 250 may not freely interact with devices connected to LAN 230 such as computer 10a. Any request for information that is sent by remote computer 20c to computer 10a will be scrutinized by ACM 20a and may be rejected.
One type of ACM is a firewall. The term ‘firewall’ indicates a protective layer that separates a computer network from external network traffic, and this layer may be implemented in software, hardware, or any combination of the two. For example, firewall application software may be installed on a server to create a combination called a ‘firewall’ server.
Another type of ACM is a server (possibly a firewall server) running an application program that evaluates incoming requests according to a predefined set of rules. Such a device is called a ‘proxy server’ or simply a ‘proxy.’ To entities outside the network, the proxy may act as a server, receiving and evaluating incoming transmissions. To devices within the network, the proxy may act as a client, forwarding the incoming transmissions which conform to its rules. For example, the proxy may prevent executable files from entering the LAN but may pass all responses to HTTP queries that were sent by devices within the LAN.
Unfortunately, the characteristics that make firewalls or proxies effective in controlling the flow of information into the network also lead to increased complexity and cost. For example, when an entity outside the LAN, such as remote computer 20c, seeks to be connected with an entity within the LAN, such as computer 10a, complex and/or costly changes to the ACM may be necessary to permit the connection. In addition, a significant amount of processing resources must be expended to perform the task of evaluating all gateway traffic to ensure compliance with the network's security rules and thereby protect the network from potentially harmful traffic.
Some solutions to these problems of overhead—such as setting aside a dedicated, open port in the firewall through which external traffic may enter—may create unacceptable security risks. Other, more secure solutions include virtual private networks (VPNs), which use encryption to allow users on different networks to exchange information with each other in a secure manner over the Internet. This encryption effectively creates a secure “tunnel” between sender and receiver so that even though the information may pass through many other entities during transmission, it is accessible only to the sender and the receiver.
Although a VPN offers a higher level of security, no reduction in overhead processing is thereby achieved, as network traffic entering the LAN through the VPN must still pass through and be evaluated by the ACM. Adding a VPN to an existing network also involves a significant investment in resources and may introduce bugs or errors into a stable system. Furthermore, in many network installations it may not be feasible to reconfigure an existing ACM to support communication with every new external entity that may be desired, as such modifications require extensive resources and testing. To avoid these costs and risks, another approach is desired.
SUMMARY
A system and method according to an embodiment of the invention allows an external entity to communicate with a device within a network protected by an access control mechanism. The external entity sends a request directed to the device to an intermediary (hereinafter a “trusted arbitrator”). The trusted arbitrator communicates the request to a connection entity which is located within the protected network. The trusted arbitrator communicates this request to the connection entity by attaching it to a response to a request from the connection entity. The connection entity then forwards the request to the device.
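The relay described in the summary, as an added illustration that is not code from the patent: the connection entity inside LAN 230 only ever makes outbound requests to the trusted arbitrator (traffic the ACM already permits), and the arbitrator attaches a queued external request to its response. The per-network queue, the one-request-per-response limit and the device allowlist held by the connection entity are assumptions of this example; the allowlist is the check a defender would want, since the connection entity becomes the effective policy point for which internal devices the arbitrator can reach.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Request:
    target: str      # name of the device inside the protected network
    path: str        # resource requested on that device
    body: str = ""


@dataclass
class TrustedArbitrator:
    """Intermediary outside the ACM; holds external requests until the
    connection entity polls for them (assumed queue-per-network design)."""
    pending: dict = field(default_factory=lambda: defaultdict(deque))

    def accept_external(self, network_id: str, req: Request) -> None:
        # External entity (e.g. remote computer 20c) sends a request "directed
        # to the device" to the arbitrator instead of to the ACM.
        self.pending[network_id].append(req)

    def respond_to_poll(self, network_id: str) -> dict:
        """Answer the connection entity's outbound request; at most one
        queued external request rides along in the response (assumption)."""
        queue = self.pending[network_id]
        attached = queue.popleft() if queue else None
        return {"status": 200, "attached_request": attached}


@dataclass
class ConnectionEntity:
    """Lives inside the protected LAN; all of its traffic is outbound."""
    network_id: str
    devices: dict               # assumed allowlist: device name -> handler
    arbitrator: TrustedArbitrator
    log: list = field(default_factory=list)

    def poll_once(self):
        resp = self.arbitrator.respond_to_poll(self.network_id)
        req = resp["attached_request"]
        if req is None:
            return None                      # nothing waiting this round
        handler = self.devices.get(req.target)
        if handler is None:                  # refuse to reach unknown devices
            self.log.append(f"dropped request for unknown device {req.target!r}")
            return None
        return handler(req)                  # forward to the device


def simulate():
    """Constructed scenario: 20c asks for /status on devices 10a and 10b."""
    arb = TrustedArbitrator()
    ce = ConnectionEntity("lan-230", {"10a": lambda r: f"10a served {r.path}"}, arb)
    arb.accept_external("lan-230", Request("10a", "/status"))
    arb.accept_external("lan-230", Request("10b", "/status"))   # not allowlisted
    results = [ce.poll_once() for _ in range(3)]                 # third poll is empty
    return results, ce.log
```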


REFERENCES:
patent: 5586250 (1996-12-01), Carbonneau et al.
patent: 5623601 (1997-04-01), Vu
patent: 5708780 (1998-01-01), Levergood et al.
patent: 5778174 (1998-07-01), Cain
patent: 5933498 (1999-08-01), Schneck et al.
patent: 5944794 (1999-08-01), Okamoto et al.
patent: 5950195 (1999-09-01), Stockwell et al.
patent: 5987611 (1999-11-01), Freund
patent: 6058426 (2000-05-01), Godwin et al.
patent: 6061650 (2000-05-01), Malkin et al.
patent: 6092196 (2000-07-01), Reiche
patent: 6119143 (2000-09-01), Dias et al.
patent: 6122639 (2000-09-01), Babu et al.
patent: 6163844 (2000-12-01), Duncan et al.
patent: 6167445 (2000-12-01), Gai et al.
patent: 6167446 (2000-12-01), Lister et al.
patent: 6198824 (2001-03-01), Shambroom
patent: 6219786 (2001-04-01), Cunningham et al.
patent: 6226752 (2001-05-01), Gupta et al.
patent: 6233618 (2001-05-01), Shannon
patent: 6292465 (2001-09-01), Vaid et al.
patent: 6310889 (2001-10-01), Parsons et al.
patent: 6317837 (2001-11-01), Kenworthy
patent: 6317838 (2001-11-01), Baize
patent: 6321337 (2001-11-01), Reshef et al.
patent: 6345300 (2002-02-01), Bakshi et al.
patent: 6351775 (2002-02-01), Yu
Arne Helme, Sape J. Mullender, “What You See Is What Gets Signed”, Huygens Systems Research Lab, Huygen report 97-01, Mar. 1997, pp. 7-13.
R. Fielding et al., “Hypertext Transfer Protocol -- HTTP/1.1”, RFC 2616, The Internet Society, Jun. 1999, pp. 1-155, www.ietf.org/rfc/rfc2616.txt.
Intel Corp., “Enabling Secure Virtual Private Networks Over the Internet”, white paper No. NP0894.01, Santa Clara, CA, 1998, pp. 1-11.
M. Chatel, “Classical versus transparent IP proxies”, RFC 1919, Network Working Group, Mar. 1996, pp. 1-34, www.ietf.org/rfc/rfc1919.txt.
