System for performing remote operation between...

Electrical computers and digital processing systems: multicomput – Computer-to-computer session/connection establishing

Reexamination Certificate

Details

C713S152000

active

06374298

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Field of the Invention
This invention relates to a remote maintenance and remote operation system in which a servicing device connected to an intracompany network of a service providing company performs maintenance and management on a device connected to a user-side network over an open external network, such as the Internet, through remote operation, and more specifically to a remote maintenance and remote operation system for use with network systems each of which is equipped with a firewall for the other.
2. Description of the Related Art
Nowadays, systems which perform maintenance and management on users' devices through remote operation over networks are being practiced actively in order to save the expense and time of business trips.
Also, an attempt is being made to adopt a system which employs the Internet as the network for remote operation. The Internet is a worldwide network which permits free communication with unspecified persons around the world. Thus, the employment of the Internet will permit global remote maintenance service.
Incidentally, the Internet has a security problem because it is an open network. In particular, if the intracompany network of a company is connected to the Internet and all of the host computers connected to that network are thereby made accessible to outsiders over the Internet, then the company will be exposed to the dangers that important internal information which must be kept confidential may be stolen, the system may be crashed, data may be altered, and the like.
For this reason, a “firewall” has recently come to be provided between the Internet and an intracompany network. The firewall is a facility for protecting the intracompany network from hackers. In general, firewalls are roughly classified into packet filtering gateways, circuit gateways, and application gateways.
FIG. 1 is a schematic illustration of a firewall that is equipped with the above-described packet filtering gateway feature and installed between an external network (Internet) 1 and an internal network (intracompany network) 2. In this figure, IP address filtering and TCP port filtering are illustrated by way of example.
Communications are made over the Internet on the basis of the TCP/IP protocol, and IP datagram (IP packet) routing within the Internet is controlled on a bucket brigade basis. The IP datagram contains an IP header and a TCP header in its header.
The IP header contains an IP destination address (receiving IP address in the figure) and an IP source address (transmitting IP address in the figure). The IP address comprises a network address and a host address.
The TCP header contains a receiving port number and a transmitting port number. The port numbers have a one-to-one correspondence with processes and are utilized for interprocess communications over the Internet. A firewall 3 is provided with an IP address table 32 and a port number table 34. Into the IP address table 32 is entered the set of IP addresses that is acceptable to the internal network 2. Also, into the port number table 34 is entered the set of port numbers that is acceptable to the internal network 2.
In the IP address filtering, when a packet is received, a reference is made to the IP address table 32. If a transmitting IP address that has not been entered into that table is placed in the IP header of that packet (IP datagram), the IP datagram is rejected. Also, in the TCP port filtering, a reference is made to the port number table 34 when an IP datagram (packet) is received. If a port number that has not been stored in the port number table 34 is placed in the TCP header of that IP datagram, it is rejected. In this way, specific applications, such as Telnet, FTP and the like, can be filtered.
FIG. 2 is a diagram for use in explanation of a second feature of the firewall 3.
The firewall 3 is provided with a feature of making access to hosts within the internal network 2 on behalf of hosts on the external network 1 (e.g., the Internet), so as not to allow the external hosts to make direct access to the hosts within the internal network 2. In other words, access by hosts within the internal network 2 to the external network is to be made through the firewall 3 all the time.
In the example shown in FIG. 2, an IP address of “E” is set up on the firewall 3. Also, “A”, “B”, “C” and “D” are set up on hosts A, B, C and D in the internal network 2 as their respective IP addresses. In such a system, for example, when the host B wants to transmit an IP datagram 12 to some host (external host) on the external network 1, the host B transmits the datagram 12 to the firewall 3, not to the external host directly. Since the IP address set up on the host B is “B” as described above, the transmitting IP address of the IP datagram 12 is “B”. Upon receipt of the IP datagram 12, the firewall 3 translates the original transmitting IP address “B” to its own IP address “E” for subsequent transmission over the external network.
Thus, if only the IP address of the firewall 3 is made open to the external network 1, the existence of the internal network will be kept from the external network. This feature is also called the IP relay feature.
By installing the firewall 3 equipped with such a packet filtering gateway feature as described above between the internal network 2 and the external network 1, improper IP datagrams that are going to enter the internal network 2 directly from the external network 1 can be blocked almost completely.
FIG. 3 shows a system in which internal networks 2A, 2B, 2C and 2D of respective A, B, C and D companies are connected with a commercial network 5. In this system, each of the A, B, C and D companies installs a respective one of firewalls 3A, 3B, 3C and 3D between its own internal network 2A, 2B, 2C and 2D and the commercial internet 5 in order to protect its internal network from unauthorized access via the commercial network 5.
Next, problems with such a system as shown in FIG. 3 will be described with reference to FIG. 4.
In FIG. 4, the A company is a company which provides maintenance and management services for pieces of software and hardware within a network that its client manages. Suppose that the client is the D company and the A company considers performing maintenance and management services for a serviced device 7 connected to the D company's network 2D, using a servicing device 6 connected to its own network, by means of remote operation over the commercial internet 5.
In this case, when the IP address of the A company's firewall 3A has not been entered into the IP address table 32 in the D company's firewall 3D, even if the servicing device 6 transmits a packet for remote operation to the serviced device 7 of the D company, that packet is rejected by the firewall 3D and cannot enter the D company's internal network 2D. Thus, the A company cannot provide maintenance and management services for the serviced device of the D company.
If, on the other hand, the IP address of the A company's firewall 3A is entered into the IP address table 32 of the D company's firewall 3D, then the A company's servicing device 6 will be able to perform maintenance and management on the D company's serviced device 7 by remote operation. However, this will result in a security problem. That is, in this case, since any host connected to the A company's internal network 2A, even if it be a host other than the servicing device 6, can enter the D company's internal network, the possibility exists that the internal network 2D system of the D company may be destroyed and important information may be stolen. The reason is that the D company's firewall 3D cannot identify the source of packets sent from the A company's firewall 3A over the commercial internet 5, because the IP relay feature has replaced every transmitting address from network 2A with the address of firewall 3A.
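The following Python model is an added example, not text or code from the patent. It puts the three mechanisms described above into one runnable piece: the IP address table 32 and port number table 34 of the FIG. 1 packet filter, the IP relay (source-address rewrite) of FIG. 2, and the FIG. 4 situation in which firewall 3D can only allow or reject the address of firewall 3A as a whole. All addresses, port numbers and host names are constructed placeholders (the symbolic strings "3A", "3D", "6", "7" stand for the reference numerals, and the maintenance port 5000 is invented); reading the port filter as a check on the receiving (destination) port is this example's interpretation of the passage.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Datagram:
    """IP header fields (transmitting/receiving IP address) plus the
    TCP header fields (transmitting/receiving port number)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


class Firewall:
    """Packet filtering gateway with an IP address table (32), a port number
    table (34) and the IP relay feature (rewrite of the transmitting address)."""

    def __init__(self, own_ip, ip_table, port_table):
        self.own_ip = own_ip
        self.ip_table = set(ip_table)      # table 32: acceptable transmitting addresses
        self.port_table = set(port_table)  # table 34: acceptable receiving ports

    def inbound_decision(self, dg):
        """IP address filtering, then TCP port filtering. Returns (accepted, reason)."""
        if dg.src_ip not in self.ip_table:
            return False, f"transmitting IP address {dg.src_ip} not in IP address table"
        if dg.dst_port not in self.port_table:
            return False, f"receiving port {dg.dst_port} not in port number table"
        return True, "accepted"

    def relay_outbound(self, dg):
        """IP relay: internal hosts send through the firewall, which replaces the
        transmitting IP address with its own before forwarding externally."""
        return replace(dg, src_ip=self.own_ip)


TELNET, FTP = 23, 21   # well-known ports of the applications the passage names as filterable
MAINT_PORT = 5000      # constructed: the remote-operation service port on serviced device 7


def scenario():
    """Reproduce FIG. 4: firewall 3A relays for network 2A, firewall 3D guards device 7."""
    fw_a = Firewall(own_ip="3A", ip_table=[], port_table=[])
    servicing = Datagram("6", "7", 40000, MAINT_PORT)        # servicing device 6 -> device 7
    other_host = Datagram("2A-other", "7", 40001, MAINT_PORT)  # any other host on network 2A

    # Both datagrams leave network 2A carrying the same transmitting address: that of 3A.
    relayed_servicing = fw_a.relay_outbound(servicing)
    relayed_other = fw_a.relay_outbound(other_host)

    # Case 1: table 32 of firewall 3D lacks 3A, so maintenance traffic is rejected.
    fw_d_closed = Firewall("3D", ip_table=[], port_table=[MAINT_PORT])
    # Case 2: 3A is entered, so maintenance works, but every host behind 3A is let in too.
    fw_d_open = Firewall("3D", ip_table=["3A"], port_table=[MAINT_PORT])

    return {
        "relayed_src_identical": relayed_servicing.src_ip == relayed_other.src_ip,
        "closed_accepts_servicing": fw_d_closed.inbound_decision(relayed_servicing)[0],
        "open_accepts_servicing": fw_d_open.inbound_decision(relayed_servicing)[0],
        "open_accepts_other_host": fw_d_open.inbound_decision(relayed_other)[0],
        # The port table still does its job: an unlisted application is filtered.
        "open_blocks_telnet": fw_d_open.inbound_decision(
            replace(relayed_other, dst_port=TELNET))[0],
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The result dictionary makes the dilemma explicit: with 3A absent from table 32 nothing from the A company gets through, and with 3A present the filter accepts the servicing device and the unrelated host alike, because after relaying their datagrams differ only in fields that table 32 never examines. Per-address filtering at 3D therefore cannot express "only servicing device 6", which is the gap the rest of the patent addresses.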
In the prior art, therefore, as shown schematically in FIG. 5, direct point-to-point connect
