Method and system for transmitting information across a firewall

US 20030126230A1
Filed: 11/07/2002
Published: 07/03/2003
Est. Priority Date: 12/28/2001
Status: Active Grant

First Claim

Patent Images

1. A method (300,400) of transmitting information across a firewall among a plurality of computers, at least one first of the computers being at a first side of the firewall and at least one second of the computers being at a second side of the firewall, wherein at least one first proxy and at least one second proxy are associated with the at least one first computer at the first side of the firewall and with the at least one second computer at the second side of the firewall, respectively, and wherein a pass through communication tunnel directly connects each first and second proxy, the tunnel being secured by mutual authentication of the corresponding first and second proxies, the method including the steps of:

causing (416;

456) a transmitting one of the computers to send a firewall-incompatible message for a receiving one of the computers at the other side of the firewall to a transmitting one of the associated at least one proxy, sending (330;

470) the message from the transmitting proxy to a receiving one of the at least one proxy at the other side of the firewall through the corresponding tunnel, associating (335;

422) the message with the receiving computer, and forwarding (340;

444) the message from the receiving proxy to the receiving computer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method (300;400) and system (100) for transmitting information across a firewall (130b) between multiple endpoints (120) and gateways (135), in a resource management environment (such as the TME) having characteristics that are firewall-incompatible. A gateway proxy (125g) and an endpoint proxy (125e) are associated with the endpoints and the gateways, respectively. The two proxies are connected to each other by means of a pass through communication tunnel crossing the firewall, which tunnel is secured by mutual authentication of the gateway proxy and the endpoint proxy at its ends. Each endpoint and each gateway is tricked into communication only with the respective proxy. Particularly, a listening port is allocated on the endpoint proxy on behalf of each endpoint, so that the corresponding gateway will open a connection back to the endpoint proxy on the listening port for transmitting any packet to the endpoint. A table (230) stored on the endpoint proxy associates each listening port with the corresponding endpoint for managing the routing of the packets.

72 Citations

View as Search Results

15 Claims

1. A method (300,400) of transmitting information across a firewall among a plurality of computers, at least one first of the computers being at a first side of the firewall and at least one second of the computers being at a second side of the firewall, wherein at least one first proxy and at least one second proxy are associated with the at least one first computer at the first side of the firewall and with the at least one second computer at the second side of the firewall, respectively, and wherein a pass through communication tunnel directly connects each first and second proxy, the tunnel being secured by mutual authentication of the corresponding first and second proxies, the method including the steps of:
- causing (416;
  
  456) a transmitting one of the computers to send a firewall-incompatible message for a receiving one of the computers at the other side of the firewall to a transmitting one of the associated at least one proxy, sending (330;
  
  470) the message from the transmitting proxy to a receiving one of the at least one proxy at the other side of the firewall through the corresponding tunnel, associating (335;
  
  422) the message with the receiving computer, and forwarding (340;
  
  444) the message from the receiving proxy to the receiving computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method (300,400) according to claim 1, wherein the at least one second computer is protected by the firewall, the method further including the steps of:
    - causing (416) each second computer to send each message for a corresponding first computer to a respective listening logical connection of an associated second proxy, associating (446) the message with the first computer by the second proxy according to the listening logical connection, attaching (468) an identifier of the first computer to the message by the second proxy, and forwarding (340) the message to the first computer by the first proxy according to the identifier.
  - 3. The method (300,400) according to claim 2, wherein a further identifier of the first computer is associated with each message sent from each first computer to a corresponding second computer, the method further including the step of associating (422) the message with the second computer by the second proxy according to the further identifier.
  - 4. The method (300,400) according to any claim from 1 to 3, wherein the message is sent from the transmitting computer to the transmitting proxy using a first insecure protocol, the message is transmitted from the transmitting proxy to the receiving proxy using a second secure protocol, and the message is forwarded from the receiving proxy to the receiving computer using the first protocol.
  - 5. The method (300,400) according to claim 3 or 4, further including the steps under the control of the second proxy of:
    - receiving (406,408) a message of an initial login type encrypted with a shared static key from the first proxy, the initial login message being indicative of a request for an initial login from a first computer and being associated with an indication of a first address and a first logical connection of the first computer, deciphering (410) the initial login message using the static key, allocating (412) a corresponding listening logical connection to the second proxy, storing (414) a memory structure associating the listening logical connection with the first address and the first logical connection, updating (416) the initial login message by replacing the first logical connection with the listening logical connection, and encrypting (418) the initial login message using the static key.
  - 6. The method (300,400) according to claim 5, further including the steps under the control of the second proxy of:
    - receiving (406,450) a message of an initial response type encrypted with the static key on the listening logical connection associated with the first computer, the initial response message being indicative of a response to the initial login message and including a dynamic identifier of the first computer and an indication of a second address and a second logical connection of at least one corresponding second computer, deciphering (452) the initial login message using the static key, associating (454) the dynamic identifier, each second address and second logical connection with the corresponding first address and first logical connection in the memory structure, updating (456) the initial response message replacing each second address and second logical connection with a first proxy address and a first proxy logical connection of the first proxy, encrypting (458) the initial response message with the static key, and attaching (468) an indication of the first address and of the first logical connection to the initial response message.
  - 7. The method (300,400) according to claim 6, wherein the initial response message further includes a dynamic key for the first computer, the method further including the steps under the control of the second proxy of:
    - associating (454) the dynamic key with the dynamic identifier in the memory structure, receiving (406,408,428) a message of an upcall type encrypted with the dynamic key from the first proxy, the upcall message being indicative of a request from an application running on the first computer and including an indication of an ephemeral logical connection to the first computer associated with the application, deciphering (430) the upcall message using the dynamic key retrieved from the memory structure, allocating (432) a corresponding transient logical connection to the second proxy, storing (434) a transient memory structure associating the transient logical connection with the first address and the ephemeral logical connection, updating (436) the upcall message by replacing the ephemeral logical connection with the transient logical connection, and encrypting (438) the upcall message using the dynamic key.
  - 8. The method (300,400) according to claim 7, further including the steps under the control of the second proxy of:
    - receiving (406,448) a response message to the upcall message on the transient logical connection associated with the application, determining (446) the corresponding first address and ephemeral logical connection using the transient memory structure, releasing (464) the transient logical connection, deleting (466) the transient memory structure, and attaching (468) an indication of the first address and of the ephemeral logical connection to the response message.
  - 9. The method (300,400) according any claim from 5 to 8, further including the steps of:
    - detecting (320) the first address of each first computer sending a message to the first proxy, attaching (325) an indication of the first address to the message by the first proxy, and updating (424,426) the first address associated with the dynamic identifier in the memory structure by the second proxy according to the first address attached to the message.
  - 10. The method (300,400) according any claim from 5 to 9, wherein the at least one first computer and the at least one first proxy consist of a plurality of first computers and a plurality of first proxies, respectively, an identifier of the first proxies being stored in a further memory structure on the second proxy, the method further including the steps under the control of the second proxy of:
    - associating (454) the identifier of a current first proxy from which the initial login message is received with the corresponding first address and first logical connection in the memory structure, determining (446) the current proxy corresponding to each message received from each second computer using the memory structure, transmitting (470-474) the message to the current first proxy when available or to a different one of the associated first proxies in the further memory structure otherwise.
  - 11. The method (300,400) according any claim from 1 to 10, wherein each first computer consists of an endpoint in a demilitarised zone and each second computer consists of a gateway in a private network.
  - 12. A computer program application (205-255,240-265) directly loadable into a working memory of a data processing system (100) for performing the method of any claim from 1 to 11 when the program application is run on the data processing system.
  - 13. A program application product (160g,160e) comprising a computer readable medium on which the program application (205-255,240-265) of claim 12 is stored.

14. A system (100) for transmitting information across a firewall (130b) among a plurality of computers (120,135), at least one first (120) of the computers being at a first side of the firewall and at least one second (135) of the computers being at a second side of the firewall, the system including at least one first proxy (125g) and at least one second proxy (125e) associated with the at least one first computer at the first side of the firewall and with the at least one second computer at the second side of the firewall, respectively, a pass through communication tunnel (132) directly connecting each first and second proxy and being secured by mutual authentication of the corresponding first and second proxies, means (225-235) for causing a transmitting one of the computers to send a firewall-incompatible message for a receiving one of the computers at the other side of the firewall to a transmitting one of the associated at least one proxy, means (215;
- 255) for sending the message from the transmitting proxy to a receiving one of the at least one proxy at the other side of the firewall through the corresponding tunnel, means (210;
  
  225-235) for associating the message with the receiving computer, and means (210,265;
  
  225,245) for forwarding the message from the receiving proxy to the receiving computer.

15. A data processing system (100) including a firewall (130b), a plurality of computers (120,135), at least one first (120) of the computers being at a first side of the firewall and at least one second (135) of the computers being at a second side of the firewall, at least one first proxy (125g) and at least one second proxy (125e) associated with the at least one first computer at the first side of the firewall and with the at least one second computer at the second side of the firewall, respectively, a pass through communication tunnel (132) directly connecting each first and second proxy and being secured by mutual authentication of the corresponding first and second proxies, means (225-235) for causing a transmitting one of the computers to send a firewall-incompatible message for a receiving one of the computers at the other side of the firewall to a receiving one of the associated at least one proxy, means (215;
- 255) for sending the message from the transmitting proxy to a receiving one of the at least one proxy at the other side of the firewall through the corresponding tunnel, means (210;
  
  225-235) for associating the message with the receiving computer, and means (210,265;
  
  225,245) for forwarding the message from the receiving proxy to the receiving computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
International Business Machines Corporation
Inventors
Donatelli, Alex, Lerro, Marco

Granted Patent

US 7,316,028 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/217
CPC Class Codes

H04L 45/742   Route cache; Operation thereof

H04L 63/0218   Distributed architectures, ...

H04L 67/14   Session management for real...

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

Method and system for transmitting information across a firewall

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

72 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for transmitting information across a firewall

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

72 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links