Firewall providing enhanced netowrk security and user transparency

US 20040088706A1
Filed: 11/03/2003
Published: 05/06/2004
Est. Priority Date: 02/06/1996
Status: Abandoned Application

First Claim

Patent Images

1. A load-sharing server sharing resources with a plurality of servers connected to a computer network, the server comprising:

a network connection;

an association between servers containing the highest availability and plurality of virtual hosts contained on a plurality of servers; and

a server, said server having the highest availability and being in communication with said association, wherein at least one corresponding virtual host provides a connection to a client over a computer network, said client being in communication with said server over said computer network connection.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a firewall that achieves maximum network security and maximum user convenience. The firewall employs “envoys” that exhibit the security robustness of prior-art proxies and the transparency and ease-of-use of prior-art packet filters, combining the best of both worlds. No traffic can pass through the firewall unless the firewall has established an envoy for that traffic. Both connection-oriented (e.g., TCP) and connectionless (e.g., UDP-based) services may be handled using envoys. Establishment of an envoy may be subjected to a myriad of tests to “qualify” the user, the requested communication, or both. Therefore, a high level of security may be achieved. The usual added burden of prior-art proxy systems is avoided in such a way as to achieve fall transparency-the user can use standard applications and need not even know of the existence of the firewall. To achieve full transparency, the firewall is configured as two or more sets of virtual hosts. The firewall is, therefore, “multi-homed,” each home being independently configurable. One set of hosts responds to addresses on a first network interface of the firewall. Another set of hosts responds to addresses on a second network interface of the firewall. In one aspect, programmable transparency is achieved by establishing DNS mappings between remote hosts to be accessed through one of the network interfaces and respective virtual hosts on that interface. In another aspect, automatic transparency may be achieved using code for dynamically mapping remote hosts to virtual hosts in accordance with a technique referred to herein as dynamic DNS, or DDNS.

Citations

19 Claims

1. A load-sharing server sharing resources with a plurality of servers connected to a computer network, the server comprising:
- a network connection;
  
  an association between servers containing the highest availability and plurality of virtual hosts contained on a plurality of servers; and
  
  a server, said server having the highest availability and being in communication with said association, wherein at least one corresponding virtual host provides a connection to a client over a computer network, said client being in communication with said server over said computer network connection.

2. A method of configuring a load-sharing server sharing resources with a plurality of servers connected to a computer network, the method comprising:
- configuring an association between servers containing the highest availability and plurality of virtual hosts contained on a plurality of servers; and
  
  configuring a server, said server having the highest availability and being in communication with said association, said at least one corresponding virtual host providing a connection to a client over a computer network, said client being in communication with said server over a network connection.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 3. The method of claim 2 further comprising configuring static information using a master configuration file to propagate the information.
  - 4. The method of claim 2 wherein configuring the server comprises using a master configuration file to manage information accessed by use of a virtual private network.
  - 5. The method of claim 2 further comprising validating dynamic configuration information.
  - 6. The method of claim 5 wherein validating dynamic configuration information comprises sequentially running a predetermined series of algorithms.
  - 7. The method of claim 5 further comprising controlling a sequence for sequentially running of the predetermined series of algorithms, the controlling based on results of a previous test.
  - 8. The method of claim 5, wherein validating dynamic information comprises examining functionality of DNS-based services.
  - 9. The method of claim 2, further comprising said server dynamically adding at least one of said computers to distributed interconnection with other computers in a distributed set of system platforms.
  - 10. The method of claim 9, wherein said adding is performed on a real time basis.
  - 11. The method of claim 2, further comprising said server dynamically adding at least one of said computers to distributed interconnection with other computers in a distributed set of subsystem platforms.
  - 12. The method of claim 11, wherein said adding is performed on a real time basis.
  - 13. The method of claim 2, further comprising said server dynamically removing at least one of said computers from distributed interconnection with other computers in a distributed set of system platforms.
  - 14. The method of claim 13, wherein said removing is performed on a real time basis.
  - 15. The method of claim 2, further comprising said server dynamically removing at least one of said computers from distributed interconnection with other computers in a distributed set of subsystem platforms.
  - 16. The method of claim 15, wherein said removing is performed on a real time basis.

17. A method of providing loadsharing using a plurality of computers, the method comprising:
- receiving a network connection request;
  
  accessing a database using DNS to select a computer from a plurality of computers, wherein the database includes availability data, configuration data, and load information corresponding to each computer in the plurality, dynamically performing loadsharing using the plurality of computers based on load information, availability data, and configuration data; and
  
  providing a connection to a client over a computer network, said client being in communication with said server over a network connection.
- View Dependent Claims (18, 19)
- - 18. The method of claim 17, further comprising using DNS to translate a universal resource locator (URL) into an Internet protocol (IP) address.
  - 19. The method of claim 17, wherein the server comprises a loadsharing agent, the method further comprising the server using said loadsharing agent to loadshare traffic requests received from said network between selections from the group consisting of:
    - computers connected to said computer network and clients located on said computers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Christopher D. Coley, Ralph E. Wesinger Jr
Original Assignee
Christopher D. Coley, Ralph E. Wesinger Jr
Inventors
Coley, Christopher D., Wesinger, Ralph E. Jr.

Application Number

US10/701,011
Publication Number

US 20040088706A1
Time in Patent Office

Days
Field of Search
US Class Current

718/105
CPC Class Codes

B65B 11/004   in blanks, e.g. sheets prec...

G06F 16/958   Organisation or management ...

G06F 21/42   using separate channels for...

G06Q 20/027   involving a payment switch ...

H04L 2101/677   Multiple interfaces, e.g. m...

H04L 61/25   of the same type

H04L 61/2514   between local and global IP...

H04L 61/2521   Translation architectures o...

H04L 61/256   NAT traversal

H04L 61/35   involving non-standard use ...

H04L 61/4511   using domain name system [DNS]

H04L 61/4552   Lookup mechanisms between a...

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/0281   Proxies

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/18   using different networks or...

H04L 69/16   Implementation or adaptatio...

H04L 69/164   Adaptation or special uses ...

H04L 9/40 : Network security protocols

View All

Firewall providing enhanced netowrk security and user transparency

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Firewall providing enhanced netowrk security and user transparency

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links