Firewall providing enhanced network security and user transparency
Abstract
The present invention provides a firewall that achieves maximum network security and maximum user convenience. The firewall employs “envoys” that exhibit the security robustness of prior-art proxies and the transparency and ease-of-use of prior-art packet filters, combining the best of both worlds. No traffic can pass through the firewall unless the firewall has established an envoy for that traffic. Both connection-oriented (e.g., TCP) and connectionless (e.g., UDP-based) services may be handled using envoys. Establishment of an envoy may be subjected to a myriad of tests to “qualify” the user, the requested communication, or both. Therefore, a high level of security may be achieved. The usual added burden of prior-art proxy systems is avoided in such a way as to achieve full transparency: the user can use standard applications and need not even know of the existence of the firewall. To achieve full transparency, the firewall is configured as two or more sets of virtual hosts. The firewall is, therefore, “multi-homed,” each home being independently configurable. One set of hosts responds to addresses on a first network interface of the firewall. Another set of hosts responds to addresses on a second network interface of the firewall. In one aspect, programmable transparency is achieved by establishing DNS mappings between remote hosts to be accessed through one of the network interfaces and respective virtual hosts on that interface. In another aspect, automatic transparency may be achieved using code for dynamically mapping remote hosts to virtual hosts in accordance with a technique referred to herein as dynamic DNS, or DDNS.
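The envoy model described in the abstract, as an added toy example (not code from the patent): remote hosts are mapped on demand to virtual hosts on the inner interface (the DDNS idea), a connection request must pass a qualification test before an envoy exists, and no traffic is relayed without an envoy. The rule table, the 10.0.0.x address pool and the host names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Envoy = Tuple[str, str, str]  # (client address, virtual host address, service)


@dataclass
class EnvoyFirewall:
    """Virtual hosts on the inner interface stand in for remote hosts; traffic
    only flows through an envoy created after the request has been qualified."""
    # Qualification table: (client /24 prefix, service) -> permitted. Constructed policy.
    rules: Dict[Tuple[str, str], bool] = field(default_factory=dict)
    # DDNS table: remote host name -> virtual host address on the inner interface.
    ddns: Dict[str, str] = field(default_factory=dict)
    # Established envoys, each recording the real remote host it relays to.
    envoys: Dict[Envoy, str] = field(default_factory=dict)
    vhost_net: str = "10.0.0."  # constructed address pool for virtual hosts

    def resolve(self, remote_host: str) -> str:
        """Dynamic DNS: allocate a virtual host on first lookup and return the
        same address afterwards, so the client sees a stable name-to-address map."""
        if remote_host not in self.ddns:
            self.ddns[remote_host] = f"{self.vhost_net}{len(self.ddns) + 1}"
        return self.ddns[remote_host]

    def qualify(self, client: str, service: str) -> bool:
        """Qualification test: default deny unless a rule explicitly permits."""
        prefix = client.rsplit(".", 1)[0]
        return self.rules.get((prefix, service), False)

    def connect(self, client: str, vhost: str, service: str) -> Optional[Envoy]:
        """Connection request to a virtual host: establish an envoy or refuse."""
        remote = next((h for h, a in self.ddns.items() if a == vhost), None)
        if remote is None or not self.qualify(client, service):
            return None  # unknown virtual host or unqualified request
        envoy = (client, vhost, service)
        self.envoys[envoy] = remote
        return envoy

    def forward(self, client: str, vhost: str, service: str) -> Optional[str]:
        """Relay one segment or datagram: returns the real destination host,
        or None when no envoy exists and the traffic is dropped."""
        return self.envoys.get((client, vhost, service))
```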
19 Claims
1. A load-sharing server sharing resources with a plurality of servers connected to a computer network, the server comprising:
- a network connection;
- an association between servers containing the highest availability and plurality of virtual hosts contained on a plurality of servers; and
- a server, said server having the highest availability and being in communication with said association, wherein at least one corresponding virtual host provides a connection to a client over a computer network, said client being in communication with said server over said computer network connection.
2. A method of configuring a load-sharing server sharing resources with a plurality of servers connected to a computer network, the method comprising:
- configuring an association between servers containing the highest availability and plurality of virtual hosts contained on a plurality of servers; and
- configuring a server, said server having the highest availability and being in communication with said association, said at least one corresponding virtual host providing a connection to a client over a computer network, said client being in communication with said server over a network connection.

(Dependent claims 3 to 16 are not reproduced here.)
17. A method of providing load-sharing using a plurality of computers, the method comprising:
- receiving a network connection request;
- accessing a database using DNS to select a computer from a plurality of computers, wherein the database includes availability data, configuration data, and load information corresponding to each computer in the plurality, dynamically performing load-sharing using the plurality of computers based on load information, availability data, and configuration data; and
- providing a connection to a client over a computer network, said client being in communication with said server over a network connection.

(Dependent claims 18 and 19 are not reproduced here.)