Providing A Generic Gateway For Accessing Protected Resources

US 20080178278A1
Filed: 01/22/2007
Published: 07/24/2008
Est. Priority Date: 01/22/2007
Status: Abandoned Application

First Claim

Patent Images

1. A method for exposing to an external entity at least one resource of a plurality of resources of a private network, wherein the plurality of resources is protected by a physical or logical barrier, the method comprising:

receiving a request to access the at least one protected resource of the private network from an external entity comprising a computing device residing on a network external to the private network, wherein the request is received by an external gateway appearing to the external entity to be the at least one protected resource;

forwarding the access request from the external gateway to an internal gateway, the internal gateway applying a resource-specific, user-specified security policy over a persistent communication channel between the internal gateway and the external gateway, wherein the internal gateway establishes the persistent communication channel via ports and protocols to which access is not prohibited by the physical or logical barrier;

in response to determining that the request is valid and is authorized, forwarding the request to the at least one protected resource and forwarding the response to the request to the external gateway over the persistent communication channel

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An internal gateway establishes persistent connections to an external gateway through permitted ports and protocols of a firewall. Software on the external gateway and the internal gateway collaborate in order to make available internal, firewall-protected resources to external clients securely and without having to modify network or firewall configurations. Any computing resource such as a web service, web application, or any other network addressable resource residing behind a firewall can be securely exposed in a generic fashion to clients on the external network. No special software is required by clients.

Citations

20 Claims

1. A method for exposing to an external entity at least one resource of a plurality of resources of a private network, wherein the plurality of resources is protected by a physical or logical barrier, the method comprising:
- receiving a request to access the at least one protected resource of the private network from an external entity comprising a computing device residing on a network external to the private network, wherein the request is received by an external gateway appearing to the external entity to be the at least one protected resource;
  
  forwarding the access request from the external gateway to an internal gateway, the internal gateway applying a resource-specific, user-specified security policy over a persistent communication channel between the internal gateway and the external gateway, wherein the internal gateway establishes the persistent communication channel via ports and protocols to which access is not prohibited by the physical or logical barrier;
  
  in response to determining that the request is valid and is authorized, forwarding the request to the at least one protected resource and forwarding the response to the request to the external gateway over the persistent communication channel
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising forwarding the response to the request to the external entity.
  - 3. The method of claim 1, wherein the external gateway appears to the external entity to be the protected resource because the external gateway presents an interface to the external entity identical to an interface presented by the protected resource.
  - 4. The method of claim 3, wherein the interface presented to the external entity is unprotected.
  - 5. The method of claim 1, wherein the physical or logical barrier comprises a firewall.
  - 6. The method of claim 1, wherein the internal gateway polls the external gateway for queued requests.
  - 7. The method of claim 5, further comprising establishing a resource-specific security policy without requiring the firewall to be modified, wherein the resource-specific security policy is established by specifying external clients who can access the at least one protected resource and an endpoint for the at least one protected resource.
  - 8. The method of claim 1, wherein the protected resource comprises a web service, a web application, a Microsoft Active Directory-protected web service, a Windows WCF based service, a rich client application, a message-related application, a TCP/IP-based endpoint or a SOAP-based web service not otherwise accessible by an external network.

9. A system for exposing a protected resource of a private network to an external entity comprising:
- an external gateway positioned external to a firewall between an entity of a protected network and an entity of an external network, wherein the external gateway presents an interface accessible to the entity of the external network, wherein the interface exposed to the entity of the external network is identical to an actual interface presented by a resource of the protected network, the actual interface not accessible to the entity of the external network, the exposed interface appearing to the external entity to be the actual interface, wherein an internal gateway establishes a persistent connection between the internal gateway and the external gateway.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The system of claim 9, wherein the external gateway receives requests for the resource and stores them in a queue.
  - 11. The system of claim 9, wherein the internal gateway continuously polls the external gateway for queued requests.
  - 12. The system of claim 9, wherein the internal gateway applies a resource-specific, user-specified security policy to the queued requests, the resource-specific, user-specified security policy separate from a security policy applied by the firewall, the internal gateway sending only those queued requests that comply with the resource-specific, user-specified security policy to the resource.
  - 13. The system of claim 9, further comprising a metadata store for storing metadata information concerning internal resources to be exposed to external clients.
  - 14. The system of claim 9, wherein the resource comprises a web service, a web application, a Microsoft Active Directory-protected web service, Windows WCF based service, a rich client application, a message-related application, a TCP/IP-based endpoint or a SOAP-based web service not otherwise accessible by the entity of the external network.

15. A tangible computer-readable medium comprising computer-executable instructions for:
- receiving a request to access a protected resource of a plurality of protected resources of a private network protected by a firewall from an external entity comprising a computing device residing on a network external to the private network, wherein the request is received by an external gateway appearing to the external entity to be the protected resource;
  
  forwarding the request from the external gateway to an internal gateway over a persistent communication channel established by the internal gateway to the external gateway.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The tangible computer-readable medium of claim 15, comprising further computer-executable instructions for:
    - applying a resource-specific, user-specified security policy separate from a security policy enforced by the firewall, and in response to determining that the request complies with the resource-specific, user-specified security policy, sending the request to the external gateway via a first communication channel established by the internal gateway to the external gateway and sending the request to the protected resource via a second communication channel established by the internal gateway to the protected resource.
  - 17. The tangible computer-readable medium of claim 16, comprising further computer-executable instructions for:
    - receiving a response to the compliant request from the protected resource at the internal gateway via the second communication channel established by the internal gateway to the protected resource.
  - 18. The tangible computer-readable medium of claim 17, comprising further computer-executable instructions for:
    - sending the response to the external gateway from the internal gateway via the first communication channel.
  - 19. The tangible computer-readable medium of claim 18, comprising further computer-executable instructions for:
    - sending the response to the external entity from the external gateway after correlating the response from the protected resource with the received request.
  - 20. The tangible computer-readable medium of claim 15, comprising further computer-executable instructions for:
    - translating an interface associated with the protected resource based on metadata supplied by an authorized user, wherein the translation is performed at the internal gateway, at the external gateway, or at both the internal gateway and the external gateway, wherein the translation adapts an external interface associated with the protected resource to an internal interface associated with the protected resource or adapts the internal interface associated with the protected resource to the external interface associated with the protected resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bitkoo LLC (Quest Software, Inc.)
Original Assignee
Bitkoo LLC (Quest Software, Inc.)
Inventors
Kotler, Eric N., Grinstein, Doron

Application Number

US11/625,514
Publication Number

US 20080178278A1
Time in Patent Office

Days
Field of Search
US Class Current

726/12
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/166   at the transport layer

H04L 63/168   above the transport layer

Providing A Generic Gateway For Accessing Protected Resources

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Providing A Generic Gateway For Accessing Protected Resources

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links