Method and protocol for synchronized transfer-window based firewall traversal
First Claim
1. In a first network with a plurality of network devices and a plurality of firewalls, the first network connected to a second network with a plurality of network devices, a method of firewall traversal, the method comprising the following steps:
- sending a first secure message with a firewall traversal protocol from a first network device on a first network inside a first firewall to a second network device on a second network outside the first firewall, wherein the first secure message includes firewall traversal information that helps the second network device to traverse the first firewall protecting the first network by allowing a virtual data transfer-window to be created through the first firewall;
receiving a second secure message with the firewall traversal protocol on the first network device from the second network device network creating a virtual data transfer-window through the first firewall, wherein the second secure message includes firewall traversal information from the first secure message to authenticate the second network device; and
receiving a plurality of secure data packets on the first network device in the virtual data transfer-window through the first firewall from the second network device, wherein the plurality of secure data packets received through the virtual data transfer-window in the firewall include firewall traversal information from the first secure message to authenticate the plurality of secure data packets at the first firewall.
6 Assignments
0 Petitions
Accused Products
Abstract
A protocol and method for synchronized transfer-window based firewall traversal is provided. The firewall traversal protocol includes messages for securely opening and closing a virtual data transfer-window through a firewall. The method allows a first network device inside a firewall to allow a virtual data transfer-window through a firewall to be opened with a second network device outside the firewall by sending the second network device secure information with the firewall traversal protocol. The secure information allows the second network device outside the firewall to securely traverse the firewall through the virtual data transfer-window to reach the first network device inside the firewall. The protocol and method help to improve firewall security and may help make the firewall less vulnerable to a number of common firewall attacks.
-
Citations
20 Claims
-
1. In a first network with a plurality of network devices and a plurality of firewalls, the first network connected to a second network with a plurality of network devices, a method of firewall traversal, the method comprising the following steps:
-
sending a first secure message with a firewall traversal protocol from a first network device on a first network inside a first firewall to a second network device on a second network outside the first firewall, wherein the first secure message includes firewall traversal information that helps the second network device to traverse the first firewall protecting the first network by allowing a virtual data transfer-window to be created through the first firewall;
receiving a second secure message with the firewall traversal protocol on the first network device from the second network device network creating a virtual data transfer-window through the first firewall, wherein the second secure message includes firewall traversal information from the first secure message to authenticate the second network device; and
receiving a plurality of secure data packets on the first network device in the virtual data transfer-window through the first firewall from the second network device, wherein the plurality of secure data packets received through the virtual data transfer-window in the firewall include firewall traversal information from the first secure message to authenticate the plurality of secure data packets at the first firewall. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
receiving a third secure message through with the firewall traversal protocol on the first network device from the second network device to close the virtual data transfer-window through the first firewall; and
sending a fourth secure message with the firewall traversal protocol from the first network device to the second network device to acknowledge closing of the virtual data transfer-window through the first firewall.
-
-
3. A computer readable medium having stored therein instructions for causing a central processing unit to execute the method of claim 1.
-
4. The method of claim 1 wherein the first secure message is an open-transfer-window message and the second secure message is an open-transfer-window acknowledgment message to from a firewall traversal protocol.
-
5. The method of claim 1 wherein the step of sending a first secure message includes sending any of a network address, starting firewall traversal sequence number, security parameter index, or transfer rate information in the first secure message as firewall traversal information.
-
6. The method of claim 1 wherein the first secure message firewall traversal information includes a starting firewall traversal sequence number-X, the second secure message includes a firewall traversal sequence number-X+1, and the plurality of secure data packets include a firewall traversal sequence number-X+1+N, where N is the Nth-number secure data packet.
-
7. The method of claim 1 wherein the first secure message includes secure information in an authentication header.
-
8. The method of claim 1 wherein the first secure message, second secure message and plurality of secure data packets are Internet Protocol data packets with firewall traversal information included in an Internet Protocol Authentication Header.
-
9. The method of claim 1 wherein the first network is a local area network, the second network is a local area network and the first network and second network are connected through a firewall by a third network.
-
10. The method of claim 9, wherein the third network is the Internet.
-
11. The method of claim 1 wherein the virtual data transfer-window is a virtual tunnel.
-
12. In a first computer network with a plurality of network devices and a plurality of firewalls, the first network connected to a second network with a plurality of network devices, a method of firewall traversal, the method comprising the following steps:
-
receiving a first secure message with a firewall traversal protocol on a second network device on a second network outside a first firewall from a first network device on a first network inside the first firewall, wherein the first secure message includes firewall traversal information that helps the second network device to traverse the first firewall protecting the first network by allowing a virtual data transfer-window to be created through the first firewall;
sending a second secure message with the firewall traversal protocol from the second network device to the first network device network to create a virtual data transfer-window through the first firewall, wherein the second secure message includes firewall traversal information from the first secure message to authenticate the second network device;
sending a plurality of secure data packets from the second network device to the first network device in the virtual data transfer-window through the first firewall, wherein the plurality of secure data packets received through the virtual data transfer-window in the firewall include firewall traversal information from the first secure message to authenticate the plurality of secure data packets at the first firewall. - View Dependent Claims (13)
-
-
14. A computer readable medium having stored therein a set of routines for implementing a firewall traversal protocol, the firewall traversal protocol allowing a first network device on a first network inside a firewall to communicate with a second network device on a second network outside the firewall, the set of routines implementing the firewall traversal protocol as data bits, the computer readable medium comprising:
-
an open transfer-window message, for opening a data transfer-window through a firewall, wherein the open transfer-window message is sent from a first network device on a first network inside a firewall to a second network device on a second network outside the firewall and includes firewall traversal information;
an open transfer-window acknowledgment message, for acknowledging a open transfer window message;
a close transfer-window message, for closing a data transfer-window through a firewall; and
a close transfer-window message, for acknowledging a close transfer-window message. - View Dependent Claims (15, 16, 17)
-
-
18. In a first network with a plurality of network devices and a plurality of firewalls, the first network connected to a second network with a plurality of network devices, a method of firewall traversal, the method comprising the following steps:
-
sending a open transfer window message with a firewall traversal protocol from a first network device on a first network inside a first firewall to a second network device on a second network outside the first firewall, wherein the first secure message includes firewall traversal information that helps the second network device to traverse the first firewall protecting the first network by allowing a virtual data transfer-window to be created through the first firewall;
receiving an open transfer window acknowledgment message with the firewall traversal protocol on the first network device from the second network device network creating a virtual data transfer-window through the first firewall, wherein the second secure message includes firewall traversal information from the first secure message to authenticate the second network device;
receiving a plurality of secure data packets on the first network device in the virtual data transfer-window through the first firewall from the second network device, wherein the plurality of secure data packets received through the virtual data transfer-window in the firewall include firewall traversal information from the first secure message to authenticate the plurality of secure data packets at the first firewall;
receiving a close transfer window message through with the firewall traversal protocol on the first network device inside the first firewall from the second network device outside the first firewall to close the virtual data transfer-window through the first firewall; and
sending a close transfer window acknowledgment message with the firewall traversal protocol from the first network device inside the first firewall to the second network device outside the first firewall to acknowledge closing of the virtual data transfer-window through the first firewall. - View Dependent Claims (19, 20)
-
Specification