Firewall providing enhanced network security and user transparency
First Claim
1. A method of operating a system for facilitating a connection between a first computer and a second computer, the method comprising:
receiving a connection request from the first computer for a connection to the second computer, the request including the name of the second computer;
initiating verification checks in response to the request including verifying a name and Internet protocol (IP) address associated with the first computer, and verifying that a connection is allowed between the first computer and the second computer; and
establishing a connection between the first computer and the second computer.
Abstract
The present invention, generally speaking, provides a firewall that achieves maximum network security and maximum user convenience. The firewall employs “envoys” that exhibit the security robustness of prior-art proxies and the transparency and ease-of-use of prior-art packet filters, combining the best of both worlds. No traffic can pass through the firewall unless the firewall has established an envoy for that traffic. Both connection-oriented (e.g., TCP) and connectionless (e.g., UDP-based) services may be handled using envoys. Establishment of an envoy may be subjected to a myriad of tests to “qualify” the user, the requested communication, or both. Therefore, a high level of security may be achieved. The usual added burden of prior-art proxy systems is avoided in such a way as to achieve full transparency: the user can use standard applications and need not even know of the existence of the firewall. To achieve full transparency, the firewall is configured as two or more sets of virtual hosts. The firewall is, therefore, “multi-homed,” each home being independently configurable. One set of hosts responds to addresses on a first network interface of the firewall. Another set of hosts responds to addresses on a second network interface of the firewall. In one aspect, programmable transparency is achieved by establishing DNS mappings between remote hosts to be accessed through one of the network interfaces and respective virtual hosts on that interface. In another aspect, automatic transparency may be achieved using code for dynamically mapping remote hosts to virtual hosts in accordance with a technique referred to herein as dynamic DNS, or DDNS.
10 Claims
1. A method of operating a system for facilitating a connection between a first computer and a second computer, the method comprising:
receiving a connection request from the first computer for a connection to the second computer, the request including the name of the second computer;
initiating verification checks in response to the request including verifying a name and Internet protocol (IP) address associated with the first computer, and verifying that a connection is allowed between the first computer and the second computer; and
establishing a connection between the first computer and the second computer.

2. The method of claim 1, further comprising:
identifying a network address of the second computer based upon the name of the second computer.
3. The method of claim 1, further comprising:
mapping the name of the second computer to one or more network addresses associated with the system.
4. The method of claim 1, further comprising:
mapping the name of the second computer to one or more private IP addresses associated with the system.
5. The method of claim 1, further comprising:
channel processing information passed between the first computer and the second computer, wherein the channel processing includes one or more acts from the group consisting of encrypting, decrypting, encoding, decoding, compression, decompression, content filtering, image enhancement, sound enhancement, data enhancement, and virus detection.
6. A method of operating a third computer network in processing a request from a first computer network for connection to a second computer network, said method comprising:
receiving a request from the first computer network for the connection to the second computer network, the request including a domain name associated with the second computer network;
initiating verification checks in response to the request including verifying a name and Internet protocol (IP) address associated with the first computer, and verifying that a connection is allowed between the first computer and the second computer; and
establishing a connection between the first computer and the second computer.

7. The method of claim 6, further comprising:
identifying one or more network addresses associated with the second computer network based upon the domain name associated with the second computer network.
8. The method of claim 6, further comprising:
mapping the domain name associated with the second computer network to one or more network addresses associated with the second computer network.
9. The method of claim 6, further comprising:
mapping the domain name associated with the second computer network to one or more private IP addresses associated with the second computer network.
10. The method of claim 6, further comprising:
channel processing information passed between the first computer and the second computer, wherein the channel processing includes one or more acts from the group consisting of encrypting, decrypting, encoding, decoding, compression, decompression, content filtering, image enhancement, sound enhancement, data enhancement, and virus detection.
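The sequence the claims describe (name-based request, name/IP verification of the requesting host, a policy check, then an envoy that relays to the real destination) and the DNS-based transparency of the abstract (remote names resolved to virtual hosts on the firewall's own inside interface, allocated dynamically) can be modelled in a few dozen lines. The following Python simulation is an added example written for this page; it is not the patent's implementation or any vendor's code. All host names, addresses, the reverse-DNS tables and the policy set are constructed, and the forward-confirmed reverse DNS check is one concrete way to "verify a name and IP address associated with the first computer" that the claim leaves open.

```python
"""Simulated "envoy" firewall with DNS-based transparency (constructed example)."""
from dataclasses import dataclass, field
from itertools import count

# Constructed DNS data. Assumption: the firewall runs the inside resolver, so it
# can answer inside queries for remote names with addresses on its own interface.
OUTSIDE_FORWARD = {            # real addresses of remote hosts, as seen from outside
    "www.example.net": "198.51.100.10",
    "ftp.example.net": "198.51.100.21",
}
INSIDE_REVERSE = {             # PTR records for inside clients (constructed)
    "10.0.0.5": "alice-pc.corp.example",
    "10.0.0.9": "bob-pc.corp.example",
    "10.0.0.77": "mallory.corp.example",   # PTR exists but does not round-trip
}
INSIDE_FORWARD = {             # A records for inside clients (constructed)
    "alice-pc.corp.example": "10.0.0.5",
    "bob-pc.corp.example": "10.0.0.9",
    "mallory.corp.example": "10.0.0.88",
}


@dataclass
class EnvoyFirewall:
    # Private addresses on the firewall's inside interface that act as virtual hosts.
    virtual_pool: list
    # Allowed (client name, remote name, port) triples: the "connection allowed" check.
    policy: set
    name_to_virtual: dict = field(default_factory=dict)
    virtual_to_name: dict = field(default_factory=dict)
    envoys: dict = field(default_factory=dict)
    _ids: count = field(default_factory=count)

    def resolve_inside(self, remote_name):
        """Answer an inside DNS query by mapping the remote name to a virtual host
        on this firewall (the dynamic-DNS idea). The client then connects to that
        private address with a standard application and never sees the firewall."""
        if remote_name not in OUTSIDE_FORWARD:
            raise LookupError(f"{remote_name}: NXDOMAIN")
        if remote_name not in self.name_to_virtual:
            if not self.virtual_pool:
                raise RuntimeError("no free virtual host on the inside interface")
            vhost = self.virtual_pool.pop(0)
            self.name_to_virtual[remote_name] = vhost
            self.virtual_to_name[vhost] = remote_name
        return self.name_to_virtual[remote_name]

    def verify_client(self, client_ip):
        """Forward-confirmed reverse DNS on the first computer: PTR gives a name,
        and the A record of that name must equal the source address."""
        name = INSIDE_REVERSE.get(client_ip)
        if name is None or INSIDE_FORWARD.get(name) != client_ip:
            return None
        return name

    def accept(self, client_ip, dst_ip, port):
        """Handle a connection attempt from an inside client to a virtual host.
        No envoy means no traffic: returns (True, envoy_id) or (False, reason)."""
        remote = self.virtual_to_name.get(dst_ip)
        if remote is None:
            return False, f"{dst_ip} is not a mapped virtual host"
        client = self.verify_client(client_ip)
        if client is None:
            return False, f"{client_ip}: name/address verification failed"
        if (client, remote, port) not in self.policy:
            return False, f"policy denies {client} -> {remote}:{port}"
        envoy_id = next(self._ids)
        # The envoy relays between the client and the real outside address.
        self.envoys[envoy_id] = (client_ip, OUTSIDE_FORWARD[remote], port)
        return True, envoy_id


def demo():
    fw = EnvoyFirewall(
        virtual_pool=["10.0.0.201", "10.0.0.202"],
        policy={("alice-pc.corp.example", "www.example.net", 443)},
    )
    # Alice's resolver asks the firewall for www.example.net and gets a virtual host.
    vhost = fw.resolve_inside("www.example.net")
    results = {
        "allowed": fw.accept("10.0.0.5", vhost, 443),
        "wrong_port": fw.accept("10.0.0.5", vhost, 80),          # policy check fails
        "spoofed": fw.accept("10.0.0.77", vhost, 443),           # PTR/A mismatch
        "unmapped": fw.accept("10.0.0.5", "10.0.0.202", 443),    # no envoy target
    }
    results["envoy"] = fw.envoys[results["allowed"][1]]
    return vhost, results


if __name__ == "__main__":
    print(demo())
```

The order of checks matters for the "no traffic without an envoy" property: a packet to an address that no name has been mapped to is dropped before any client lookup, so an inside host cannot reach the outside by guessing addresses on the firewall; it has to go through the resolver, which is where the mapping and the qualification tests happen.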