Authenticated firewall tunneling framework
Abstract
A method and apparatus for managing network access to internal hosts protected by a firewall is provided. A user on an external host logs into a firewall. Once the user has been authenticated to the firewall, a session is established for the user, and tunnel configuration data is transmitted to the user's process on the external host. The tunnel configuration data indicates the configuration of at least one tunnel for connecting to at least one internal host protected by the firewall. When creating a socket for connecting to the internal host, the socket is configured based on the tunnel configuration data. Tunnel objects and tunnel socket objects may be specially configured to establish a connection in a way that takes advantage of the power and simplicity of the inheritance feature of object-oriented software. Various tunnel classes are provided to configure tunnels in a variety of manners.
138 Citations
14 Claims
1. A method of communicating between a process on an external host and an internal host behind a firewall, the method comprising:
authenticating a user relative to the firewall that is associated with the process; and
if the user is authenticated relative to the firewall, then:
generating a first set of configuration data indicating a configuration of a tunnel for connecting the process to the internal host and the manner in which the tunnel is created, generating a socket based on the first set of configuration data, the socket being configured to connect the process to the internal host through the tunnel, establishing a session associated with the user, wherein the tunnel is associated with the session, and transmitting the first set of configuration data to the external host, wherein generating said socket includes instantiating said socket as an object belonging to a socket subclass, wherein:
said socket subclass belongs to a socket superclass that includes a first routine, and said socket subclass defines an implementation for said first routine, said implementation configuring sockets.

2. [dependent on claim 1] requesting a socket for connecting said process to said internal host prior to generating said socket.

3. The method of claim 1, wherein generating said socket further includes configuring said socket to connect said process to said firewall via a first channel using said session.

4. The method of claim 1, further including:
requesting a connection through said socket, and in response to requesting a connection through said socket, establishing said connection through said tunnel.

8. The method of claim 3, wherein:
said first channel includes a first port on said firewall; and
the step of configuring said socket includes configuring said socket based on a mapping that maps said first port to a second port on said internal host.

5. A method of communicating between a process residing on an external host and an internal host behind a firewall, the method comprising the steps of:
authenticating a user relative to the firewall that is associated with the process;
establishing a session associated with the user;
causing a first set of configuration data to be transmitted to the external host, said first set of configuration data indicating a configuration of a tunnel for connecting the process to the internal host;
receiving, by a socket factory, a request from the process for a socket to connect said process to the internal host;
generating, by the socket factory, said socket based on the first set of configuration data, said socket being configured to connect the process to the internal host through the tunnel; and
receiving, by the firewall, a request from the external host for a connection through said socket, and in response to receiving said request for a connection, establishing, via the firewall, said connection through the tunnel via a first channel using the session.

6. A method of communicating between a process residing on an external host and an internal host behind a firewall, the method comprising the steps of:
authenticating a user relative to the firewall that is associated with the process;
establishing a session associated with the user;
causing a first set of configuration data to be transmitted to the external host, said first set of configuration data indicating a configuration of a tunnel for connecting the process to the internal host;
receiving, by a socket factory, a request from the process for a socket to connect said process to the internal host;
generating, by the socket factory, said socket based on the first set of configuration data, said socket being configured to connect the process to the internal host through the tunnel; and
receiving, by the firewall, a request from the external host for a connection through said socket, and establishing, via the firewall, said connection through the tunnel, wherein establishing said connection through said tunnel includes determining the configuration of said tunnel based on data received from a service residing on a third host accessible to said firewall.

7. A method of communicating between a process residing on an external host and an internal host behind a firewall, the method comprising the steps of:
authenticating a user relative to the firewall that is associated with the process;
establishing a session associated with the user;
causing a first set of configuration data to be transmitted to the external host, said first set of configuration data indicating a configuration of a tunnel for connecting the process to the internal host;
receiving, by a socket factory, a request from the process for a socket to connect said process to the internal host;
generating, by the socket factory, said socket based on the first set of configuration data, said socket being configured to connect the process to the internal host through the tunnel; and
receiving, by the firewall, a request from the external host for a connection through said socket and establishing, via the firewall, said connection through the tunnel, wherein establishing said connection through said tunnel includes instantiating a tunnel object residing within said firewall associated with said connection.

9. [dependent on claim 7] said tunnel subclass belongs to a tunnel superclass, wherein said tunnel superclass defines a first routine, and wherein said tunnel subclass includes an implementation configuring tunnels.

10. A method of communicating between a process associated with a user on an external host and an internal host that is behind a firewall, the method comprising:
receiving tunnel configuration data, said tunnel configuration data indicating the configuration of a tunnel for connecting said process to said internal host using a session established for said user on said firewall; and
generating a socket for connecting said process to said internal host based on said tunnel configuration data, wherein generating a socket includes instantiating a socket as an object belonging to a socket subclass, wherein:
said socket subclass belongs to a socket superclass that includes a first routine, and said socket subclass defines an implementation for said first routine, said implementation configuring said sockets.

11. [dependent on claim 10] the method further includes requesting a socket to said internal host; and
wherein the step of generating a first socket for connecting said process to said internal host includes generating a socket configured to connect said process to said internal host via said tunnel.

12. The method of claim 10, wherein generating a socket configured to connect said process to said internal host via said tunnel includes generating a socket configured to connect said process to a tunnel entry port associated with said firewall.

13. A computer readable medium carrying one or more sequences of one or more instructions for communicating between a process on an external host and an internal host behind a firewall, wherein the execution of the one or more sequences of the one or more instructions by one or more processors causes the one or more processors to perform:
authenticating a user that is associated with said process relative to said firewall; and
if said user is authenticated relative to said firewall, then:
generating a first set of configuration data indicating a configuration of a tunnel for connecting said process to said internal host and the manner in which the tunnel is created, generating a socket based on the first set of configuration data, the socket being configured to connect the process to the internal host through the tunnel, establishing a session associated with said user, wherein said tunnel is associated with the session, and transmitting the first set of configuration data to said external host, wherein generating said socket includes instantiating said socket as an object belonging to a socket subclass, wherein:
said socket subclass belongs to a socket superclass that includes a first routine, and said socket subclass defines an implementation for said first routine, said implementation configuring sockets.

14. A computer system, comprising:
a firewall comprising a processor; and
a memory, including instructions, coupled to said processor, said processor executing the instructions to authenticate a user that is associated with a process relative to said firewall and, if said user is authenticated relative to said firewall:
generate a first set of configuration data using user profile data and information associated with the external host, said first set of configuration data indicating a configuration of a tunnel for connecting said process to an internal host behind said firewall and the manner in which the tunnel is created, generate a socket based on the first set of configuration data, the socket being configured to connect the process to the internal host through the tunnel, establish a session associated with said user, wherein said tunnel is associated with the session, and cause the first set of configuration data to be transmitted to said external host, wherein the socket is instantiated as an object belonging to a socket subclass, wherein:
said socket subclass belongs to a socket superclass that includes a first routine, and said socket subclass defines an implementation for said first routine, said implementation configuring sockets.
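The following is an added example, written for this page and not code from the patent or its assignee, modelling the exchange the abstract and claims describe: the firewall authenticates the user, establishes a session, sends the external host tunnel configuration data, and a socket factory on the external host instantiates a socket subclass whose configure() routine (the claims' "first routine") points it at the firewall's tunnel entry port, which the firewall maps to a port on the internal host (claims 8 and 12). The firewall-side tunnel object of claim 7 is created only for a connection whose entry port belongs to a live session, and logging out tears down the session's tunnels. Every class, routine, host name and credential here is an assumption made for the example; the relay is simulated in memory and no real network sockets are opened.

```python
# Added example (not the patent's code): an in-memory model of the authenticated
# tunneling framework.  All names are assumptions; no real network sockets open.
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample data: one user and the destinations the profile allows.
USER_DB = {"alice": "correct horse battery staple"}
USER_PROFILES = {"alice": {("intranet.internal", 443)}}

@dataclass(frozen=True)
class TunnelConfig:
    """The 'first set of configuration data' sent to the external host."""
    session_id: str
    firewall_host: str
    entry_port: int       # first port, on the firewall (claim 8)
    internal_host: str
    internal_port: int    # second port, on the internal host (claim 8)

@dataclass
class Tunnel:
    # Tunnel object instantiated within the firewall per connection (claim 7).
    config: TunnelConfig

    def forward(self, payload: bytes) -> bytes:
        # Stand-in for relaying bytes to the mapped internal host and port.
        return b"relayed %d bytes to %s:%d" % (
            len(payload), self.config.internal_host.encode(), self.config.internal_port)

class Firewall:
    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}          # session_id -> user
        self.tunnels: Dict[int, TunnelConfig] = {}  # entry_port -> tunnel config
        self._next_port = 40000

    def login(self, user: str, password: str) -> Optional[str]:
        # Authenticate the user; on success establish a session and return its id.
        expected = USER_DB.get(user)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = user
        return session_id

    def request_tunnel(self, session_id: str, host: str, port: int) -> TunnelConfig:
        # Build tunnel configuration from the user profile (claim 14); the tunnel
        # stays associated with the session that requested it.
        user = self.sessions.get(session_id)
        if user is None:
            raise PermissionError("no session")
        if (host, port) not in USER_PROFILES[user]:
            raise PermissionError("destination not permitted by user profile")
        entry_port, self._next_port = self._next_port, self._next_port + 1
        config = TunnelConfig(session_id, "fw.example", entry_port, host, port)
        self.tunnels[entry_port] = config
        return config

    def accept(self, entry_port: int, session_id: str) -> Tunnel:
        # Honour a connection at an entry port only for the owning, live session.
        config = self.tunnels.get(entry_port)
        if config is None or config.session_id != session_id or session_id not in self.sessions:
            raise PermissionError("connection refused")
        return Tunnel(config)

    def logout(self, session_id: str) -> None:
        # Ending the session tears down every tunnel associated with it.
        self.sessions.pop(session_id, None)
        self.tunnels = {p: c for p, c in self.tunnels.items() if c.session_id != session_id}

class BaseSocket:
    """Socket superclass declaring the routine the subclass implements (claim 1)."""
    def configure(self, config: TunnelConfig) -> None:
        raise NotImplementedError

class TunnelSocket(BaseSocket):
    """Socket subclass whose configure() aims the socket at the tunnel entry port."""
    def configure(self, config: TunnelConfig) -> None:
        self.config = config
        self.target = (config.firewall_host, config.entry_port)   # claim 12

    def connect(self, firewall: Firewall) -> Tunnel:
        return firewall.accept(self.config.entry_port, self.config.session_id)

class SocketFactory:
    """Generates sockets from the received tunnel configuration (claims 5 to 7)."""
    def __init__(self, config: TunnelConfig) -> None:
        self.config = config

    def create_socket(self) -> TunnelSocket:
        sock = TunnelSocket()
        sock.configure(self.config)
        return sock

def demo(password: str = "correct horse battery staple") -> Tuple[str, str]:
    # Run the whole exchange; returns the relay reply and the post-logout outcome.
    fw = Firewall()
    session_id = fw.login("alice", password)
    if session_id is None:
        return ("authentication failed", "no tunnel")
    config = fw.request_tunnel(session_id, "intranet.internal", 443)
    sock = SocketFactory(config).create_socket()
    reply = sock.connect(fw).forward(b"GET / HTTP/1.1\r\n\r\n").decode()
    fw.logout(session_id)
    try:
        sock.connect(fw)
        return (reply, "still connectable after logout")
    except PermissionError:
        return (reply, "refused after logout")
```

Calling demo() walks through login, tunnel configuration, socket creation, one relayed request and logout; the second connect attempt after logout is refused, which is the property a reviewer should look for in any implementation of this scheme: the entry port is only a handle, and the session and the user's profile are what authorise traffic through it.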
Specification