Outside access to computer resources through a firewall
2 Assignments
0 Petitions
Abstract
A firewall isolates computer and network resources inside the firewall from networks, computers and computer applications outside the firewall. Typically, the inside resources could be privately owned databases and local area networks (LANs), and outside objects could include individuals and computer applications operating through public communication networks such as the Internet. Usually, a firewall allows for an inside user or object to originate connection to an outside object or network, but does not allow for connections to be generated in the reverse direction; i.e. from outside in. The disclosed invention provides a special "tunneling" mechanism, operating on both sides of a firewall, for establishing such "outside in" connections when they are requested by certain "trusted" individuals or objects or applications outside the firewall. The intent here is to minimize the resources required for establishing "tunneled" connections (connections through the firewall that are effectively requested from outside), while also minimizing the security risk involved in permitting such connections to be made at all. The mechanism includes special tunneling applications, running on interface servers inside and outside the firewall, and a special table of "trusted sockets" created and maintained by the inside tunneling application. Entries in the trusted sockets table define objects inside the firewall consisting of special inside ports, a telecommunication protocol to be used at each port, and a host object associated with each port. Each entry is "trusted" in the sense that it is supposedly known only by individuals authorized to have "tunneling" access through the firewall from outside. These applications use the table to effect connections through the firewall in response to outside requests identifying valid table entries.
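The trusted-sockets mechanism described in the abstract and claimed below, as an added example (not code from the patent): a constructed Python model in which the inside tunnel owns the table, pushes a copy to the outside tunnel over the control connection, and opens a data connection unique to each request only after re-checking its own live table, so a stale outside copy cannot admit a revoked entry. Class, method and host names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# An entry carries the three items the abstract names: inside host object, assigned port, protocol.
SocketKey = Tuple[str, int, str]

@dataclass
class InsideTunnel:
    """Inside-firewall tunneling application: owns the authoritative table and is
    the only party that opens connections through the firewall."""
    trusted: Set[SocketKey] = field(default_factory=set)
    connections: Dict[str, SocketKey] = field(default_factory=dict)

    def snapshot(self) -> Set[SocketKey]:
        """Copy of the table sent to the outside tunnel over the control connection."""
        return set(self.trusted)

    def on_control_request(self, key: SocketKey) -> Optional[str]:
        """Handle a request relayed over the control connection. The live table is
        re-checked (the outside copy may be stale) before a data connection unique
        to this request is opened from the inside."""
        if key not in self.trusted:
            return None
        conn_id = f"data-conn-{len(self.connections) + 1}"
        self.connections[conn_id] = key
        return conn_id

@dataclass
class OutsideTunnel:
    """Outside-firewall tunneling application holding a copy of the table."""
    table_copy: Set[SocketKey]

    def request(self, inside: InsideTunnel, key: SocketKey) -> Tuple[str, Optional[str]]:
        if key not in self.table_copy:
            return ("denied-outside", None)  # dropped before anything crosses the firewall
        conn_id = inside.on_control_request(key)  # relayed via the control connection
        return ("established", conn_id) if conn_id else ("denied-inside", None)

def run_demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Constructed scenario: two trusted sockets, one revoked after the copy was sent."""
    inside = InsideTunnel(trusted={("db-host", 5432, "tcp"), ("app-host", 8080, "tcp")})
    outside = OutsideTunnel(table_copy=inside.snapshot())
    inside.trusted.discard(("app-host", 8080, "tcp"))  # revoked; outside copy is now stale
    return {
        "known": outside.request(inside, ("db-host", 5432, "tcp")),
        "second": outside.request(inside, ("db-host", 5432, "tcp")),
        "unknown": outside.request(inside, ("db-host", 22, "tcp")),
        "revoked": outside.request(inside, ("app-host", 8080, "tcp")),
    }
```

Each successful request gets its own data connection identifier, while the revoked entry is refused by the inside side even though the outside copy still lists it.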
143 Citations
10 Claims
1. Tunneling apparatus for a data communication network containing a firewall, said firewall defining inside and outside regions and forming a security barrier preventing objects in said outside region from directly initiating access to objects in said inside region, while permitting objects in said inside region to directly initiate and obtain access to objects in said outside region;
said tunneling apparatus enabling objects in said outside region to obtain access to predetermined trusted objects in said inside region in a manner requiring formation of connections under exclusive control of processes operating in said inside region, said tunneling apparatus comprising:
an outside interface computer in said outside region, said outside interface computer interfacing between said firewall and objects in said outside region;
an inside interface computer in said inside region, said inside interface computer interfacing between said firewall and objects in said inside region;
said inside interface computer having a special control connection to said outside interface computer, through said firewall, for transferring control information to said outside computer;
said inside interface computer maintaining a table of trusted objects and intermittently providing copies of said table to said outside interface computer through said control connection;
entries in said table serving as a basis for permitting and denying access to trusted objects in said inside region when requests for such access are initiated by objects in said outside region;
said outside interface computer acting to selectively transfer requests sent from objects in said outside region to said inside computer, via said control connection, when said requests are directed to trusted objects identified by entries in said table; and
said inside computer acting in response to a said transferred request to establish a data communication connection unique to the respective request, and separate from said control connection, for communicating data associated with the respective trusted object between said inside and outside regions.
Dependent claims: 2, 3, 4, 5.
6. Tunneling apparatus for a data communication network containing a firewall, said firewall defining inside and outside regions and forming a security barrier preventing objects in said outside region from directly initiating access to objects in said inside region, while permitting objects in said inside region to directly initiate and obtain access to objects in said outside region;
said tunneling apparatus enabling objects in said outside region to obtain access to predetermined trusted objects in said inside region in a manner requiring formation of connections under exclusive control of processes operating inside said region, said tunneling apparatus comprising:
an outside interface computer in said outside region, said outside interface computer interfacing between said firewall and objects in said outside region;
an inside interface computer in said inside region, said inside interface computer interfacing between said firewall and objects in said inside region;
means in both said inside and outside interface computers for ascertaining identities of said predetermined trusted objects;
means in said outside interface computer, responsive to a request sent from an object in said outside region, for cooperating with said ascertaining means to determine if that request is directed to one of said trusted objects and, if the request is so directed, for routing the request to said inside interface computer; and
means in both said inside and outside interface computers responsive to said request directed to said one of said trusted object for forming a data communication connection between said one of said trusted objects and the outside object that sent the respective request;
wherein segments of said data communication connection located in said inside region and extending through said firewall are formed under exclusive control of said inside interface computer, and a segment of said data communication connection extending from said outside interface computer to the object that sent the request is formed under control of said outside interface computer; and
further wherein said means for ascertaining identities of said trusted objects includes:
means in said inside interface computer for creating and maintaining a table listing said trusted objects;
means for transferring a copy of said table listing through said firewall to said outside interface computer; and
means in said outside interface computer for storing and referring to said copied table listing; and
each entry in said table of trusted objects consists of a first item of information identifying an object in said inside region, a second item of information identifying a data communication port assigned to the respective object, and a third item of information identifying a data communication protocol to be used for transmitting data through said port.
7. Computer-readable tunneling software for enabling data handling objects outside a firewall to establish data communication connections with data handling objects inside said firewall, said software comprising:
inside and outside program segments intended to run on computers located respectively inside and outside said firewall, said computers interfacing between said firewall and said objects respectively inside and outside said firewall; said inside segment comprising:
means for operating a said inside computer to create and maintain a table of trusted inside objects; and
means for operating said inside computer in conjunction with said firewall to provide a copy of said table to said outside segment; and
wherein each entry in said table of trusted objects consists of a first item of information identifying a specific object inside said firewall, a second item of information identifying a port of said inside computer allocated for said specific object, and a third item of information identifying a data communication protocol required for conducting data communication with said specific object and port.
Dependent claims: 8.
9. A method for enabling objects outside a computer system security firewall to obtain data connections to selected objects inside said firewall comprising:
creating and maintaining a table of selected objects inside said firewall, each entry in said table comprising items of information identifying a selected object, a data communication port assigned to said object and a data communication protocol assigned to the respective port;
providing a copy of said table outside said firewall;
providing outside objects with a specific security clearance access to items of information constituting an entry in said table;
having respective said outside objects issue requests for access to the object, port and protocol entity defined by the items of information provided to said outside objects; and
having computer systems outside and inside said firewall establish a data transmission connection between a specific inside object identified in each request and an outside object originating that request;
wherein segments of said data transmission connection that lie inside said firewall and extend through said firewall are constructed under exclusive control of said computer system inside said firewall.
Dependent claims: 10.