Firewall providing enhanced network security and user transparency
First Claim
1. In a computer networking environment having a plurality of firewall nodes on a path between a first terminal and a host terminal, where the firewall nodes delineate one network segment from another network segment, a method of establishing a communication link comprising the steps of:
- providing a plurality of virtual hosts on each of the plurality of firewall nodes;
forming forward and reverse DNS tables for each of said plurality of firewall nodes wherein the DNS entries correspond to addresses of the virtual hosts on a given network segment and the virtual hosts correspond to actual hosts;
in response to the first terminal'"'"'s DNS query to determine the address of the host, providing the address of the virtual host assigned to handle requests for the host terminal;
transmitting a connection request using the address of the virtual host;
at the virtual host assigned to handle requests for the host, and subsequently, at each successive virtual host located on firewall nodes on the path;
receiving a connection request;
obtaining a host name using reverse DNS, the host name corresponding to the requested address;
obtaining an address for use on the next network segment using DNS corresponding to the host name;
requesting a connection using the address for the next network segment;
receiving a connection request at the host and responding to the request; and
,transmitting the response in the reverse direction traversing the same path from virtual host to virtual host until the response reaches the first terminal.
2 Assignments
0 Petitions
Accused Products
Abstract
The present invention, generally speaking, provides a firewall that achieves maximum network security and maximum user convenience. The firewall employs "envoys" that exhibit the security robustness of prior-art proxies and the transparency and ease-of-use of prior-art packet filters, combining the best of both worlds. No traffic can pass through the firewall unless the firewall has established an envoy for that traffic. Both connection-oriented (e.g., TCP) and connectionless (e.g., UDP-based) services may be handled using envoys. Establishment of an envoy may be subjected to a myriad of tests to "qualify" the user, the requested communication, or both. Therefore, a high level of security may be achieved. The usual added burden of prior-art proxy systems is avoided in such a way as to achieve full transparency--the user can use standard applications and need not even know of the existence of the firewall. To achieve full transparency, the firewall is configured as two or more sets of virtual hosts. The firewall is, therefore, "multi-homed," each home being independently configurable. One set of hosts responds to addresses on a first network interface of the firewall. Another set of hosts responds to addresses on a second network interface of the firewall. In one aspect, programmable transparency is achieved by establishing DNS mappings between remote hosts to be accessed through one of the network interfaces and respective virtual hosts on that interface. In another aspect, automatic transparency may be achieved using code for dynamically mapping remote hosts to virtual hosts in accordance with a technique referred to herein as dynamic DNS, or DDNS.
294 Citations
6 Claims
-
1. In a computer networking environment having a plurality of firewall nodes on a path between a first terminal and a host terminal, where the firewall nodes delineate one network segment from another network segment, a method of establishing a communication link comprising the steps of:
-
providing a plurality of virtual hosts on each of the plurality of firewall nodes; forming forward and reverse DNS tables for each of said plurality of firewall nodes wherein the DNS entries correspond to addresses of the virtual hosts on a given network segment and the virtual hosts correspond to actual hosts; in response to the first terminal'"'"'s DNS query to determine the address of the host, providing the address of the virtual host assigned to handle requests for the host terminal; transmitting a connection request using the address of the virtual host; at the virtual host assigned to handle requests for the host, and subsequently, at each successive virtual host located on firewall nodes on the path; receiving a connection request; obtaining a host name using reverse DNS, the host name corresponding to the requested address; obtaining an address for use on the next network segment using DNS corresponding to the host name; requesting a connection using the address for the next network segment; receiving a connection request at the host and responding to the request; and
,transmitting the response in the reverse direction traversing the same path from virtual host to virtual host until the response reaches the first terminal. - View Dependent Claims (2, 3, 4, 5, 6)
-
Specification
-
- Resources
-
Current AssigneeNetwork Engineering Software, Inc. (Hopto Inc.)
-
Original AssigneeNetwork Engineering Software, Inc. (Hopto Inc.)
-
InventorsWesinger, Jr., Ralph E., Coley, Christopher D.
-
Primary Examiner(s)WRIGHT, NORMAN M
-
Application NumberUS09/299,941Time in Patent Office358 DaysField of Search713/200, 713/201, 714/4, 714/18, 380/3, 380/23, 380/25, 340/825.34US Class Current726/11CPC Class CodesB65B 11/004 in blanks, e.g. sheets prec...G06F 16/958 Organisation or management ...G06F 21/42 using separate channels for...G06Q 20/027 involving a payment switch ...H04L 2101/677 Multiple interfaces, e.g. m...H04L 61/25 of the same typeH04L 61/2514 between local and global IP...H04L 61/2521 Translation architectures o...H04L 61/256 NAT traversalH04L 61/35 involving non-standard use ...H04L 61/4511 using domain name system [DNS]H04L 61/4552 Lookup mechanisms between a...H04L 63/02 for separating internal fro...H04L 63/0227 Filtering policies mail mes...H04L 63/0263 Rule managementH04L 63/0281 ProxiesH04L 63/0807 using tickets, e.g. Kerbero...H04L 63/18 using different networks or...H04L 69/16 Implementation or adaptatio...H04L 69/164 Adaptation or special uses ...View All
