WO1998031124A9 - Reverse proxy server (Serveur mandataire a action inverse) - Google Patents

Reverse proxy server (Serveur mandataire a action inverse)

Info

Publication number: WO1998031124A9
Authority: WO (WIPO (PCT))
Prior art keywords: server, data packet, address, name, list
Prior art (priority) date: 1997-01-10
Application number: PCT/US1998/001117
Filing date: 1998-01-06
Publication date: 1998-11-12
Other languages: English (en)
Other versions: WO1998031124A1 (fr)

Definitions

  • This invention relates to client/server computer communication over an internetwork system and, more particularly, to improved access of firewall protected servers.
  • Networks are well-known in the computer communications field.
  • A network is a group of computers and associated devices that are connected by communications facilities or links.
  • Network connections can be of a permanent nature, such as via cables, or can be of a temporary nature, such as connections made through telephone or other communication links.
  • Networks vary in size, from local area network (LAN) consisting of a few computers and related devices, to a wide area network (WAN) which interconnects computers and LANs that are geographically dispersed.
  • An internetwork is the joining of multiple computer networks, both similar and dissimilar, by means of gateways or routers that facilitate data transfer and conversion from various networks.
  • a well-known abbreviation for internetwork is "Internet." As currently understood, the capitalized term "Internet" refers to the collection of networks and routers that use TCP/IP (Transmission Control Protocol/Internet Protocol).
  • A representative section 10 of the Internet is shown in FIGURE 1 (Prior Art), in which a plurality of LANs 12 are interconnected by routers 11.
  • the routers 11 are generally special purpose computers used to interface one LAN to another.
  • Communication links within the LANs may be twisted wire pair or coaxial cable, while communication links between networks may utilize 56Kbps analog telephone lines, 1Mbps digital T-1 lines and/or 45Mbps T-3 lines.
  • the Internet comprises a vast number of such interconnected networks and routers and that only a small representative section of the Internet is shown in FIGURE 1.
  • the rapid growth and development of the Internet has made the Internet an important business tool. A company's primary concern when connected to the Internet is security.
  • the advantages of using the Internet can immediately be nullified by the possibility of internal company computers being compromised by an external entity. Ruinous results occur if data is stolen or computers are infected by viruses.
  • the immediate solution created is the firewall, a filter which can work either at the circuit or software level. This solution has been widely accepted by corporations and, with proper care and administration, effectively allows a company to securely utilize the Internet.
  • the firewall's primary fault is that it blocks communication in both directions, input to the internal network of the company and output to the Internet.
  • Proxy servers act as relay stations between an internal network and the
  • the present invention is directed to providing such communication security.
  • a method and system for securely accessing servers over an internetwork are provided.
  • Each server includes a processor and a memory.
  • the location address of a first server is determined.
  • the user sends a data packet with a server name to the first server according to the determined location address, wherein the server name is associated with a second server connected to the internetwork through the first server.
  • the first server compares the server name in the sent data packet to at least one internal address, wherein the at least one internal address identifies the location of said second server. If an internal address is found to match the server name, the packet is sent to the found internal address.
  • a client or user transmits a server name to a third server prior to sending said data packet.
  • the user receives a location address from the third server in response to the transmitted server name, wherein the location address is the address identifying a first server associated with the server name and connected to the internetwork.
  • the third server is a server name server and the first server is a web server.
  • communication between the first server and the second server is performed through a firewall.
  • the list of at least one internal address is encrypted.
  • the encrypted list is decrypted then compared to the server name of the received data packet.
  • the decrypted list is deleted at the completion of the comparison.
  • the user receives an error reply if no match was found in the compare of the server name with the list of internal addresses or if a reply data packet from the second server fails to be sent from the first server.
  • FIGURE 1 is a schematic diagram illustrating a network, such as the Internet
  • FIGURE 2 is a block diagram of a preferred embodiment of a system configuration of the present invention
  • FIGURE 3 is an example system functioning according to the invention of FIGURE 2;
  • FIGURES 4 and 5 are flow diagrams illustrating the steps for executing the invention shown in FIGURE 2;
  • FIGURES 6 and 7 are flow diagrams illustrating an example packet request and reply according to steps shown in FIGURES 4 and 5. Detailed Description of the Preferred Embodiment
  • a network system provides secure bi-directional data packet communication between a requester or client 15 and servers 20 protected by a firewall according to the present invention.
  • a company 13 includes a number of internal servers 20 protected by a firewall 22 and a bastion server 18 connected to a network 14.
  • Client 15 also connects to the network 14, and includes a domain name server 16 or connects to a domain name server 16 over a network 17.
  • Networks 14 and 17 may be the same network.
  • Client 15 can be a separate entity from company 13 or a separate entity in a different department of company 13. Examples of networks 14 or 17 are the Internet and an intranet.
  • FIGURE 3 illustrates an example of computer components and peripheral devices that may be used in place of like numbered block diagram components shown in FIGURE 2.
  • a computer 20a, file server 20b, printer 20c and facsimile device 20d are examples of computers or peripheral devices that can act as or include a server 20 connected within Company A's firewall 22 (FIGURE 2).
  • Company A's system 13a includes a bastion server 18a coupled between the network 14a and the Company A's firewall 22a.
  • the firewall 22a provides discrete access to the servers 20a-d located inside Company A.
  • the bastion 18 is a server that includes a processor and memory like typical servers, but also includes an internal address file 26 and a rules file 24 stored in memory.
  • the internal address file 26 includes the internal addresses for each of the servers 20 the company wishes to allow external access to through the firewall 22.
  • the IP address is the bastion 18's location on the network 14.
  • the client may include a domain name server, thereby reducing the step of having to retrieve from an external domain name server.
  • the data packet is then sent to the retrieved destination IP address.
  • the rules file 24 provides a predefined set of rules for maintaining secure communication of data packets passing in both directions through bastion server 18.
  • Bastion 18 limits communication with a single server 20 within firewall 22 without putting the company's system 13 at risk to rogue clients or unauthorized requests.
  • the bastion 18 can perform this service because the internal address file 26 is the only location where internal IP addresses are stored.
  • the limited secure communication performed by the bastion 18 is described in more detail below with reference to the example illustrated in the Tables.
  • FIGURE 4 is an information flow diagram according to the invention shown in FIGURE 2.
  • the client uses a domain (server) name to request the IP address of a bastion coupled to the server identified by the server name through a firewall.
  • This request can be accomplished by various methods known in the art. Supplying the server name directly to a domain name server is one method and performing an automatic request from a domain name server at the time the client sends a data packet is another.
  • the client receives the server name from the company under confidence prior to execution of any transactions.
  • the domain name server retrieves the IP address associated with the requested server name, see block 42.
  • the domain name server (DNS) stores all names of accessible servers within a company's firewall with direct reference to the company's IP address (the IP address of the company's bastion). Upon finding the requested server name, the DNS returns the directly referenced IP address, see block 44.
  • a company therefore requires only a single IP address for identifying all the servers within its system.
  • the client establishes a connection with the bastion, see block 46.
  • the data packet, which includes the server name, is sent to the bastion, see block 48.
  • the bastion compares the server name to the internal address file, see block 52.
  • the bastion determines whether a match exists between the server name and an internal address located in the internal address file. If no match is found, the bastion sends a reply to the client indicating that the request packet cannot be delivered because the requested server is not listed or no longer listed in the internal address file within the company or the request is incorrect for some other predefined reason, see block 56.
  • the received packet is checked against rules contained within the rules file, see decision block 58. If the received data packet fails to pass any of the predefined rules in the rules file, a reply is sent to the client indicating so, see block 56. However, if the received data packet passes all the rules contained within the rules file, a connection is made between the client and the server associated with the matched internal IP address and the data packet is delivered to the server.
  • the rule checks include certain security programs that operate upon received data packets and, particularly, data packets that are or include programs. Some unique rules and rules in the form of programs are described in more detail below with respect to Table 3.
  • FIGURES 6 and 7 illustrate an example of two-way packet communication between a client and a firewall protected server over the Internet.
  • the client's and bastion's IP addresses are 245.23.12.3 and 124.12.32.1, respectively.
  • the client's goal is to establish two way data packet communication with a server protected by a firewall and connected to the Internet through a bastion.
  • the client sends a request packet out on the Internet to the destination server, fujil.hde.com. (Table 1 fragment, the start of the zone file's SOA record: @ IN SOA bastion.hde.com. root.bastion.hde.com. ( )
  • a domain name server searches for the domain name zone file associated with the server name that ends with hde.com.
  • the DNS runs the DNS server program called "named" that reads the zone file, shown in Table 1.
  • the zone file provides the translation of the requested server name, fujil, into the IP address, 124.12.32.1, for the bastion connecting the server identified by the server name to the Internet, see block 84. If no IP address matches the server name, fujil, an alternate DNS is accessed for locating an IP address associated with the server name.
  • the alternate DNS is identified in the DNS zone file by the code line: "IN NS bastion.hde.com.”
  • NS is name server.
  • the client establishes a connection to the bastion with IP address 124.12.32.1.
  • Port 80 of the bastion is the receiving port and the client's connecting port depends upon other client port connections. In this example the client connecting port is port 80.
  • the bastion receives the data packet(s) from the client at block 88.
  • the server name, fujil.hde.com, and the data packet are transmitted to the bastion.
  • a program operating within the bastion provides the necessary coordination for the received data packet.
  • the server name, fujil.hde.com, is first compared to a decrypted internal address file, internal.conf, see Table 2.
  • the internal IP address file is decrypted into active memory upon data packet reception and the decrypted internal IP address file is deleted from memory upon completion of the comparison.
  • because the decrypted internal IP address file appears in active memory, i.e., RAM, for only a very short period of time, it is virtually impossible for one to access this information in an attempt to discover the internal addresses.
  • the internal address file presents a list of domain names and corresponding internal IP addresses. These internal addresses are known only to the bastion.
  • FIGURE 7 illustrates an example of a reply packet sent from the internal server through the bastion back to the client.
  • the internal server first sends the reply packet to the bastion.
  • the reply data packet is a reply to the data packet received from the client.
  • the reply packet may also be an unsolicited data packet.
  • the reply data packet passes a check against a set of rules for outgoing data packets. Similar to checks of received data packets, the outgoing data packet check is performed within the bastion.
  • the outgoing data packet is sent to the client with IP address 245.23.12.3.
  • Table 3 fragment (rules file): Destination IP: 204.95.95.0-94 / FILE viruses.dat
  • Table 3 illustrates an example set of rules for checking data packets passing through the bastion.
  • the code line "Destination IP: 204.95.95.0-94" is an IP address limiter rule. If an internal address discovered in the internal address file check of a received data packet is within the range of 204.95.95.0 through 204.95.95.94, the received data packet is denied access.
  • the limiter rule may also be used to present a range of allowable IP addresses. By using an IP address limiter, a system operator can limit access to specific internal servers. Another check performed is a file compare of the received data packet against prespecified files, as indicated by the code lines beginning with "FILE:".
  • the received data packet is checked against the indicated files "viruses.dat" and "ps_error.dat". These files compare the data packet to known viruses and data errors. If the data packet fails to pass the check with either one of these files, the data packet is refused and destroyed, because it most likely contains a virus. Similar file compare programs may also be used in the line "FILE:".
  • the code line “Flags:” prevents so called “Christmas tree” data packets from being relayed to the internal server by the bastion and causing problems with the internal server.
  • a received packet that exhibits the flags 0110001101 in its header will not be processed by the bastion.
  • the "URL:” code line identifies all URL addresses the internal server is denied access to.
  • the access is denied and an error message is returned to the client explaining the failed transaction.
  • a log file is maintained within the bastion to record information regarding the denied transaction.
  • the log file may include such things as why the denial was made, who it was from, and what was the destination of the packet. It can be appreciated to those of ordinary skill in the art that the rules file can include very specific rules relating to the type of system in which it is being used.
  • the "JAVA Checks:” code lines indicate JAVA class files that execute if the bastion receives a JAVA applet as or in a data packet.
  • the JAVA class files listed are "signature.class", "security.class" and "test.class". Each performs specific checks of received JAVA applets.
  • the "security.class" program ensures that the data within the data packet going to the client or internal server is not destructive for the intended recipient.
  • the "security.class" program performs security operations similar to those performed by a complete, secure JAVA virtual machine.
  • "Security.class" performs these protective illegal-operation overrides by attaching itself to the applet being sent in the data packet.
  • When the applet intended for the recipient is run at the destination client or server, "security.class" is run simultaneously. Since every system operable with JAVA applets includes a JAVA virtual machine, "security.class" sometimes performs security checks redundant to those performed by a complete JAVA virtual machine, thus protecting against a bad or incomplete JAVA virtual machine.
  • the "signature.class” program performs a certification operation similar to those provided by VeriSign Corporation's programs.
  • the "signature.class” program authenticates received JAVA applets by adding a signature program and/or time stamp to the received applet.
  • the signature and/or time stamp program is also run to ensure that, between transmission from the client server and the destination, the applet was not tampered with or altered in any manner. If it was, the applet will not run and the destination client or server will be informed that the applet received was invalid.
  • the "test.class" program performs two checks of the applet being transmitted through the bastion server. First, it compares the applet against known virus code, similar to a virus checking program. Next, it communicates with a secure Java virtual machine located on the bastion. The Java virtual machine on the bastion executes the applet intended for the destination client or server. If any illegal operations are attempted by the applet, the Java virtual machine informs the "test.class" program, and the "test.class" program relays to a program on the bastion that the Java applet is not secure and should not be transmitted to the destination client or server.
  • the "ActiveX Checks:" section includes the program "security.ocx".
  • the "ActiveX Checks:" section is similar to the "Java Checks:" section except it applies to data packets which are ActiveX programs which are intended to be run on the destination client or server.
  • the "security.ocx" program attaches to an ActiveX program destined for a client or server. This program is run at the destination client or server and behaves similarly to a common virus checking program. It monitors the execution of the ActiveX program that is running on the destination client or server. If the ActiveX program attempts an operation which is destructive to the host client or server, "security.ocx" stops execution and warns the client or server user that the ActiveX program attempted an illegal operation.
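As an added example (not code from the patent), the bastion's relay decision as the description lays it out: look the server name up in the internal address file, then apply the rules-file checks (the "Destination IP" limiter, the "Flags" pattern and the "URL" deny list) and record each denial with its reason, origin and destination as the log file does. The internal.conf entries, the rule-line syntax, the packet fields and the helper names are assumptions constructed for this example.

```python
"""Bastion relay decision modelled on the text: name lookup, then rules-file
checks, with a denial log. Example code written for this page, not the patent's.
The internal.conf entries, rule syntax and packet fields below are assumptions."""
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for Table 2 (internal.conf): server name -> internal IP.
# In the design these addresses are known only to the bastion.
INTERNAL_CONF = {
    "fujil.hde.com": "204.95.95.120",
    "sales.hde.com": "204.95.95.40",   # inside the denied limiter range below
}

# Constructed stand-in for Table 3 (rules file), using the code lines the text names.
RULES_TEXT = """\
Destination IP: 204.95.95.0-94
Flags: 0110001101
URL: http://denied.example/
"""

@dataclass
class Rules:
    denied_ranges: list = field(default_factory=list)   # (first, last) IPv4Address
    denied_flags: set = field(default_factory=set)      # header flag bit strings
    denied_urls: set = field(default_factory=set)

def parse_rules(text):
    """Parse 'Key: value' rule lines; keys not handled here (FILE:, JAVA Checks:) are skipped."""
    rules = Rules()
    for line in text.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Destination IP":
            # "a.b.c.x-y" limits the last octet to x..y inclusive (assumed syntax)
            prefix, last = value.rsplit(".", 1)
            lo, hi = last.split("-")
            rules.denied_ranges.append((ipaddress.ip_address(f"{prefix}.{lo}"),
                                        ipaddress.ip_address(f"{prefix}.{hi}")))
        elif key == "Flags":
            rules.denied_flags.add(value)
        elif key == "URL":
            rules.denied_urls.add(value)
    return rules

RULES = parse_rules(RULES_TEXT)
DENIAL_LOG = []   # why the denial was made, who it was from, intended destination

def relay_decision(client_ip, server_name, tcp_flags, url, rules=RULES,
                   internal_conf=INTERNAL_CONF):
    """Return (internal_ip, None) if the packet may be relayed, else (None, reason).

    Order follows the flow in the text: name lookup (blocks 52/56) before the
    rules file (block 58). Every denial is also appended to DENIAL_LOG.
    """
    def deny(reason):
        DENIAL_LOG.append({"client": client_ip, "server": server_name, "why": reason})
        return None, reason

    internal_ip = internal_conf.get(server_name)
    if internal_ip is None:
        return deny("server name not listed in internal address file")
    addr = ipaddress.ip_address(internal_ip)
    if any(lo <= addr <= hi for lo, hi in rules.denied_ranges):
        return deny("internal address inside denied Destination IP range")
    if tcp_flags in rules.denied_flags:
        return deny("header flags match a denied (Christmas tree) pattern")
    if url in rules.denied_urls:
        return deny("URL is on the deny list")
    return internal_ip, None

if __name__ == "__main__":
    # Client address from the text's example; flags/URLs are constructed.
    for name, flags, url in [("fujil.hde.com", "0000010010", "http://ok.example/"),
                             ("sales.hde.com", "0000010010", "http://ok.example/"),
                             ("fujil.hde.com", "0110001101", "http://ok.example/")]:
        print(name, relay_decision("245.23.12.3", name, flags, url))
```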

Abstract

The invention relates to a method and a system for securely accessing servers over an internetwork (14). Each server includes a processor and a memory. A first server (18) located outside a company's firewall (22) connects the company to the internetwork. A user or client (15) sends a data packet carrying a server name to a second server (20) identified by the server name and located within the company's firewall. The location address of the first server is retrieved according to the domain/server name, a connection is established with the first server according to the retrieved location address of the first server, and the data packet carrying the domain/server name is sent to the connected first server. The first server compares the domain/server name in the sent data packet to a list of at least one internal address, in which the internal address(es) identify the location of the second server. If an internal address matches the server name, the first server sends the packet to that internal address.
PCT/US1998/001117, priority date 1997-01-10, filing date 1998-01-06, Reverse proxy server (Serveur mandataire a action inverse), WO1998031124A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US78247997A 1997-01-10 1997-01-10
US08/782,479 1997-01-10

Publications (2)

Publication Number Publication Date
WO1998031124A1 (fr) 1998-07-16
WO1998031124A9 (fr) 1998-11-12

Family

ID=25126182

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US1998/001117 WO1998031124A1 (fr) 1997-01-10 1998-01-06 Reverse proxy server (Serveur mandataire a action inverse)

Country Status (1)

Country Link
WO (1) WO1998031124A1 (fr)

Families Citing this family (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9219755B2 (en) 1996-11-08 2015-12-22 Finjan, Inc. Malicious mobile code runtime monitoring system and methods
US7058822B2 (en) 2000-03-30 2006-06-06 Finjan Software, Ltd. Malicious mobile code runtime monitoring system and methods
US8079086B1 (en) 1997-11-06 2011-12-13 Finjan, Inc. Malicious mobile code runtime monitoring system and methods
US6351751B1 (en) 1998-05-14 2002-02-26 Sun Microsystems, Inc. Persistent storage managers for configuring client/server environments
US6119129A (en) * 1998-05-14 2000-09-12 Sun Microsystems, Inc. Multi-threaded journaling in a configuration database
US6052720A (en) * 1998-05-14 2000-04-18 Sun Microsystems, Inc. Generic schema for storing configuration information on a server computer
US6119157A (en) * 1998-05-14 2000-09-12 Sun Microsystems, Inc. Protocol for exchanging configuration data in a computer network
US6161125A (en) * 1998-05-14 2000-12-12 Sun Microsystems, Inc. Generic schema for storing configuration information on a client computer
US6557037B1 (en) * 1998-05-29 2003-04-29 Sun Microsystems System and method for easing communications between devices connected respectively to public networks such as the internet and to private networks by facilitating resolution of human-readable addresses
WO1999066384A2 (fr) * 1998-06-17 1999-12-23 Sun Microsystems, Inc. Method and apparatus for secure and authenticated access to computer networks
US6317837B1 (en) * 1998-09-01 2001-11-13 Applianceware, Llc Internal network node with dedicated firewall
SE513255C2 (sv) * 1998-09-11 2000-08-07 Telia Ab Improvements in or relating to transmission systems
US6654892B1 (en) * 1999-06-08 2003-11-25 Sun Microsystems, Inc. Methods and apparatus for permitting transactions across firewalls
DE19952669A1 (de) * 1999-11-02 2001-05-10 Siemens Ag Reverse masquerading for the reachability of data terminals in private IPv4 networks
SE0100545D0 (sv) * 2001-02-19 2001-02-19 Ericsson Telefon Ab L M Method and device for data communication
JP4102290B2 (ja) 2003-11-11 2008-06-18 Kabushiki Kaisha Toshiba Information processing apparatus
US8190773B2 (en) 2005-06-03 2012-05-29 Nokia Corporation System and method for accessing a web server on a device with a dynamic IP-address residing behind a firewall
US7970788B2 (en) 2005-08-02 2011-06-28 International Business Machines Corporation Selective local database access restriction
US7933923B2 (en) 2005-11-04 2011-04-26 International Business Machines Corporation Tracking and reconciling database commands
DE102006012167B4 (de) * 2006-03-13 2008-02-21 Mainpean Gmbh Method and computer system for providing a service offered over a digital information network
US8141100B2 (en) 2006-12-20 2012-03-20 International Business Machines Corporation Identifying attribute propagation for multi-tier processing
US8495367B2 (en) 2007-02-22 2013-07-23 International Business Machines Corporation Nondestructive interception of secure data in transit
US8261326B2 (en) 2008-04-25 2012-09-04 International Business Machines Corporation Network intrusion blocking security overlay

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2686755A1 (fr) * 1992-01-28 1993-07-30 Electricite De France Method for encrypting messages transmitted between interconnected networks, encryption apparatus and encrypted-data communication device implementing such a method.
US5550984A (en) * 1994-12-07 1996-08-27 Matsushita Electric Corporation Of America Security system for preventing unauthorized communications between networks by translating communications received in ip protocol to non-ip protocol to remove address and routing services information

Similar Documents

Publication Publication Date Title
WO1998031124A9 (fr) Reverse proxy server (Serveur mandataire a action inverse)
WO1998031124A1 (fr) Reverse proxy server (Serveur mandataire a action inverse)
US5896499A (en) Embedded security processor
Bellovin Distributed firewalls
US6178505B1 (en) Secure delivery of information in a network
US8200818B2 (en) System providing internet access management with router-based policy enforcement
US6408336B1 (en) Distributed administration of access to information
US7051365B1 (en) Method and apparatus for a distributed firewall
KR100225574B1 (ko) Security system for interconnected computer networks
US6961783B1 (en) DNS server access control system and method
US5898830A (en) Firewall providing enhanced network security and user transparency
US6950936B2 (en) Secure intranet access
US5960177A (en) System for performing remote operation between firewall-equipped networks or devices
US6981143B2 (en) System and method for providing connection orientation based access authentication
US7472414B2 (en) Method of processing data traffic at a firewall
AU733109B2 (en) Methods and apparatus for controlling access to information
US20050235348A1 (en) System for preventing unwanted access to information on a computer
US20010044820A1 (en) Method and system for website content integrity assurance
US20070245137A1 (en) HTTP cookie protection by a network security device
JPH05274266A (ja) Method for providing a security function for remote system management
GB2317792A (en) Virtual Private Network for encrypted firewall
Cisco Evolution of the Firewall Industry