The use of computer networks to store data and provide information to users is becoming increasingly common. Many businesses, governmental organizations and other entities now maintain local area networks (“LANS”) to interconnect user computers for sharing and propagation of information within the entity. Typically, each user computer (e.g., PC) or workstation connected through a LAN can utilize devices, such as printers, and access data stored on other computers connected to the LAN. For additional interconnectivity, individual LANS can connect to other LANS through Wide Area Networks (“WANS”).
The largest WAN currently in existence is the Internet. The Internet is a loosely organized network of computers spanning the globe. Client computers, such as home computers or user computers located on a LAN, can connect to other clients and servers on the Internet through a regional Internet Service Provider (“ISP”) that in turn connects to larger regional ISPs or directly to one of the Internet's “backbones.” Regional and national backbones are interconnected through long range data transport connections such as satellite relays and undersea cables. Through these layers of interconnectivity, each computer connected to the Internet can potentially connect to every other computer (or at least a large number of them) on the Internet.
To isolate computers connected to the Internet through a LAN from other computers on the Internet, an entity maintaining a LAN will often implement a “firewall.” A firewall can be a software and/or hardware based application that filters information coming into a LAN from the Internet (or other WAN). An entity will typically establish a firewall at each connection between the LAN and the Internet (e.g., at each T1 line) to maximize security against unwanted items (e.g., computer viruses). The firewall can implement security rules that allow only specific computers on the LAN to access the Internet and receive information from the Internet. The level of filtering, however, often depends on the protocol being used to communicate data.
Various services using different protocols can be offered over the Internet such as telnet, FTP (file transfer protocol), gopher, SMTP (simple mail transfer protocol) and world wide web services, to name a few. In some cases, any number of these services can be used by the same physical computer over different ports (i.e., world wide web content over port 80, email over port 25, FTP control over port 21, etc.). Some protocols, such as FTP, allow a computer to push data to another computer without any request from the receiving computer for that data. Without a firewall in place, almost any computer on the Internet could upload files and programs onto the computers on an entity's LAN, posing a serious security threat. Therefore, an entity may establish a firewall so that only one, well-monitored computer on the LAN is capable of receiving data via the FTP protocol.
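The filtering policy just described (unsolicited inbound connections reach only an explicitly opened port on an explicitly chosen host, while replies to connections that LAN hosts themselves opened are let back in) can be made concrete with a small stateful packet filter. The following is an added illustration written for this page, not code from the application or from any real firewall product; the addresses, the single FTP host and the sample packets are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed addresses for this example; the page names none.
LAN_PREFIX = "10.0.0."
FTP_BASTION = "10.0.0.5"          # the single, well-monitored FTP host


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def is_lan(addr: str) -> bool:
    return addr.startswith(LAN_PREFIX)


class Firewall:
    """Toy stateful packet filter at the LAN/Internet boundary.

    inbound_rules: iterable of (lan_host_or_None, proto, dport). A host of
    None means any LAN host may receive new connections on that port.
    """

    def __init__(self, inbound_rules=()):
        self.inbound_rules = list(inbound_rules)
        self.flows = set()   # connections that a LAN host has opened

    def process(self, pkt: Packet) -> str:
        outbound = is_lan(pkt.src) and not is_lan(pkt.dst)
        if outbound:
            # LAN hosts may originate connections; remember the 5-tuple so the
            # reply direction is recognised when it comes back from the Internet.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "ALLOW"
        if not is_lan(pkt.dst):
            return "DROP"   # neither endpoint is ours; nothing to forward
        # Inbound: is this the reply to something a LAN host requested?
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows:
            return "ALLOW (established)"
        # Otherwise it is an unsolicited connection: only explicitly opened
        # (host, proto, port) combinations pass, everything else is dropped.
        for host, proto, dport in self.inbound_rules:
            if proto == pkt.proto and dport == pkt.dport and host in (None, pkt.dst):
                return "ALLOW (rule)"
        return "DROP"


def demo() -> dict:
    """Run constructed sample packets through a policy that opens FTP to one host only."""
    fw = Firewall(inbound_rules=[(FTP_BASTION, "tcp", 21)])
    results = {}
    # An Internet host tries FTP to the bastion and to an ordinary workstation.
    results["ftp_to_bastion"] = fw.process(Packet("203.0.113.7", 50000, FTP_BASTION, 21))
    results["ftp_to_workstation"] = fw.process(Packet("203.0.113.7", 50001, "10.0.0.9", 21))
    # A workstation fetches a web page; the reply passes because it was requested.
    results["web_request"] = fw.process(Packet("10.0.0.9", 40000, "198.51.100.80", 80))
    results["web_reply"] = fw.process(Packet("198.51.100.80", 80, "10.0.0.9", 40000))
    # The same web server sending to a port nobody opened a connection from is dropped.
    results["unsolicited"] = fw.process(Packet("198.51.100.80", 80, "10.0.0.9", 40001))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

The point the example makes is that the only inbound traffic reaching a workstation is traffic it asked for; the bastion is the one host exposed to unsolicited FTP connections, which is why it must be the well-monitored one.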
Other protocols pose less of a threat, however. For example, HTTP, which is used for world wide web services, is essentially a client-initiated request/response protocol. That is, a client computer, typically through the use of a web browser, must request data before the web server can send the requested data to the client computer. Thus, information received by a client computer via HTTP is ordinarily information that the client computer requested. Moreover, HTTP is a stateless protocol in which client and server computers do not maintain connectivity information between requests. Thus, in the simplest case, when an HTTP request is received from a client computer, the web server accepts the connection, sends a reply and closes the connection. The connection may instead remain open for a period so that several requests can be served over it (a persistent or “keep-alive” connection; sending several requests over such a connection without waiting for each reply is known as “pipelining”); however, once the connection is closed the web server does not generally retain connectivity information about the client computer. The HTTP connection is typically established over port 80, or over port 443 when the connection is secured with SSL/TLS (i.e., HTTPS).
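The request/response and connection-closing behaviour described above, as an added example that is not part of the application text: a minimal HTTP server-side handler that parses whatever requests arrive on one connection, answers each one without keeping any per-client state, and decides from the protocol version and the `Connection` header whether to keep the connection open or close it. The hostnames and page contents are constructed for the example, and the handler deliberately supports only the headers the passage discusses.

```python
PAGES = {"/": b"<html>home</html>", "/status": b"cpu=12% net=3Mbps"}  # constructed content


def parse_request(raw: bytes):
    """Parse one HTTP request head from raw bytes.

    Returns (request, remaining_bytes), or (None, raw) if no complete head is present.
    """
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        return None, raw
    head, rest = raw[:end].decode("latin-1"), raw[end + 4:]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # GET carries no body, but consume a declared Content-Length so the next
    # pipelined request is found at the right offset.
    length = int(headers.get("content-length", "0"))
    body, rest = rest[:length], rest[length:]
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}, rest


def build_response(req) -> tuple:
    """Return (response_bytes, keep_open) for one parsed request."""
    body = PAGES.get(req["target"])
    status = "200 OK" if body is not None else "404 Not Found"
    if body is None:
        body = b"not found"
    conn = req["headers"].get("connection", "").lower()
    if req["version"] == "HTTP/1.1":
        keep_open = conn != "close"        # HTTP/1.1 connections persist by default
    else:
        keep_open = conn == "keep-alive"   # HTTP/1.0 connections close by default
    head = (f"{req['version']} {status}\r\n"
            f"Content-Length: {len(body)}\r\n"
            f"Connection: {'keep-alive' if keep_open else 'close'}\r\n\r\n")
    return head.encode("latin-1") + body, keep_open


def serve_connection(raw: bytes) -> list:
    """Answer every request present on one connection's input, in order.

    Nothing is remembered about the client between requests or between
    connections: there is no session table, each reply depends only on the
    request that prompted it.
    """
    responses = []
    buf = raw
    while True:
        req, buf = parse_request(buf)
        if req is None:
            break
        resp, keep_open = build_response(req)
        responses.append(resp)
        if not keep_open:
            break   # the server closes; anything further on the wire is never read
    return responses


def demo() -> list:
    # Constructed client traffic: two pipelined requests, the second asks the
    # server to close, so a third request on the same connection goes unanswered.
    wire = (b"GET /status HTTP/1.1\r\nHost: monitored.example\r\n\r\n"
            b"GET / HTTP/1.1\r\nHost: monitored.example\r\nConnection: close\r\n\r\n"
            b"GET /ignored HTTP/1.1\r\nHost: monitored.example\r\n\r\n")
    return serve_connection(wire)


if __name__ == "__main__":
    for resp in demo():
        print(resp.decode("latin-1"))
        print("-" * 40)
```

The handler never pushes anything the client did not ask for, which is the property the passage relies on: a server behind a firewall that only admits replies to outbound requests can still be reached this way, whereas a protocol that originates data toward the client could not.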
With the growth of the Internet over the past several years, entities are increasingly employing multiple LANs (typically in geographically remote locations) interconnected by the Internet. This allows, for example, a user at a Washington D.C., office to send email to a colleague in Austin, Tex. or even to print a document in Austin. To help determine the performance, efficiency and utilization of each of its LANs, an entity will often employ remote monitoring techniques. Remote monitoring can be employed to identify peak activity and aid administrators in making decisions about network growth and deployment. FIG. 1 is a diagrammatic representation of a prior art remote monitoring system 100. In remote monitoring system 100, a centralized network management station 105 is connected to an entity's LANs, such as a first LAN 110 and a second LAN 120, via a global computer network 130, such as the Internet. Each LAN includes one or more systems being monitored (e.g., monitored system 115 and monitored system 125) and is isolated from global computer network 130 by a firewall (e.g., firewall 135 and firewall 140, respectively). In order to monitor monitored system 115 and monitored system 125, a remote monitoring agent is deployed on each monitored system (e.g., monitoring agent 150 and monitoring agent 155). Each monitoring agent can continuously monitor statistics such as processor usage, network utilization, number of TCP/IP connections and other such statistics known to those of ordinary skill in the art.
In prior art systems such as FIG. 1, a two-way communication protocol is generally used to provide updates and new configuration information to the remote monitoring agents. This is generally achieved by opening an additional port at the respective firewall and allowing communications over that port via a virtual private network (“VPN”). Each additional port opened through the firewall is an additional point of entry to the corresponding LAN, thereby potentially decreasing overall security. Other prior art systems provide connectivity through a secure leased line, such as ISDN lines 160 and 165, connected to each monitored system, essentially bypassing global computer network 130. In other prior art systems, a dial-up connection is provided to the monitored systems, again bypassing global computer network 130.
These prior art systems have a number of shortcomings, however. Providing VPN, leased-line or dial-up access usually entails additional hardware, software and/or telephone charges that may not be financially feasible for smaller entities. Moreover, establishing a VPN, or interfacing leased or dial-up lines, between central management station 105 and the monitored systems can require a significant amount of time. If central management station 105 is administered by a different entity than LAN 110 and LAN 120, a representative of the management entity will typically have to make one or more on-site visits to the locations of monitored system 115 and monitored system 125 to install software and/or hardware, and to reconfigure the firewall, again leading to additional time and expense.