1. Field of the Invention
The present invention relates to computer networks, and, more particularly, to a method and apparatus for allowing network communications to proceed between two computers despite the fact that one or both of the computers are protected by a firewall.
2. Description of the Related Art
As the Internet has grown, security concerns have grown as well. In order to prevent unauthorized access to computer systems connected to the Internet, gateway systems commonly referred to as firewalls have been developed in order to prevent such unauthorized access.
FIG. 1 illustrates a network architecture 100 that employs such security measures. A computer system 105 is coupled to a firewall system 110 that allows access to a network 115. Also coupled to network 115 by a firewall system 120 is a computer system 125. Preferably, firewall systems 110 and 120 allow computer systems 105 and 125 transparent access to network 115, respectively, but prevent access to their respective computer systems originating from network 115. Thus, computer systems 105 and 125 are able to access other computer systems coupled to network 115 (e.g., a computer system 130). Such access may be accomplished by, for example, programs 135 and/or 140 accessing data 145 on computer system 130 using any one of a number of networking protocols, as illustrated by connections 131 and 132. In contrast, firewall systems 110 and 120 prevent access to computer systems 105 and 125, respectively, by other systems coupled to network 115 (e.g., programs running on computer system 130 (not shown)).
Firewalls such as firewall systems 110 and 120 normally control access to the computers thus protected by controlling the ability to create connections to and from the computers they protect. Firewall systems 110 and 120 are thus configured to allow computer systems 105 and 125, respectively, to initiate connections to systems on the opposite side of their respective firewalls, but prevent the computer systems on the opposite side from initiating connections to the computers protected by the firewalls.
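The connection-direction policy described above, as an added illustration that is not part of the patent: a minimal connection-tracking filter in Python that lets the protected host open connections outward and passes the replies, but refuses any connection initiated from the outside. The addresses and ports are constructed; 192.0.2.105 stands in for protected computer system 105 and 198.51.100.130 for outside computer system 130.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag: set on a connection-initiating segment
    ack: bool = False


class ConnectionTrackingFirewall:
    """Permits the protected (inside) host to initiate connections outward and
    passes the replies, but drops any connection initiated from the outside."""

    def __init__(self, inside_hosts):
        self.inside = set(inside_hosts)
        # Known connections keyed by (inside_ip, inside_port, outside_ip, outside_port)
        self.connections = set()

    def decide(self, pkt):
        outbound = pkt.src in self.inside and pkt.dst not in self.inside
        inbound = pkt.dst in self.inside and pkt.src not in self.inside
        if outbound:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack:
                self.connections.add(key)   # inside host opens a new connection
                return "ALLOW"
            return "ALLOW" if key in self.connections else "DROP"
        if inbound:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if pkt.syn and not pkt.ack:
                return "DROP"               # outside-initiated connection: always refused
            return "ALLOW" if key in self.connections else "DROP"
        return "DROP"                       # neither side is the protected host


def run_scenario():
    # Constructed traffic: an outbound HTTP handshake, then two inbound attempts.
    fw = ConnectionTrackingFirewall({"192.0.2.105"})
    outside = "198.51.100.130"
    packets = [
        Packet("192.0.2.105", 40001, outside, 80, syn=True),            # inside opens
        Packet(outside, 80, "192.0.2.105", 40001, syn=True, ack=True),  # reply to it
        Packet("192.0.2.105", 40001, outside, 80, ack=True),            # handshake done
        Packet(outside, 51000, "192.0.2.105", 22, syn=True),            # outside opens
        Packet(outside, 80, "192.0.2.105", 40002, ack=True),            # no matching state
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The first three decisions are ALLOW and the last two are DROP: the established outbound connection is passed in both directions, while the inbound SYN and the unsolicited inbound segment never reach the protected host.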
However, it is often desirable to gain access to a system protected by a firewall from a system on the unprotected side of the firewall (also commonly referred to as the “dirty” side of a firewall). Because this type of access to a protected computer system is exactly that which a firewall is meant to prevent, the presence of a firewall impedes such access. For example, this is the case where a technical support group requires access to a customer's computer system. If both the customer's system and that of the technical support group are connected to a network, a desirable method of accessing the customer's system would be via that network. Traditional solutions to this dilemma include supporting the desired communications via the use of an alternate communications path (exemplified by a connection 146), or the disabling of either the customer's firewall or that of the technical support group (exemplified by a connection 147).
The former solution is illustrated in FIG. 1, where modems 151 and 152 allow computer systems 105 and 125 to communicate via a public telephone system 155. A similar alternative is to configure computer systems 105 and 125 to communicate using a private network. The latter solution of simply disabling the firewall can be used to permit an outside computer (e.g., in the case of computer system 105, computer systems 125 or 130) to access the formerly-protected computer system.
Unfortunately, these solutions are less than ideal. Using an alternate communication system entails the additional costs of the alternate communication system and the need to commit valuable resources to the alternate system's installation and maintenance, among other such concerns. For example, when implementing the alternate communication system shown in FIG. 1, modems 151 and 152 must be purchased and then connected to computer systems 105 and 125, respectively, as well as coupled to one another via public telephone system 155. This requires the operator of computer system 125 to arrange access to computer system 105 by some means and further requires that a modem-compatible connection be made available for their use. Thus, access to computer system 105 by computer system 125 using an alternate means of communication is inconvenient and raises issues of compatibility.
On the other hand, defeating the security features of firewall system 110 to allow access to computer system 105 by computer system 125 opens computer system 105 to attack by any computer system attached to network 115. When put in such a state, computer system 105 thus becomes susceptible to computer hackers, computer viruses and the like. As a result, access by this method is likely not available on an immediate basis, requiring the authorization of the management of the company to which computer system 105 belongs. Moreover, such a method is often awkward due to the need for monitoring of the incoming data stream to prevent attacks on computer system 105 such as those mentioned previously. Given the foregoing issues and the need to access computer systems protected by a firewall, the ability to access a computer system through a firewall protecting that computer system would be of great use. Such a technique should be able to support the requisite communications without the use of an alternate means of communication, and without the need to inhibit the firewall's security features.