1. Field of the Invention
The current invention generally relates to network security. More specifically, the current invention relates to network data transmissions through a firewall.
2. Description of the Related Art
As computer networks have evolved, increasingly sensitive personal and business data have been stored on information systems to improve efficiency and reduce the cost of doing business. Consequently, this valuable personal data has become a target for computer theft and a rise in attacks on information systems has been observed. Moreover, storing sensitive personal data on information systems has given system administrators the enormous responsibility of ensuring data security and data integrity. Indeed, information system security is a high priority for system administrators handling sensitive data.
System administrators currently have a number of tools at their disposal to ensure data security and data integrity. Secure Shell (SSH) software may be used to prevent plain-text transmissions from being intercepted by computer criminals by creating an encrypted tunnel through which information flows that only the intended receiver and sender can interpret. SSH was designed as a replacement for previously existing remote administration tools such as rsh and telnet. Tools such as rsh, telnet, and ssh give a system administrator the ability to issue commands on a computer system from a remote location. SSH achieves a high level of security by creating a secured logical tunnel. A client, for example, that wishes to communicate with a server running an SSH service initiates a connection with that server. The server sends the client a public host key identifying the server, which the client then uses to create an encrypted session key. The client proceeds to send the session key back to the server, and the server decrypts this session key and creates an encrypted connection between the client and server. Authentication is then required using a password or other means to log into the server over the encrypted connection. While this method offers a high level of security, the process is not transparent in environments where a persistent connection is required. Furthermore, SSH has generally been limited to gaining remote access to a shell (command line interface to a computer system) rather than for application programming.
Secure Socket Layer (SSL) technology provides similar functionality for transmissions which take place over networks employing the Hypertext Transfer Protocol (HTTP). SSL was a response to the increase in online shopping, banking, and identity-sensitive activities performed on the web using an Internet web browser. SSL's intended implementation was for HTTP, but SSL's use has been expanded beyond HTTP to other network applications. In an SSL-enabled connection, the user visits an SSL-enabled website. The user's web browser checks the website's identification certificate to ensure the website is legitimate and not another website acting as the intended website. The website has an identification certificate which is obtained from an issuer that both the website itself and the web browser trust. If the certificate is not available or its authenticity appears to be in question, the user's web browser will notify the user and permit the user to make a decision to proceed. The web browser and the website then exchange information indicating what encryption methods are understood by both the web browser and the website in the transaction, and an encryption key is generated by the web browser. The encryption key is then sent to the server, allowing the website to decrypt transmissions between the web browser and the website. After the key has been sent to the website, the connection is secured and all HTTP transmissions from the web browser to the secured website may be encrypted. SSL allows for secure HTTP transmission, but it is limited to the HTTP protocol. If another protocol must be secured, SSL support is generally not available or becomes economically unfeasible when trying to adapt the SSL security function to a non-HTTP application.
Recently, Virtual Private Networks (VPNs) have been implemented to give users an additional level of security using techniques similar to SSH. A VPN is a security mechanism which creates a private, encrypted network on a much larger public network infrastructure. The most common VPN implementation is the creation of a private, encrypted network over the Internet. A VPN uses a tunneling technique similar to SSH wherein each network packet (discrete network data) is encrypted and transferred between a client and a server. There is no agreed-upon specification for VPN implementations, however, and thus the use of the term VPN to describe secure networks can take on various meanings. In general, a VPN requires that a client authenticate with a server, thereby creating an encrypted network which facilitates the secure transmission of data. The authentication mechanism, encryption algorithm, and network protocol may all be implemented differently, thus leading to innumerable variations. Currently, Point-to-Point Tunneling Protocol and IPSec are competing technologies with different advantages and disadvantages, subject to the opinions of different professionals. These authentication and encryption mechanisms serve as the basis for the VPN connection. In addition, VPNs use advanced packet-monitoring techniques coupled with encryption to ensure that packets are not intercepted and, if intercepted, remain unreadable, and in this respect VPNs are generally superior to SSH. VPNs, however, have numerous drawbacks. As previously mentioned, VPNs do not have a standard industry specification, leading to interoperability problems and expensive vendor lock-in situations. VPNs also currently support only Internet Protocol (IP) on a wide scale. Other legacy protocols requiring secure distributed connections are not supported by current VPN solutions. Therefore, many applications using unsupported transmission mechanisms that require a secure connection may not use a VPN to improve security.
In addition to the aforementioned security tools, system administrators have generally implemented firewalls on all vulnerable networks. A firewall is a piece of software that resides on a computer system serving as a gateway between a local and a remote network. When data is transferred across the network in the form of multiple network packets over a protocol such as TCP/IP, a firewall intercepts each packet and inspects it en route to its destination. After intercepting the packet, the firewall will accept or reject the packet based on predefined rules established by the system administrator. These rules check the type, source, destination, and other pertinent information of the packet. If the packet's properties pass inspection based on the firewall rules, it is routed on to its destination; if it fails, the network packet will be rejected.
In client/server environments, client software resides on a client computer system and server software resides on a server computer system. A significant benefit of client/server environments is that the client software and server software may reside on different computer systems, permitting the two computer systems to be in different locations but on the same network. A typical configuration is a data source that resides on a computer system separate from multiple client computer systems. In a client/server transaction, the client may request data from the server, and the server attempts to supply the requested data in the form of network packets. The process may work in reverse as well, when the server requests information from the client. Such configurations exist, for example, where a server checks each client to ensure compliance with a set of security standards. Thus, it is imperative that a transparent path exists in both directions to allow the flow of information in a client/server configuration.
A firewall generally will allow packets to flow freely from a local network to a remote network; however, the converse is generally not true, since most firewalls are configured to reject all network transmissions originating from a remote network unless the network transmission has been initiated by a computer system residing on the local network. Firewalls, therefore, create specific problems in client/server environments where the flow of information must occur without obstruction and in either direction to avoid data loss. Various techniques have been employed to permit inbound traffic from a remote network through the firewall to the local network. One such method involves permitting inbound traffic from only designated IP addresses chosen by a system administrator. This solution is feasible, but only in networks with a smaller number of servers and clients. In a large environment, designating a specific list of IP addresses is undesirable because of the number of IP addresses that would have to be specified as well as the effort required to maintain an accurate list. Another technique permits only specific protocols to pass through the firewall. This is problematic, however, because security flaws may still be exploited within the allowed protocol, and thus the technique may still require significant maintenance work to implement effectively. Therefore, a need exists for an efficient method and apparatus that permits inbound traffic from a remote network to enter a local network through a firewall while maintaining appropriate security measures.
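The gateway behaviour described above (outbound passes freely, inbound passes only when it answers a connection a local host initiated) and the two workarounds the text mentions (a designated-address list and a per-protocol exception), shown as an added example that is not part of the patent or any product it describes. The class, method names, the "10.0.0." local prefix and the sample packets are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    sport: int    # source port
    dport: int    # destination port

class GatewayFirewall:
    """Hypothetical filter between a local and a remote network: outbound packets
    pass and are remembered; inbound packets pass only if they answer a remembered
    connection or match one of the two exception rules described in the text."""

    def __init__(self, local_prefix, allowed_sources=(), allowed_protocols=()):
        self.local_prefix = local_prefix                  # e.g. "10.0.0." (constructed)
        self.allowed_sources = set(allowed_sources)       # designated remote addresses
        self.allowed_protocols = set(allowed_protocols)   # protocols let in from anywhere
        self.state = set()  # 5-tuples of connections initiated from the local side

    def is_local(self, ip): return ip.startswith(self.local_prefix)

    def filter(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if self.is_local(pkt.src) and not self.is_local(pkt.dst):
            self.state.add(key)                # remember the flow so its reply can return
            return "ACCEPT"
        if not self.is_local(pkt.src) and self.is_local(pkt.dst):
            reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
            if reverse in self.state:
                return "ACCEPT"                # reply to a locally initiated connection
            if pkt.src in self.allowed_sources:
                return "ACCEPT"                # designated-address exception
            if pkt.proto in self.allowed_protocols:
                return "ACCEPT"                # protocol exception: any source passes
            return "REJECT"                    # unsolicited inbound traffic
        return "REJECT"                        # not a local<->remote crossing; do not forward

# Constructed sample traffic; remote hosts use documentation address ranges.
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.10", "tcp", 40000, 443),    # local client -> remote server
    Packet("192.0.2.10", "10.0.0.5", "tcp", 443, 40000),    # that server's reply
    Packet("203.0.113.7", "10.0.0.5", "tcp", 5555, 22),     # unsolicited inbound
    Packet("198.51.100.9", "10.0.0.5", "tcp", 6000, 8080),  # from a designated address
    Packet("203.0.113.7", "10.0.0.9", "udp", 1234, 53),     # any source, allowed protocol
]

def run_sample():
    fw = GatewayFirewall("10.0.0.", allowed_sources={"198.51.100.9"}, allowed_protocols={"udp"})
    return [fw.filter(p) for p in SAMPLE]
```

The last verdict illustrates the weakness the text notes: once a protocol is allowed through, every remote source can use it, so any flaw in that protocol's service is reachable.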