The Internet, as conventionally understood, is a heterogeneous collection of interconnected networks allowing largely undifferentiated public access to the connected computing systems. A client, generically a client application program executed on a network-connected computer system, can request a connection to any server computer system with a publicly resolvable domain name or explicit Internet address. In general terms, the connection request is defined by a combination of source and destination Internet Protocol (IP) network addresses, a network transport protocol type, and source and destination network port numbers. The network addresses define at least the publicly known end-points of the connection. The transport protocol type, TCP (Transmission Control Protocol) or UDP (User Datagram Protocol), is specified in the request; application protocols such as HTTP (Hypertext Transfer Protocol) and WS (Web Services), and their encrypted variants such as HTTPS, are carried over one of these transports and are associated with a destination port by convention rather than identified by the transport layer itself. The source port number, in combination with the source network address, enables the server computer system, generically the network operating system executed by a server computer system, to uniquely distinguish one client connection from another arriving at the same destination address and port. Before it can accept connections, a server reserves a local address and port; this operation is generally referred to as binding, and accepting a requested connection on a bound port establishes the connection. Once a connection is established, commands and data may be exchanged through it.
Beyond issues involving reachability, security has been and will likely remain a primary issue for network-connected computer systems. Various strategies have become conventionally adopted to manage security issues, including the use of firewalls and dedicated Internet servers, to isolate and limit security exposures. In larger, typically corporate network architectures, a perimeter network (often called a demilitarized zone, or DMZ) is established between the public Internet and a private intranet. The various client and server computer systems connected to this private intranet are, by design of the perimeter network, not visible by domain name or IP address to systems outside the private intranet that are connected to the public Internet, typically because they carry private, non-routable addresses behind the perimeter firewall. This precludes connection requests from the Internet from directly reaching the private intranet. Internet connections to the server systems placed within the perimeter network are allowed.
Circumstances exist where selective public access through the Internet-facing firewall of the perimeter network is desirable. Port-forwarding, conventionally implemented as a network-address-translation rule or as a socket proxy, allows Internet connections to the perimeter firewall to be relayed to a computer system connected to the internal private network. Qualifying connections are constrained by protocol type and port number as configured on the perimeter firewall. The destination port, the target of the forwarded port, together with the internal address of the target system, is also identified as part of the configuration data stored on the firewall. Opening a port for port-forwarding increases the risk of a security breach, particularly since the forwarding configuration necessarily encodes knowledge of the internal network, and it imposes a non-standard security management responsibility on whoever administers the firewall. Thus, port-forwarding may not be possible by management policy or where the firewall is independently managed.
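The following is an added example, not part of the original text, of port-forwarding implemented as a socket proxy of the kind described above. It is illustrative code, not any firewall vendor's implementation. It assumes a constructed forwarding rule (the `ForwardRule` type, the `start_forwarder`, `start_echo_server` and `relay_once` helpers, and the port numbers are all hypothetical) and uses a local echo server as a stand-in for the internal host, so that it runs offline. The point to notice is that the rule cannot be written without naming the internal host and destination port, which is exactly the exposure the text refers to, and that only the configured protocol and port are relayed.

```python
"""Minimal TCP port-forwarding socket proxy (constructed example, not production code)."""
import socket
import threading
from dataclasses import dataclass


@dataclass(frozen=True)
class ForwardRule:
    """One port-forwarding entry as it would be stored on a perimeter firewall."""
    protocol: str        # transport type accepted for forwarding ("tcp" here; "udp" is rejected)
    external_port: int   # port opened on the Internet-facing side (0 = pick a free port, for tests)
    internal_host: str   # the internal system: the rule necessarily reveals internal topology
    internal_port: int   # the destination port on that internal system


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until EOF, then half-close dst so EOF propagates."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client: socket.socket, target: tuple) -> None:
    """Open the inner leg to the internal host and pump bytes in both directions."""
    upstream = socket.create_connection(target, timeout=5)
    outbound = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
    outbound.start()
    _pump(upstream, client)          # inner -> outer on this thread
    outbound.join()
    client.close()
    upstream.close()


def start_forwarder(rule: ForwardRule, bind_host: str = "127.0.0.1"):
    """Bind the external port and relay each accepted connection per the rule.

    Returns (listening_socket, actual_external_port). Only the configured transport
    is honoured; anything else is refused before a port is ever opened.
    """
    if rule.protocol.lower() != "tcp":
        raise ValueError(f"protocol {rule.protocol!r} is not forwarded by this proxy")
    target = (rule.internal_host, rule.internal_port)
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, rule.external_port))   # "binding": reserve the external port
    srv.listen(16)

    def accept_loop() -> None:
        while True:
            try:
                client, _ = srv.accept()         # accepting establishes the outer leg
            except OSError:
                return                           # listening socket was closed
            threading.Thread(target=_relay, args=(client, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_echo_server(host: str = "127.0.0.1"):
    """Constructed stand-in for the internal host: echoes whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def relay_once(host: str, port: int, payload: bytes) -> bytes:
    """Act as the Internet-side client: send payload, half-close, collect the reply."""
    with socket.create_connection((host, port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    echo_srv, internal_port = start_echo_server()
    rule = ForwardRule("tcp", 0, "127.0.0.1", internal_port)
    fwd_srv, external_port = start_forwarder(rule)
    print(f"forwarding external :{external_port} -> {rule.internal_host}:{rule.internal_port}")
    print(relay_once("127.0.0.1", external_port, b"hello through the firewall"))
    fwd_srv.close()
    echo_srv.close()
```

Running the module starts the stand-in internal echo server, opens one forwarded port, and shows the round trip. A rule for `"udp"` is refused by `start_forwarder` before any port is bound, which mirrors the protocol constraint the text describes; a real perimeter device would additionally restrict source addresses and log each accepted relay.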
Consequently, there exists a need for a way to selectively and securely enable inbound connections to a system on a private network.