1. Field of the Invention
The present invention relates to establishing a secure connection with a device on a network, and in particular, to systems and methods for supporting multiple encryption/authentication schemes from a source entity to a target entity protected by an access control mechanism and communicating securely between the two entities over the Internet.
2. Related Art
Computer networks, such as a local area network (LAN) or a wide area network (WAN), facilitate communications among computer systems. These systems may be connected to each other, and possibly to terminals and other peripheral devices, by physical and/or wireless communications lines. Each entity on a network may be generally classified as a ‘client’ (i.e. an entity that initiates requests) or a ‘server’ (i.e. an entity that receives and responds to requests), although a single entity may perform different roles at different times. Transfers of information across the network are typically conducted in compliance with one or more network protocols to ensure that the information may be properly delivered and interpreted. One such protocol is the Hypertext Transfer Protocol or HTTP, an application-level protocol that provides a basis for information transfer across the Internet. As shown in FIG. 1, HTTP is a request/response protocol in which an entity such as a client 30 directs a request for information to a specific resource (such as a file or web page, as identified by a Uniform Resource Locator or URL) and another entity such as a server 40 returns an appropriate response associated with that resource.
A LAN allows computers or terminals that are located near one another to share resources such as storage devices, printers, and other peripheral equipment. A LAN that is connected to a larger network may include one or more access points (or ‘gateways’) through which devices within the LAN may communicate with devices outside the LAN. Access control mechanisms (or ‘ACMs’) provide security against unauthorized access to the LAN by controlling or restricting the flow of information across the access points. FIG. 2, for example, shows a LAN 230 that is connected to the Internet 250 only through an ACM 20a. Due to the presence of ACM 20a at this access point, a remote computer 20c that is connected to the Internet 250 may not freely interact with devices connected to LAN 230 such as computer 10a. Any request for information that is sent by remote computer 20c to computer 10a will be scrutinized by ACM 20a and may be rejected.
One type of ACM is a firewall, which is a protective layer that separates a computer network from external network traffic. This layer may be implemented in software, hardware, or any combination of the two. For example, firewall application software may be installed on a server to create a combination called a ‘firewall server.’ A firewall commonly operates by inspecting the headers of each packet (source and destination address, port, protocol) and accepting or dropping the packet according to a predefined set of rules; this is called ‘packet filtering.’ Another type of ACM is a server running an application program that terminates each incoming connection and evaluates the request it carries, at the application level, against a predefined set of rules. Such a device is called a ‘proxy server’ or simply a ‘proxy.’ To entities outside the network, the proxy acts as a server, receiving and evaluating incoming transmissions. To devices within the network, the proxy acts as a client, forwarding only those transmissions that conform to its rules.
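The following example, added here and not part of the original description, shows the evaluation step that an application-level proxy performs on an inbound HTTP request before deciding whether to forward it into the LAN. The rule set, the host name intranet.example and the sample requests are all constructed for illustration; the point is the default-deny ordering and the path normalisation, without which a rule written for /public could be bypassed with /public/../admin.

```python
"""Rule-based evaluation of an inbound HTTP request, as an application-level
access control mechanism (proxy) performs it before forwarding into the LAN.
Constructed example: the rules, host names and requests are hypothetical."""
from dataclasses import dataclass
from posixpath import normpath
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    method: str       # exact HTTP method, or "*" for any
    host: str         # exact Host header value, or "*" for any
    path_prefix: str  # normalised path must be this directory or below it


def _under(path: str, prefix: str) -> bool:
    """True if path is prefix itself or lies below it as a directory.
    Plain startswith() would let "/public" match "/publicity"."""
    if prefix == "/":
        return True
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def parse_request(raw: bytes) -> Optional[Dict[str, str]]:
    """Parse the request line and headers of a raw HTTP/1.x request.
    Returns None for anything malformed; the caller treats None as deny."""
    try:
        head = raw.partition(b"\r\n\r\n")[0]
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/1."):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    # Collapse "." and ".." segments before matching, so that a rule on
    # "/public" cannot be evaded with "/public/../admin".
    path = normpath(target.split("?", 1)[0])
    if not path.startswith("/"):
        return None
    return {"method": method, "path": path, "host": headers.get("host", "")}


def evaluate(raw: bytes, rules: List[Rule]) -> str:
    """First matching rule wins; an unmatched or unparsable request is denied."""
    req = parse_request(raw)
    if req is None:
        return "deny"
    for r in rules:
        if r.method not in ("*", req["method"]):
            continue
        if r.host not in ("*", req["host"]):
            continue
        if not _under(req["path"], r.path_prefix):
            continue
        return r.action
    return "deny"


# Hypothetical rule set: block the admin tree outright, then permit read-only
# access to the public tree of one internal host. Everything else is denied.
RULES = [
    Rule("deny", "*", "*", "/admin"),
    Rule("allow", "GET", "intranet.example", "/public"),
]

# Constructed sample requests.
ALLOWED = b"GET /public/index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
TRAVERSAL = b"GET /public/../admin/users HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
PREFIX_TRICK = b"GET /publicity HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
WRITE = b"POST /public/upload HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
WRONG_HOST = b"GET /public/x HTTP/1.1\r\nHost: other.example\r\n\r\n"
MALFORMED = b"GET /public HTTP/1.1\r\nno-colon-here\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("allowed", ALLOWED), ("traversal", TRAVERSAL),
                      ("prefix trick", PREFIX_TRICK), ("write", WRITE),
                      ("wrong host", WRONG_HOST), ("malformed", MALFORMED)]:
        print(f"{name:12s} -> {evaluate(req, RULES)}")
```

Only the first request is forwarded; the traversal attempt is caught because the path is normalised before the deny rule on /admin is consulted, and the /publicity request fails because matching is by directory, not by string prefix. A real proxy would additionally re-issue the request to the internal target on a fresh connection, which is what makes it a client to the LAN side.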
Unfortunately, the characteristics that make firewalls and proxies effective in controlling the flow of information into the network also lead to increased complexity and cost. For example, when a source entity outside the LAN seeks to be connected with a target entity within the LAN, complex or costly changes to the ACM may be necessary to permit the connection. In addition, significant processing resources are consumed in evaluating all gateway traffic to ensure compliance with the network's security rules and thereby protect the network from potentially harmful traffic.
Some solutions to these problems of overhead, such as setting aside a dedicated, open port in the firewall through which external traffic may enter unevaluated, may create unacceptable security risks, since the target behind that port is then exposed to any host on the Internet. Other, more secure solutions include virtual private networks (VPNs), which use encryption and authentication to allow users on different networks to exchange information with each other in a secure manner over the Internet. This encryption effectively creates a secure “tunnel” between sender and receiver so that even though the information may pass through many other entities during transmission, its content is accessible only to the sender and the receiver, and each end can verify the identity of the other.
Although a VPN offers a higher level of data security, no reduction in overhead processing is thereby achieved, as network traffic entering the LAN through the VPN must still pass through and be evaluated by the ACM. Adding a VPN to an existing network also involves a significant investment in resources and may introduce bugs or errors into a stable system. It is desirable to reduce or avoid these costs and risks.
Furthermore, a VPN presents the problem of requiring all the entities that belong to it to use the same authentication and encryption schemes when the entities wish to communicate with each other in a secure manner. A VPN does not support multiple encryption and/or authentication schemes within a single connection between a source entity and a target entity over the Internet. Therefore, there is a need for a system and a method that support multiple encryption and/or authentication schemes over a connection over the Internet, allowing entities that utilize different encryption and/or authentication schemes to be securely connected.