The present invention relates to the security of networks and, in particular, to the security of hosts communicating through a firewall.
The number of organizations linking their internal networks to the Internet is growing at what appears to be an exponential rate. Access to the Internet enables computers on the organization’s internal network to access the computers on other networks linked to the Internet. Likewise, the computers on the other networks linked to the Internet may access the computers on the organization’s internal network, thus rendering an organization’s computer resources vulnerable to unwelcome and potentially malicious outsiders.
For the purpose of explanation, entities to which network traffic may be directed are referred to herein as “hosts”. Examples of hosts include computers and printers.
One mechanism providing security against unwelcome outsiders is a firewall. A firewall is a combination of software and one or more network devices (e.g. routers) through which network traffic is directed. Firewalls are used to screen traffic between “internal” networks and “external” networks (e.g. networks linked to the Internet) for security purposes. Typically, a firewall protects resources on “internal” networks from undesired access via external networks by blocking or redirecting certain kinds of network traffic.
For example, referring to FIG. 1, corporate network 110 is protected by firewall 112, and thus corporate network 110 is internal relative to firewall 112. Host 182 is on an external network (not illustrated) that is linked to the Internet 228, and is external relative to firewall 112 and corporate network 110. Channel 192 represents a channel through which host 182 has attempted to connect to a web server on host 114, which is on corporate network 110. A web server is a server that communicates, for example, using the hypertext transfer protocol (HTTP). Firewall 112 prevents external host 182 from accessing the web server on host 114 by blocking the attempted connection. Channel 190, on the other hand, represents a connection by internal host 114 to a web server on external host 182, which is not blocked by firewall 112, thus permitting internal host 114 to access the web server on external host 182. Firewall 112 thus allows internal hosts to access web servers on external hosts, but does not allow an external host to access a web server on the internal network.
The terms “channel” and “connection” are used herein. A “channel” is a path of communication through which two or more processes may direct communication (as used herein, the term “process” refers to a process under the control of an operating system). For example, a process on internal host 114 may communicate with a process on external host 182 through a network link to firewall 112, and then through the Internet 228 to external host 182. This path of communication is referred to as a channel, or more specifically, channel 190. A “connection” is a channel that two active processes are currently using to communicate. These processes need not communicate using HTTP. For example, a connection exists on channel 190 when a process on internal host 114 is using channel 190 to communicate with a process on host 182.
Channels may be constructed from one or more connections. For example, a “tunnel” is a kind of channel which is built from one connection from an external host to a firewall, and another from that firewall to an internal host. Data from one host to the other travels through both connections (and the firewall). The two hosts involved generally treat this channel just like they would treat a simple connection, except for the tunnel setup phase.
The typical steps to establish a connection between a first process and a second process include (1) the first process requesting the connection to the second process, and (2) receiving acknowledgement that the second process will accept and transmit data to the first process over the connection. A host is considered to be “connected to” another host when a process on the host is connected to a process on the other host. Under these conditions, the host is also considered to be “connected to” the process that is on the other host.
Referring again to FIG. 1, internal host 114 may be accessed by internal host 116 without going through the firewall. Internal hosts on a network are said to be “behind” the firewall because network traffic flowing between them does not pass through the firewall. External hosts are said to be “outside” the firewall because traffic between external hosts and internal hosts passes through the firewall.
Often, it is desirable to treat some external hosts as hosts that are “virtually” behind the firewall, thus providing those external hosts a higher level of access to the internal network than is provided to other external hosts. For example, an organization may operate a first network 110 at a first physical location (e.g., the organization’s headquarters) and a second network 130 at a second physical location that is remote relative to the first location. The first network and second network are both external relative to each other and are both linked to the Internet 228. The services available on internal hosts 114, 116 on the first network include corporate electronic mail servers and corporate business applications. Because the second network 130 serves the same organization, it is desirable to provide hosts (e.g., host 134) on the second network 130 the same level of access that is provided to the hosts 114, 116 on the first network 110. By giving hosts on the second network 130 the same level of access as hosts on the first network 110, electronic mail servers and corporate business applications may be accessed by hosts 134 on the second network 130, even though the hosts 134 on the second network 130 are external to the first network 110.
One mechanism of providing such access is referred to as a virtual private network. In a virtual private network, one or more secure channels interconnect two or more networks. Secure channels usually provide for the secure transmission of data by, for example, encrypting data that flows through the secure channel. Secure channels often pass through public networks such as the Internet.
FIG. 1 shows an example of a virtual private network. Corporate network 110 and corporate network 130 form a virtual private network and are interconnected by secure channel 138.
Network traffic between networks within a virtual private network passes through one of the secure channels without being blocked by the firewall. For example, traffic between host 134 and host 114 is not blocked by firewall 132 or firewall 112. Thus host 134 is treated as if host 134 is behind firewall 112.
It is possible that an unwelcome outsider may, by gaining access to one network within a virtual private network, compromise the security of every network within a virtual private network. For example, an unwelcome outsider may, by gaining access to host 134, gain access to corporate network 130 and corporate network 110.
To prevent a virtual private network from being compromised in this fashion, network traffic to and from hosts outside a virtual private network (i.e. a host connected to a network not part of the virtual private network) is often “consolidated” through one network. Specifically, all network traffic to and from members of a virtual private network is “funneled” through one network and its firewall. The network whose firewall is used to funnel the traffic between the members of the virtual private network is referred to as the “primary” network. The other networks within the virtual private network are referred to herein as “subsidiary” networks. A host on the subsidiary network is referred to as a subsidiary host.
For example, corporate network 110 is the primary network. Firewall 112 prevents network traffic between corporate network 110 and any network outside of the virtual private network. All network traffic between the hosts on corporate network 110 and corporate network 130 and hosts outside the virtual private network comprised of corporate network 110 and 130 is “funneled” through corporate network 110 and firewall 112.
One disadvantage of a virtual private network is that a virtual private network requires low-level changes to the operating system. Another disadvantage of most kinds of virtual private networks is the overhead incurred in funneling through the primary network all network traffic that travels between subsidiary hosts and hosts outside the virtual private network. Specifically, network traffic between a subsidiary host to a host outside the virtual private network must pass through the secure channel, through the firewall into the primary network, then back out the firewall of the primary network to the outside host. Furthermore, any network traffic through the secure channel is encrypted, even though such traffic may not need the level of security provided by encryption. The overhead involved in encrypting would not have occurred had the same network traffic been sent from the subsidiary host directly to the outside host.
For example, consider network traffic flowing from host 134 (FIG. 1) to host 182. Network traffic from host 134 to host 182 is encrypted and directed through secure channel 138 to corporate network 110. Network traffic then passes from corporate network 110 through firewall 112, and then through the Internet 228 to host 182. Note that encryption of the network traffic occurred for transmission over secure channel 138 even though encryption is not performed for the same network traffic as it passes from corporate network 110 to host 182.
Another disadvantage of most kinds of virtual private network is that all hosts on the virtual private network are provided the same level of network access as any other host on the virtual private network. Thus, such virtual private networks are unsuitable for common situations where it is desirable to “selectively” provide network access for external hosts to some internal hosts on a network but not to other internal hosts. For example, it may be desirable for a business organization to allow the external hosts of customers to access an internal host providing “customer ordering” services but prevent the external hosts from accessing the internal hosts on which the business organization’s internal accounting services reside. If the networks of the customer are made part of a virtual private network that includes the network of the business organization, a host on the customer’s network would have the same level of network access as an internal host on the business organization’s network, and thus may be able to access the business organization’s internal accounting services.
Yet another disadvantage of most kinds of virtual private networks is that users outside the primary network are granted similar access to the corporate network. Thus, such virtual private networks are unsuitable for common situations where it is desirable to “selectively” provide network access to various users on the same host, or to provide the same level of access to the same user on different external hosts. For example, an internal host (“clinical information server”) in a hospital provides clinical information to clinical users. Patient confidentiality requires that access is generally denied to external hosts (i.e. hosts external to the hospital’s network). Most virtual private networks do not concurrently prevent network access to the clinical server by one set of users, while permitting access to another set of users, e.g. doctors.
Based on the foregoing, it is desirable to provide a method which avoids the overhead caused by the consolidation of network traffic to and from networks outside a virtual private network through the primary network. It is further desirable to provide a method that selectively permits one type of network traffic from a set of hosts outside a firewall but blocks another type of network traffic from the same set of hosts.
A method and apparatus for managing network access to internal hosts protected by a firewall is described. According to an aspect of the present invention, a user on an external host logs in to a firewall. Once the user has been authenticated to the firewall, a session is established for the user, and tunnel configuration data is transmitted to the user’s process on the external host. The tunnel configuration data indicates the configuration of at least one tunnel for connecting to at least one internal host. When creating a socket for connecting to the internal host, the socket is configured based on the tunnel configuration data.
According to another aspect of the present invention, tunnel objects and tunnel socket objects may be specially configured to establish a connection in a way that takes advantage of the power and simplicity of the inheritance feature of object oriented software. Various tunnel classes are provided to configure tunnels in a variety of manners.
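The flow of the two preceding paragraphs, and the two-connection tunnel described earlier, as an added example that is not the patent's own code: a `TunnelSocket` class derived from the standard socket whose `connect()` is configured from tunnel configuration data, together with loopback stand-ins for the firewall and for an internal host so that the exchange runs offline. Everything not stated on the page is an assumption made here: the configuration data is a dict holding a session id and a map of reachable internal targets to the firewall endpoint fronting them, the tunnel setup phase is a single line `TUNNEL <session-id> <host>:<port>` answered with `OK` or `DENIED`, and the session ids, host names and sample message are constructed.

```python
# Added example, not the patent's code: a socket configured from tunnel
# configuration data, with loopback stand-ins for the firewall and an internal
# host. The config layout and the TUNNEL/OK/DENIED wire format are assumptions.
import socket
import threading

def _readline(sock):
    """Read one line a byte at a time so nothing past it is lost in a buffer."""
    buf = b""
    while not buf.endswith(b"\n"):
        byte = sock.recv(1)
        if not byte:
            break
        buf += byte
    return buf

def _relay(src, dst):
    """Copy src -> dst until src closes, then close dst's write side."""
    try:
        for chunk in iter(lambda: src.recv(4096), b""):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _serve(handler):
    """Listen on an ephemeral loopback port; each connection gets a thread."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)
    def accept_loop():
        while True:
            conn, _ = lsock.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()

def start_internal_host():
    """Stand-in for an internal host such as host 114: an echo service."""
    def handle(conn):
        with conn:
            _relay(conn, conn)
    return _serve(handle)

def start_firewall(sessions, targets):
    """Stand-in for firewall 112. sessions: session id -> permitted targets;
    targets: target name -> real (host, port). The tunnel is the external
    connection plus a second connection the firewall opens to the internal host."""
    def handle(conn):
        f = _readline(conn).decode(errors="replace").split()
        if len(f) != 3 or f[0] != "TUNNEL" or f[2] not in sessions.get(f[1], set()):
            conn.sendall(b"DENIED\n")      # unknown session, or target not granted to it
            conn.close()
            return
        backend = socket.create_connection(targets[f[2]])
        conn.sendall(b"OK\n")              # tunnel setup phase complete
        threading.Thread(target=_relay, args=(backend, conn), daemon=True).start()
        _relay(conn, backend)
    return _serve(handle)

class TunnelSocket(socket.socket):
    """connect() consults the tunnel configuration data: a listed target is
    reached through the firewall tunnel, any other address is connected to directly."""
    def __init__(self, tunnel_config):
        super().__init__(socket.AF_INET, socket.SOCK_STREAM)
        self.tunnel_config = tunnel_config

    def connect(self, address):
        target = "%s:%d" % tuple(address)
        tunnel = self.tunnel_config["tunnels"].get(target)
        if tunnel is None:
            return super().connect(address)
        super().connect(tuple(tunnel["firewall"]))   # connection 1: to the firewall
        self.sendall(("TUNNEL %s %s\n" % (self.tunnel_config["session_id"], target)).encode())
        reply = _readline(self)
        if reply != b"OK\n":
            self.close()
            raise PermissionError("firewall refused tunnel to %s: %r" % (target, reply))

def demo():
    """Run the exchange on loopback and report what happened."""
    internal = start_internal_host()
    firewall = start_firewall({"sess-1234": {"host114:80"}}, {"host114:80": internal})
    # Constructed configuration data, as sent to the user's process after login.
    config = {"session_id": "sess-1234",
              "tunnels": {"host114:80": {"firewall": list(firewall)}}}
    msg = b"hello internal host"
    with TunnelSocket(config) as s:                  # listed target: via the tunnel
        s.connect(("host114", 80))
        s.sendall(msg)
        echoed = s.recv(1024)
    with TunnelSocket(config) as s:                  # unlisted address: direct
        s.connect(internal)
        s.sendall(msg)
        direct = s.recv(1024)
    try:                                             # session id the firewall never issued
        TunnelSocket({"session_id": "sess-0000", "tunnels": config["tunnels"]}).connect(("host114", 80))
        denied = False
    except PermissionError:
        denied = True
    return {"echoed": echoed, "direct": direct, "denied": denied}
```

Calling `demo()` exercises the three cases that matter here: a target named in the configuration data is reached through two connections (client to firewall, firewall to internal host) that the client treats as one, an address not named in the data falls through to an ordinary direct connect, and a setup request carrying a session id the firewall did not issue is refused before any inward connection is opened. The decision is taken inside the subclass's `connect()`, which is the inheritance point the paragraph above refers to; a derived class with a different setup phase would override only that method.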
The present invention provides the ability to flexibly support a variety of “strategies” within the same basic application framework, and on the same host. The IP packets that are sent do not have to be modified at the operating system level. Virtual private networks which focus on low-level (IP) mechanisms do not have application information sufficient to provide comparable flexibility. The framework presented herein works from the low levels to the high levels in the network communications protocol stack.
According to another aspect of the present invention, the firewall may be managed at a finer level of granularity, because access may be based at least in part on the configuration data particular to the user, rather than solely based on configuration data particular to a host. For example, the same user can use different hosts at different times, and be granted the same level of access.