1. Field of the Invention
The present invention relates generally to communications systems and networks, and, more particularly, to a secure gateway for providing access from a client computer over an insecure public network to one of a plurality of destination servers on a secure private network.
2. Description of the Related Art
Computer networks are known generally as including a wide variety of computing devices, such as client computers and servers, interconnected by various connection media. In particular, it is commonplace for an institution, such as a corporation, to provide such a network. Such network may include a multiplicity of servers executing a corresponding number of application programs (xe2x80x9capplicationsxe2x80x9d). The corporation""s employees may use one or more of these applications to carry out the business of the corporation. Such a network may be characterized as a private, secure network, since it is accessible under normal, expected operating conditions only by suitably authorized individuals.
It has become increasingly popular, and in many instances a business necessity, for users (xe2x80x9cclientsxe2x80x9d) to remotely access the private network. While the remote access is sometimes accomplished through dedicated, secure lines, it is increasingly done through the global communications network known as the Internet. Computer networks, particularly the Internet, can be vulnerable to security breaches. In particular, the Internet is generally considered insecure, in view of its widespread access and use by the public at-large. Accordingly, a problem arises as to how to securely allow the client access to the resources available on the private, secure network (e.g., the applications) over a generally insecure public network, such as the Internet.
One general approach taken in the art has been to employ various encryption schemes. For example, a protocol known as a Secure Sockets Layer (SSL) protocol protects information transmitted across the insecure Internet using encryption. Another known authentication scheme involves the use of a so-called digital certificate, which also uses encryption. As used, the digital certificate can be attached to an electronic message to verify to the recipient that the sender is who the sender claims to be. A well-known and widely accepted standard for digital certificates is ITU X.509.
While the above-described techniques are effective for what they purport to accomplish, providing access to a private, secure network over an insecure network such as the Internet requires a comprehensive combination of many security features. Accordingly, it is also known in the art to securely provide remote access by way of a gateway architecture. One known gateway architecture includes a firewall, a web server, an information collector (IC), an application message router (AMR), and an authorization handler.
The firewall is between the private, secure network and the public, insecure network. The web server and the information collector are on the insecure, public network side of the firewall. The web server communicates with the information collector using the well-known Gateway Interface (CGI), the specification for transferring information between a web server and a CGI program. The AMR and the authorization handler are on the private, secure network side of the firewall. The IC and AMR communicate through the firewall by way of an interprocess communication (IPC) mechanism. In this known gateway architecture, a user wishing to gain access to an application on the private network first accesses the web server using a conventional web browser. The user authenticates him or herself by providing a digital certificate.
The web server forwards the particulars of the digital certificate to the IC according to a CGI script. The information collector, in turn, forwards the digital certificate through the firewall to the AMR via the IPC mechanism. The AMR, also via an IPC mechanism, queries the authorization handler to authenticate the user. The authorization handler""s response is sent back to the AMR. If the user is successfully authenticated, access is permitted. There are, however, several shortcomings to this approach.
First, the information collector and application message router are custom programmed software applications. Accordingly, they must be ported for each new platform used. This platform dependence results in increased costs (and delays) when implemented on new platforms.
Second, the known gateway has throughput limitations. The CGI interface is relatively slow, as is the IC-to-AMR link because, among other things, the IPC mechanism is single-threaded.
Third, certain data (e.g., static HTML, graphics, etc.) is more vulnerable to security breaches (i.e., being xe2x80x9chackedxe2x80x9d) because it is maintained on the web server, on the Internet (insecure) side of the private network firewall. This situation is undesirable.
Another known gateway for providing access to a private network over an insecure network involves a two-level client-side digital certificate authentication mechanism. One proxy server is provided for every application on the private network, which are disposed on the Internet side of the firewall. One of the proxy servers performs a first level check of the digital certificate, and then passes the digital certificate data through the firewall via HTTPS for the second-level check by an authorization server. While this configuration addresses some of the shortcomings described above, routing in this approach is relatively inefficient for multiple applications (i.e., requires multiple proxy servers).
In addition, some applications on the private network do not require digital certificate strength authentication. In these situations for known gateway architectures there is no authentication of the user outside of the firewall (i.e., the gateways described above authenticate, at least at some level, before allowing further access across the firewall for complete authentication).
There is therefore a need to provide an improved gateway that minimizes or eliminates one or more of the shortcomings as set forth above.
A computer system according to the present invention provides an improved mechanism for routing. Client computers are provided access over the Internet to one of several applications on the private network via a proxy server on the Internet side of a firewall and a gateway on the private network side. The proxy server is configured to forward messages to the gateway, which handles the routing functions to all of the destination applications, in substitution of the multiple proxy servers required by known gateway systems. Thus, a reduced number of proxy servers are needed for providing access to multiple applications, reducing cost and complexity.
A computer system is provided according to the present invention that allows access from a client computer over an insecure public network to a selected one of a plurality of destination servers on a secure private network each executing a corresponding application. The computer system includes a proxy server, and a gateway. The proxy server is configured to establish a secure connection with the client computer over the insecure, public network. The gateway is disposed between the proxy server and the private network. According to the invention, the gateway includes means for appending, prior to routing, an identifier to a message received from the client computer destined for the selected destination server. The identifier is associated with the selected destination server. In addition, the gateway further includes means for routing the message to the selected destination server as a function of the identifier.
In a preferred embodiment, the identifier comprises a character string associate with the application to which the user of the remote client computer is provided access. The gateway is configured to create a cookie containing the identifier wherein subsequent requests made by the client computer also include the cookie containing the identifier. Through the foregoing, the identification of the selected application is known by the gateway.
Other objects, features, and advantages of the present invention will become apparent to one skilled in the art from the following detailed description and accompanying drawings illustrating features of this invention by way of example, but not by way of limitation.