Distributed computer systems comprise a multitude of computer systems that communicate with each other in an organized manner via data connections over a computer network infrastructure. Distributed computer systems are used, for example, in computer network infrastructures with server-client topologies, in which partly confidential data, such as customer data or user data, is exchanged between a client and a server and in which access to that data by third parties is to be prevented.
In secured computer network infrastructures, processing computer systems on which (confidential) data is processed are specifically secured. For example, predetermined network ports of a processing computer system may initially be closed, so that neither access to nor connection establishment with the respective processing computer system is possible from outside.
Conventional solutions provide for sending predetermined knocking signals via the network to a processing computer system whose network ports are closed (so-called port knocking), wherein a predetermined data sequence addresses predetermined network ports of the processing computer system. The processing computer system compares this data sequence with a stored predetermined sequence and, if the comparison is successful, opens or closes one or more network ports so as to allow external connection establishment via the network.
One risk of such measures is that a processing computer system is opened to attackers (hackers) or non-authorized computer systems that manipulate the respective port-knocking process. In this way, (manipulative) access by third parties to possibly confidential data in the processing computer system becomes possible through the opened network ports. Furthermore, a program listening on one or more network ports of the processing computer system is required so that services on the opened processing computer system are addressable at all. This running program constitutes a potential security gap for external attacks via the network (e.g., via buffer overflow or so-called denial-of-service attacks, DoS).
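To make the conventional port-knocking mechanism of the two preceding paragraphs concrete, the following is an added Python illustration; it is not part of this document and does not describe any product the document refers to. It models a minimal knock matcher that tracks, per source address, progress through a fixed port sequence (7000, 8000, 9000 and a 5-second window are assumed configuration values) and unblocks a service port once the sequence is completed. The sample traffic is constructed. The final scenario shows the manipulation risk named above: a third party who has merely recorded a valid knock sequence can replay it from another address and obtains the same unblocking, because the matcher only compares port numbers.

```python
"""Minimal port-knocking sequence matcher (added illustration).

A knock is modelled as a SYN to a closed port: (source_ip, dst_port, time).
The daemon keeps per-source progress through the configured sequence and
"opens" the service port for a source that completes it within the window.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed configuration (illustrative values, not taken from the document).
KNOCK_SEQUENCE: Tuple[int, ...] = (7000, 8000, 9000)
SERVICE_PORT = 22
WINDOW_SECONDS = 5.0


@dataclass
class KnockState:
    progress: int = 0      # how many sequence elements have matched so far
    last_seen: float = 0.0  # time of the last accepted knock


@dataclass
class KnockDaemon:
    sequence: Tuple[int, ...] = KNOCK_SEQUENCE
    window: float = WINDOW_SECONDS
    states: Dict[str, KnockState] = field(default_factory=dict)
    opened: List[Tuple[str, int]] = field(default_factory=list)

    def observe(self, src_ip: str, dst_port: int, ts: float) -> bool:
        """Feed one observed knock. Returns True when the full sequence
        has just been completed and SERVICE_PORT is unblocked for src_ip."""
        st = self.states.setdefault(src_ip, KnockState())
        # A gap longer than the window discards partial progress.
        if st.progress and ts - st.last_seen > self.window:
            st.progress = 0
        if dst_port == self.sequence[st.progress]:
            st.progress += 1
        else:
            # Wrong port: restart, counting this knock as a first element
            # only if it happens to be one.
            st.progress = 1 if dst_port == self.sequence[0] else 0
        st.last_seen = ts
        if st.progress == len(self.sequence):
            st.progress = 0
            self.opened.append((src_ip, SERVICE_PORT))
            return True
        return False

    def is_open_for(self, src_ip: str) -> bool:
        return (src_ip, SERVICE_PORT) in self.opened


# Constructed sample: a legitimate client's knocks as seen on the wire.
CAPTURED_KNOCKS = [
    ("203.0.113.10", 7000, 0.0),
    ("203.0.113.10", 8000, 0.4),
    ("203.0.113.10", 9000, 0.9),
]


def replay(knocks, new_src: str, delay: float):
    """Re-send captured knocks from another address, later in time."""
    return [(new_src, port, ts + delay) for _, port, ts in knocks]


def run_scenarios() -> Dict[str, bool]:
    """Returns whether each traffic pattern results in an unblocking."""
    d = KnockDaemon()
    results = {}
    # 1. The legitimate sequence unblocks the service port.
    results["legit"] = any(d.observe(*k) for k in CAPTURED_KNOCKS)
    # 2. A port scan hitting the right ports in the wrong order does not.
    scan = [("192.0.2.5", p, 100.0 + i) for i, p in enumerate((7000, 9000, 8000))]
    results["scan"] = any(d.observe(*k) for k in scan)
    # 3. The right order, but with a 9-second gap, expires the window.
    slow = [("192.0.2.9", 7000, 200.0), ("192.0.2.9", 8000, 201.0),
            ("192.0.2.9", 9000, 210.0)]
    results["expired"] = any(d.observe(*k) for k in slow)
    # 4. A recorded sequence replayed a minute later from a third-party
    #    address is indistinguishable from the legitimate one.
    results["replay"] = any(d.observe(*k) for k in
                            replay(CAPTURED_KNOCKS, "198.51.100.7", 60.0))
    results["attacker_unblocked"] = d.is_open_for("198.51.100.7")
    return results


if __name__ == "__main__":
    for name, unblocked in run_scenarios().items():
        print(f"{name:20s} unblocked={unblocked}")
```

Two further points follow directly from this model. The unblocking is keyed on the source address the processing computer system observes; where that address is a NAT/PAT gateway, every host behind it shares the opened port. And the matcher grants access on the basis of a static secret that is transmitted in the clear with every use, which is why nothing in it distinguishes the recorded replay from the original.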
An explicit authentication of an external computer system directly on a processing computer system within the computer network infrastructure is of no relevance for access here, because a processing computer system (as explained above) initially does not allow any external connection establishment.
Conversely, addressing an external computer system that requires access to a processing computer system is often difficult or even impossible, because the external computer system is itself secured and possibly cannot be addressed for connection establishment.
Moreover, access to processing computer systems within a computer network infrastructure is in most cases effected via the Internet or a separate intranet (to unblock applications, for example), and such accesses are characterized by the fact that the external computer systems accessing the computer network infrastructure (the computing center, for example) arrive via a private access without an (unambiguous) public IP address. Examples of this include cascaded connections via a proxy or so-called NAT/PAT masking methods (NAT = Network Address Translation, PAT = Port Address Translation).
As a result, basically no connection can be initiated by a processing computer system within the computer network infrastructure to the respective external computer system, for the simple reason that the processing computer system does not know the exact IP address of the external computer system because of the masking. Furthermore, the external computer system's IP address is normally a private one and cannot be used directly for routing. Moreover, the external computer system is usually secured behind a firewall during communication.
It could therefore be helpful to provide secured unblocking of external computer systems for communication with secured processing computer systems within a computer network infrastructure and, at the same time, to nevertheless improve protection against attacks on the respective computer systems in the computer network infrastructure.