Increasingly, users of corporate and other computer networks have desired to provide limited and controlled access via a public or other external network, such as the Internet, to portions of their internal computer network. For example, a company engaged in the manufacture and sale of some article of commerce may wish to provide its customers, or certain select customers, with limited access to the company's order management system. The company may wish to limit such customers, for example, to viewing status information about their own orders, without permitting them to access any records associated with orders placed by other customers and without permitting them to alter their own records, such as by changing the status, or to create new records, such as by placing a new order. The same company may wish to provide a different scope of access to other external users, such as by permitting third party sales representatives to enter new orders in the system.
A typical prior art system for permitting limited external access to an internal computer network is shown in FIG. 1. An external client system 102 is connected to the Internet 104. An internal network 106 also is connected to the Internet 104 via a network connection 108. The network connection 108 connects a firewall system 110 to the Internet 104 in such a way that all external communications between the internal network 106 and the Internet 104 must pass through the firewall system 110. Internal systems 112, 114, 116 are connected to the firewall system 110 via a switch 118. As a result, all communications between any of the internal systems 112, 114, 116 and the Internet 104 must pass through the firewall system 110.
Typically, an external client system, such as client system 102 of FIG. 1, accesses an internal system connected to an external network, such as the Internet, by sending via the Internet a request addressed to the internal system. Such a request typically must employ an application layer protocol that is suitable for the type of information or service requested from the internal system. For example, a web page may be retrieved by sending a “GET” request under the HyperText Transfer Protocol (HTTP). Under the HTTP protocol, the specific web page desired is identified by a Uniform Resource Locator (URL), which indicates the location of the specific file desired.
For example, to retrieve a web page from internal system 112 of FIG. 1, the client system 102 may provide the URL associated with the file to web browser software installed on the client system 102, which software would in turn send a request to the internal system 112 for the associated file.
Such a request would have to pass through the firewall system 110 to reach the internal system 112. In a typical configuration, the firewall system 110 may be configured to provide certain basic limitations on the access of external systems, such as external client system 102, to the data and other services that may be available on the internal systems that the firewall is configured to protected. For example, the firewall system may be configured to block all external network traffic addressed to the Internet Protocol (IP) address associated with a particular internal system, such as by blocking all traffic to the IP address associated with internal system 112, while permitting such traffic to internal systems 114 and 116. In certain cases, it may be possible to configure the firewall system 110 to block only that external traffic associated with one or more specified URL's associated with a particular internal system, permitting external traffic associated with other URL's associated with the same internal system.
However, typical prior art firewall systems are not able to distinguish between like requests from different parties based solely on all or part of the content of the request itself, nor to permit one requesting party a first level of access and a second party a second level of access to the same internal database or application, for example. Typically, in order to implement such finer distinctions special computer code must be written for each system and application affected and for each such distinction to be made. It can be costly and inefficient to prepare such custom scripts to implement application-level security (i.e., rules controlling access to a particular application).
Therefore, there is a need for a way to control external access to an internal computer network based on the content of incoming requests without the need to write custom computer code at the internal network level. Moreover, there is a need for a way to exercise such control beyond the techniques currently available for limiting access based on the destination IP address and/or URL associated with the request.