A. Network Addresses
Computers are connected to each other to form networks that, in turn, are connected to other networks to form internets. Use of the worldwide internet known as "the Internet" has exploded as increasing numbers of people run programs on their client machines that need to communicate with host computers that are not only down the hall, but across the ocean. Each host on the Internet has a unique name, such as www.whitehouse.gov, and a corresponding network address, such as 128.102.252.1. Just as a person who sends a letter through the U.S. Postal Service needs to know the recipient's street address, a client that communicates with a host via a network needs to know the host's network address. Usually, however, the client only knows the host's name.
In the Internet world, the names and addresses of hosts are stored in databases on computers located throughout the world. A computer that has one of these databases, and responds to queries for a host's address, is known by various names, including "Domain Name Server" or simply "name server." Because so many host computers have Internet addresses, it is not practical to maintain the name and address information for all hosts in one database. Instead, such information is distributed among the Internet Domain Name Servers throughout the world.
Domain Name Servers and their associated name and address databases are just one system used to respond to address queries (also referred to as "resolving addresses"). The terms "directory service," "directory system," "DS," and others, are used to refer in general to systems that get information from an online database to respond to queries over a network. For example, distributed databases that are implemented in accordance with the X.500 directory system standard can include many types of information other than network addresses (e.g., names and addresses of people, names and locations of printers, telephone and fax numbers). Details of X.500 are well known to those skilled in the art and need not be described in detail here. See, for example, Uyless D. Black, OSI: A Model for Computer Communications Standards, Prentice-Hall (1991), pages 388-89.
When connecting to the Internet, an organization registers its domain name (e.g., sun.com). This is referred to as a second-level domain. The organization must designate and maintain at least two public name servers to which all address queries for the second-level domain are directed by the Internet Domain Name System. These servers will be referred to herein as the "registered" name servers for the domain. Oftentimes, an organization divides its domain into smaller segments, which are referred to as "zones" (e.g., eng.sun.com and corp.sun.com). As those skilled in the art will appreciate, the term "zone" can refer to any desired subdivision of the domain, including the full domain itself. The organization can designate name servers that are "authoritative" only for their respective zones. Each zone, then, has its own database (the "zone database") containing the names, addresses, and other information for the machines in that zone. As a matter of convenience, the term "name server" will be used herein to denote a server that responds to queries for information in the server's database (e.g., a Domain Name Server or a Directory Server) and the term "zone database" will be used to refer to that database, whether it covers a second-level domain or a smaller zone. As those skilled in the art will also appreciate, the term "database" can refer to any organized collection of information.
If the organization chooses to make the addresses of machines in a zone publicly visible, the registered name servers for the second-level domain containing the zone are configured to direct address queries for machines in the zone to the authoritative zone name servers. However, if the organization wants to hide the network topology of the zone, the registered name servers are configured without any information about the zone name servers, and only machines within the zone are configured to direct queries to the zone name servers. Such a visibility-limited zone can be referred to as a "protected zone," and the machines therein can be referred to as "protected machines." Thus, whether or not the address of a machine is publicly visible can affect the interaction of programs running over a network.
As discussed above, when an application program running on a client needs to contact a host at another location, the application needs the host's address. In general, the application program might send a query to a "resolver" program, which also runs on the client, requesting the address. The resolver program would check a local file to identify a default name server to ask for host addresses, then pass the query on to that default name server. For convenience, this default name server will be referred to herein as the "local NS" for the client. The local NS might already have the requested address, or it might contact other name servers, as necessary, until reaching one that has the address (e.g., the registered name server for the second-level domain or the authoritative name server for the zone). If the local NS receives a response to the query, the local NS would return the response to the resolver, which would process the response and pass the address on to the client. These and other details of the Internet Domain Name System and resolvers are well known to those skilled in the art and need not be described here. See, for example, Sidnie Feit, TCP/IP, McGraw-Hill (1997), Chapter 12 for more details.
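The delegation and referral behaviour described above can be modelled with a small simulation. The following is an added example, not code from the patent: it builds a registered name server for sun.com, a publicly visible zone (corp.sun.com) that the registered server delegates to, and a protected zone (eng.sun.com) that the registered server knows nothing about. A resolver that starts at an outside client's local NS follows referrals and cannot find protected hosts, while a protected machine whose local NS is the zone server resolves both protected and public names. The server names, host names other than sun.com, corp.sun.com and eng.sun.com, and the 192.0.2.x addresses (RFC 5737 documentation range) are constructed for the example; the single `referrals` table models both downward delegation and the upward forwarding a zone server needs for names outside its zone.

```python
"""Toy model of DNS delegation with a public zone and a protected zone.

Added illustration of the resolution flow in the text; not the patent's own
code. Names and addresses are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class NameServer:
    name: str
    zone: str
    # host name -> address, for the zone this server is authoritative for
    records: dict = field(default_factory=dict)
    # zone suffix -> NameServer to refer the querier to; a protected zone is
    # simply absent from its parent's table
    referrals: dict = field(default_factory=dict)

    def query(self, host):
        """Return (address, None) if authoritative, (None, ns) for a referral,
        or (None, None) when this server can say nothing about the name."""
        if host in self.records:
            return self.records[host], None
        # longest matching suffix wins, as in real delegation
        for suffix, ns in sorted(self.referrals.items(), key=lambda kv: -len(kv[0])):
            if host.endswith("." + suffix):
                return None, ns
        return None, None


def resolve(local_ns, host, max_hops=8):
    """Follow referrals from the client's local NS until an address is found
    or no server has anything more to say (a bounded walk, so a misconfigured
    referral loop cannot run forever)."""
    ns = local_ns
    for _ in range(max_hops):
        addr, referral = ns.query(host)
        if addr is not None:
            return addr
        if referral is None:
            return None
        ns = referral
    return None


def build_topology():
    """Return (local NS of an outside client, local NS of a protected machine)."""
    registered = NameServer("ns1.sun.com", "sun.com",
                            records={"www.sun.com": "192.0.2.10"})
    corp = NameServer("ns.corp.sun.com", "corp.sun.com",
                      records={"mail.corp.sun.com": "192.0.2.20"})
    eng = NameServer("ns.eng.sun.com", "eng.sun.com",
                     records={"build.eng.sun.com": "192.0.2.40"})
    # corp.sun.com is publicly visible: the registered servers delegate to it
    registered.referrals["corp.sun.com"] = corp
    # eng.sun.com is a protected zone: the registered servers hold no entry
    # for ns.eng.sun.com, so outside queries for its hosts dead-end
    # protected machines still need public names, so their zone server
    # forwards everything outside eng.sun.com to the registered servers
    eng.referrals["sun.com"] = registered
    # an outside client's local NS only knows how to reach the registered NS
    outside_local = NameServer("ns.example.net", "example.net")
    outside_local.referrals["sun.com"] = registered
    return outside_local, eng


def visibility_report():
    """Resolve the same names from outside and from inside the protected zone."""
    outside, inside = build_topology()
    names = ["www.sun.com", "mail.corp.sun.com", "build.eng.sun.com"]
    return {
        "outside": {n: resolve(outside, n) for n in names},
        "inside": {n: resolve(inside, n) for n in names},
    }


if __name__ == "__main__":
    for vantage, answers in visibility_report().items():
        for name, addr in answers.items():
            print(f"{vantage:8s} {name:20s} -> {addr if addr else 'not found'}")
```

Running it shows the outside client obtaining addresses for www.sun.com and mail.corp.sun.com but nothing for build.eng.sun.com, whereas the protected machine resolves all three. Hiding a zone this way limits what the public DNS reveals about topology; it is not an access control on its own, which is the gap the following sections address.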
B. Authorized Clients
Current technologies do not adequately address certain aspects of communication over networks. To implement an organization's network policies, as discussed above, a network administrator may set up zones in order to hide the network topology by making the addresses of protected machines visible only to other protected machines. However, the network administrator may sometimes also want to permit authorized clients outside the protected zone to communicate with hosts inside the protected zone. The network administrator could store the addresses of the protected hosts, with which authorized clients can communicate, in one or more static configuration files on those clients. These configuration files would then have to be updated on every authorized client every time the address of a protected host changed. The network administrator could send replacement files to every authorized client; alternatively, the network administrator could distribute the changed information to persons having access to the authorized clients for "manual" entry. Such persons could edit the configuration files directly or use a program (e.g., a command line program or graphical user interface) to enter the changed information.
With the increasing number and mobility of clients, it is burdensome, if not impossible, to keep these configuration files up-to-date. Network administrators need a way to configure authorized clients with the addresses of protected hosts that does not require human intervention to modify the configuration files on every authorized client. The solutions provided by various embodiments of the invention will enable authorized clients to dynamically update their files using information that is stored and maintained in a central location. A network administrator would then only need to update the information in an easily accessible location, rather than updating the files on every authorized client.
C. Secure Communications
Often an authorized client needs more than the address of a protected host to establish communications. This is the case when the client and host want to ensure that their communications are "secure." Secure communications encompass the issues of privacy, integrity, and authentication. Privacy means that when a client sends confidential information over a network only the intended host can read and understand it. Integrity means that no one has modified the message during transmission. Authentication means that the host is assured that the message is from the client that the message claims. Standard cryptographic methods include algorithms, such as DES and RSA, and other technologies or protocols, such as digital signatures, digital certificates, and SKIP. As needed, these cryptographic methods (or equivalent security techniques) are commonly used to ensure various aspects of privacy, integrity, and authentication.
Like supplying the addresses of protected hosts to authorized clients, secure communication is an aspect of communication over networks that the current technologies do not adequately address. In some network configurations, a firewall, which is a network security system, controls access to protected machines. To enable an authorized client to communicate securely with a protected machine, the firewall must be configured to allow communications from that client through the firewall. Further, for secure communications with a protected host, besides the host's address, an authorized client needs additional information. This additional information includes: (1) the address and key of a firewall that performs encryption for the protected host, and (2) the encryption algorithm (and other needed cryptographic methods) to be used.
Once the authorized client obtains this additional information, it is generally stored, along with the host address, in a data structure that is used by the component of the client that handles cryptographic operations (e.g., an application program, the operating system, or even a hardware crypto-processor). For example, SKIP technology stores such "outbound secure message information," in addition to inbound access information, in a client's access control list. However, those skilled in the art will understand that the outbound secure message information can be stored in any appropriate data structure.
The data structure containing the outbound secure message information has to be updated on every authorized client every time a host's address or cryptographic information changes. Once again, various embodiments of the invention will enable authorized clients to dynamically update their data structures using information that is stored and maintained in a central location. As a matter of convenience, the term "authorized client" will be used herein to refer to a client that is configured to use the invention and whose communications will be allowed through by the firewall for the protected hosts with which the authorized client communicates.