This invention relates to methods for enabling communication between communications systems in an open data network. In particular, this invention relates to methods for establishing connectivity between two secure communications systems located behind firewalls.
Recently, it has become common for communications systems having some processing capabilities and access to an open data network (i.e., the Internet) to communicate with each other through the network. Typically, the communications systems transmit data to each other in packets, which are delivered using a suite of standard protocols known as Transport Control Protocol/Internet Protocol (TCP/IP). It should be understood by one skilled in the art that these packets may include data packets, control packets such as TCP packets or other types of packets defined by the relevant protocol for performing similar functions, and any other suitable packets.
The IP is a network layer protocol that facilitates the transmission of packets between remotely-located communications systems through the use of an IP address that is unique to each remote system. The TCP protocol is a transport-layer protocol riding atop the IP. The TCP provides a full-duplex byte stream between applications, whether they reside on the same machine or on remotely-located machines. The TCP ensures that transmitted packets are received in the same order in which they were transmitted.
One of the most important features of TCP/IP is that it is an “open” protocol that enables anyone who wishes to implement it to do so. While TCP/IP makes it relatively simple for systems to transmit packets to each other, it does not provide a robust mechanism for authenticating these packets. Therefore, communications systems that use TCP/IP to communicate with remote systems in the open data network run the risk of inadvertently accepting malicious packets from unreliable remote sources.
One way to minimize such risks is through the implementation of a firewall. A firewall is a security system that acts as a protective boundary between one or more communications systems in a “private” network and the open data network. Typically, the firewall monitors all aspects of the communications that are transmitted between the private network and the open data network. More specifically, the firewall inspects the source and destination addresses of each packet that passes through. To prevent unsolicited traffic from the open data network from entering the private network, the firewall keeps a table of all communications that have originated from the private communications systems. All inbound traffic from the open data network is compared against the entries in the table. The firewall permits only inbound traffic that has a matching entry in the table, indicating that the communication exchange was initiated from a private communications system within the firewall, to pass. The firewall drops all communications that originate from a source that is outside of the firewall, thus preventing common hacking attempts. Most of the time, the firewall does not inform the private communications system before discarding unsolicited communications.
Most communications systems connect to the open data network through a shared gateway (e.g., provided by an Internet Service Provider). These shared gateways often provide Network Address Translation (NAT), an Internet Engineering Task Force (IETF) standard, as a means of connecting multiple communications systems on a private network to the open network using a single shared public IP address. Although NAT is mainly deployed to solve the IP address scarcity problem, it also provides a layer of obscurity for the communications systems in the private network. Because communications systems located outside of the private network can only obtain the public IP address of the device providing NAT, the private address of each individual communications system in the private network is protected. Although NAT is not the same thing as a firewall, they are often provided in conjunction with each other by the gateway server.
With the increased security provided by firewalls and NAT devices comes decreased accessibility to communications systems. The problem is especially acute for communications systems located behind firewalls that block communications originating from outside the firewall, because such systems cannot establish direct communication with other remote systems that are similarly protected.
Therefore, it is desirable to provide a communications scheme that enables two communications systems, each located behind a firewall, to directly communicate with each other.
It is also desirable to provide such a direct communications scheme between communications systems located behind firewalls that additionally include a network address translation device for implementing network address translation (NAT).
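The following is an added illustration, not part of the original specification, of the behaviour described in the preceding paragraphs: a gateway that keeps a table of outbound flows, rewrites private addresses to a single public address (NAT), passes only inbound packets that match a table entry, and silently drops everything else. The addresses, port numbers, the `NatFirewall`, `Packet` and `run_scenario` names, and the simple 4-tuple table with sequential public-port allocation are all assumptions made for the example; real gateways differ in how strictly they match inbound traffic. The final part of the scenario shows why two such protected systems cannot reach each other directly: each side's first packet arrives at a firewall that has no entry for it.

```python
"""Toy model of a stateful firewall with NAT (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class NatFirewall:
    """Gateway combining NAT with a stateful filter.

    Outbound packets create a table entry and are rewritten to the public
    address.  Inbound packets are accepted only if they match an entry;
    otherwise they are dropped without notifying any private host.
    """

    def __init__(self, public_ip: str, first_public_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_public_port          # assumption: sequential allocation
        # (private_ip, private_port, remote_ip, remote_port) -> public port
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        self.dropped: List[Packet] = []             # what the filter discarded

    def egress(self, pkt: Packet) -> Packet:
        """Private host -> open network: record the flow and translate the source."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            pub_port = self.next_port
            self.next_port += 1
            self.outbound[key] = pub_port
            self.inbound[(pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port, pkt.payload)

    def ingress(self, pkt: Packet) -> Optional[Packet]:
        """Open network -> private host: deliver only if a matching entry exists."""
        entry = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            self.dropped.append(pkt)                # silent drop, no notification
            return None
        priv_ip, priv_port = entry
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.payload)


def run_scenario() -> dict:
    """Constructed addresses from documentation ranges; nothing here is real traffic."""
    fw_a = NatFirewall("203.0.113.10")
    fw_b = NatFirewall("198.51.100.20")
    host_a = ("10.0.0.5", 5000)        # private host behind fw_a
    host_b = ("192.168.1.7", 6000)     # private host behind fw_b
    server = ("192.0.2.80", 443)       # publicly reachable server

    # 1. Host A initiates to a public server: entry created, reply translated back.
    out = fw_a.egress(Packet(*host_a, *server, "GET /"))
    reply = fw_a.ingress(Packet(*server, out.src_ip, out.src_port, "200 OK"))

    # 2. Unsolicited packet from the same server to a port no host opened: dropped.
    stray = fw_a.ingress(Packet(*server, fw_a.public_ip, 40001, "probe"))

    # 3. Host A tries to reach host B through B's public address: fw_b has no entry.
    a_to_b = fw_b.ingress(fw_a.egress(Packet(*host_a, fw_b.public_ip, host_b[1], "hi B")))

    # 4. Host B tries the reverse: fw_a has no entry for B either.
    b_to_a = fw_a.ingress(fw_b.egress(Packet(*host_b, fw_a.public_ip, host_a[1], "hi A")))

    return {
        "translated_src": (out.src_ip, out.src_port),
        "reply_dst": (reply.dst_ip, reply.dst_port),
        "stray_delivered": stray is not None,
        "a_to_b_delivered": a_to_b is not None,
        "b_to_a_delivered": b_to_a is not None,
        "dropped_by_a": len(fw_a.dropped),
        "dropped_by_b": len(fw_b.dropped),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The model tracks the full remote address and port, so a reply is accepted only from the exact peer the private host contacted; a deployment that matched on destination port alone would be more permissive, and one that matched on nothing but the public address would not be a firewall in the sense described above. The two cross-firewall attempts fail for the same reason in both directions, which is the situation the next sections set out to address.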