Networks implementing distributed data processing systems, and in particular the INTERNET, have become widespread in recent years. A major concern of organisations wishing to embrace the INTERNET as a way of conducting business is that of exposing their internal private network to the outside world. Several security issues are raised by this kind of application, which involves attaching the (secure) private network of the organisation to the largely uncontrolled environment of the INTERNET. In particular, the organisation must be protected from intruders attempting to gain unauthorised access to the private network or attempting to compromise its operation.
Most security measures involve the use of a firewall. A firewall consists of hardware and/or software controlling the traffic between the INTERNET and the private network; all messages entering or leaving the private network pass through the firewall, which allows only the traffic permitted by a policy specified by a firewall administrator and blocks everything else.
However, a firewall can only check the traffic that crosses it between two different networks; it cannot prohibit unwanted connections within the private network itself. For this reason, the private network is typically connected to the INTERNET through an extension thereof, known as a Demilitarised Zone (DMZ). The DMZ includes all the computers (such as web servers) that must be publicly accessible from the INTERNET. A first firewall separates the DMZ from the INTERNET, and a second firewall separates the private network from the DMZ. In this way, the web servers are protected from the INTERNET and, at the same time, are kept apart from the internal network, so that a web server compromised from the INTERNET does not sit on the same network as the internal computers.
A more secure approach consists of providing multiple security zones (compartments or segments), each protected from the others by corresponding firewalls. As a consequence, any security breach in one of the compartments is confined to the attacked compartment and does not lead to a total compromise of the environment.
Communication between computers separated by multiple firewalls (for example, located in two different compartments) is quite complex, since every firewall along the path must be configured to permit the traffic. This drawback is particularly acute when different protocols or technologies are used for the firewalls.
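The following is an added example, not code from the original document, that models the DMZ with two firewalls described above, a further compartment behind a third firewall, and the requirement that every firewall along a path must permit a flow. The zone names, rule sets and the list of listening services are constructed for illustration; rules describe new connections only, and return traffic of an accepted connection is assumed to be handled by stateful inspection. The same model is used to enumerate the blast radius of a compromised host in one compartment.

```python
"""Zone-based firewall policy model (added example; topology and rules are constructed)."""
from collections import deque
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str              # source zone, or "*" for any
    dst: str              # destination zone, or "*" for any
    proto: str            # "tcp", "udp", or "*"
    dport: Optional[int]  # destination port, None for any
    action: str           # "accept" or "drop"

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (self.src in ("*", src) and self.dst in ("*", dst)
                and self.proto in ("*", proto) and self.dport in (None, dport))


@dataclass
class Firewall:
    name: str
    zones: Tuple[str, str]      # the two zones this firewall sits between
    rules: List[Rule] = field(default_factory=list)
    default: str = "drop"       # default-deny: anything unmatched is dropped

    def decide(self, src: str, dst: str, proto: str, dport: int) -> str:
        """First matching rule wins; otherwise the default policy applies."""
        for rule in self.rules:
            if rule.matches(src, dst, proto, dport):
                return rule.action
        return self.default


def firewall_path(fws: List[Firewall], src: str, dst: str) -> Optional[List[Firewall]]:
    """Breadth-first search over zones, where each firewall is an edge between two zones.
    Returns the firewalls crossed in order, [] if src == dst (no firewall polices
    traffic inside a zone), or None if dst is unreachable."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        zone = queue.popleft()
        if zone == dst:
            break
        for fw in fws:
            if zone in fw.zones:
                other = fw.zones[1] if fw.zones[0] == zone else fw.zones[0]
                if other not in prev:
                    prev[other] = (zone, fw)
                    queue.append(other)
    if dst not in prev:
        return None
    path = []
    zone = dst
    while prev[zone] is not None:
        zone, fw = prev[zone]
        path.append(fw)
    return list(reversed(path))


def allowed(fws, src, dst, proto, dport):
    """A flow is allowed only if every firewall on its path accepts it.
    Returns (verdict, name of the firewall that dropped it, or None)."""
    path = firewall_path(fws, src, dst)
    if path is None:
        return False, "no path"
    for fw in path:
        if fw.decide(src, dst, proto, dport) != "accept":
            return False, fw.name
    return True, None


def reachable_from(fws, zone, services):
    """Blast radius of a compromised host in `zone`: the services it can still connect to."""
    return sorted(s for s in services if allowed(fws, zone, *s)[0])


# Constructed topology: INTERNET -fw-outer- DMZ -fw-inner- PRIVATE -fw-payments- PAYMENTS
FIREWALLS = [
    Firewall("fw-outer", ("INTERNET", "DMZ"), [
        Rule("INTERNET", "DMZ", "tcp", 443, "accept"),       # public web server
        Rule("PRIVATE", "INTERNET", "tcp", 443, "accept"),   # internal users browsing out
    ]),
    Firewall("fw-inner", ("DMZ", "PRIVATE"), [
        Rule("DMZ", "PRIVATE", "tcp", 5432, "accept"),       # web server -> internal database only
        Rule("PRIVATE", "DMZ", "tcp", 443, "accept"),        # internal users -> web server
        Rule("PRIVATE", "INTERNET", "tcp", 443, "accept"),   # transit flow must be permitted here too
    ]),
    Firewall("fw-payments", ("PRIVATE", "PAYMENTS"), [
        Rule("PRIVATE", "PAYMENTS", "tcp", 8443, "accept"),  # only the payment API is exposed
    ]),
]

# Constructed list of listening services: (zone, proto, port)
SERVICES = [("INTERNET", "tcp", 443), ("DMZ", "tcp", 443), ("PRIVATE", "tcp", 5432),
            ("PRIVATE", "tcp", 22), ("PAYMENTS", "tcp", 8443)]

if __name__ == "__main__":
    for flow in [("INTERNET", "DMZ", "tcp", 443), ("INTERNET", "PRIVATE", "tcp", 443),
                 ("DMZ", "PAYMENTS", "tcp", 8443), ("PRIVATE", "INTERNET", "tcp", 443)]:
        print(flow, allowed(FIREWALLS, *flow))
    print("reachable from a compromised DMZ host:", reachable_from(FIREWALLS, "DMZ", SERVICES))
```

Two points of the text show up directly in the model: a flow from PRIVATE to the INTERNET is only accepted because both fw-inner and fw-outer carry a rule for it, while a DMZ host trying to reach the PAYMENTS compartment is dropped by fw-inner even though fw-payments would never be consulted, and a flow whose source and destination lie in the same zone crosses no firewall at all, which is exactly why the private network cannot be policed from within by a single perimeter firewall.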
Moreover, no solution is known in the art for managing communications across multiple firewalls in a manner that is transparent to the user.