Computer networks have become increasingly popular in recent years. Typically, every organization has its own private network (for example, a LAN); the private network consists of multiple computers, which are connected to each other for implementing the desired services within the organization.
On the other hand, the private network must be exposed to a public network (typically, the Internet) to allow communication with the outside; in this way, the organization can provide its services to third parties or it can exploit services offered by others. The above-described integration allows conducting business everywhere in the world (thanks to the ubiquity of the Internet); therefore, it has become a necessity for facing the challenges of market globalization.
However, several security issues are raised by the attachment of the (secure) private network of the organization to the largely uncontrolled environment of the Internet. Particularly, the organization must be protected from intruders attempting to gain unauthorized access to the private network or attempting to compromise its operation.
For this purpose, a firewall is typically used to control the traffic between the Internet and the private network. In order to increase the security of the environment, the private network may also be connected to the Internet through an extension thereof, known as a Demilitarized Zone (DMZ). The DMZ includes all the computers (such as web servers) that must be publicly accessible from the Internet. A first firewall separates the DMZ from the Internet, and a second firewall separates the private network from the DMZ. In this way, the web servers are protected from the Internet and, at the same time, they are kept separate from the private network. Preferably, multiple security compartments (each one protected from the others by corresponding firewalls) are provided; in this way, any security breach in one of the compartments is confined within the attacked compartment and it does not lead to a total compromise of the environment.
Communication between computers separated by multiple firewalls (for example, located in two different compartments) is quite complex. This drawback is particularly acute when different protocols or technologies are used for the firewalls.
A solution known in the art is described in US-A-20030123483 and US-A-2003126230 (the entire disclosures of which are herein incorporated by reference). Particularly, those documents propose a specific communication stack for establishing virtual sessions between pairs of (remote) computers; each virtual session is implemented by means of multiple point-to-point sessions between adjacent computers, which are connected to each other through a tunnel crossing the corresponding firewall.
For this purpose, the computers are logically organized in a tree. Each computer (representing a node of the tree) stores a routing table, which specifies all the child nodes depending thereon in the tree. The routing table is used to pass information—to be provided to a target node—to the correct child node in the tree (until the desired destination is reached).
The routing tables of the network are created dynamically. Particularly, whenever a node turns on, it collects the routing tables from all the corresponding child nodes and updates its own routing table accordingly. The routing table so obtained is then transmitted to the corresponding parent node in the tree, which updates its routing table and propagates the information along the tree up to a root node.
The above-described solution allows the root node to communicate with each leaf node of the tree in a secure manner.
However, this technique is restricted to applications having a hierarchical structure. Therefore, it is not possible to apply the same solution to generic applications; particularly, the above-described solution does not allow communication between any arbitrary pair of computers, as required in peer-to-peer applications.
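The tree-based routing tables described above, as an added illustration that is not part of the patent or of the cited prior-art documents: a small Python simulation in which each node, when it turns on, builds its routing table from those of its children and reports it up to the root, so that the root can reach every descendant while a leaf cannot reach a sibling. The Node class, the route function and the constructed topology (root, DMZ gateway, LAN gateway, servers) are assumptions made for the example.

```python
# Added example (not from the patent): simulation of the tree routing tables described above.
from typing import Dict, List, Optional


class Node:
    """A computer in the tree; routing_table maps each descendant to the child to forward to."""
    def __init__(self, name: str, parent: Optional["Node"] = None) -> None:
        self.name, self.parent = name, parent
        self.children: Dict[str, "Node"] = {}
        self.routing_table: Dict[str, str] = {}  # destination -> next-hop child
        if parent is not None:
            parent.children[name] = self

    def turn_on(self) -> None:
        """Collect the routing tables of all child nodes, then report upward to the root."""
        self.routing_table = {}
        for child in self.children.values():
            self._learn(child)
        node, reporting = self.parent, self  # transmit the table obtained to the parent ...
        while node is not None:              # ... which propagates it up to the root
            node._learn(reporting)
            reporting, node = node, node.parent

    def _learn(self, child: "Node") -> None:
        """Merge a child's table: the child and everything below it are reached via that child."""
        self.routing_table[child.name] = child.name
        for dest in child.routing_table:
            self.routing_table[dest] = child.name


def route(src: Node, target: str) -> Optional[List[str]]:
    """Follow next-hop entries downward from src; None if target is not a descendant of src."""
    path, node = [src.name], src
    while node.name != target:
        next_hop = node.routing_table.get(target)
        if next_hop is None:  # only descendants are known: siblings and ancestors are unreachable
            return None
        node = node.children[next_hop]
        path.append(node.name)
    return path


def build_example() -> Dict[str, Node]:
    """Constructed topology: root, a DMZ gateway with two servers, a LAN gateway with a workstation."""
    root = Node("root")
    dmz, lan = Node("dmz_gw", root), Node("lan_gw", root)
    web, mail, ws = Node("web", dmz), Node("mail", dmz), Node("workstation", lan)
    for n in (web, mail, ws, dmz, lan, root):  # turn on leaf-first; each reports up the tree
        n.turn_on()
    return {n.name: n for n in (root, dmz, lan, web, mail, ws)}
```

Calling route(nodes["root"], "web") on the built topology yields the path through the DMZ gateway, while route(nodes["web"], "mail") returns None, which is the peer-to-peer limitation noted above.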