1. Field of the Invention
The present invention relates to a firewall technique for interconnecting the Internet and a LAN (Local Area Network), and for securely protecting the resources within the LAN while permitting accesses made from the Internet to the LAN.
2. Description of the Related Art
Conventionally, a firewall was arranged with a packet filtering method or a filtering method as an application gateway. These methods are intended to determine whether or not to permit an access from an outside to an inside for each service.
With the firewall for protecting in-house resources from an illegal attack from outside when an in-house LAN is connected to the Internet, all accesses are prohibited by default, and only a particular individual access is permitted.
Therefore, with the current filtering method which respectively recognizes a service and a user as first and second standards, almost all network services become unavailable and even legal users cannot receive useful Internet services.
If network services are made available outside and inside a company depending on need in order to satisfy the recently diversified demands of in-house users, data from many services are allowed to pass through the firewall. As a result, it becomes difficult to maintain security.
Additionally, using a remote access method which is currently becoming popular, login to an in-house LAN machine is permitted after authentication checking is made. Accordingly, even a single attack can possibly cause serious damage.
As described above, with the conventional methods, if the number of services which can externally use in-house resources increases, the possibility that the in-house resources, which must be protected, can be exposed to danger becomes great.
This invention was developed in the above described background, and aims at significantly improving the degree of convenience of a firewall, and at securing a security level equivalent to that of a conventional technique by changing a filtering method.
The present invention assumes a network connection controlling method for interconnecting an external network (a network outside a company) and a local area network (a network inside a company).
According to the present invention, authentication checking is made for a user within an external network (a user of a client machine 301) when the user accesses a local area network (an authentication checking server 101).
Next, a resource request to access a resource within the local area network is received from the user based on the result of the authentication checking (a resource managing server 102).
Then, an access right to the resource within the local area network, which is requested by the resource request, is calculated based on the resource request and the result of the authentication checking (the resource managing server 102).
As a result, an access to the resource is made based on the calculated access right (the resource managing server 102).
Here, the accessed resource is transmitted as a mobile code to the client machine operated by the user. The client machine accesses the data within the resource by receiving and executing the mobile code.
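The following is an added example, not code from the patent itself, showing the steps above as a small policy engine: the authentication checking server (101) verifies the user, and the resource managing server (102) calculates the access right from the user and the requested service and returns only a copy of the requested resource rather than granting a login. The credential store, the resources, the rule table and the user names are constructed for illustration; the mobile-code packaging is omitted.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    in_house: bool          # True for company employees (first standard)

def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

# Constructed credential store of the authentication checking server:
# name -> (User, salt, sha256(salt + password))
CREDENTIALS = {
    "alice": (User("alice", True), b"salt-a", _hash(b"salt-a", "alice-pw")),
    "bob": (User("bob", False), b"salt-b", _hash(b"salt-b", "bob-pw")),
}

# Constructed in-house resources held by the resource managing server.
RESOURCES = {"mail": "text of an internal mail", "src": "application data"}

# Explicit (user, service) rules (second standard). Anything unlisted falls
# back to the user default: in-house users permitted, external users denied.
RULES = {("bob", "mail"): True, ("alice", "src"): False}

def authenticate(name: str, password: str):
    """Authentication checking: return the User, or None on failure."""
    entry = CREDENTIALS.get(name)
    if entry is None:
        return None
    user, salt, digest = entry
    # constant-time comparison of the salted hashes
    return user if hmac.compare_digest(_hash(salt, password), digest) else None

def access_right(user: User, service: str) -> bool:
    """Calculate the access right from the user and the requested service."""
    return RULES.get((user.name, service), user.in_house)

def handle_request(name: str, password: str, service: str):
    """Authenticate, calculate the right, then send only the requested resource."""
    user = authenticate(name, password)
    if user is None:
        return ("deny", "authentication failed")
    if service not in RESOURCES or not access_right(user, service):
        return ("deny", "no access right")
    return ("ok", RESOURCES[service])   # a copy of the resource leaves the LAN
```

A failed authentication never reaches the resource server, and a denied access right never reveals whether the resource exists.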
According to the present invention, filtering is performed by recognizing a user and a service as first and second standards, so that it becomes possible to protect in-house resources from external attacks and to satisfy the diversified demands of in-house users in accordance with the respective policies for respective users, that is, all company employees are permitted to make any accesses by default, while external users are prohibited from making any accesses by default.
Additionally, a change is made from the conventional method for permitting login to a machine within an in-house network after authentication checking is made, to the method for externally transmitting only a requested in-house resource, thereby making the scale of damage which can possibly occur with a single attack less than that of a conventional technique.
More specifically, the distinction between text information such as electronic mail received within a company, multimedia information, etc., and the application program data of a system under development, is not made, and they are defined to be in-house resources. The applications inside and outside the company can be linked and operate together.
As described above, according to the present invention, the degree of convenience of a firewall can be significantly improved by changing a filtering method, and moreover, the security mechanism is duplicated by checking user authentication and controlling each access to in-house resources, thereby ensuring the security level equivalent to that of a conventional technique.