Any transmission of data between two computers raises questions of how secure such a transmission is against unauthorized interception or even manipulation of the data or the transmission processes by unauthorized third parties. For companies, banks, and government authorities, an additional security concern arises if their own enterprise-wide computer network is to be protected against attacks from the outside, e.g., from the Internet. Especially if there is an active connection between the enterprise and the Internet, unauthorized access to the internal computer network of an enterprise can jeopardize data security in this computer network.
As described in xe2x80x9cThe Internet, From Access to ""Zinexe2x80x9d, ATandT Technology, 1993, pp. 2-9, authored by Deborah Mills-Scofield, and xe2x80x9cFirewalls and Security on the Internet, 1996, ISBN, 3-89319-875-x, authored by Cheswick and Bellovin, various computer systems with data links of different designs for data transmission are known. So-called firewalls are used to solve the security problems. At the firewalls the (TCP/IP-) data packets are analyzed, unauthorized access is denied, and authorized requests are permitted. Firewalls do not, however, represent a physical separation between the internal computer network of an enterprise and the outside world. Rather, the data packets are analyzed by software (see Pp. 64, Sect. 3.3, Para. 1 and Page 88, Sect. 3.4, Para. 1 in xe2x80x9cFirewalls and Security on the Internetxe2x80x9d.
As described in xe2x80x9cFirewall Systemsxe2x80x9d, authored by N. Pohlmann, a computer system of the type described above is known. A so-called application gateway is used as a lock element between two computers in a computer link. The first computer is, for example, part of the Internet, and the other computer is part, for example, of an in-house intranet. The application gateway ensures the physical disconnection of the two computers in the sense that when one computer is accessed from the other, the accessing computer appears not at its own address, but rather at the address of the application gateway so that individual data transfer processes can no longer be carried out. At the application gateway, software (a so-called proxy) is made available which during the data transfer moves the data packets back and forth between the computers. Even in the case of the computer system described in this article, the data packets are analyzed by software.
By manipulating these software-implemented firewalls from the outside or through some other unauthorized access, it is therefore still possible to obtain access to an in-house computer network from the outside and to threaten data security in an enterprise-wide computer network. If the security requirements of an enterprise are especially stringent, the known firewalls cannot offer adequate security.
It is therefore the object of this invention to make available more effective security mechanisms for stopping attacks by unauthorized third parties on computers on a data link.
The present invention pertains to a computer system that comprises at least one computer, a second computer, and a data link between the first computer and the second computer for the purpose of transmitting data, whereby in the data link there is a lock element. Between the first computer and the lock element there is a first flood gate (inner flood gate [IFG]). Between the second computer and the lock element there is a second flood gate (outer flood gate [OFG]). When the first flood gate is closed the second flood gate is opened and, vice versa, when the second flood gate is closed the first flood gate is opened.
The invention also pertains to a process for transmitting data between a first computer and a second computer via a data link, whereby the data is transmitted in one direction by the first computer through an opened first flood gate to a lock element. When the first flood gate is closed, and the second flood gate is opened, data is transmitted through the second flood gate to the second computer. When the data moves in the opposite direction the process takes place in the opposite sequence.
The first computer can be, for example, part of an internal enterprise-wide computer network. The second computer can be designed as a computer in the World-Wide Net.
The invention proposes, based on the computer system of the type mentioned above, that the data link be designed as an Integrated Services Digital Network (ISDN) connection according to the Net Terminal Base Adapter (NTBA) Standard, that the transfer of data from the first computer be carried out via a third computer that is located in a common computer network with the first computer and vice versa via the lock element to the second computer, whereby the establishment of a data link and the transfer of data between the third computer and the lock element and between the second computer and the lock element are carried out via the two B-channels of the ISDN connection according to the NTBA Standard.
According to the invention, technical provisions are thus made in the computer system that ensure that it is not technically possible to establish a data link from the first computer to the third computer at the same time as a link is established from the third computer to the second computer. To accomplish this, it is proposed that in each case the two B-channels of an ISDN connection be used to provide a data link from the first computer to the third computer or from the third computer to the second computer. This will make it possible to meet very rigorous security requirements at comparatively low cost.
An ISDN connection according to the NTBA Standard has two bearer channels (B-channels) and a data channel (D-channel). Thus, the ISDN-NTBA configuration allows a maximum of two data-transfer links at one time. The data link is designed in such a way that when the third computer establishes a connection with the lock element in order to transfer data, this requires the two B-channels of the ISDN-NTBA configuration. The lock element is dialed up via one B-channel, and the data transfer link to the lock element is established via the second B-channel (the first flood gate is opened). It is therefore impossible to set up a link between the lock element and the second computer at the same time since the ISDN-NTBA configuration no longer has a free B-channel available (the second flood gate cannot be opened).
If, in the opposite situation, there is already a connection between the second computer and the lock element (second flood gate is opened) via one of the two B-channels, the third computer can no longer set up a link to the lock element (the first flood gate cannot be opened) since, as explained above, this requires both B-channels of the ISDN-NTBA configuration. By making dual use of the same NTBA, i.e., on the one hand at the third computer and on the other at the lock element, the lock function of the data link of the computer system according to the invention can be implemented in a simple fashion.
The lock element is designed as, e.g., a computer. The data link of the computer system according to the invention produces a slight time delay in data transfer that the user will hardly notice. During this time delay the flood gates are opened and closed and the data to be transferred is analyzed. By properly controlling the sequence of the individual steps in the data transfer, the time delay can be reduced to a minimum.
According to an advantageous enhancement of the invention, it is proposed that the first computer be located in a first computer network. The first computer is preferably designed as a server for a computer network, and the first computer network is preferably designed as an internal enterprise-wide network. In such in-house computer networks, data security is especially important. Many enterprises have now begun to handle a large portion of their company business completely electronically via their in-house computer networks. Unauthorized access to these computer networks from the outside or manipulation of the data contained therein can do extremely serious damage to the enterprise. In this respect the data link of the computer system according to the invention represents a remedy.
According to another advantageous enhancement of the computer system according to the invention, it is proposed that the second computer be located in a second computer network. The second computer is preferably designed as an Internet server, and the second computer network is preferably the Internet. Attacks by third parties across the Internet on the in-house computer networks connected to the Internet pose a particularly serious threat to data security in such enterprises.
When data are transmitted from a computer in an in-house computer network to a computer on the Internet, data security is of especially great importance since theoretically millions of Internet users could penetrate the in-house computer network without permission and manipulate the data stored therein. Moreover, in the world-wide Internet, which is accessible to everyone, there are many so-called viruses and Trojan horses in circulation that can pose a serious threat to the data stores of the enterprise once they have penetrated the enterprise""s in-house computer network. The data link of the computer system according to the invention offers a suitable platform for ensuring secure and reliable protection against viruses, etc. To accomplish this, a suitable means of analysis must be present in the data link, preferably in the lock element.
According to another advantageous enhancement of the invention, it is proposed that there be a third computer in the first computer network and that there be a fourth computer in the lock element.
The fourth computer may be located inside the lock element in its own network environment which, however, must be physically separated from both the first computer network and from the second computer network. The idea of the fourth computer is to carry out various analysis processes within the lock element and thus to provide a certain amount of pre-selection. The third computer is also connected to the ISDN connection. The fourth computer is not connected directly to the ISDN-NTBA configuration since it is connected (via a separate network) to the lock element.
To transmit data, the data to be transmitted is sent from the first computer to the third computer. In the third computer the data is analyzed and checked. The analysis of the data to be sent can be done on the first computer. Only if the check has revealed no anomalies will the first flood gate be opened. Then the data is sent from the third computer to the lock element, and then the first flood gate is closed again. Only after the first flood gate is completely closed will the second flood gate be opened. Then the data will be sent from the lock element to the second computer, and then the second flood gate will again be closed.
To receive data, the second flood gate is opened and the data to be received are transmitted from the second computer to the gate element. Then the second flood gate is closed, and only once it has been completely closed will the first flood gate be opened. Then the data will be sent from the lock element to the third computer. Then the first flood gate will be closed, and then the third computer will check and analyze the data.
Only when the check has revealed no anomalies will the data be sent from the third computer to the first computer.
The fact that the two computers and the two computer networks are physically separated from one another prevents on-line attacks from the outside against one of the computers in a computer network and makes it impossible to manipulate from the outside the analysis processes that are carried out in the third computer.
It is advantageous for the link between the first computer and the second computer to be structured as an Integrated Services Digital Network (ISDN) connection according to the Net Terminal Base Adapter (NTBA) Standard.
As another way of accomplishing the object of this invention, it is proposed, based on the process of the type mentioned above, that the data link be designed as an Integrated Services Digital Network (ISDN) connection according to the Net Terminal Base Adapter (NTBA) Standard, that the data from the first computer be transferred via a third computer that is located in a common computer network with the first computer, and via the lock element to the second computer, and vice versa, and that to establish a data link and to transfer data between the third computer and the lock element and between the second computer and the lock element, the two B-channels of an ISDN connection according to the NTBA Standard be used.
According to an advantageous enhancement of this invention, it is proposed that an analysis of the data to be transferred be performed in the third computer. The analysis should preferably be performed according to semantic criteria.
At no time during the data transfer is the third computer directly connected to the second computer network or to the second computer. This is prevented by the flood gates, which are never opened at the same time when data are being transferred. Thus it is impossible for unauthorized third parties to gain direct access to the third computer during a data transfer or to manipulate the analysis mechanism contained in the third computer.
In the lock element itself, by contrast, no analysis of the data to be transferred is performed since, in order to transfer data, the lock element is in direct contact with the second computer network or with the second computer for a certain length of time. During this period of time, an analysis mechanism contained in the lock element could be manipulated by unauthorized third parties.
If the data is sent via the opened first flood gate from the lock element to the third computer, infected data files, i.e., data files that contain viruses or Trojan horses, could admittedly be stored in the third computer. However, here there is a decisive difference compared to the operation of known firewalls. Instead of carrying out all analysis processes on line, the third computer is able, depending on the desired scalable depth and duration of the analysis, to examine and, optionally, to destroy the passive data that the lock element has received from the second computer network without risk of access from the outside or of interactive manipulation.
Within the framework of the semantic analysis of the data, it is possible to check whether the content of certain data files can leave the in-house computer network and go outside. During the semantic analysis of data files, in particular these systems for electronic communication (e-mail) are checked since documents of any kind can be dispatched over them. In the process according to the invention, it is possible to perform a semantic analysis since the analysis times can be structured in a flexible manner.
According to a preferred embodiment of invention, to send data it is proposed:
that the data to be sent be sent from the first computer to the third computer,
that the third computer analyze and check the data,
that the first flood gate be opened,
that the data be sent from the third computer (INS) to the gate element,
that the first floodgate be closed,
that the second flood gate be opened,
that the data be sent from the lock element to the second computer, and
that the second flood gate be closed.
According to a preferred embodiment of invention, to receive data it is proposed:
that the second flood gate be opened,
that the data to be received be sent from the second computer to the lock element,
that the second flood gate be closed,
that the first flood gate be opened,
that the data be sent from the lock element to the third computer,
that the first flood gate be closed,
that the third computer analyze and check the data, and
that the data be sent from the third computer to the first computer.
The first flood gate is preferably driven by the third computer, and the second flood gate is preferably driven by the lock element.
According to an advantageous enhancement of the process according to the invention, the data to be received is sent from the lock element to the third computer at the time when the data to be sent is also sent from the third computer to the lock element. In this way two different data transfer steps can be carried out in one time-step. A prerequisite for this is that the positions of the flood gates be the same at this point in time. In the case of this enhancement, specifically the first flood gate is opened and the second flood gate is closed.
According to another advantageous enhancement of the invention, the data to be received is sent from the second computer to the lock element at the point in time when the data to be sent is also sent from the lock element to the second computer. At this point in time, the first flood gate is closed and the second flood gate is opened.
According to another enhancement of the process according to the invention, the analysis of the received data is carried out at the same time as the data to be sent is analyzed.
The analysis of the data is preferably done in the third and/or the fourth computer. The analysis of the data to be sent can, however, also be carried out in the first computer.
In principle, it is possible in one time-step to carry out the data transfer steps in which the positions of the flood gates are the same.