1. Field of the Invention
The present invention is directed to connecting to a device on a network. More specifically, the present invention is directed to connecting to a device on a network that is protected by an access control mechanism.
2. Description of Related Art and General Background
A network is a system of computers that are connected to each other (and possibly to terminals and other peripheral devices) by communications lines which may be physical and/or wireless. Each computer on a network may be generally classified as a 'client' (i.e. a computer that initiates requests) or a 'server' (i.e. a computer that receives and responds to requests), although a single computer may also perform different roles at different times. Transfers of information across the network are typically conducted in compliance with one or more network protocols to ensure that the information may be properly delivered and interpreted. One such protocol is the Hypertext Transfer Protocol or HTTP, an application-level protocol that provides a basis for information transfer across the Internet and is specified e.g. in RFC 2616 ("Hypertext Transfer Protocol -- HTTP/1.1"), R. Fielding et al., June 1999, which document is available at http://www.ietf.org/rfc/rfc2616.txt. As shown in FIG. 1, HTTP is a query/response protocol in which an entity such as a client 30 directs a query for information to a specific resource (such as a file or web page, as identified by a Uniform Resource Locator or URL) and another entity such as a server 40 returns an appropriate response associated with that resource.
A local area network (or 'LAN') allows computers or terminals that are located near one another to share resources such as storage devices, printers, and other peripheral equipment. A LAN that is connected to a larger network may include one or more access points (or 'gateways') through which devices within the LAN may communicate with devices outside the LAN. Access control mechanisms (or 'ACMs') provide security against unauthorized access to the LAN by controlling or restricting the flow of information across the access points. FIG. 2, for example, shows a LAN 230 that is connected to the Internet 250 only through an ACM 20a. Due to the presence of ACM 20a at this access point, a remote computer 20c that is connected to the Internet 250 may not freely interact with devices connected to LAN 230 such as computer 10a. Any request for information that is sent by remote computer 20c to computer 10a will be scrutinized by ACM 20a and may be rejected.
One type of ACM is a firewall. The term 'firewall' indicates a protective layer that separates a computer network from external network traffic, and this layer may be implemented in software, hardware, or any combination of the two. For example, firewall application software may be installed on a server to create a combination called a 'firewall' server.
Another type of ACM is a server (possibly a firewall server) running an application program that evaluates incoming requests according to a predefined set of rules. Such a device is called a 'proxy server' or simply a 'proxy.' To entities outside the network, the proxy may act as a server, receiving and evaluating incoming transmissions. To devices within the network, the proxy may act as a client, forwarding the incoming transmissions which conform to its rules. For example, the proxy may prevent executable files from entering the LAN but may pass all responses to HTTP queries that were sent by devices within the LAN.
Unfortunately, the characteristics that make firewalls or proxies effective in controlling the flow of information into the network also lead to increased complexity and cost. For example, when an entity outside the LAN, such as remote computer 20c, seeks to be connected with an entity within the LAN, such as computer 10a, complex and/or costly changes to the ACM may be necessary to permit the connection. In addition, a significant amount of processing resources must be expended to perform the task of evaluating all gateway traffic to ensure compliance with the network's security rules and thereby protect the network from potentially harmful traffic.
Some solutions to these problems of overhead, such as setting aside a dedicated, open port in the firewall through which external traffic may enter, may create unacceptable security risks. Other, more secure solutions include virtual private networks (VPNs), which use encryption to allow users on different networks to exchange information with each other in a secure manner over the Internet. This encryption effectively creates a secure "tunnel" between sender and receiver so that even though the information may pass through many other entities during transmission, it is accessible only to the sender and the receiver.
Although a VPN offers a higher level of security, no reduction in overhead processing is thereby achieved, as network traffic entering the LAN through the VPN must still pass through and be evaluated by the ACM. Adding a VPN to an existing network also involves a significant investment in resources and may introduce bugs or errors into a stable system. Furthermore, in many network installations it may not be feasible to reconfigure an existing ACM to support communication with every new external entity that may be desired, as such modifications require extensive resources and testing. To avoid these costs and risks, another approach is desired.
A system and method according to an embodiment of the invention allows an external entity to communicate with a device within a network protected by an access control mechanism. The external entity sends a request directed to the device to an intermediary (hereinafter a "trusted arbitrator"). The trusted arbitrator communicates the request to a connection entity which is located within the protected network. The trusted arbitrator communicates this request to the connection entity by attaching it to a response to a request from the connection entity. The connection entity then forwards the request to the device.
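The exchange just described, as an added illustration that is not part of the patent text: an in-process simulation in which the external entity (computer 20c) submits a request to the trusted arbitrator, the connection entity inside LAN 230 makes only outbound polling requests, the arbitrator attaches the queued external request to its response to that poll, and the connection entity forwards it to the target device and carries the device's reply back on its next poll. The class and identifier names, the in-memory queues, and the target allowlist enforced by the connection entity are assumptions made for this example; the patent does not specify them.

```python
"""Simulation of the 'trusted arbitrator' relay (added example, not the patent's code).

Roles, all in one process with no real network I/O:
  - external entity (computer 20c): calls TrustedArbitrator.submit() and later fetch_result()
  - TrustedArbitrator: reachable by both sides; queues requests per LAN and piggybacks
    them on the response to the connection entity's poll
  - ConnectionEntity: inside the protected LAN; only ever makes outbound requests
    (the poll), so the ACM never has to admit an inbound connection
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, Optional, Set


@dataclass
class Request:
    request_id: int
    target: str      # identifier of the device inside the LAN, e.g. "computer-10a"
    path: str        # resource requested on that device
    body: str = ""


@dataclass
class Response:
    request_id: int
    status: int
    body: str


class TrustedArbitrator:
    """Intermediary outside the LAN holding pending requests for each connection entity."""

    def __init__(self) -> None:
        self._pending: Dict[str, Deque[Request]] = {}   # lan_id -> queued external requests
        self._results: Dict[int, Response] = {}         # request_id -> reply from the LAN
        self._next_id = 1

    def submit(self, lan_id: str, target: str, path: str, body: str = "") -> int:
        """Called by the external entity. Returns an id the caller polls for the result with."""
        req = Request(self._next_id, target, path, body)
        self._next_id += 1
        self._pending.setdefault(lan_id, deque()).append(req)
        return req.request_id

    def poll(self, lan_id: str, completed: Optional[Response] = None) -> Optional[Request]:
        """Called by the connection entity. The poll is the connection entity's request;
        the value returned here is the arbitrator's response, carrying the next queued
        external request (or None when nothing is waiting)."""
        if completed is not None:
            self._results[completed.request_id] = completed
        queue = self._pending.get(lan_id)
        return queue.popleft() if queue else None

    def fetch_result(self, request_id: int) -> Optional[Response]:
        """Called by the external entity; None until the LAN has replied."""
        return self._results.pop(request_id, None)


class ConnectionEntity:
    """Runs inside the protected LAN and forwards piggybacked requests to local devices."""

    def __init__(self, lan_id: str, arbitrator: TrustedArbitrator,
                 devices: Dict[str, Callable[[str, str], str]],
                 allowed_targets: Set[str]) -> None:
        self.lan_id = lan_id
        self.arbitrator = arbitrator
        self.devices = devices                 # target -> handler(path, body) -> reply body
        self.allowed_targets = allowed_targets # assumed check: which devices may be reached
        self._last: Optional[Response] = None  # reply carried on the next outbound poll

    def run_once(self) -> bool:
        """One poll cycle. Returns True if an external request was processed."""
        req = self.arbitrator.poll(self.lan_id, self._last)
        self._last = None
        if req is None:
            return False
        if req.target not in self.allowed_targets or req.target not in self.devices:
            # The component that tunnels through the ACM must itself restrict which
            # internal devices are reachable; an open relay would void the firewall.
            self._last = Response(req.request_id, 403, "target not permitted")
        else:
            self._last = Response(req.request_id, 200, self.devices[req.target](req.path, req.body))
        return True


def relay_demo(target: str, path: str) -> Optional[Response]:
    """Drive one full round trip: submit, poll until drained, return the external entity's result."""
    arbitrator = TrustedArbitrator()
    devices = {"computer-10a": lambda p, b: f"computer-10a serves {p}"}   # constructed device
    entity = ConnectionEntity("lan-230", arbitrator, devices, allowed_targets={"computer-10a"})
    request_id = arbitrator.submit("lan-230", target, path)   # sent by computer 20c
    while entity.run_once():   # the final poll carries the reply back to the arbitrator
        pass
    return arbitrator.fetch_result(request_id)


if __name__ == "__main__":
    print(relay_demo("computer-10a", "/status"))
    print(relay_demo("printer-10b", "/status"))
```

Because every connection is initiated from inside the LAN, the ACM's inbound policy is never consulted for these requests; the trust it provided moves to the arbitrator (which should authenticate external entities before queueing anything for a LAN) and to the connection entity (which, as in the allowlist above, decides which internal devices are exposed).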