1. Field of the Invention
The invention relates generally to the field of network communications. More particularly, the invention relates to tunneled internet communications. Specifically, embodiments of the invention relate to: systems and methods for a three-component secure tunnel; systems and methods for efficient SSL/TLS layering; and systems and methods for authentication of tunneled connections.
2. Discussion of the Related Art
(Freier 1996)(1) describes a protocol (SSL) that allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The SSL protocol is the basis of security on the Internet. However, SSL normally requires a direct connection between the client and the server, which means that if the server is behind a firewall then a hole must be opened in the firewall to allow this access.
(Dierks 1999)(2) describes the Transport Layer Security (TLS) protocol that can provide communications privacy over the internet. TLS is essentially the latest evolution of SSL and suffers the same firewall problem as SSL.
EP 1081918 (Hinde 2003)(3) describes how connections using a versatile protocol such as TCP/IP can be established through a firewall and proxy server: the versatile protocol is tunnelled inside HTTP. Tunneling connections via HTTP as described by Hinde et al. provides a mechanism that can be used to pass through inspecting firewalls. However, it does not provide the security offered by an SSL connection, and the implementation of Hinde et al. requires that two connections be used for each tunneled connection.
U.S. Pat. No. 6,104,716 (Crichton et al.) describes a secure lightweight tunneling system for use over the internet. Crichton et al. describes the basic problem presented by firewalls blocking inbound connections and the well-known solution of using a middle server outside of the two firewalls to act as a relay. However, it does not address the additional restrictions placed on outbound connections enforced by application-level firewalls and packet-inspecting firewalls.
Crichton et al. does not use the middle proxy to perform authentication and does not throttle or limit unauthenticated connections. This leaves the server vulnerable to attacks by unauthenticated clients, since every connection the relay accepts is passed through to the server whether or not the client has proven its identity.
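The admission-control behaviour that the preceding paragraph identifies as missing (the relay authenticating clients itself and capping the number of unauthenticated connections it will hold) can be illustrated with the following added example. This is not code from the patent or from Crichton et al.; the class name `RelayGate`, the credential table, the caps and the timeout values are all assumptions made for the illustration.

```python
import hmac
import time

# Hypothetical credential store for the illustration: client id -> shared secret.
# Constructed sample data, not from any real deployment.
CREDENTIALS = {"client-a": b"secret-a", "client-b": b"secret-b"}
# Dummy secret compared against when the client id is unknown, so that an
# unknown id costs the same comparison time as a known one.
DUMMY_SECRET = b"\x00" * 16


class RelayGate:
    """Admission control for a relay ("middle server") that sits between two
    firewalled endpoints. Unauthenticated connections are counted and capped,
    both globally and per source address, and time out if they never
    authenticate, so that clients that never prove their identity cannot
    consume the relay's or the back end's connection capacity."""

    def __init__(self, max_unauth_total=100, max_unauth_per_source=5,
                 unauth_timeout=10.0, clock=time.monotonic):
        self.max_unauth_total = max_unauth_total
        self.max_unauth_per_source = max_unauth_per_source
        self.unauth_timeout = unauth_timeout
        self.clock = clock          # injectable so tests can control time
        self.pending = {}           # conn_id -> (source, accepted_at)
        self.authenticated = {}     # conn_id -> client id

    def _expire_stale(self):
        """Drop pending connections that have not authenticated in time."""
        now = self.clock()
        for cid, (_src, t0) in list(self.pending.items()):
            if now - t0 > self.unauth_timeout:
                del self.pending[cid]

    def accept(self, conn_id, source):
        """Decide whether a new inbound connection may be held open while it
        authenticates. Returns True if admitted, False if refused."""
        self._expire_stale()
        if len(self.pending) >= self.max_unauth_total:
            return False                                  # global cap
        per_source = sum(1 for s, _ in self.pending.values() if s == source)
        if per_source >= self.max_unauth_per_source:
            return False                                  # per-source cap
        self.pending[conn_id] = (source, self.clock())
        return True

    def authenticate(self, conn_id, client_id, proof):
        """Move a pending connection to the authenticated set if the client
        presents the expected secret. A failed attempt releases the slot.
        Returns True on success."""
        self._expire_stale()
        if conn_id not in self.pending:
            return False
        known = client_id in CREDENTIALS
        expected = CREDENTIALS.get(client_id, DUMMY_SECRET)
        match = hmac.compare_digest(expected, proof)      # constant-time compare
        del self.pending[conn_id]
        if known and match:
            self.authenticated[conn_id] = client_id
            return True
        return False

    def may_relay(self, conn_id):
        """Only authenticated connections are ever forwarded to the back end."""
        return conn_id in self.authenticated


if __name__ == "__main__":
    gate = RelayGate(max_unauth_total=3, max_unauth_per_source=2)
    print("c1 admitted:", gate.accept("c1", "10.0.0.1"))
    print("c1 authenticated:", gate.authenticate("c1", "client-a", b"secret-a"))
    print("c1 may relay:", gate.may_relay("c1"))
```

The relay forwards nothing until `may_relay` is true, and the two caps plus the timeout bound how much state an unauthenticated client can pin on the relay.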
U.S. Pat. Appl. Pub. 2003/0046586 (Bheemarasetti et al.) describes a system for accessing data from any location and any device, including those behind firewalls, proxy servers, address translations and other devices, while securing the data and network. The mechanism described by Bheemarasetti et al. provides a secure tunnel mechanism; however, it requires that the client system can connect to the system running the tunnel software and thus requires that holes be opened in the firewall.
U.S. Pat. No. 6,061,797 (Jade et al.) describes a system that provides a special “tunneling” mechanism, operating on both sides of a firewall, for establishing “outside in” connections when they are requested by certain “trusted” individuals, objects or applications outside the firewall. The solution provided by Jade et al. makes use of outbound connections only and is therefore much more firewall friendly. However, the protocols used to establish these connections may not be allowed by packet-inspecting firewalls. The mechanism as described requires that the TCP port number of the connections be used to provide access control and routing functions. This implies that different port numbers must be used for different services, thus requiring that any firewalls allow outbound connections on these ports. Jade et al. makes use of an “outside server” to act as a relay. This server is typically placed on the public internet. Because no end-to-end security or integrity is provided, a compromised “outside server” could be used to gain access to or alter tunneled data.
(Phifer 2004)(4) describes a mechanism for using a “Communications Server” and a “Broker” server to create a connection between client and server systems located behind firewalls.
This “GoToMyPC” mechanism makes use of outbound connections using standard SSL on standard ports to communicate with the “broker” system. These connections should have no problem passing through firewalls. However, the “Communications server” makes use of a proprietary protocol on a non-standard port number and so may be blocked by a firewall.
U.S. Pat. No. 6,367,009 (Davis et al.) describes extending SSL (secure socket layer) to a multi-tier environment using delegation of authentication and authority. The Davis et al. method delegates authentication to the middle tier server. However, this delegation of trust means that the middle tier server can impersonate the client and this is a problem if the middle tier server is compromised.
U.S. Pat. Appl. Pub. 2004/0039827 (Thomas et al.) describes a method and a system for providing secure access to private networks with client redirection. The Thomas et al. method requires authentication information on the middle tier or direct access to an authentication database. Also, the Thomas et al. method does not provide a secure tunnel all the way to the back end servers, but instead only to the intermediate server.