-
1.
Publication number: US6061797A
Publication date: 2000-05-09
Application number: US132915
Filing date: 1998-08-12
Applicant: Prashanth Jade, Victor Stuart Moore, Arun Mohan Rao, Glen Robert Walters
Inventor: Prashanth Jade, Victor Stuart Moore, Arun Mohan Rao, Glen Robert Walters
CPC classification number: H04L63/0272, H04L29/06, H04L63/029
Abstract: A firewall isolates computer and network resources inside the firewall from networks, computers and computer applications outside the firewall. Typically, the inside resources could be privately owned databases and local area networks (LANs), and outside objects could include individuals and computer applications operating through public communication networks such as the Internet. Usually, a firewall allows an inside user or object to originate a connection to an outside object or network, but does not allow connections to be generated in the reverse direction, i.e. from outside in. The disclosed invention provides a special "tunneling" mechanism, operating on both sides of a firewall, for establishing such "outside in" connections when they are requested by certain "trusted" individuals, objects or applications outside the firewall. The intent is to minimize the resources required for establishing "tunneled" connections (connections through the firewall that are effectively requested from outside), while also minimizing the security risk involved in permitting such connections to be made at all. The mechanism includes special tunneling applications, running on interface servers inside and outside the firewall, and a special table of "trusted sockets" created and maintained by the inside tunneling application. Entries in the trusted sockets table define objects inside the firewall consisting of special inside ports, a telecommunication protocol to be used at each port, and a host object associated with each port. Each entry is "trusted" in the sense that it is supposedly known only by individuals authorized to have "tunneling" access through the firewall from outside.
-
2.
Publication number: US5944823A
Publication date: 1999-08-31
Application number: US731800
Filing date: 1996-10-21
Applicant: Prashanth Jade, Victor Stuart Moore, Arun Mohan Rao, Glen Robert Walters
Inventor: Prashanth Jade, Victor Stuart Moore, Arun Mohan Rao, Glen Robert Walters
CPC classification number: H04L63/0272, H04L29/06, H04L63/029
Abstract: A firewall isolates computer and network resources inside the firewall from networks, computers and computer applications outside the firewall. Typically, the inside resources could be privately owned databases and local area networks (LANs), and outside objects could include individuals and computer applications operating through public communication networks such as the Internet. Usually, a firewall allows an inside user or object to originate a connection to an outside object or network, but does not allow connections to be generated in the reverse direction, i.e. from outside in. The disclosed invention provides a special "tunneling" mechanism, operating on both sides of a firewall, for establishing such "outside in" connections when they are requested by certain "trusted" individuals, objects or applications outside the firewall. The intent is to minimize the resources required for establishing "tunneled" connections (connections through the firewall that are effectively requested from outside), while also minimizing the security risk involved in permitting such connections to be made at all. The mechanism includes special tunneling applications, running on interface servers inside and outside the firewall, and a special table of "trusted sockets" created and maintained by the inside tunneling application. Entries in the trusted sockets table define objects inside the firewall consisting of special inside ports, a telecommunication protocol to be used at each port, and a host object associated with each port. Each entry is "trusted" in the sense that it is supposedly known only by individuals authorized to have "tunneling" access through the firewall from outside. These applications use the table to effect connections through the firewall in response to outside requests that identify valid table entries.