WO2000048372A1 - Data communication method for sending a message through a firewall - Google Patents
- Publication number
- WO2000048372A1 (PCT/FI2000/000075)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- firewall
- message
- computer system
- sent
- connection
- Prior art date
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
          - H04L63/029—Firewall traversal, e.g. tunnelling or, creating pinholes
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
          - H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Definitions
- The invention is concerned with a data communication method for sending a message on a computer network from a first computer system to at least one other computer system through a firewall.
- The method can be used for sending protected messages with various kinds of protection methods, computer networks and network protocols, and is expected to be very useful, for instance, for sending secret messages.
- A computer network is formed when two or more computers are connected to each other.
- Local area networks (or internal networks) may be formed of the computers within a company, while wide area networks may extend over larger areas, such as many towns and even countries.
- The networks may be connected via cables, fibers and/or radio links.
- An example of a global network is the Internet. This worldwide network can be used for communication, delivering and searching for information.
- The local network can be connected to another network, which can be an external network such as the Internet, so that electronic mail can be sent to everyone in the world who is connected to the external network.
- The Internet is the most common network for data communication, for example by e-mail. The fact that several local networks can be connected to other networks, the Internet in particular, sets up requirements for security and for the equipment therefor.
- A firewall is a security system that protects a network against infringement by unauthorized users in other networks, such as the Internet.
- A firewall can hinder computers from communicating directly with other networks, such as external networks, and vice versa. Instead, all communication is sent through the firewall, which is placed outside the internal network.
- The firewall decides whether it is safe to let messages and files pass between the external and the internal network on the basis of the addresses of the message, which can be in the form of data packets, and other parameters.
- The firewall thus controls the communication between the internal and the external network and modifies the data packets of, for example, TCP/IP based Internet traffic (with respect to the TCP/IP protocol, see the next page).
- A firewall translates network addresses and other data defining the communication so that the internal address and the internal parameters are changed to an external address and external parameters. This means that, for instance, the IP addresses used in an internal or local network are hidden from outside users.
- A packet coming from an external network to an internal network is modified back by the firewall.
- The firewall can be formed in many different ways and is usually designed individually from case to case in accordance with the
- Another method of increasing security is protection of the messages to be sent, for instance by tunneling in virtual networks.
- In virtual networks, several local and global networks use the Internet to be connected to each other.
- In tunneling, data is transferred between two networks via a third network, such as the Internet.
- Packet mode is a transfer method that can be used in virtual connections.
- Data is sent in small "packets", each with an address and a sender, so that several persons can use the connection simultaneously.
- The other protocol is usually TCP/IP when the transfers go through the Internet.
- The networks' own protocols are packed into the TCP/IP packets that are sent via the Internet.
- TCP/IP stands for Transmission Control Protocol/Internet Protocol. The standards for TCP/IP are well documented in the so-called RFC (Request for Comments) documents.
- The IP protocol takes care of the data packets and is responsible for the packets finding the right addresses. The data packets are addressed by means of Internet addresses and go from computer to computer until the right destination is reached. Communication with IP is connectionless, as no fixed connection exists between the communicating computers. The message moves forward step by step.
- The TCP protocol takes care of the transfer of messages between two computers by making a virtual connection between them without any physical connection.
- TCP is the transport protocol that is responsible for the connection itself between sender and receiver.
- The packets go through the "tunnel" maintained by the Internet to the receiver, where the packets of the different protocols are separated from each other and returned to their original form.
- The authorization of the receiver can be controlled in different ways.
- The authorization control can be carried out in two steps: authentication and authorization. Authentication is carried out to control the identity of the user, while authorization defines what the user is authorized to do.
- The virtual networks give high security.
- The secret information has its own channel on the Internet as a result of different methods of authentication, encryption and/or encapsulation.
- The security of the Internet is not sufficient for all types of transfers. There are, however, ways to protect e-mail and other messages sent through the Internet from others. Especially high security can be achieved by encryption.
- Encryption means that messages are changed before sending so that they cannot be read before decryption with a special key, usually combined with confirming that the right person sent the message (authentication).
- One problem with firewalls is the need for extensive equipment for the firewall computer if the amount of traffic through the firewall is high.
- Another problem with firewalls is that if protection methods are used and the network is protected with a firewall, the firewall cannot identify the messages to be sent and will therefore not let them pass. In existing methods, the protection function or the parameters for the protection are given to the firewall so that the firewall can identify or protect the message, and the message can then be sent through the firewall. The drawback of such methods is decreased security for the local network, as secret information is delivered outside the local network.
- US patent 0715668 is mentioned as such prior art.
- That patent is about secure transfer of information between firewalls over an unprotected network.
- Internet protocol security and IPSec messages are handled in the firewall, without assuming that encrypted messages have access to all services, by decrypting the message and controlling the access.
- An electronic data transfer system transmits a message between a first computer system, arranged within a firewall, and a second computer system. Messages that are not suitable for transmission through a firewall are translated into a format that is appropriate for transmission across the firewall.
- An object of the invention is a method of sending messages that decreases the work to be done by the firewall computer compared with previously known methods.
- The second object of the invention is a safer method of sending protected messages through a firewall. In more detail, the second object of the invention is a method wherein protected messages can be sent through a firewall without delivering information about the parameters of the protection outside the local network to the firewall.
- A message is sent on a computer network from a first computer system to at least one other computer system through a firewall.
- Step a): a request with data for a new connection between the first computer system and at least one other computer system is sent from the first computer system to the firewall.
- Step b): upon approval of the requested connection, information about the necessary modifications to be made in a message that is sent via the requested connection through the firewall is sent from the firewall to the first computer system.
- Step c): the message to be sent (the message that is to be protected) is modified in the first computer system in accordance with the information sent from the firewall.
- Step d), which is optional and can be carried out before or after step c): identification data of the connection for the message to be sent between said computer systems is sent to the firewall so that the message can be identified by the firewall and thereby be passed by it.
- Step e): the protected message is then sent from the first computer system to the at least one other computer system through the firewall.
- The message to be sent is protected, as the method is very suitable for sending protected messages.
- In that case the message to be sent between said computer systems is protected in step c) after it has been modified, whereby step d) is necessary and the data sent from the first computer system to the firewall includes the information needed for the firewall to identify the connection for the message.
- The protection method can be any method known in the art.
- One suitable way to protect the message is to use the methods defined in the standard RFC 1825 for TCP/IP.
- RFC 1825 is a standard defining the IPSec security system, which consists of the technology principles for the method used. IPSec, in turn, has sub-standards for encryption, such as ESP, which is an abbreviation for encapsulated security protocol, and AH, which is an abbreviation for a standard in IP for authentication.
- The authentication method might be MD5, SHA or another method known in the art.
- The encryption method might be some known method such as DES, Blowfish or the like.
- The request for a new connection sent from the first computer system to the firewall contains, for instance, data about the new connection to be opened between the first computer system and at least one other computer system, for example in the form of address identification data and other parameters. Typical other parameters are, for instance, IP data (the sender address and the receiver address), the type of protocol and TCP data (the sender port and the receiver port). The port defines the application sending the data with, e.g., TCP/IP, such as the program used, the web browser, etc.
- In step b), typical parameters that the firewall modifies so that the messages can pass through are the above data, for instance IP data (the sender address and the receiver address), the type of protocol and TCP data (the sender port and the receiver port).
- The modifications might comprise all of the data of step a) or a part of it. All of the data to be modified might be known by the firewall even if not exactly included in step a).
- In step d), identification data for the protection used to protect the message to be sent between said computer systems is sent to the firewall so that the protected message can be identified by the firewall.
- The identification data is in such a form that the firewall can identify the actual connection but not the actual parameters that have been used to protect the message. There can be many allowed connections with the same IP address but different other parameters.
- The actual protected message is sent in accordance with the parameters of one of the allowed connections and shall be identified by the firewall as being allowed and safe to deliver. If the message is not protected, step d) might be unnecessary in some embodiments, but is still advantageous in others; for instance, if much traffic is going through the firewall, step d) might speed up the sending.
- The inventive idea is that a part of the firewall functionality has been given to another computer function and is carried out in the first computer system. If the message is protected, the firewall and the first computer system transfer the necessary information so that the firewall is able to pass the protected messages without having knowledge of the actual parameters used to protect the message to be sent.
- Figure 1 is a flow sheet of the different steps of the method of the invention.
- Figure 2 is a schematic view of the computer network within which the data communication of the invention is carried out.
- A message shall be sent from a first computer system C1 to a second computer system C2.
- The first computer system belongs to an internal network.
- The internal network is protected by a firewall, so that all messages sent and received through the firewall have to be identified and accepted by the firewall.
- The firewall controls the data of the connection via which the messages are sent, and if the connection is accepted by the firewall, the messages can pass the firewall. Before the messages can pass the firewall, they are modified in the firewall in accordance with given parameters, such as address changes and protocol changes.
- The computer system C1 has a virtual connection to computer system C2, which means that messages sent from the first computer system C1 to the second computer system C2 are sent via one or more other networks, such as external networks, for instance the Internet, after having passed the firewall, before ending up at and being received by the second computer system C2.
- Figure 1 is a flow sheet of the different steps of an embodiment of the method of the invention.
- A message shall be sent on a computer network from the first computer system C1 to a second computer system C2 through a firewall F, which is placed outside the internal or local network to which the first computer system C1 belongs.
- The method of the invention can be used both for decreasing the work to be carried out by the firewall and/or for sending protected messages. If the message to be sent shall be protected before sending, in accordance with the second embodiment of the invention, it cannot be sent through the firewall in the normal way, because the firewall is not able to control the address identification data of protected messages or forward encrypted messages.
- An information message is sent from the first computer system C1 to the firewall F containing data about a new connection between the first computer system C1 and the second computer system C2, in the form of, for instance, address identification data and possibly other parameters for the message to be sent between said computer systems. If the firewall accepts this connection, the sending proceeds so that, according to step b), information about the necessary changes to be made in the message is sent from the firewall to the first computer system C1 so that the message can be sent through the firewall.
- The message that is intended to be protected with some protection method, which can be an authentication method and/or an encryption method, and then sent is, according to step c), first modified by the first computer system C1 in accordance with the information sent from the firewall, before protection.
- Identification data of the protection method that has been used for protecting the message is, according to step d), sent from the first computer system C1 to the firewall F so that the protected message can be identified, but not read, by the firewall and thereby be passed by it. If the message is not protected, step d) is optional, provided that the firewall used is able to identify the message. Step d) can also be carried out before step c). The protected message is then, according to step e), sent from the first computer system C1 to the other computer system C2 through the firewall.
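As an added illustration (not code from the patent, nor from any product implementing it), the following Python script simulates the exchange of steps a) to e) between the first computer system C1, the firewall F and the receiver C2 as described above. The Firewall class, the policy table, the connection identifiers, the NAT-style address and port modifications and the sample addresses are all constructed for this example; HMAC-SHA256 stands in for the AH-style authentication and a SHA-256 counter-mode keystream stands in for the ESP-style cipher (DES, Blowfish), both assumptions made for illustration only. It shows the property the text relies on: the firewall learns the identification data of the connection (here a registered identifier plus the modified header) but never the protection key, and still passes only messages that match an approved connection.

```python
import hashlib
import hmac
import json
import secrets


def header_bytes(header):
    """Deterministic serialisation of the address/port/protocol header."""
    return json.dumps(header, sort_keys=True).encode()


def keystream_xor(key, nonce, data):
    """Toy SHA-256 counter-mode stream cipher (assumption: stands in for the ESP
    cipher named in the text; applying it twice restores the data)."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


def protect(key, header, payload):
    """Protection applied in step c): encrypt the payload and authenticate
    header + nonce + ciphertext (HMAC-SHA256 stands in for AH)."""
    nonce = secrets.token_bytes(8)
    ct = keystream_xor(key, nonce, payload)
    tag = hmac.new(key, header_bytes(header) + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


class Firewall:
    """Firewall F (hypothetical model): holds a policy of allowed destinations,
    hands out the external address/port modifications and records the
    identification data from step d). It never receives a key."""

    def __init__(self, policy, external_ip="203.0.113.1"):
        self.policy = policy          # allowed (dst_ip, dst_port, proto) tuples - constructed
        self.external_ip = external_ip
        self.connections = {}         # conn_id -> header F expects to see on the wire
        self.identifiers = {}         # identification data -> conn_id
        self.next_port = 40000
        self.passed = 0
        self.dropped = 0

    def request_connection(self, header):
        """Steps a) and b): approve the requested connection, return the modifications."""
        if (header["dst_ip"], header["dst_port"], header["proto"]) not in self.policy:
            return None
        mods = {"src_ip": self.external_ip, "src_port": self.next_port}
        self.next_port += 1
        conn_id = "conn-%d" % len(self.connections)
        self.connections[conn_id] = {**header, **mods}
        return conn_id, mods

    def register_identification(self, conn_id, ident):
        """Step d): learn how to recognise the protected flow, not how to read it."""
        if conn_id not in self.connections:
            return False
        self.identifiers[ident] = conn_id
        return True

    def forward(self, packet):
        """Step e): pass a packet only if identifier and header match an approved
        connection; the ciphertext is never inspected."""
        conn_id = self.identifiers.get(packet["ident"])
        if conn_id is None or packet["header"] != self.connections[conn_id]:
            self.dropped += 1
            return None
        self.passed += 1
        return packet


def c1_send(fw, key, header, payload):
    """Steps a) to e) as carried out by the first computer system C1."""
    approval = fw.request_connection(header)      # a) request; b) receive modifications
    if approval is None:
        return None
    conn_id, mods = approval
    modified = {**header, **mods}                 # c) modify first, protect afterwards
    ident = secrets.token_hex(4)
    fw.register_identification(conn_id, ident)    # d) identification data, no key material
    packet = {"header": modified, "ident": ident, **protect(key, modified, payload)}
    return fw.forward(packet)                     # e) send through the firewall


def c2_receive(key, packet):
    """Receiver C2: verify the tag, then decrypt; returns None if tampered."""
    msg = header_bytes(packet["header"]) + packet["nonce"] + packet["ct"]
    if not hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), packet["tag"]):
        return None
    return keystream_xor(key, packet["nonce"], packet["ct"])


def demo():
    """Allowed case plus three failure cases; all values below are constructed."""
    fw = Firewall(policy={("198.51.100.7", 25, "tcp")})
    key = b"constructed key shared by C1 and C2 only"
    header = {"src_ip": "10.0.0.5", "src_port": 51000,
              "dst_ip": "198.51.100.7", "dst_port": 25, "proto": "tcp"}
    delivered = c1_send(fw, key, header, b"secret mail")
    refused = c1_send(fw, key, {**header, "dst_port": 23}, b"x")   # not in policy: refused at a)
    stray = {"header": delivered["header"], "ident": "unregistered",
             **protect(key, delivered["header"], b"x")}
    dropped = fw.forward(stray)                                    # unknown identifier: dropped at e)
    tampered = dict(delivered)                                     # F cannot read it, C2 detects it
    tampered["ct"] = bytes([delivered["ct"][0] ^ 1]) + delivered["ct"][1:]
    return {"plaintext": c2_receive(key, delivered), "external_src": delivered["header"]["src_ip"],
            "refused": refused, "dropped": dropped, "tampered": c2_receive(key, tampered),
            "passed": fw.passed, "drops": fw.dropped}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` delivers the protected mail with the internal source address rewritten to the firewall's external one, refuses the connection request whose destination port is outside the policy, drops the packet whose identifier was never registered in step d), and leaves the tampered ciphertext to be rejected by C2, since the firewall by design never verifies or decrypts the payload.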
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU24445/00A AU2444500A (en) | 1999-02-10 | 2000-02-03 | Data communication method for sending a message through a firewall |
CA002362634A CA2362634A1 (en) | 1999-02-10 | 2000-02-03 | Data communication method for sending a message through a firewall |
EP00902692A EP1153499A1 (en) | 1999-02-10 | 2000-02-03 | Data communication method for sending a message through a firewall |
JP2000599188A JP2002537689A (en) | 1999-02-10 | 2000-02-03 | Data communication method of sending messages through firewall |
NO20013915A NO20013915L (en) | 1999-02-10 | 2001-08-10 | Method of data communication |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FI990265A FI106594B (en) | 1999-02-10 | 1999-02-10 | Communication method for sending a message through a firewall |
FI990265 | 1999-02-10 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2000048372A1 true WO2000048372A1 (en) | 2000-08-17 |
Family
ID=8553705
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/FI2000/000075 WO2000048372A1 (en) | 1999-02-10 | 2000-02-03 | Data communication method for sending a message through a firewall |
Country Status (7)
Country | Link |
---|---|
EP (1) | EP1153499A1 (en) |
JP (1) | JP2002537689A (en) |
AU (1) | AU2444500A (en) |
CA (1) | CA2362634A1 (en) |
FI (1) | FI106594B (en) |
NO (1) | NO20013915L (en) |
WO (1) | WO2000048372A1 (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5699513A (en) * | 1995-03-31 | 1997-12-16 | Motorola, Inc. | Method for secure network access via message intercept |
GB2317792A (en) * | 1996-09-18 | 1998-04-01 | Secure Computing Corp | Virtual Private Network for encrypted firewall |
EP0858201A2 (en) * | 1997-02-06 | 1998-08-12 | Sun Microsystems, Inc. | Method and apparatus for allowing secure transactions through a firewall |
US5826029A (en) * | 1995-10-31 | 1998-10-20 | International Business Machines Corporation | Secured gateway interface |
- 1999
  - 1999-02-10 FI FI990265A patent/FI106594B/en not_active IP Right Cessation
- 2000
  - 2000-02-03 CA CA002362634A patent/CA2362634A1/en not_active Abandoned
  - 2000-02-03 WO PCT/FI2000/000075 patent/WO2000048372A1/en not_active Application Discontinuation
  - 2000-02-03 JP JP2000599188A patent/JP2002537689A/en not_active Withdrawn
  - 2000-02-03 EP EP00902692A patent/EP1153499A1/en active Pending
  - 2000-02-03 AU AU24445/00A patent/AU2444500A/en not_active Abandoned
- 2001
  - 2001-08-10 NO NO20013915A patent/NO20013915L/en not_active Application Discontinuation
Also Published As
Publication number | Publication date |
---|---|
NO20013915D0 (en) | 2001-08-10 |
AU2444500A (en) | 2000-08-29 |
FI106594B (en) | 2001-02-28 |
FI990265A (en) | 2000-08-11 |
JP2002537689A (en) | 2002-11-05 |
NO20013915L (en) | 2001-08-10 |
CA2362634A1 (en) | 2000-08-17 |
FI990265A0 (en) | 1999-02-10 |
EP1153499A1 (en) | 2001-11-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP0967765B1 (en) | Network connection controlling method and system thereof | |
TWI362859B (en) | ||
EP1730651B1 (en) | Establishing a virtual private network for a road warrior | |
US6067620A (en) | Stand alone security device for computer networks | |
US7853783B2 (en) | Method and apparatus for secure communication between user equipment and private network | |
US8190899B1 (en) | System and method for establishing a remote connection over a network with a personal security device connected to a local client without using a local APDU interface or local cryptography | |
US5872847A (en) | Using trusted associations to establish trust in a computer network | |
US6212636B1 (en) | Method for establishing trust in a computer network via association | |
Recio et al. | A remote direct memory access protocol specification | |
US6076168A (en) | Simplified method of configuring internet protocol security tunnels | |
US7051365B1 (en) | Method and apparatus for a distributed firewall | |
US7624180B2 (en) | Mixed enclave operation in a computer network | |
US7346770B2 (en) | Method and apparatus for traversing a translation device with a security protocol | |
US5692124A (en) | Support of limited write downs through trustworthy predictions in multilevel security of computer network communications | |
US6351810B2 (en) | Self-contained and secured access to remote servers | |
US20040107360A1 (en) | System and Methodology for Policy Enforcement | |
US20020035635A1 (en) | Method and system for establishing a security perimeter in computer networks | |
CA2388114A1 (en) | Methods and arrangements in a telecommunications system | |
WO2007103338A2 (en) | Technique for processing data packets in a communication network | |
EP1384370B1 (en) | Method and system for authenticating a personal security device vis-a-vis at least one remote computer system | |
US20040243837A1 (en) | Process and communication equipment for encrypting e-mail traffic between mail domains of the internet | |
JP2007036834A (en) | Encryption apparatus, program, recording medium, and method | |
WO2000048372A1 (en) | Data communication method for sending a message through a firewall | |
Cisco | Introduction to Cisco IPsec Technology | |
JP2001111612A (en) | Information leakage prevention method and system, and recording medium recording information leakage prevention program |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AK | Designated states | Kind code of ref document: A1 Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW |
| AL | Designated countries for regional patents | Kind code of ref document: A1 Designated state(s): GH GM KE LS MW SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | |
| ENP | Entry into the national phase | Ref document number: 2362634 Country of ref document: CA Ref country code: CA Ref document number: 2362634 Kind code of ref document: A Format of ref document f/p: F |
| ENP | Entry into the national phase | Ref country code: JP Ref document number: 2000 599188 Kind code of ref document: A Format of ref document f/p: F |
| WWE | Wipo information: entry into national phase | Ref document number: 2000902692 Country of ref document: EP |
| WWP | Wipo information: published in national office | Ref document number: 2000902692 Country of ref document: EP |
| REG | Reference to national code | Ref country code: DE Ref legal event code: 8642 |
| WWE | Wipo information: entry into national phase | Ref document number: 09913213 Country of ref document: US |
| WWW | Wipo information: withdrawn in national office | Ref document number: 2000902692 Country of ref document: EP |