WO2000048372A1 - Data communication method for sending a message through a firewall - Google Patents

Data communication method for sending a message through a firewall Download PDF

Info

Publication number
WO2000048372A1
WO2000048372A1 PCT/FI2000/000075 FI0000075W WO0048372A1 WO 2000048372 A1 WO2000048372 A1 WO 2000048372A1 FI 0000075 W FI0000075 W FI 0000075W WO 0048372 A1 WO0048372 A1 WO 0048372A1
Authority
WO
WIPO (PCT)
Prior art keywords
firewall
message
computer system
sent
connection
Prior art date
Application number
PCT/FI2000/000075
Other languages
French (fr)
Inventor
Panu PIETIKÄINEN
Original Assignee
Intrasecure Networks Oy
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Intrasecure Networks Oy filed Critical Intrasecure Networks Oy
Priority to AU24445/00A priority Critical patent/AU2444500A/en
Priority to CA002362634A priority patent/CA2362634A1/en
Priority to EP00902692A priority patent/EP1153499A1/en
Priority to JP2000599188A priority patent/JP2002537689A/en
Publication of WO2000048372A1 publication Critical patent/WO2000048372A1/en
Priority to NO20013915A priority patent/NO20013915L/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/029Firewall traversal, e.g. tunnelling or, creating pinholes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Definitions

  • the invention is concerned with a data communication method for sending a message on a computer network from a first computer system to at least one other computer system through a firewall.
  • the method can be used for sending protected messages with various kinds of protection methods, computer networks and network protocols and is expected to be very useful for instance for sending secret messages.
  • a computer network is formed when two or more computers are connected to each other.
  • Local area networks (or internal networks) may be formed of the computers within a company, while wide area networks may be extended over bigger areas, such as many towns and even countries.
  • the networks may be connected via cables, fibers and/or radio links.
  • An example of a global network is the Internet. This worldwide network can be used for communication, delivering and searching for information.
  • the local network can be connected to another network, which can be an external network, such as Internet, and so electronic mail can be sent to the whole world to everyone connected to the external network.
  • Internet is the most common network for data communication, by for example E-mail. The fact that several local networks can be connected to other networks, Internet in particular sets up requirements for the security and the equipment therefor
  • a firewall is a security system to protect a network against infringement from unauthorized users in other networks, such as Internet
  • a firewall can hinder computers from communicating directly with other networks, such as external networks, and vice versa Instead, all communication is sent through the firewall placed outside the internal network
  • the firewall decides if it is safe to let messages and files pass between the external and the internal network on the basis of the addresses of the message, that can be in form of data packets, and different parameters
  • the firewall thus controls the communication between the internal and external network and modifies the data packets of for example TCP/IP based Internet (with respect to the TCP/IP protocol, see the next page)
  • a firewall translates network addresses and other data defining the communication so that the internal address and the internal parameters are changed to an external address and external parameters This means that for instance IP addresses used in an internal or local network are hidden from outside users
  • a packet coming from an external network to an internal network is modified back by the firewall
  • the firewall can be formed in many different ways and is usually designed individually from case to case in accordance with the
  • Another method of increasing the security is by means of protection of the messages to be sent by for instance tunneling in virtual networks.
  • virtual networks several local and global networks use Internet to be connected to each other.
  • tunneling data is transferred between two networks via a third network, such as Internet.
  • Packet mode is a transfer method that can be used in virtual connections.
  • data is sent in small "packets" with an address and a sender, so that several persons can use the connection simultaneously.
  • the other protocol is usually TCP/IP, when the transfers go through Internet.
  • the own protocols are packed in the TCP/IP packages that are sent via Internet.
  • TCP/IP Transmission Control Protocol/Internet Protocol. Standards for TCP/IP are well documented in so called RFC (Request for comments) documents.
  • the IP protocol takes care of the data packets and is responsible for that the packets find right addresses. The data packets are addressed by means of internet addresses and go from computer to computer until the right destination is reached. Communication with IP is connectionless as no fixed connection exist between communicating computers. The message is going forward step by step.
  • the TCP protocol takes care of the transferring of messages between two computers by making a virtual connection between them without any physical connection.
  • the TCP is the transport protocol that is responsible for the connection itself between sender and receiver.
  • TCP/IP Transmission Control Protocol/IP
  • the packets go through the "tunnel" maintained by Internet to the receiver, where the packets of different protocols are separated from each other and return to the original form.
  • the authorization of the receiver can be controlled in different ways.
  • the authorization control can be carried out in two steps: authentication and authorization. Authentication is carried out to control the identity of the user, while the authorization defines what the user is authorized to do.
  • the virtual networks give a high security.
  • the secret information has an own channel on Internet as a result of different methods of authentication, encryption and/or encapsulation.
  • the security of Internet is not sufficient for all types of transfers. There are however ways to protect e-mail and other messages sent through internet from others. Especially high security can be achieved by encryption.
  • Encryption means that messages are changed before sending so that they cannot be read before decryption with a special key and usually also by confirming that the right person sent the message (authentication).
  • Encryption means that messages are changed before sending so that they cannot be read before decryption with a special key and usually also by confirming that the right person sent the message (authentication).
  • firewalls One problem with firewalls is the need of extensive equipment for the firewall computer if the traffic amount of traffic through the firewall is high.
  • firewalls Another problem with firewalls is that if protection methods are used and the network is protected with a firewall, the firewall cannot identify the messages to be sent and will therefore not let them pass. In existing methods, the protection function or the parameters for the protection are given to the firewall so that the firewall can identify or protect the message and the message can then be sent through the firewall. The drawback with such methods is decreased security for the local network as secret information is delivered outside the local network.
  • US patent 0715668 is mentioned as such prior art.
  • the patent is about secure transfer of information between firewalls over an unprotected network.
  • Internet protocol security and IPSec messages are handled in the firewall without assuming that encrypted messages has access to all services by decrypting the message and controlling the access.
  • an electronic data transfer system transmits a message between the first computer system, arranged within a firewall, and a second computer system. Messages that are not suitable for transmission through a firewall are translated in a format that is appropriate for transmission across the firewall.
  • An object of the invention is a method of sending messages that decreases the work to be done by the firewall computer compared with previously known methods.
  • the second object of the invention is a safer method of sending protected messages through a firewall. More in detail, the second object of the invention is a method wherein protected messages can be sent through a firewall without delivering information about the parameters of the protection outside the local network to the firewall.
  • a message is sent on a computer network from a first computer system to at least one other computer system through a firewall.
  • step a) a request with data for a new connection between the first computer system and at least one other computer system is sent from the first computer system to the firewall.
  • step b) up on approval of the message, information about the necessary modifications to be made in a message that is sent via the requested connection through the firewall is sent from the firewall to the first computer system.
  • the protected message to be sent is modified in the first computer system in accordance with the information sent from the firewall.
  • step d) which is optional and can be carried out before step c) or after step c)
  • identification data of the connection for the message to be sent between said computer systems is sent to the firewall so that the message can be identified by the firewall to be able to pass the same.
  • step e) the protected message is then sent from the first computer system to the at least one other computer system through the firewall.
  • the message to be sent is protected as the method is very suitable for sending protected messages.
  • the message to be sent between said computer systems is in that case protected in step c) after it has been modified, whereby step d) is necessary and the data to be sent from the first computer system to the firewall includes the necessary information so that the connection for the message can be identified by the firewall.
  • the protection method can be some method known in the art.
  • One suitable way to protect the message is to use methods defined in the standard RFC 1825 for TCP/IP
  • RFC 1825 is a standard defining the IPSec security system standard, which consists of technology principles for the method used IPSec, in turn, has sub standards for encryption, such as ESP, which is an abbreviation for encapsulated security protocol and AH, which is an abbreviation for a standard in IP for authentication
  • ESP which is an abbreviation for encapsulated security protocol
  • AH which is an abbreviation for a standard in IP for authentication
  • the authentication method might be MD5, SHA or other method known in the art
  • the encryption method might be some known method such as DES Blowfish or the like
  • the request for a new communication sent from the first computer system to the firewall contains for instance data of the new connection to be opened between the first computer system and at least one other computer system in for example in form of address identification data and such other parameters Typical other parameters are for instance IP Data (the sender address, the receiver address), the type of protocol and TCP data the sender port and the receiver port The port defines the application for sending the data with e g TCP/IP, such as the program used, the web browser etc
  • step b) typical parameters that the firewall modifies so that the messages can pass through are the above data, for instance IP Data (the sender address, the receiver address), the type of protocol and TCP data the sender port and the receiver port
  • IP Data the sender address, the receiver address
  • TCP Transmission Control Protocol
  • step b) typical parameters that the firewall modifies so that the messages can pass through are the above data, for instance IP Data (the sender address, the receiver address), the type of protocol and TCP data the sender port and the receiver port
  • the modifications might comprise all data of step a) or a part of them All of the data to be modified might be known by the firewall even if not exactly included in step a)
  • step d) identification data for the protection used to protect the message to be sent between said computer systems is sent to the firewall so that the protected message can be identified by the firewall.
  • the identification data is in such a form that the firewall can identify the actual connection but not the actual parameters that have been used to protect the message. There exist many allowed connections with the same IP address but different other parameters.
  • the actual protected message is sent in accordance with the parameters of one of the allowed connections and shall be identified by the firewall as being allowed and safe to deliver. If the message is not protected, step d) might be unnecessary in some embodiments, but is still advantageous to carry out in other embodiments, for instance if much traffic is going through the firewall, step d) might speed up the sending.
  • the inventive idea is that a part of the firewall functionality has been given to another computer function and is carried out in the first computer system. If the message is protected, the firewall and the first computer system transfers necessary information so that the firewall would be able to pass the protected messages without having knowledge about the actual parameters used to protect the message to be sent.
  • Figure 1 is a flow sheet over the different steps of the method of invention
  • FIG. 2 is a schematic view of the computer network within which the data communication of the invention is carried out DETAILED DESCRIPTION OF THE INVENTION
  • Figure 2 is a schematic view of a computer network within which the data communication of the invention can be carried out.
  • a message shall be sent from a first computer system C1 to a second computer system C2.
  • the first computer system belongs to an internal network.
  • the internal network is protected by a firewall, so that all messages to be sent and received through the firewall has to be identified and accepted by the firewall.
  • the firewall controls data of the connection via which the messages are sent and if the connection is accepted by the firewall, the messages can pass the firewall. Before the messages can pass the firewall, they are modified in the firewall in accordance with given parameters, such as address changes and protocol changes.
  • the computer system C1 has a virtual connection to computer system C2, which means that messages to be sent from the first computer system C1 to the second computer system C2 are sent via one or more other networks, such as external networks, for instance Internet, after having passed the firewall before ending up at and received by the second computer system C2.
  • Figure 1 is a flow sheet over the different steps of an embodiment of the method of the invention.
  • a message shall be sent on a computer network from the first computer system C1 to a second computer system C2 through a firewall, which is placed outside the internal or local network to which the first computer system C1 belongs.
  • the method of the invention can be used both for the purpose to decrease the work to be carried out by the firewall and/or for sending protected messages. If the message to be sent shall be protected before sending in accordance with the second embodiment of the invention, it can not be sent through the firewall in the normal way, because the firewall is not able to control address identification data of protected messages or forward encrypted messages.
  • an information message is sent from the first computer system C1 to the firewall containing data about a new connection between the first computer system C1 and a second computer system C2 system in form of for instance address identification data, and possible other parameters for the message to be sent between said computer systems. If the firewall accepts this connection, the sending proceeds so that according to step b), information about necessary changes to be made in the message is sent from the firewall to the first computer system C1 so that the message can be sent through the firewall.
  • the message that is intended to be protected with some protection method, that can be an authentication method and/or encryption method and shall be sent is according to step c) first modified by the first computer system C1 in accordance with the information sent from the firewall before protection.
  • identification data of the protection method that have been used for protection of the message is according to point d) sent from the first computer system C1 to the firewall F so that the protected message can be identified but not read by the firewall to be able to be passed by the same. If the message is not protected, step d) is optional if the firewall used is able to identify the message. Step d) can also be carried out before step c). The protected message is then according to step e) sent from the first computer system C1 to the other computer system C2 through the firewall.

Abstract

The invention is concerned with a method for sending a message ona computer network from a first computer system to at least one other computer system through a firewall. The method comprises the following steps: a request with data for a new connection between the first computer system and at least one other computer system is sent from the first computer system to the firewall for a message to be sent between said computer systems. Up on approval of the connection by the firewall, information about necessary modifications to be made in a message that is sent via the requested connection through the firewall is sent from the firewall to the first computer system. The message to be sent is modified in the first computer system in accordance with the information sent from the firewall. Optionally, and before or after the foregoing step, identification data of the connection for the message to be sent between said computer systems is sent from the first computer system to the firewall so that the connection for the message can be identified by the firewall and the message can pass the firewall. The message is sent from the first computer system to the at least one other computer system through the firewall. The message to be sent between said computer systems can be protected after it has been modified, whereby the data to be sent from the first computer system to the firewall includes the necessary information so that the connection for the message can be identified by the firewall.

Description

DATA COMMUNICATION METHOD FOR SENDING A MESSAGE THROUGH A FIREWALL
TECHNICAL FIELD
The invention is concerned with a data communication method for sending a message on a computer network from a first computer system to at least one other computer system through a firewall. The method can be used for sending protected messages with various kinds of protection methods, computer networks and network protocols and is expected to be very useful for instance for sending secret messages.
DESCRIPTION OF RELATED ART
A computer network is formed when two or more computers are connected to each other. Local area networks (or internal networks) may be formed of the computers within a company, while wide area networks may be extended over bigger areas, such as many towns and even countries. The networks may be connected via cables, fibers and/or radio links.
An example of a global network is the Internet. This worldwide network can be used for communication, delivering and searching for information.
If an internal system for electronic post is installed, everyone connected to the local network can send messages to each other. The local network can be connected to another network, which can be an external network, such as Internet, and so electronic mail can be sent to the whole world to everyone connected to the external network. Internet is the most common network for data communication, by for example E-mail. The fact that several local networks can be connected to other networks, Internet in particular sets up requirements for the security and the equipment therefor
There are different systems for the improving of the security It is important that data within an internal network is protected so that only right users can change and read it The users usually identify themselves with a user name and a password Also other security details exist Other security problems are network errors and work stops With increasing complexity, advanced security systems become important
The popularity of Internet can be seen on the fact that new network products and services are developed all the time These products are developed in accordance with new Internet standards and are applied to the protocols used in transfers on Internet
A firewall is a security system to protect a network against infringement from unauthorized users in other networks, such as Internet A firewall can hinder computers from communicating directly with other networks, such as external networks, and vice versa Instead, all communication is sent through the firewall placed outside the internal network The firewall decides if it is safe to let messages and files pass between the external and the internal network on the basis of the addresses of the message, that can be in form of data packets, and different parameters The firewall thus controls the communication between the internal and external network and modifies the data packets of for example TCP/IP based Internet (with respect to the TCP/IP protocol, see the next page) Usually, a firewall translates network addresses and other data defining the communication so that the internal address and the internal parameters are changed to an external address and external parameters This means that for instance IP addresses used in an internal or local network are hidden from outside users A packet coming from an external network to an internal network is modified back by the firewall The firewall can be formed in many different ways and is usually designed individually from case to case in accordance with the actual needs of the network. If the amount of traffic through the firewall is very high, quite extensive hardware for the firewall computer is needed.
Another method of increasing the security is by means of protection of the messages to be sent by for instance tunneling in virtual networks. In virtual networks several local and global networks use Internet to be connected to each other. By tunneling, data is transferred between two networks via a third network, such as Internet. In this technique, a given kind of data packets of a given protocol is encapsulated in packets of another protocol. Packet mode is a transfer method that can be used in virtual connections. In this technique data is sent in small "packets" with an address and a sender, so that several persons can use the connection simultaneously. The other protocol is usually TCP/IP, when the transfers go through Internet. The own protocols are packed in the TCP/IP packages that are sent via Internet.
The data communication between computers is carried out according to given rules which are called protocols TCP/IP is one such protocol and is an abbreviation for Transmission Control Protocol/Internet Protocol. Standards for TCP/IP are well documented in so called RFC (Request for comments) documents. The IP protocol takes care of the data packets and is responsible for that the packets find right addresses. The data packets are addressed by means of internet addresses and go from computer to computer until the right destination is reached. Communication with IP is connectionless as no fixed connection exist between communicating computers. The message is going forward step by step. The TCP protocol takes care of the transferring of messages between two computers by making a virtual connection between them without any physical connection. The TCP is the transport protocol that is responsible for the connection itself between sender and receiver. Also other standards than TCP/IP can be used in Internet. The packets go through the "tunnel" maintained by Internet to the receiver, where the packets of different protocols are separated from each other and return to the original form. The authorization of the receiver can be controlled in different ways. The authorization control can be carried out in two steps: authentication and authorization. Authentication is carried out to control the identity of the user, while the authorization defines what the user is authorized to do.
The virtual networks give a high security. The secret information has an own channel on Internet as a result of different methods of authentication, encryption and/or encapsulation.
The security of Internet is not sufficient for all types of transfers. There are however ways to protect e-mail and other messages sent through internet from others. Especially high security can be achieved by encryption.
Encryption means that messages are changed before sending so that they cannot be read before decryption with a special key and usually also by confirming that the right person sent the message (authentication). There are a big variety of encryption methods of the above kind.
In many protection methods all connections have different parameters. The function wherein the real protection is made is called transformation. In the transformation function the packet is changed in accordance with given parameters depending on the actual protection used.
One problem with firewalls is the need of extensive equipment for the firewall computer if the traffic amount of traffic through the firewall is high.
Another problem with firewalls is that if protection methods are used and the network is protected with a firewall, the firewall cannot identify the messages to be sent and will therefore not let them pass. In existing methods, the protection function or the parameters for the protection are given to the firewall so that the firewall can identify or protect the message and the message can then be sent through the firewall. The drawback with such methods is decreased security for the local network as secret information is delivered outside the local network.
US patent 0715668 is mentioned as such prior art. The patent is about secure transfer of information between firewalls over an unprotected network. Internet protocol security and IPSec messages are handled in the firewall without assuming that encrypted messages has access to all services by decrypting the message and controlling the access.
Another such method is described in US patent 0586231 , wherein a firewall computer is allowed to provide virtual tunnel records and secret keys.
In the European patent application EP 0 858 201 an electronic data transfer system transmits a message between the first computer system, arranged within a firewall, and a second computer system. Messages that are not suitable for transmission through a firewall are translated in a format that is appropriate for transmission across the firewall.
THE OBJECT OF THE INVENTION
An object of the invention is a method of sending messages that decreases the work to be done by the firewall computer compared with previously known methods.
The second object of the invention is a safer method of sending protected messages through a firewall. More in detail, the second object of the invention is a method wherein protected messages can be sent through a firewall without delivering information about the parameters of the protection outside the local network to the firewall.
DESCRIPTION OF THE INVENTION
In the method of the invention a message is sent on a computer network from a first computer system to at least one other computer system through a firewall. In step a), a request with data for a new connection between the first computer system and at least one other computer system is sent from the first computer system to the firewall. In step b), up on approval of the message, information about the necessary modifications to be made in a message that is sent via the requested connection through the firewall is sent from the firewall to the first computer system. In step c), the protected message to be sent is modified in the first computer system in accordance with the information sent from the firewall. In step d), which is optional and can be carried out before step c) or after step c), identification data of the connection for the message to be sent between said computer systems is sent to the firewall so that the message can be identified by the firewall to be able to pass the same. In step e), the protected message is then sent from the first computer system to the at least one other computer system through the firewall.
In an application of the method, the message to be sent is protected as the method is very suitable for sending protected messages. The message to be sent between said computer systems is in that case protected in step c) after it has been modified, whereby step d) is necessary and the data to be sent from the first computer system to the firewall includes the necessary information so that the connection for the message can be identified by the firewall.
The protection method can be some method known in the art. One suitable way to protect the message is to use methods defined in the standard RFC 1825 for TCP/IP This standard includes sub standards for for instance authentication methods and encryption methods, which can be used separately or simultaneously in a message sent with the method of the invention RFC 1825 is a standard defining the IPSec security system standard, which consists of technology principles for the method used IPSec, in turn, has sub standards for encryption, such as ESP, which is an abbreviation for encapsulated security protocol and AH, which is an abbreviation for a standard in IP for authentication The authentication method might be MD5, SHA or other method known in the art The encryption method might be some known method such as DES Blowfish or the like
In step a), the request for a new communication sent from the first computer system to the firewall contains for instance data of the new connection to be opened between the first computer system and at least one other computer system in for example in form of address identification data and such other parameters Typical other parameters are for instance IP Data ( the sender address, the receiver address), the type of protocol and TCP data the sender port and the receiver port The port defines the application for sending the data with e g TCP/IP, such as the program used, the web browser etc
In step b), typical parameters that the firewall modifies so that the messages can pass through are the above data, for instance IP Data ( the sender address, the receiver address), the type of protocol and TCP data the sender port and the receiver port The modifications might comprise all data of step a) or a part of them All of the data to be modified might be known by the firewall even if not exactly included in step a)
Messages can only go through a firewall if the firewall can identify them to be allowable messages In step d), identification data for the protection used to protect the message to be sent between said computer systems is sent to the firewall so that the protected message can be identified by the firewall The identification data is in such a form that the firewall can identify the actual connection but not the actual parameters that have been used to protect the message. There exist many allowed connections with the same IP address but different other parameters. The actual protected message is sent in accordance with the parameters of one of the allowed connections and shall be identified by the firewall as being allowed and safe to deliver. If the message is not protected, step d) might be unnecessary in some embodiments, but is still advantageous to carry out in other embodiments, for instance if much traffic is going through the firewall, step d) might speed up the sending.
In the invention, the inventive idea is that a part of the firewall functionality has been given to another computer function and is carried out in the first computer system. If the message is protected, the firewall and the first computer system transfers necessary information so that the firewall would be able to pass the protected messages without having knowledge about the actual parameters used to protect the message to be sent.
In the following, the invention is described by means of some preferred embodiments of the invention. The details of the embodiments can vary within the scope of the claims.
BRIEF DESCRIPTION OF DRAWINGS
Figure 1 is a flow sheet over the different steps of the method of invention
Figure 2 is a schematic view of the computer network within which the data communication of the invention is carried out DETAILED DESCRIPTION OF THE INVENTION
Figure 2 is a schematic view of a computer network within which the data communication of the invention can be carried out. A message shall be sent from a first computer system C1 to a second computer system C2.
In figure 2, the first computer system belongs to an internal network. The internal network is protected by a firewall, so that all messages to be sent and received through the firewall has to be identified and accepted by the firewall. The firewall controls data of the connection via which the messages are sent and if the connection is accepted by the firewall, the messages can pass the firewall. Before the messages can pass the firewall, they are modified in the firewall in accordance with given parameters, such as address changes and protocol changes. The computer system C1 has a virtual connection to computer system C2, which means that messages to be sent from the first computer system C1 to the second computer system C2 are sent via one or more other networks, such as external networks, for instance Internet, after having passed the firewall before ending up at and received by the second computer system C2.
Figure 1 is a flow sheet over the different steps of an embodiment of the method of the invention. A message shall be sent on a computer network from the first computer system C1 to a second computer system C2 through a firewall, which is placed outside the internal or local network to which the first computer system C1 belongs. The method of the invention can be used both for the purpose to decrease the work to be carried out by the firewall and/or for sending protected messages. If the message to be sent shall be protected before sending in accordance with the second embodiment of the invention, it can not be sent through the firewall in the normal way, because the firewall is not able to control address identification data of protected messages or forward encrypted messages. Therefor, in accordance with step a) of the invention, an information message is sent from the first computer system C1 to the firewall containing data about a new connection between the first computer system C1 and a second computer system C2 system in form of for instance address identification data, and possible other parameters for the message to be sent between said computer systems. If the firewall accepts this connection, the sending proceeds so that according to step b), information about necessary changes to be made in the message is sent from the firewall to the first computer system C1 so that the message can be sent through the firewall. The message that is intended to be protected with some protection method, that can be an authentication method and/or encryption method and shall be sent is according to step c) first modified by the first computer system C1 in accordance with the information sent from the firewall before protection. Before the protected message is sent, identification data of the protection method that have been used for protection of the message is according to point d) sent from the first computer system C1 to the firewall F so that the protected message can be identified but not read by the firewall to be able to be passed by the same. If the message is not protected, step d) is optional if the firewall used is able to identify the message. Step d) can also be carried out before step c). The protected message is then according to step e) sent from the first computer system C1 to the other computer system C2 through the firewall.

Claims

1. Method for sending a message on a computer network from a first computer system to at least one other computer system through a firewall, c h a r a c t e r i z e d in the following steps: a) sending from the first computer system to the firewall, a request with data for a new connection between the first computer system and at least one other computer system for a message to be sent between said computer systems, b) up on approval of the connection by the firewall, sending from the firewall to the first computer system, information about the necessary modifications to be made in a message that is sent via the requested connection through the firewall, c) modifying, in the first computer system, the message to be sent in accordance with the information sent from the firewall, d) optionally, and before or after step c), sending from the first computer system to the firewall identification data of the connection for the message to be sent between said computer systems so that the connection for the message can be identified by the firewall and the message can pass the firewall, e) sending the message from the first computer system to the at least one other computer system through the firewall.
2. Method of claim 1 , c h a r a c t e r i z e d in that, the message to be sent between said computer systems is protected in step c) after it has been modified, whereby step d) is necessary and the data to be sent from the first computer system to the firewall includes the necessary information so that the connection for the message can be identified by the firewall.
3. Method of claim 2, c h a r a c t e r i z e d in that the protection is made using the IP Sec system.
4. Method of claim 2 or 3, characterized in that the message to be sent is authenticated.
5. Method of any of claims 2-4, characterized in that the message to be sent is encrypted in step c).
6. Method of any of claims 1 -5, ch a ra ct e r i ze d in that the information message in point a) contains data of the new connection to be opened between the first computer system and at least one other computer system in form of address identification data and possible other parameters.
7. Method of claim 6, characterized in that the possible other parameters are data about the port and the protocol used for sending.
8. Method of any of claims 1 -7 , ch a ra ct e r i ze d in that in step b) the modifications include address identification data and/or the port and or the protocol used for sending.
9. Method of any of claim 1 -7, c h a ra ct e r i z e d in that, the message is using the TCP/IP protocol.
10. Method of any of claim 1 -8, characterized in that, the message is sent via internet.
PCT/FI2000/000075 1999-02-10 2000-02-03 Data communication method for sending a message through a firewall WO2000048372A1 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
AU24445/00A AU2444500A (en) 1999-02-10 2000-02-03 Data communication method for sending a message through a firewall
CA002362634A CA2362634A1 (en) 1999-02-10 2000-02-03 Data communication method for sending a message through a firewall
EP00902692A EP1153499A1 (en) 1999-02-10 2000-02-03 Data communication method for sending a message through a firewall
JP2000599188A JP2002537689A (en) 1999-02-10 2000-02-03 Data communication method of sending messages through firewall
NO20013915A NO20013915L (en) 1999-02-10 2001-08-10 Method of data communication

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FI990265A FI106594B (en) 1999-02-10 1999-02-10 Communication method for sending a message through a firewall
FI990265 1999-02-10

Publications (1)

Publication Number Publication Date
WO2000048372A1 true WO2000048372A1 (en) 2000-08-17

Family

ID=8553705

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2000/000075 WO2000048372A1 (en) 1999-02-10 2000-02-03 Data communication method for sending a message through a firewall

Country Status (7)

Country Link
EP (1) EP1153499A1 (en)
JP (1) JP2002537689A (en)
AU (1) AU2444500A (en)
CA (1) CA2362634A1 (en)
FI (1) FI106594B (en)
NO (1) NO20013915L (en)
WO (1) WO2000048372A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5699513A (en) * 1995-03-31 1997-12-16 Motorola, Inc. Method for secure network access via message intercept
GB2317792A (en) * 1996-09-18 1998-04-01 Secure Computing Corp Virtual Private Network for encrypted firewall
EP0858201A2 (en) * 1997-02-06 1998-08-12 Sun Microsystems, Inc. Method and apparatus for allowing secure transactions through a firewall
US5826029A (en) * 1995-10-31 1998-10-20 International Business Machines Corporation Secured gateway interface

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5699513A (en) * 1995-03-31 1997-12-16 Motorola, Inc. Method for secure network access via message intercept
US5826029A (en) * 1995-10-31 1998-10-20 International Business Machines Corporation Secured gateway interface
GB2317792A (en) * 1996-09-18 1998-04-01 Secure Computing Corp Virtual Private Network for encrypted firewall
EP0858201A2 (en) * 1997-02-06 1998-08-12 Sun Microsystems, Inc. Method and apparatus for allowing secure transactions through a firewall

Also Published As

Publication number Publication date
NO20013915D0 (en) 2001-08-10
AU2444500A (en) 2000-08-29
FI106594B (en) 2001-02-28
FI990265A (en) 2000-08-11
JP2002537689A (en) 2002-11-05
NO20013915L (en) 2001-08-10
CA2362634A1 (en) 2000-08-17
FI990265A0 (en) 1999-02-10
EP1153499A1 (en) 2001-11-14

Similar Documents

Publication Publication Date Title
EP0967765B1 (en) Network connection controlling method and system thereof
TWI362859B (en)
EP1730651B1 (en) Establishing a virtual private network for a road warrior
US6067620A (en) Stand alone security device for computer networks
US7853783B2 (en) Method and apparatus for secure communication between user equipment and private network
US8190899B1 (en) System and method for establishing a remote connection over a network with a personal security device connected to a local client without using a local APDU interface or local cryptography
US5872847A (en) Using trusted associations to establish trust in a computer network
US6212636B1 (en) Method for establishing trust in a computer network via association
Recio et al. A remote direct memory access protocol specification
US6076168A (en) Simplified method of configuring internet protocol security tunnels
US7051365B1 (en) Method and apparatus for a distributed firewall
US7624180B2 (en) Mixed enclave operation in a computer network
US7346770B2 (en) Method and apparatus for traversing a translation device with a security protocol
US5692124A (en) Support of limited write downs through trustworthy predictions in multilevel security of computer network communications
US6351810B2 (en) Self-contained and secured access to remote servers
US20040107360A1 (en) System and Methodology for Policy Enforcement
US20020035635A1 (en) Method and system for establishing a security perimeter in computer networks
CA2388114A1 (en) Methods and arrangements in a telecommunications system
WO2007103338A2 (en) Technique for processing data packets in a communication network
EP1384370B1 (en) Method and system for authenticating a personal security device vis-a-vis at least one remote computer system
US20040243837A1 (en) Process and communication equipment for encrypting e-mail traffic between mail domains of the internet
JP2007036834A (en) Encryption apparatus, program, recording medium, and method
WO2000048372A1 (en) Data communication method for sending a message through a firewall
Cisco Introduction to Cisco IPsec Technology
JP2001111612A (en) Information leakage prevention method and system, and recording medium recording information leakage prevention program

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
ENP Entry into the national phase

Ref document number: 2362634

Country of ref document: CA

Ref country code: CA

Ref document number: 2362634

Kind code of ref document: A

Format of ref document f/p: F

ENP Entry into the national phase

Ref country code: JP

Ref document number: 2000 599188

Kind code of ref document: A

Format of ref document f/p: F

WWE Wipo information: entry into national phase

Ref document number: 2000902692

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 2000902692

Country of ref document: EP

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

WWE Wipo information: entry into national phase

Ref document number: 09913213

Country of ref document: US

WWW Wipo information: withdrawn in national office

Ref document number: 2000902692

Country of ref document: EP