WO2005062233A2 - Computer security system - Google Patents

Computer security system

Info

Publication number
WO2005062233A2
Authority
WO
WIPO (PCT)
Application number
PCT/US2004/041958
Other languages
French (fr)
Other versions
WO2005062233A3 (en)
Inventor
Dennis Vance Pollutro
Andrew A. Almquist
Original Assignee
Applied Identity

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2514 Translation of Internet protocol [IP] addresses between local and global IP addresses
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management

Definitions

  • Conventional firewalls create access holes by exposing ports to remote networks. They then forward network traffic through these exposed ports to network resources behind the firewall. This is called port forwarding.
  • Port scanning and other cracker techniques can reveal the presence of available applications and services resulting in a threat to data integrity. This creates a significant level of exposure which hackers, crackers, and criminals can and do exploit.
  • Third party solutions exist through which information technology (IT) organizations manage their community of legitimate access; however, because these are added as point solutions on top of an existing IT structure, various global access security issues are not resolved.
  • Figure 1 is a block diagram illustration of a typical firewall 30 configured to provide port forwarding to server 10 and server 20.
  • Ports 135 and 1433 are provided externally to the firewall 30, and correspond to the respective ports of each of server 10 and server 20.
  • server 20 may be running Microsoft SQL on port 1433
  • server 10 may be running Microsoft RPC services on port 135.
  • external port 135 and external port 1433 are typically made visible to any legitimate user. Normally, only authenticated users can access the services through the firewall 30. However, if the application has a security flaw that may be exploited, a non-authenticated user may exploit the flaw without proceeding through authentication. As such, it would be desirable to provide a computer security system that allows access to network resources for authenticated users without exposing those resources to the non-authenticated users (e.g., in the case of the Internet and the general public).
  • a method of providing an authenticated user with access to a computer system and restricting an unauthenticated user from access to the computer system is provided.
  • the method includes mapping a plurality of internal IP (i.e., Internet protocol) addresses and port numbers associated with the computer system to a respective plurality of external IP addresses and port numbers.
  • the method also includes determining whether a user is authenticated for access to external IP addresses and port numbers.
  • the method also includes providing at least one of the external IP addresses and port numbers to an authenticated user of the computer system in response to a request from the authenticated user such that the authenticated user may access at least one resource of the computer system.
  • the method also includes restricting access to the external IP addresses and port numbers from a non-authenticated user of the computer system.
  • a method of restricting visibility of internal IP addresses and port numbers associated with a network device to prevent unauthorized access of the network device by users of the network device includes mapping a plurality of the internal IP addresses and port numbers associated with the network device to a respective plurality of external IP addresses and port numbers, allowing visibility of a selected one or ones of the external IP addresses and port numbers to authenticated users, and restricting visibility of the internal IP addresses and port numbers to all users by replacing the internal IP addresses and port numbers with the corresponding, mapped external IP addresses and port numbers in communication packets forwarded to a respective user.
  • a computer system is provided.
  • the computer system includes a microprocessor and a computer readable medium.
  • the computer readable medium includes computer program instructions which cause the computer system to implement the above-described method of providing an authenticated user with access to a computer system and restricting an unauthenticated user from access to the computer system.
  • a computer readable carrier including computer program instructions is provided. The computer program instructions cause a computer system to implement the above-described method of providing an authenticated user with access to a computer system and restricting an unauthenticated user from access to the computer system.
  • Figure 1 is a block diagram illustrating a portion of a computer network protected by a conventional firewall
  • Figure 2 is a block diagram illustrating a single-homed port forwarding system for mapping external network addresses to internal network addresses useful in connection with an exemplary embodiment of the present invention
  • Figure 3 is a block diagram illustrating a multi-homed port forwarding system for mapping external network addresses to internal network addresses useful in connection with an exemplary embodiment of the present invention
  • Figure 4 is a block diagram illustrating another multi-homed port forwarding system for mapping external network addresses to internal network addresses useful in connection with an exemplary embodiment of the present invention
  • Figure 5 is a flow diagram illustrating a computer system security process in accordance with an exemplary embodiment of the present invention.
  • the external port numbers and IP addresses are not visible to each and every individual who requests the data. Rather, after receiving a request from an authenticated user, the user is provided with access data (i.e., a corresponding portion of the external port numbers and IP addresses) based on the authenticated user's identity or classification. If the user is non-authenticated, the access data is not provided, and the request may simply be ignored.
  • a communications packet is sent to the security system from an external source (e.g., a user).
  • a determination is made as to whether the communications packet originated from a session owned by an authenticated user. If the user is authenticated to access at least one resource of the protected system, a session and a session identifier are established such that the authenticated user has access to the at least one resource.
  • a communications packet is passed or rejected depending upon whether or not the packet is addressed to a resource permitted by the user's authentication.
  • the time elapsed after receiving a communications packet from a user during the session is calculated.
  • the session is terminated upon the calculated time exceeding a predetermined value.
  • the security system may control the visibility of network resources to remote users of that network.
  • the network is configured to provide a set of external IP addresses and port numbers through which communication is forwarded to a set of internal IP addresses and port numbers.
  • the mapping of IP addresses and port numbers can be arbitrary.
  • the security system acts as an umbrella over the remotely accessed network.
  • all connectivity to the protected network must pass through the security system. Additionally, the security system may monitor for connections on only 1 IP address and 1 port. Thus, no network resources are exposed to remote computers.
  • a user must log into the network before the network resources are made visible.
  • the user can only view the origination IP address and port number; nothing within the network is exposed to the user prior to sign on to the network (e.g., sign on enables the user to sign in once and be automatically signed into other applications when the user uses them).
  • All communication between the user and the network may also be encrypted so as to hide the communications from other authenticated and non-authenticated users (including users connected via the Internet).
  • the security system of the present invention may include a number of features to ensure that once a user (i.e., the person accessing an object) is logged in, the user only has access to what he/she has been granted access to.
  • the security system controls access to resources based on information related to user identity, group identity, permissions (i.e., rules permitting access to perform a specific action on an object), and objects (i.e., an entity that can have actions performed on it by a user).
  • Users may belong to a group, and users and groups are given permissions to access objects.
  • a page, application, web service, or document may be used to accomplish a delegation of access privileges. Permissions to access objects are assigned to a user or to a group for an object relating the user, group, and object together.
  • a record giving a user access to an object may include, for example, a permission ID, a user ID (i.e., a unique identifier representing a single user), and/or an object ID (i.e., a unique identifier representing any object which can have permissions associated with it).
  • the record may contain the permission ID, the group ID (i.e., a unique identifier representing a single group of users), and/or the object ID.
  • the system may first check to determine the group that the current user belongs to, and the relationship of the group to the permissions required to perform the desired action. If this check is not successful (i.e., the user does not belong to the group having the permissions required), the system may continue to determine if the user is related to the permission required to perform the action.
  • the security system of the present invention may use cookies and a unique ID (e.g., a session ID) to maintain state with a user of a normal connection, such as an HTTP connection or a secure socket layer connection (i.e., a standard connection for communicating securely over the Internet in which all communications are encrypted using a high level of encryption).
  • a dynamic session ID is assigned to the user, and the session ID may be stored on the client computer in the form of a cookie.
  • the session ID cookie exists, unless dynamically changed through the completion of an interaction, until the user closes the application that houses the cookie.
  • a timeout feature may also be provided whereby the expiration of a predetermined period of inactivity is used to determine when the session (and the session ID) should be terminated. During the user's session, the inactivity/timeout period is continually updated.
  • the timeout period is set by resources in the network and if the user does not perform an action/interaction within the predetermined timeout period (i.e., the period set by the network resources), the session is terminated by deleting it from those same resources in the network.
  • This allows a high level of security because no meaningful information is stored on the user's computer. Further, even if someone does gain access to the user's computer, after the timeout period has expired, any information that might be stored in a cookie on the user's computer is no longer valid.
  • a number of checks may take place each time the user moves within the system in order to determine what resources the user can access. For example, the security system determines the identity of the user accessing the system.
  • the session may be validated by checking the user ID against a database of user IDs on the network. If a session ID does not exist, the session is invalid, and the user is forced to log in before accessing the system. If the session ID does exist, the system retrieves the associated user ID and continues to perform whatever actions are necessary to finish displaying the approved information.
  • the process of accessing a resource on a remote server begins with the user logging into the security system (e.g., logging in using a single sign on software that logs the user directly into the security system). Once logged in, the user can run client applications that connect to applications hosted on the application server and view objects if the client applications have been pre-configured with the addresses of the applications servers.
  • the user can be provided with a unique token that provides a single use link to the application server.
  • the token either contains the information required to connect to the application server or retrieves the information required to connect to the application server.
  • the client application then connects to the application server, and the application server then displays all objects and applications approved for the user.
  • the figures described herein illustrate a security system whose architecture may utilize common programming languages. This security system contemplates the desire to provide secure access to all remote applications, software, and content. The security system also contemplates and provides embodiments that do not require installation of the services on the remote user's device.
  • the security system architecture can provide an efficient and meaningful security solution without the overhead of extra or robust hardware.
  • the security system architecture can operate with any number of application services or terminal services installed either on the local physical server, or in a configuration utilizing outside objects from remote servers or locations. By aggregating these objects, the end user is provided with desirable services defined by their current role in one location with a reduced investment in hardware.
  • This architecture allows for different and interchangeable service delivery options.
  • the system provides the end user with access to the services for which they have been granted access. As such, a more productive end user specific service is provided that, while unique to each and every user, also contemplates and mitigates the security risks associated with remote access to a multiple user network (e.g., a corporate network).
  • the security system of the present invention may be implemented in a number of mediums.
  • the system can be installed on an existing computer system/server as software.
  • the system can operate on a stand alone computer system (e.g., a security server) that is installed between another computer system (e.g., an application server) and an access point to another computer system.
  • the system may operate from a computer readable carrier (e.g., solid state memory, optical disk, magnetic disk, radio frequency carrier wave, audio frequency carrier wave, etc.) that includes computer instructions (e.g., computer program instructions) related to the security system.
  • the present invention relates to mapping external IP addresses and port numbers to internal network resources.
  • Figures 2-4 illustrate various exemplary port mapping configurations.
  • Figure 2 is a block diagram illustrating a case where all internal network resources 200, 210 and 220 are exposed through a single IP address (i.e., a single homed port forwarding system).
  • Figure 2 illustrates two client computers 230 and 240 (i.e., with IP addresses 10.0.0.100 and 10.0.0.101, respectively) through which users desire to retrieve applications/resources operating on one of the internal network resources 200, 210 and 220 (i.e., port 23 at IP address 192.168.1.20, port 23 at IP address 192.168.1.21, and port 21 at IP address 192.168.1.22).
  • IP address 10.0.0.20 is the address of security system 250, in accordance with the exemplary aspects of the present invention, through which access to the internal network resources 200, 210, 220 is accomplished.
  • Each of the port numbers and IP addresses of each of the internal network resources 200, 210 and 220 is mapped to a corresponding external port number and IP address.
  • the external IP address 10.0.0.20 port 23 is mapped to the internal IP address 192.168.1.20 port 23.
  • the external IP address 10.0.0.20 port 2323 is mapped to the internal IP address 192.168.1.21 port 23.
  • Figure 3 is a block diagram illustrating a case where all internal network resources 300, 310 and 320 are mapped to external IP addresses using the same port number. It is sometimes desirable to keep port numbers constant to be compatible with client applications.
  • multiple external IP addresses are used on the security system 330 so that the port numbers can remain the same.
  • the external IP address 10.0.0.20 port 21 is mapped to the internal IP address 192.168.0.21 port 21.
  • the external IP address 10.0.0.20 port 1433 is mapped to the internal IP address 192.168.0.22 port 1433.
  • the external IP address 10.0.0.20 port 23 is mapped to the internal IP address 192.168.0.20 port 23.
  • the external IP address 10.0.0.21 port 23 is mapped to the internal IP address 192.168.0.21 port 23.
  • the external IP address 10.0.0.21 port 21 is mapped to the internal IP address 192.168.0.22 port 21.
  • the external IP address 10.0.0.21 port 80 is mapped to the internal IP address 192.168.0.20 port 80.
  • Figure 3 illustrates the two client computers 230 and 240 (i.e., with IP addresses 10.0.0.100 and 10.0.0.101, respectively) through which users desire to retrieve applications/resources operating on one of the internal network resources 300, 310 and 320.
  • Figure 4 is a block diagram illustrating a case where the internal network resources 400, 410, 420 and 430 are mapped to more than one external IP address and the port numbers are not consistent.
  • IP addresses are mapped to one of the external IP addresses of the security system S2 server 440 (i.e., 10.0.0.20 and 10.0.0.21) and the internal port numbers are mapped to one of the external port numbers.
  • the external IP address 10.0.0.20 port 80 is mapped to the internal IP address 192.168.0.20 port 80.
  • the external IP address 10.0.0.20 port 21 is mapped to the internal IP address 192.168.0.22 port 21.
  • the external IP address 10.0.0.20 port 4000 is mapped to the internal IP address
  • the external IP address 10.0.0.20 port 23 is mapped to the internal IP address 192.168.0.21 port 23.
  • the external IP address 10.0.0.20 port 1433 is mapped to the internal IP address 192.168.0.23 port 1433.
  • the external IP address 10.0.0.21 port 23 is mapped to the internal IP address 192.168.0.20 port 23.
  • the external IP address 10.0.0.21 port 21 is mapped to the internal IP address
  • Figure 4 illustrates one client computer 230 (i.e., with IP address 10.0.0.100) through which users desire to retrieve applications/resources operating on one of the internal network resources 400, 410, 420 and 430. Regardless of how port mapping is accomplished, network resources may still be exposed to unauthenticated users.
  • the communications process is modified, for example, as illustrated in Figure 5.
  • the process starts with an incoming packet.
  • a determination is made as to whether the incoming packet is part of an existing session. If it is part of an existing session (Yes), the process proceeds to step 2.
  • At step 2, a determination is made as to whether the packet is addressed to an IP address and port number that is permitted for that session. If the packet is targeted for a permitted location (Yes), the packet is accepted and forwarded. If the packet is targeted for a forbidden location (No), the packet is dropped.
  • At step 3, a determination is made as to whether the packet is a new connection request and is addressed to a designated IP address and port number. If the packet is not a new connection request targeted to the designated IP address and port number (No), the packet is dropped. If the packet is a new connection request and is addressed to the designated IP address and port number (Yes), the process proceeds to step 4. At step 4, the connection is established, and user authentication is requested.
  • At step 5, user authentication is checked. If the user is not authenticated (No), the connection is closed. If the user is authenticated (Yes), a new session is created. Additionally, a timeout limit for a session may also be provided. The timeout process may be accomplished by checking the last received packet of the session against a set timeout period. When a packet is received, the system checks to see if the time elapsed since the previous packet of the current session is greater than the predetermined timeout period. If the calculated time exceeds the timeout period, the packet is dropped, the established session is destroyed, and the user must re-authenticate before being permitted to access any resources on the network.
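The Figure 5 decision flow (existing-session check, permitted-destination check, new connections accepted only on one designated IP address and port, authentication, and the inactivity timeout that also governs the session described earlier) run over the Figure 2 single-homed mapping, as an added simulation that is not the patent's own code. The login endpoint port 443, the 300-second timeout, the user table with its credentials and per-user visible endpoints, and keying sessions by client IP address are constructed assumptions.

```python
"""Simulation of the patent's session-gated port forwarding (Figure 5 flow over the
Figure 2 mapping). Added example, not the patent's code; users, credentials, the
login endpoint and the timeout value are constructed sample values."""
from dataclasses import dataclass, field
from typing import Optional

# Figure 2 mapping: external (ip, port) on the security system -> internal resource.
MAPPING = {
    ("10.0.0.20", 23): ("192.168.1.20", 23),    # resource 200
    ("10.0.0.20", 2323): ("192.168.1.21", 23),  # resource 210
    ("10.0.0.20", 21): ("192.168.1.22", 21),    # resource 220
}
# Reverse table used to replace internal addresses with external ones in packets
# sent back to the user, so internal addressing is never visible.
REVERSE = {internal: external for external, internal in MAPPING.items()}

# The single IP address and port the security system listens on for new
# connections (assumed port; the patent only says "1 IP address and 1 port").
LOGIN_ENDPOINT = ("10.0.0.20", 443)

# Constructed user table: secret plus the external endpoints this user may see.
USERS = {
    "alice": ("alice-secret", {("10.0.0.20", 23), ("10.0.0.20", 21)}),
    "bob": ("bob-secret", {("10.0.0.20", 2323)}),
}

TIMEOUT = 300  # inactivity limit in seconds (assumed value)


@dataclass
class Packet:
    src: tuple                          # (ip, port) of the client
    dst: tuple                          # (ip, port) the client addressed
    syn: bool = False                   # True for a new connection request
    credential: Optional[tuple] = None  # (user, secret) presented on the login connection


@dataclass
class Session:
    user: str
    permitted: set      # external endpoints visible to this session
    last_seen: float    # time of the last packet, for the timeout check


@dataclass
class SecuritySystem:
    sessions: dict = field(default_factory=dict)  # client ip -> Session (assumption)

    def access_data(self, user, secret):
        """Return the external endpoints visible to this user, or None if not authenticated."""
        entry = USERS.get(user)
        if entry is None or entry[0] != secret:
            return None
        return set(entry[1])

    def external_for(self, internal):
        """Rewrite an internal (ip, port) to its mapped external (ip, port) for replies."""
        return REVERSE.get(internal)

    def handle(self, pkt, now):
        """Apply the Figure 5 decision flow to one packet; returns (action, detail)."""
        client = pkt.src[0]
        sess = self.sessions.get(client)
        if sess is not None:
            # Step 1 (Yes): packet belongs to an existing session. Enforce the timeout
            # before anything else: an idle session is destroyed and the packet dropped.
            if now - sess.last_seen > TIMEOUT:
                del self.sessions[client]
                return ("drop", "session expired; re-authentication required")
            sess.last_seen = now
            # Step 2: only destinations permitted for this session are forwarded,
            # and forwarding uses the internal address from the mapping table.
            if pkt.dst in sess.permitted:
                return ("forward", MAPPING[pkt.dst])
            return ("drop", "destination not permitted for session")
        # Step 3: without a session, only a new connection request to the
        # designated login endpoint is accepted; everything else is dropped,
        # so unauthenticated probes never reach a mapped resource.
        if not (pkt.syn and pkt.dst == LOGIN_ENDPOINT):
            return ("drop", "no session and not a login request")
        # Steps 4 and 5: connection established, authentication requested and checked.
        if pkt.credential is None:
            return ("close", "authentication required")
        permitted = self.access_data(*pkt.credential)
        if permitted is None:
            return ("close", "authentication failed")
        self.sessions[client] = Session(pkt.credential[0], permitted, now)
        # The access data returned is only the portion of the external
        # endpoints this identity is granted, never the internal ones.
        return ("session", sorted(permitted))
```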
  • the security system and the methods of hiding network resources from unauthenticated users disclosed herein have diverse applicability in a range of markets including financial services, horizontal wireless LAN (e.g., wireless sales force automation and contractor services), and government regulated markets such as banking and healthcare.
  • the present invention is not limited thereto.
  • While the present invention has been largely described in terms of a user attempting to connect to a resource/application on a computer system (e.g., an application server), it is not limited thereto.
  • the present invention may be embodied in software, in a machine (e.g., a computer system, a microprocessor based appliance, etc.) that includes software in memory, or in a computer readable carrier configured to carry out the protection scheme (e.g., in a self contained silicon device, a solid state memory, an optical disk, a magnetic disk, a radio frequency carrier wave, an audio frequency carrier wave, etc.).
  • the remote system is not limited to an application server
  • the resource is not limited to an application on an application server.
  • the remote system may be any remotely accessible microprocessor based device (e.g., a PDA, a personal computer, a network server, etc.), and the resource may be any resource installed on (or accessible through a connection to) the remotely accessible device.
  • While the present invention is largely described in terms of internal IP addresses being mapped to one or two external IP addresses, it is not limited thereto.

Abstract

A method of providing an authenticated user with access to a computer system (200, 210 and 220) and restricting an unauthenticated user from access to the computer system (200, 210 and 220) is provided. The method includes mapping a plurality of internal IP addresses and port numbers associated with the computer system (200, 210 and 220) to a respective plurality of external IP addresses and port numbers. The method also includes determining whether a user is authenticated for access to external IP addresses and port numbers. The method also includes providing at least one of the external IP addresses and port numbers to an authenticated user of the computer system (200, 210 and 220) in response to a request from the authenticated user such that the authenticated user may access at least one resource of the computer system (200, 210 and 220). The method also includes restricting access to the external IP addresses and port numbers from a non-authenticated user of the computer system (200, 210 and 220).

Description

COMPUTER SECURITY SYSTEM
This PCT application claims the benefit of U.S. Provisional Application 60/530,013 filed in the U.S. Patent and Trademark Office on December 16, 2003, the contents of which are herein incorporated by reference. FIELD OF THE INVENTION This invention relates to computer system security and, more particularly, to a method and system for providing an authenticated user with access to a computer system and restricting an unauthenticated user from access to the computer system. BACKGROUND OF THE INVENTION It is often desirable to control the accessibility of computer system resources that are accessible directly or through networks such as LANs, WANs, and the Internet. Recently, security and access concerns have grown as malicious trespasses have increased the desirability to have improved access control. Further, the heightened state of awareness related to threats of cyber-terrorism make the desire to reduce existing vulnerabilities greater than ever before. Conventional virtual private networks (i.e., VPNs) and firewalls allow access holes to exist. Conventional firewalls create access holes by exposing ports to remote networks. They then forward network traffic through these exposed ports to network resources behind the firewall. This is called port forwarding. Port scanning and other cracker techniques can reveal the presence of available applications and services resulting in a threat to data integrity. This creates a significant level of exposure which hackers, crackers, and criminals can and do exploit. Third party solutions exist through which information technology (IT) organizations manage their community of legitimate access; however, because these are added as point solutions on top of an existing IT structure, various global access security issues are not resolved. Most specifically, there exists a vulnerability in existing firewalls at the connection level. 
Most security solutions focus on encrypting data or authenticating access; however, they still provide access to the protected servers and applications through some sort of port forwarding. Thus, malicious users may still gain access to protected servers and applications. For example, if the servers and applications have security flaws that allow one to access and/or control them without having to go through authentication, the systems may be vulnerable. Figure 1 is block diagram illustration of a typical firewall 30 configured to provide port forwarding to server 10 and server 20. Ports 135 and 1433 are provided externally to the firewall 30, and correspond to the respective ports of each of server 10 and server 20. For example, server 20 may be running Microsoft SQL on port 1433, and server 10 may be running Microsoft RPC services on port 135. In order to make those services available to legitimate users, external port 135 and external port 1433 are typically made visible to any legitimate user. Normally, only authenticated users can access the services through the firewall 30. However, if the application has a security flaw that may be exploited, a non-authenticated user may exploit the flaw without proceeding through authentication. As such, it would be desirable to provide a computer security system that allows access to network resources for authenticated users without exposing those resources to the non-authenticated users (e.g., in the case of the Internet and the general public). SUMMARY OF THE INVENTION According to an exemplary embodiment of the present invention, a method of providing an authenticated user with access to a computer system and restricting an unauthenticated user from access to the computer system is provided. The method includes mapping a plurality of internal IP (i.e., Internet protocol) addresses and port numbers associated with the computer system to a respective plurality of external IP addresses and port numbers. 
The method also includes determining whether a user is authenticated for access to external IP addresses and port numbers. The method also includes providing at least one of the external IP addresses and port numbers to an authenticated user of the computer system in response to a request from the authenticated user such that the authenticated user may access at least one resource of the computer system. The method also includes restricting access to the external IP addresses and port numbers from a non-authenticated user of the computer system. According to another exemplary embodiment of the present invention, a method of restricting visibility of internal IP addresses and port numbers associated with a network device to prevent unauthorized access of the network device by users of the network device is provided. The method includes mapping a plurality of the internal IP addresses and port numbers associated with the network device to a respective plurality of external IP addresses and port numbers, allowing visibility of a selected one or ones of external IP addresses and port numbers to authenticated users, and restricting visibility of the internal IP addresses and port numbers to all users by replacing an internal IP addresses and port numbers with a corresponding, mapped external IP address and port number in communication packets forwarded to a respective user. In another exemplary embodiment of the present invention, a computer system is provided. The computer system includes a microprocessor and a computer readable medium. The computer readable medium includes computer program instructions which cause the computer system to implement the above-described method of providing an authenticated user with access to a computer system and restricting an unauthenticated user from access to the computer system. In yet another exemplary embodiment of the present invention, a computer readable carrier including computer program instructions is provided. 
The computer program instructions cause a computer system to implement the above-described method of providing an authenticated user with access to a computer system and restricting an unauthenticated user from access to the computer system.

BRIEF DESCRIPTION OF THE DRAWINGS

Exemplary embodiments of the invention will be described with reference to the drawings, of which: Figure 1 is a block diagram illustrating a portion of a computer network protected by a conventional firewall; Figure 2 is a block diagram illustrating a single-homed port forwarding system for mapping external network addresses to internal network addresses useful in connection with an exemplary embodiment of the present invention; Figure 3 is a block diagram illustrating a multi-homed port forwarding system for mapping external network addresses to internal network addresses useful in connection with an exemplary embodiment of the present invention; Figure 4 is a block diagram illustrating another multi-homed port forwarding system for mapping external network addresses to internal network addresses useful in connection with an exemplary embodiment of the present invention; and Figure 5 is a flow diagram illustrating a computer system security process in accordance with an exemplary embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

Preferred features of selected embodiments of this invention will now be described with reference to the figures. It will be appreciated that the spirit and scope of the invention is not limited to the embodiments selected for illustration. It is contemplated that any of the embodiments described hereafter can be modified within the scope of this invention. The present invention relates to computer system security. U.S. patent application 10/423,444, filed April 25, 2003, entitled "COMPUTER SECURITY SYSTEM," also relates to computer system security, and is incorporated by reference herein in its entirety.
Generally, the present invention relates to a security system that provides an authenticated user with access to at least a portion of the external port numbers and IP addresses that are mapped to the internal port numbers and IP addresses. The external port numbers and IP addresses are not visible to each and every individual who requests the data. Rather, after receiving a request from an authenticated user, the user is provided with access data (i.e., a corresponding portion of the external port numbers and IP addresses) based on the authenticated user's identity or classification. If the user is non-authenticated, the access data is not provided, and the request may simply be ignored. Through the various exemplary embodiments disclosed herein, a security system for information is provided. Additionally, methods of providing access to information, and restricting access to information, using the security system, are also disclosed. The disclosed invention is particularly suited to the security of network environments accessed remotely through a network connection; however, directly accessed computers are contemplated as well. According to an exemplary embodiment of the present invention, access to a network service is provided to an authenticated user, and the network service is not exposed to unauthorized users. Certain embodiments of the invention may also incorporate an arbitrary multi-homed port forwarding scheme. According to certain exemplary embodiments of the present invention, a communications packet is sent to the security system from an external source (e.g., a user). A determination is made as to whether the communications packet originated from a session owned by an authenticated user. If the user is authenticated to access at least one resource of the protected system, a session and a session identifier are established such that the authenticated user has access to the at least one resource.
A communications packet is passed or rejected depending upon whether or not the packet is addressed to a resource permitted by the user's authentication. According to certain exemplary embodiments of the present invention, the time elapsed after receiving a communications packet from a user during the session is calculated. The session is terminated upon the calculated time exceeding a predetermined value. When used in conjunction with a network, the security system may control the visibility of network resources to remote users of that network. The network is configured to provide a set of external IP addresses and port numbers through which communication is forwarded to a set of internal IP addresses and port numbers. The mapping of IP addresses and port numbers can be arbitrary. However, the security system acts as an umbrella over the remotely accessed network. According to an exemplary embodiment of the present invention, all connectivity to the protected network must pass through the security system. Additionally, the security system may monitor for connections on only 1 IP address and 1 port. Thus, no network resources are exposed to remote computers. A user must log into the network before the network resources are made visible. In certain exemplary embodiments, because the user can only view the origination IP address and port number, nothing within the network is exposed to the user prior to sign on to the network (e.g., sign on enables the user to sign in once and be automatically signed into other applications when the user uses them). All communication between the user and the network may also be encrypted so as to hide the communications from other authenticated and non-authenticated users (including users connected via the Internet).
As such, after log in, if a user has permission to access resources/applications on the network, IP addresses and port numbers to the application servers (e.g., servers that allow users to run applications residing on the server from a remote location) that include the desired resources/applications are sent to the user. The security system of the present invention may include a number of features to ensure that once a user (i.e., the person accessing an object) is logged in, the user only has access to what he/she has been granted access to. For example, in certain embodiments, the security system controls access to resources based on information related to user identity, group identity, permissions (i.e., rules permitting access to perform a specific action on an object), and objects (i.e., an entity that can have actions performed on it by a user). Users may belong to a group, and users and groups are given permissions to access objects. Further, a page, application, web service, or document may be used to accomplish a delegation of access privileges. Permissions to access objects are assigned to a user or to a group for an object, relating the user, group, and object together. A record giving a user access to an object may include, for example, a permission ID, a user ID (i.e., a unique identifier representing a single user), and/or an object ID (i.e., a unique identifier representing any object which can have permissions associated with it). Similarly, to grant a group of users the same permission, the record may contain the permission ID, the group ID (i.e., a unique identifier representing a single group of users), and/or the object ID. In the same way that a user belongs to a group, a record exists that relates a user ID to a group ID. This allows permission to access an object to be granted to a group or to a user, while at the same time requiring permission to be granted in order for the access to be permitted.
According to aspects of the present invention, when a user attempts to access a protected object, a number of actions take place to determine what the user is permitted to do to an object. On any object and for any action, the system may first check to determine the group that the current user belongs to, and the relationship of the group to the permissions required to perform the desired action. If this check is not successful (i.e., the user does not belong to the group having the permissions required), the system may continue to determine if the user is related to the permission required to perform the action. If neither of the above cases is true (i.e., the user does not belong to the group having the permissions required, or otherwise, the user does not have the permissions required), the user is denied access. If one or both cases is true, the action is performed. For example, the action could include viewing an object, modifying the content of an object, approving an object, creating an object, deleting an object, or any other appropriate action. The security system of the present invention may use cookies and a unique ID (e.g., a session ID) to maintain state with a user of a normal connection, such as an HTTP connection or a secure socket layer connection (i.e., a standard connection for communicating securely over the Internet in which all communications are encrypted using a high level of encryption). After logging into the security system a dynamic session ID is assigned to the user, and the session ID may be stored on the client computer in the form of a cookie. The session ID cookie exists, unless dynamically changed through the completion of an interaction, until the user closes the application that houses the cookie. As described above, a timeout feature may also be provided whereby the expiration of a predetermined period of inactivity is used to determine when the session (and the session ID) should be terminated. 
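As an added example written for this page (not the applicant's implementation), the following Python models the permission records described above (permission ID, user ID or group ID, object ID, and user-to-group membership records) and performs the two-stage check in the order the text gives: group relationship first, then the user's own relationship, with denial when neither holds. All IDs and sample records are constructed.

```python
"""Constructed permission model for the group-then-user access check."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Actions named in the text; a permission ID here is simply the action name.
VIEW, MODIFY, APPROVE, CREATE, DELETE = "view", "modify", "approve", "create", "delete"


@dataclass(frozen=True)
class PermissionRecord:
    """Relates a permission ID and an object ID to either a user ID or a
    group ID (exactly one of the two is set)."""
    permission_id: str
    object_id: str
    user_id: Optional[str] = None
    group_id: Optional[str] = None

    def __post_init__(self) -> None:
        if (self.user_id is None) == (self.group_id is None):
            raise ValueError("record must name exactly one of user_id / group_id")


@dataclass
class AccessControl:
    records: List[PermissionRecord] = field(default_factory=list)
    # "user belongs to group" records: user ID -> group IDs
    memberships: Dict[str, Set[str]] = field(default_factory=dict)

    def add_member(self, user_id: str, group_id: str) -> None:
        self.memberships.setdefault(user_id, set()).add(group_id)

    def grant_user(self, user_id: str, permission_id: str, object_id: str) -> None:
        self.records.append(PermissionRecord(permission_id, object_id, user_id=user_id))

    def grant_group(self, group_id: str, permission_id: str, object_id: str) -> None:
        self.records.append(PermissionRecord(permission_id, object_id, group_id=group_id))

    def group_permits(self, user_id: str, permission_id: str, object_id: str) -> bool:
        """First check: does any group the user belongs to hold the permission?"""
        groups = self.memberships.get(user_id, set())
        return any(r.group_id in groups
                   and r.permission_id == permission_id
                   and r.object_id == object_id
                   for r in self.records if r.group_id is not None)

    def user_permits(self, user_id: str, permission_id: str, object_id: str) -> bool:
        """Second check: is the user directly related to the permission?"""
        return any(r.user_id == user_id
                   and r.permission_id == permission_id
                   and r.object_id == object_id
                   for r in self.records if r.user_id is not None)

    def is_permitted(self, user_id: str, permission_id: str, object_id: str) -> bool:
        """Default deny: the action is performed only if one or both checks pass."""
        if self.group_permits(user_id, permission_id, object_id):
            return True
        return self.user_permits(user_id, permission_id, object_id)


def build_sample() -> AccessControl:
    """Constructed records: group 'finance' may view doc-42; bob alone may modify it."""
    acl = AccessControl()
    acl.add_member("alice", "finance")
    acl.add_member("bob", "sales")
    acl.grant_group("finance", VIEW, "doc-42")
    acl.grant_user("bob", MODIFY, "doc-42")
    return acl
```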
During the user's session, the inactivity/timeout period is continually updated. The timeout period is set by resources in the network, and if the user does not perform an action/interaction within the predetermined timeout period (i.e., the period set by the network resources), the session is terminated by deleting it from those same resources in the network. This allows a high level of security because no meaningful information is stored on the user's computer. Further, even if someone does gain access to the user's computer, after the timeout period has expired, any information that might be stored in a cookie on the user's computer is no longer valid. In certain embodiments of the present invention, after the user has logged in, a number of checks may take place each time the user moves within the system in order to determine what resources the user can access. For example, the security system determines the identity of the user accessing the system. The session may be validated by checking the user ID against a database of user IDs on the network. If a session ID does not exist, the session is invalid, and the user is forced to log in before accessing the system. If the session ID does exist, the system retrieves the associated user ID and continues to perform whatever actions are necessary to finish displaying the approved information. Through various exemplary embodiments, the process of accessing a resource (e.g., an application) on a remote server begins with the user logging into the security system (e.g., logging in using single sign on software that logs the user directly into the security system). Once logged in, the user can run client applications that connect to applications hosted on the application server and view objects if the client applications have been pre-configured with the addresses of the application servers.
If the client applications have not been pre-configured with the addresses of the application servers, the user can be provided with a unique token that provides a single use link to the application server. The token either contains the information required to connect to the application server or retrieves the information required to connect to the application server. The client application then connects to the application server, and the application server then displays all objects and applications approved for the user. The figures described herein illustrate a security system whose architecture may utilize common programming languages. This security system contemplates the desire to provide secure access to all remote applications, software, and content. The security system also contemplates and provides embodiments that do not require installation of the services on the remote user's device. In certain exemplary embodiments, by utilizing common industry standards, the security system architecture can provide an efficient and meaningful security solution without the overhead of extra or robust hardware. The security system architecture can operate with any number of application services or terminal services installed either on the local physical server, or in a configuration utilizing outside objects from remote servers or locations. By aggregating these objects, the end user is provided with desirable services defined by their current role in one location with a reduced investment in hardware. This architecture allows for different and interchangeable service delivery options. The system provides the end user with access to the services for which they have been granted access. As such, a more productive end user specific service is provided that, while unique to each and every user, also contemplates and mitigates the security risks associated with remote access to a multiple user network (e.g., a corporate network). 
The security system of the present invention may be implemented in a number of mediums. For example, the system can be installed on an existing computer system/server as software. Further, the system can operate on a stand-alone computer system (e.g., a security server) that is installed between another computer system (e.g., an application server) and an access point to another computer system. Further still, the system may operate from a computer readable carrier (e.g., solid state memory, optical disk, magnetic disk, radio frequency carrier wave, audio frequency carrier wave, etc.) that includes computer instructions (e.g., computer program instructions) related to the security system.

The present invention relates to mapping external IP addresses and port numbers to internal network resources. Figures 2-4 illustrate various exemplary port mapping configurations. Of course, other configurations are contemplated within the scope of the present invention. Figure 2 is a block diagram illustrating a case where all internal network resources 200, 210 and 220 are exposed through a single IP address (i.e., a single-homed port forwarding system). Figure 2 illustrates two client computers 230 and 240 (i.e., with IP addresses 10.0.0.100 and 10.0.0.101, respectively) through which users desire to retrieve applications/resources operating on one of the internal network resources 200, 210 and 220 (i.e., port 23 at IP address 192.168.1.20, port 23 at IP address 192.168.1.21, and port 21 at IP address 192.168.1.22). IP address 10.0.0.20 is the address of security system 250 in accordance with the exemplary aspects of the present invention, through which access to the internal network resources 200, 210, 220 is accomplished. Each of the port numbers and IP addresses of each of the internal network resources 200, 210 and 220 is mapped to a corresponding external port number and IP address. The external IP address 10.0.0.20 port 23 is mapped to the internal IP address 192.168.1.20 port 23. The external IP address 10.0.0.20 port 2323 is mapped to the internal IP address 192.168.1.21 port 23. The external IP address 10.0.0.20 port 21 is mapped to the internal IP address 192.168.1.22 port 21. Because this exemplary port mapping scheme exposes only a single IP address, services using the same port are mapped to different ports. More specifically, certain services running on 192.168.1.20 and 192.168.1.21 are each on port 23; however, because of the mapping, one of them is externally seen on port 2323 at IP address 10.0.0.20. Mapping services to non-standard ports can help disguise the nature of the service to unauthorized users.

Figure 3 is a block diagram illustrating a case where all internal network resources 300, 310 and 320 are mapped to external IP addresses using the same port number. It is sometimes desirable to keep port numbers constant to be compatible with client applications. In this exemplary configuration, multiple IP addresses are used (i.e., by the security system 330) so that the port numbers can remain the same. To the outside world (e.g., users, the Internet, etc.) there appears to be more than one machine (i.e., security system 330) because of the multiple IP addresses (10.0.0.20 and 10.0.0.21). The external IP address 10.0.0.20 port 21 is mapped to the internal IP address 192.168.0.21 port 21. The external IP address 10.0.0.20 port 1433 is mapped to the internal IP address 192.168.0.22 port 1433. The external IP address 10.0.0.20 port 23 is mapped to the internal IP address 192.168.0.20 port 23. The external IP address 10.0.0.21 port 23 is mapped to the internal IP address 192.168.0.21 port 23. The external IP address 10.0.0.21 port 21 is mapped to the internal IP address 192.168.0.22 port 21. The external IP address 10.0.0.21 port 80 is mapped to the internal IP address 192.168.0.20 port 80. Figure 3 illustrates the two client computers 230 and 240 (i.e., with IP addresses 10.0.0.100 and 10.0.0.101, respectively) through which users desire to retrieve applications/resources operating on one of the internal network resources 300, 310 and 320.
Figure 4 is a block diagram illustrating a case where the internal network resources 400, 410, 420 and 430 are mapped to more than one external IP address and the port numbers are not consistent. Multiple IP numbers are used (thereby appearing to be more than one machine), but no effort is made to keep the port numbers the same. This represents a more flexible port mapping scheme than those illustrated in Figures 2-3. This is because there are two levels of re-mapping. More specifically, the internal IP addresses are mapped to one of the external IP addresses of the security system S2 server 440 (i.e., 10.0.0.20 and 10.0.0.21) and the internal port numbers are mapped to one of the external port numbers. The external IP address 10.0.0.20 port 80 is mapped to the internal IP address 192.168.0.20 port 80. The external IP address 10.0.0.20 port 21 is mapped to the internal IP address 192.168.0.22 port 21. The external IP address 10.0.0.20 port 4000 is mapped to the internal IP address 192.168.0.23 port 21. The external IP address 10.0.0.20 port 23 is mapped to the internal IP address 192.168.0.21 port 23. The external IP address 10.0.0.20 port 1433 is mapped to the internal IP address 192.168.0.23 port 1433. The external IP address 10.0.0.21 port 23 is mapped to the internal IP address 192.168.0.20 port 23. The external IP address 10.0.0.21 port 21 is mapped to the internal IP address 192.168.0.21 port 21. The external IP address 10.0.0.21 port 1433 is mapped to the internal IP address 192.168.0.22 port 1433. Figure 4 illustrates one client computer 230 (i.e., with IP address 10.0.0.100) through which users desire to retrieve applications/resources operating on one of the internal network resources 400, 410, 420 and 430.

Regardless of how port mapping is accomplished, network resources may still be exposed to unauthenticated users. Thus, the communications process is modified, for example, as illustrated in Figure 5. The process starts with an incoming packet. At step 1, a determination is made as to whether the incoming packet is part of an existing session. If it is part of an existing session (Yes), the process proceeds to step 2. If it is not part of an existing session (No), the process proceeds to step 3. At step 2, a determination is made as to whether the packet is addressed to an IP address and port number that is permitted for that session. If the packet is targeted for a permitted location (Yes), the packet is accepted and forwarded. If the packet is targeted for a forbidden location (No), the packet is dropped. At step 3, a determination is made as to whether the packet is a new connection request and is addressed to a designated IP address and port number. If the packet is not a new connection request targeted to the designated IP address and port number (No), the packet is dropped. If the packet is a new connection request and is addressed to the designated IP address and port number (Yes), the process proceeds to step 4. At step 4, the connection is established, and user authentication is requested. At step 5, user authentication is checked. If the user is not authenticated (No), the connection is closed. If the user is authenticated (Yes), a new session is created. Additionally, a timeout limit for a session may also be provided.
The timeout process may be accomplished by checking the last received packet of the session against a set timeout period. When a packet is received, the system checks to see if the time elapsed between packets within the current session is greater than the predetermined timeout period. If the calculated time exceeds the timeout period, the packet is dropped, the established session is destroyed, and the user must re-authenticate before being permitted to access any resources on the network.

The security system and the methods of hiding network resources from unauthenticated users disclosed herein have diverse applicability in a range of markets including financial services, horizontal wireless LAN (e.g., wireless sales force automation and contractor services), and government regulated markets such as banking and healthcare. However, these are merely exemplary applications: the present invention is not limited thereto. Although the present invention has been largely described in terms of a user attempting to connect to a resource/application on a computer system (e.g., an application server), it is not limited thereto. As described herein, for example, the present invention may be embodied in software, in a machine (e.g., a computer system, a microprocessor based appliance, etc.) that includes software in memory, or in a computer readable carrier configured to carry out the protection scheme (e.g., in a self contained silicon device, a solid state memory, an optical disk, a magnetic disk, a radio frequency carrier wave, an audio frequency carrier wave, etc.). Further, when the present invention is embodied in a user connecting to a remote system to access a resource, the remote system is not limited to an application server, and the resource is not limited to an application on an application server.
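As an added example written for this page (not the applicant's code), the following Python runs the Figure 5 decision steps over the Figure 4 mapping table and applies the inactivity timeout described above; it also shows the inverse table used to replace internal IP:port values with their external counterparts in packets returned to a user. The designated login endpoint (port 443), the credential store, the client port and the per-user endpoint lists are constructed assumptions the page does not specify.

```python
"""Constructed model of the Figure 5 packet decision process with the Figure 4 port map."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (IP address, port number)

# Figure 4: external IP:port on the security system -> internal IP:port.
PORT_MAP: Dict[Endpoint, Endpoint] = {
    ("10.0.0.20", 80): ("192.168.0.20", 80),
    ("10.0.0.20", 21): ("192.168.0.22", 21),
    ("10.0.0.20", 4000): ("192.168.0.23", 21),
    ("10.0.0.20", 23): ("192.168.0.21", 23),
    ("10.0.0.20", 1433): ("192.168.0.23", 1433),
    ("10.0.0.21", 23): ("192.168.0.20", 23),
    ("10.0.0.21", 21): ("192.168.0.21", 21),
    ("10.0.0.21", 1433): ("192.168.0.22", 1433),
}
# Inverse table (internal -> external): every Figure 4 internal endpoint is
# reached from exactly one external endpoint, so the inversion is unambiguous.
REVERSE_MAP: Dict[Endpoint, Endpoint] = {v: k for k, v in PORT_MAP.items()}

# The single IP address and port on which new connections are accepted
# (constructed value; the page names no specific login port).
LOGIN_ENDPOINT: Endpoint = ("10.0.0.20", 443)


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint
    new_connection: bool = False        # a connection request (step 3)
    credentials: Optional[str] = None   # carried only on the login request


@dataclass
class Session:
    user: str
    allowed: Set[Endpoint]   # external IP:ports given to this user after log in
    last_seen: float         # time of the last packet, for the inactivity timeout


class SecuritySystem:
    def __init__(self, authenticate: Callable[[Optional[str]], Optional[str]],
                 access_data: Dict[str, Set[Endpoint]], timeout: float) -> None:
        self.authenticate = authenticate   # credentials -> user ID, or None
        self.access_data = access_data     # user ID -> permitted external endpoints
        self.timeout = timeout
        self.sessions: Dict[Endpoint, Session] = {}  # keyed by client IP:port

    def handle(self, pkt: Packet, now: float) -> Tuple[str, object]:
        """Apply steps 1-5 of Figure 5 to one packet and return the decision."""
        sess = self.sessions.get(pkt.src)
        if sess is not None:                                  # step 1: Yes
            if now - sess.last_seen > self.timeout:           # inactivity timeout
                del self.sessions[pkt.src]
                return ("DROP", "session timed out; user must re-authenticate")
            sess.last_seen = now
            if pkt.dst in sess.allowed and pkt.dst in PORT_MAP:   # step 2
                return ("FORWARD", PORT_MAP[pkt.dst])         # to internal IP:port
            return ("DROP", "destination not permitted for this session")
        # step 3: without a session, only a connection request to the
        # designated IP:port is accepted; everything else is dropped.
        if not (pkt.new_connection and pkt.dst == LOGIN_ENDPOINT):
            return ("DROP", "no session and not a login request")
        user = self.authenticate(pkt.credentials)             # steps 4 and 5
        if user is None:
            return ("CLOSE", "authentication failed")
        self.sessions[pkt.src] = Session(user, self.access_data.get(user, set()), now)
        return ("AUTH", user)


def rewrite_reply_source(internal_src: Endpoint) -> Endpoint:
    """Replace an internal IP:port with its mapped external IP:port before
    a reply is forwarded to the user, so internal addresses stay hidden."""
    return REVERSE_MAP[internal_src]


def demo() -> List[Tuple[str, object]]:
    """Scripted traffic from client computer 230 (10.0.0.100); returns the decisions."""
    def authenticate(cred: Optional[str]) -> Optional[str]:
        return {"alice-secret": "alice"}.get(cred or "")      # constructed store
    ss = SecuritySystem(authenticate,
                        {"alice": {("10.0.0.20", 1433), ("10.0.0.21", 23)}},
                        timeout=300.0)
    client: Endpoint = ("10.0.0.100", 51000)
    login = LOGIN_ENDPOINT
    return [
        ss.handle(Packet(client, ("10.0.0.20", 1433)), 0.0),          # no session
        ss.handle(Packet(client, login, True, "wrong"), 1.0),         # bad login
        ss.handle(Packet(client, login, True, "alice-secret"), 2.0),  # session made
        ss.handle(Packet(client, ("10.0.0.20", 1433)), 3.0),          # forwarded
        ss.handle(Packet(client, ("10.0.0.20", 80)), 4.0),            # not permitted
        ss.handle(Packet(client, ("10.0.0.21", 23)), 400.0),          # timed out
        ss.handle(Packet(client, ("10.0.0.21", 23)), 401.0),          # no session
    ]
```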
As described herein, the remote system may be any remotely accessible microprocessor based device (e.g., a PDA, a personal computer, a network server, etc.), and the resource may be any resource installed on (or accessible through a connection to) the remotely accessible device. Although the present invention is largely described in terms of internal IP addresses being mapped to one or two external IP addresses, it is not limited thereto.
Any desirable number of external IP addresses can be provided. Likewise, the port number configurations disclosed herein are exemplary in nature, and the present invention is not limited thereto. Although the invention is illustrated and described herein with reference to specific embodiments, the invention is not intended to be limited to the details shown.
Rather, various modifications may be made in the details within the scope and range of equivalents of the claims and without departing from the invention.

Claims

What is Claimed: 1. A method of providing an authenticated user with access to a computer system and restricting an unauthenticated user from access to the computer system, said method comprising the steps of: mapping a plurality of internal IP addresses and port numbers associated with the computer system to a respective plurality of external IP addresses and port numbers; determining whether a user is authenticated for access to external IP addresses and port numbers; providing at least one of the external IP addresses and port numbers to an authenticated user of the computer system in response to a request from the authenticated user such that the authenticated user may access at least one resource of the computer system; and restricting access to the external IP addresses and port numbers from a non-authenticated user of the computer system.
2. A method of restricting visibility of internal IP addresses and port numbers associated with a network device to prevent unauthorized access of the network device by users of the network device, said method comprising the steps of: mapping a plurality of the internal IP addresses and port numbers associated with the network device to a respective plurality of external IP addresses and port numbers; allowing visibility of a selected one or ones of external IP addresses and port numbers to authenticated users; and restricting visibility of the internal IP addresses and port numbers to all users by replacing internal IP addresses and port numbers with corresponding, mapped external IP addresses and port numbers in communication packets forwarded to a respective user.
3. The method according to claim 2, wherein the step of mapping of the plurality of the internal IP addresses and port numbers associated with the network device to the respective plurality of external IP addresses and port numbers comprises: mapping each of the IP addresses of each internal network resource to a corresponding external IP address; and maintaining each of the port numbers of each internal network resource to a corresponding external port number.
4. The method according to claim 2, wherein the step of mapping of the plurality of the internal IP addresses and port numbers associated with the network device to the respective plurality of external IP addresses and port numbers comprises: mapping each of the port numbers and IP addresses of each internal network resource to a corresponding external port number and a corresponding external IP address.
5. The method according to claim 2, wherein the step of mapping of the plurality of the internal IP addresses and port numbers associated with the network device to the respective plurality of external IP addresses and port numbers comprises: mapping the internal IP addresses to one of a plurality of external IP addresses; and mapping the internal port numbers to one of a plurality of external port numbers.
6. The method according to claim 2, further comprising the steps of: determining whether a respective communication packet is addressed to a resource permitted to be accessed by the authenticated user; and passing or rejecting the respective communication packet in a communication between the respective user and the network device depending upon a result of the determination.
7. The method according to claim 2, further comprising the steps of: establishing a session for each respective authenticated user; calculating an elapsed time after receiving each respective communication packet from the respective authenticated user during the session; and terminating the session when the calculated elapsed time exceeds a predetermined value.
8. The method according to claim 7, wherein the step of passing or rejecting the respective communication packet in the communication between the respective user and the network device further comprises: passing the respective communication packet to the network device if the respective user has permission to perform a specified action or if the respective user belongs to any group that has permission to perform the specified action; and rejecting the communication packet if the respective user does not have permission to perform the specified action and/or if the respective user does not belong to any group that has permission to perform the specified action by denying access to the network device to prevent performance of the specified action.
9. The method according to claim 7, wherein the step of establishing the session comprises the steps of: establishing a session identifier for each session; and assigning a dynamic session identifier cookie to the respective user to be stored on a computer used by the respective user, the session identifier cookie existing until dynamically changed by completion of the session or until the respective user closes an application that houses the dynamic session identifier cookie.
10. The method according to claim 2, further comprising the step of encrypting all communications between the respective users and the network device.
11. A method of controlling access to a computer system, said method comprising the steps of: determining whether the incoming communication packet from the user is part of an existing session; and if the communication packet is part of the existing session: determining whether the communication packet is addressed to an external IP address and port number that is permitted for the session and, if the communication packet is addressed to the external IP address and port number that is permitted for the session, mapping the external IP address and port number to an internal IP address and port number; and forwarding the communication packet with the internal IP address and port number to the computer system.
12. The method according to claim 11, further comprising the step of: if the communication packet is not part of the existing session or if the communication packet is addressed to an unauthorized location, dropping the communication packet such that the communication packet is not permitted to be forwarded to the computer system.
13. The method according to claim 12, further comprising the steps of: determining whether the incoming communication packet from the user is a new connection request and is addressed to a designated external IP address and port number; if the packet is not the new connection request or is not addressed to the designated external IP address and port number, dropping the packet such that the communication packet is not permitted to be forwarded to the computer system; and if the packet is the new connection request and is addressed to the designated external IP address and port number, establishing the new connection.
14. The method according to claim 13, further comprising the steps of: checking the requested user authentication; if the user is not authenticated, terminating the new connection; and if the user is authenticated, creating a session.
15. The method according to claim 11, further comprising the steps of: setting a timeout limit for the session; and checking a time elapse between a last received communication packet and the just previously received communication packet against the set timeout limit such that if the elapsed time exceeds the set timeout limit, the last received communication packet is dropped and the existing session is terminated.
16. The method according to claim 15, wherein if the elapsed time exceeds the set timeout limit, enabling access to any resources on the computer system only after re-authentication of the user.
17. A network security device for restricting visibility of internal IP addresses and port numbers associated with a network device to prevent unauthorized access of the network device by users of the network device, the network security device comprising: a processor to map a plurality of the internal IP addresses and port numbers associated with the network device to a respective plurality of external IP addresses and port numbers, to allow visibility of a selected one or ones of external IP addresses and port numbers to authenticated users, and to restrict visibility of the internal IP addresses and port numbers to all users by replacing internal IP addresses and port numbers with corresponding mapped external IP addresses and port numbers in communications between a respective user and the network device.
18. The network security device according to claim 17, wherein access to only one external IP address and one port number of the network security device is allowed to establish authentication of a respective user.
19. A computer system comprising: a microprocessor; and a computer readable medium including computer program instructions which cause the computer system to implement a method of providing an authenticated user with access to a computer system and restricting an unauthenticated user from access to the computer system, the method comprising the steps of: mapping a plurality of internal IP addresses and port numbers associated with the computer system to a respective plurality of external IP addresses and port numbers; determining whether a user is authenticated for access to external IP addresses and port numbers; providing at least one of the external IP addresses and port numbers to an authenticated user of the computer system in response to a request from the authenticated user such that the authenticated user may access at least one resource of the computer system; and restricting access to the external IP addresses and port numbers from a non-authenticated user of the computer system.
20. A computer readable carrier including computer program instructions which cause a computer to implement a method of providing an authenticated user with access to a computer system and restricting an unauthenticated user from access to the computer system, the method comprising the steps of: mapping a plurality of internal IP addresses and port numbers associated with the computer system to a respective plurality of external IP addresses and port numbers; determining whether a user is authenticated for access to external IP addresses and port numbers; providing at least one of the external IP addresses and port numbers to an authenticated user of the computer system in response to a request from the authenticated user such that the authenticated user may access at least one resource of the computer system; and restricting access to the external IP addresses and port numbers from a non-authenticated user of the computer system.
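The flow claimed in claims 13 through 20 (a single designated external endpoint open for new connection requests, every other unauthenticated packet dropped, session creation on successful authentication, an inactivity timeout that ends the session and forces re-authentication, and replacement of internal IP:port pairs by their mapped external pairs in traffic sent to the user) as an added Python model; this is not code from the patent or from Applied Identity, and the addresses, port numbers, credentials and the 300-second timeout are constructed values.

```python
"""Gateway model of the claimed scheme: internal (ip, port) endpoints are only
ever exposed through mapped external (ip, port) pairs, and those are revealed
only to sessions that have authenticated through the one designated endpoint."""
from dataclasses import dataclass, field

AUTH_ENDPOINT = ("203.0.113.10", 443)  # constructed: the single external endpoint open to everyone
SESSION_TIMEOUT = 300.0                # constructed: seconds of silence before re-authentication


@dataclass
class Packet:             # constructed minimal packet model
    user: str
    dst: tuple            # (external ip, port) the user addressed
    syn: bool             # True for a new connection request
    ts: float             # arrival time in seconds
    credential: str = ""


@dataclass
class Gateway:
    mapping: dict                                 # internal (ip, port) -> external (ip, port)
    valid_credentials: dict                       # constructed auth backend: user -> credential
    sessions: dict = field(default_factory=dict)  # user -> timestamp of last accepted packet

    def handle(self, pkt: Packet) -> str:
        """Claims 13-16; returns 'drop', 'auth-failed', 'session', 'forward' or 'timeout'."""
        if pkt.user in self.sessions:
            if pkt.ts - self.sessions[pkt.user] > SESSION_TIMEOUT:
                del self.sessions[pkt.user]       # claims 15/16: drop packet, end session, force re-auth
                return "timeout"
            self.sessions[pkt.user] = pkt.ts
            return "forward" if pkt.dst in self.mapping.values() else "drop"
        if not pkt.syn or pkt.dst != AUTH_ENDPOINT:  # claim 13: only new connections to the designated endpoint
            return "drop"
        if self.valid_credentials.get(pkt.user) != pkt.credential:
            return "auth-failed"                  # claim 14: terminate the new connection
        self.sessions[pkt.user] = pkt.ts          # claim 14: create the session
        return "session"

    def visible_endpoints(self, user: str) -> list:
        """Claims 19/20: authenticated users see external pairs only; others see nothing."""
        return sorted(self.mapping.values()) if user in self.sessions else []

    def rewrite(self, text: str) -> str:
        """Claim 17: replace internal ip:port with the mapped external ip:port in traffic to the user."""
        for (iip, iport), (eip, eport) in self.mapping.items():
            text = text.replace(f"{iip}:{iport}", f"{eip}:{eport}")
        return text
```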
PCT/US2004/041958 2003-12-16 2004-12-15 Computer security system WO2005062233A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US53001303P 2003-12-16 2003-12-16
US60/530,013 2003-12-16

Publications (2)

Publication Number Publication Date
WO2005062233A2 true WO2005062233A2 (en) 2005-07-07
WO2005062233A3 WO2005062233A3 (en) 2005-08-25

Family

ID=34710152

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2004/041958 WO2005062233A2 (en) 2003-12-16 2004-12-15 Computer security system

Country Status (1)

Country Link
WO (1) WO2005062233A2 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6061798A (en) * 1996-02-06 2000-05-09 Network Engineering Software, Inc. Firewall system for protecting network elements connected to a public network
EP1035702A2 (en) * 1999-03-04 2000-09-13 Sun Microsystems, Inc. Secure communication with mobile hosts
US20030009561A1 (en) * 2001-06-14 2003-01-09 Sollee Patrick N. Providing telephony services to terminals behind a firewall and /or network address translator
US20030043740A1 (en) * 2001-06-14 2003-03-06 March Sean W. Protecting a network from unauthorized access
US20030154399A1 (en) * 2002-02-08 2003-08-14 Nir Zuk Multi-method gateway-based network security systems and methods
US20030200318A1 (en) * 2002-03-29 2003-10-23 Realtek Semiconductor Corp. Apparatus and method for NAT/NAPT session management

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007076883A1 (en) * 2005-12-30 2007-07-12 Telecom Italia S.P.A. Method and system for secure communication between a public network and a local network
US8274979B2 (en) 2005-12-30 2012-09-25 Telecom Italia S.P.A. Method and system for secure communication between a public network and a local network
CN112565287A (en) * 2020-12-18 2021-03-26 深信服科技股份有限公司 Asset exposure surface determining method and device, firewall and storage medium
CN112565287B (en) * 2020-12-18 2023-05-12 深信服科技股份有限公司 Asset exposure surface determination method, device, firewall and storage medium

Also Published As

Publication number Publication date
WO2005062233A3 (en) 2005-08-25

Similar Documents

Publication Publication Date Title
US9781114B2 (en) Computer security system
US7644434B2 (en) Computer security system
US7383573B2 (en) Method for transparently managing outbound traffic from an internal user of a private network destined for a public network
US10542006B2 (en) Network security based on redirection of questionable network access
US10382436B2 (en) Network security based on device identifiers and network addresses
US11190493B2 (en) Concealing internal applications that are accessed over a network
US10764264B2 (en) Technique for authenticating network users
US7861285B2 (en) System, method and computer program product for authenticating users using a lightweight directory access protocol (LDAP) directory server
US7886335B1 (en) Reconciliation of multiple sets of network access control policies
US20030217148A1 (en) Method and apparatus for LAN authentication on switch
US8191131B2 (en) Obscuring authentication data of remote user
US20140289830A1 (en) Method and system of a secure access gateway
US20100138910A1 (en) Methods for encrypted-traffic url filtering using address-mapping interception
US20050138417A1 (en) Trusted network access control system and method
US8661524B2 (en) Selective desktop control of virtual private networks (VPN's) in a multiuser environment
US20080301801A1 (en) Policy based virtual private network (VPN) communications
AU2003294304B2 (en) Systems and apparatuses using identification data in network communication
US7594268B1 (en) Preventing network discovery of a system services configuration
WO2005062233A2 (en) Computer security system
WO2009005698A1 (en) Computer security system
US10560478B1 (en) Using log event messages to identify a user and enforce policies
Dalwadi Network and Data Security
WO2005067260A1 (en) Method and system for delegating access to computer network resources

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

122 Ep: pct application non-entry in european phase