GB2410401A - A communication apparatus and method - Google Patents

A communication apparatus and method


Publication number
GB2410401A
Authority
GB
United Kingdom
Prior art keywords
communication
communication device
connection
communication connection
server
Legal status
Withdrawn
Application number
GB0401294A
Other versions
GB0401294D0 (en)
Inventor
Stephen Russell George Dakin
Current Assignee
MOBOTEL SOLUTIONS Ltd
Original Assignee
MOBOTEL SOLUTIONS Ltd
Application filed by MOBOTEL SOLUTIONS Ltd
Priority to GB0401294A
Publication of GB0401294D0
Publication of GB2410401A
Status: Withdrawn


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A communication apparatus 100 for making a communication connection between a first communication device 110 and a second communication device 104, in which the first communication device 110 wishes to make a communication connection with the second communication device 104. The second communication device 104 comprises transmitting means 202 for transmitting a request for communication connection. As shown, web servers 112 requiring access to a database server 102 protected by a firewall 106 send requests to a port of a client side redirector or listening device 110 which, when subsequently polled on a different one of its ports by a server side redirector 104 repeatedly trying to open a communication connection, accepts the connection. The connection is thus effectively initiated from the server side and the server port used can be regularly changed to make it harder for a hacker to correctly focus an attack. The invention is particularly applicable where remote office and home workers require computer support services from a corporate headquarters e.g. via GPRS (General Packet Radio Service).

Description

A COMMUNICATION APPARATUS AND METHOD
BACKGROUND OF THE INVENTION
The present invention relates to a communication apparatus and a method of making a communication connection.
Computer systems should be secure from unauthorized access. One way to prevent such unauthorized access is to allow no communication at all from outside the secure area. However, it is often desirable to allow some sort of external access. For example, a remote website can require access to a confidential database within a secure area.
Firewalls are often used as a security device to select who can access resources located behind them. They should allow authorised access to the resource while preventing unauthorized access. However, to access resources behind a firewall, a conventional computer system has to communicate through the firewall. Such a system 10 is illustrated in Figure 1. The system 10 comprises a server 12 (in this example a database server hosting a confidential database at IP (Internet protocol) address 142.107.22.133). (Note that all the IP addresses used in this specification are purely exemplary and are fictitious.) A firewall 14 separates the server 12 from clients 16 (in this example Web servers). A particular client 16 can only communicate to the server 12 if the client provides the firewall 14 with valid authentication such as a user identification and a password. The attempt to open communication is made to the IP address of the server 12 on a known port 18. The port 18 normally used for this type of traffic is well known. If a client is authorised by the firewall, communication is established between the server 12 and the client 16.
In summary, known systems operate as follows.
Referring to Fig 2, database server 12 listens on an IP port, say port 1433. Any client (in this case the web server 16) wishing to communicate with the database server 12 attempts to open a TCP/IP (transmission control protocol/Internet protocol) socket on port number 1433 over the Internet 13 to the IP address (142.107.22.133, in this example) at which the database server 12 resides.
On receiving the incoming request, the database server 12 starts another process (for example, software designed to handle the user requests coming from the web server 16).
This process accepts the incoming connection. The database server 12 thus accepts the incoming connection and the database server 12 carries on listening for incoming connection requests on port 1433.
Thus, 1) the database server 12 is always listening on port 18, 2) web servers 16 wishing to communicate with the database server 12 do so by opening a connection to the database server 12 which has the effect that the database server 12 starts a completely new process running to handle the requests of the web server 16, and 3) the database server 12 may handle many simultaneous client processes, each of which has been initiated in the same way, and which will behave entirely independently once launched.
An example of this type of system is a web site in a DMZ (a so-called demilitarized zone) that updates database information on the far side of a firewall. An example of this is a retailer running a website into which customers enter purchase information; many thousands of businesses run this sort of system. This information is then typically fed into a database for storage on the far side of the firewall. Communication from the web server 16 to the database server 12 to retrieve information relies on rules on the firewall 14 allowing inbound communication through the firewall 14 from the web server 16 to the database server 12.
Communication in this way is the source of many of the security breaches experienced by corporations.
The same problem as that described above is encountered when remote broadband users connect through firewalls to corporate networks around the world.
We have appreciated that security flaws in the present system are caused by the firewall 14 having to be configured to allow incoming connections. This is because, by allowing communication through the firewall 14 in this way, a vulnerable access point is provided which can be exploited by unauthorized users.
Furthermore, in conventional systems, communication through the firewall 14 takes place on one port 18 only or on one from a small set of ports. This increases the vulnerability of the system because an unauthorized attack can be concentrated on the port or ports 18 where communication through the firewall 14 is most likely to occur. In some systems, the port 18 used is regularly changed so that it is harder for an unauthorized user to correctly focus an attack. However, there is only a small set of ports that can be used and as such this vulnerability is only somewhat reduced.
An increase in communication traffic often signifies an unauthorized attack on a server 12. An intrusion detection device can be used which detects this change in traffic and can warn that an unauthorized attack may be underway. The intrusion detection device would be located in a DMZ (demilitarized zone) outside the area protected by the firewall 14. Nevertheless, such security systems can still be penetrated by an unauthorized user.
It is desirable to be able to initiate a communication connection to a remote device where the IP address of the remote device is indeterminable. This need has become particularly apparent with the growth in broadband communications and the increase in remote office and home workers who require, for example, computer support services. Software such as "PC Anywhere" or "Remote Desktop" is typically used to connect from a support person's device at base such as, for example, a corporate headquarters to another given IP address across a local area network (LAN). This allows a support person to access a remote device and thus provide support services for it. However, if the remote device is not part of the same LAN as the support person's device, the support person's device cannot find the IP address of the remote device. This is because 1) firewalls and routers stand between the devices, and 2) the address of the remote device is floating, i.e. unknown. Hence, remote access support services cannot be offered to remote users. If a remote device requires technical support, the support person must visit the remote device to take control of the device. This is expensive both because of the time taken for a support person to visit a remote device and the work time lost due to the problems with the remote device.
It is desirable to make a connection from corporate applications to a mobile device in order to send update data to the mobile device. However, in known systems the corporate applications cannot map to the remote device. This is because IP addresses are dynamically assigned to remote devices and cannot be found by the corporate applications because the network obscures them.
In some PC (personal computer) systems, it is desirable to be able to form a communication connection from a control centre located at a site remote from the PC. However, in some systems, such as those whose only form of external communication is via GPRS (General Packet Radio Service), a remote communication connection cannot be made to the system because a GPRS system does not allow a connection to be made to it. The GPRS device has to request and form the communication connection itself.
In a particular system, PCs are installed remotely from a server. They can only communicate outwardly using GPRS. The PCs can set-up a connection to the remote server in a control centre to report. However, the control centre server cannot establish a connection with the PC itself which is useful if, for example, the PC malfunctions. Normally, in this situation, an engineer would have to visit the PC on-site. Since PCs can be spread out over a large distance this can be very inconvenient.
SUMMARY OF THE INVENTION
The invention in its various aspects is defined in the independent claims below, to which reference should now be made. Advantageous features are set forth in the appendant claims.
A preferred communication apparatus embodying the present invention, described in more detail below, includes a communication apparatus for making a communication connection between a first communication device and a second communication device, in which the first communication device wishes to make a communication connection with the second communication device. The second communication device comprises transmitting means for transmitting a request for communication connection.
In one embodiment, the second communication device further comprises polling means for periodically transmitting a signal to determine that a communication connection between the first communication device and the second communication device is valid.
As described above, in a conventional system, for a first communication device to form a communication connection to a second communication device, a request for communication connection is made from the first communication device to the second communication device.
In the present invention, the opposite approach is taken, in that, for a communication connection to be made between a first communication device and a second communication device, a request for communication connection is made from the second communication device side to the first communication device side. The second communication device side tries to open a communication connection with the first communication device side and it is the first communication device side that decides whether to accept the communication connection or not depending on whether it wishes to connect.
In an embodiment of the present invention, the "listening socket" is relocated. Typically, communication between a client and a server is initiated by the client trying to "talk" to the server which sits "listening". In this example, the "listening socket" is relocated to outside a firewall and has a process trying to communicate from the secure site out to a very tightly specified client.
The actual nature of the data transmitted is not important. The present system can work in conjunction with current security features, such as firewalls and virtual private networks, allowing a further layer of security on top.
In the present system, the need to tolerate inbound communication rules on a firewall is no longer necessary.
As such, corporations will experience fewer expensive outages due to security breaches or hacking.
The present system allows a base device to provide technical support to remote devices at will. This is achieved by allowing the support person's device to trigger the remote device to provide a return path back and thus connect to a service requiring an inbound connection such as "PC Anywhere" or "Remote Desktop".
One embodiment of the present invention allows a control channel to be established from the remote device to base. A support person's device, for example, is then connected to the remote device and support services can be provided. The control channel can be established at start up and constantly maintained. Alternatively, it can be initiated in response to a requirement for technical support from the remote user. Once established, the control channel can be used to initiate a communication connection which is inbound (base to remote device).
Such a system could also be used for mobile computing devices which connect to corporate applications via networks such as GPRS (General Packet Radio Service), WiFi and 3G (the third generation mobile telephone system). Users include, for example, despatch workers, sales personnel and health workers.
One embodiment of the present invention allows corporate applications to trigger a mobile device at will to provide a return path back from the remote device to the corporate application. This allows the corporate applications to form a channel to send the mobile device update data. Hence, data can be sent to IP based mobile devices without the mobile device needing to initiate the connection. That is to say, new information can be sent to the mobile device rather than the remote user of the mobile device needing to initiate a manual check for possible new data.
BRIEF DESCRIPTION OF THE DRAWINGS
The invention will now be described in more detail, by way of example, with reference to the drawings, in which:
Figure 1 shows a schematic diagram of a prior art system;
Figure 2 shows another schematic diagram of the prior art system of Figure 1;
Figure 3 shows a schematic diagram of a communication system embodying the present invention;
Figures 4 to 8 each show a schematic diagram of the operation of the communication system of Figure 3 at successive time intervals;
Figure 9 shows a schematic diagram of components forming a server side redirector embodying the present invention;
Figure 10 shows a flow chart of steps performed by the server side redirector of Figure 9;
Figure 11 shows a schematic diagram of components forming a client side redirector embodying the present invention;
Figure 12 shows a flow chart of steps performed by the client side redirector of Figure 11;
Figure 13 shows a time line of steps performed by an embodiment of the present invention;
Figures 14 and 15 show time lines of steps performed by alternative embodiments of the present invention; and
Figure 16 shows a schematic diagram of an embodiment of the present invention using GPRS.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
Security Device
The communication apparatus 100 embodying the present invention, shown in Figure 3, comprises a server 102 (which provides a service) identified by IP address 142.107.22.133 and a communication device in the form of a server side redirector 104 identified by IP address 142.107.22.12 on one side of a firewall 106. The parts of the apparatus 100 located on the other side of the firewall 106 comprise a plurality of communication devices in the form of client side redirectors 110 each having one or more authorised clients 112 associated with it. Each redirector or listening device 110 is connected to its associated client 112 by one or more connections 114. Each client side redirector 110 may be connected to one or many clients 112. In the example shown, there are three client side redirectors A1, A2 and A3. A1 is connected to client C1, A2 is connected to client C2 and A3 is connected to clients C3 and C4.
Referring to Figure 4, the web server 16 and the database server 12 are unchanged from the prior art described above in the introduction. However, the client side redirector 110 and the server side redirector 104 have been added, and the web server 16 has been configured so that it thinks that its database server 12 is at IP address 161.131.161.45 i.e. the IP address of the client side redirector 110.
The operation of this system is as follows.
Referring to Figure 5, communication connection is initiated in the same way as the prior art system, that is, by the web server 16 attempting to open a TCP/IP socket on port number 1433 to the IP address on which it thinks the database server 12 resides (in this case, 161.131.161.45).
As shown in Figure 5, the client side redirector 110 is configured to always listen on the port 1433 that is to be redirected so that it appears to behave in an identical way to the database server 12 in the prior art system described above.
Figure 6 shows that on receiving the incoming communication connection request, the client side redirector 110 starts a thread 550 which listens for an incoming communication connection request on a different port (6060 in this case). The thread 550 will ultimately handle all user data associated with the communication connection illustrated here.
The server side redirector 104 is configured to attempt repeatedly to communicate to one or more client side redirectors 110 over the Internet 13, preferably using a virtual private network (VPN). It is thus repeatedly trying to open a communication connection on port 6060 to 161.131.161.45 (the IP address of the client side redirector 110). Once (but only when) the client side redirector 110 starts thread 550, the communication connection will be accepted. At this stage, there is a private data pipe 570 between the client side redirector 110 and server side redirector 104 where, for example, validation and authentication may be performed if required.
As shown in Figure 7, the server side redirector 104 now starts a new thread 560 to handle the communications. The thread 560 is given the open port 6060 of the client side redirector 110. The server side redirector 104 then goes back to attempting to open a communication connection to all the other client side redirectors 110 it is configured to attempt to connect to.
The thread 560 now attempts to open a communication connection to the database server 12 on port 1433. The database server 12 now sees exactly the same thing as it would do if the web server 16 was contained within the database server's local network (not shown). On opening this communication connection, all data from the database server 12 is passed straight to the client side redirector 110, and all data from the client side redirector 110 is passed straight to the web server 16.
Figure 8 shows that the thread 550 accepts the communication connection from the web server 16 and passes all data from the web server 16 to the server side redirector 104 which passes the data to the database server 12 without caring what form the data takes.
The web server 16 and the database server 12 are now connected together to allow communication between them.
Thus it is seen that the communication connection over the Internet 13 was initiated outbound by the server side redirector 104. The client side redirector 110 and the server side redirector 104 run their parts of the communication connection on separate threads 550, 560, allowing for the client side redirector 110 to handle many local clients 16 and for the server side redirector 104 to handle many communication connections from the same or multiple client side redirectors 110. Both threads 550, 560 handle an individual communication connection from web server 16 to the database server 12 and are responsible for closing the other end of their communication path upon termination of a communication connection.
In summary, and referring to Figure 3, in order for a communication connection to be made between an authorised client 112 (for example the client C4 with IP address 161.131.161.12) and the server 102, the server side redirector 104 tries to open a communication connection with each client side redirector 110 in turn, one after the other. If a particular client 112 wishes to connect to the server 102, when the server side redirector 104 asks to connect to the client side redirector 110 associated with the particular client 112 (for example, the client C4 with IP address 161.131.161.12), the client side redirector 110 accepts the communication connection. A communication connection is then made between server side redirector 104 and server 102 via connections 108 and the communication connection between the client 112 and the server 102 is completed.
If the particular client 112 does not wish to connect to the server 102, when the server side redirector 104 requests communication connection to the client side redirector 110 associated with the particular client 112, the client side redirector 110 does not accept the communication connection.
It should be noted that the only reconfiguration that needs to be made to the conventional client 16 is to the IP address it tries to make a communication connection with. In order to make a communication connection with the server 102, the client 16 should be reconfigured to seek a communication connection to the IP address of the client side redirector rather than the IP address of the server. Other than that, as far as the client 16 is aware, it is connecting to a conventional system. The server 102 is the same as the server 12 of the conventional system.
Each component of the system 100 is described in detail below with reference to Figures 9 to 15.
The server side redirector 104 is shown in Figure 9. It comprises a processor 200 which is connected to the server 102 and a transmitting means in the form of a "shouter" 202. The processor 200 also has a connection 204 to the Internet 13. The shouter 202 has a port 206 which can periodically emit a ping to indicate a request for communication connection. The operation of the server side redirector 104 is illustrated in the flow diagram 300 of Figure 10.
In the first stage 302, an attempt is made to open a communication connection with a client side redirector via port 206. A ping is sent periodically from the port 206 to the port 406 (port number 6060) (see Figure 11) of the client side redirector 110. If the communication connection request is accepted, the shouter 202 of the server side redirector 104 first signals to the client side redirector 110 that it is no longer "shouting" (sending pings). This is shown at stage 304.
This is necessary because, as it is desired to handle multiple connections between the client 16 and the server 12, once a client side redirector 110 accepts a client 16, or a server side redirector 104 process associated with it accepts a connection, they must both signal to their respective processors that another process is required to accept the next connection from the client 112. If required, an authentication routine 306 is then run to check that the request has come from an authorised client side redirector 110. If the request is not authentic, the attempt to open a communication connection is terminated 308. If the request is authentic, then a separate server side thread is started in the processor 200. As shown by 310, the thread tries to establish a communication connection from the server side redirector 104 to the port 1433 of the server 102 and the server side redirector 104. If the communication path is closed, the communication connection between the server side redirector 104 and client side redirector is closed (shown at 312). If a communication connection is established to the server 102 then all data coming from and going to the server side redirector 104 from the client side redirector 110 is redirected to and from the server 102. This is shown at 314. In this example, the data is transmitted over the Internet 13 and controlled by the thread operating on the processor 200 (the thread 560 of Figure 7). If either the communication connection between the server side redirector 104 and the server 102 or the communication connection between the server side redirector 104 and the client side redirector 110 is closed, then the other connection is closed and the thread is also terminated at 318.
In this example, the ping sent from the port 206 can be of any time period. Furthermore, in this example, although communication between the client 112 and the server 102 is made using the Internet 13, the present system is communication layer independent and any suitable communication system can be used.
A schematic diagram of a client side redirector 110 is shown in Figure 11. The client side redirector 110 comprises listening means in the form of a listener 400 which is connected to a process initiation device 402 which is connected to a data listener 404. The listener 400 has a port 406 (port number 6060).
The operation of the client side redirector 110 shown in Figure 11 is illustrated in the flow chart 500 of Figure 12.
The listener 400 permanently listens on port 406 for an incoming communication request (see 502 and 504 of Figure 12). If a communication connection has been requested by the client 112 then, when a connection request has been received by the port 406, a new thread (the thread 550 of Figures 6 and 7) is started on the processor 402 which continues to listen for a request for communication connection on a different port. An attempt is then made to set up a private data pipe between the client side redirector 110 and the server side redirector 104 (see stage 506 of Figure 12). If this is not possible, then the communication connection is refused (as shown at 508). If the private data pipe is set up, then a signal is sent to the processor 402 indicating that the original thread is no longer listening for a request for communication connection (stage 510).
Validation and authentication procedures are then carried out through the private data pipe as shown at 512.
Authentication certificates can be used to authenticate the request for communication connection. Encryption keys could also be generated or passed to encrypt the data flow over the Internet 13. By using encryption keys, in some circumstances it may not be necessary to use a virtual private network (VPN) when passing data over the Internet 13. This methodology would require data to not be passed transparently, but to be encrypted at one end, and decrypted at the other end. This simplifies the system because VPNs are complicated particularly when a large number of client sites are involved, as each one requires its own VPN.
If the request for communication connection does not pass the validation and authentication procedure 512, then the communication connection request is refused (508). However, if the validation and authentication procedure 512 is passed, the thread of the server side redirector 110 sends an open signal 514 to the apparently open socket 206 of the client side redirector 104. If the apparently open socket 206 of the client side redirector 104 is in fact closed, then the communication connection is refused 508. However, if the socket 206 is in fact open then the communication connection is complete, and all incoming data to the relevant thread of the server side redirector 110 is passed to the open socket 206 of the client side redirector 104 and handled by the relevant thread. This is shown at step 516.
The communication connection both to and from the client side redirector is monitored to see if it has become closed, 518. If the connection has been closed at either end, the other end is then closed, 520.
In the example given above, only one data listener 400 is shown. In practice, any number of data listeners 400 can be used, each being able to support a communication connection with a server side thread.
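The following script is an added worked example, not code from the patent or from MOBOTEL SOLUTIONS Ltd. It implements on loopback the reverse-connection flow of Figures 5 to 8 and the two flow charts (Figures 10 and 12): a client side redirector that accepts local clients on the redirected port and opens its callback port only while one of them is waiting, a server side redirector ("shouter") that keeps polling that callback port and, once accepted, connects out to the protected service and relays in both directions, and the closing of the other end when either side drops (steps 518/520). The mutual HMAC challenge-response used for the validation step (stages 306 and 512) and the shared secret are assumptions, since the patent only mentions certificates or encryption keys without specifying a scheme; the toy upper-casing service stands in for the database server, ports are ephemeral rather than 1433/6060, and all function names are mine.

```python
import contextlib, hashlib, hmac, os, socket, threading, time

SECRET = b"demo-only-shared-secret"   # constructed stand-in for the keys/certificates of stage 512
_callback_lock = threading.Lock()     # one callback listener at a time (a single data listener 400)

def spawn(fn, *args):
    threading.Thread(target=fn, args=args, daemon=True).start()

def accept_loop(ls, handler):
    """Serve each incoming connection on its own thread (runs for the life of the process)."""
    while True:
        conn, _ = ls.accept()
        spawn(handler, conn)

def shut(*socks):
    """Close sockets so that a thread blocked on either end wakes up (steps 518/520)."""
    for s in socks:
        with contextlib.suppress(OSError):
            s.shutdown(socket.SHUT_RDWR)
        s.close()

def authenticate(sock, secret):
    """Mutual HMAC challenge-response over the private pipe (assumed stand-in for stages 306/512);
    without it, anyone able to reach the callback port would be relayed straight to the server."""
    try:
        nonce = os.urandom(16)
        sock.sendall(nonce)
        peer_nonce = sock.recv(16, socket.MSG_WAITALL)      # a short read on EOF just fails the check
        sock.sendall(hmac.new(secret, peer_nonce, hashlib.sha256).digest())
        peer_tag = sock.recv(32, socket.MSG_WAITALL)
        return hmac.compare_digest(peer_tag, hmac.new(secret, nonce, hashlib.sha256).digest())
    except OSError:
        return False

def pump(src, dst):
    """Relay src -> dst until either side closes, then close both ends."""
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    shut(src, dst)

def bridge(a, b):
    spawn(pump, a, b)
    spawn(pump, b, a)

def client_side_handler(callback_port, secret):
    """Client side redirector (110): a local client has reached the redirected port (1433 in the text),
    so open the callback port (6060 in the text) and take the next poll; otherwise polls find it closed."""
    def serve(local):
        with _callback_lock, socket.create_server(("127.0.0.1", callback_port)) as cb:
            cb.settimeout(5)                # wait a little for the next poll, then give up
            try:
                remote, _ = cb.accept()
            except OSError:
                return shut(local)
        # cb is closed here: one poll taken, later polls are refused again
        bridge(local, remote) if authenticate(remote, secret) else shut(local, remote)
    return serve

def server_side_redirector(targets, service_port, secret, stop, interval=0.05):
    """The 'shouter' (202): keeps trying each client side redirector in turn (a refused connect means
    nobody is waiting there); on accept, authenticate, connect out to the protected service and relay."""
    def serve(remote):
        try:
            if not authenticate(remote, secret):
                raise ConnectionError("authentication failed")
            bridge(remote, socket.create_connection(("127.0.0.1", service_port)))
        except OSError:
            shut(remote)
    while not stop.is_set():
        for host, port in targets:
            try:
                s = socket.create_connection((host, port), timeout=0.2)
            except OSError:
                continue                    # callback port closed: no local client waiting
            s.settimeout(None)
            spawn(serve, s)
        time.sleep(interval)

def toy_service_handler(conn):
    """Constructed stand-in for the protected database server: answers in upper case."""
    with conn:
        if data := conn.recv(4096):
            conn.sendall(data.upper())

def run_demo(request=b"select 1", poller_secret=SECRET):
    """Service, both redirectors and a 'web server' client on loopback; returns the client's reply."""
    stop = threading.Event()
    svc_ls, redirect_ls, cb_ls = (socket.create_server(("127.0.0.1", 0)) for _ in range(3))
    svc_port, redirect_port, callback_port = (s.getsockname()[1] for s in (svc_ls, redirect_ls, cb_ls))
    cb_ls.close()                           # only reserved a free port number for the callback
    spawn(accept_loop, svc_ls, toy_service_handler)
    spawn(accept_loop, redirect_ls, client_side_handler(callback_port, SECRET))
    spawn(server_side_redirector, [("127.0.0.1", callback_port)], svc_port, poller_secret, stop)
    with socket.create_connection(("127.0.0.1", redirect_port), timeout=5) as web:
        web.sendall(request)                # the web server still just "connects to port 1433"
        reply = web.recv(4096)              # b"" means the redirector closed the connection on us
    stop.set()
    return reply
```

`run_demo()` returns `b"SELECT 1"`: the request travelled web client, client side redirector, server side redirector, service and back, with the only wide-area connection opened outbound by the poller. `run_demo(poller_secret=b"wrong")` returns `b""` because the handshake fails and both ends of the pipe are closed. Two points worth keeping in view when reading the patent's claims: the database server no longer needs an inbound firewall rule, but the callback port is itself an inbound listener on the client side redirector, so the authentication at stage 512 is what restricts who can be relayed; and making the check mutual also stops a stray poller from impersonating the server side towards a client that happens to be waiting.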
A time line 600 showing the operation of the whole system 100 is shown in Figure 13. The time axis extends down the page. Each event is shown by an arrow. In the first instance, at time t0, the server side redirector 104 sends a ping 602 to the client side redirector 110 to request a communication connection. At this time, the client (in this example a web server 112) does not wish to form a communication connection. Hence, no communication connection is established. At time t2, the server side redirector 104 sends another ping 604 to the client side redirector 110 to request a communication connection. Again, the client 112 does not wish to form a communication connection. Hence, no communication connection is established. The same event 606 occurs at the next time step, t3.
Between t3 and t4, the client web server 112 attempts to form a communication connection with the server 102 as indicated by signal 608. The next time the client side redirector 110 receives a ping 610 from the server side redirector 104 indicating an attempt to establish communication connection, the client side redirector 110 sends a signal 612 to the server side redirector 104 to indicate that it wishes to establish a communication connection. Having received this signal, the server side redirector 104 requests a communication connection 614 with the server 102. During time period x, the server side redirector 104 and the client side redirector 110 have a private period, where additional validation can be performed if required. Once any validation has been done, the web server 112 accepts the communication connection 616 and the client 112 and server 102 can communicate.
Throughout this procedure, the server side redirector 104 continues to send pings 618 at every time step t to the client side redirector 110 to request a communication connection.
In an alternative embodiment 700 illustrated in Figure 14, a ping 702, sent from the web server 112 to the client side redirector 110 to indicate that the web server 112 wishes to establish a communication connection, is sent soon after a ping 704 from the server side redirector 104 to the client side redirector 110 to indicate an attempt to establish a communication connection. Soon after receiving the ping 704, a ping 706 is sent from the client side redirector 110 to the server side redirector 104 to indicate that it wishes to establish a communication connection. The remaining procedure is the same as that described above for the embodiment of Figure 13. The embodiment of Figure 14 does not have to wait for the next ping 610 between the server side redirector 104 and the client side redirector to request a communication connection (as in the example of Figure 13). This is because all the pings take a finite length of time before they fail. So, if the ping 704 between the server side redirector 104 and the client side redirector 110 is still happening when the ping 702 indicating a communication request from the web server 112 to the client side redirector 110 is received at the client side redirector 110, then the ping 706 between the client side redirector and the server side redirector is immediately triggered (the embodiment of Figure 14). Otherwise, the system 600 (as illustrated in Figure 13) will have to wait for the next ping 610 (a request for communication connection from the server side redirector 104 to the client side redirector 112) before the ping 612 (the signal accepting the communication connection between the client side redirector 110 and the server side redirector 104) is triggered (the embodiment of Figure 13).
A yet further embodiment of a time line 800 showing the operation of the whole system 100 is illustrated in Figure 15. In practice, this embodiment is simpler to implement than the two embodiments described above.
The time axis t again extends down the page. As before, one process (the server side redirector 104) is always shouting, and one process (the client side redirector 110) is always listening. In this embodiment, at time t1 the ping 802 from the server side redirector 104 is accepted 804 by the client side redirector 110 at the first attempt. Validation and authentication procedures are then run and the transfer of encryption keys may take place. This connection is held open regardless of whether a communication connection from the web server 112 to the client side redirector 110 is attempted or not. This holding open may involve polling 806, 808 (periodic communication) at times t2 and t3 (in this example) from the server side redirector 104 to the client side redirector 110 to determine that the connection is still valid.
When the web server 112 attempts 810 to make a communication connection to the client side redirector (a try from the web server 112 at time t3), a connection from the server side redirector 104 to the client side redirector 110 is already established. The attempt from the web server 112 to the client side redirector 110 is signalled by a control signal 812 at time t4 from the client side redirector 110 to the server side redirector 104. On receiving this signal 812, at time t5 the server side redirector 104 now attempts to open a communication connection to the server 102 via signal 814. On success, the server side redirector 104 sends a control signal 816 at time t6 to the client side redirector 110, and the server side redirector 104 and the client side redirector 110 now form a communication connection between them and data is passed transparently between them.
At the point where a connection request is first made at time t4, the process 110 of the client side redirector 110 signals its controller to start another client side redirector process 110, and at t5', on receiving notification of this event, the server side redirector 104 now signals its controller to start another server side redirector 104 process. This ensures that there is always an open and waiting connection between the database server 102 and the web server 112, waiting for a communication connection request from the web server 112.
In summary, in all three embodiments, two processes are run, one within the secure database site 102, and one at the site of the web server 112. The web server 112 process is constantly listening for a connection on the port which the web server 112 thinks the database is on. When the web server 112 opens communications to this port, the web site process 402 then starts listening on a configurable port to which the database site 102 process is permanently trying to connect. The database site 102 process is constantly trying to connect to a configurable address on a configurable socket of the web server 112. When it manages to do so, it opens communications back to the database server 102, which is also configured with this address and port.
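The Figure 15 exchange and the summary above, as an added simulation that is not code from the patent: four roles (web server 112, client side redirector, server side redirector, database server 102) on either side of a firewall 106 whose only rule is that no connection may be initiated from the client side to the server side. Role names, the `Firewall` model and the event labels are constructed for this example; the numbered signals in the comments are the patent's reference numerals.

```python
from dataclasses import dataclass, field
from typing import List

# Which side of firewall 106 each role sits on (constructed for this example).
SERVER_SIDE = {"database", "ssr"}     # database server 102, server side redirector 104
CLIENT_SIDE = {"webserver", "csr"}    # web server 112, client side redirector 110


@dataclass
class Firewall:
    """Rule from the description: nothing is initiated from the client side to
    the server side; connections across the firewall are outbound only."""
    dropped: List[str] = field(default_factory=list)

    def allow_connect(self, src: str, dst: str) -> bool:
        crosses = (src in CLIENT_SIDE) != (dst in CLIENT_SIDE)
        if not crosses or src in SERVER_SIDE:
            return True
        self.dropped.append(f"{src}->{dst}")
        return False


@dataclass
class Exchange:
    fw: Firewall = field(default_factory=Firewall)
    events: List[str] = field(default_factory=list)
    held_open: bool = False      # SSR->CSR connection kept open (802/804)
    data_path: bool = False      # transparent CSR<->SSR data path (after 816)
    standby_pairs: int = 0       # extra redirector processes started at t4/t5'

    def connect(self, src: str, dst: str, label: str) -> bool:
        """A new connection attempt, checked against the firewall rule."""
        ok = self.fw.allow_connect(src, dst)
        self.events.append(f"{label} {src}->{dst}: {'ok' if ok else 'blocked'}")
        return ok

    def send(self, src: str, dst: str, label: str) -> bool:
        """A control signal riding on the held-open connection; the firewall
        never sees a new inbound connection, whichever direction it travels."""
        ok = self.held_open
        self.events.append(f"{label} {src}->{dst}: {'sent' if ok else 'no link'}")
        return ok

    def run_figure_15(self) -> bool:
        # t1: ping 802 from the SSR, accepted 804 by the CSR at the first attempt
        self.held_open = self.connect("ssr", "csr", "802/804 ping")
        # t2, t3: polling 806/808 confirms the held-open connection is still valid
        for t in ("t2", "t3"):
            self.send("ssr", "csr", f"806/808 poll {t}")
        # t3: web server tries 810 the port it thinks the database is on (local)
        self.connect("webserver", "csr", "810 try")
        # t4: CSR reports the attempt with control signal 812 and its controller
        # starts another CSR process; the SSR does the same at t5'
        if not self.send("csr", "ssr", "812 control"):
            return False
        self.standby_pairs += 1
        # t5: SSR opens connection 814 to the database, both on the server side
        self.connect("ssr", "database", "814 open")
        # t6: control signal 816 confirms; data now passes transparently
        self.data_path = self.send("ssr", "csr", "816 control")
        return self.data_path

    def direct_attempt(self) -> bool:
        """What the design avoids: an inbound connection to the database site."""
        return self.connect("webserver", "database", "direct")
```

The firewall's `dropped` list stays empty for the whole Figure 15 exchange, while the direct attempt is the only entry it ever records.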
The system 100 described above provides the advantage that the client 112 can access the server 102 without any traffic passing from the client side of the firewall 106 to the server side of the firewall 106. As such, the firewall can be configured so that it is very difficult for unauthorized users to access the server 102. This is because any port allowing communication through the firewall 106 from the client side to the server side would be vulnerable to attack from an unauthorized user, but by removing this direction of communication, the vulnerability is removed. All communications are to specified addresses and ports.
These are at trusted sites which are expected to require access to the server 102. Furthermore, if a client is identified by an IP address, since these are difficult to copy, it is extremely difficult for an unauthorized client to impersonate an authorised client. As an additional security bonus, communication can take place on a different port to that which is normally expected for this type of traffic. No gateway is required on the server side of the firewall 106. A VPN may also be used over the Internet 13.
Communication Connection Device
As described in the introduction above, the present system can be used for applications other than as a security device. In another application of the present system 900 illustrated in Figure 16, the system can be used to allow a server 902 to connect to a client 912 when the server 902 cannot initiate a connection to the client 912 but the client 912 can initiate a connection to the server 902. Such a situation occurs when the client 912 can, for example, only communicate with the server 902 via GPRS (General Packet Radio Service).
The server 902 has an associated server side redirector 904 and each client 912 has a client side redirector 910 associated with it which can only make an outbound communication via GPRS. The client side redirector 910 tries to form a communication connection with the server side redirector 904. The server side redirector 904 will only accept the connection if its associated server 902 wishes to make a communication connection to the client 912. If the server 902 wishes to make a communication connection, the request from the client side redirector 910 is accepted and a communication connection is made between the server 902 and the client 912. However, if the server 902 does not wish to make a communication connection with the client 912, the request from the client side redirector 910 is not accepted. The client side redirector 910 will continue to request a communication connection with the listening device 904 at regular time intervals.
Hence, if a specific client 902 needs to be monitored by the server 902, all that has to be done is to start the server side redirector 904 associated with the server 902 listening for a communication connection request from a specific client side redirector 910. The specific client side redirector 910 will then open the connection to the server side redirector 904 and a new communication connection will be established.
Embodiments of the present invention have been described with particular reference to the examples illustrated. However, it will be appreciated that variations and modifications may be made to the examples described within the scope of the present invention.
In particular, each client side redirector does not have to be interrogated by the server side redirector one after the other. For example, client side redirectors which are more likely to want to form a connection could be interrogated more often than client side redirectors that are less likely to want to make a connection.
Furthermore, the system described above could be implemented in software, hardware or a combination of hardware and software. The present system could be implemented in communications systems other than GPRS where outbound communications are not allowed and all communication between clients and a server has to be initiated by the client. The system is suitable for all types of server-to-client communications where the server listens for incoming client connections. A database server is just one example of this.

Claims (25)

1. A communication apparatus comprising: at least one first communication device, the or each first communication device comprising: listening means for listening for a request for communication connection; and accepting means for indicating an acceptance of the request for communication connection; and at least one second communication device, the or each second communication device comprising: transmitting means for transmitting a request for communication connection; in which, in use, if a first communication device wishes to make a communication connection with a second communication device, when the transmitting means of the second communication device transmits a request for communication connection and it is received at the listening means of the first communication device, the accepting means of the first communication device indicates acceptance of the request for communication connection and a communication connection is made between the first and the second communication device.
2. A communication apparatus according to claim 1, wherein the or each transmitting means can periodically transmit a request for communication connection.
3. A communication apparatus according to claim 1 or 2, wherein the or each second communication device further comprises polling means for periodically transmitting a signal to determine that a communication connection between the first communication device and the second communication device is valid.
4. A communication apparatus according to claim 1, 2 or 3, wherein the at least one second communication device can make a communication connection to a service.
5. A communication apparatus according to any of claims 1 to 4, wherein the at least one first communication device accepts a communication connection from a client.
6. A communication apparatus according to any of claims 1 to 5, wherein another communication device cannot initiate a communication connection to the at least one second communication device.
7. A communication apparatus according to claim 6, wherein the transmitting means of the at least one second communication device comprises: a GPRS device, a third generation mobile telephone device, or a WiFi device.
8. A communication device for making a communication connection to a second communication device, in which the communication device wishes to make a communication connection with the second communication device, the communication device comprising: listening means for listening for a request for communication connection; and accepting means for accepting the request for communication connection; in which, in use, when a request for communication connection is received from the second communication device at the listening means, the accepting means accepts the communication connection.
9. A communication device for making a communication connection to a second communication device, in which the second communication device wishes to make a communication connection with the communication device, the communication device comprising: transmitting means for transmitting a request for communication connection; in which, in use, when a request for communication connection is accepted by the second communication device a communication connection is made between the first and the second communication device.
10. A communication device according to claim 9, wherein the transmitting means can periodically transmit a request for communication connection.
11. A communication device according to claim 9 or 10, wherein the communication device further comprises polling means for periodically transmitting a signal to determine that a communication connection between the communication device and the second communication device is valid.
12. A communication device according to claim 9, 10 or 11, wherein another communication device cannot initiate a communication connection to the communication device.
13. A communication device according to claim 12, wherein the transmitting means of the communication device comprises: a GPRS device, a third generation mobile telephone device, or a WiFi device.
14. A method of making a communication connection between a first communication device and a second communication device, wherein the first communication device wishes to make a communication connection to the second communication device, the method comprising the steps of: the second communication device sending a request for communication connection to the first communication device; the first communication device accepting the request for communication connection; and a communication connection being made between the first communication device and the second communication device.
15. A method of making a communication connection according to claim 14, wherein the second communication device sends a second request for communication connection to the first communication device before transmitting data through the communication connection.
16. A communication apparatus for making a communication connection between a first communication device and a second communication device, in which the first communication device wishes to make a communication connection with the second communication device, wherein the first communication device comprises: listening means for listening for a request to make a communication connection.
17. A communication apparatus for making a communication connection between a first communication device and a second communication device, in which the first communication device wishes to make a communication connection with the second communication device, wherein the second communication device comprises: transmitting means for transmitting a request for communication connection.
18. A communication apparatus according to claim 17, wherein the second communication device further comprises polling means for periodically transmitting a signal to determine that a communication connection between the first communication device and the second communication device is valid.
19. A communication apparatus according to claim 17 or 18, wherein another communication device cannot initiate a communication connection to the second communication device.
20. A communication apparatus according to claim 19, wherein the transmitting means of the second communication device comprises: a GPRS device, a third generation mobile telephone device, or a WiFi device.
21. A communication apparatus according to any of claims 17 to 20, wherein the second communication device can make a communication connection to a service.
22. A communication apparatus according to any of claims 17 to 21, wherein the first communication device accepts a communication connection from a client.
23. A communication apparatus as herein described with reference to and as illustrated by the accompanying drawings of Figures 3 to 16.
24. A communication device as herein described with reference to and as illustrated by the accompanying drawings of Figures 3 to 16.
25. A method of making a communication connection as herein described with reference to and as illustrated by the accompanying drawings of Figures 3 to 16.
GB0401294A 2004-01-21 2004-01-21 A communication apparatus and method Withdrawn GB2410401A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0401294A GB2410401A (en) 2004-01-21 2004-01-21 A communication apparatus and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB0401294A GB2410401A (en) 2004-01-21 2004-01-21 A communication apparatus and method

Publications (2)

Publication Number Publication Date
GB0401294D0 GB0401294D0 (en) 2004-02-25
GB2410401A true GB2410401A (en) 2005-07-27

Family

ID=31971213

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0401294A Withdrawn GB2410401A (en) 2004-01-21 2004-01-21 A communication apparatus and method

Country Status (1)

Country Link
GB (1) GB2410401A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2401717A1 (en) * 2000-03-01 2001-09-07 Spicer Corporation Secure network resource access system
US20020143773A1 (en) * 2000-03-01 2002-10-03 Steven Spicer Secure network resource access system
EP1255395A2 (en) * 2001-04-30 2002-11-06 Xerox Corporation External access to protected device on private network
WO2002098100A1 (en) * 2001-05-31 2002-12-05 Preventon Technologies Limited Access control systems
EP1313292A2 (en) * 2001-11-16 2003-05-21 Docent, Inc. Sending notifications through a firewall
US20030131259A1 (en) * 2002-01-10 2003-07-10 Barton Christopher Andrew Transferring data via a secure network connection

Also Published As

Publication number Publication date
GB0401294D0 (en) 2004-02-25

Similar Documents

Publication Publication Date Title
US9680795B2 (en) Destination domain extraction for secure protocols
US8200818B2 (en) System providing internet access management with router-based policy enforcement
US10027556B2 (en) Delegated network management services
US7305546B1 (en) Splicing of TCP/UDP sessions in a firewalled network environment
US6718388B1 (en) Secured session sequencing proxy system and method therefor
EP1311930B1 (en) System and method for authenticating a user to a web server
EP3641266A1 (en) Data processing method and apparatus, terminal, and access point computer
EP2850770B1 (en) Transport layer security traffic control using service name identification
US5699513A (en) Method for secure network access via message intercept
US20040249922A1 (en) Home automation system security
US20050277434A1 (en) Access controller
US20040088409A1 (en) Network architecture using firewalls
US7895334B1 (en) Remote access communication architecture apparatus and method
CN101420455A (en) Systems and/or methods for streaming reverse http gateway, and network including the same
JP2008533784A (en) Method, system, and computer program for communication in a computer system
US20030167411A1 (en) Communication monitoring apparatus and monitoring method
JP4492248B2 (en) Network system, internal server, terminal device, program, and packet relay method
WO2023020606A1 (en) Method, system and apparatus for hiding source station, and device and storage medium
US20050086533A1 (en) Method and apparatus for providing secure communication
CN113612790A (en) Data security transmission method and device based on equipment identity pre-authentication
CN100428748C (en) Dual-status-based multi-party communication method
JP2004295166A (en) Remote access system and remote access method
US7640580B1 (en) Method and apparatus for accessing a computer behind a firewall
JP2006277752A (en) Computer remote-managing method
GB2410401A (en) A communication apparatus and method

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)