METHOD AND DEVICE FOR DATA COMMUNICATION THROUGH A FIREWALL
TECHNICAL FIELD OF THE INVENTION
The present invention relates to a method for establishing a connection to a first unit located inside a firewall, wherein the connection is desired from a second unit located outside said firewall.
It also relates to a system used for establishing a connection to a first unit located behind a firewall, wherein the connection is desired from a second unit located outside said firewall.
Furthermore it relates to an intermediate unit used for establishing a connection to a first unit located inside a firewall, said connection being desired from a second unit located outside the firewall, said intermediate unit being reachable from said second unit.
RELATED ART
Firewalls are used for protecting terminals or a network of terminals from insight and influences from other terminals. However, a problem arises when a terminal outside this firewall wants to connect to a terminal inside the firewall. As defined in this document, firewalls are usually constructed to allow a unit located inside the firewall to connect to a unit located outside the firewall, but not the other way around.
Different examples of how to contact a terminal inside a firewall exist today. For example, mail can be used as an information carrier towards the terminal. The problem with mail is that it does not provide any delivery guarantees and it is datagram oriented. Most applications today want stream oriented communication and timely delivery.
Another possible way to contact a terminal inside a firewall today is to use socks. However, there are drawbacks with this method. For example, the applications in the terminals located inside the firewall have to be converted to use the socks protocol, and the application has to have knowledge of the location of the socks server. This cannot be achieved transparently to the application.
US 60 1797 discloses a method for establishing connections from outside and in through a firewall. However, this method requires that the firewall is manipulated or configured in a particular way, and furthermore only certain trusted terminals outside the firewall are given a port number to connect to and thus have the possibility to connect to a terminal inside the firewall.
One problem with all these methods is that they need some kind of configuration to be done on the clients. For example, the client in the US patent mentioned above needs to know which port number to connect to. Another problem is that in most of these existing methods the firewall has to be affected or configured in some way.
SUMMARY
One object of the invention is to provide a method and a system for connecting to a terminal inside a firewall easily and transparently to the applications used.
Another object of the invention is to provide a method for connecting to a terminal inside a firewall where no configurations need to be done to the applications.
A further object of the invention is to provide such a method and system where the firewall does not need to be affected in any way.
These objects are achieved in a method as initially described, where the method comprises the steps described below, not necessarily performed in the order given: step iii) could be performed anywhere between step i) and step iv), and step vi) could be performed anywhere between step i) and step vii) but after step iii).
i) providing an intermediate unit outside the firewall, reachable from at least the second unit;
ii) making a unique ID, which is associated with the first unit and with the intermediate unit, available to the second unit and other units located outside the firewall;
iii) establishing a first connection, being a control channel, from the first unit to the intermediate unit, said intermediate unit being reachable from at least the second unit;
iv) requesting, from the second unit, a connection to said unique ID;
v) forwarding this connection request from the intermediate unit to the first unit through the first connection;
vi) establishing a data channel from the first unit to the intermediate unit;
vii) transferring data between the second unit and the first unit.
The objects are also achieved by a system, as initially described, which comprises an intermediate unit, which is located outside the firewall and which is reachable from at least the second unit, said intermediate unit being adapted to mediate connections requested from the second unit to the first unit, whereby a unique ID corresponding to the first unit points to a low level address of the intermediate unit for units located outside the firewall.
The objects are further achieved by an intermediate unit as initially described, comprising connection means adapted to receive a control channel and a data channel from the first unit, said channels being used for communication between the intermediate unit and the first unit, said intermediate unit further comprising receiving means adapted to receive a request from the second unit for a connection to the first unit, and forwarding means adapted to forward the request to the first unit.
Hereby a method for connecting to a terminal inside a firewall from a terminal outside the firewall is achieved, where no configurations or manipulations need to be done to either the firewall or the applications used in the communicating units.
Preferably the requesting of a connection from the second unit further comprises the steps of:
- resolving, from the second unit, a low level address corresponding to the requested unique ID, the corresponding low level address being the low level address of the intermediate unit since connections to the first unit have to go through the intermediate unit;
- establishing, from the second unit, a connection to the retrieved low level address;
- initiating an http-dialogue from the second unit;
- forwarding, from the intermediate unit to the first unit, the connection request made by the second unit, since the first unit corresponds to the requested unique ID.
Suitably the method further comprises enclosing the unique ID, being a dns-name, together with the low level address, being an IP-address, in the connection request sent to the intermediate unit from the second unit. Hereby the intermediate unit knows which unit the second unit wants to connect to.
The data channel could be a new separate second connection between the first unit and the intermediate unit adapted for transferring data.
Alternatively, establishing the data channel consists of multiplexing the traffic on the first connection, so that the data channel is carried within the first connection.
The method could further comprise communicating the unique ID corresponding to the first unit from the first unit to the intermediate unit after the initial establishment of the first connection.
Alternatively the method comprises assigning a unique ID to the first unit in the intermediate unit.
Suitably the method comprises making the unique ID, which corresponds to the first unit, available outside the firewall by including the unique ID in an external dns. Hereby other units, which are located outside the firewall and can reach the intermediate unit, can resolve the unique ID of the first unit.
Http (hypertext transfer protocol) could be used as the communication protocol.
Alternatively https (hypertext transfer protocol secure) could be used as the communication protocol.
Preferably a public key infrastructure (PKI) is used. This will further increase the security.
Suitably tcp (transmission control protocol) connections are used.
One or more of the units could be gateways in computer networks. Furthermore one or more of the units could be servers in computer networks.
Suitably the first unit and the intermediate unit are provided with the software necessary for the communication between these two units.
Advantageously the first unit and the intermediate unit are http-proxies.
BRIEF DESCRIPTION OF THE DRAWINGS
Fig. 1 is a schematic view of a first embodiment of a system according to the invention.
Fig. 2 is a flow chart of a method according to the invention.
Fig. 3 is a schematic view of an intermediate unit according to the invention.
Fig. 4 is a schematic view of a second embodiment of a system according to the invention.
DETAILED DESCRIPTION OF EMBODIMENTS
Fig. 1 is a schematic view of a first embodiment of a system according to the invention. The system comprises a first unit 1 hidden by a firewall 3. Outside the firewall 3 an intermediate unit 5 is located, which is reachable from a second unit 7. The intermediate unit 5 and the second unit 7 could for example be connected to the same network. This could for example be the Internet.
Fig. 2 shows the different steps of a method according to the invention. The steps are divided into blocks, which are described in order below:
B25: A first connection 9 (Fig. 1) is established from the first unit 1 to the intermediate unit 5. This first connection 9 is established from the first unit 1 when the first unit 1 wants units located outside the firewall to be able to connect to it. This first connection 9 is a control channel. The control channel could in one embodiment be set up through a socks server. The intermediate unit 5 needs to know a unique ID corresponding to the first unit 1. In this embodiment this is a dns (domain name system) name. There are different possibilities for the intermediate unit 5 to obtain a dns-name corresponding to the first unit 1. Two of these possibilities are illustrated in Fig. 2 by two parallel blocks, B27 and B29.
B27: The first unit 1 communicates its dns-name over the first connection 9 to the intermediate unit 5.
B29: The other possibility described here is that the intermediate unit 5 assigns a dns-name to the first unit 1. This could be done when the first unit 1 does not already have a dns-name.
B31: In this embodiment the dns-name is made available to other units which can reach the intermediate unit. This is performed from the intermediate unit 5 by including the dns-name in an external domain name system; for example, it is registered in the dns information of the intermediate unit 5. Hereby all the units which can reach the intermediate unit will find this name when they search for it. It is also possible that the dns-name has been made available in the network outside the firewall some time before the first connection was established. The first unit 1 may have connected to another unit outside the firewall just to let it announce its dns-name. The dns-name should always be bound to a low level address, for example the IP-address, of the intermediate unit 5, since a connection to the first unit 1 always has to go through the intermediate unit 5.
B32: A unit which can reach the intermediate unit 5, for example the second unit 7, resolves the dns-name of the first unit 1. The dns-name is found since it is registered in the external dns. The IP-address given to the second unit 7 is the IP-address of the intermediate unit 5, since all connections to the first unit 1 have to go through the intermediate unit 5.
B35: The second unit 7 connects to the retrieved IP-address and believes that this is the unit corresponding to the wanted dns-name. In fact the second unit 7 is connecting to the intermediate unit 5. The connection is made to the IP-address, but the dns-name is always enclosed in the request. This is an important feature of the invention, since it makes it possible to forward the connection request to the correct destination. In one embodiment the second unit 7 initiates an http (hypertext transfer protocol) dialogue.
B37: The intermediate unit 5 forwards the connection request to the first unit 1, which corresponds to the requested dns-name. The connection request is transferred to the first unit 1 through the first connection 9. To enable the communication between the first unit 1 and the second unit 7, the first unit 1 now establishes a data channel from the first unit 1 to the intermediate unit 5. It is also possible that the data channel has already been established when the second unit 7 requests a connection to the first unit 1; the data channel between the first unit 1 and the intermediate unit 5 can in fact be established at any time. The data channel establishment could be done in different ways. Two ways are described in the two parallel blocks B39 and B41.
B39: One possibility is to establish a new separate second connection 13 (Fig. 1) from the first unit 1 to the intermediate unit 5. This second connection 13 is used for data communication.
B41: The other possibility is that the first connection 9 is also used for the data channel. Then, multiplexing of all the traffic on the first connection 9 is needed.
B43: Once the data channel is established the transfer of data between the second unit 7 and the first unit 1 is started and the data is transferred through the data channel, the intermediate unit 5 and through the connection between the second unit 7 and the intermediate unit 5.
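As an added example (not code from the patent), the intermediate unit's part of blocks B27 through B37 modelled in Python: a dns-name is accepted from or assigned to a first unit, published against the intermediate unit's own IP-address, and an incoming request is routed by the dns-name enclosed in it rather than by the IP-address it was sent to. The control channel is an in-memory list standing in for the first connection 9, and the HTTP Host header as the place where the dns-name is enclosed is an assumption the patent does not spell out.

```python
# Added example: in-memory model of the intermediate unit's routing; not from the patent.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ControlChannel:
    """The first connection (9): opened outbound by a first unit, so the
    firewall lets it through. Requests forwarded over it land in `inbox`
    (a list here; a TCP socket in a real deployment)."""
    name: Optional[str] = None
    inbox: List[bytes] = field(default_factory=list)


class IntermediateUnit:
    def __init__(self, public_ip: str, assigned_domain: str) -> None:
        self.public_ip = public_ip
        self.assigned_domain = assigned_domain          # parent domain for B29
        self.channels: Dict[str, ControlChannel] = {}   # dns-name -> channel
        self.external_dns: Dict[str, str] = {}          # dns-name -> IP (B31)

    def register(self, chan: ControlChannel, dns_name: Optional[str] = None) -> str:
        """B27: accept the name the first unit announces, or B29: assign one.
        B31: publish the name in the external dns, pointing at this unit's
        own IP-address, since every connection must pass through here."""
        name = dns_name or f"unit{len(self.channels) + 1}.{self.assigned_domain}"
        chan.name = name
        self.channels[name] = chan
        self.external_dns[name] = self.public_ip
        return name

    def resolve(self, dns_name: str) -> Optional[str]:
        """B32: the answer the second unit receives when resolving the name."""
        return self.external_dns.get(dns_name)

    def route_request(self, raw: bytes) -> Optional[str]:
        """B35/B37: the second unit connected to our IP-address, but the wanted
        dns-name travels inside the request as the HTTP Host header. Forward
        the request over the matching control channel and return the name it
        went to; return None (and forward nothing) for an unknown name."""
        head, _, _ = raw.partition(b"\r\n\r\n")
        host = ""
        for line in head.split(b"\r\n")[1:]:           # skip the request line
            key, _, value = line.partition(b":")
            if key.strip().lower() == b"host":
                # strip an optional :port, as in "Host: name.example:8080"
                host = value.strip().split(b":")[0].decode("ascii", "replace")
        chan = self.channels.get(host)
        if chan is None:
            return None
        chan.inbox.append(raw)
        return host
```

A request naming a dns-name that no first unit has registered is refused rather than forwarded, the check a practitioner would want on a unit that is reachable from the whole network outside the firewall.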
In one described embodiment, http is used as the communication protocol and any port(s) may be used. A big advantage is that the applications in neither the first nor the second unit need to be configured or manipulated in any way to be able to perform the communication through the firewall. The applications need not even be aware of the firewall and the method used to get through it. The second unit 7 only needs to communicate using, for example, the usual http protocol. It is also possible to use https (hypertext transfer protocol secure) as the communication protocol. If https is used, a PKI (public key infrastructure) could also be integrated. A PKI would, for example, ensure that the communication layer between the first unit 1 and the intermediate unit 5 is authenticated.
It is also preferred to use tcp-(transmission control protocol)-connections since tcp, for example, has its own flow control and no further flow control needs to be added.
The first unit 1, the intermediate unit 5, and the second unit 7 can all be gateways or servers in networks. For example, if the first unit 1 is a server connected to a plurality of computers, the first unit 1 can transfer the connection request to a third unit in this network if the second unit 7 requests a connection to the third unit. This is possible thanks to the addressing system used according to this invention, where, even though the connection requested from the second unit is established to the retrieved IP-address, the wanted dns-name is always enclosed in the request. Thus, when the first unit 1 receives a connection request from the intermediate unit 5, it can forward this connection request to the unit with the requested dns-name. The first unit needs to find the IP-address corresponding to the dns-name; this is done using dns.
As mentioned above, no configurations need to be done to the applications in either the first unit 1 or the second unit 7. Furthermore, the user of the second unit 7 does not have to know anything more than the dns-name of the first unit 1. The firewall also need not be configured to enable communication initiated from outside the firewall. However, the first unit 1 has to be provided with software enabling the communication with the intermediate unit 5. The first unit 1 should be able to initiate the first connection 9 with the intermediate unit 5, possibly transfer the dns-name, maintain the dialogue, and initiate a second data connection 13 or multiplex the traffic on the first connection 9. The software in the first unit needs to take care of this. Also, the intermediate unit 5 needs software of the same kind, able to communicate with the first unit 1. Possibly these functions could be implemented in the hardware of the first unit and the intermediate unit.
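The multiplexing needed when the first connection 9 also carries the data channel (block B41, and the software duties just listed) requires some framing, which the patent does not specify. As an added example that is not the patent's own design, the following Python assumes a minimal frame layout (2-byte channel id, 2-byte payload length, payload) with channel 0 reserved for forwarded connection requests, and handles frames that arrive split across TCP reads.

```python
# Added example, not from the patent: the frame layout (2-byte channel id,
# 2-byte payload length, payload) is an assumption.
import struct
from typing import Dict, List, Tuple

HEADER = struct.Struct("!HH")   # network byte order: channel id, payload length
CONTROL = 0                     # channel 0 carries forwarded connection requests
MAX_PAYLOAD = 0xFFFF


def pack_frame(channel: int, payload: bytes) -> bytes:
    """Prefix one payload with its channel id and length."""
    if not 0 <= channel <= 0xFFFF or len(payload) > MAX_PAYLOAD:
        raise ValueError("channel id or payload length out of range")
    return HEADER.pack(channel, len(payload)) + payload


def parse_frames(buf: bytes) -> Tuple[List[Tuple[int, bytes]], bytes]:
    """Split a byte stream into complete (channel, payload) frames.
    TCP delivers a stream, not frames, so a trailing partial frame is
    returned as the remainder to be prepended to the next read."""
    frames: List[Tuple[int, bytes]] = []
    pos = 0
    while len(buf) - pos >= HEADER.size:
        channel, length = HEADER.unpack_from(buf, pos)
        end = pos + HEADER.size + length
        if end > len(buf):
            break                       # incomplete frame: wait for more bytes
        frames.append((channel, buf[pos + HEADER.size:end]))
        pos = end
    return frames, buf[pos:]


class Demuxer:
    """Receiving end of the first connection 9 when it also carries the data
    channel: feed() bytes as they arrive and frames are sorted into
    per-channel queues, channel 0 for control, the others for data."""

    def __init__(self) -> None:
        self.pending = b""
        self.queues: Dict[int, List[bytes]] = {}

    def feed(self, chunk: bytes) -> int:
        """Consume newly received bytes; return the number of complete frames."""
        frames, self.pending = parse_frames(self.pending + chunk)
        for channel, payload in frames:
            self.queues.setdefault(channel, []).append(payload)
        return len(frames)
```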
Fig. 3 is a schematic view of an intermediate unit according to the invention. Said intermediate unit comprises software defining a connection means 81 adapted to receive the first connection 9 and also possibly the second connection 13 from the first unit. In this embodiment the software also defines an assigning means 83 adapted to assign a dns-name to the first unit 1. The assigning means 83 is connected to the connection means 81. Furthermore the intermediate unit comprises a receiving means 87 adapted to receive a connection request from the second unit 7 and a forwarding means 89 connected to the receiving means 87 and to the connection means 81 adapted to forward this request through the first connection 9 to the first unit 1. All these described functions comprised in the intermediate unit are defined by the integrated software.
The intermediate unit according to the invention can serve more than one unit located inside a firewall. It can serve several units inside the same firewall and also units inside different firewalls. Thus it is in accordance with the invention possible to establish a connection from one unit inside a first firewall to another unit inside a second firewall.
Fig. 4 is a schematic view of a second embodiment of a system according to the invention. This embodiment shows that it is possible to penetrate more than one firewall with the method according to the invention, thanks to the addressing system where the dns-name is enclosed in the request. Here a first unit 61 is located behind a first firewall 63. Outside the first firewall 63 a first intermediate unit 65 is located. This first intermediate unit 65 is connectable to a third unit 67. The third unit 67 and the first intermediate unit 65 are shielded by a second firewall 69. Outside this second firewall 69 a second intermediate unit 71 and a second unit 73, which is connectable to the second intermediate unit 71, are located. The process when the second unit 73 requests a connection to the first unit 61 is similar to the process described for the first embodiment. The difference is that the third unit 67 forwards the request coming from the second intermediate unit to the first intermediate unit 65, since the dns-name does not correspond to the third unit 67. The first intermediate unit 65 in turn forwards the request to the first unit 61, which corresponds to the dns-name requested by the second unit, and the connection process is performed in the same way as described above.