METHOD AND SYSTEM FOR TRANSMITTING INFORMATION ACROSS A FIREWALL
 The present invention relates to a method and system for transmitting information across a firewall.
 Networks implementing distributed data processing systems, and in particular the INTERNET, have attained widespread diffusion in recent years. A major concern of organisations wishing to embrace the INTERNET as a way of conducting business is that of exposing their internal private network to the outside world. Several security issues are raised by this kind of application, which involves attaching the (secure) private network of the organisation to the largely uncontrolled environment of the INTERNET. In particular, the organisation must be protected from intruders attempting to gain unauthorised access to the private network or attempting to compromise its operation.
 Most security measures involve the use of a firewall. A firewall consists of hardware and/or software controlling the traffic between the INTERNET and the private network; all messages entering or leaving the private network pass through the firewall, which allows only certain traffic to transit as specified by a firewall administrator.
 A large number of resource management environments, such as the Tivoli Management Environment, or TME (TME is a trademark of International Business Machines Corporation), were developed before the spread of the INTERNET. Generally, these management environments are designed to run in a back-office, where the network is considered closed and secure. For example, the management environment can freely open logical connections (or ports) between any pair of computers of the network, or it assumes that connections can be made using non-secure protocols, such as the Transmission Control Protocol/Internet Protocol (TCP/IP) suite; moreover, the management environment is allowed to broadcast messages over the network, for example through the User Datagram Protocol (UDP). The above-mentioned characteristics (or other equivalent ones) make these management environments firewall-incompatible.
 Different solutions have been proposed for interfacing existing management environments with an extension of the private network of the organisation (a so-called Demilitarised Zone, or DMZ), which is in direct contact with the INTERNET. For example, a solution known in the art consists of reducing the number of ports that can be opened across the firewall; moreover, the range from which these ports are selected is restricted to a small set of values. More recently, proposals have been made to limit the use of ports even further; in these proposals, every communication between two computers across the firewall should be consolidated onto a single, well-defined port.
 However, none of the solutions known in the art is completely satisfactory. In fact, limiting the number of ports makes a security hole in the firewall smaller, but it does not close the private network to intruders.
 Moreover, the proposed new features require the management environment to be modified directly. However, any maintenance operation carried out on the management environment involves high costs and delays, due to the complexity of these systems.
 As a consequence, organisations with a consolidated resource management environment cannot manage the DMZ, so that their access to the INTERNET is strongly limited.
 It is an object of the present invention to overcome the above-mentioned drawbacks. In order to achieve this object, a method as set out in the first claim is proposed.
 Briefly, the present invention provides a method of transmitting information across a firewall among a plurality of computers, at least one first of the computers being at a first side of the firewall and at least one second of the computers being at a second side of the firewall, wherein at least one first proxy and at least one second proxy are associated with the at least one first computer at the first side of the firewall and with the at least one second computer at the second side of the firewall, respectively, and wherein a pass through communication tunnel directly connects each first and second proxy, the tunnel being secured by mutual authentication of the corresponding first and second proxies, the method including the steps of: causing a transmitting one of the computers to send a firewall-incompatible message for a receiving one of the computers at the other side of the firewall to a transmitting one of the associated at least one proxy, sending the message from the transmitting proxy to a receiving one of the at least one proxy at the other side of the firewall through the corresponding tunnel, associating the message with the receiving computer, and forwarding the message from the receiving proxy to the receiving computer.
 The present invention also provides a computer program application for performing the method, a product storing the program application, and a corresponding system.
 Further features and the advantages of the solution according to the present invention will be made clear by the following description of a preferred embodiment thereof, given purely by way of a non-restrictive indication, with reference to the attached figures, in which:
 FIG. 1a shows a schematic block diagram of a data processing system in which the method of the invention can be used;
 FIG. 1b is a diagrammatic representation of a gateway proxy and of an endpoint proxy of the system;
 FIG. 2 depicts a partial content of a working memory of the gateway proxy and of the endpoint proxy;
 FIG. 3 and FIGS. 4a-4b show flow charts describing the logic of a method executed on the gateway proxy and on the endpoint proxy, respectively, for transmitting information across a firewall of the system.
 With reference in particular to FIG. 1, a data processing system 100 that relies on the INTERNET 105 is depicted. The INTERNET 105 consists of a network including millions of computers connected to each other through public media. This structure allows uncontrolled access to the network, so that the INTERNET 105 is open and unprotected, and therefore not trusted by its very nature.
 A private network 110 of an organisation (such as a service provider) interfaces with the INTERNET 105. The private network 110 implements a secure structure, which uses trusted communication lines (for example private lines belonging to the service provider), and is therefore closed and protected. The private network 110 is connected to the INTERNET 105 through a Demilitarised Zone (DMZ) 115. The DMZ 115 is an internal line of defence of the private network 110, which sits between the INTERNET 105 and the private network 110. All communications between the private network 110 and the INTERNET 105 pass through the DMZ 115; in this way, the private network 110 cannot be accessed from the INTERNET 105 directly, which avoids exposing the private network 110 to attacks from the outside.
 The DMZ 115 includes multiple endpoint computers 120, such as Web (HTTP) servers, FTP servers, SMTP (e-mail) servers and other servers, which are grouped into one or more clusters. The endpoints 120 of each cluster communicate with a smaller number of gateway proxies 125g; in the example shown in the figure, one cluster of endpoints 120 is associated with a single gateway proxy 125g, and another cluster of endpoints 120 is associated with two gateway proxies 125g. The DMZ 115 is separated from the INTERNET 105 and from the private network 110 by one or more firewalls 130a and one or more firewalls 130b, respectively.
 A firewall is a hardware and/or software system that is installed at a point where two networks with a different level of security meet (also known as choke point), and that enforces a security policy between the two networks; in this way, the firewall can protect the more secure network from attacks coming from the less secure network. All packets entering or leaving the more secure network pass through the firewall, which examines each packet and blocks those that do not meet specified security criteria. Known firewalls use different techniques for controlling the traffic flow between the two networks, such as packet filters (wherein packets are examined at a network layer), application-layer gateways (wherein all application layers are examined, bringing context information into the decision process), and stateful inspection (wherein the state-related information required for security decisions is extracted from all application layers and maintained in dynamic state tables for evaluating subsequent connection attempts).
 Each gateway proxy 125g is directly connected to a single endpoint proxy 125e (in the private network 110) by means of a pass through communication tunnel 132, which crosses the firewall 130b with a point-to-point connection establishing a transparent pipe between the two proxies 125g, 125e; security of the tunnel 132 is ensured by mutual authentication of the gateway proxy 125g and the endpoint proxy 125e at its ends. Multiple gateway computers 135 communicate with the endpoint proxy 125e. Each gateway 135 couples one or more endpoints 120 to a server computer 140, which manages the resources of the endpoints 120 from the private network 110.
 As shown in FIG. 1b, a generic gateway proxy 125g (for example consisting of a mid-range computer) is formed by several units that are connected in parallel to a communication bus 142g. In detail, multiple microprocessors (mp) 143g control operation of the gateway proxy 125g, a RAM 144g is directly used as a working memory by the microprocessors 143g, and a ROM 145g stores basic programs for bootstrapping the gateway proxy 125g. Several peripheral units are further connected to the bus 142g (by means of respective interfaces). In particular, a bulk memory consists of a magnetic hard-disk 150g and a drive 155g for reading CD-ROMs 160g. Moreover, the gateway proxy 125g includes input devices 165g (for example consisting of a keyboard and a mouse), and output devices 170g (for example consisting of a monitor and a printer). A Network Interface Card (NIC) 175g is used to couple the gateway proxy 125g to the associated endpoints and to the endpoint proxy.
 The endpoint proxy 125e is likewise formed by a bus 142e, multiple microprocessors 143e, a RAM 144e, and a ROM 145e; the endpoint proxy 125e further includes a hard-disk 150e, a drive 155e for CD-ROMs 160e, input devices 165e and output devices 170e. A network interface card 175e is used to couple the endpoint proxy 125e to the gateways and to the gateway proxies.
 Similar considerations apply if the system is used for different applications (such as an e-commerce site), if the system relies on different networks, if the system has a different architecture (for example with a compartmentalised environment), if each cluster of endpoints is associated with a different number of gateway proxies, if a single gateway proxy is associated with all the endpoints or if two or more endpoint proxies are associated with the gateways, if a different number of endpoints and gateways are provided (down to a single one), if the gateway and endpoint proxies have a different structure or include different units (for example, if the gateway proxy has two NICs for the associated endpoints and endpoint proxy, respectively, or if the endpoint proxy has two NICs for the associated gateways and gateway proxies, respectively), and the like.
 Considering now FIG. 2, a partial content of the working memories 144g and 144e of a generic gateway proxy and of the endpoint proxy, respectively, is shown; the information (programs and data) is typically stored on the hard-disks and loaded (at least partially) into the working memories when the programs are running. The programs are initially installed onto the hard disks from CD-ROM.
 With reference in particular to the gateway proxy, a listening process 205 (implemented by means of a corresponding software module) receives packets transmitted from the endpoints. Each packet is provided to a forwarding process 210; the forwarding process 210 detects the IP address of the source endpoint, and attaches the IP address to the packet. The packet (with the attached IP address) is then supplied to a tunnelling process 215. The tunnelling process 215 acts as a pass through between the gateway proxy and the endpoint proxy, so as to transmit the packet to a receiving process 220 running on the endpoint proxy.
 The packet received from the gateway proxy is provided to a converting process 225. The converting process 225 manages a series of memory structures. Particularly, a persistent table 230 is formed by a record for each endpoint currently controlled by the endpoint proxy. The record is composed of a field EP_ID that contains an identifier that is dynamically assigned to the endpoint by the server. A field EP_IP stores the IP address of the endpoint, and a field EP_PORT stores the number of an endpoint port identifying a logical connection to the endpoint. A field EP_K is used for storing an encryption key dynamically generated for the endpoint (together with a possible indica
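The following is an added illustration, not code from the patent, of the two proxy-side steps just described: the gateway-side forwarding process 210 tags each endpoint packet with its source address before it enters the single tunnel, and the endpoint-side converting process 225 cuts the tunnel byte stream back into packets and associates each one with a record of persistent table 230. The frame layout, the field types and the rule that packets from endpoints absent from the table are dropped are assumptions of the example.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Assumed tunnel frame layout (the patent fixes none): IPv4 source address (4 bytes),
# source port (2 bytes), payload length (4 bytes), then the payload itself.
HEADER = struct.Struct("!4sHI")


def gateway_forward(src_ip: str, src_port: int, payload: bytes) -> bytes:
    """Forwarding process 210: attach the source endpoint's address to the packet."""
    return HEADER.pack(ipaddress.IPv4Address(src_ip).packed, src_port, len(payload)) + payload


@dataclass
class EndpointRecord:
    """One record of persistent table 230; field names follow the patent's EP_* fields."""
    ep_id: int
    ep_ip: str
    ep_port: int
    ep_k: bytes


class EndpointProxy:
    """Receiving process 220 and converting process 225 on the endpoint proxy."""

    def __init__(self, table):
        self.table = {(r.ep_ip, r.ep_port): r for r in table}

    def split_frames(self, stream: bytes):
        """Cut the tunnel byte stream into complete frames; a truncated tail is an error."""
        off, frames = 0, []
        while off < len(stream):
            if len(stream) - off < HEADER.size:
                raise ValueError("truncated frame header")
            ip, port, length = HEADER.unpack_from(stream, off)
            off += HEADER.size
            if len(stream) - off < length:
                raise ValueError("truncated frame payload")
            frames.append((str(ipaddress.IPv4Address(ip)), port, stream[off:off + length]))
            off += length
        return frames

    def route(self, stream: bytes):
        """Associate each frame with its table-230 record (delivered as (EP_ID, payload));
        frames from endpoints not in the table are dropped instead of being forwarded."""
        delivered, dropped = [], []
        for ip, port, payload in self.split_frames(stream):
            rec = self.table.get((ip, port))
            if rec is None:
                dropped.append((ip, port, payload))
            else:
                delivered.append((rec.ep_id, payload))
        return delivered, dropped
```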