US005623601A

(11) Patent Number: 5,623,601
(45) Date of Patent: Apr. 22, 1997

(54) APPARATUS AND METHOD FOR PROVIDING A SECURE GATEWAY FOR COMMUNICATION AND DATA EXCHANGES BETWEEN NETWORKS

(75) Inventor: Hung T. Vu, Ottawa, Canada
(73) Assignee: Milkyway Networks Corporation, Ottawa, Canada
(21) Appl. No.: 342,772
(22) Filed: Nov. 21, 1994
(51) Int. Cl.: G06F 11/00
(52) U.S. Cl.: 395/187.01; 395/188.01
(58) Field of Search: 395/187.01, 188.01, 395/186, 182.02, 187.02, 180; 380/4

(56) References Cited

U.S. PATENT DOCUMENTS
5,023,907  6/1991  Johnson et al.  380/4
5,416,842  5/1995  Aziz et al.  380/4
5,548,646  8/1996  Aziz et al.  380/23

OTHER PUBLICATIONS
Stempel, "IpAccess - an Internet Service Access System for Firewall Installations", Network and Distributed System Security, IEEE, pp. 31-41, Feb. 1995.
Neuman, "Proxy-Based Authorization and Accounting for Distributed Systems", Distributed Computing Systems, IEEE Conf., pp. 283-291, Jan. 1993.
Bellovin et al., "Network Firewalls", IEEE Communications Magazine, pp. 50-57, Sep. 1994.
Tirenin et al., "Enhanced Multinet Gateway: Survivable Multi-Level Secure Data Communications", Milcom IEEE, pp. 740-744, 1991.
A Network Firewall, Marcus J. Ranum, Digital Equipment Corporation, Washington Open Systems Resource Center, Greenbelt, MD, Jun. 12, 1992.
White Paper - InterLock 2.1, ANS CO+RE Systems, Inc., Aug. 18, 1993.
Checkpoint Firewall-1 Technical White Paper, Check Point Software Technologies Ltd., 1994.
Thinking about Firewalls, Marcus J. Ranum, Trusted Information Systems, Inc., Glenwood, Md., 1993.
Socks, David Koblas and Michelle Koblas, 1993.
Internet Firewalls - An Overview, Marcus J. Ranum, a slide presentation, 1993, Trusted Information Systems, Inc.
Screen External Access Link (SEAL) Introductory Guide, Digital, publication date unknown.
Increasing Security on IP Networks, Cisco Systems, Inc., advertising brochure, publication date unknown.

Primary Examiner: Robert W. Beausoliel, Jr.
Assistant Examiner: Joseph E. Palys
Attorney, Agent, or Firm: Ralph H. Dougherty

(57) ABSTRACT

An apparatus and method for providing a secure firewall between a private network and a public network are disclosed. The apparatus is a gateway station having an operating system that is modified to disable communications packet forwarding, and further modified to process any communications packet having a network encapsulation address which matches the device address of the gateway station. The method includes enabling the gateway station to transparently initiate a first communications session with a client on a first network requesting a network service from a host on a second network, and a second independent communications session with the network host to which the client request was addressed. The data portion of communications packets from the first session is passed to the second session, and vice versa, by application level proxies which are passed the communications packets by the modified operating system. Data sensitivity screening is preferably performed on the data to ensure security. Only communications enabled by a security administrator are permitted. The advantage is a transparent firewall with application level security and data screening capability.

41 Claims, 7 Drawing Sheets

`98.53, 84.1
`
`19853, 30.2
`
`92.68, 7.
`
`
`
`92.88.7.
`
`Relaying
`News Server
`
`and
`News Server
`
`EXHIBIT 1004
`Guest-Tek v. Nomadix, IPR2018-00376
`
`
`
U.S. Patent, Apr. 22, 1997, Sheet 1 of 7, 5,623,601

FIG. 1: schematic diagram of the preferred configuration for the apparatus (drawing only; no further text is recoverable from this sheet).

`
Sheet 2 of 7, FIG. 2 (Prior Art), standard TCP/IP header layouts:

IP Header 26: 4-bit version, 4-bit header length, 8-bit type of service, 16-bit total length (in bytes); 16-bit identification, 3-bit flags, 13-bit fragment offset; 8-bit time to live, 8-bit protocol, 16-bit header checksum; 32-bit source IP address 32; 32-bit destination IP address 34; options (if any).

TCP Header 28: 16-bit source port number 36, 16-bit destination port number 38; 32-bit sequence number; 32-bit acknowledgement number; 16-bit window size; 16-bit TCP checksum, 16-bit urgent pointer; options (if any).

UDP Header 30: 16-bit source port number, 16-bit destination port number; 16-bit UDP length, 16-bit UDP checksum.

`
Sheet 3 of 7, FIG. 3 (Prior Art), Ethernet Encapsulation (RFC 894): destination address 40 (6 bytes), source address 42 (6 bytes), type (2 bytes), data (46-1500 bytes), check sum 44 (4 bytes).

FIG. 4: communications flow path between the Gateway Station (192.168.77.1), a client on the private network and a Relaying News Server on the public network.

`
Sheet 4 of 7, FIG. 5 (Prior Art), TCP routing by a standard UNIX kernel (reference numerals 48-62): Receive Data Packet (48); encapsulation destination address = device address? N: Drop Packet; Y: IP destination address = IP address of gateway station? N: IP forwarding enabled? (Y: Forward Packet; N: Drop Packet); Y: any process bound to port? N: Drop Packet; Y: Start TCP or UDP Session With IP Source; Deliver Packet To Bound Proxy Process; Attempt to Process Packet.

`
Sheet 5 of 7, FIG. 6, TCP routing by the modified kernel (reference numerals 64-78): Receive Data Packet (64); encapsulation destination address = device address? N: Drop Packet; Y: process bound to destination port? (72) N: any proxy process bound to port? (74) N: Drop Packet; Y: Start TCP or UDP Session With IP Source (78); Deliver Packet To Bound Proxy Process.

`
Sheet 6 of 7, FIG. 7a, application-level processing, first portion (reference numerals 80-94): (A) Wait for Data to Arrive on Port XXX From the Kernel (80, 82); decision 86, N: Drop session; Is User Level Authentication Required? (88) Y: Authenticate User; Is User Authenticated? N: Drop session (94).

`
Sheet 7 of 7, FIG. 7b, application-level processing, second portion (reference numerals 96-106): decision 96 (is the address an IP address of ...?) Y: Initiate Session to Permit IP Source to Enable or Disable Transparent Mode (98); Wait for Data to Arrive on Port XXX From the Kernel (100); Process Packet to Permit IP Source to Enable or Disable Transparent Mode (101); Is Session Terminated? Otherwise: Initiate Session With the IP Destination Address (104, 106); Wait for Data From One Session to be Passed From Kernel and Relay Data to Other Session; Is Either Session Terminated?

`
`5,623,601
`
`1
`APPARATUS AND METHOD FOR
`PROVIDING ASECURE GATEWAY FOR
`COMMUNICATION AND DATA EXCHANGES
`BETWEEN NETWORKS
`
`TECHNICAL FIELD
`This application relates generally to internetwork com
`munications and data exchanges and, in particular, to Secure
`gateways which serve as firewalls between computer net
`works to inhibit electronic vandalism and espionage.
`
`10
`
`2
`gateway, as can the public network but the private network
`cannot communicate with the public network except via the
`public side of the dual homedgateway. Application level or
`"proxy” gateways are often used to enhance the function
`ality of dual homed gateways. Much of the protocol level
`software on networks operates in a store-and-forward mode.
`Prior art application level gateways are service-specific
`store-and-forward programs which commonly operate in
`user mode instead of at the protocol level.
`All of the internetwork gateways known to date suffer
`from certain disadvantages which compromise their security
`or inconvenience users. Most known internetwork gateways
`are also potentially susceptible to intruders if improperly
`used or configured.
`The only firewall for many network installations is a
`screening router which is positioned between the private
`network and the public network. The screening router is
`designed to permit communications only through certain
`predesignated ports. Many network services are offered on
`specific designated ports. Generally, screening routers are
`configured to permit all outbound traffic from the private
`network while restricting inbound traffic to those certain
`specific ports allocated to certain network services. A prin
`cipal weakness of screening routers is that the router's
`administrative password may be compromised. If an
`intruder is capable of communicating directly with the
`router, the intruder can very easily open the entire private
`network to attack by disabling the screening algorithms.
`Unfortunately, this is extremely difficult to detect and may
`go completely unnoted until serious damage has resulted.
`Screening routers are also subject to permitting vandalism
`by "piggybacked' protocols which permit intruders to
`achieve a higher level of access than was intended to be
`permitted.
`Packet filters are a more sophisticated type of screening
`that operates on the protocol level. Packet filters are gener
`ally host-based applications which permit certain commu
`nications over predefined ports. Packet filters may have
`associated rule bases and operate on the principle of "that
`which is not expressly permitted is prohibited'. Public
`networks such as the Internet operate in TCP/IP protocol. A
`UNIX operating system running TCP/IP has a capacity of
`64K communication ports. It is therefore generally consid
`ered impractical to construct and maintain a comprehensive
`rule base for a packet filter application. Besides, packet
`filtering is implemented using the simple Internet Protocol
`(IP) packet filtering mechanisms which are not regarded as
`being robust enough to permit the implementation of an
`adequate level of protection. The principal drawback of
`packet filters is that they are executed by the operating
`system kernel and there is a limited capacity at that level to
`perform screening functions. As noted above, protocols may
`be piggybacked to either bypass or fool packet filtering
`mechanisms and may permit skilled intruders to access the
`private network.
`The dual homed gateway is an often used and easy to
`implement alternative. Since the dual homed gateway does
`not forward TCP/IP traffic, it completely blocks communi
`cation between the public and private networks. The ease of
`use of a dual homed gateway depends upon how it is
`implemented. It may be implemented by giving users logins
`to the public side of the gateway host, or by providing
`application gateways for specific services. If users are per
`mitted to log on to the gateway, the firewall security is
`seriously weakened because the risk of an intrusion
`increases substantially, perhaps exponentially, with each
`user login due to the fact that logins are a vulnerable part of
`
`BACKGROUND OF THE INVENTION
`As computing power and computer memory have been
`miniaturized and become more affordable, computer net
`works have largely displaced mainframe and minicomputer
`technology as a business automation platform. Public infor
`mation networks have also sprung up around the world. The
`largest and most pervasive public network is the Internet
`which was created in the late 1960s as a United States
`Department of National Defence project to build a network
`connecting various military sites and educational research
`centers. While the interconnection of private networks with
`public networks such as the Internet may provide business
`opportunities and access to vital information, connecting a
`private, secure network to a public network is hazardous
`unless some form of secure gateway is installed between the
`two networks to serve as a "firewall'.
`Public networks, as their name implies, are accessible to
`anyone with compatible hardware and software. Conse
`quently, public networks attract vandals as well as amateurs
`and professionals involved in industrial espionage. Private
`networks invariably store trade secret and confidential infor
`mation which must be protected from exposure to unautho
`rized examination, contamination, destruction or retrieval.
`Any private network connected to a public network is
`vulnerable to such hazards unless the networks are inter
`connected through a secure gateway which prevents unau
`thorized access from the public network.
`A great deal of effort has been dedicated to developing
`secure gateways for internetwork connection. As noted
`above, these gateways are commonly referred to as firewalls.
`The term firewall is broadly used to describe practically any
`internetwork security scheme. Firewalls are generally devel
`oped on one or more of three models: the screening router,
`the bastion host and the dual homed gateway. These models
`may be briefly defined as:
`Screening router-Screening routers typically have the
`ability to block traffic between networks or specific hosts on
`an IP port level. Screening routers can be specially config
`ured commercial routers or host-based packet filtering appli
`cations. Screening routers are a basic component of many
`firewalls. Some firewalls consist exclusively of a screening
`router or a packet filter.
`Bastion host-Bastion hosts are host systems positioned
`between a private network and a public network which have
`particular attention paid to their security. They may run
`special security applications, undergo regular audits, and
`include special features such as "sucker traps' to detect and
`identify would-be intruders.
`Dual homed gateway-A dual homed gateway is a bas
`tion host with a modified operating system in which TCP/IP
`forwarding has been disabled. Therefore, direct traffic
`between the private network and the public network is
`blocked. The private network can communicate with the
`
`15
`
`20
`
`25
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`
`
`5,623,601
`
`O
`
`15
`
`20
`
`25
`
`30
`
`3
`any security system. Logins are often compromised by a
`number of known methods and are the usual entry path for
`intruders.
`The alternative implementation of a dual homed gateway
`is the provision of application gateways for specific network
`services. Application gateways have recently gained general
`acceptance as a method of implementing internetwork fire
`walls. Application gateways provide protection at the appli
`cation level and the Transmission Control Protocol (TCP)
`circuit layer. They therefore permit data sensitivity checking
`and close loopholes left in packet filters. Firewalls equipped
`with application gateways are commonly labelled applica
`tion level firewalls. These firewalls operate on the principle
`of "that which is not expressly permitted is prohibited'.
`Users can only access public services for which an appli
`cation gateway has been installed on the dual homed gate
`way. Although application level firewalls are secure, the
`known firewalls of this type are also inefficient. The prin
`cipal disadvantage of known application level firewalls is
`that they are not transparent to the user. They generally
`require the user to execute time-consuming extra operations
`or to use specially adapted network service programs. For
`example, in an open connection to the Internet, a user can
`Telnet directly to any host on the Internet by issuing the
`following command:
`Telnet target.machine
`However if the user is behind an application level firewall,
`the following command must be issued:
`Telnet firewal
`After the user has established a connection with the
`firewall, the user will optionally enter a user ID and a
`password if the firewall requires authentication. Subsequent
`to authentication, the user must request that the firewall
`connect to the final Telnet target machine. This problem is
`the result of the way in which the UNIX operating system
`handles IP packets. A standard TCP/IP device will only
`accept and attempt to process IP packets addressed to itself.
`Consequently, if a user behind an application firewall issues
`the command:
`Telnet target.machine
`an IP packet will be generated by the user workstation that
`is encapsulated with the device address of the firewall but
`with an IP destination address of the target.machine. This
`packet will not be processed by the firewall station and will
`therefore be discarded because IP packet forwarding has
`been disabled in the application level firewall.
`Known application level firewalls also suffer from the
`disadvantage that to date application interfaces have been
`required for each public network service. The known appli
`cation level firewalls will not support "global service' or
`applications using "dynamic port allocations' assigned in
`real time by communicating systems.
`Users on private networks having an application level
`firewall interface therefore frequently install "back doors' to
`the public network in order to run services for which
`applications have not been installed, or to avoid the incon
`venience of the application gateways. These back doors
`provide an unscreened, unprotected security hole in the
`private network which renders that network as vulnerable as
`if there were no firewall at all.
`
`4
`It is a further object of the invention to provide an
`internetwork security gateway which provides application
`proxy flexibility, security and control while permitting users
`to transparently access public network services.
`It is a further object of the invention to provide an
`internetwork security gateway which supports any currently
`offered or future network service.
`It is yet a further object of the invention to provide an
`internetwork security gateway which supports applications
`using port numbers that are dynamically assigned in real
`time by the communicating systems.
`It is yet a further object of the invention to provide an
`internetwork security gateway which listens to all commu
`nications ports in order to detect any attempted intrusion into
`a protected network, regardless of the intruder's point of
`attack.
`In accordance with a first aspect of the invention there is
`disclosed a method of providing a secure gateway between
`a private network and a potentially hostile network, com
`prising the steps of:
`a) accepting from either network all communications
`packets that are encapsulated with a hardware destina
`tion address that matches the device address of the
`gateway;
`b) determining whether there is a process bound to a
`destination port number of an accepted communica
`tions packet;
`c) establishing a first communications session with a
`source address/source port of the accepted communi
`cations packet if there is a process bound to the
`destination port number, else dropping the packet;
`d) establishing a second communications session with a
`destination address/destination port number of the
`accepted communications packet if a first communica
`tions session is established; and
`e) transparently moving data associated with each subse
`quent communications packet between the respective
`first and second communications sessions, whereby the
`first session communicates with the source and the
`second session communicates with the destination
`using the data moved between the first and second
`sessions.
`In accordance with a further aspect of the invention there
`is disclosed an apparatus for providing a secure gateway for
`data exchanges between a private network and a potentially
`hostile network, comprising in combination:
`a gateway station adapted for connection to a telecom
`munications connection with each of the private net
`work and the potentially hostile network;
`an operating system executable by the gateway station, a
`kernel of the operating system having been modified so
`that the operating system:
`a) cannot forward any communications packet from the
`private network to the potentially hostile network or
`from the potentially hostile network to the private
`network, and
`b) will accept for processing any communications
`packet from either of the private network and the
`potentially hostile network provided that the packet
`is encapsulated with a hardware destination address
`that matches the device address of the gateway
`station on the respective networks; and
`at least one proxy process executable by the gateway
`station, the proxy process being adapted to transpar
`ently initiate a first communications session with a
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`SUMMARY OF THE INVENTION
`It is an object of the invention to provide an internetwork
`security gateway which overcomes the known disadvan
`tages of prior art internetwork Security gateways.
`
`65
`
`
`
`25
`
`S
`source of an initial data packet accepted by the oper
`ating System and to transparently initiate a second
`communications session with a destination of the
`packet, and to transparently pass a data portion of
`packets received by the first communications session to
`the second communications session and to pass the data
`portion of packets received by the second communica
`tions session to the first communications session,
`whereby the first session communicates with the source
`using data from the second session and the second
`session communicates with the destination using data
`received from the first session.
`The invention therefore provides a method and an appa
`ratus which permits a private network to be securely inter
`connected with a public or a potentially hostile network.
`The method in accordance with the invention involves
`protecting a private network interconnected with a poten
`tially hostile network whereby a gateway between the two
`networks transparently imitates a host when a communica
`tion data packet is received from a client on one of the
`networks by initiating a communication session with the
`client. If the client is determined to have access rights to the
`requested service, the gateway station imitates the client to
`the host on the other network by initiating a communications
`session with the host. Thereafter, data is passed between the
`client session and the host session by a process which
`coordinates communications between the two distinct, inter
`dependent communications sessions which proceed between
`the client and the gateway station and the host and the
`gateway station.
`For instance, using a gateway station in accordance with
`the invention as an internetwork interface, a user on the
`private network can issue the command:
`telnet publictarget.machine
`and the command will appear to the user to be executed as
`if no gateway existed between the networks so long as the
`user is permitted by the rule bases maintained by the private
`network security administrator to access the publictarget
`machine.
`In order to achieve transparency of operation, the gateway
`station is modified to accept for processing all IP packets
`encapsulated in a network operating system capsule (e.g. an
`ethernet capsule) having a destination address which
`matches the device address of the gateway station, regard
`less of the destination address of the IP packet. This modi
`45
`fication permits the gateway station to provide transparent
`service to users on either network, provided the users are
`authorized for the service. Furthermore, the gateway station
`in accordance with the invention runs a novel generic proxy
`which permits it to listen to all of the 64K communications
`ports accommodated by the UNIX operating system which
`are not served by a dedicated proxy process. As is well
`known to those skilled in the art, certain internetwork
`services have been assigned specific ports for communica
`tion. Most of the designated ports on the Internet are those
`port numbers in the range of 0-1K (1,024). Other applica
`tions and services use port numbers in the range of 1K to
`64K. As noted above, the gateway station in accordance with
`the invention "listens' to all 64K ports. The generic proxy
`process which is executed by the gateway station responds
`to any request for service that is not served by a dedicated
`proxy process, regardless of the destination port number to
`which the request for service is made. Every request for
`service may therefore be responded to. When an intruder
`attacks a private network, the intruder must attempt to access
`the network through the gateway station. Most firewalls
`listen to only a limited subset of the available communica
`
`6
`tions ports. An intruder can therefore probe unattended areas
`of the firewall without detection. The gateway station in
`accordance with the invention will, however, detect a probe
`on any port and may be configured to set an alarm condition
`if repeated probes are attempted. The gateway station in
`accordance with the invention can also be configured to
`perform data sensitivity screening because all communica
`tions packets are delivered by the kernel to the application
`level where the data portion of each packet is passed from
`one in progress communications session to the other. Data
`sensitivity screening permits the detection of sophisticated
`intrusion techniques such as piggybacked protocols, and the
`like.
`The apparatus in accordance with the invention is mod
`eled on the concept of a bastion host, preferably configured
`as a dual home firewall. The apparatus in accordance with
`the invention may also be configured as a multiple-home
`firewall, a single-home firewall or a screened subnet.
`Regardless of the configuration, the apparatus preferably
`comprises a UNIX station which executes a modified oper
`ating system in which IP packet forwarding is disabled. The
`apparatus in accordance with the invention will not forward
`any IP packet, process ICMP direct messages nor process
`any source routing packet between the potentially hostile
`network and the private network. Without IP packet for
`warding, direct communication between the potentially hos
`tile network and the private network are disabled. This is a
`common arrangement for application level firewalls. The
`apparatus in accordance with the invention is, however,
`configured to provide a transparent interface between the
`interconnected networks so that clients on either network
`can run standard network service applications transparently
`without extra procedures, or modifications to accomplish
`communications across the secure gateway. This maximizes
`user satisfaction and minimizes the risk of a client estab
`lishing a "back door' to a potentially hostile network.
`The methods and the apparatus in accordance with the
`invention therefore provide a novel communications gate
`way for interconnecting private and public networks which
`permit users to make maximum use of public services while
`providing a tool for maintaining an impeccable level of
`security for the private network.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`A preferred embodiment of the invention will now be
`further explained by way of example only and with refer
`ence to the following drawings, wherein:
`FIG. 1 is a schematic diagram of a preferred configuration
`for an apparatus in accordance with the invention for pro
`viding a secure gateway for data exchanges between a
`private network and a potentially hostile network;
`FIG. 2 is a schematic diagram of an IP header, a TCP and
`a UDP header in accordance with standard TCP/IP format;
`FIG.3 is a schematic diagram of ethernet encapsulation in
`accordance with RFC 894;
`FIG. 4 is a schematic diagram of a communications flow
`path between a gateway station in accordance with the
`invention, a client on a private network and a host on a
`public network;
`FIG. 5 is a flow diagram of a general overview of TCP
`routing by the kernel of a UNIX station in accordance with
`the prior art,
`FIG. 6 is a flow diagram of a general overview of TCP
`routing by a modified UNIX kernel in accordance with the
`invention;
`
`5,623,601
`
`10
`
`15
`
`20
`
`30
`
`35
`
`40
`
`50
`
`55
`
`60
`
`65
`
`
`
`5,623,601
`
`7
`FIG. 7a is a first portion of a flow diagram of a general
`overview of the implementation of the invention at the
`application level of a gateway station; and
`FIG.7b is a second portion of the flow diagram shown in
`FIG. 7a.
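The packet handling summarized above (the prior-art kernel of FIG. 5 that only processes packets addressed to its own IP, the modified kernel of FIG. 6 that accepts on the encapsulation address alone and hands unserved ports to the generic proxy, and the application-level proxy of FIGS. 7a/7b that runs a client session and a host session and relays screened data between them), as an added Python model that is not the patent's own code. The device address, the client and host addresses, the rule base, the probe-alarm threshold and the screening predicate are constructed for the example; 192.168.77.1 is the gateway address quoted in the FIG. 4 description.

```python
"""Added model of the gateway station's packet handling (FIGS. 5, 6, 7a and 7b)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

GATEWAY_MAC = "02:00:00:00:00:01"   # constructed device (ethernet) address of the gateway
GATEWAY_IP = "192.168.77.1"         # gateway address quoted in the FIG. 4 description
MAX_PORT = 65535                    # the "64K" ports the generic proxy listens on


@dataclass(frozen=True)
class Packet:
    eth_dst: str      # ethernet destination address 40 (FIG. 3)
    src_ip: str       # 32-bit source IP address 32 (FIG. 2)
    dst_ip: str       # 32-bit destination IP address 34
    src_port: int     # 16-bit source port number 36
    dst_port: int     # 16-bit destination port number 38


def prior_art_kernel(pkt: Packet, bound_ports: Set[int], forwarding: bool = False) -> str:
    """FIG. 5: a standard kernel processes only packets whose IP destination is its own."""
    if pkt.eth_dst != GATEWAY_MAC:
        return "drop"
    if pkt.dst_ip != GATEWAY_IP:            # not for us: forward if allowed, else drop
        return "forward" if forwarding else "drop"
    return "deliver" if pkt.dst_port in bound_ports else "drop"


def modified_kernel(pkt: Packet, dedicated_ports: Set[int]) -> str:
    """FIG. 6: accept any packet carrying the gateway's device address, whatever its IP
    destination; forwarding is disabled, so nothing is ever routed through."""
    if pkt.eth_dst != GATEWAY_MAC:
        return "drop"
    if pkt.dst_port in dedicated_ports:     # a dedicated proxy is bound to this port
        return "deliver:dedicated"
    if 0 <= pkt.dst_port <= MAX_PORT:       # every other port is served by the generic proxy
        return "deliver:generic"
    return "drop"


@dataclass
class Session:
    peer_ip: str
    peer_port: int
    received: List[bytes] = field(default_factory=list)   # data relayed to this peer


class ProxyProcess:
    """Application-level proxy (FIGS. 7a/7b). `rules` is the administrator's rule base:
    (client_ip, destination_port) -> whether user-level authentication is required."""

    def __init__(self, rules: Dict[Tuple[str, int], bool],
                 screen: Optional[Callable[[bytes], bool]] = None, alarm_after: int = 3):
        self.rules = rules
        self.screen = screen or (lambda data: True)   # data sensitivity screening hook
        self.alarm_after = alarm_after
        self.probes: Dict[str, int] = {}   # rejected requests per source address
        self.alarms: List[str] = []        # sources that raised the alarm condition

    def open_sessions(self, pkt: Packet,
                      user_ok: Optional[Callable[[], bool]] = None) -> Optional[Tuple[Session, Session]]:
        """Return (client_session, host_session), or None when the request is dropped."""
        needs_auth = self.rules.get((pkt.src_ip, pkt.dst_port))
        if needs_auth is None:              # not expressly permitted: drop and count the probe
            count = self.probes.get(pkt.src_ip, 0) + 1
            self.probes[pkt.src_ip] = count
            if count >= self.alarm_after and pkt.src_ip not in self.alarms:
                self.alarms.append(pkt.src_ip)
            return None
        if needs_auth and not (user_ok and user_ok()):   # FIG. 7a user-level authentication
            return None
        first = Session(pkt.src_ip, pkt.src_port)     # gateway imitates the host to the client
        second = Session(pkt.dst_ip, pkt.dst_port)    # gateway imitates the client to the host
        return first, second

    def relay(self, dst: Session, data: bytes) -> bool:
        """FIG. 7b: pass the data portion of a packet to the other session unless screened out."""
        if not self.screen(data):
            return False
        dst.received.append(data)
        return True


def telnet_walkthrough() -> dict:
    """The telnet example from the text plus a probe of an unserved port (constructed addresses)."""
    telnet = Packet(GATEWAY_MAC, "192.168.77.10", "198.51.100.7", 40001, 23)
    probe = Packet(GATEWAY_MAC, "203.0.113.9", GATEWAY_IP, 5555, 40000)
    printable = lambda d: all(b in (10, 13) or 32 <= b < 127 for b in d)   # toy screening rule
    proxy = ProxyProcess({("192.168.77.10", 23): False}, screen=printable)
    out = {"prior_art": prior_art_kernel(telnet, {23}),   # dropped: dst_ip is not the gateway
           "modified": modified_kernel(telnet, {23}),     # delivered to the telnet proxy
           "probe": modified_kernel(probe, {23})}         # delivered to the generic proxy
    client, host = proxy.open_sessions(telnet)
    out["relayed"] = proxy.relay(host, b"login: guest\r\n")
    out["screened"] = proxy.relay(host, b"\x00\xff\x01")   # rejected by screening
    for _ in range(3):                                    # repeated probes raise the alarm
        proxy.open_sessions(probe)
    out["alarms"] = list(proxy.alarms)
    out["host_received"] = list(host.received)
    return out
```

Running `telnet_walkthrough()` shows the same packet dropped by the prior-art kernel and delivered by the modified one, while the third probe from the unauthorized source raises the alarm.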
`
`8
`directly through the gateway station 14. As will be explained
`below in some detail, these functions have been replaced
`with processes which ensure that all communications data
`packets from the private network 10 to the public network
`12, or vice versa, are properly authenticated.
`Public network communications are typically in TCP/IP
`format. FIG. 2 shows a schematic diagram of an IP header
`26, a TCP header 28 and a UDP (User Datagram Protocol)
`header 30. Each IP header includes a 32-bit source IP
`address 32 and a 32-bit destination IP address 34. Each TCP
`header and each UDP header include a 16-bit source port
`number 36 and a 16-bit destination port number 38. Each
`communication data packet therefore includes a source
`address/source port number and a destination address/des
`tination port number, in accordance with this communica
`tions protocol which is well known in the art. In addition to
`the TCP/IP communications protocol, local area networks
`often operate using ethernet network control software which
`handles intranetwork communications. In accordance with
`ethernet protocol, TCP/IP packets are encapsulated with an
`ethernet encapsulation packet to facilitate routing and ensure
`error free transmission.
`FIG. 3 shows a schematic diagram of an ethernet encap
`sulation packet in accordance with RFC 894. Each encap
`sulation includes an ethernet destination address 40, an
`ethernet source address 42 and a check sum 44 for facili
`tating error detection and correction.
`FIG. 4 illustrates schematically a typical communications
`session between a client station 16 on the private network 10
`and a public host 46 on the public network 12. All commu
`nications between the networks are handled by the gateway
`station 14. When a client 16 wishes to communicate with the
`public network 12, such as in accessing a public host 46, the
`client 16 issues a network command as if the client were not
`behind a firewall. For instance, client 16 may issue the
`command:
`Telnet Target.Machine
`The private network 10 is configured so that all packets
`directed to the public network 12 are encapsulated with the
`ethernet destination address (192.168.77.1) of the gateway
`station 14. A TCP/IP packet encapsulated with the ethernet
`destination address of the gateway station 14 is therefore
`dispatched by the client 16. A normally configured UNIX
`device will not accept for processing TCP/IP packets which
`do not have an IP destination address equal to its own IP
`address. The kernel of the operating system of the gateway
`station 14 is modified so that the gateway station 14 will
`accept for processing any TCP/IP packet having an encap
`sulation destination address 40 that matches the device
`address of the gateway station 14. When the gateway station
`14 receives the client packet containing the Telnet com
`mand, a process is initiated on the gateway station 14 which
`responds to the client 16 to establish a communication
`session 17 as if it were the target machine. As will be
`explained below in detail, the process then authenticates the
`client's authorization to access the requested service and if
`the client 16 is determined to have the required authoriza
`tion, the gateway station 14 initiates a second communica
`tions process 19 with the remote host 46 in which the
`gateway station 14 simulates the client 16 without revealing
`the client address. Once the two communication sessions 17,
`19 are operative, communication is effected between the
`client 16 and the host 46 by passing communication data
`between the two interdependent communication sessions.
`This is accomplished by a process that operates at the
`application level on the gateway station 14, as will be
`explained in detail below. The process accepts communica
`
`10
`
`15
`
`20
`
`25
`
`35
`
`DETAILED DESCRIPTION OF THE
`PREFERRED EMBODIMENT
`Most UNIX hosts communicate using TCP/IP protocol.
`The preferred embodiment of the invention is therefore
`constructed from a UNIX station having a UNIX operating
`system. While the preferred embodiment of the invention
`described below is explained with particular reference to the
`UNIX environment, it is to be well understood by those
`skilled in the art that the principles, concepts and methods
`described may be readily adapted to function with other
`inte