The present invention generally relates to communications. More specifically, the invention relates to bidirectional communications across a firewall.
Network security is a daunting challenge for network administrators. The administrator must keep the networks open enough to satisfy operational demands, while secure enough to maintain a high degree of security. Typically, administrators operate a firewall to limit communications into and out of a secured network. Computer networks and devices “behind” the firewall are protected from undesired communications, while computer networks “outside” the firewall are not protected by the firewall and are considered “unsecured”. Computer networks outside the firewall may be protected by a firewall, but are considered unsecure since the level of protection is unknown.
Historically, firewalled networks are difficult to traverse from a central location outside the firewall. This difficulty is enhanced by a common firewall policy that disallows connections from outside the firewall, and only allows connections from inside the firewall. In other words, many firewalls do not allow connections to a secured network from an unsecured network.
This inability to connect to a resource within a secured network has been previously addressed with the use of proxies. These proxy solutions rely on the secured network polling for connection requests from the unsecured network. While generally effective, such polling is complicated and can be slow. Additionally, this solution does not scale well.
It is therefore a challenge to develop a method to provide bidirectional communication to overcome these, and other, disadvantages.
A first embodiment of the invention includes a method of bidirectional communication through a firewall. The method includes opening a command channel across the firewall between a gateway manager within a secure network and a gateway service and receiving a resource request via the command channel from the gateway service at the gateway manager. The method further includes determining a resource within the secure network and an agent associated with the resource request, sending a resource access notification from the gateway manager to the determined resource, and receiving a resource communication from the associated resource responsive to the notification. The method further includes tying the associated resource to the agent based on the resource communication.
The foregoing embodiment and other embodiments, objects, and aspects as well as features and advantages of the present invention will become further apparent from the following detailed description of various embodiments of the present invention. The detailed description and drawings are merely illustrative of the present invention, rather than limiting the scope of the present invention being defined by the appended claims and equivalents thereof.
An operating system runs on processor 152 to coordinate and provide control of various components within computer system 150. The operating system may be any appropriate available operating system such as Windows, Macintosh, UNIX, LINUX, or OS/2, which is available from International Business Machines Corporation. “OS/2” is a trademark of International Business Machines Corporation. Instructions for the operating system, an object-oriented operating system, and applications or programs are located on storage devices, such as hard disk drive 176 and may be loaded into main memory 154 for execution by processor 152.
Those of ordinary skill in the art will appreciate that the hardware in
In
Having opened the command channel 345 (
The gateway manager 305 determines at least one resource 325 within the secure network 398 associated with the resource request at step 330. The determination can include parsing the request to identify the resource. Additionally, in one embodiment, determining the resource includes determining at least one network address of the resource associated with the resource request and determining availability of the resource. Determining availability can include pinging the resource to determine a status of the resource, as well as determining network conditions (such as congestion, distance, etc.) between the resource and gateway manager, and selecting one of a plurality of similar resources if appropriate.
At least one agent 335 associated with the resource request is determined at step 340. Agent 335 is any software or hardware residing on a network behind firewall 392 that intends to access a resource, such as resource 325 residing behind firewall 391. The determination of the agent is based on a particular request encoded in the resource request, in one embodiment. In another embodiment, the determination is responsive to at least one characteristic encoded in the resource request. In one embodiment, the resource request includes at least one port number on which the agent intends to communicate with the resource. The encoded characteristic can be, for example, an address, a name, a functional description, or the like.
Gateway manager 305 sends a resource access notification to the determined resource at step 350. The resource access notification is a message requesting formation of a connection from the gateway manager 305 to the resource 325.
A resource communication is received at the gateway manager from the resource at step 360. The resource communication is a message encoded with information relating to the availability of the resource. In one embodiment, the information includes a port number on which the resource will communicate with the agent.
The gateway manager ties the resource to the gateway service based on the resource communication at step 370. Tying the resource allows the agent to have largely unrestricted access to the resource.
The gateway manager further determines a resource port based on the resource communication at step 520. The resource port is a port on which the resource will communicate with the agent. The gateway manager can determine the resource port by polling the resource, or by decoding the resource communication to determine if the resource port is included in the resource communication.
Having determined the resource port and agent port, the gateway manager then sends the resource port to the agent at step 530 and sends the agent port to the resource at step 540. Communications thereafter between the agent and resource can be directed to the appropriate port, expediting transmission through the firewall and gateway manager.
Having determined the address, method 600 then determines availability of the resource at step 620. Availability of the resource can be affected by resource usage, network usage, network conditions, network congestion, physical distance between devices or other factors.
The gateway service receives a resource request at step 720. The resource request is implemented, for example, in a similar fashion as in step 320. The resource request is sent to the gateway manager via the command channel at step 730. After sending the resource request, the gateway service receives a resource communication from the gateway manager at step 740. The resource communication includes at least one communication tied to the resource associated with the resource request or a denial of connection. Based on receiving a tied communication, the gateway service ties a communication between the agent and the gateway manager at step 750.
Use of the methods described herein results in the formation of a virtual connection between the agent and resource via the tied communications. This virtual connection extends through the firewall isolating the resource from unsecured networks. Each tied connection operates so that the connection in and connection out behave as a single connection.
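The exchange of steps 320 through 370, 520 through 540 and 730 through 750, as an added in-memory simulation that is not part of the patent: the gateway manager on the secure side opens the command channel outbound, the gateway service forwards a resource request over it, and the manager either denies or ties the agent to the resource and exchanges ports. Message layout, field names and the resource inventory are assumptions.

```python
# Added example (not the patent's own code): in-memory simulation of the command-channel
# exchange between a gateway manager (secure side) and a gateway service (unsecured side).
# Message layout, field names and the constructed resource inventory are assumptions.

RESOURCES = {"build-server": ("10.0.0.12", 8443, True), "db": ("10.0.0.20", 5432, False)}  # name -> (address, port, available)

def resource_communication(address, port):
    # Step 360: the resource answers the access notification with the port it will use.
    return {"type": "resource_communication", "address": address, "port": port}

class GatewayManager:
    """Inside the firewall. Opens the command channel outbound, so no inbound rule is needed."""
    def __init__(self):
        self.ties = {}  # agent -> (resource address, resource port, agent port)
    def open_command_channel(self, service):
        service.channel = self  # outbound from the secure side, allowed by the firewall policy
        return True

    def handle_resource_request(self, request):
        # Step 330: determine the resource (its address) and its availability.
        entry = RESOURCES.get(request["resource"])
        if entry is None:
            return {"type": "denial", "reason": "unknown resource"}
        address, port, available = entry
        if not available:
            return {"type": "denial", "reason": "resource unavailable"}
        # Step 340: the agent and its port are characteristics encoded in the request.
        agent, agent_port = request["agent"], request["agent_port"]
        # Steps 350/360: notify the resource and receive its resource communication.
        comm = resource_communication(address, port)
        # Steps 370 and 520-540: tie resource to agent and hand each side the other's port.
        self.ties[agent] = (address, comm["port"], agent_port)
        return {"type": "tied", "agent": agent, "resource_port": comm["port"], "agent_port": agent_port}

class GatewayService:
    """Outside the firewall. Never connects inward; it only uses the channel the manager opened."""
    def __init__(self):
        self.channel = None

    def request(self, agent, resource, agent_port):
        if self.channel is None:  # no command channel yet: nothing can cross the firewall
            return {"type": "denial", "reason": "no command channel"}
        # Step 730: forward the agent's request over the command channel.
        return self.channel.handle_resource_request(
            {"type": "resource_request", "agent": agent, "resource": resource, "agent_port": agent_port})

def demo():
    manager, service = GatewayManager(), GatewayService()
    manager.open_command_channel(service)
    return service.request("agent-a", "build-server", 40001), service.request("agent-b", "db", 40002)
```

Running demo() shows one request tied (resource port 8443 returned to the agent side, agent port 40001 recorded for the resource side) and one denied because the resource is marked unavailable.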
The invention can take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment containing both hardware and software elements. In a preferred embodiment, the invention is implemented in software, which includes but is not limited to firmware, resident software, microcode, etc. Furthermore, the invention can take the form of a computer program product accessible from a computer-usable or computer-readable medium providing program code for use by or in connection with a computer or any instruction execution system. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. The medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device), or a propagation medium such as a carrier wave. Examples of a computer-readable medium include a semiconductor or solid-state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk and an optical disk.
While the embodiments of the present invention disclosed herein are presently considered to be preferred embodiments, various changes and modifications can be made without departing from the spirit and scope of the present invention. The scope of the invention is indicated in the appended claims, and all changes that come within the meaning and range of equivalents are intended to be embraced therein.