System and method for automatically initiating and dynamically establishing secure internet connections between a fire-walled server and a fire-walled client

Abstract

A system and method for automatically and dynamically initiating and establishing secure connections between a Server and a Client using a session control server (SCS). Both the Server and the Client are connected to an untrusted network (such as the Internet) through a Network Address Translator or Translation (NAT) router or a firewall. The SCS, independently trusted by both the Server and the Client, brokers the required connection parameters to establish a secure connection between the Server and the Client. The system and method does not require any user configuration on the Client and eliminates the need for the Server to accept explicit connection requests or packets from the Client, thereby allowing the Server firewall to always remain closed to all inbound traffic.

Description

RELATED APPLICATION [0001] This application claims priority to U.S. Provisional patent application No. 60 / 561,806 filed Apr. 12, 2004 which is incorporated herein by reference in its entirety.FIELD OF THE INVENTION [0002] The present invention relates to the field of computer networking and network security. More specifically it relates to a method automatically and dynamically initiating and establishing secure connections between a computer (i.e., Server) and a plurality of computers (i.e., clients), each of which is behind a Network Address Translator router and / or firewall. BACKGROUND OF THE INVENTION [0003] The Internet continues undergoing rapid expansion in the numbers of connected computers and it is estimated that the trend towards widely available wireless connectivity and portable computing devices will increase exponentially the number of new computers that connect each day. This rapid expansion has increased radically the need for protecting computers from unauthorized ...

AI Technical Summary

Benefits of technology

[0010] In accordance with an embodiment of the present invention, the method and system automatically and dynamically initiates and establishes connections, preferably secured connections, between a server and a fire-walled client device (Client), both connected to an untrusted network (such as the Internet) through a Network Address Translator or Translation (NAT) router or a firewall. The secure connections of present invention are initiated and established without requiring any user configuration on the Client and without accepting any explicit connection request and / or packets from the Client by the Server, thereby advantageously allowing the Server firewall to always remain closed to all inbound traffic.

[0011] The present invention enables the creation of dynamically instantiated virtual point to point network connections over the Internet to securely connect Servers and Clients on demand, thereby advantageously providing the common user with one single action access (such as one mouse-click, or power-on or network plug-in action) to the Servers with unprecedented ease to use.

[0012] In accordance with an embodiment of the present invention, the system and method as aforementioned utilizes a third Computer, e.g., a trusted party such as a session control server (“SCS”), with a public IP address, independently trusted by both Server and Client, to securely broker the connection parameters required to establish a connection between Server and the Client, preferably a secure connection. The SCS only participates in the Server / Client connection setup and plays no part in the subsequent communications (i.e., exchange of messages) between the Server and the Client. Accordingly, the present invention avoids the performance and security problems associated with the relay and other server based techniques discussed herein.

[0013] The Client sends a connection request containing its own address and a randomly generated unique identifier (different for each Client connection request to each Server) to the SCS, thus providing the SCS with the Client's connection parameters otherwise hidden by the NAT router and / or by the firewall. The Client can be programmed to always perform this step automatically at power-on, upon connection to any new NAT-ted network, upon any change of its network parameters, thus providing for automatic and dynamic initiation / establishment and re-establishment of the secure connection with the Server without any user configuration or intervention.

[0014] The SCS then provides each of the Client and the Server with the respective connection parameters, which are then exchanged securely between them so that first the Client's connection parameters are delivered and uniquely identified to the Server and finally, upon successful completion of the preceding step, the Server initiates the secure connection to the Client through the Client's NAT router or firewall, thus enabling an externally initiated connection to be made by securely overcoming the inbound traffic restrictions imposed by the Client NAT router or firewall and allowing the Server to maintain its own NAT router / firewall closed to all inbound traffic coming from the untrusted network.

[0016] In order to appreciate the current invention, one must understand that even with all the advances in computer security, the Internet remains an inherently insecure environment because it is difficult to reconcile “ease of use” issues with trusted access elements. This invention strikes at the heart of this problem by supplying a methodical approach that eliminates the possibility that fraudulent users can masquerade as legitimate ones, while at the same time, it does not add, in fact it eliminates, many elements that common users would find burdensome.

Problems solved by technology

This rapid expansion has increased radically the need for protecting computers from unauthorized access and has already started causing a number of scalability problems for the Internet network itself.

The practical limit however, is much lower, due to inefficiencies in how IP addresses are allocated and routed.

As such, IPv4 does not provide sufficient unique addresses for the current expansion of the Internet.

However, this is a problem for applications that require Servers to securely connect to Clients, through incoming connections going through their NAT routers, such as file sharing, games applications, video conferencing, voice-over-IP internet telephony or for secure access to computer servers that do not allow clients to directly connect to them from the internet.

When one of these computers is behind a NAT router, then the other computer cannot connect to it, without the use of special techniques and often complex manual configuration required for every change in connection type, location, service or NAT router / firewall type.

Therefore the asymmetric nature of the addressing and connectivity established by NAT does create a number of problems that a) limit the security of widely available internet services to outbound-only applications, such as the World Wide Web, and b) limit the usability and mass market availability of many additional internet applications and services potentially attractive to large consumer markets, to a smaller number of professionally trained users capable of managing the complex configuration and system management requirements imposed by the currently available NAT and NAT-transverse technology.

Images