Reverse access method for securing front-end applications and others
A system that provides a secured connection between servers on the LAN and clients on the WAN comprises the LAN (which includes a LAN Server and a LAN Controller) and the DMZ (which includes a DMZ Server and a DMZ Stack Pool Service). When a Client Request reaches the DMZ Server, the DMZ Server stores it in the DMZ Stack Pool Service; the LAN Controller establishes an outbound TCP-based connection to the DMZ Stack Pool Service, which passes the Client Connection Information to the LAN Server via the LAN Controller. The LAN Server then generates a connection between the Service and the DMZ Server.
This application is a continuation reissue application of U.S. application Ser. No. 16/838,401, filed on Apr. 2, 2020, which is a reissue of U.S. application Ser. No. 14/379,305, filed Aug. 18, 2014 (issued as U.S. Pat. No. 9,935,958, on Apr. 3, 2018), which is a National Stage of International Application No. PCT/IL2013/000017 having a filing date of Feb. 13, 2013, which claims foreign priority from Israeli Application No. 218185 having a filing date of Feb. 19, 2012. Each of the foregoing applications is incorporated by reference in its entirety.
Notice: More than one reissue application has been filed for the reissue of U.S. Pat. No. 9,935,958. The reissue application Ser. Nos. are 16/838,401 and the present application.
The following is an invention for securing electronically stored data, the computer on which the data resides, and the communications of that computer with its computer network.
BACKGROUND ART
It is a well-known fact that the computers in an organization's internal network (also known as the local area network or LAN) which provide services to users outside of the organization are highly prone to attacks from external hackers and malicious code. Due to this risk, it is a common practice to protect the LAN by placing external-facing computers in a segregated sub-network and thereby shield the rest of the network in case of an attack. This sub-network is commonly known as the DMZ (or De-Militarized Zone). Any computer running programs that provide services to users outside of the organization's internal network can be placed on the DMZ. The most common types of computers are web servers, email servers, FTP servers and VoIP servers. Since the DMZ is a sub-network that exposes the organization's external services to a larger untrusted network (usually the Internet), potential hackers and malicious code may gain access to the DMZ, but rarely do they gain access to the LAN. The computers on the DMZ have limited connectivity to the computers on the LAN and are usually separated by a firewall that controls the traffic between the DMZ computers and the LAN computers. The DMZ can be seen as an additional layer of security for the LAN.
Organizations that have Internet portals which enable communications with the general public via the Internet are vulnerable to infiltration from the outside. Therefore, many of these organizations establish a DMZ to protect their sensitive data and to reduce the ability of hackers to infiltrate the LAN. The ways and methods under which the DMZ works are known to any expert in the field, and therefore there is no need to describe them here in further detail.
Establishing a DMZ requires the duplication of relevant data and computer programs so they can reside on both the DMZ computers and on the LAN computers. This duplication of data and computer programs has several drawbacks. It can be costly to purchase additional licenses required to install multiple instances of the same computer program on both the LAN and on the DMZ. Supporting and managing duplicate computer programs and data on the LAN and on the DMZ can be costly and difficult. Furthermore, since the DMZ interfaces with the external systems, the data on the DMZ is vulnerable to hacking attacks and external malicious code.
The following invention aims to overcome these disadvantages and to provide an efficient system for protecting the data on the LAN.
The intention of the drawings attached to the application is not to limit the scope of the invention and its application. The drawings are intended only to illustrate the invention and they constitute only one of its many possible implementations.
As described above, there is a strong need for a computer system that enables users to communicate with the LAN and at the same time protects the LAN from external threats. The following invention provides an efficient solution for the issues that are mentioned above.
The present invention provides a System for securing the data and the hosts that reside in the LAN and at the same time enabling users to communicate with the LAN in a secured way.
For the sake of clarity and for simplifying the explanation of the System, the following terms are used:
- WAN: Wide Area Network (10);
- DMZ: De-Militarized Zone (20);
- LAN: Local Area Network (30);
- LAN Server: Server running in the LAN (31);
- DMZ Server: Server running in the DMZ (21);
- DMZ Stack Pool Service: Stores and handles Client's Requests (22) in the DMZ;
- Client Request: HTTP/HTTPS (Web browser)/SSH/SFTP/FTP/FTPS/RDP/SMTP/TLS, and any other TCP/IP based protocols;
- Client Connection Information: IP-address/Port number of the relevant destination service inside the LAN;
- LAN Controller: a controller running in the LAN that manages the Client Connection Information (32);
- Connection Binder: Handshake between two TCP/IP sockets;
- Service: HTTP/HTTPS (Web Server)/SSH/SFTP/FTP/FTPS/RDP/SMTP/TLS, and any other TCP/IP based services.
The objective of this invention is to provide a secured connection between servers in the LAN and the clients in the WAN.
The connections between the System components will be described while describing the System flow. The connection flow of the System is as follows:
First step: The Client Request (of the client (11)) reaches the DMZ Server (21). Second step: The DMZ Server (21) stores the Client Request in the DMZ Stack Pool Service (22). Third step: The LAN Controller (32) establishes an outbound TCP-based connection (41) to the DMZ Stack Pool Service (22). One of the innovative aspects of the System is that the LAN Controller (32) continuously, and/or at predefined time intervals, checks for Client Requests stored in the DMZ Stack Pool Service (22). Fourth step: The DMZ Stack Pool Service (22) then passes the Client Connection Information to the LAN Server (31) via the LAN Controller (32).
Fifth step: The LAN Server (31) then generates two TCP/IP connections: One connection is to the Service (33), which is the destination service, based on the Client Connection Information. The second connection is an outbound connection (42) to the DMZ Server (21). In addition, the LAN Server (31) creates a Connection Binder in the LAN Server between the Service (33) and the outbound connection (42). Sixth step: The DMZ Server (21) then creates a Connection Binder in the DMZ Server between the incoming Client Request (that is stored in the DMZ Stack Pool Service (22)) and the outbound connection (42) arriving from the LAN Server (31), and thereby completes the route of the Client Request.
Once the Connection Binder in the DMZ Server binds the Client Request and the outbound connection (42) arriving from the LAN Server, the Client Request is streamed through the DMZ Server and the LAN Server over the System, and the response data then streams from the Service (33) back to the Client (11).
In accordance with this invention as described above, no administrative management is required in the LAN Server (31) to establish or maintain communications after it is initially installed and configured on the LAN (30) and on the DMZ (20). The LAN Controller (32) permanently or periodically queries the DMZ Stack Pool Service (22) for incoming Client Requests. The DMZ Server (20) will accept all Client Requests and route them to the LAN Server (31) without changing the data that the Client Requests contain. For example, if a Client Request uses the HTTPS connection protocol, then the HTTPS connection protocol will be transmitted over the System, as with any other common protocols such as SSH/SFTP/FTP/FTPS/RDP/SMTP/TLS or any other TCP/IP based protocols.
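The six-step flow above, as an added example that is not part of the patent or of any NetNut product: a Python model of the reverse-access route over real local TCP sockets, in which every connection that touches the LAN is opened outbound from the LAN and the relayed bytes are never altered. The in-process pool, the request ids, the 8-byte id header sent on connection (42), and the echo stand-in for the Service (33) are assumptions of the example; in the patent the LAN Controller's poll is itself an outbound TCP connection.

```python
import contextlib, itertools, queue, socket, threading

# In-process stand-in for the DMZ Stack Pool Service (22): parked client sockets keyed by
# request id, plus the queue the LAN Controller polls (an outbound TCP call in the patent).
PARKED, PENDING, IDS = {}, queue.Queue(), itertools.count(1)

def pump(src, dst):  # one direction of a Connection Binder: relay unchanged, then pass on EOF
    while data := src.recv(4096):
        dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)
def bind(a, b):  # Connection Binder: full-duplex relay between two already-open TCP sockets
    for s, d in ((a, b), (b, a)):
        threading.Thread(target=pump, args=(s, d), daemon=True).start()
def serve(sock, handler):  # accept forever in a daemon thread, hand each socket to handler
    def loop():
        for conn, _ in iter(sock.accept, None):
            handler(conn)
    threading.Thread(target=loop, daemon=True).start()

def dmz_server(service_addr):  # DMZ Server (21): parks WAN clients, never dials into the LAN
    wan, lan = socket.create_server(("127.0.0.1", 0)), socket.create_server(("127.0.0.1", 0))
    def park(client):                                  # step 2: store the Client Request
        rid = next(IDS)
        PARKED[rid] = client
        PENDING.put((rid, service_addr))               # Client Connection Information to poll
    def join(conn):                                    # outbound connection (42) from LAN Server
        hdr = b""
        while len(hdr) < 8:                            # 8-byte request id, then the raw stream
            hdr += conn.recv(8 - len(hdr))
        bind(PARKED.pop(int(hdr)), conn)               # step 6: Connection Binder in the DMZ
    serve(wan, park); serve(lan, join)
    return wan.getsockname()[1], lan.getsockname()[1]

def lan_side(dmz_lan_port):  # LAN Controller (32) + LAN Server (31): poll, then dial out
    while True:
        rid, svc = PENDING.get()                       # steps 3-4: poll, receive connection info
        service = socket.create_connection(svc)        # step 5: connect to the Service (33)
        out = socket.create_connection(("127.0.0.1", dmz_lan_port))  # outbound (42)
        out.sendall(f"{rid:08d}".encode())
        bind(service, out)                             # Connection Binder in the LAN Server

def reverse_access_demo(message=b"GET / HTTP/1.0\r\n\r\n"):
    svc = socket.create_server(("127.0.0.1", 0))       # constructed Service (33): an echo server
    serve(svc, lambda c: threading.Thread(target=pump, args=(c, c), daemon=True).start())
    wan_port, lan_port = dmz_server(svc.getsockname())
    threading.Thread(target=lan_side, args=(lan_port,), daemon=True).start()
    with socket.create_connection(("127.0.0.1", wan_port)) as client:
        client.sendall(message)
        client.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: client.recv(4096), b""))
```

Because the relay is a byte-for-byte TCP stream, an HTTPS or SSH session would pass through unchanged; the echo stand-in simply returns what the client sent so the round trip can be checked.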
Claims
1. A system for reverse access, said system comprising:
- a De-Militarized Zone (DMZ) Stack Pool Service located in a De-Militarized Zone, the DMZ Stack Pool Service being arranged to store requests received from a client, wherein said requests are stored at the TCP/IP level;
- a local area network (LAN) Controller configured to check for existence in said DMZ Stack Pool Service of said requests, wherein said checking is performed at the TCP/IP level and said LAN Controller is located in a LAN; and
- a DMZ server configured to receive said requests from a LAN server of said LAN, and to route said requests to said client, wherein receiving and routing by said DMZ server occurs at the TCP/IP level;
- wherein said DMZ Stack Pool Service, said LAN Controller, and said DMZ server do not change the data of said requests and the system requires no administrative management after initial installation and configuration.
2. The system of claim 1, wherein computer programs and sensitive data of said LAN server reside only in the LAN.
3. A method for reverse access, said method comprising:
- storing requests received from a client, wherein said requests are stored in a De-Militarized zone (DMZ) Stack Pool Service at the TCP/IP level, wherein said DMZ Stack Pool Service is located in a De-Militarized Zone;
- checking at the TCP/IP level, said DMZ Stack Pool Service for existence of said requests, wherein said checking is performed by a local area network (LAN) Controller located in a LAN; and
- receiving said requests from a LAN server of said LAN and routing said requests to said client;
- wherein said storing and routing occurs at the TCP/IP level and said storing and routing does not change data of said requests; and
- wherein said method requires no administrative management of the LAN server after initial installation and configuration.
4. The method of claim 3, wherein computer programs and sensitive data of said LAN server reside only in the LAN.
5. A system for reverse access, the system comprising:
- a De-Militarized Zone (DMZ) Stack Pool Service executing on a device in a DMZ, the DMZ Stack Pool Service being configured to store a request received from a client, wherein the request is stored at a TCP/IP level using a TCP/IP protocol;
- a network Controller located in a network, the network Controller being configured to check for existence of the request in the DMZ Stack Pool Service, wherein the checking is performed at the TCP/IP level; and
- a DMZ server configured to provide data responsive to the request to the client, wherein the providing by the DMZ server occurs at the TCP/IP level using the TCP/IP protocol;
- wherein the DMZ server does not change the data of the request and the system requires no administrative management after initial installation and configuration to perform the storing, checking, and providing.
6. The system of claim 5, wherein a computer program and certain data of the system reside only in the network.
7. The system of claim 5, wherein the network Controller passes client connection information to a server of the network.
8. The system of claim 7, wherein the client connection information includes an Internet Protocol (IP) address associated with a service on the network.
9. The system of claim 7, wherein the client connection information includes a port number associated with a service on the network.
10. The system of claim 5, wherein the DMZ is a subnetwork of the network.
11. The system of claim 10, wherein the subnetwork is configured to interface with computers outside of the network and with computers inside the network.
12. The system of claim 5, wherein the network is a web server network.
13. The system of claim 5, wherein the network is an email network.
14. The system of claim 5, wherein the network is a file storage network.
15. The system of claim 5, wherein the network is an Internet Protocol-based telephone network.
16. A method for reverse access, the method comprising:
- storing a request received from a client in a De-Militarized Zone (DMZ) Stack Pool Service, in a DMZ, at a TCP/IP level using a TCP/IP protocol;
- checking, at the TCP/IP level, the DMZ Stack Pool Service for existence of the request, wherein the checking is performed by a network Controller located in a network;
- establishing an outbound connection from a network server of the network and routing data responsive to the request to the client; and
- wherein the storing and routing occurs at the TCP/IP level using the TCP/IP protocol and a DMZ server does not change data of the request; and
- wherein the method requires no administrative management of a server of the network after initial installation and configuration to perform the storing, checking, and providing.
17. The method of claim 16, wherein a computer program and certain data of the network server reside only in the network.
18. The method of claim 16, wherein the checking for existence of the request is performed continuously.
19. The method of claim 16, wherein the checking for existence of the request is performed periodically.
20. The method of claim 16, further comprising, in response to the checking, passing client connection information to the network server.
21. The method of claim 20, wherein the client connection information is passed to the network server via the network Controller.
22. The method of claim 16, further comprising creating a connection binder between at least one of the requests and the outbound connection.
23. The method of claim 22, further comprising, after creating the connection binder, routing the data responsive to the request to the client.
24. The method of claim 23, wherein routing the data comprises streaming the data.
Type: Grant
Filed: Jul 19, 2024
Date of Patent: Jan 6, 2026
Assignee: NetNut Ltd. (Tel Aviv-Jaffa)
Inventor: Amir Mizhar (Hod Hasharon)
Primary Examiner: Ovidio Escalante
Application Number: 18/778,056
International Classification: H04L 29/06 (20060101); G06F 21/60 (20130101); H04L 9/40 (20220101);