United States Patent 5623601
Link to this page: http://www.wikipatents.com/5623601.html
Inventor(s): Vu; Hung T. (Ottawa, CA)

Abstract: An apparatus and method for providing a secure firewall between a private
network and a public network are disclosed. The apparatus is a gateway
station having an operating system that is modified to disable
communications packet forwarding, and further modified to process any
communications packet having a network encapsulation address which matches
the device address of the gateway station. The method includes enabling
the gateway station to transparently initiate a first communications
session with a client on a first network requesting a network service from
a host on a second network, and a second independent communications
session with the network host to which the client request was addressed.
The data portion of communications packets from the first session is
passed to the second session, and vice versa, by application level proxies
which are passed the communications packets by the modified operating
system. Data sensitivity screening is preferably performed on the data to
ensure security. Only communications enabled by a security administrator
are permitted. The advantage is a transparent firewall with application
level security and data screening capability.

Title Information

Title: Apparatus and method for providing a secure gateway for communication
and data exchanges between networks
Publication Date: April 22, 1997
Filing Date: November 21, 1994

[Drawing from US Patent 5623601]
Claims

I claim:
1. A method of providing a secure gateway between a private network and a
potentially hostile network, comprising the steps of:
(a) addressing communications packets directly to a host on the potentially
hostile network as if there were a communications path to the host, but
encapsulating the packets with a hardware destination address that matches
a device address of the gateway;
(b) accepting at the gateway communications packets from either network
that are encapsulated with a hardware destination address which matches
the device address of the gateway;
(c) determining at the gateway whether there is a process bound to a
destination port number of an accepted communications packet;
(d) establishing transparently at the gateway a first communications
session with a source address/source port of the accepted communications
packet if there is a process bound to the destination port number, else
dropping the packet;
(e) establishing transparently at the gateway a second communications
session with a destination address/destination port of the accepted
communications packet if a first communications session is established;
and
(f) transparently moving data associated with each subsequent
communications packet between the respective first and second
communications sessions, whereby the first session communicates with the
source and the second session communicates with the destination using the
data moved between the first and second sessions.
2. A method of providing a secure gateway between a private network and a
potentially hostile network as claimed in claim 1 wherein the step of
determining involves checking to determine if a process is bound to the
destination port number, and passing the packet to a generic process if a
process is not bound to the destination port number, the generic process
acting to establish the first and second communications sessions and to
move the data between the first and second communications sessions.
3. A method of providing a secure gateway between a private network and a
potentially hostile network as claimed in claim 1 wherein the method
further involves the steps of:
a) checking a rule base to determine if the source address requires
authentication; and
b) authenticating the source by requesting a user identification and a
password and referencing a database to determine if the user
identification and password are valid.
4. A method of providing a secure gateway between a private network and a
potentially hostile network as claimed in claim 1 wherein the method
further involves the steps of:
a) referencing a rule base after the first communications session is
established to determine whether the source address is permitted access to
the destination address for a requested type of service; and
b) cancelling the first communications session if the rule base does not
include a rule to permit the source address to access the destination
address for the requested type of service.
5. A method of providing a secure gateway between a private network and a
potentially hostile network as claimed in claim 3, wherein the method
further involves the steps of:
a) creating a user authentication file which contains the source address of
the authenticated user in a user authentication directory; and
b) referring to the authentication file to determine if a source address
has been authenticated each time a new communications session is initiated
so that the gateway is completely transparent to an authenticated source.
6. A method of providing a secure gateway between a private network and a
potentially hostile network as claimed in claim 5 wherein the user
authentication file includes a creation time variable which is set to a
system time value when the user is authenticated.
7. A method of providing a secure gateway between a private network and a
potentially hostile network as claimed in claim 6 wherein the method
further involves the steps of:
a) updating a modification time variable of the authentication file each
time the user initiates a new communications session through the gateway
station.
8. A method of providing a secure gateway between a private network and a
potentially hostile network as claimed in claim 7 wherein the method
further involves the steps of:
a) periodically checking each user authentication file to determine whether
one of a first difference between the authentication time variable and the
system time and a second difference between the modification time variable
and the system time has exceeded a predefined threshold; and
b) deleting the user file from the user authentication directory if the
threshold has been exceeded by each of the first and second differences.
9. A method for providing a secure gateway between a private network and
a potentially hostile network as claimed in claim 1 wherein the method
further involves the steps of:
a) performing a data sensitivity check on the data associated with each
packet as a step in the process of moving the data between the respective
first and second communications sessions.
10. A method of providing a secure gateway between a private network and a
potentially hostile network, comprising the steps of:
(a) addressing communications packets directly to a host on the potentially
hostile network as if there were a communications path to the host, but
encapsulating the packets with a hardware destination address that matches
a device address of the gateway;
(b) accepting from either network all TCP/IP packets that are encapsulated
with a hardware destination address which matches the device address of
the gateway;
(c) determining whether there is a proxy process bound to a port for
serving a destination port number of an accepted TCP/IP packet;
(d) establishing a first communications session with a source
address/source port number of the accepted TCP/IP packet if there is a proxy
process bound to the port for serving the destination port number, else
dropping the packet;
(e) determining if the source address/source port number of the accepted
packet is permitted to communicate with a destination address/destination
port number of the accepted packet by referencing a rule base, and
dropping the packet if a permission rule cannot be located;
(f) establishing a second communications session with the destination
address/destination port number of the accepted TCP/IP packet if a first
communications session is established and the permission rule is located;
and
(g) transparently moving data associated with each subsequent TCP/IP packet
between the respective first and second communications sessions, whereby
the first session communicates with the source and the second session
communicates with the destination using the data moved between the first
and second sessions.
11. A method of providing a secure gateway between a private network and a
potentially hostile network as claimed in claim 10 wherein the step of
determining involves checking a table to determine if a custom proxy
process is bound to the destination port number, and passing the packet to
a generic proxy process if a custom proxy process is not bound to the
destination port number, the generic proxy process being executed to
establish the first and second communications sessions and to move the
data between the first and second communications sessions.
12. A method of providing a secure gateway between a private network and a
potentially hostile network as claimed in claim 10 wherein the step of
establishing a first communications session with a source address/source
port number further involves the steps of:
a) checking a rule base to determine if the source requires authentication;
b) checking an authentication directory to determine if an authentication
file exists for the source in an instance where the source requires
authentication; and
c) if the source requires authentication and an authentication file for the
source cannot be located, authenticating the source by requesting a user
identification and a password and referencing a user identification
database to determine if the user identification and password are valid.
13. A method of providing a secure gateway between a private network and a
potentially hostile network as claimed in claim 12 wherein the method
further involves the steps of:
a) referencing a rule base as a first step after the first communications
session is established to determine whether the user
identification/password at the source address is permitted to communicate
with the destination address for a requested service; and
b) cancelling the first communications session if the rule base does not
include a rule to permit the user identification/password at the source
address to communicate with the destination address for the requested type
of service.
14. A method of providing a secure gateway between a private network and a
potentially hostile network as claimed in claim 12, wherein the method
further involves the steps of:
a) creating a user authentication file which contains the source address of
the authenticated user in a user authentication directory; and
b) referring to the authentication file to determine if a source address
has been authenticated each time a new communications session is initiated
so that the gateway is completely transparent to an authenticated source
having an authentication file in the authentication directory.
15. A method of providing a secure gateway between a private network and a
potentially hostile network as claimed in claim 14 wherein a file creation
time variable which is automatically set by an operating system of the
gateway station to a system time value when a file is created, is used to
monitor a time when the user is authenticated.
16. A method of providing a secure gateway between a private network and a
potentially hostile network as claimed in claim 14 wherein the method
further involves the steps of:
a) rewriting the user authentication file each time the user initiates a
new communications session through the gateway station so that a
modification time variable in the authentication file is automatically
updated by the operating system of the secure gateway.
17. A method of providing a secure gateway between a private network and a
potentially hostile network as claimed in claim 16 wherein the method
further involves the steps of:
a) periodically checking each user authentication file to determine whether
one of a first difference between the authentication time variable and the
system time and a second difference between the modification time variable
and the system time has exceeded a predefined threshold; and
b) deleting the user file from the user authentication directory if the
threshold has been exceeded by both of the first and second differences.
18. A method for providing a secure gateway between a private network and
a potentially hostile network as claimed in claim 10 wherein the method
further involves the steps of:
a) performing a data sensitivity check on the data portion of each packet
as a step in the process of moving the data between the respective first
and second communications sessions, whereby the TCP/IP packet is passed by
a modified kernel of an operating system of the secure gateway to the
proxy process which extracts the data from the packet and passes the data
from one of the first and second communications sessions to a proxy
process which operates at an application layer of the gateway station and
the proxy process executes data screening algorithms to screen the data
for elements that could represent a potential security breach before the
data is passed to the other of the first and second communications
sessions.
19. Apparatus for providing a secure gateway for data exchanges between a
private network and a potentially hostile network, comprising in
combination:
a gateway station adapted for connection to a telecommunications connection
with each of the private network and the potentially hostile network;
an operating system executable by the gateway station, a kernel of the
operating system having been modified so that the operating system:
a) cannot forward any communications packet from the private network to the
potentially hostile network or from the potentially hostile network to the
private network; and
b) will accept for processing any communications packet from either of the
private network and the potentially hostile network provided that the
packet is encapsulated with a hardware destination address that matches
the device address of the gateway station on the respective network; and
at least one proxy process executable by the gateway station, the at least
one proxy process being adapted to transparently initiate a first
communications session with a source of an initial data packet accepted by
the operating system and to transparently initiate a second communications
session with a destination of the packet without intervention by the
source, and to transparently pass the data portion of packets received by
the first communications session to the second communications session and
to pass the data portion of packets received by the second communications
session to the first communications session, whereby the first session
communicates with the source using data from the second session and the
second session communicates with the destination using data received from
the first session.
20. Apparatus for providing a secure gateway for data exchanges between a
private network and a potentially hostile network as claimed in claim 19
wherein the operating system is a Unix operating system.
21. Apparatus for providing a secure gateway for data exchanges between a
private network and a potentially hostile network as claimed in claim 19
wherein the at least one proxy process includes modified public domain
proxy processes for servicing Telnet, FTP, and UDP communications.
22. Apparatus for providing a secure gateway for data exchanges between a
private network and a potentially hostile network as claimed in claim 19
wherein the at least one proxy process is a generic proxy process capable
of servicing any network service which may be communicated within TCP/IP
protocol, on any one of the 64K TCP/IP communications ports.
23. Apparatus for providing a secure gateway for data exchanges between a
private network and a potentially hostile network as claimed in claim 22
wherein the kernel is modified so that it will pass to the generic proxy
process any communications packet having a destination port number that
indicates a port to which no custom proxy process is bound, if the generic
proxy process is bound to a predefined communications port when the
communications packet is received by the kernel.
24. Apparatus for providing a secure gateway for data exchanges between a
private network and a potentially hostile network as claimed in claim 20
wherein the gateway station is a Unix station.
25. Apparatus for providing a secure gateway for data exchanges between a
private network and a potentially hostile network as claimed in claim 19
wherein the apparatus further includes programs for providing a security
administrator with an interface to permit the security administrator to
build a rule base for controlling communications through the gateway
station.
26. Apparatus for providing a secure gateway for data exchanges between a
private network and a potentially hostile network as claimed in claim 19
wherein the at least one proxy process includes domain proxy processes for
servicing Gopher and TCP communications.
27. Apparatus for providing a secure gateway for data exchanges between a
private network and a potentially hostile network as claimed in claim 19
wherein the Gopher proxy process is enabled to authenticate users whenever
a Gopher session is initiated and user authentication is required.
28. Apparatus for providing a secure gateway for data exchanges between a
private network and a potentially hostile network as claimed in claim 22
wherein the generic proxy process capable of servicing any network service
which may be communicated within TCP/IP protocol, on any one of the 64K
TCP/IP communications ports is a TCP proxy process.
29. A computer system for providing a secure gateway between a private
network and a potentially hostile network, comprising:
a) means for accepting from either network all communications packets that
are encapsulated with a hardware destination address which matches the
device address of the gateway;
b) means for determining whether there is a process bound to a destination
port number of an accepted communications packet;
c) means for establishing a first communications session with a source
address/source port of the accepted communications packet if there is a
process bound to the destination port number, else dropping the packet;
d) means for transparently establishing, without intervention from the
source, a second communications session with a destination
address/destination port of the accepted communications packet if a first
communications session is established; and
e) means for transparently moving data associated with each subsequent
communications packet between the respective first and second
communications sessions, whereby the first session communicates with the
source and the second session communicates with the destination using the
data moved between the first and second sessions.
30. A computer system providing a secure gateway between a private network
and a potentially hostile network as claimed in claim 29 wherein the means
for determining checks to determine if a process is bound to the
destination port number, and passes the packet to a generic process if a
process is not bound to the destination port number, the generic process
acting to establish the first and second communications sessions and to
move the data between the first and second communications sessions.
31. A computer system for providing a secure gateway between a private
network and a potentially hostile network as claimed in claim 29 wherein
the system further includes:
a) means for checking a rule base to determine if the source address
requires authentication; and
b) means for authenticating the source by requesting a user identification
and a password and referencing a database to determine if the user
identification and password are valid.
32. A computer system for providing a secure gateway between a private
network and a potentially hostile network as claimed in claim 29 wherein
the system further includes:
a) means for referencing a rule base after the first communications session
is established to determine whether the source address is permitted to
access the destination address for a requested type of service; and
b) means for cancelling the first communications session if the rule base
does not include a rule to permit the source address to access the
destination address for the requested type of service.
33. A computer system for providing a secure gateway between a private
network and a potentially hostile network as claimed in claim 32, wherein
the system further includes:
a) means for creating a user authentication file which contains the source
address of the authenticated user in a user authentication directory; and
b) means for referring to the authentication file to determine if a source
address has been authenticated each time a new communications session is
initiated so that the gateway is completely transparent to an
authenticated source.
34. A computer system for providing a secure gateway between a private
network and a potentially hostile network as claimed in claim 33 wherein
the user authentication file includes a creation time variable which is
set to a system time value when the user is authenticated.
35. A computer system for providing a secure gateway between a private
network and a potentially hostile network as claimed in claim 34 wherein
the system further includes:
a) means for updating a modification time variable of the authentication
file each time the user initiates a new communications session through the
gateway station.
36. A computer system for providing a secure gateway between a private
network and a potentially hostile network as claimed in claim 35 wherein
the system further includes:
a) means for periodically checking each user authentication file to
determine whether one of a first difference between the authentication
time variable and the system time and a second difference between the
modification time variable and the system time has exceeded a predefined
threshold; and
b) means for deleting the user file from the user authentication directory
if the threshold has been exceeded by each of the first and second
differences.
37. A computer system for providing a secure gateway between a private
network and a potentially hostile network as claimed in claim 29 wherein the
system further includes:
a) means for performing a data sensitivity check on the data associated
with each packet as a step in the process of moving the data between the
respective first and second communications sessions.
38. A computer-readable memory encoded with computer-readable instructions
for providing a secure gateway between a private network and a potentially
hostile network, comprising:
a) instructions for accepting from either network all communications
packets that are encapsulated with a hardware destination address which
matches the device address of the gateway;
b) instructions for determining whether there is a process bound to a
destination port number of an accepted communications packet;
c) instructions for transparently establishing a first communications
session with a source address/source port of the accepted communications
packet if there is a process bound to the destination port number, else
dropping the packet;
d) instructions for transparently establishing, without intervention from
the source, a second communications session with a destination
address/destination port of the accepted communications packet if a first
communications session is established; and
e) instructions for transparently moving data associated with each
subsequent communications packet between the respective first and second
communications sessions, whereby the first session communicates with the
source and the second session communicates with the destination using the
data moved between the first and second sessions.
39. A computer readable memory as claimed in claim 38 wherein the computer
readable memory comprises at least one compact disk.
40. A computer readable memory as claimed in claim 38 wherein the computer
readable memory comprises at least one floppy diskette.
41. A computer readable memory as claimed in claim 38 wherein the computer
readable memory comprises at least one hard disk drive.
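As an added illustration (not code from the patent or any product based on it), the following Python model walks through the packet-acceptance and dual-session logic of claims 10-18 and the authentication-directory timeout of claims 14-17. The packet fields, the gateway hardware address, the rule tuple format and the integer timestamps are assumptions made for the example.

```python
from dataclasses import dataclass, field

GATEWAY_MAC = "02:00:5e:00:00:01"   # constructed device address of the gateway


@dataclass
class Packet:
    dst_mac: str     # hardware destination address of the encapsulation
    src_ip: str
    src_port: int
    dst_ip: str      # the real host on the other network, not the gateway
    dst_port: int
    data: bytes = b""


@dataclass
class SessionPair:
    first: tuple     # session facing the source
    second: tuple    # session facing the destination host
    proxy: str
    relayed: list = field(default_factory=list)


class Gateway:
    def __init__(self, mac, custom_proxies, rule_base, generic_proxy=True,
                 screen=None):
        self.mac = mac
        self.custom_proxies = custom_proxies  # dst_port -> proxy name (claim 11)
        self.rule_base = set(rule_base)       # permitted (src_ip, dst_ip, dst_port)
        self.generic_proxy = generic_proxy    # generic TCP proxy bound (claim 23)
        self.screen = screen                  # data sensitivity hook (claim 18)
        self.sessions = {}                    # (src_ip, src_port) -> SessionPair

    def _proxy_for(self, dst_port):
        if dst_port in self.custom_proxies:
            return self.custom_proxies[dst_port]
        return "generic-tcp" if self.generic_proxy else None

    def handle(self, pkt):
        # Forwarding is disabled, so nothing is routed onward: a packet is
        # processed locally only if its hardware destination is the gateway.
        if pkt.dst_mac != self.mac:
            return "ignored: hardware destination is not the gateway"
        key = (pkt.src_ip, pkt.src_port)
        if key in self.sessions:
            return self._relay(self.sessions[key], pkt.data)
        proxy = self._proxy_for(pkt.dst_port)
        if proxy is None:                     # claim 10(c)-(d)
            return "dropped: no proxy bound to destination port"
        # Default deny (claim 10(e)): without an explicit rule there is no
        # second session, and the source never reaches the destination.
        if (pkt.src_ip, pkt.dst_ip, pkt.dst_port) not in self.rule_base:
            return "dropped: no permission rule"
        self.sessions[key] = SessionPair(key, (pkt.dst_ip, pkt.dst_port), proxy)
        return "sessions established via " + proxy

    def _relay(self, pair, data):
        # Only the data portion crosses between the two sessions, and the
        # screening hook sees it before the other side does (claim 18).
        if self.screen is not None and not self.screen(data):
            return "blocked: data sensitivity check failed"
        pair.relayed.append(data)
        return "relayed %d bytes via %s" % (len(data), pair.proxy)


class AuthDirectory:
    """Per-source authentication files (claims 14-17); creation and
    modification times are plain integers here rather than OS file stamps."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.files = {}   # src_ip -> [ctime, mtime]

    def authenticate(self, src_ip, now):
        self.files[src_ip] = [now, now]       # file created: ctime == mtime

    def is_authenticated(self, src_ip, now):
        entry = self.files.get(src_ip)
        if entry is None:
            return False
        entry[1] = now                        # file rewritten: mtime refreshed
        return True

    def reap(self, now):
        # Claim 17 deletes only when BOTH differences exceed the threshold;
        # since mtime >= ctime this is an idle timeout, so a source that keeps
        # opening sessions is never made to authenticate again.
        expired = [ip for ip, (c, m) in self.files.items()
                   if now - c > self.threshold and now - m > self.threshold]
        for ip in expired:
            del self.files[ip]
        return expired


if __name__ == "__main__":
    gw = Gateway(GATEWAY_MAC, {23: "telnet"}, [("10.0.0.5", "192.0.2.10", 23)],
                 screen=lambda d: b"SECRET" not in d)
    for data in (b"", b"GET", b"SECRET"):
        print(gw.handle(Packet(GATEWAY_MAC, "10.0.0.5", 40001,
                               "192.0.2.10", 23, data)))
```

The reaper's "both differences" condition is worth noting when reading claims 8 and 17: because the modification time can never be older than the creation time, the creation-time test adds nothing, and re-authentication is only ever forced after a period of inactivity.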

Description

TECHNICAL FIELD
This application relates generally to internetwork communications and data
exchanges and, in particular, to secure gateways which serve as firewalls
between computer networks to inhibit electronic vandalism and espionage.
BACKGROUND OF THE INVENTION
As computing power and computer memory have been miniaturized and become
more affordable, computer networks have largely displaced mainframe and
minicomputer technology as a business automation platform. Public
information networks have also sprung up around the world. The largest and
most pervasive public network is the Internet which was created in the
late 1960s as a United States Department of National Defence project to
build a network connecting various military sites and educational research
centers. While the interconnection of private networks with public
networks such as the Internet may provide business opportunities and
access to vital information, connecting a private, secure network to a
public network is hazardous unless some form of secure gateway is
installed between the two networks to serve as a "firewall".
Public networks, as their name implies, are accessible to anyone with
compatible hardware and software. Consequently, public networks attract
vandals as well as amateurs and professionals involved in industrial
espionage. Private networks invariably store trade secret and confidential
information which must be protected from exposure to unauthorized
examination, contamination, destruction or retrieval. Any private network
connected to a public network is vulnerable to such hazards unless the
networks are interconnected through a secure gateway which prevents
unauthorized access from the public network.
A great deal of effort has been dedicated to developing secure gateways for
internetwork connection. As noted above, these gateways are commonly
referred to as firewalls. The term firewall is broadly used to describe
practically any internetwork security scheme. Firewalls are generally
developed on one or more of three models: the screening router, the
bastion host and the dual homed gateway. These models may be briefly
defined as:
Screening router--Screening routers typically have the ability to block
traffic between networks or specific hosts on an IP port level. Screening
routers can be specially configured commercial routers or host-based
packet filtering applications. Screening routers are a basic component of
many firewalls. Some firewalls consist exclusively of a screening router
or a packet filter.
Bastion host--Bastion hosts are host systems positioned between a private
network and a public network which have particular attention paid to their
security. They may run special security applications, undergo regular
audits, and include special features such as "sucker traps" to detect and
identify would-be intruders.
Dual homed gateway--A dual homed gateway is a bastion host with a modified
operating system in which TCP/IP forwarding has been disabled. Therefore,
direct traffic between the private network and the public network is
blocked. The private network can communicate with the gateway, as can the
public network but the private network cannot communicate with the public
network except via the public side of the dual homed gateway. Application
level or "proxy" gateways are often used to enhance the functionality of
dual homed gateways. Much of the protocol level software on networks
operates in a store-and-forward mode. Prior art application level gateways
are service-specific store-and-forward programs which commonly operate in
user mode instead of at the protocol level.
All of the internetwork gateways known to date suffer from certain
disadvantages which compromise their security or inconvenience users. Most
known internetwork gateways are also potentially susceptible to intruders
if improperly used or configured.
The only firewall for many network installations is a screening router
which is positioned between the private network and the public network.
The screening router is designed to permit communications only through
certain predesignated ports. Many network services are offered on specific
designated ports. Generally, screening routers are configured to permit
all outbound traffic from the private network while restricting inbound
traffic to those certain specific ports allocated to certain network
services. A principal weakness of screening routers is that the router's
administrative password may be compromised. If an intruder is capable of
communicating directly with the router, the intruder can very easily open
the entire private network to attack by disabling the screening
algorithms. Unfortunately, this is extremely difficult to detect and may
go completely unnoted until serious damage has resulted. Screening routers
are also subject to permitting vandalism by "piggybacked" protocols which
permit intruders to achieve a higher level of access than was intended to
be permitted.
Packet filters are a more sophisticated type of screening that operates on
the protocol level. Packet filters are generally host-based applications
which permit certain communications over predefined ports. Packet filters
may have associated rule bases and operate on the principle of "that which
is not expressly permitted is prohibited". Public networks such as the
Internet operate in TCP/IP protocol. A UNIX operating system running
TCP/IP has a capacity of 64K communication ports. It is therefore
generally considered impractical to construct and maintain a comprehensive
rule base for a packet filter application. Besides, packet filtering is
implemented using the simple Internet Protocol (IP) packet filtering
mechanisms which are not regarded as being robust enough to permit the
implementation of an adequate level of protection. The principal drawback
of packet filters is that they are executed by the operating system kernel
and there is a limited capacity at that level to perform screening
functions. As noted above, protocols may be piggybacked to either bypass
or fool packet filtering mechanisms and may permit skilled intruders to
access the private network.
The dual homed gateway is an often used and easy to implement alternative.
Since the dual homed gateway does not forward TCP/IP traffic, it
completely blocks communication between the public and private networks.
The ease of use of a dual homed gateway depends upon how it is
implemented. It may be implemented by giving users logins to the public
side of the gateway host, or by providing application gateways for
specific services. If users are permitted to log on to the gateway, the
firewall security is seriously weakened because the risk of an intrusion
increases substantially, perhaps exponentially, with each user login, since
logins are a vulnerable part of any security system. Logins are often
compromised by a number of known methods and are the usual entry path for
intruders.
The alternative implementation of a dual homed gateway is the provision of
application gateways for specific network services. Application gateways
have recently gained general acceptance as a method of implementing
internetwork firewalls. Application gateways provide protection at the
application level and the Transmission Control Protocol (TCP) circuit
layer. They therefore permit data sensitivity checking and close loopholes
left in packet filters. Firewalls equipped with application gateways are
commonly labelled application level firewalls. These firewalls operate on
the principle of "that which is not expressly permitted is prohibited".
Users can only access public services for which an application gateway has
been installed on the dual homed gateway. Although application level
firewalls are secure, the known firewalls of this type are also
inefficient. The principal disadvantage of known application level
firewalls is that they are not transparent to the user. They generally
require the user to execute time-consuming extra operations or to use
specially adapted network service programs. For example, in an open
connection to the Internet, a user can Telnet directly to any host on the
Internet by issuing the following command:
Telnet target.machine
However if the user is behind an application level firewall, the following
command must be issued:
Telnet firewall
After the user has established a connection with the firewall, the user
will optionally enter a user ID and a password if the firewall requires
authentication. Subsequent to authentication, the user must request that
the firewall connect to the final Telnet target machine. This problem is
the result of the way in which the UNIX operating system handles IP
packets. A standard TCP/IP device will only accept and attempt to process
IP packets addressed to itself. Consequently, if a user behind an
application firewall issues the command:
Telnet target.machine
an IP packet will be generated by the user workstation that is encapsulated
with the device address of the firewall but with an IP destination address
of the target.machine. This packet will not be processed by the firewall
station and will therefore be discarded because IP packet forwarding has
been disabled in the application level firewall.
Known application level firewalls also suffer from the disadvantage that to
date application interfaces have been required for each public network
service. The known application level firewalls will not support "global
service" or applications using "dynamic port allocations" assigned in real
time by communicating systems.
Users on private networks having an application level firewall interface
therefore frequently install "back doors" to the public network in order
to run services for which applications have not been installed, or to
avoid the inconvenience of the application gateways. These back doors
provide an unscreened, unprotected security hole in the private network
which renders that network as vulnerable as if there were no firewall at
all.
SUMMARY OF THE INVENTION
It is an object of the invention to provide an internetwork security
gateway which overcomes the known disadvantages of prior art internetwork
security gateways.
It is a further object of the invention to provide an internetwork security
gateway which provides application proxy flexibility, security and control
while permitting users to transparently access public network services.
It is a further object of the invention to provide an internetwork security
gateway which supports any currently offered or future network service.
It is yet a further object of the invention to provide an internetwork
security gateway which supports applications using port numbers that are
dynamically assigned in real time by the communicating systems.
It is yet a further object of the invention to provide an internetwork
security gateway which listens to all communications ports in order to
detect any attempted intrusion into a protected network, regardless of the
intruder's point of attack.
In accordance with a first aspect of the invention there is disclosed a
method of providing a secure gateway between a private network and a
potentially hostile network, comprising the steps of:
a) accepting from either network all communications packets that are
encapsulated with a hardware destination address that matches the device
address of the gateway;
b) determining whether there is a process bound to a destination port
number of an accepted communications packet;
c) establishing a first communications session with a source address/source
port of the accepted communications packet if there is a process bound to
the destination port number, else dropping the packet;
d) establishing a second communications session with a destination
address/destination port number of the accepted communications packet if a
first communications session is established; and
e) transparently moving data associated with each subsequent communications
packet between the respective first and second communications sessions,
whereby the first session communicates with the source and the second
session communicates with the destination using the data moved between the
first and second sessions.
In accordance with a further aspect of the invention there is disclosed an
apparatus for providing a secure gateway for data exchanges between a
private network and a potentially hostile network, comprising in
combination:
a gateway station adapted for connection to a telecommunications connection
with each of the private network and the potentially hostile network;
an operating system executable by the gateway station, a kernel of the
operating system having been modified so that the operating system:
a) cannot forward any communications packet from the private network to the
potentially hostile network or from the potentially hostile network to the
private network; and
b) will accept for processing any communications packet from either of the
private network and the potentially hostile network provided that the
packet is encapsulated with a hardware destination address that matches
the device address of the gateway station on the respective networks; and
at least one proxy process executable by the gateway station, the proxy
process being adapted to transparently initiate a first communications
session with a source of an initial data packet accepted by the operating
system and to transparently initiate a second communications session with
a destination of the packet, and to transparently pass a data portion of
packets received by the first communications session to the second
communications session and to pass the data portion of packets received by
the second communications session to the first communications session,
whereby the first session communicates with the source using data from the
second session and the second session communicates with the destination
using data received from the first session.
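The session splicing of steps a) to e) of the method, and of the proxy process of the apparatus, as an added simulation that is not the patent's code. Device addresses, IP addresses, ports and payloads are constructed; `GatewayStation`, `Frame`, `Session` and `SessionPair` are names chosen for the illustration. One addressing detail is an assumption of the simulation rather than something the text states: the host's replies are addressed (at the IP level) to the client, and reach the gateway in a frame carrying the gateway's own device address, so the gateway matches them to an existing session pair by the reversed address tuple.

```python
"""Transparent session splicing: accept by hardware address, check for a
bound process, open a session toward the source and one toward the
destination, and move only the data portion between them.

Added simulation, not the patent's code. All addresses and payloads are
constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Frame:
    """An ethernet-encapsulated IP packet reduced to the fields inspected."""
    dst_mac: str          # hardware (encapsulation) destination address
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    data: bytes = b""


@dataclass
class Session:
    peer_ip: str
    peer_port: int
    delivered: List[bytes] = field(default_factory=list)  # data handed to this peer


@dataclass
class SessionPair:
    first: Session    # gateway <-> source: the gateway imitates the host
    second: Session   # gateway <-> destination: the gateway imitates the client


Key = Tuple[str, int, str, int]   # (client ip, client port, host ip, host port)


class GatewayStation:
    def __init__(self, mac: str, bound_ports: Set[int]):
        self.mac = mac
        self.bound_ports = bound_ports        # ports with a proxy process bound
        self.pairs: Dict[Key, SessionPair] = {}

    def receive(self, frame: Frame) -> str:
        # a) accept any frame whose hardware destination matches the gateway's
        #    device address, whatever IP destination address it carries.
        if frame.dst_mac != self.mac:
            return "ignored"
        fwd: Key = (frame.src_ip, frame.src_port, frame.dst_ip, frame.dst_port)
        rev: Key = (frame.dst_ip, frame.dst_port, frame.src_ip, frame.src_port)
        if fwd in self.pairs:
            pair, target = self.pairs[fwd], "second"   # client -> host direction
        elif rev in self.pairs:
            # assumption: host replies are addressed to the client, so they
            # match the reversed tuple of an existing pair
            pair, target = self.pairs[rev], "first"    # host -> client direction
        else:
            # b) is a process bound to the destination port? If not, drop.
            if frame.dst_port not in self.bound_ports:
                return "dropped"
            # c) first session with the packet's source; d) second session
            #    with its destination. The packet itself is never forwarded.
            pair = SessionPair(Session(frame.src_ip, frame.src_port),
                               Session(frame.dst_ip, frame.dst_port))
            self.pairs[fwd] = pair
            target = "second"
        if not frame.data:
            return "accepted"
        # e) only the data portion crosses from one session to the other.
        getattr(pair, target).delivered.append(frame.data)
        return "relayed-to-" + target

    def delivered_to_host(self, key: Key) -> List[bytes]:
        return self.pairs[key].second.delivered

    def delivered_to_client(self, key: Key) -> List[bytes]:
        return self.pairs[key].first.delivered
```

Note that nothing in `receive` ever re-emits the received frame: a frame addressed to a port with no bound process is dropped, and a frame on a bound port only ever contributes its data portion to the opposite session, which is the behaviour that makes the gateway a firewall rather than a router.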
The invention therefore provides a method and an apparatus which permits a
private network to be securely interconnected with a public or a
potentially hostile network.
The method in accordance with the invention involves protecting a private
network interconnected with a potentially hostile network whereby a
gateway between the two networks transparently imitates a host when a
communication data packet is received from a client on one of the networks
by initiating a communication session with the client. If the client is
determined to have access rights to the requested service, the gateway
station imitates the client to the host on the other network by initiating
a communications session with the host. Thereafter, data is passed between
the client session and the host session by a process which coordinates
communications between the two distinct, interdependent communications
sessions which proceed between the client and the gateway station and the
host and the gateway station.
For instance, using a gateway station in accordance with the invention as
an internetwork interface, a user on the private network can issue the
command:
telnet publictarget.machine
and the command will appear to the user to be executed as if no gateway
existed between the networks so long as the user is permitted by the rule
bases maintained by the private network security administrator to access
the publictarget machine.
In order to achieve transparency of operation, the gateway station is
modified to accept for processing all IP packets encapsulated in a network
operating system capsule (e.g. an ethernet capsule) having a destination
address which matches the device address of the gateway station,
regardless of the destination address of the IP packet. This modification
permits the gateway station to provide transparent service to users on
either network, provided the users are authorized for the service.
Furthermore, the gateway station in accordance with the invention runs a
novel generic proxy which permits it to listen to all of the 64K
communications ports accommodated by the UNIX operating system which are
not served by a dedicated proxy process. As is well known to those skilled
in the art, certain internetwork services have been assigned specific
ports for communication. Most of the designated ports on the Internet are
those port numbers in the range of 0-1K (1,024). Other applications and
services use port numbers in the range of 1K to 64K. As noted above, the
gateway station in accordance with the invention "listens" to all 64K
ports. The generic proxy process which is executed by the gateway station
responds to any request for service that is not served by a dedicated
proxy process, regardless of the destination port number to which the
request for service is made. Every request for service may therefore be
responded to. When an intruder attacks a private network, the intruder
must attempt to access the network through the gateway station. Most
firewalls listen to only a limited subset of the available communications
ports. An intruder can therefore probe unattended areas of the firewall
without detection. The gateway station in accordance with the invention
will, however, detect a probe on any port and may be configured to set an
alarm condition if repeated probes are attempted. The gateway station in
accordance with the invention can also be configured to perform data
sensitivity screening because all communications packets are delivered by
the kernel to the application level where the data portion of each packet
is passed from one in progress communications session to the other. Data
sensitivity screening permits the detection of sophisticated intrusion
techniques such as piggybacked protocols, and the like.
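The generic proxy behaviour described in the preceding paragraphs, as an added illustration that is not the patent's code: every request, on whatever port it arrives, is checked against the administrator's rule base; refused requests are counted per source so that repeated probes raise an alarm; and permitted requests on ports served by a dedicated proxy have their data portion screened for the protocol that port is supposed to carry. The rule base, the alarm threshold of three refused requests, the HTTP screening rule and the sample requests are constructed assumptions, as is the choice that the generic proxy, knowing no protocol, relays data without a protocol check.

```python
"""Generic proxy on every port: rule-base check, probe alarm and data
sensitivity screening.

Added illustration, not the patent's code. The rule base, alarm threshold,
screening rule and sample requests are constructed.
"""
import ipaddress
import re
from collections import Counter
from typing import Callable, Dict, List, Tuple

Rule = Tuple[str, int]   # (permitted client network in CIDR, destination port)

# A dedicated proxy screens the data portion for the protocol it serves.
# Constructed rule: port 80 must begin with an HTTP/1.x request line.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST) \S+ HTTP/1\.[01]\r\n")


def http_screen(data: bytes) -> bool:
    """Anything on port 80 that is not an HTTP request is a piggybacked protocol."""
    return HTTP_REQUEST_LINE.match(data) is not None


def generic_screen(data: bytes) -> bool:
    """Assumption: the generic proxy knows no protocol and relays unchanged."""
    return True


class GenericProxyGateway:
    ALARM_THRESHOLD = 3    # assumption: three refused requests from one source

    def __init__(self, rules: List[Rule],
                 dedicated: Dict[int, Callable[[bytes], bool]]):
        self.rules = rules
        self.dedicated = dedicated          # port -> screening function
        self.refused = Counter()            # source ip -> refused requests (probes)
        self.alarms: List[str] = []

    def permitted(self, src_ip: str, dst_port: int) -> bool:
        """Only services the security administrator enabled are permitted."""
        ip = ipaddress.ip_address(src_ip)
        return any(ip in ipaddress.ip_network(net) and port == dst_port
                   for net, port in self.rules)

    def request(self, src_ip: str, dst_port: int, data: bytes) -> str:
        """Handle the first packet of a request arriving on any port."""
        if not self.permitted(src_ip, dst_port):
            # Listening on every port means every probe is seen, not only
            # those on ports a dedicated proxy happens to serve.
            self.refused[src_ip] += 1
            if self.refused[src_ip] == self.ALARM_THRESHOLD:
                self.alarms.append(src_ip)
            return "refused"
        screen = self.dedicated.get(dst_port, generic_screen)
        return "relayed" if screen(data) else "screened-out"
```

The two counters are the point: a firewall that only binds a handful of ports would never register the refused requests on unbound ports, whereas here each one is attributed to its source and the alarm fires after the third, and a permitted port 80 connection that carries something other than HTTP is stopped at the application level rather than passed through on the strength of its port number.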
The apparatus in accordance with the invention is modeled on the concept of
a bastion host, preferably configured as a dual home firewall. The
apparatus in accordance with the invention may also be configured as a
multiple-home firewall, a single-home firewall or a screened subnet.
Regardless of the configuration, the apparatus preferably comprises a UNIX
station which executes a modified operating system in which IP packet
forwarding is disabled. The apparatus in accordance with the invention
will not forward any IP packet, process ICMP redirect messages nor process
any source routing packet between the potentially hostile network and the
private network. Without IP packet forwarding, direct communication
between the potentially hostile network and the private network is
disabled. This is a common arrangement for application level firewalls.
The apparatus in accordance with the invention is, however, configured to
provide a transparent interface between the interconnected networks so
that clients on either network can run standard network service
applications transparently without extra procedures, or modifications to
accomplish communications across the secure gateway. This maximizes user
satisfaction and minimizes the risk of a client establishing a "back door"
to a potentially hostile network.
The methods and the apparatus in accordance with the invention therefore
provide a novel communications gateway for interconnecting private and
public networks which permit users to make maximum use of public services
while providing a tool for maintaining an impeccable level of security for
the private network.
BRIEF DESCRIPTION OF THE DRAWINGS
A preferred embodiment of the invention will now be further explained by
way of example only and with reference to the following drawings, wherein:
FIG. 1 is a schematic diagram of a preferred configuration for an apparatus
in accordance with the invention for providing a secure gateway for data
exchanges between a private network and a potentially hostile network;
FIG. 2 is a schematic diagram of an IP header, a TCP and a UDP header in
accordance with standard TCP/IP format;
FIG. 3 is a schematic diagram of ethernet encapsulation in accordance with
RFC 894;
FIG. 4 is a schematic diagram of a communications flow path between a
gateway station in accordance with the invention, a client on a private
network and a host on a public network;
FIG. 5 is a flow diagram of a general overview of TCP routing by the kernel
of a UNIX station in accordance with the prior art;
FIG. 6 is a flow diagram of a general overview of TCP routing by a modified
UNIX kernel in accordance with the invention;
FIG. 7a is a first portion of a flow diagram of a general overview of the
implementation of the invention at the application level of a