System and method for automatically initiating and dynamically establishing secure internet connections between a fire-walled server and a fire-walled client
Abstract
A system and method for automatically and dynamically initiating and establishing secure connections between a Server and a Client using a session control server (SCS). Both the Server and the Client are connected to an untrusted network (such as the Internet) through a Network Address Translator or Translation (NAT) router or a firewall. The SCS, independently trusted by both the Server and the Client, brokers the required connection parameters to establish a secure connection between the Server and the Client. The system and method does not require any user configuration on the Client and eliminates the need for the Server to accept explicit connection requests or packets from the Client, thereby allowing the Server firewall to always remain closed to all inbound traffic.
Claims
exact text as granted — not AI-modified1 . A method for automatically initiating and dynamically establishing secure connections over an untrusted network between a client and a server which does not accept explicit connection requests or packets from any client, using a third party computer trusted by both said server and said client, each of said client and said server being connected to said untrusted network via a firewall or network address translator (NAT) router, the method comprising the steps of:
automatically transmitting a connection request to said third party computer by said client upon one single action by a user of said client at power-on, upon connection to said untrusted network or upon any change in said client's network parameter, said connection request comprising a request to be connected to said server; and exchanging connection parameters over said untrusted network between said server and said client using said third party computer, said connection parameters comprising a unique connection identifier to establish a secure connection between said server and said client through a NAT router associated with said client, thereby providing said user of said client with one single action access to said server.
2 . The method of claim 1 , further comprising steps of:
receiving an unsolicited packet comprising said unique connection identifier from said client by a firewall associated with said server to dynamically establish a transient mapping between said client and said server; and transmitting a response packet to said client using said dynamically established transient mapping over said untrusted network by said server if it is determined that said unique connection identifier in said unsolicited packet matches a stored unique connection identifier.
3 . The method of claim 1 , further comprising the steps of:
receiving by said server a destination inbound port of said client and a public address of said NAT router associated with said client from said third party computer; and transmitting by said server a destination port of said server and IP address of said firewall associated with said server and said unique connection identifier for said client to said third party computer.
4 . The method of claim 3 , further comprising the steps of:
receiving by said client an instruction to send said unsolicited packet to said server using said destination port of said server and said IP address of said firewall associated with said server from said third party computer; and transmitting by said server said response packet to said client if it is determined that said unsolicited packet is received on said destination port of said server from said public address of said NAT router associated with said client.
5 . The method of claim 3 , further comprising the step of initiating by said server said secure connection to said client using said destination inbound port of said client received from said third party computer.
6 . The method of claim 2 , wherein the step of receiving comprises the step of receiving an unsolicited UDP or TCP packet comprising said unique connection identifier from said client by said firewall associated with said server.
7 . A method for automatically initiating and dynamically establishing secure connections over an untrusted network between a client and a server which does not accept explicit connection requests or packets from any client, using a third party computer trusted by both said server and said client, each of said client and said server being connected to said untrusted network via a firewall or network address translator (NAT), the method comprising the steps of:
exchanging connection parameters over said untrusted network between said server and said client using said third party computer, said connection parameters comprising a unique connection identifier; receiving an unsolicited packet comprising said unique connection identifier from said client by a firewall associated with said server to dynamically establish a transient mapping between said client and said server; and transmitting a response packet to said client using said dynamically established transient mapping over said untrusted network by said server if it is determined that said unique connection identifier in said unsolicited packet matches a stored unique connection identifier, thereby establishing a secure connection between said server and said client through a NAT router associated with said client.
8 . The method of claim 7 , further comprising the steps of:
receiving by said server a destination inbound port of said client and a public address of said NAT router associated with said client from said third party computer; and transmitting by said server a destination port of said server and IP address of said firewall associated with said server and said unique connection identifier for said client to said third party computer.
9 . The method of claim 8 , further comprising the steps of:
receiving by said client an instruction to send said unsolicited packet to said server using said destination port of said server and said IP address of said firewall associated with said server from said third party computer; and transmitting by said server said response packet to said client if it is determined that said unsolicited packet is received on said destination port of said server from said public address of said NAT router associated with said client.
10 . The method of claim 8 , further comprising the step of initiating by said server said secure connection to said client using said destination inbound port of said client received from said third party computer.
11 . The method of claim 7 , wherein the step of receiving comprises the step of receiving by said firewall associated with said server an unsolicited UDP or TCP packet comprising said unique connection identifier from said client.
12 . The method of claim 7 , further comprising the step of transmitting by said client a connection request to said third party computer, said connection request comprising a request to be connected to said server.
13 . The method of claim 12 , further comprising the step of automatically transmitting said connection request to said third party computer by said client upon one single action by a user of said client at power-on, upon connection to said untrusted network or upon any change in said client's network parameter, thereby providing said user of said client with one single action access to said server.
14 . A system for automatically initiating and dynamically establishing secure connections over an untrusted network between a client and a server which does not accept explicit connection requests or packets from any client using a third party computer trusted by both said server and said client; wherein each of said client and said server being connected to said untrusted network via a firewall or network address translator (NAT); wherein said client is operable to automatically transmit a connection request to said third party computer upon one single action by a user of said client at power-on, upon connection to said untrusted network or upon any change in said client's network parameter, said connection request comprising a request to be connected to said server; and wherein said server and said client are operable to exchange connection parameters over said untrusted network using said third party computer, said connection parameters comprising a unique connection identifier to establish a secure connection between said server and said client through a NAT router associated with said client, thereby providing said user of said client with one single action access to said server.
15 . The system of claim 14 , wherein a firewall associated with said server is operable to receive an unsolicited packet comprising said unique connection identifier from said client to dynamically establish a transient mapping between said client and said server; and wherein said server is operable to transmit a response packet to said client using said dynamically established transient mapping over said untrusted network if it is determined that said unique connection identifier in said unsolicited packet matches a stored unique connection identifier.
16 . The system of claim 14 , wherein said server is operable to receive method of claim 1 , further comprising the steps of:
receiving by said server a destination inbound port of said client and a public address of said NAT router associated with said client from said third party computer; and transmitting by said server a destination port of said server and IP address of said firewall associated with said server and said unique connection identifier for said client to said third party computer.
17 . The system of claim 16 , wherein said client is operable to receive an instruction to send said unsolicited packet to said server using said destination port of said server and said IP address of said firewall associated with said server from said third party computer; and wherein said server is operable to transmit said response packet to said client if it is determined that said unsolicited packet is received on said destination port of said server from said public address of said NAT router associated with said client.
18 . The system of claim 16 , wherein said server is operable to initiate said secure connection to said client using said destination inbound port of said client received from said third party computer.
19 . The system of claim 15 , wherein said server is operable to receive an unsolicited UDP or TCP packet comprising said unique connection identifier from said client.
20 . The system of claim 14 , wherein said client is a stateless client which does not perform any user functionality or contain any user data.
21 . The system of claim 14 , wherein said client is a single function network-aware consumer device.
22 . The system of claim 21 , wherein said single function network-aware consumer device is one of the following: a cellular phone, a music player/recorder, a video player/recorder, a game player, or a portable email device.
23 . A system for automatically initiating and dynamically establishing secure connections over an untrusted network between a client and a server which does not accept explicit connection requests or packets from any client using a third party computer trusted by both said server and said client; wherein each of said client and said server being connected to said untrusted network via a firewall or network address translator (NAT); wherein said server and said client are operable to exchange connection parameters over said untrusted network using said third party computer, said connection parameters comprising a unique connection identifier; wherein said firewall associated with said server is operable to receive an unsolicited packet comprising said unique connection identifier from said client to dynamically establish a transient mapping between said client and said server; and wherein said sever is operable to transmit a response packet to said client using said dynamically established transient mapping over said untrusted network if it is determined that said unique connection identifier in said unsolicited packet matches a stored unique connection identifier, thereby establishing a secure connection between said server and said client through said NAT router associated with said client.
24 . The system of claim 23 , wherein said server is operable to receive a destination inbound port of said client and a public address of said NAT router associated with said client from said third party computer; and wherein said client is operable to receive a destination port and IP address of said server and said unique connection identifier from said third party computer.
25 . The system of claim 24 , wherein said client is operable to receive an instruction to send said unsolicited packet to said server from said third party computer; and wherein said server is operable to transmit a response packet to said client if it is determined that said unsolicited packet is received on said destination port of said sever from said public address of said NAT router associated with said client.
26 . The system of claim 23 , wherein said server is operable to initiate said secure connection to said client using said destination inbound port of said client received from said third party computer.
27 . The system of claim 23 , wherein said client is a stateless client which does not perform any user functionality or contain any user data.
28 . The system of claim 23 , wherein said client is a single function network-aware consumer device.
29 . The system of claim 28 , wherein said single function network-aware consumer device is one of the following: a cellular phone, a music player/recorder, a video player/recorder, a game player, or a portable email device.
30 . The system of claim 23 , wherein said client is operable to transmit a connection request to said third party computer, said connection request comprising a request to be connected to said server.
31 . The system of claim 30 , wherein said client is operable to automatically transmit said connection request upon one single action by a user of said client at power-on, upon connection to said untrusted network or upon any change in said client's network parameter to said third party computer, thereby providing said user of said client with one single action access to said server.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.