Application gateway system, and method for maintaining security in a packet-switched information network
Abstract
A method and apparatuses are disclosed for handling digital data packets at a logical borderline that separates an untrusted packet-switched information network from a protected domain. A packet processor part intercepts a packet that is in transit between the untrusted packet-switched information network and the protected domain. The packet is examined at the packet processor part in order to determine whether the packet contains digital data that pertains to a certain protocol. If the packet is not found to contain such digital data, it is processed at the packet processor part. If the packet is found to contain digital data that pertains to said certain protocol, it is redirected to an application gateway part that processes the packet according to a set of processing rules based on obedience to said certain protocol. The packet processor part is a kernel mode process running in a computer device and the application gateway part is a user mode process running in a computer device.
74 Claims
1. A method for handling digital data packets at a logical borderline that separates an untrusted packet-switched information network from a protected domain, comprising the steps of:
- intercepting, at a packet processor part, a packet that is in transit between the untrusted packet-switched information network and the protected domain,
- examining the packet at the packet processor part in order to determine whether the packet contains digital data that pertains to a certain protocol,
- if the packet is not found to contain digital data that would pertain to said certain protocol, processing the packet at the packet processor part, and
- if the packet is found to contain digital data that pertains to said certain protocol, redirecting the packet to an application gateway part and processing the packet at the application gateway part according to a set of processing rules based on obedience to said certain protocol;
wherein the packet processor part is a kernel mode process running in a computer device and the application gateway part is a user mode process running in a computer device.
Dependent claims: 2 to 38, 49, 50.

39. A method for handling digital data packets at a logical borderline that separates an untrusted packet-switched information network from a protected domain, comprising the steps of:
- intercepting, at a packet processor part, a packet that is in transit between the untrusted packet-switched information network and the protected domain,
- examining the packet at the packet processor part in order to determine whether the packet contains digital data that pertains to a certain protocol,
- if the packet is not found to contain digital data that would pertain to said certain protocol, processing the packet at the packet processor part, and
- if the packet is found to contain digital data that pertains to said certain protocol, replacing an original value of a certain destination information field within the packet with a replacement value that identifies an application gateway part as the destination of the packet, and redirecting the packet to the application gateway part,
- indicating from the packet processor part to the application gateway part the original value of the destination information field found in the packet at the moment of intercepting the packet at the packet processor part, and
- using the indicated original value of the destination information field at the application gateway part in processing the packet according to a set of processing rules based on obedience to said certain protocol.
Dependent claims: 40.

41. A method for handling digital data packets at a logical borderline that separates an untrusted packet-switched information network from a protected domain, comprising the steps of:
- intercepting, at a packet processor part, a packet that is in transit between the untrusted packet-switched information network and the protected domain,
- examining the packet at the packet processor part in order to determine whether the packet contains digital data that pertains to a certain protocol,
- if the packet is not found to contain digital data that would pertain to said certain protocol, processing the packet at the packet processor part, and
- if the packet is found to contain digital data that pertains to said certain protocol, prepending a header to the packet at the packet processor part, the prepended header containing a value that identifies an application gateway part as the destination of the packet, and redirecting the packet to the application gateway part,
- stripping the prepended header from the packet at the application gateway part and using the original value of the destination information field in the packet at the application gateway part in processing the packet according to a set of processing rules based on obedience to said certain protocol.
Dependent claims: 42.

43. A method for handling digital data packets at a packet processing entity located at a logical borderline that separates an untrusted packet-switched information network from a protected domain, comprising the steps of:
- intercepting a packet when the packet is in transit between the untrusted packet-switched information network and the protected domain,
- examining the packet in order to determine whether the packet contains digital data that pertains to a certain protocol,
- if the packet is not found to contain digital data that would pertain to said certain protocol, processing the packet at the packet processing entity, and
- if the packet is found to contain digital data that pertains to said certain protocol, replacing an original value of a certain destination information field within the packet with a replacement value that identifies an application gateway part as the destination of the packet, redirecting the packet to the application gateway part for processing according to a set of processing rules based on obedience to said certain protocol, and indicating to the application gateway part the original value of the destination information field found in the packet at the moment of intercepting the packet at the packet filtering entity.
Dependent claims: 44, 45, 46.

47. A method for handling digital data packets at a packet processing entity located at a logical borderline that separates an untrusted packet-switched information network from a protected domain, comprising the steps of:
- intercepting a packet when the packet is in transit between the untrusted packet-switched information network and the protected domain,
- examining the packet in order to determine whether the packet contains digital data that pertains to a certain protocol,
- if the packet is not found to contain digital data that would pertain to said certain protocol, processing the packet at the packet processing entity, and
- if the packet is found to contain digital data that pertains to said certain protocol, prepending a header to the packet, the prepended header containing a value that identifies an application gateway part as the destination of the packet, and redirecting the packet to the application gateway part for processing according to a set of processing rules based on obedience to said certain protocol.
Dependent claims: 48.

51. A method for handling digital data packets at an application gateway entity located at a logical borderline that separates an untrusted packet-switched information network from a protected domain, comprising the steps of:
- receiving an intercepted and redirected packet from a packet processor part that intercepts packets when they are in transit between the untrusted packet-switched information network and the protected domain,
- receiving from the packet processor part an original value of a certain destination information field found in the packet at the moment of intercepting the packet at the packet processor part, and
- processing the packet according to a set of processing rules that are based on obedience to said certain protocol and take also the original value of the destination information field into account.
Dependent claims: 52.

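The two redirection mechanisms of claims 39/43 (replace the destination field and signal the original value out of band) and 41/47 (prepend a header naming the gateway, leaving the destination field intact), together with the gateway-side processing of claim 51, can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from the patent or from any product built on it. It assumes, as simplifications, that the "certain protocol" is HTTP identified by destination port 80, that the gateway listens at a fixed address, and that the kernel-mode and user-mode parts share a dictionary as their signalling channel; the sample packets are constructed.

```python
from dataclasses import dataclass, field

# Constructed assumptions for this example: HTTP is the protocol of interest,
# classified by destination port, and the user-mode gateway sits at a fixed address.
HTTP_PORT = 80
GATEWAY_ADDR = ("127.0.0.1", 8080)


@dataclass
class Packet:
    src: tuple            # (address, port) of the sender
    dst: tuple            # the "destination information field" the claims refer to
    payload: bytes
    headers: list = field(default_factory=list)   # prepended headers, outermost first


class PacketProcessor:
    """Models the kernel-mode part: intercept, classify, then pass or redirect.

    mode="rewrite": replace the destination field with the gateway address and
                    signal the original value out of band (claims 39/43).
    mode="prepend": leave the destination field intact and prepend a redirect
                    header naming the gateway (claims 41/47).
    """

    def __init__(self, mode):
        if mode not in ("rewrite", "prepend"):
            raise ValueError("mode must be 'rewrite' or 'prepend'")
        self.mode = mode
        self.signalled = {}   # side channel: packet src -> original dst (assumed design)
        self.passed = []      # packets handled entirely in the packet processor

    def intercept(self, pkt):
        if pkt.dst[1] != HTTP_PORT:
            self.passed.append(pkt)        # not the protocol of interest: plain filtering path
            return "pass", pkt
        if self.mode == "rewrite":
            self.signalled[pkt.src] = pkt.dst
            pkt.dst = GATEWAY_ADDR
        else:
            pkt.headers.insert(0, ("REDIRECT", GATEWAY_ADDR))
        return "redirect", pkt


def http_obedience_check(payload, allowed_methods=(b"GET", b"HEAD")):
    """Protocol-obedience rules enforced by the gateway: CRLF-terminated request
    line, three-token request line, permitted method, HTTP/1.x version and an
    origin-form target. Returns (ok, reason)."""
    if b"\r\n" not in payload:
        return False, "no CRLF-terminated request line"
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, version = parts
    if method not in allowed_methods:
        return False, "method not permitted"
    if not version.startswith(b"HTTP/1."):
        return False, "unsupported HTTP version"
    if not target.startswith(b"/"):
        return False, "non origin-form target"
    return True, "ok"


class ApplicationGateway:
    """Models the user-mode part: recover the original destination, apply the rules."""

    def __init__(self, processor):
        self.processor = processor

    def handle(self, pkt):
        if pkt.headers and pkt.headers[0][0] == "REDIRECT":
            pkt.headers.pop(0)             # strip the prepended header (claim 41)
            original_dst = pkt.dst         # field was never rewritten, so still original
        else:
            original_dst = self.processor.signalled.pop(pkt.src)  # claims 39 and 51
        ok, reason = http_obedience_check(pkt.payload)
        return ("forward" if ok else "drop"), reason, original_dst


def run_demo(mode):
    """Push constructed sample traffic through both parts; return one verdict per packet."""
    samples = [
        Packet(("10.0.0.5", 40001), ("198.51.100.7", 53), b"\x12\x34\x01\x00"),  # DNS: not HTTP
        Packet(("10.0.0.5", 40002), ("198.51.100.7", 80),
               b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
        Packet(("10.0.0.6", 40003), ("198.51.100.8", 80), b"CONNECT host:443 HTTP/1.1\r\n\r\n"),
        Packet(("10.0.0.7", 40004), ("198.51.100.9", 80), b"GET\x00/ HTTP/1.1\n"),  # no CRLF
    ]
    proc = PacketProcessor(mode)
    gw = ApplicationGateway(proc)
    results = []
    for pkt in samples:
        action, pkt = proc.intercept(pkt)
        if action == "pass":
            results.append(("pass", None, pkt.dst))
        else:
            results.append(gw.handle(pkt))
    return results


if __name__ == "__main__":
    for mode in ("rewrite", "prepend"):
        print(mode, run_demo(mode))
```

Both modes yield the same verdicts: the DNS packet never leaves the packet processor, the well-formed GET is forwarded to its original destination, and the CONNECT request and the CRLF-less request line are dropped by the gateway. The difference between the modes is only where the original destination survives: in the packet itself (prepend) or in the side channel that the gateway must consult (rewrite), which is the value claim 51 receives separately.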
53. A system for handling digital data packets at a logical borderline that separates an untrusted packet-switched information network from a protected domain, comprising:
- a packet processor part that is arranged to intercept packets when they are in transit between the untrusted packet-switched information network and the protected domain and to examine the packets in order to determine whether the packets contain digital data that pertains to a certain protocol,
- an application gateway part and a communications connection between the packet processor part and the application gateway part,
- at the packet processor part, packet processing means that are arranged to process such packets that are not found to contain digital data that would pertain to said certain protocol,
- at the packet processor part, redirecting means that are arranged to redirect to the application gateway part such packets that are found to contain digital data that pertains to said certain protocol, and
- at the application gateway part, application gateway processing means that are arranged to process such packets according to a set of processing rules based on obedience to said certain protocol that are redirected from the packet processor part to the application gateway part;
of which the packet processor part is arranged to run as a kernel mode process in a computer device and the application gateway part is arranged to run as a user mode process in a computer device.
Dependent claims: 54 to 61.

62. A packet processing device for handling digital data packets at a logical borderline that separates an untrusted packet-switched information network from a protected domain, comprising:
- packet intercepting means for intercepting packets when they are in transit between the untrusted packet-switched information network and the protected domain,
- packet examining means for examining packets in order to determine whether they contain digital data that pertains to a certain protocol,
- packet processing means for processing such packets that are not found to contain digital data that would pertain to said certain protocol,
- replacing means for replacing, in packets that are found to contain digital data that pertains to said certain protocol, an original value of a certain destination information field with a replacement value that identifies an application gateway device as the destination of such packets,
- redirecting means for redirecting packets to the application gateway device for processing according to a set of processing rules based on obedience to said certain protocol, and
- signalling means for indicating to the application gateway part the original value of the destination information field found in packets at the moment of intercepting the packets at the packet filtering device.
Dependent claims: 63.

64. A packet processing device for handling digital data packets at a logical borderline that separates an untrusted packet-switched information network from a protected domain, comprising:
- packet intercepting means for intercepting packets when they are in transit between the untrusted packet-switched information network and the protected domain,
- packet examining means for examining packets in order to determine whether they contain digital data that pertains to a certain protocol,
- packet processing means for processing such packets that are not found to contain digital data that would pertain to said certain protocol,
- header adding means for prepending, to packets that are found to contain digital data that pertains to said certain protocol, a header containing a value that identifies an application gateway device as the destination of such packets, and
- redirecting means for redirecting packets to the application gateway device for processing according to a set of processing rules based on obedience to said certain protocol.
Dependent claims: 65.

66. An application gateway device for handling digital data packets at a logical borderline that separates an untrusted packet-switched information network from a protected domain, comprising:
- means for receiving intercepted and redirected packets from a packet processor device that intercepts packets when they are in transit between the untrusted packet-switched information network and the protected domain,
- means for receiving from the packet processor device an original value of a certain destination information field found in packets at the moment of intercepting the packets at the packet processor part, and
- means for processing packets according to a set of processing rules that are based on obedience to said certain protocol and take also the original value of the destination information fields into account.
Dependent claims: 67.

68. A software program product for handling digital data packets at a logical borderline that separates an untrusted packet-switched information network from a protected domain, comprising:
- a packet processor program that is arranged to intercept packets when they are in transit between the untrusted packet-switched information network and the protected domain and to examine the packets in order to determine whether the packets contain digital data that pertains to a certain protocol,
- an application gateway program arranged to communicate with the packet processor program,
- at the disposal of the packet processor program, packet processing means that are arranged to process such packets that are not found to contain digital data that would pertain to said certain protocol,
- at the disposal of the packet processor program, redirecting means that are arranged to redirect to the application gateway program such packets that are found to contain digital data that pertains to said certain protocol, and
- at the disposal of the application gateway program, application gateway processing means that are arranged to process such packets according to a set of processing rules based on obedience to said certain protocol that are redirected from the packet processor program to the application gateway program;
of which the packet processor program is arranged to run as a kernel mode process in a computer device and the application gateway program is arranged to run as a user mode process in a computer device.

69. A packet processor software program product for handling digital data packets at a logical borderline that separates an untrusted packet-switched information network from a protected domain, comprising:
- packet intercepting means for intercepting packets when they are in transit between the untrusted packet-switched information network and the protected domain,
- packet examining means for examining packets in order to determine whether they contain digital data that pertains to a certain protocol,
- packet processing means for processing such packets that are not found to contain digital data that would pertain to said certain protocol,
- replacing means for replacing, in packets that are found to contain digital data that pertains to said certain protocol, an original value of a certain destination information field with a replacement value that identifies an application gateway program as the destination of such packets,
- redirecting means for redirecting packets to the application gateway program for processing according to a set of processing rules based on obedience to said certain protocol, and
- signalling means for indicating to the application gateway program the original value of the destination information field found in packets at the moment of intercepting the packets at the packet filter program.
Dependent claims: 70.

71. A packet processor software program product for handling digital data packets at a logical borderline that separates an untrusted packet-switched information network from a protected domain, comprising:
- packet intercepting means for intercepting packets when they are in transit between the untrusted packet-switched information network and the protected domain,
- packet examining means for examining packets in order to determine whether they contain digital data that pertains to a certain protocol,
- packet processing means for processing such packets that are not found to contain digital data that would pertain to said certain protocol,
- header adding means for prepending, to packets that are found to contain digital data that pertains to said certain protocol, a header containing a value that identifies an application gateway program as the destination of such packets, and
- redirecting means for redirecting packets to the application gateway program for processing according to a set of processing rules based on obedience to said certain protocol.
Dependent claims: 72.

73. An application gateway software program product for handling digital data packets at a logical borderline that separates an untrusted packet-switched information network from a protected domain, comprising:
- means for receiving intercepted and redirected packets from a packet processor program that intercepts packets when they are in transit between the untrusted packet-switched information network and the protected domain,
- means for receiving from the packet processor program an original value of a certain destination information field found in packets at the moment of intercepting the packets at the packet processor program, and
- means for processing packets according to a set of processing rules that are based on obedience to said certain protocol and take also the original value of the destination information field into account.
Dependent claims: 74.