Method and system for securely scanning network traffic
Abstract
A method and system for implementing secure network communications between a first device and a second device, at least one of the devices communicating with the other device via a firewall device, are provided. The method and system may include obtaining an encryption parameter that is shared by the first device, second device and firewall device. A data packet sent by the first device may then be copied within the firewall device, so that decryption of the copy of the data packet within a portion of the firewall device may take place. In particular, the portion of the firewall device in which decryption takes place is defined such that contents of the portion are inaccessible to an operator of the firewall device. Thus, scanning of the decrypted copy of the data packet for compliance with a predetermined criterion may take place within the firewall device, without an operator of the firewall device having access to the contents of the data packet to be transmitted. Thereafter, the original data packet can be forwarded to its originally-intended recipient.
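To make the flow in the abstract concrete, here is an added Python simulation (not code from the patent or any product): one symmetric parameter is shared by both endpoints and the firewall, the firewall copies each packet and hands the copy to a sealed scanner object that holds the key and returns only a verdict, and the original ciphertext is forwarded unchanged when the scan passes. The HMAC-based toy cipher, the SealedScanner and Firewall classes and the rule list are all constructed for this example.

```python
import hashlib, hmac

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode (illustrative only, not a real cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with the shared parameter: returns nonce || ciphertext || tag."""
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, packet: bytes) -> bytes:
    """Verify the tag before decrypting; raise on any tampering."""
    nonce, ct, tag = packet[:16], packet[16:-32], packet[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity failure")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))

class SealedScanner:
    """Stands in for the 'portion inaccessible to the operator': key and decrypted copy
    stay inside, only a verdict comes out. (Name mangling is a placeholder, not a boundary.)"""
    def __init__(self, key: bytes, rules: list[bytes]):
        self.__key = key
        self.__rules = rules  # the firewall's predetermined criteria
    def verdict(self, packet_copy: bytes) -> str:
        try:
            plain = decrypt(self.__key, packet_copy)
        except ValueError:
            return "DROP: integrity failure"
        for rule in self.__rules:
            if rule in plain:
                return f"DROP: rule {rule!r} matched"
        return "FORWARD"

class Firewall:
    def __init__(self, scanner: SealedScanner):
        self.scanner = scanner
        self.forwarded: list[bytes] = []  # packets passed on to the intended recipient
    def handle(self, packet: bytes) -> str:
        verdict = self.scanner.verdict(bytes(packet))  # scan a copy, never the original
        if verdict == "FORWARD":
            self.forwarded.append(packet)  # original ciphertext forwarded unchanged
        return verdict
```

The Firewall never calls decrypt itself: everything it learns about the plaintext is the verdict string, which is the property the claims describe.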
Claims (33)
1. A method for implementing secure network communications between a first device and a second device, at least one of the devices communicating with the other device via a separate computer, the method comprising:
   - obtaining an encryption parameter that is shared by the first device, second device and separate computer;
   - copying a data packet sent by the first device, within the separate computer;
   - decrypting the copy of the data packet within a portion of the separate computer, wherein contents of the portion are inaccessible to an operator of the separate computer; and
   - scanning the decrypted copy of the data packet for compliance with a predetermined criterion associated with the separate computer for allowing transmissions therethrough.
   Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A firewall device for mediating communications between a private network device and a device external to the private network, the firewall device comprising:
   - an encryption parameter determining circuit operable to determine an encryption parameter that is known to the external device and the private network device;
   - a content scanner containing the encryption parameter and operable to decrypt contents of a transmission from the external device for scanning, said contents being encrypted with said encryption parameter, said decrypted contents being inaccessible to an operator of the firewall device, wherein the content scanner permits a forwarding of the transmission to the private network device upon a determination that the contents of the transmission comply with a predetermined criterion of the firewall device.
   Dependent claims: 12, 13, 14, 15, 16, 17.
18. An article of manufacture, which comprises a computer readable medium having stored therein a computer program carrying out a method for scanning contents of an encrypted data packet, the computer program comprising:
   - a first code segment for acquiring an encryption parameter used by a first and second device to encrypt a data packet that is transmitted therebetween via the article of manufacture;
   - a second code segment for decrypting the data packet, using the encryption parameter;
   - a third code segment for restricting a user of the article of manufacture from accessing contents of the data packet;
   - a fourth code segment for filtering the data packet based on whether the contents comply with a predetermined criterion associated with the article of manufacture.
   Dependent claims: 19, 20, 21, 22, 23, 24.
25. A method of transmitting data, comprising:
   - constructing a first encryption parameter with a firewall device that receives and forwards traffic intended for a private network device associated therewith;
   - constructing with the firewall device, based on the first encryption parameter, a second encryption parameter that was previously negotiated between the firewall device and the private network device;
   - receiving at the firewall device a transmission that is encrypted using the second encryption parameter; and
   - sending the received transmission from the firewall device to the private network device.
   Dependent claims: 26, 27.
28. A method of transmitting data, comprising:
   - constructing an encryption parameter with a recipient device through a firewall device;
   - sharing the encryption parameter with the firewall device;
   - encrypting a transmission using the encryption parameter; and
   - sending the transmission to the recipient device via the firewall device.
   Dependent claims: 29.
30. A method of filtering encrypted data at a firewall device, comprising:
   - partitioning a filtering portion of the firewall device from an operator thereof;
   - decrypting the encrypted data within the filtering portion; and
   - forwarding the data if it complies with at least one filtering rule associated with the firewall device.
   Dependent claims: 31, 32.
33. A firewall device, comprising:
   - means for obtaining an encryption parameter common to both a first device and a second device;
   - means for decrypting encrypted data transmitted from the first device using the encryption parameter; and
   - means for forwarding the encrypted data to the second device.