Firewall providing enhanced network security and user transparency

US 20040103321A1
Filed: 11/06/2003
Published: 05/27/2004
Est. Priority Date: 02/06/1996
Status: Active Grant

First Claim

Patent Images

1. A data processing system for processing data packets transferred over a network, the data processing system comprising:

a firewall, the firewall being operable to;

receive a set of firewall policies; and

apply the firewall policies to a data packet;

an authentication application, the authentication application being operable to;

receive a set of authentication policies; and

authenticate a data packet in accordance with the authentication policies;

at least one virtual private network, each virtual private network having an associated destination address and policies; and

a controller being operable to;

detect an incoming data packet;

examine the incoming data packet for a virtual private network destination address;

identify the policies associated with the virtual private network destination;

if the policies include firewall policies, then call a firewall engine and apply the set of firewall policies corresponding to the virtual private network to the data packet;

if the policies include authentication policies, then call an authentication application and apply a set of authentication policies corresponding to the virtual private network to the data packet; and

route the data packet to the virtual private network, the virtual private network corresponding to a destination address contained in the data packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a firewall that achieves maximum network security and maximum user convenience. The firewall employs “envoys” that exhibit the security robustness of prior-art proxies and the transparency and ease-of-use of prior-art packet filters, combining the best of both worlds. No traffic can pass through the firewall unless the firewall has established an envoy for that traffic. Both connection-oriented (e.g., TCP) and connectionless (e.g., UDP-based) services may be handled using envoys. Establishment of an envoy may be subjected to a myriad of tests to “qualify” the user, the requested communication, or both. Therefore, a high level of security may be achieved. The usual added burden of prior-art proxy systems is avoided in such a way as to achieve fall transparency-the user can use standard applications and need not even know of the existence of the firewall. To achieve full transparency, the firewall is configured as two or more sets of virtual hosts. The firewall is, therefore, “multihomed,” each home being independently configurable. One set of hosts responds to addresses on a first network interface of the firewall. Another set of hosts responds to addresses on a second network interface of the firewall. In one aspect, programmable transparency is achieved by establishing DNS mappings between remote hosts to be accessed through one of the network interfaces and respective virtual hosts on that interface. In another aspect, automatic transparency may be achieved using code for dynamically mapping remote hosts to virtual hosts in accordance with a technique referred to herein as dynamic DNS, or DDNS.

Citations

38 Claims

1. A data processing system for processing data packets transferred over a network, the data processing system comprising:
- a firewall, the firewall being operable to;
  
  receive a set of firewall policies; and
  
  apply the firewall policies to a data packet;
  
  an authentication application, the authentication application being operable to;
  
  receive a set of authentication policies; and
  
  authenticate a data packet in accordance with the authentication policies;
  
  at least one virtual private network, each virtual private network having an associated destination address and policies; and
  
  a controller being operable to;
  
  detect an incoming data packet;
  
  examine the incoming data packet for a virtual private network destination address;
  
  identify the policies associated with the virtual private network destination;
  
  if the policies include firewall policies, then call a firewall engine and apply the set of firewall policies corresponding to the virtual private network to the data packet;
  
  if the policies include authentication policies, then call an authentication application and apply a set of authentication policies corresponding to the virtual private network to the data packet; and
  
  route the data packet to the virtual private network, the virtual private network corresponding to a destination address contained in the data packet.

2. A method for processing a data packet in a packet filtering device, the method comprising:
- receiving a data packet;
  
  determining a virtual local area network destination for the received data packet, including identifying a set of rules that are associated with the virtual local area network destination;
  
  applying the set of rules to the data packet; and
  
  if a virtual local area network destination has been determined for the received data packet, outputting the data packet to its virtual local area network destination, using the result from the application of the set of rules, and if a virtual local area network destination has not been determined for the received data packet, denying the data packet.

3. A packet filtering device for processing a data packet, the packet filtering device comprising:
- an input port, the input port being operable to receive a data packet;
  
  a processor, the processor being connected to the input port and being operable to;
  
  determine a virtual local area network destination for the received data packet, including identifying a set of rules that are associated with the virtual local area network destination; and
  
  apply the set of rules to the data packet; and
  
  an output port, the output port being connected to the processor and being operable to;
  
  output the data packet to its virtual local area network destination, using the result from the application of the rules if a virtual local area network destination has been determined for the received data packet; and
  
  drop the data packet if a virtual local area network destination has not been determined for the received data packet.

4. A method for examining data packets transferred over a network, the method comprising:
- connecting to at least one virtual local area networks;
  
  associating a set of firewall configuration settings with each of the at least one virtual local area networks;
  
  receiving an incoming data packet;
  
  examining the incoming data packet in accordance with a set of firewall configuration settings; and
  
  allowing the examined data packet to a particular virtual local area network among the at least one virtual local area networks, based on the result of the examination.

5. A security system, comprising:
- security system resources including firewall services; and
  
  a controller operable to partition the security system resources into a plurality of separate virtual hosts, each virtual host being configurable to enforce at least one policy relating to a specific set of host machines, and to allocate security system resources to the at least one virtual hosts.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 6. The security system of claim 5, wherein the security system is operable to allocate security system resources to a specific host machine.
  - 7. The security system of claim 6, wherein the specific host machine is associated to a computer network.
  - 8. The security system of claim 6, wherein the specific host machine is a device connected to a computer network.
  - 9. The security system of claim 5, wherein each virtual host includes a user interface for viewing, configuring and modifying a set of policies relating to a specific host machine.
  - 10. The security system of claim 9, wherein the security system resources further include authentication services.
  - 11. The security system of claim 9, wherein the security system resources further include virtual private network (VPN) services.
  - 12. The security system of claim 9, wherein the security system resources further include traffic configuration services.
  - 13. The security system of claim 12, wherein the security system resources further include encryption services.
  - 14. The security system of claim 9, wherein the security system resources further include at least one of:
    - administrative tools, logging, mapping, and resources for updating.
  - 15. The security system of claim 5, further comprising a management device operable to provide a domain name service, the set of host being configurable to enforce at least one policies for all host in the set.
  - 16. The security system of claim 15, wherein the management device includes a user interface for viewing, updating and modifying any set of policies associated with any hosts and the set of policies associated with a set of virtual host.
  - 17. The security system of claim 15, wherein the domain name service includes address mappings.
  - 18. The security system of claim 5, wherein the domain name service includes a policy for incoming data packets, a policy for outgoing packets, a policy for virtual private networking, authentication policies, traffic regulating policies and firewall policies.
  - 19. The security system of claim 5, wherein at least one of the plurality of virtual hosts includes a unique mapping.

20. A data processing system for processing data packets transferred over a network, the data processing system comprising:
- a firewall, the firewall being operable to;
  
  receive a set of firewall policies; and
  
  apply the firewall policies to a data packet;
  
  an authentication application, the authentication application being operable to;
  
  receive a set of authentication policies; and
  
  authenticate a data packet in accordance with the authentication policies;
  
  at least one virtual private network, the virtual private network having an associated destination address and policies; and
  
  a controller being operable to;
  
  detect an incoming data packet;
  
  examine the incoming data packet for a virtual private network destination address;
  
  identify the policies associated with the virtual private network destination;
  
  if the policies include firewall policies, then call a firewall engine and apply the set of firewall policies corresponding to the virtual private network destination to the data packet;
  
  if the policies include authentication policies, then call the authentication application and apply the set of authentication policies corresponding to the virtual private network destination to the data packet; and
  
  route the data packet to the virtual private network containing the data packet'"'"'s destination address.

21. A method for processing a data packet in a packet filtering device, the method comprising:
- receiving a data packet;
  
  determining a virtual local area network destination for the received data packet, including identifying a set of rules that are associated with the virtual local area network destination;
  
  applying the set of rules to the data packet;
  
  if a virtual local area network destination has been determined for the received data packet, outputting the data packet to its virtual local area network destination, using the result from the application of the rules, and if a virtual local area network destination has not been determined for the received data packet, denying the data packet.

22. A packet filtering device for processing a data packet, the packet filtering device comprising:
- an input port, the input port being operable to receive a data packet;
  
  a processor, the processor being connected to the input port and being operable to;
  
  determine a virtual local area network destination for the received data packet, including identifying a set of rules that are associated with the virtual local area network destination; and
  
  apply the set of rules to the data packet; and
  
  an output port, the output port being connected to the processor and being operable to;
  
  output the data packet to its virtual local area network destination, using the result from the application of the rules if a virtual local area network destination has been determined for the received data packet; and
  
  drop the data packet if a virtual local area network destination has not been determined for the received data packet.

23. A method for examining data packets transferred over a network, the method comprising:
- connecting to at least one virtual local area networks;
  
  associating a set of firewall configuration settings with each of the at least one virtual local area networks;
  
  receiving an incoming data packet;
  
  examining the incoming data packet in accordance with a set of firewall configuration settings; and
  
  allowing the examined data packet to a particular virtual local area network among the at least one virtual local area networks, based on the result of the examination.

24. A security system, comprising:
- security system resources including firewall services; and
  
  a controller operable to partition the security system resources into a plurality of separate virtual hosts, each virtual host being configurable to enforce at least one policy relating to a specific host machines, and to allocate security system resources to the at least one virtual hosts.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 25. The security system of claim 24, wherein the security system is operable to allocate security system resources to a specific host machines.
  - 26. The security system of claim 24, wherein the specific host machine is associated to a computer network.
  - 27. The security system of claim 24, wherein the specific host machine is a device connected to a computer network.
  - 28. The security system of claim 24, wherein each virtual host includes a user interface for viewing configuring and modifying a set of policies relating to a specific host machine.
  - 29. The security system of claim 28, wherein the security system resources further include authentication services.
  - 30. The security system of claim 28, wherein the security system resources further include virtual private network services.
  - 31. The security system of claim 28, wherein the security system resources further include traffic configuration services.
  - 32. The security system of claim 31, wherein the security system resources further include encryption services.
  - 33. The security system of claim 28, wherein the security system resources further include at least one selection from the group consisting of administrative tools, logging, mapping, and resources for updating.
  - 34. The security system of claim 24, further comprising a management device operable to provide a domain name service, the management device being configurable to enforce at least one policies for all host in the set.
  - 35. The security system of claim 34, wherein the management device includes a user interface for viewing, updating and modifying a set of policies associated with remote hosts and a set of policies associated with a set of virtual hosts.
  - 36. The security system of claim 34, wherein the domain name service includes address mappings.
  - 37. The security system of claim 24, wherein each set of domain name service policies includes policies for incoming data packets, policies for outgoing packets, policies for virtual private networking, authentication policies, traffic regulating policies and firewall policies.
  - 38. The security system of claim 24, wherein at least one of the plurality of virtual host include a unique mapping.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GraphOn Corporation
Original Assignee
Christopher D. Coley, Ralph E. Wesinger Jr
Inventors
Coley, Christopher D., Wesinger, Ralph E. Jr.

Granted Patent

US 7,028,336 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

B65B 11/004   in blanks, e.g. sheets prec...

G06F 16/958   Organisation or management ...

G06F 21/42   using separate channels for...

G06Q 20/027   involving a payment switch ...

H04L 2101/677   Multiple interfaces, e.g. m...

H04L 61/25   of the same type

H04L 61/2514   between local and global IP...

H04L 61/2521   Translation architectures o...

H04L 61/256   NAT traversal

H04L 61/35   involving non-standard use ...

H04L 61/4511   using domain name system [DNS]

H04L 61/4552   Lookup mechanisms between a...

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/0281   Proxies

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/18   using different networks or...

H04L 69/16   Implementation or adaptatio...

H04L 69/164   Adaptation or special uses ...

H04L 9/40 : Network security protocols

View All

Firewall providing enhanced network security and user transparency

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Firewall providing enhanced network security and user transparency

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links