Method and system for establishing a security perimeter in computer networks

US 20050010766A1
Filed: 06/25/2004
Published: 01/13/2005
Est. Priority Date: 07/30/1996
Status: Active Grant

First Claim

Patent Images

1. Cancelled.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A multi-level network security system is disclosed for a computer host device coupled to at least one computer network. The system including a secure network interface Unit (SNIU) contained within a communications stack of the computer device that operates at a user layer communications protocol. The SNIU communicates with other like SNIU devices on the network by establishing an association, thereby creating a global security perimeter for end-to-end communications and wherein the network may be individually secure or non-secure without compromising security of communications within the global security perimeter. The SNIU includes a host/network interface for receiving messages sent between the computer device and network. The interface operative to convert the received messages to and from a format utilized by the network. A message parser for determining whether the association already exists with another SNIU device. A session manager coupled to said network interface for identifying and verifying the computer device requesting access to said network. The session manager also for transmitting messages received from the computer device when the message parser determines the association already exists. An association manager coupled to the host/network interface for establishing an association with other like SNIU devices when the message parser determines the association does not exist.

Citations

53 Claims

1. Cancelled.

2. A multi-level network security system comprising:
- a first secure network interface unit (SNIU) coupled to a first computer device and to a network, wherein components of the network may be individually secure or non-secure; and
  
  a second SNIU coupled to a second computer device and to the network, said second SNIU further comprising;
  
  a network interface configured to receive messages sent between the second computer device and the network;
  
  a session manager coupled to the network interface and configured to transmit said messages to the network when an association exists between the first SNIU and the second SNIU; and
  
  an association manager coupled to the network interface and configured to establish an association with the second SNIU when said association does not exist.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9)
- - 3. The multi-level network security system of claim 2, further comprising a third SNIU coupled to the network between the first SNIU and the second SNIU.
  - 4. The multi-level network security system of claim 2, wherein the second SNIU is further configured to perform both encryption and decryption of said messages.
  - 5. The multi-level network security system of claim 2, wherein the session manager is configured to protect the security communications between the second computer device and the network by implementing a security policy selected from a group consisting of discretionary access control, mandatory access control, labeling, denial of service detection, data type integrity, cascading control and covert channel use detection.
  - 6. The multi-level network security system of claim 2, wherein the second SNIU is contained within a communications stack between a Network layer and a Data Link layer of the second computer device.
  - 7. The multi-level network security system of claim 2, wherein the second SNIU is configured to perform a defined trusted session layer protocol (TSP).
  - 8. The multi-level network security system of claim 2, wherein the first SNIU and the second SNIU are configured to exchange security parameters during said association.
  - 9. The multi-level network security system of claim 2, wherein the second SNIU comprises software resident on the second computer device.

10. A multi-level network security system for a computer device coupled to a network, wherein components of the network may be individually secure or non-secure, the multi-level network security system comprising:
- a first secure network interface unit (SNIU) coupled to a network; and
  
  a second SNIU coupled to the network, the second SNIU comprising;
  
  a message parser configured to determine whether an association exists between the second SNIU and the first SNIU; and
  
  an association manager configured to establish an association with the first SNIU when the message parser determines said association does not exist.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 11. The multi-level network security system of claim 10, wherein the second SNIU further comprises a network interface configured to receive messages sent between a computer device and the network.
  - 12. The multi-level network security system of claim 11, wherein the second SNIU is further configured to perform both encryption and decryption of said messages.
  - 13. The multi-level network security system of claim 12, wherein the second SNIU is further configured to generate and write cryptographic residues for outgoing messages and configured to validate cryptographic residues for incoming messages.
  - 14. The multi-level network security system of claim 10, wherein the second SNIU further comprises a session manager configured to request access to and transmit said messages to the network when the message parser determines that said association exists.
  - 15. The multi-level network security system of claim 14, wherein the session manager is configured to protect the security communications between the computer device and the network by implementing a security policy selected from a group consisting of discretionary access control, mandatory access control, labeling, denial of service detection, data type integrity, cascading control and covert channel use detection.
  - 16. The multi-level network security system of claim 10, wherein the second SNIU is contained within a communications stack between a Network layer and a Data Link layer of a computer device coupled to the network.
  - 17. The multi-level network security system of claim 10, wherein the second SNIU is configured to perform a defined trusted session layer protocol (TSP).
  - 18. The multi-level network security system of claim 10, wherein the first SNIU and the second SNIU are configured to exchange security parameters during said association.
  - 19. The multi-level network security system of claim 10, wherein at least the second SNIU further comprises a scheduler coupled between the network and the message parser, said scheduler configured to control the flow of said data within the second SNIU.
  - 20. The multi-level network security system of claim 10, wherein the association manager is configured to generate two messages in order to establish said association.
  - 21. The multi-level network security system of claim 10, wherein the second SNIU further comprises an audit manager coupled to the association manager and configured to generate audit event messages when an invalid authorization code is received.
  - 22. The multi-level network security system of claim 10, wherein the second SNIU comprises software resident in a computer device coupled to the network.
  - 23. The multi-level network security system of claim 10, wherein the second SNIU comprises a hardware device coupling a computer device to the network.
  - 24. The multi-level network security system of claim 23, wherein the second SNIU is transparent to the computer device.

25. A multi-level network security system for a computer device coupled to a network, wherein components of the network may be individually secure or non-secure, the multi-level network security system comprising:
- first secure means for creating a security perimeter for end-to-end communications, wherein said first secure means is coupled to a first computer device and to a network; and
  
  second secure means for creating said security perimeter, wherein the second secure means is coupled to a second computer device and to the network, the second secure means comprising;
  
  means for determining whether an association exists between the second secure means and the first secure means; and
  
  means for establishing an association with the first secure means when the means for determining determines said association does not exist.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32)
- - 26. The multi-level network security system of claim 25, wherein the second secure means further comprises interface means for receiving a message sent between the second computer device and the network.
  - 27. The multi-level network security system of claim 26, wherein the second secure means further comprises means for requesting access to and transmitting said message to the network when the means for determining determines said association exists.
  - 28. The multi-level security system of claim 26, wherein the second secure means further comprises means for encrypting outgoing messages and decrypting incoming messages.
  - 29. The multi-level security system of claim 26, wherein the second secure means further comprises means for writing cryptographic residues for outgoing messages and validating cryptographic residues for incoming residues.
  - 30. The multi-level security system of claim 26, wherein the second secure means further comprises means for temporarily storing said message received from the second computer device when said association does not exist.
  - 31. The multi-level security system of claim 26, wherein the interface means further comprises means for converting said received message to and from a format utilized by the network.
  - 32. The multi-level security system of claim 25, wherein the second secure means further comprises means for generating an audit trail.

33. A secure network interface unit for use in a multi-level network security system, the secure network interface unit comprising:
- interface means for receiving messages sent between a computer device and a network, wherein components of the network may be individually secure or non-secure;
  
  means for determining whether an association exists between the secure network interface unit and a second secure network interface unit;
  
  means for requesting access to and transmitting said messages to the network when the means for determining determines said association exists, wherein said means for requesting and transmitting is coupled to said interface means; and
  
  means for establishing an association with the second secure network interface unit when the means for determining determines said association does not exist, wherein said means for establishing is coupled to said interface means.
- View Dependent Claims (34, 35, 36, 37, 38, 39)
- - 34. The secure network interface unit of claim 33, further comprising means for encrypting outgoing messages and decrypting incoming messages.
  - 35. The secure network interface unit of claim 33, further comprising means for storing said message received from the computer device when said association does not exist.
  - 36. The secure network interface unit of claim 33, wherein the interface means further comprises means for converting said received messages to and from a format utilized by the network.
  - 37. The secure network interface unit of claim 33, further comprising means for identifying and verifying the computer device requesting access to the network.
  - 38. The secure network interface unit of claim 33, wherein the interface means for receiving, the means for determining, the means for requesting, and the means for establishing comprise software resident in the computer device.
  - 39. The secure network interface unit of claim 33, wherein the interface means for receiving, the means for determining, the means for requesting, and the means for establishing are housed in a hardware device separate from the computer device.

40. A method for creating a security perimeter for end-to-end communications on a network, the method comprising:
- providing a first secure network interface unit (SNIU) between a first computer device and a network, wherein components of the network may be individually secure or non-secure; and
  
  providing a second SNIU between a second computer device and the network, wherein said second SNIU is configured to perform a plurality of security functions including;
  
  receiving messages sent between the second computer device and the network;
  
  converting the received messages to and from a format utilized by the network;
  
  identifying and verifying the second computer device requesting access to the network;
  
  determining whether an association exists between the second SNIU and the first SNIU;
  
  transmitting the received messages to the first SNIU when said association exists; and
  
  establishing an association with the first SNIU when said association does not exist.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47)
- - 41. The method of claim 40, wherein the second SNIU is placed within a communications stack of the second computer device.
  - 42. The method of claim 41, wherein the second SNIU is placed within the communications stack between a Network layer and a Data Link layer.
  - 43. The method of claim 40, wherein the second SNIU further performs the function of encrypting outgoing messages and decrypting incoming messages.
  - 44. The method of claim 40, wherein at least the second SNIU protects the security communications between the second computer device and the network by implementing a security policy selected from a group consisting of discretionary access control, mandatory access control, labeling, denial of service detection, data type integrity, cascading control, and covert channel use detection.
  - 45. The method of claim 40, wherein the second SNIU further performs a defined trusted session layer protocol (TSP).
  - 46. The method of claim 40, wherein the second SNIU further performs the function of temporarily storing the received messages from the computer device when said association does not exist.
  - 47. The method of claim 40, wherein said association is established by generating two messages.

48. A method for providing a multi-level network security system for a computer device coupled to a computer network, wherein components of the network may be individually secure or non-secure, the method comprising:
- placing a first secure network interface between a computer device and a network, wherein the first secure network interface performs a plurality of security functions including;
  
  receiving messages sent between the computer device and the network;
  
  determining whether an association exists between the first secure network interface and a second secure network interface coupled to the network; and
  
  establishing an association with the second secure network interface when said association does not exist.
- View Dependent Claims (49, 50, 51, 52, 53)
- - 49. The method of claim 48, wherein the secure network interface is placed within a communications stack of the computer device.
  - 50. The method of claim 48, wherein the secure network interface further performs a defined trusted session layer protocol (TSP).
  - 51. The method of claim 48, wherein the secure network interface further performs the function of generating an audit trail.
  - 52. The method of claim 48, wherein the secure network interface further performs the function of temporarily storing said received messages from the computer device when said association does not exist with the second secure network interface.
  - 53. The method of claim 48, wherein said association is established by generating two messages.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Edwin H. Wrench, James M. Holden, James O. Nickel, Stephen E. Levin
Original Assignee
Micron Technology, Inc.
Inventors
Nickel, James O., Levin, Stephen E., Wrench, Edwin H., Holden, James M.

Granted Patent

US 7,475,137 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/166
CPC Class Codes

G06F 21/31   User authentication

G06F 21/606   by securing the transmissio...

G06F 21/85   interconnection devices, e....

G06F 2211/001   In-Line Device

G06F 2211/005   Network, LAN, Remote Access...

G06F 2211/007   Encryption, En-/decode, En-...

G06F 2211/009   Trust

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06F 2221/2153   Using hardware token as a s...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/02   for separating internal fro...

H04L 63/0218   Distributed architectures, ...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0869   for achieving mutual authen...

H04L 63/101   Access control lists [ACL]

H04L 63/105   Multiple levels of security

H04L 63/126   the source of the received ...

H04L 63/14 : for detecting or protecting...

H04L 67/141 : Setup of application sessio...

H04L 67/563 : Data redirection of data ne...

H04L 9/3247 : involving digital signatures

H04L 9/3268 : using certificate validatio...

H04L 9/3273 : for mutual authentication n...

H04L 9/40 : Network security protocols

H04W 12/069 : using certificates or pre-s...

View All

Method and system for establishing a security perimeter in computer networks

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

53 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for establishing a security perimeter in computer networks

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

53 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links