System and method for intrusion prevention in a communications network

US 20050160289A1
Filed: 11/18/2002
Published: 07/21/2005
Est. Priority Date: 11/18/2002
Status: Active Grant

First Claim

Patent Images

1. A method for preventing intrusion in a communications network having a plurality of nodes, comprising the steps of:

initiating a request for network services by a source node;

constructing a transformed packet header and transmitting a synchronization packet with the transformed packet header to a destination node;

authenticating the received packet by examination of the transformed packet header;

releasing the authenticated packet to the destination node; and

reforming the transformed packet header at the destination node.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system and program for preventing intrusion in a communications network. A source node initiates a request for network services, such as session establishment, database access, or application access. Known network resources and authorized user information is stored in a database at a network portal along with access policy rules that are device and user dependent. Identification of the source node is required before the source node can construct a transformed packet header that is included with a synchronization packet before transmission to a destination node. An appliance or firewall in the communications network receives and authenticates the synchronization packet before releasing the packet to its, intended destination. The authentication process includes verification of the access policy associated with the source node. Once received at the destination node, the transformed packet header is reformed by extracting a key index value. The extracted key index is subsequently used to transform the packet header in the response transmitted to the source node.

Citations

117 Claims

1. A method for preventing intrusion in a communications network having a plurality of nodes, comprising the steps of:
- initiating a request for network services by a source node;
  
  constructing a transformed packet header and transmitting a synchronization packet with the transformed packet header to a destination node;
  
  authenticating the received packet by examination of the transformed packet header;
  
  releasing the authenticated packet to the destination node; and
  
  reforming the transformed packet header at the destination node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 70, 71, 72, 73, 74, 75, 76, 77, 79, 80, 81, 82, 84, 87, 88, 89, 90, 91, 93, 96, 97, 98, 99, 100, 101, 102, 103, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117)
- - 2. The method for preventing intrusion in a communications network of claim 1 further comprising the step of transmitting an acknowledgement response with a transformed packet header to the source node.
  - 3. The method for preventing intrusion in a communications network of claim 1 wherein the request for network services is a request for a session connection with the destination node.
  - 4. The method for preventing intrusion in a communications network of claim 1 further comprising the step of authenticating a source identification by comparing a previously stored value with the source identification value determined for the source node.
  - 5. The method for preventing intrusion in a communications network of claim 4 wherein the previously stored value and the determined source identification value are based on a hardware address of the source node and an associated user identification.
  - 6. The method for preventing intrusion in a communications network of claim 4 wherein the request for network services is terminated if the determined source identification value does not match the previously stored value.
  - 7. The method for preventing intrusion in a communications network of claim 6 further comprising the step of reporting the termination of the request for network services in a message to a network administrator and storing the message in an unauthorized event database.
  - 8. The method for preventing intrusion in a communications network of claim 1 wherein the step of constructing a transformed packet header comprises the steps of:
    - selecting a key index value from a first array of key index values;
      
      applying the selected first array key index value to transform a user identification;
      
      appending the first array key index value to the transformed user identification;
      
      selecting a key index value from a second array of index values;
      
      applying the second array key index value to the transformed user identification and appended first array key index value to form a first packet header field; and
      
      storing the first packet header field in a transmit buffer.
  - 9. The method for preventing intrusion in a communications network of claim 8 wherein the step-of constructing a transformed packet header further comprises the steps of:
    - appending the second array key index value to a determined source identification value to form a resulting source identification value;
      
      applying a transformation routine to the resulting source identification value to form a second packet header field; and
      
      storing the second packet header field in the transmit buffer.
  - 10. The method for preventing intrusion in a communications network of claim 1 further comprising the steps of:
    - inspecting each received packet to determine a corresponding transport protocol;
      
      inspecting each received packet matching a selected protocol type to determine if the received packet is a synchronization packet;
      
      retaining the received packet for further processing if the received packet is a synchronization packet.
  - 11. The method for preventing intrusion in a communications network of claim 10 further comprising the step of releasing the received packet if it does not match a selected protocol type.
  - 12. The method for preventing intrusion in a communications network of claim 10 further comprising the step of releasing the received packet if it is not a synchronization packet.
  - 13. The method for preventing intrusion in a communications network of claim 1 wherein the step of authenticating the received packet comprises the steps of:
    - determining if the received packet originated from a trusted source node; and
      
      executing an exception module if the received packet originated from an untrusted source node.
  - 14. The method for preventing intrusion in a communications network of claim 1 wherein the step of authenticating the received packet comprises the steps of:
    - determining if the received packet originated from a trusted source node;
      
      examining the packet header of the received packet to determine if the packet header has been transformed by the source node;
      
      extracting a determined source identification value and an associated source user identification from the transformed packet header; and
      
      inspecting the packet header to determine if an access policy is specified for the source node.
  - 15. The method for preventing intrusion in a communications network of claim 14 further comprising the steps of determining if a hardware policy is defined and identifying the source node requesting the network services.
  - 16. The method for preventing intrusion in a communications network of claim 14 further comprising the steps of determining if an application policy is defined and verifying a destination port.
  - 17. The method for preventing intrusion in a communications network of claim 14 further comprising the steps of determining if a destination policy is defined and verifying a destination port.
  - 18. The method for preventing intrusion in a communications network of claim 14 further comprising the step of terminating the request for network services if either no access policy is specified or if the specified access policy cannot be verified.
  - 19. The method for preventing intrusion in a communications network of claim 18 further comprising the step of reporting the termination of the request for network services in a message to a network administrator and storing the message in an unauthorized event database.
  - 20. The method for preventing intrusion in a communications network of claim 1 further comprising the step performed at the destination node of inspecting each received packet to determine if the received packet is a synchronization packet.
  - 21. The method for preventing intrusion in a communications network of claim 20 further comprising the step of examining the packet header to determine if the packet header has been transformed by the source node.
  - 22. The method for preventing intrusion in a communications network of claim 21 further comprising the steps of terminating the request for network services, reporting the termination of the request for network services in a message to a network administrator and storing the message in an unauthorized event database.
  - 23. The method for preventing intrusion in a communications network of claim 1 wherein the step of reforming the transformed packet header comprises the steps of:
    - extracting a key index value from a packet header field; and
      
      storing the key index value in a first buffer for use throughout a communications session between the source node and the destination node.
  - 24. The method for preventing intrusion in a communications network of claim 23 wherein the step of reforming the transformed packet header further comprises the steps of:
    - using the key index value to reform another packet header field; and
      
      storing a value resulting from the reformed another packet header field in a transmit buffer.
  - 25. The method for preventing intrusion in a communications network of claim 24 further comprising the steps of setting the packet header field to a zero value and storing the zero value in the packet header field in the transmit buffer.
  - 26. The method for preventing intrusion in a communications network of claim 25 further comprising the steps of applying the key index value to the packet header field and the another packet header field to transform the packet header.
  - 27. The method for preventing intrusion in a communications network of claim 1 further comprising the steps performed at the destination node after a communications session is established with a source node:
    - receiving a packet at the destination node;
      
      reforming a first packet header field using a previously stored key index value;
      
      storing the reformed first packet header field in a receive buffer;
      
      reforming a second packet header field using the key index value;
      
      storing the reformed packet header filed in the receive buffer; and
      
      processing the received packet with reformed first and second packet header fields.
  - 28. The method for preventing intrusion in a communications network of claim 27 further comprising the steps of:
    - transforming the first and second reformed packet header fields;
      
      storing the transformed first and second packet header fields in a transmit buffer; and
      
      transmitting a response packet to the source node including the transformed first and second packet header fields.
  - 29. The method for preventing intrusion in a communications network of claim 13 wherein the step of executing an exception routine comprises the steps of:
    - extracting an address of the source node from a network layer header of the received packet;
      
      determining if the source node address is an address known to the communications network;
      
      extracting an address of the destination node from a network layer header of the received packet;
      
      determining if the destination node address is an address known to the communications network;
      
      extracting a port number of the destination node from a transport layer header of the received packet; and
      
      determining if the destination port number is known to the communications network.
  - 30. The method for preventing intrusion in a communications network of claim 29 wherein the request for network services is terminated if any one of the source node address, the destination node address and the destination port number are not known to the communications network.
  - 31. The method for preventing intrusion in a communications network of claim 29 wherein the step of executing an exception routine further comprises the steps of:
    - generating an initial value for a packet header field;
      
      selecting a key index value from an array of key index values;
      
      appending the key index value to the generated initial value;
      
      applying the key index value to the generated initial value and appended key index value to form a new transformed packet header field; and
      
      reassembling the received packet including the new transformed packet header field.
  - 32. The method for preventing intrusion in a communications network of claim 31 further comprising the step of determining a checksum value for the new transformed packet header before releasing the received packet to the destination node.
  - 70. The appliance for providing trusted communications of claim 669 further comprising a component for determining if a hardware policy is defined and identifying the client device requesting a communications session with another client device.
  - 71. The appliance for providing trusted communications of claim 669 further comprising a component for determining if an application policy is defined and verifying a destination port.
  - 72. The appliance for providing trusted communications of claim 669 further comprising a component for determining if a destination policy is defined and verifying a destination port.
  - 73. The appliance for providing trusted communications of claim 669 further comprising a component for terminating the request for a communication session if either no access policy is specified or if the specified access policy cannot be verified.
  - 74. The appliance for providing trusted communications of claim 773 further comprising a component for reporting the termination of the request for the communications session to a network administrator and storing the message in an unauthorized event database.
  - 75. The appliance for providing trusted communications of claim 668 wherein the component for executing an exception routine comprises:
    - a component for extracting an address of the client device from the received packet;
      
      a component for determining if the client device address is an address known to the communications network;
      
      a component for extracting an address of another client device from the header of the received packet;
      
      a component for determining if the another client device address is an address known to the communications network;
      
      a component for extracting a port number of the another client device from the header of the received packet; and
      
      a component for determining if the another client device port number is known to the communications network.
  - 76. The appliance for providing trusted communications of claim 75 wherein the component for executing an exception routine further comprises:
    - a component for generating an initial value for a packet header field;
      
      a component for selecting a key index value from an array of key index values;
      
      a component for appending the key index value to the generated initial value;
      
      a component for applying the key index value to the generated initial value and appended key index value to form a new transformed packet header field; and
      
      a component for reassembling the received packet including the new transformed packet header field.
  - 77. The appliance for providing trusted communications of claim 776 urther comprising a component for determining a checksum value for the new transformed packet header before releasing the received packet to the another client device.
  - 79. The client device for providing trusted communications of claim 778 further comprising a component for authenticating identification of the client device by comparing a previously stored value with an identification value determined for the client device.
  - 80. The client device for providing trusted communications of claim 779 wherein the previously stored value and the determined identification value are based on a hardware address of the client device and an associated user identification.
  - 81. The client device for providing trusted communications of claim 779 wherein the request for a communications session is terminated if the determined identification value does not match the previously stored value.
  - 82. The client device for providing trusted communications of claim 880 further comprising a component for reporting the termination of the request for a communications session in a message to a network administrator and storing the message in an unauthorized event database.
  - 84. The client device for providing trusted communications of claim 883 wherein the component for constructing a transformed packet header further comprises:
    - a component for appending the second array key index value to a determined identification value to form a resulting identification value;
      
      a component for applying a transformation routine to the resulting identification value to form a second packet header field; and
      
      a component for storing the second packet header field in the transmit buffer.
  - 87. The client device for providing trusted communications of claim 886 further comprising a component for setting the packet header field to a zero value and storing the zero value in the packet header field in the transmit buffer.
  - 88. The client device for providing trusted communications of claim 887 further comprising a component for applying the key index value to the packet header field and the another packet header field to transform the packet header.
  - 89. The client device for providing trusted communications of claim 778 further comprising a component for inspecting each received packet to determine if the received packet is a synchronization packet.
  - 90. The client device for providing trusted communications of claim 889 further comprising a component for determining if the packet header has been transformed by the network device.
  - 91. The client device for providing trusted communications of claim 990 urther comprising a component for terminating the request for the communications session, reporting the termination of the request in a message to a network administrator and storing the message in an unauthorized event database.
  - 93. The computer program product for providing trusted communications of claim 992 urther comprising:
    - program instructions that inspect each received packet to determine a corresponding transport protocol; and
      
      program instructions that determine if each received packet is a synchronization packet.
  - 96. The computer program product for providing trusted communications of claim 995 further comprising program instructions that determine if a hardware policy is defined and identify the client device requesting a communications session with another client device.
  - 97. The computer program product for providing trusted communications of claim 995 further comprising a program instructions that determine if an application policy is defined and verify a destination port.
  - 98. The computer program product for providing trusted communications of claim 995 urther comprising program instructions that determine if a destination policy is defined and verify a destination port.
  - 99. The computer program product for providing trusted communications of claim 995 urther comprising program instructions that terminate the request for a communication session if either no access policy is specified or if the specified access policy cannot be verified.
  - 100. The computer program product for providing trusted communications of claim 999 further comprising program instructions that report the termination of the request for the communications session to a network administrator and store the message in an unauthorized event database.
  - 101. The computer program product for providing trusted communications of claim 994 wherein the program instructions that execute an exception routine comprise:
    - program instructions that extract an address of the client device from the received packet;
      
      program instructions that determine if the client device address is an address known to the communications network;
      
      program instructions that extract an address of another client device from the header of the received packet;
      
      program instructions that determine if the another client device address is an address known to the communications network;
      
      program instructions that extract a port number of another client device from the header of the received packet; and
      
      program instructions that determine if the another client device port number is known to the communications network.
  - 102. The computer program product for providing trusted communications of claim 1101 wherein the program instructions that execute an exception routine further comprise:
    - ;
      
      program instructions that select a key index value from an array of key index values;
      
      program instructions that append the key index value to the generated initial value;
      
      program instructions that apply the key index value to the generated initial value and appended key index value to form a new transformed packet header field; and
      
      program instructions that reassemble the received packet including the new transformed packet header field.
  - 103. The computer program product for providing trusted communications of claim 1102 further comprising program instructions that determine a checksum value for the new transformed packet header before releasing the received packet to the another client device.
  - 105. The computer program product for providing trusted communications of claim 1104 further comprising program instructions that authenticate identification of the client device by comparing a previously stored value with an identification value determined by the client device.
  - 106. The computer program product for providing trusted communications of claim 1105 wherein the previously stored value and the determined identification value are based on a hardware address of the client device and an associated user identification.
  - 107. The computer program product for providing trusted communications of claim 1105 wherein the request for a communications session is terminated if the determined identification value does not match the previously stored value.
  - 108. The computer program product for providing trusted communications of claim 1106 further comprising program instructions that report the termination of the request for a communications session in a message to a network administrator and store the message in an unauthorized event database.
  - 109. The computer program product for providing trusted communications of claim 1104 wherein the program instructions that construct a transformed packet header comprise:
    - program instructions that select a key index value from a first array of key index values;
      
      program instructions that apply the selected first array key index value to transform a user identification;
      
      program instructions that append the first array key index value to the transformed user identification;
      
      program instructions that select a key index value from a second array of index values;
      
      program instructions that apply the second array key index value to the transformed user identification and appended first array key index value to form a first packet header field; and
      
      program instructions that store the first packet header field in a transmit buffer.
  - 110. The computer program product for providing trusted communications of claim 1109 wherein the program instructions that construct a transformed packet header further comprise:
    - program instructions that append the second array key index value to a determined identification value to form a resulting identification value;
      
      program instructions that apply a transformation routine to the resulting identification value to form a second packet header field; and
      
      program instructions that store the second packet header field in the transmit buffer.
  - 111. The computer program product for providing trusted communications of claim 1104 wherein the program instructions that reform the transformed packet header comprise:
    - program instructions that extract a key index value from a packet header field; and
      
      program instructions that store the key index value in a first buffer for use throughout the communications session with the network device.
  - 112. The computer program product for providing trusted communications of claim 1104 wherein the program instructions that reform the transformed packet header further comprise:
    - program instructions that use the key index value to reform another packet header field; and
      
      program instructions that store a value resulting from the reformed another packet header field in a transmit buffer.
  - 113. The computer program product for providing trusted communications of claim 1112 further comprising program instructions that set the packet header field to a zero value and store the zero value in the packet header field in the transmit buffer.
  - 114. The computer program product for providing trusted communications of claim 1113 further comprising program instructions that apply the key index value to the packet header field and the another packet header field to transform the packet header.
  - 115. The computer program product for providing trusted communications of claim 1104 urther comprising program instructions that inspect each received packet to determine if the received packet is a synchronization packet.
  - 116. The computer program product for providing trusted communications of claim 1115 further comprising program instructtions that determine if the packet header has been transformed by the network device.
  - 117. The computer program product for providing trusted communications of claim 1116 further comprising program instructions that terminate the request for the communications session, report the termination of the request in a message to a network administrator and store the message in an unauthorized event database.

33. A method for providing trusted communications between a source device and a destination device in a communications network, comprising the steps of:
- initiating a request for a communications session at the source device;
  
  constructing a transformed packet header and transmitting a synchronization packet including the transformed packet header to the destination device;
  
  receiving the synchronization packet at the destination device;
  
  reforming the transformed packet header at the destination device; and
  
  constructing a transformed packet header and transmitting an acknowledgement response including the transformed packet header to the source device.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48)
- - 34. The method for providing trusted communications of claim 33 further comprising the step of authenticating a source identification at the source device by comparing a previously stored value with a source identification value determined for the source device.
  - 35. The method for providing trusted communications of claim 34 wherein the previously stored value and the determined source identification value are based on a hardware address of the source device and an associated user identification.
  - 36. The method for providing trusted communications of claim 34 wherein the request for a communications session is terminated if the determined source identification value does not match the previously stored value.
  - 37. The method for providing trusted communications of claim 36 further comprising the step of reporting the termination of the request for a communications session in a message to a network administrator and storing the message in an unauthorized event database.
  - 38. The method for providing trusted communications of claim 33 wherein the step of constructing a transformed packet header comprises the steps of:
    - selecting a key index value from a first array of key index values;
      
      applying the selected first array key index value to transform a user identification;
      
      appending the first array key index value to the transformed user identification;
      
      selecting a key index value from a second array of index values;
      
      applying the second array key index value to the transformed user identification and appended first array key index value to form a first packet header field; and
      
      storing the first packet header field in a transmit buffer.
  - 39. The method for providing trusted communications of claim 38 wherein the step of constructing a transformed packet header further comprises the steps of:
    - appending the second array key index value to a determined source identification value to form a resulting source identification value;
      
      applying a transformation routine to the resulting source identification value to form a second packet header field; and
      
      storing the second packet header field in the transmit buffer.
  - 40. The method for providing trusted communications of claim 33 wherein the step of reforming the transformed packet header comprises the steps of:
    - extracting a key index value from a packet header field; and
      
      storing the key index value in a first buffer for use throughout the communications session between the source device and the destination device.
  - 41. The method for providing trusted communications of claim 40 wherein the step of reforming the transformed packet header further comprises the steps of:
    - using the key index value to reform another packet header field;
      
      storing a value resulting from the reformed another packet header field in a transmit buffer.
  - 42. The method for providing trusted communications of claim 41 further comprising the steps of setting the packet header field to a zero value and storing the zero value in the packet header field in the transmit buffer.
  - 43. The method for providing trusted communications of claim 42 further comprising the steps of applying the key index value to the packet header field and the another packet header field to transform the packet header.
  - 44. The method for providing trusted communications of claim 33 further comprising the step of inspecting each received packet to determine if the received packet is a synchronization packet.
  - 45. The method for providing trusted communications of claim 44 further comprising the step of determining if the packet header has been transformed by the source device.
  - 46. The method for providing trusted communications of claim 45 further comprising the steps of terminating the request for the communications session, reporting the termination of the request in a message to a network administrator and storing the message in an unauthorized event database.
  - 47. The method for providing trusted communications of claim 33 further comprising the steps performed at the destination device after a communications session is established with a source device of:
    - receiving a packet at the destination device;
      
      reforming a first packet header field using a previously stored key index value;
      
      storing the reformed first packet header field in a receive buffer;
      
      reforming a second packet header field using the key index value;
      
      storing the reformed packet header filed in the receive buffer; and
      
      processing the received packet with reformed first and second packet header fields.
  - 48. The method for providing trusted communications of claim 47 further comprising the steps of:
    - transforming the first and second reformed packet header fields;
      
      storing the transformed first and second packet header fields in a transmit buffer; and
      
      transmitting a response packet to the source device including the transformed first and second packet header fields.

49. A method for providing trusted communications in a communications network comprising the steps of:
- receiving a synchronization packet with a transformed packet header from a source device;
  
  authenticating the received packet by examination of the transformed packet header; and
  
  releasing the received packet to the destination device if the received packet is authenticated.
- View Dependent Claims (50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63)
- - 50. The method for providing trusted communications of claim 49 further comprising the steps of:
    - inspecting each received packet to determine a corresponding transport protocol;
      
      determining if the received packet is a synchronization packet; and
      
      retaining the received packet for further processing if the received packet is a synchronization packet.
  - 51. The method for providing trusted communications of claim 50 further comprising the step of releasing the received packet if it does not match a selected protocol type.
  - 52. The method for providing trusted communications of claim 50 further comprising the step of releasing the received packet if it is not a synchronization packet.
  - 53. The method for providing trusted communications of claim 49 wherein the step of authenticating the received packet comprises the steps of:
    - determining if the received packet originated from a trusted source device; and
      
      executing an exception module if the received packet originated from an untrusted source device.
  - 54. The method for providing trusted communications of claim 49 wherein the step of authenticating the received packet comprises the steps of:
    - determining if the received packet originated from a trusted source device;
      
      determining if the packet header has been transformed by the source device;
      
      extracting a determined source identification value and an associated source user identification from the transformed packet header; and
      
      inspecting the packet header to determine if an access policy is specified for the source device.
  - 55. The method for providing trusted communications of claim 54 further comprising the steps of determining if a hardware policy is defined and identifying the source device requesting a communications session with a destination device.
  - 56. The method for providing trusted communications of claim 54 further comprising the steps of determining if an application policy is defined and verifying a destination port.
  - 57. The method for providing trusted communications of claim 54 further comprising the steps of determining if a destination policy is defined and verifying a destination port.
  - 58. The method for providing trusted communications of claim 55 further comprising the step of terminating the request for a communication session if either no access policy is specified or if the specified access policy cannot be verified.
  - 59. The method for providing trusted communications of claim 58 further comprising the step of reporting the termination of the request for the communications session to a network administrator and storing the message in an unauthorized event database.
  - 60. The method for providing trusted communications of claim 53 wherein the step of executing an exception routine comprises the steps of:
    - extracting an address of the source device from the received packet;
      
      determining if the source device address is an address known to the communications network;
      
      extracting an address of the destination device from the header of the received packet;
      
      determining if the destination device address is an address known to the communications network;
      
      extracting a port number of the destination device from the header of the received packet; and
      
      determining if the destination port number is known to the communications network.
  - 61. The method for providing trusted communications of claim 60 wherein the request for the communications session is terminated if any one of the source node address, the destination node address and the destination port number are not known to the communications network.
  - 62. The method for providing trusted communications of claim 60 wherein the step of executing an exception routine further comprises the steps of:
    - generating an initial value for a packet header field;
      
      selecting a key index value from an array of key index values;
      
      appending the key index value to the generated initial value;
      
      applying the key index value to the generated initial value and appended key index value to form a new transformed packet header field; and
      
      reassembling the received packet including the new transformed packet header field.
  - 63. The method for providing trusted communications of claim 62 further comprising the step of determining a checksum value for the new transformed packet header before releasing the received packet to the destination device.

64. An appliance for providing trusted communications in a communications network, comprising:
- a component for receiving a plurality of packets including transformed packet headers from a client device;
  
  a component for authenticating the plurality of received packets by examination of the transformed packet headers; and
  
  a component for releasing authenticated packets to another client device.
- View Dependent Claims (65, 66, 67, 68, 69)
- - 65. The appliance for providing trusted communications of claim 64 wherein the appliance is a standalone network device.
  - 66. The appliance for providing trusted communications of claim 64 wherein the appliance is integrated into a network device.
  - 67. The appliance for providing trusted communications of claim 64 further comprising:
    - a component for inspecting each received packet to determine a corresponding transport protocol; and
      
      a component for determining if each received packet is a synchronization packet.
  - 68. The appliance for providing trusted communications of claim 64 wherein the authentication component comprises a component for determining if the received packet originated from a trusted client device;
    - and a component for executing an exception routine if the received packet originated from an untrusted client device.
  - 69. The appliance for providing trusted communications of claim 64 further comprising:
    - a component for determining if the received packet originated from a trusted client device;
      
      a component for determining if the packet header has been transformed by the client device;
      
      a component for extracting a determined client device identification value and an associated user identification from the transformed packet header; and
      
      a component for inspecting the packet header to determine if an access policy is specified for the client device.

78. A client device for providing trusted communications in a communications network, comprising:
- a component for initiating a request for a communications session;
  
  a component for constructing a transformed packet header for transmission in a synchronization packet to a network device;
  
  a component for receiving a plurality of packets including transformed packet headers from a network device;
  
  a component for reforming transformed packet headers received from a network device; and
  
  a component for constructing a transformed packet header for transmission with an acknowledgement response to the network device.
- View Dependent Claims (83, 85, 86)
- - 83. The client device for providing trusted communications of claim 78 wherein the component for constructing a transformed packet header comprises:
    - a component for selecting a key index value from a first array of key index values;
      
      a component for applying the selected first array key index value to transform a user identification;
      
      a component for appending the first array key index value to the transformed user identification;
      
      a component for selecting a key index value from a second array of index values;
      
      a component for applying the second array key index value to the transformed user identification and appended first array key index value to form a first packet header field; and
      
      a component for storing the first packet header field in a transmit buffer.
  - 85. The client device for providing trusted communications of claim 78 wherein the component for reforming the transformed packet header comprises:
    - a component for extracting a key index value from a packet header field; and
      
      a component for storing the key index value in a first buffer for use throughout the communications session with the network device.
  - 86. The client device for providing trusted communications of claim 78 wherein the component for reforming the transformed packet header further comprises:
    - a component for using the key index value to reform another packet header field;
      
      a component for storing a value resulting from the reformed another packet header field in a transmit buffer.

92. A computer readable medium containing a computer program product for providing trusted communication sin in a communications network, comprising:
- program instructions that receive a plurality of packets including transformed packet headers from a client device;
  
  program instructions that authenticate the plurality of received packets by examination of the transformed packet headers; and
  
  program instructions that release authenticated packets to another client device.
- View Dependent Claims (94, 95)
- - 94. The computer program product for providing trusted communications of claim 92 wherein the program instructions that authenticate comprise:
    - program instructions that determine if the received packet originated from a trusted client device; and
      
      program instructions that execute an exception routine if the received packet originated from an untrusted client device.
  - 95. The computer program product for providing trusted communications of claim 92 wherein the program instructions that authenticate, further comprise:
    - program instructions that determine if the received packet originated from a trusted client device;
      
      program instructions that determine if the packet header has been transformed by the client device;
      
      program instructions that extract a determined client device identification value and an associated user identification from the packet header; and
      
      program instructions that inspect the packet header to determine if an access policy is specified for the client device.

104. A computer readable medium containing a computer program product for providing trusted communications in a communications network, comprising:
- program instructions that initiate a request for a communications session;
  
  program instructions that construct a transformed packet header for transmission in a synchronization packet to a network device;
  
  program instructions that receive a plurality of packets including transformed packet headers from a network device;
  
  program instructions that reform transformed packet headers received from a network device; and
  
  program instructions that construct a transformed packet header for transmission with an acknowledgement response to the network device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Liquidware Labs, Inc.
Original Assignee
Trusted Network Technologies, Inc. (Liquidware Labs, Inc.)
Inventors
Shay, A. David

Granted Patent

US 7,386,889 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/162   at the data link layer

System and method for intrusion prevention in a communications network

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

117 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for intrusion prevention in a communications network

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

117 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links