Intelligent firewall

US 20050182968A1
Filed: 02/24/2005
Published: 08/18/2005
Est. Priority Date: 01/24/2002
Status: Active Grant

First Claim

Patent Images

1. A method of preventing unauthorized access to a system, comprising:

receiving a data packet at a firewall, where the firewall does not use a communication address;

analyzing the data packet with the firewall to determine the final disposition of the data packet; and

handling the data packet according to its final dispostion.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intelligent firewall that prevents unauthorized access to a system has been developed. The fire wall does not use a communication address. It receives a data packet and analyzes it to determine its final disposition. Finally, the firewall handles the data packet according to its final disposition.

Citations

47 Claims

1. A method of preventing unauthorized access to a system, comprising:
- receiving a data packet at a firewall, where the firewall does not use a communication address;
  
  analyzing the data packet with the firewall to determine the final disposition of the data packet; and
  
  handling the data packet according to its final dispostion.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 30, 31, 32, 33, 34, 35, 36)
- - 2. The method of claim 1, where the communication address is a TCP/IP address.
  - 3. The method of claim 1, where the communication address is a MAC address.
  - 4. The method of claim 1, where the communication address is a ethernet address.
  - 5. The method of claim 1, where handling the data packet comprises sending the data packet to a final destination within the system.
  - 6. The method of claim 1, where handling the data packet comprises sending the data packet to a final destination outside the system.
  - 7. The method of claim 1, where handling the data packet comprises dropping the data packet.
  - 8. The method of claim 1, where handling the data packet comprises denying access to the system.
  - 9. The method of claim 8, where the denying access of a data packet comprises responding to the originator of the data packet with a denial message.
  - 10. The method of claim 8, further comprising:
    - dropping the data packet.
  - 11. The method of claim 8, further comprising:
    - logging the attempted access to the system of the data packet.
  - 12. The method of claim 11, where the logging is stored on a computer in the system.
  - 13. The method of claim 8, further comprising:
    - initiating countermeasures against the originator the data packet.
  - 14. The method of claim 13, where the countermeasures comprise disguising the operating system used by the system.
  - 15. The method of claim 13, where the countermeasures comprise adjusting window sizes of the system.
  - 16. The method of claim 1, where the firewall does not access a network protocol stack.
  - 17. The method of claim 1, where the firewall accesses a network protocol stack.
  - 18. The method of claim 1, where the firewall adds information for security analysis to the data packet without violating a network communication protocol.
  - 19. The method of claim 18, where the added information is an IP address from the originating source of the data packet.
  - 20. The method of claim 18, where the added information is the operating system used by the data packet.
  - 21. The method of claim 18, where the added information is a compression flag.
  - 22. The method of claim 18, where the added information is a window size flag.
  - 23. The method of claim 18, where the added information is state session information.
  - 24. The method of claim 18, where the added information is communication port information.
  - 25. The method of claim 1, where the system is a network.
  - 26. The method of claim 1, where the data packet is analyzed by a pattern matching system.
  - 27. The method of claim 1, further comprising:
    - replacing padded data from the data packet, where the padded data is required by as system protocol.
  - 28. The method of claim 27, where the padded data is added to meet a minimum size requirement of the system protocol.
  - 30. The method of claim 27, further comprising:
    - discarding the ACK message at the firewall.
  - 31. The method of claim 27, further comprising:
    - replacing padded data from a data packet, where the padded data is required by a system protocol.
  - 32. The method of claim 27, where authenticating the ACK message comprises adding state information within the SYN/ACK message.
  - 33. The method of claim 27, where the changes to the packet information is stripped out of the recreated SYN request.
  - 34. The method of claim 27, where the changes to the packet information comprise changes to at least two protocol fields of the state information.
  - 35. The method of claim 27, where the changes to the packet information comprise changes to at least one protocol field of the state information for non-TCP protocol messages.
  - 36. The method of claim 27, where the changes to the packet information comprise changes to at least two protocol fields of the state information.

29. A method of preventing unauthorized access to a system, comprising:
- receiving a SYN request for access to a destination in the system at a firewall;
  
  replying to the SYN request with an SYN/ACK message from the firewall, where the firewall has changed packet information within the SYN/ACK message;
  
  receiving an ACK message in reply to the SYN/ACK message at the firewall;
  
  authenticating the ACK message with the firewall;
  
  recreating the SYN request; and
  
  forwarding the recreated SYN request to the destination in the system.

37. A method of preventing unauthorized access to a system, comprising:
- step for receiving data;
  
  step for analyzing the data for authorization to access the system;
  
  step for allowing access to the system for authorized data; and
  
  step for denying access to the system for unauthorized data.
- View Dependent Claims (38, 39)
- - 38. The method of claim 37, further comprising:
    - step for dropping unauthorized data.
  - 39. The method of claim 37, further comprising:
    - step for logging an attempt to access the system by unauthorized data.

40. A method of remotely managing a firewall, comprising:
- receiving a control data packet at the firewall from a remote location;
  
  analyzing the control data packet to determine if the control data packet is authorized to access the firewall; and
  
  allowing an authorized control data packet to control the firewall.
- View Dependent Claims (41, 42, 43, 44, 45)
- - 41. The method of claim 40, further comprising:
    - dropping the authorized control data packet.
  - 42. The method of claim 40, where the control data packet is analyzed for a password.
  - 43. The method of claim 42, where the password is created by hashing a sequence of closed port attempts.
  - 44. The method of claim 40, where the control data packet contains a false origination address.
  - 45. The method of claim 40, where the control data packet contains a destination address that is protected by the firewall.

46. A method of remotely managing a firewall, comprising:
- step for receiving control data at the firewall from a remote location;
  
  step for analyzing the control data to determine if the control data is authorized to access the firewall; and
  
  step for allowing authorized control data to access the firewall.
- View Dependent Claims (47)
- - 47. The method of claim 46, further comprising:
    - step for dropping the authorized control data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Arxceo Corp. (Japan Communications Inc.)
Original Assignee
Arxceo Corp. (Japan Communications Inc.)
Inventors
Izatt, David, Davidson, Donald J., Langston, Russ, Wilson, Billy Ray, Hall, J. Chandler, Cashion, Jackie Smith

Granted Patent

US 7,644,436 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/10   for controlling access to d...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

Intelligent firewall

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

Intelligent firewall

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links