Mixed enclave operation in a computer network

US 20060020800A1
Filed: 09/28/2005
Published: 01/26/2006
Est. Priority Date: 07/30/1996
Status: Active Grant

First Claim

Patent Images

1. A system for communicating over a network having a plurality of secured users utilizing multi-level network security devices and a plurality of unsecured users employing no network security devices, the system comprising:

a first multi-level network security device configured to;

intercept a message from a first user; and

discard the message if the message violates security parameters;

wherein in a first mode, the first multi-level network security device is configured to send the message to a second user, and wherein in a second mode, the first multi-level network security device comprises an encryptor configured to encrypt the message and send the encrypted message to a second multi-level network security device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is disclosed for mixed enclave operation of a computer network with users employing a multi-level network security interface and users without any network security interface. Either the network security user selects or the network security interface automatically selects whether communications are permissible with other unsecured users. Where a mixed enclave operation is selected, the network security user identifies when communications are being undertaken with another secured user or a non-secured user. Communications with a non-secured user at a lower security level entail securing the data residing with the secured user from transmission back to the non-secured user.

105 Citations

View as Search Results

20 Claims

1. A system for communicating over a network having a plurality of secured users utilizing multi-level network security devices and a plurality of unsecured users employing no network security devices, the system comprising:
- a first multi-level network security device configured to;
  
  intercept a message from a first user; and
  
  discard the message if the message violates security parameters;
  
  wherein in a first mode, the first multi-level network security device is configured to send the message to a second user, and wherein in a second mode, the first multi-level network security device comprises an encryptor configured to encrypt the message and send the encrypted message to a second multi-level network security device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1 further comprising an interface unit configured to send the message from the first user.
  - 3. The system of claim 1 wherein in the second mode, the second multi-level network security device comprises a decryptor configured to decrypt the message and send the decrypted message to a third user selected from the plurality of secured users.
  - 4. The system of claim 1, further comprising a third multi-level network security device configured to intercept the encrypted message, validate a signature of the first multi-level network security interface, and send the encrypted message from the third multi-level network security device to the second multi-level network security device.
  - 5. The system of claim 1, wherein each multi-level network security device is configured to use association establishment messages for authenticating other multi-level network security devices.
  - 6. The system of claim 1, wherein each multi-level network security device is configured to use association establishment messages for exchanging security parameters between the multi-level network security devices.
  - 7. The system of claim 1 wherein the message comprises a datagram.

8. A system for mixed enclave communications over a network having both secured and unsecured users, the system comprising:
- a network security device configured to permit communication over the network between one of the secured users and one of the unsecured users, and further configured to dynamically determine whether a user initiating communication is one of the secured users or one of the unsecured users;
  
  wherein the network security device is configured to use association establishment messages sent over the network for the secured users in authenticating each other, and wherein the network security device is configured to use association establishment messages for the secured users exchanging security parameters.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The system of claim 8, wherein the network security device is configured to examine Internet Protocol (IP) addresses for identifying the secured and unsecured users.
  - 10. The system of claim 8, wherein the network security device comprises an encryptor configured to encrypt information residing with one of the secured users.
  - 11. The system of claim 8 wherein the message comprises a datagram.
  - 12. The system of claim 8 wherein the network security device is configured to create an entry in an association table indicative of a source of a received message.

13. A method for establishing association over a network between a plurality of secured users utilizing multi-level network security devices and a plurality of unsecured users, the method comprising:
- receiving and storing at a first security device a message from a source user to a destination user;
  
  transmitting from the first security device an association request message to a destination user upon receipt of the message;
  
  receiving an association grant message in response to the association request message from a second security device after the second security device has determined that an association between the source user and the destination user is permitted, wherein no other security devices exist between the destination user and the second security device; and
  
  sending the stored message to the second security device.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13 further comprising determining at the second security device whether security parameters are violated.
  - 15. The method of claim 13 wherein the second security device transmits the association grant message when no security parameters are violated.
  - 16. The method of claim 13 further comprising sending the message from the second security device to the destination user when the source user and the destination user have the same security level.
  - 17. The method of claim 13 further comprising predicting and storing a destination user response at the second security device prior to sending the message from the second security device to the destination user when the source user has a lower security level than the destination user.
  - 18. The method of claim 13 further comprising sending the message from the second security device to the destination user when the second security device retrieves a predicted destination user response and the source user has a higher security level than the destination user.
  - 19. The method of claim 13 further comprising erasing the message when no predicted destination user response exists and the source user has a higher security level than the destination user.
  - 20. The method of claim 13 wherein receiving a message comprises receiving a datagram.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Round Rock Research LLC
Original Assignee
Round Rock Research LLC
Inventors
Snow, David W., Levin, Stephen E., Wrench, Edwin H., Holden, James M.

Granted Patent

US 7,624,180 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

G06F 21/31   User authentication

G06F 2211/001   In-Line Device

G06F 2211/005   Network, LAN, Remote Access...

G06F 2211/007   Encryption, En-/decode, En-...

G06F 2211/009   Trust

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/0218   Distributed architectures, ...

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/105   Multiple levels of security

H04L 63/12   Applying verification of th...

H04L 63/126   the source of the received ...

H04L 9/40   Network security protocols

Mixed enclave operation in a computer network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

105 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Mixed enclave operation in a computer network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

105 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links