Methods, devices, systems and computer program products for providing secure communications between managed devices in firewall protected areas and networks segregated therefrom

US 20060200547A1
Filed: 03/01/2005
Published: 09/07/2006
Est. Priority Date: 03/01/2005
Status: Active Grant

First Claim

Patent Images

1. A method for providing secure communications of between managed devices in a firewall protected area defined by a firewall and a network management station (NMS) in a network segregated from the firewall protected area, comprising the following carried out by a de-militarized zone (DMZ) controller in the firewall protected area:

obtaining from at least one managed device in the firewall protected area management information associated with the at least one managed device; and

transmitting the obtained management information from the DMZ controller through the firewall to a gateway module associated with the NMS, communications between the DMZ controller and the gateway module being enabled by a single firewall rule.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, devices, systems and computer program products for providing secure communications between managed devices in a firewall protected area defined by a firewall and a network management station (NMS) in a network segregated from the firewall protected area are provided. Management information associated with managed devices in the firewall protected area is obtained from the managed devices by a de-militarized zone (DMZ) controller. The obtained management information is transmitted from the DMZ controller through the firewall to a gateway module associated with the NMS. Communications between the DMZ controller and the gateway module are enabled by a single firewall rule.

36 Citations

View as Search Results

49 Claims

1. A method for providing secure communications of between managed devices in a firewall protected area defined by a firewall and a network management station (NMS) in a network segregated from the firewall protected area, comprising the following carried out by a de-militarized zone (DMZ) controller in the firewall protected area:
- obtaining from at least one managed device in the firewall protected area management information associated with the at least one managed device; and
  
  transmitting the obtained management information from the DMZ controller through the firewall to a gateway module associated with the NMS, communications between the DMZ controller and the gateway module being enabled by a single firewall rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein transmitting further comprises managing a flow of the obtained management information.
  - 3. The method of claim 2, wherein managing the flow of transmitted status information comprises one or more of:
    - throttling the flow of the obtained management information to the gateway module;
      
      validating syntax of the obtained management information before transmitting the obtained management information to the gateway module;
      
      buffering the obtained management information and validating the buffered management information before transmitting the buffered management information to the gateway module; and
      
      /or monitoring a rate of receipt of the obtained management information at the DMZ controller and discarding the obtained management information if the rate exceeds a predefined threshold per source.
  - 4. The method of claim 1, further comprising transmitting, from the gateway module, the obtained management information to the NMS in the form of a simple network management protocol (SNMP) trap.
  - 5. The method of claim 1, further comprising generating a simple management protocol (SNMP) request in the form of a SNMP protocol data unit (PDU) at the NMS, the SNMP request including a community string including a target community string, an identification of a DMZ controller and a target hostname.
  - 6. The method of claim 5, wherein the identification of the DMZ controller comprises an identification of a plurality of DMZ controllers.
  - 7. The method of claim 5, further comprising:
    - receiving the SNMP request at the gateway module from the NMS;
      
      analyzing the SNMP request to determine an identity of the DMZ controller identified in the community string;
      
      establishing a connection between the gateway module and the determined DMZ controller identified in the community string; and
      
      transmitting, through the determined DMZ controller and using the established connection, the SNMP request to a target host identified by the target hostname in the community string.
  - 8. The method of claim 7, wherein receiving comprises receiving a version 1 or version 2C SNMP PDU, wherein transmitting is preceded by converting the version 1 or version 2C SNMP PDU into a version 3 SNMP PDU and wherein transmitting further comprises transmitting the version 3 SNMP PDU from the determined DMZ controller to the target host.
  - 9. The method of claim 7, further comprising:
    - receiving an SNMP response in the form of an SNMP PDU from the target host at the DMZ controller;
      
      converting the SNMP response into an intermediate form at the DMZ controller;
      
      transmitting the intermediate form of the SNMP response to the gateway module over the established connection;
      
      converting the intermediate form of the SNMP response back to an SNMP PDU form after receipt at the gateway module; and
      
      transmitting the SNMP PDU form of the SNMP response to the NMS.
  - 10. The method of claim 1, further comprising encrypting the obtained management information and wherein transmitting the obtained management information comprises transmitting the encrypted management information through the firewall to the gateway module.
  - 11. The method of claim 1, wherein obtaining is followed by diagnosing problems associated with at least one managed device at the DMZ controller and wherein transmitting further comprises transmitting the diagnosed problems to the gateway module.

12. A method for providing secure communications between managed devices in a firewall protected area defined by a firewall and a network management station (NMS) in a network segregated from the firewall protected area, comprising:
- receiving at a demilitarized zone (DMZ) controller in the firewall protected area, from least one managed device in the firewall protected area, management information associated with the at least one managed device; and
  
  managing a flow of the received management information before transmitting the received management information from the DMZ controller through the firewall to a gateway module associated with the NMS.
- View Dependent Claims (13)
- - 13. The method of claim 12, wherein managing the flow of the received management information comprises one or more of:
    - throttling the flow of the received management information to the gateway module;
      
      validating syntax of the received management information before transmitting the received management information to the gateway module;
      
      buffering the received management information and validating the buffered management information before transmitting the buffered management information to the gateway module; and
      
      /or monitoring a rate of receipt of the received management information at the DMZ controller and discarding the obtained management information if the rate exceeds a predefined threshold per source.

14. A method of communicating simple network management protocol (SNMP) requests and responses through a firewall between a network management station (NMS) in a network and managed devices in a firewall protected area defined by the firewall associated with the network, comprising generating a SNMP request in the form of a protocol data unit (PDU) at the NMS, the SNMP request including a community string including a target community string, an identification of a de-militarized zone (DMZ) controller and a target hostname associated with one of the managed devices.
- View Dependent Claims (15, 16, 17)
- - 15. The method of claim 14, further comprising:
    - receiving the SNMP request at a gateway module from the NMS;
      
      analyzing the SNMP request to determine an identity of the DMZ controller identified in the community string;
      
      establishing a connection between the gateway module and the determined DMZ controller identified in the community string; and
      
      transmitting, through the determined DMZ controller and using the established connection, the SNMP request to the managed device identified by the target hostname in the community string.
  - 16. The method of claim 15, wherein receiving comprises receiving a version 1 or version 2C SNMP PDU, wherein transmitting is preceded by converting the version 1 or version 2C SNMP PDU into a version 3 SNMP PDU and wherein transmitting further comprises transmitting the version 3 SNMP PDU from the determined DMZ controller to the target host.
  - 17. The method of claim 15, further comprising:
    - receiving an SNMP response in the form of an SNMP PDU from the target host at the DMZ controller;
      
      converting the SNMP response into an intermediate form at the DMZ controller;
      
      transmitting the intermediate form of the SNMP response to the gateway module over the established connection;
      
      converting the intermediate form of the SNMP response back to an SNMP PDU form after receipt at the gateway module; and
      
      transmitting the SNMP PDU form of the SNMP response to the NMS.

18. A method for providing secure communications between managed devices in a firewall protected area defined by a firewall and a network management station (NMS) in a network segregated from the firewall protected area, comprising the following carried out by a gateway module associated with the NMS:
- receiving management information, from a DMZ controller through the firewall, the management information being associated with at least one managed device in the firewall protected area and obtained from the at least one managed device, communications between the DMZ controller and the gateway module being enabled by a single firewall rule.
- View Dependent Claims (28)
- - 28. The system of claim 18, wherein the DMZ controller is further configured to diagnose problems associated with at least one managed device and transmit the diagnosed problems to the gateway module.

19. A method of communicating simple network management protocol (SNMP) requests and responses through a firewall between a network management station (NMS) in a network and managed devices in a firewall protected area defined by the firewall associated with the network, comprising receiving an SNMP request at a DMZ controller in the form of a protocol data unit (PDU) from the NMS, the SNMP request including a community string including a target community string, an identification of a de-militarized zone (DMZ) controller and a target hostname associated with one of the managed devices.

20. A system for providing secure communications between managed devices in a firewall protected area defined by a firewall and a network management station (NMS) in a network segregated from the firewall protected area, comprising:
- a de-militarized zone (DMZ) controller in the firewall protected area configured to obtain management information associated with at least one managed device in the firewall protected area and to transmit the obtained management information through the firewall to a gateway module associated with the network management station, communications between the DMZ controller and the gateway module being enabled by a single firewall rule.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27)
- - 21. The system of claim 20, wherein the DMZ controller is further configured manage a flow of the obtained management information.
  - 22. The system of claim 21, wherein the DMZ is further configured to:
    - throttle the flow of the obtained management information to the gateway module;
      
      validate syntax of the obtained management information before transmitting to the obtained management information to the gateway module;
      
      buffer the obtained management information and validate the buffered management information before transmitting the buffered management information to the gateway module; and
      
      /or monitor a rate of receipt of that obtained management information at the DMZ controller and discard the obtained management information if the rate exceeds a predefined threshold per source.
  - 23. The system of claim 20, wherein the NMS is configured to generate a simple network management protocol (SNMP) request in the form of a SNMP protocol data unit (PDU) at the NMS, the SNMP request including a community string including a target community string, an identification of a DMZ controller and a target hostname.
  - 24. The system of claim 23:
    - wherein the gateway module is further configured to receive the SNMP request at the gateway module from the NMS, analyze the SNMP request to determine an identity of the DMZ controller identified in the community string and establish a connection between the gateway module and the determined DMZ controller identified in the community string; and
      
      wherein the DMZ controller is further configured to transmit the SNMP request to a target host identified by the target hostname in the community string using the established connection.
  - 25. The system of claim 24:
    - wherein the gateway module is further configured to receive a version 1 or version 2C SNMP PDU; and
      
      wherein the DMZ controller is further configured to convert the version 1 or version 2C SNMP PDU into a version 3 SNMP PDU and transmit the version 3 SNMP PDU to the target host.
  - 26. The system of claim 24:
    - wherein the DMZ controller is further configured to receive an SNMP response in the form of an SNMP PDU from the target host, convert the SNMP response into an intermediate form at the DMZ controller and transmit the intermediate form of the SNMP response to the gateway module over the established connection; and
      
      wherein the gateway controller is further configured to convert the intermediate form of the SNMP response back to an SNMP PDU and transmit the SNMP PDU form of the SNMP response to the NMS.
  - 27. The system of claim 20, wherein the DMZ controller is further configured to encrypt the obtained management information and transmit the encrypted management information through the firewall to the gateway module.

29. A de-militarized zone (DMZ) controller in a firewall protected area defined by a firewall for providing secure communications between managed devices in the firewall protected area and a network management station (NMS) in a network segregated from the firewall protected area, the DMZ controller being configured to receive from at least one managed device in the firewall protected area management information associated with the at least one managed device and to manage a flow of the received management information before transmitting the received management information from the DMZ controller through the firewall to a gateway module associated with the NMS.
- View Dependent Claims (30)
- - 30. The DMZ controller of claim 29, wherein the DMZ controller is further configured to:
    - throttle the flow of the received management information to the gateway module;
      
      validate syntax of the received management information before transmitting the received management information to the gateway module;
      
      buffer the received management information and validate the buffered management information before transmitting the buffered management information to the gateway module; and
      
      /or monitor a rate of receipt of the received management information at the DMZ controller and discard the obtained management information if the rate exceeds a predefined threshold per source.

31. A system for communicating simple network management protocol (SNMP) requests and responses through a firewall between a network management station (NMS) in a network and managed devices in a firewall protected area defined by the firewall and associated with the network, wherein the NMS is configured to generate a SNMP request in the form of a protocol data unit (PDU), the SNMP request including a community string including a target community string, an identification of a de-militarized zone (DMZ) controller and a target hostname associated with one of the managed devices.
- View Dependent Claims (32, 33, 34)
- - 32. The system of claim 31:
    - wherein the gateway module is further configured to receive the SNMP request at a gateway module from the NMS, analyze the SNMP request to determine an identity of the DMZ controller identified in the community string and establish a connection with the determined DMZ controller identified in the community string; and
      
      wherein the determined DMZ controller is further configured to transmit the SNMP request to a target host identified by the target hostname in the community string using the established connection.
  - 33. The system of claim 32:
    - wherein the gateway module is further configured to receive a version 1 or version 2C SNMP PDU; and
      
      wherein the DMZ controller is further configured to convert the version 1 or version 2C SNMP PDU into a version 3 SNMP PDU and transmit the version 3 SNMP PDU from the determined DMZ controller to the target host.
  - 34. The system of claim 32:
    - wherein the DMZ controller is further configured to receive an SNMP response in the form of an SNMP PDU from the target host, convert the SNMP response into an intermediate form and transmit the intermediate form of the SNMP response to the gateway module over the established connection; and
      
      wherein the gateway module is further configured to convert the intermediate form of the SNMP response back to an SNMP PDU and transmit the SNMP PDU form of the SNMP response to the NMS.

35. A computer program product for providing secure communications between managed devices in a firewall protected area defined by a firewall and a network management station (NMS) in a network segregated from the firewall protected area, the computer program product comprising:
- a computer readable medium having computer readable program code embodied therein, the computer readable program product comprising;
  
  computer readable program code configured to obtain, from a de-militarized zone (DMZ) controller in the firewall protected area, management information from at least one managed device in the firewall protected area and associated with the at least one managed device; and
  
  computer readable program code configured to transmit the obtained management information from the DMZ controller through the firewall to a gateway module associated with the NMS, communications between the DMZ controller and the gateway module being enabled by a single firewall rule.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43)
- - 36. The computer program product of claim 35, wherein the computer readable program code configured to transmit further comprises computer readable program code configured to manage a flow of the obtained management information.
  - 37. The computer program product of claim 36, wherein the computer readable program code configured to manage the flow of transmitted management information comprises one or more of:
    - computer readable program code configured to throttle the flow of the obtained management information to the gateway module;
      
      computer readable program code configured to validate syntax of the obtained management information before transmitting the obtained management information to the gateway module;
      
      computer readable program code configured to buffer the obtained management information and validate the buffered management information before transmitting the buffered management information to the gateway module; and
      
      /or computer readable program code configured to monitor a rate of receipt of the obtained management information at the DMZ controller and discard the obtained management information if the rate exceeds a predefined threshold per source.
  - 38. The computer program product of claim 35, further comprising computer readable program code configured to generate a simple management protocol (SNMP) request in the form of a SNMP protocol data unit (PDU) at the NMS, the SNMP PDU including a community string including a target community string, an identification of a DMZ controller and a target hostname.
  - 39. The computer program product of claim 38, further comprising:
    - computer readable program code configured to receive the SNMP request at the gateway module from the NMS;
      
      computer readable program code configured to analyze the SNMP request to determine an identity of the DMZ controller identified in the community string;
      
      computer readable program code configured to establish a connection between the gateway module and the determined DMZ controller identified in the community string; and
      
      computer readable program code configured to transmit, through the determined DMZ controller and using the established connection, the SNMP request to a target host identified by the target hostname in the community string.
  - 40. The computer program product of claim 39, wherein the computer readable program code configured to receive comprises computer readable program code configured to receive a version 1 or version 2C SNMP PDU, the computer program product further comprising computer readable program code configured to convert the version 1 or version 2C SNMP PDU into a version 3 SNMP PDU, wherein the computer readable program code configured to transmit further comprises computer readable program code configured to transmit the version 3 SNMP PDU from the determined DMZ controller to the target host.
  - 41. The computer program product of claim 39, further comprising:
    - computer readable program code configured to receive an SNMP response in the form of an SNMP PDU from the target host at the DMZ controller;
      
      computer readable program code configured to convert the SNMP response into an intermediate form at the DMZ controller;
      
      computer readable program code configured to transmit the intermediate form of the SNMP response to the gateway module over the established connection;
      
      computer readable program code configured to convert the intermediate form of the SNMP response back to an SNMP PDU form after receipt at the gateway module; and
      
      computer readable program code configured to transmit the SNMP PDU form of the SNMP response to the NMS.
  - 42. The computer program product of claim 41, further comprising computer readable program code configured to encrypt the obtained management information and wherein the computer readable program code configured to transmit the obtained management information comprises computer readable program code configured to transmit the encrypted management information through the firewall to the gateway module.
  - 43. The computer program product of claim 35, further comprising computer readable program code configured to diagnose problems associated with at least one managed device at the DMZ controller and wherein the computer readable program code configured to transmit further comprises computer readable program code configured to transmit the diagnosed problems to the gateway module.

44. A computer program product for providing secure communications between managed devices in a firewall protected area defined by a firewall and a network management station (NMS) in a network segregated from the firewall protected area, the computer program product comprising:
- a computer readable medium having computer readable program code embodied therein, the computer readable program product comprising;
  
  computer readable program code configured to receive at a de-militarized zone (DMZ) controller in the firewall protected area, from least one managed device in the firewall protected area, management information associated with the at least one managed device; and
  
  computer readable program code configured to manage a flow of the received management information before transmitting the received management information from the DMZ controller through the firewall to a gateway module associated with the NMS.
- View Dependent Claims (45)
- - 45. The computer program product of claim 44, wherein the computer readable program code configured to manage the flow of the received management information comprises one or more of:
    - computer readable program code configured to throttle the flow of the received management information to the gateway module;
      
      computer readable program code configured to validate syntax of the received management information before transmitting the received management information to the gateway module;
      
      computer readable program code configured to buffer the received management information and validate the buffered management information before transmitting the buffered management information to the gateway module; and
      
      /or compute readable program code configured to monitor a rate of the received management information and discard the obtained management information if the rate exceeds a predefined threshold per source.

46. A computer program product for communicating simple network management protocol (SNMP) requests and responses through a firewall between a network management station (NMS) in a network and managed devices in a firewall protected area defined by the firewall and associated with the network, the computer program product comprising:
- a computer readable medium having computer readable program code embodied therein, the computer readable program product comprising;
  
  computer readable program code configured to generate a SNMP request in the form of a protocol data unit (PDU) at the NMS, the SNMP request including a community string including a target community string, an identification of a de-militarized zone (DMZ) controller and a target hostname associated with one of the managed devices.
- View Dependent Claims (47, 48, 49)
- - 47. The computer program product of claim 46, further comprising:
    - computer readable program code configured to receive the SNMP request at a gateway module from the NMS;
      
      computer readable program code configured to analyze the SNMP request to determine an identity of the DMZ controller identified in the community string;
      
      computer readable program code configured to establish a connection with the determined DMZ controller identified in the community string; and
      
      computer readable program code configured to transmit, through the determined DMZ controller using the established connection, the SNMP request to a target host identified by the target hostname in the community string.
  - 48. The computer program product of claim 47, wherein the computer readable program code configured to receive comprises computer readable program code configured to receive a version 1 or version 2C SNMP PDU, wherein the computer program product further comprises computer readable program code configured to convert the version 1 or version 2C SNMP PDU into a version 3 SNMP PDU, wherein computer readable program code configured to transmit further comprises computer readable program code configured to transmit the version 3 SNMP PDU from the determined DMZ controller to the target host.
  - 49. The computer program product of claim 47, further comprising:
    - computer readable program code configured to receive an SNMP response in the form of an SNMP PDU from the target host at the DMZ controller;
      
      computer readable program code configured to convert the SNMP response into an intermediate form at the DMZ controller;
      
      computer readable program code configured to transmit the intermediate form of the SNMP response to the gateway module over the established connection;
      
      computer readable program code configured to convert the intermediate form of the SNMP response back to an SNMP PDU; and
      
      computer readable program code configured to transmit the SNMP PDU form of the SNMP response to the NMS.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tavve Software Co.
Original Assignee
Tavve Software Co.
Inventors
Roberts, Steven Harry, Edwards, Anthony Van Vechten, Doble, James Talmage

Granted Patent

US 8,701,175 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 41/28 Restricting access to netwo...

H04L 63/0209 Architectural arrangements,...

Methods, devices, systems and computer program products for providing secure communications between managed devices in firewall protected areas and networks segregated therefrom

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

36 Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, devices, systems and computer program products for providing secure communications between managed devices in firewall protected areas and networks segregated therefrom

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links