Network Security Device

US 20070261112A1
Filed: 05/07/2007
Published: 11/08/2007
Est. Priority Date: 05/08/2006
Status: Active Grant

First Claim

Patent Images

1. A network security device for screening data objects flowing between a network and at least one communication device, comprising:

a) a data object memory;

b) at least one communication device port coupled to the data object memory;

c) a network communication port coupled to the data object memory;

d) a processor coupled to the data object memory;

e) a permanent memory store for storage of rules, coupled to the processor;

f) a dynamic memory store coupled to the processor;

g) a physical interface coupled to the processor;

h) a plurality of rules stored in the permanent memory store;

the processor being programmed such that a data object received at one of a communications device port or network communication port is stored into the data object memory and processed by the processor in accordance with the rules from the permanent memory store, and the data objects are transmitted by the other of the network communication port or a communications device port only if the data object is not in violation of a rule;

the device being configured such that the rules are not affected by the processing of data objects in the data object memory;

the processor being programmed such that a data object in the data object memory is not permitted to interact with the dynamic memory store or the permanent memory store, such that the operation of the device is incorruptible by the data objects being processed; and

in receiving, processing and transmitting the data objects, the device is not visible to the network or the communication devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security device which acts as an “airlock” for traffic between a communications device and a network. Data is screened using rules based analysis by the security device to counter various threats, including viruses, phishing, attempts to “hijack” communications, communications with known malicious addresses or unknown addresses, and transmission of sensitive information. Data packets can be reassembled into files for screening, and decoded or expanded as necessary, but is never executed. The data path for the data being screened is kept separate from the operations of the network security device itself, so that the device is incorruptible—its programming cannot be compromised from outside sources. Updates for rules and entry of sensitive data for screening, etc., must be done through a physical interface, not via the normal data communications channel. The device is invisible—it cannot be “seen” by the network, and thus cannot be attacked.

549 Citations

68 Claims

1. A network security device for screening data objects flowing between a network and at least one communication device, comprising:
- a) a data object memory;
  
  b) at least one communication device port coupled to the data object memory;
  
  c) a network communication port coupled to the data object memory;
  
  d) a processor coupled to the data object memory;
  
  e) a permanent memory store for storage of rules, coupled to the processor;
  
  f) a dynamic memory store coupled to the processor;
  
  g) a physical interface coupled to the processor;
  
  h) a plurality of rules stored in the permanent memory store;
  
  the processor being programmed such that a data object received at one of a communications device port or network communication port is stored into the data object memory and processed by the processor in accordance with the rules from the permanent memory store, and the data objects are transmitted by the other of the network communication port or a communications device port only if the data object is not in violation of a rule;
  
  the device being configured such that the rules are not affected by the processing of data objects in the data object memory;
  
  the processor being programmed such that a data object in the data object memory is not permitted to interact with the dynamic memory store or the permanent memory store, such that the operation of the device is incorruptible by the data objects being processed; and
  
  in receiving, processing and transmitting the data objects, the device is not visible to the network or the communication devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 2. The network security device of claim 1, in which the processor is programmed to assemble a data object in the data object memory from a plurality of packets before processing the data object.
  - 3. The network security device of claim 1, in which the permanent memory store is read-only memory.
  - 4. The network security device of claim 1, in which the rules in the permanent memory store comprise a URL database comprising a plurality of network addresses, and at least one of the rules causes the data object in the data object memory to be processed to compare a destination address of the data object to the addresses in the URL database.
  - 5. The network security device of claim 4, in which a plurality of the network addresses in the URL database comprise a whitelist, and at least one rule prevents transmission of a data object unless the destination address of the data object matches one of the network addresses on the whitelist.
  - 6. The network security device of claim 4, in which a plurality of the network addresses in the URL database comprise a blacklist, and at least one rule prevents transmission of a data object if the destination address of the data object matches one of the network addresses on the blacklist.
  - 7. The network security device of claim 1, in which the rules in the permanent memory store comprise a sensitive information database comprising at least one item of information, and at least one of the rules causes the data object in the data object memory to be processed to compare a body of the data object to the information in the sensitive information database.
  - 8. The network security device of claim 7, in which at least one rule prevents transmission of a data object if at least part of the body of the data object matches an item of information in the sensitive information database.
  - 9. The network security device of claim 7, in which the items of information in the sensitive information database are selected from a group consisting of social security numbers, credit card numbers, bank account numbers, brokerage account numbers, specific passwords, and brokerage codes.
  - 10. The network security device of claim 1, in which the rules in the permanent memory store comprise a URL database comprising a plurality of network addresses and a sensitive information database comprising at least one item of information, and at least one of the rules causes the data object in the data object memory to be processed to compare a destination address of the data object to the addresses in the URL database and causes the data object in the data object memory to be processed to compare a body of the data object to the information in the sensitive information database, and at least one rule prevents transmission of a data object if at least part of the body of the data object matches an item of information in the sensitive information database unless the destination address of the data object matches one of the network addresses in the URL database.
  - 11. The network security device of claim 1, further comprising a physical input device for coupling with the physical interface of the network security device.
  - 12. The network security device of claim 11, in which the processor is programmed to accept changes to the rules in the permanent memory store from a physical input device coupled to the physical interface.
  - 13. The network security device of claim 1, further comprising a keypad.
  - 14. The network security device of claim 13, in which the processor is programmed to accept changes to the rules in the permanent memory store from the keypad.
  - 15. The network security device of claim 1, further comprising a display.
  - 16. The network security device of claim 1, further comprising a tamper lock.
  - 17. The network security device of claim 1, in which the permanent memory store is encrypted.
  - 18. The network security device of claim 1, in which the network security device further comprises a device identification, such that the device can be identified to a secure server communicating through the network communication port, and the processor is programmed such that the network security device can establish secure communication with the secure server through the network communication port.
  - 19. The network security device of claim 18, in which the processor is programmed to accept changes to the rules in the permanent memory store from the secure server.
  - 20. The network security device of claim 18, in which at least one of the rules causes the data object in the data object memory to be processed to perform a DNS lookup to retrieve a first IP address associated with a destination address of the data object, and also to do a DNS lookup using the secure server to retrieve a second IP address associated with a destination address of the data object, and the rule causes the processor to compare the first IP address to the second IP address, and the data object is transmitted only if the first IP address matches the second IP address.
  - 21. The network security device of claim 20, in which the rule further causes the network security device to inform the secure server if the first IP address does not match the second IP address.
  - 22. The network security device of claim 1, in which the dynamic data store and the data object memory are separate memories.
  - 23. The network security device of claim 1, in which the permanent data store and the data object memory are separate memories.
  - 24. The network security device of claim 1, in which the permanent data store is a write-protected partition of memory.
  - 25. The network security device of claim 1, in which the rules in the permanent memory store can only be changed at a determined time.

26. A system for network security comprising:
- a secure server connected to a network; and
  
  a plurality of network security devices for screening data objects flowing between a network and at least one communication device, each network security device comprising;
  
  a) a data object memory;
  
  b) at least one communication device port coupled to the data object memory;
  
  c) a network communication port coupled to the data object memory;
  
  d) a processor coupled to the data object memory;
  
  e) a permanent memory store for storage of rules, coupled to the processor;
  
  f) a dynamic memory store coupled to the processor;
  
  g) a physical interface coupled to the processor;
  
  h) a plurality of rules stored in the permanent memory store;
  
  i) a device identification, such that the device can be identified to a secure server communicating through the network communication port, and the processor is programmed such that the network security device can establish secure communication with the secure server through the network communication port;
  
  the processor being programmed such that a data object received at one of a communications device port or network communication port is stored into the data object memory and processed by the processor in accordance with the rules from the permanent memory store, and the data objects are transmitted by the other of the network communication port or a communications device port only if the data object is not in violation of a rule;
  
  the device being configured such that the rules are not affected by the processing of data objects in the data object memory;
  
  the processor being programmed such that a data object in the data object memory is not permitted to interact with the dynamic memory store or the permanent memory store, such that the operation of the device is incorruptible by the data objects being processed; and
  
  in receiving, processing and transmitting the data objects, the device is not visible to the network or the communication devices.
- View Dependent Claims (27, 28, 29)
- - 27. The network security device of claim 26, in which the processor is programmed to accept changes to the rules in the permanent memory store from the secure server.
  - 28. The network security device of claim 26, in which at least one of the rules causes the data object in the data object memory to be processed to perform a DNS lookup to retrieve a first IP address associated with a destination address of the data object, and also to do a DNS lookup using the secure server to retrieve a second IP address associated with a destination address of the data object, and the rule causes the processor to compare the first IP address to the second IP address, and the data object is transmitted only if the first IP address matches the second IP address.
  - 29. The network security device of claim 28, in which the rule further causes the network security device to inform the secure server if the first IP address does not match the second IP address.

30. A method of screening data objects flowing between a network and at least one communication device using a network security device comprising a data object memory;
- at least one communication device port coupled to the data object memory;
  
  a network communication port coupled to the data object memory;
  
  a processor coupled to the data object memory;
  
  a permanent memory store for storage of rules, coupled to the processor;
  
  a dynamic memory store coupled to the processor;
  
  a physical interface coupled to the processor; and
  
  a plurality of rules stored in the permanent memory store;
  
  the method comprising;
  
  a) receiving a data object received at one of a communications device port or network communication port, the network security device being invisible to any communication device or network;
  
  b) storing the data object into the data object memory;
  
  c) processing the data object in accordance with the rules from the permanent memory store without executing any code in the data object such that the operation of the device is incorruptible by the data objects being processed; and
  
  d) transmitting the data object by the other of the network communication port or a communications device port only if the data object is not in violation of a rule.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57)
- - 31. The method of claim 30, further comprising the step of assembling a data object in the data object memory from a plurality of packets before the step of processing the data object.
  - 32. The method of claim 30, in which the rules in the permanent memory store comprise a URL database comprising a plurality of network addresses, and the step c of processing the data object comprises comparing a destination address of the data object to the addresses in the URL database.
  - 33. The method of claim 32, in which a plurality of the network addresses in the URL database comprise a whitelist, and in step d the data object is considered in violation of the rule unless the destination address of the data object matches one of the network addresses on the whitelist.
  - 34. The method of claim 32, in which a plurality of the network addresses in the URL database comprise a blacklist, and in step d the data object is considered in violation of the rule if the destination address of the data object matches one of the network addresses on the blacklist.
  - 35. The method of claim 30, in which the rules in the permanent memory store comprise a sensitive information database comprising at least one item of information, and the step c of processing the data object comprises comparing a body of the data object to the information in the sensitive information database.
  - 36. The method of claim 35, in which in step d the data object is considered in violation of the rule if at least part of the body of the data object matches an item of information in the sensitive information database.
  - 37. The method of claim 35, in which the items of information in the sensitive information database are selected from a group consisting of social security numbers, credit card numbers, bank account numbers, brokerage account numbers, specific passwords, and brokerage codes.
  - 38. The method of claim 30, in which the rules in the permanent memory store comprise a URL database comprising a plurality of network addresses and a sensitive information database comprising at least one item of information, and the step c of processing comprises comparing a destination address of the data object to the addresses in the URL database and comparing a body of the data object to the information in the sensitive information database, and in step d the data object is considered in violation of the rule if at least part of the body of the data object matches an item of information in the sensitive information database and the destination address of the data object does not match one of the network addresses in the URL database.
  - 39. The method of claim 30, in which the step c of processing the data object comprises detecting malware present in the data object, and in step d the data object is considered in violation of the rule if malware is detected in the object.
  - 40. The method of claim 30, in which the network security device further comprises a device identification, the method further comprising the steps of identifying the network security device to a secure server through the network, and establishing secure communication with the secure server through the network.
  - 41. The method of claim 40, in which the step c of processing the data object comprisesperforming a DNS lookup to retrieve a first IP address associated with a destination address of the data object,performing a DNS lookup using the secure server to retrieve a second IP address associated with a destination address of the data object, andcomparing the first IP address to the second IP address, andin step d the data object is considered in violation of the rule if the if the first IP address does not match the second IP address.
  - 42. The method of claim 41, further comprising the step of informing the secure server if the first IP address does not match the second IP address.
  - 43. The method of claim 40, further comprising the step, based on rules stored in the permanent memory store, of communicating with the secure server if a data object is flagged by a rule, and in step d the data object is considered in violation of the rule based on information received from the secure server.
  - 44. The method of claim 40, further comprising the step of stopping all transmission of data objects based on information received from the secure server.
  - 45. The method of claim 30, further comprising the step of alerting a third party if a data object violates a rule stored in the permanent memory store.
  - 46. The method of claim 45, further comprising the step of substituting decoy data for at least part of the data object before transmitting the data object in step d.
  - 47. The method of claim 45, in which the third party comprises at least one other network security device.
  - 48. The method of claim 47, in which the step of alerting comprises sending at least one rule to the other network security device.
  - 49. The method of claim 30, in which the rules comprise analysis of patterns in data in a body of a data object, and in step d the data object is considered in violation of the rule if the data in the body of the data object match a pattern.
  - 50. The method of claim 30, further comprising the step of stopping all transmission of data objects based on detection of violation of a rule in the permanent memory store.
  - 51. The method of claim 30, further comprising the step of parsing the data object to extract simple file formats, and in which step c of processing the data objects processes each of the simple files in the data object separately.
  - 52. The method of claim 51, in which, if the data object cannot be parsed, the method further comprises the step of storing the data object.
  - 53. The method of claim 52, further comprising the step of transmitting the data object to a secure server.
  - 54. The method of claim 30, in which the step c of processing the object comprises copyright authorization analysis, and in step d the data object is considered in violation of the rule if a data object is copyrighted and no authority to use or view is detected.
  - 55. The method of claim 30, in which the method only accepts data objects in step a from specified communication devices or networks.
  - 56. The method of claim 30, in which the data object is a request for a website, and the step c of processing the data object comprises the steps of:
    - retrieving an image of the website;
      
      retrieving identifying information about the website;
      
      combining the image and identifying information into a site fingerprint;
      
      retrieving a cached fingerprint for the website;
      
      comparing the site fingerprint to the cached fingerprint; and
      
      in step d the data object is considered in violation of the rule if the site fingerprint does not match the cached fingerprint.
  - 57. The method of claim 56, in which the cached fingerprint is retrieved from a secure server.

58. A method of monitoring data objects flowing between a network and at least one communication device using a network security device comprising a data object memory;
- at least one communication device port coupled to the data object memory;
  
  a network communication port coupled to the data object memory;
  
  a processor coupled to the data object memory;
  
  a permanent memory store for storage of rules, coupled to the processor;
  
  a dynamic memory store coupled to the processor;
  
  a physical interface coupled to the processor; and
  
  a plurality of rules stored in the permanent memory store;
  
  the method comprising;
  
  a) receiving a data object received at one of a communications device port or network communication port, the network security device being invisible to any communication device or network;
  
  b) storing the data object into the data object memory;
  
  c) processing the data object in accordance with the rules from the permanent memory store without executing any code in the data object such that the operation of the device is incorruptible by the data objects being processed;
  
  d) copying the data object;
  
  e) transmitting the data object by the other of the network communication port or a communications device port; and
  
  f) storing the copied data object from step d in a database.
- View Dependent Claims (59, 60, 61, 62, 63, 64, 65, 66, 67, 68)
- - 59. The method of claim 58, further comprising the step of transmitting the copied data object to an offsite logging server.
  - 60. The method of claim 58, further comprising the step of stamping identifying indicia on the copied data object.
  - 61. The method of claim 60, in which the identifying indicia comprise date and time.
  - 62. The method of claim 58, further comprising the step of assembling a data object in the data object memory from a plurality of packets before the step of processing the data object.
  - 63. The method of claim 58, in which the rules in the permanent memory store comprise a URL database comprising a plurality of network addresses, and the steps d and f of copying and storing the data object are performed only if a destination address of the data object matches an address in the URL database.
  - 64. The method of claim 58, in which the rules in the permanent memory store comprise a URL database comprising a plurality of network addresses, and the steps d and f of copying and storing the data object are performed only if a source address of the data object matches an address in the URL database.
  - 65. The method of claim 58, further comprising the step of alerting a third party if a data object violates a rule stored in the permanent memory store.
  - 66. The method of claim 65, further comprising the step of substituting decoy data for at least part of the data object before transmitting the data object in step e.
  - 67. The method of claim 65, in which the third party comprises at least one other network security device.
  - 68. The method of claim 67, in which the step of alerting comprises sending at least one rule to the other network security device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electro Guard Corporation
Original Assignee
Electro Guard Corporation
Inventors
Todd, John, Sivanesan, Sai, Cann, David

Granted Patent

US 7,890,612 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/0272   Virtual private networks

H04L 63/145   the attack involving the pr...

H04L 63/1483   service impersonation, e.g....

H04L 63/1491   using deception as counterm...

Network Security Device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

549 Citations

68 Claims

Specification

Solutions

Use Cases

Quick Links

Network Security Device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

549 Citations

68 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links