Network Security Device
First Claim
1. A network security device for screening data objects flowing between a network and at least one communication device, comprising:
- a) a data object memory;
b) at least one communication device port coupled to the data object memory;
c) a network communication port coupled to the data object memory;
d) a processor coupled to the data object memory;
e) a permanent memory store for storage of rules, coupled to the processor;
f) a dynamic memory store coupled to the processor;
g) a physical interface coupled to the processor;
h) a plurality of rules stored in the permanent memory store;
the processor being programmed such that a data object received at one of a communications device port or network communication port is stored into the data object memory and processed by the processor in accordance with the rules from the permanent memory store, and the data objects are transmitted by the other of the network communication port or a communications device port only if the data object is not in violation of a rule;
the device being configured such that the rules are not affected by the processing of data objects in the data object memory;
the processor being programmed such that a data object in the data object memory is not permitted to interact with the dynamic memory store or the permanent memory store, such that the operation of the device is incorruptible by the data objects being processed; and
in receiving, processing and transmitting the data objects, the device is not visible to the network or the communication devices.
1 Assignment
0 Petitions
Accused Products
Abstract
A network security device which acts as an “airlock” for traffic between a communications device and a network. Data is screened using rules based analysis by the security device to counter various threats, including viruses, phishing, attempts to “hijack” communications, communications with known malicious addresses or unknown addresses, and transmission of sensitive information. Data packets can be reassembled into files for screening, and decoded or expanded as necessary, but is never executed. The data path for the data being screened is kept separate from the operations of the network security device itself, so that the device is incorruptible—its programming cannot be compromised from outside sources. Updates for rules and entry of sensitive data for screening, etc., must be done through a physical interface, not via the normal data communications channel. The device is invisible—it cannot be “seen” by the network, and thus cannot be attacked.
-
Citations
68 Claims
-
1. A network security device for screening data objects flowing between a network and at least one communication device, comprising:
-
a) a data object memory; b) at least one communication device port coupled to the data object memory; c) a network communication port coupled to the data object memory; d) a processor coupled to the data object memory; e) a permanent memory store for storage of rules, coupled to the processor; f) a dynamic memory store coupled to the processor; g) a physical interface coupled to the processor; h) a plurality of rules stored in the permanent memory store; the processor being programmed such that a data object received at one of a communications device port or network communication port is stored into the data object memory and processed by the processor in accordance with the rules from the permanent memory store, and the data objects are transmitted by the other of the network communication port or a communications device port only if the data object is not in violation of a rule; the device being configured such that the rules are not affected by the processing of data objects in the data object memory; the processor being programmed such that a data object in the data object memory is not permitted to interact with the dynamic memory store or the permanent memory store, such that the operation of the device is incorruptible by the data objects being processed; and in receiving, processing and transmitting the data objects, the device is not visible to the network or the communication devices. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
-
-
26. A system for network security comprising:
-
a secure server connected to a network; and a plurality of network security devices for screening data objects flowing between a network and at least one communication device, each network security device comprising; a) a data object memory; b) at least one communication device port coupled to the data object memory; c) a network communication port coupled to the data object memory; d) a processor coupled to the data object memory; e) a permanent memory store for storage of rules, coupled to the processor; f) a dynamic memory store coupled to the processor; g) a physical interface coupled to the processor; h) a plurality of rules stored in the permanent memory store; i) a device identification, such that the device can be identified to a secure server communicating through the network communication port, and the processor is programmed such that the network security device can establish secure communication with the secure server through the network communication port; the processor being programmed such that a data object received at one of a communications device port or network communication port is stored into the data object memory and processed by the processor in accordance with the rules from the permanent memory store, and the data objects are transmitted by the other of the network communication port or a communications device port only if the data object is not in violation of a rule; the device being configured such that the rules are not affected by the processing of data objects in the data object memory; the processor being programmed such that a data object in the data object memory is not permitted to interact with the dynamic memory store or the permanent memory store, such that the operation of the device is incorruptible by the data objects being processed; and in receiving, processing and transmitting the data objects, the device is not visible to the network or the communication devices. - View Dependent Claims (27, 28, 29)
-
-
30. A method of screening data objects flowing between a network and at least one communication device using a network security device comprising a data object memory;
- at least one communication device port coupled to the data object memory;
a network communication port coupled to the data object memory;
a processor coupled to the data object memory;
a permanent memory store for storage of rules, coupled to the processor;
a dynamic memory store coupled to the processor;
a physical interface coupled to the processor; and
a plurality of rules stored in the permanent memory store;
the method comprising;a) receiving a data object received at one of a communications device port or network communication port, the network security device being invisible to any communication device or network; b) storing the data object into the data object memory; c) processing the data object in accordance with the rules from the permanent memory store without executing any code in the data object such that the operation of the device is incorruptible by the data objects being processed; and d) transmitting the data object by the other of the network communication port or a communications device port only if the data object is not in violation of a rule. - View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57)
- at least one communication device port coupled to the data object memory;
-
58. A method of monitoring data objects flowing between a network and at least one communication device using a network security device comprising a data object memory;
- at least one communication device port coupled to the data object memory;
a network communication port coupled to the data object memory;
a processor coupled to the data object memory;
a permanent memory store for storage of rules, coupled to the processor;
a dynamic memory store coupled to the processor;
a physical interface coupled to the processor; and
a plurality of rules stored in the permanent memory store;
the method comprising;a) receiving a data object received at one of a communications device port or network communication port, the network security device being invisible to any communication device or network; b) storing the data object into the data object memory; c) processing the data object in accordance with the rules from the permanent memory store without executing any code in the data object such that the operation of the device is incorruptible by the data objects being processed; d) copying the data object; e) transmitting the data object by the other of the network communication port or a communications device port; and f) storing the copied data object from step d in a database. - View Dependent Claims (59, 60, 61, 62, 63, 64, 65, 66, 67, 68)
- at least one communication device port coupled to the data object memory;
Specification