Real time firewall/data protection systems and methods

US 20110197273A1
Filed: 09/10/2010
Published: 08/11/2011
Est. Priority Date: 07/07/2000
Status: Active Grant

First Claim

Patent Images

1-66. -66. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for firewall/data protection that filters data packets in real time and without packet buffering are disclosed. A data packet filtering hub, which may be implemented as part of a switch or router, receives a packet on one link, reshapes the electrical signal, and transmits it to one or more other links. During this process, a number of filters checks are performed in parallel, resulting in a decision about whether each packet should or should not be invalidated by the time that the last bit is transmitted. To execute this task, the filtering hub performs rules-based filtering on several levels simultaneously, preferably with a programmable logic or other hardware device. Various methods for packet filtering in real time and without buffering with programmable logic are disclosed. The system may include constituent elements of a stateful packet filtering hub, such as microprocessors, controllers, and integrated circuits. The system may be reset, enabled, disabled, configured, and/or reconfigured with toggles or other physical switches. Audio and visual feedback may be provided regarding the operation and status of the system.

70 Citations

View as Search Results

96 Claims

1-66. -66. (canceled)

67. A method for communicating data between an external computing system and an internal computing system over a packet-based network, wherein data is transmitted and received in the form of a plurality of packets, the method comprising the steps of:
- receiving a packet from the external computing system over the network, the packet having at least a first portion and an end portion, and transmitting the packet to the internal computing system;
  
  in parallel with the step of receiving and transmitting the packet, determining characteristics of the packet from the first portion;
  
  in parallel with the step of receiving and transmitting the packet, performing one or more checks on the packet;
  
  in parallel with the step of receiving and transmitting the packet, determining if the packet should be a valid packet or an invalid packet based on the one or more checks, wherein the packet is analyzed in real time to determine if the packet should be valid or invalid while the packet is being concurrently transmitted to the internal computing system; and
  
  after receiving the end portion of the packet, selectively altering the end portion of the packet based on whether the packet has been determined to be a valid packet or an invalid packet, wherein the packet is selectively altered to be invalid if it was determined that the packet should be an invalid packet.
- View Dependent Claims (68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96)
- - 68. The method of claim 67, wherein the packet is selectively altered to be invalid if a determination has not been made as to whether the packet is valid or invalid by the time the end portion of the packet is received.
  - 69. The method of claim 67, wherein the packet is analyzed to determine if the packet is valid without the packet having been completely received and buffered.
  - 70. The method of claim 67, wherein the packet is determined to be an invalid packet if it is determined that the packet contains a virus, is unauthorized or presents a risk of harm to the internal computing system.
  - 71. The method of claim 67, wherein the one or more checks are at least in part selectively performed based on a state of a physical switch.
  - 72. The method of claim 71, wherein the physical switch comprises one or more user-controlled switches, wherein the one or more checks are selectively performed based on a user-defined state of the one or more user-controlled switches.
  - 73. The method of claim 72, wherein the one or more user-controlled switches comprise at least one user-controlled switch that controls a configuration or reconfiguration of a circuit that performs the one or more checks.
  - 74. The method of claim 73, wherein the configuration or reconfiguration of the circuit that performs the one or more checks is performed without requiring user entry of configuration commands via software running on the internal computing system.
  - 75. The method of claim 73, wherein the circuit that performs the one or more checks is configured or reconfigured based on commands from the internal computing system and based on a state of the at least one user-controlled switch.
  - 76. The method of claim 71, wherein at least a subset of the one or more checks are selectively enabled or disabled based on the user-defined state of the user-controlled switches.
  - 77. The method of claim 67, wherein the one or more checks are performed with a programmable logic device, wherein logic within the programmable logic device is selectively programmed to perform the one or more checks in parallel with the receiving and transmitting of the packet.
  - 78. The method of claim 77, wherein a first physical interface circuit receives the packet from the network, wherein the packet is coupled to the programmable logic device, wherein the packet is coupled from the programmable logic device to a second physical interface circuit for transmission to the internal computing system.
  - 79. The method of claim 78, wherein the programmable logic device performs the one or more checks while the packet is being coupled from the first physical interface to the second physical interface.
  - 80. The method of claim 67, wherein the one or more checks are selectively performed based on a communication state between the external computing system and the internal computing system.
  - 81. The method of claim 80, wherein the communication state comprises one or more network addresses and/or one or more port numbers.
  - 82. The method of claim 81, wherein the network address comprises an IP address for the external computing system and/or the internal computing system.
  - 83. The method of claim 67, further comprising the step of providing visual or audio feedback with one or more visual or audio feedback devices, wherein the one or more visual or audio feedback devices selectively provide visual or audio feedback of the operation or status of a packet filter process.
  - 84. The method of claim 83, wherein the one or more visual or audio feedback devices provide visual or audio feedback that a system performing the packet filter process is powered or operational.
  - 85. The method of claim 84, wherein the one or more visual or audio feedback devices provide visual or audio feedback that the system performing the packet filter process is subjecting a packet to filtering criteria.
  - 86. The method of claim 84, wherein the one or more visual or audio feedback devices provide visual or audio feedback that the system performing the packet filter process has rejected one or more packets.
  - 87. The method of claim 83, wherein the one or more visual or audio feedback devices provide visual or audio feedback that the internal computing system is suspected to be under attack.
  - 88. The method of claim 87, wherein the one or more visual or audio feedback devices provide visual or audio feedback of an estimated severity of the attack.
  - 89. The method of claim 84, wherein the one or more visual or audio feedback devices provide visual or audio feedback of a state of the system performing the packet filter process until the one or more visual or audio feedback devices are reset by a user.
  - 90. The method of claim 89, wherein the one or more visual or audio feedback devices are reset by the state of a physical switch.
  - 91. The method of claim 84, wherein the one or more visual or audio feedback devices comprise at least one light source, wherein the light source is selectively controlled to provide information indicative of the operation or status of the system performing the packet filter process.
  - 92. The method of claim 91, wherein the light source is controlled to have a first color or a second color depending on the operation or status of the system performing the packet filter process.
  - 93. The method of claim 91, wherein the light source is controlled to selectively blink depending on the operation or status of the system performing the packet filter process.
  - 94. The method of claim 93, wherein the light source is controlled to selectively blink at a rate that is indicative of a severity level of a suspected attack on the internal computing system.
  - 95. The method of claim 91, wherein the at least one light source comprises an LED.
  - 96. The method of claim 83, wherein the one or more visual or audio feedback devices comprise a speaker.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
802 Systems Inc.
Original Assignee
802 Systems Inc.
Inventors
Krumel, Andrew K.

Granted Patent

US 8,458,784 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/13
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

Real time firewall/data protection systems and methods

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

70 Citations

96 Claims

Specification

Solutions

Use Cases

Quick Links

Real time firewall/data protection systems and methods

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

96 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links