Transparent and secure network gateway

US 5,781,550 A
Filed: 02/02/1996
Issued: 07/14/1998
Est. Priority Date: 02/02/1996
Status: Expired due to Term

First Claim

Patent Images

1. A computer implemented method for communicating packets between a trusted computer and an untrusted computer connected by a gateway having a gateway address, each packet including a source address, a destination address and a payload, comprising the steps of:

receiving in the gateway, a first packet having a source address of the trusted computer, the destination address, and a first payload and excluding the gateway address; and

in responsesending, from the gateway, a second packet having a source address of the gateway, a destination address of the untrusted computer and the first payload unchanged, if the first packet has the destination address of the untrusted computer to enable the trusted computer to securely communicate with the untrusted computer.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a computer implemented method, packets are transparently and securely communicated between a trusted computer and an untrusted computer connected by a gateway. Each packet including a source address, a destination address and a payload. The gateway, according to rules stored in a configuration database, intercepts a packet received in an Internet protocol layer of the gateway. The packet has a source address of the trusted computer, a destination address of the untrusted computer and a first payload. The intercepted packet is diverted to a proxy server operating in an application protocol layer of the gateway. The intercepted packet is consumed by the proxy server, and the proxy server generates a second packet having a source address of the gateway and the destination address of the untrusted computer and the first payload. The second packet is sent to the untrusted computer to enable the trusted computer to communicate with the untrusted computer securely.

Citations

15 Claims

1. A computer implemented method for communicating packets between a trusted computer and an untrusted computer connected by a gateway having a gateway address, each packet including a source address, a destination address and a payload, comprising the steps of:
- receiving in the gateway, a first packet having a source address of the trusted computer, the destination address, and a first payload and excluding the gateway address; and
  
  in responsesending, from the gateway, a second packet having a source address of the gateway, a destination address of the untrusted computer and the first payload unchanged, if the first packet has the destination address of the untrusted computer to enable the trusted computer to securely communicate with the untrusted computer.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the gateway includes a protocol stack, the protocol stack including a data link layer, an Internet layer, a transport layer, and an application layer, and further comprising:
    - intercepting the first packet in the Internet layer;
      
      diverting the first packet through a transport layer to a proxy server operating in the application layer; and
      
      consuming the first packet while generating the second packet.
  - 3. The method of claim 1 wherein the gateway includes a plurality of rules stored as a configuration database in a memory of the gateway, and wherein the plurality of rules includes a first rule for recognizing the destination address of the untrusted computer.
  - 4. The method of claim 3 further including a screening sub-system and wherein the configuration database includes a second rule to screen the first packet, and further comprising:
    - accepting the first packet for proxying if the source address and the destination address comply with the second rule.
  - 5. The method of claim 1 wherein the gateway includes a session control table having at least one entry to control the communication of packets between the trusted computer and the untrusted computer, the entry including a local address field and a remote address field, and further comprising:
    - storing the address of the untrusted computer in the local address field; and
      
      storing the address of the trusted computer in the remote address field to spoof the trusted computer into believing that the trusted computer is communicating directly with the untrusted computer.
  - 6. The method of claim 5 wherein the session control table includes a flags field, and further comprising:
    - marking the flags field to indicate that the gateway is proxying a foreign session on behalf of the trusted computer;
      
      establishing the foreign session between the gateway and the untrusted computer.

7. A computer implemented method for communicating packets between a trusted computer and an untrusted computer connected by a gateway having a gateway address, each packet including a source address, a destination address and a payload, comprising the steps of:
- receiving, in the gateway, a first packet having a source address of the trusted computer, the destination address, and a first payload and excluding the gateway address;
  
  sending, from the gateway, a second packet having a source address of the gateway, a destination address of the untrusted computer and the first payload if the first packet has the destination address of the untrusted computer to enable the trusted computer to securely communicate with the untrusted computer and further;
  
  receiving, in the gateway, a third packet responsive to the second packet, the third packet having the source address of the untrusted computer, the destination address, and a second payload; and
  
  in responsesending, from the gateway, a fourth packet having the source address of the untrusted computer, a destination address of the trusted computer and the second payload if the third packet has a destination address of the gateway to enable the untrusted computer to communicate transparently with the trusted computer.

8. An apparatus for communicating packets between a trusted computer and an untrusted computer connected by a gateway, each packet including a source address, a destination address and a payload, comprising:
- a data link layer of a protocol stack, the data link layer to receive a first packet having a source address of the trusted computer, a destination address, and a first payload;
  
  an Internet layer of the protocol stack, the Internet layer to intercept the first packet from the data link layer if the first packet has a destination address of the untrusted computer;
  
  a transport layer of the protocol stack, the transport layer to divert the intercepted first packet to a proxy server;
  
  an application layer executing the proxy server, the proxy server to generate a second packet having a source address of the gateway and the destination address of the untrusted computer and the first payload;
  
  means for sending the second packet to the untrusted computer to enable the trusted computer to securely communicate with the untrusted computer;
  
  means for receiving, in the gateway, a third packet responsive to the second packet, the third packet having the source address of the untrusted computer, the destination address, and a second payload; and
  
  in responsesending, from the gateway, a fourth packet having the source address of the untrusted computer, a destination address of the trusted computer and the second payload if the third packet has a destination address of the gateway to enable the untrusted computer to communicate transparently with the trusted computer.

9. A computer implemented method for communicating packets between a trusted computer and an untrusted computer connected by a gateway, each packet including a source address, a destination address and a payload, comprising the steps of:
- receiving, in the gateway, a first packet having a source address of the trusted computer, the destination address, and a first payload; and
  
  in responsesending, from the gateway, a second packet having a source address of the gateway, a destination address of the untrusted computer and the first payload if the first packet has the destination address of the untrusted computer to enable the trusted computer to securely communicate with the untrusted computer; and
  
  upon receipt of packets in said gateway from said untrusted computer forwarding said packets to said trusted computer by replacing the destination address in said packet from said gateway address to said trusted computer address.

10. An apparatus for communicating packets between a trusted computer and an untrusted computer connected by a gateway, each packet including a source address, a destination address and a payload, comprising:
- a data link layer of a protocol stack, the data link layer to receive a first packet having a source address of the trusted computer, a destination address, and a first payload;
  
  an Internet layer of the protocol stack, the Internet layer to intercept the first packet from the data link layer if the first packet has a destination address of the untrusted computer;
  
  a transport layer of the protocol stack, the transport layer to divert the intercepted first packet to a proxy server;
  
  an application layer executing the proxy server, the proxy server to generate a second packet having a source address of the gateway and the destination address of the untrusted computer and an unchanged first payload;
  
  means for sending the second packet to the untrusted computer to enable the trusted computer to securely communicate with the untrusted computer.

11. A computer implemented method for communicating packets between a trusted computer and an untrusted computer connected by a gateway having a session control table with a first entry, the first entry including a local address field and a remote address field, each packet including a source address, a destination address and a payload, the method comprising the steps of:
- receiving, in the gateway, a first packet having a source address of the trusted computer, the destination address, and a first payload;
  
  storing the address of the untrusted computer in the local address field; and
  
  sending, from the gateway, a second packet having a source address of the gateway, a destination address of the untrusted computer and the first payload unchanged, if the first packet has the destination address of the untrusted computer to enable the trusted computer to securely communicate with the untrusted computer.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein the gateway includes a protocol stack, the protocol stack including a data link layer, an Internet layer, a transport layer, and an application layer, and further comprising:
    - intercepting the first packet in the Internet layer;
      
      diverting the first packet through a transport layer to a proxy server operating in the application layer; and
      
      consuming the first packet while generating the second packet.
  - 13. The method of claim 11, wherein the gateway includes a plurality of rules stored as a configuration database in a memory of the gateway, and wherein the plurality of rules includes a first rule for recognizing the destination address of the untrusted computer.
  - 14. The method of claim 13, further including a screening sub-system and wherein the configuration database includes a second rule to screen the first packet, and further comprising:
    - accepting the first packet for proxying if the source address and the destination address comply with the second rule.
  - 15. The method of claim 11, wherein the session control table includes a flags field, and further comprising:
    - marking the flags field to indicate that the gateway is proxying a foreign session on behalf of the trusted computer;
      
      establishing the foreign session between the gateway and the untrusted computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Digital Equipment Corporation (HP Inc.)
Inventors
Gupta, Ajay, Templin, Fred L., Tynan, Dermot Matthew, Skinner, Gregory D.
Primary Examiner(s)
Olms, Douglas W.
Assistant Examiner(s)
PHILLIPS, MATTHEW

Application Number

US08/594,632
Time in Patent Office

893 Days
Field of Search

370/401-405, 370/475, 370/389, 370/392, 370/902, 370/903, 370/915, 370/315, 395/187.01, 395/186, 395/200.02, 395/200.06, 395/200.12, 395/200.14, 395/200.16, 395/200.17, 395/200.55, 395/200.57, 395/200.58 , 395/200.59, 395/200.66, 395/200.67, 395/200.75
US Class Current

370/401
CPC Class Codes

H04L 63/02 for separating internal fro...

H04L 63/0281 Proxies

Transparent and secure network gateway

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Transparent and secure network gateway

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links