Stand alone device for providing security within computer networks

US 5,802,178 A
Filed: 07/30/1996
Issued: 09/01/1998
Est. Priority Date: 07/30/1996
Status: Expired due to Term

First Claim

Patent Images

1. A multi-level security device for providing security between a user and at least one computer network, wherein the user is selected from the group consisting of a host computer and at least a second network, comprising:

a secure network interface Unit (SNIU) that operates at a user layer communications protocol, said SNIU communicates with other like SNIU devices by establishing an association at a session layer of a communication stack in order to provide secure end-to-end communications, comprising;

a host/network interface for receiving messages sent between said user and said at least one network, said interface operative to convert said received messages to and from a format utilized by said at least one network;

a message parser for receiving said messages from said host/network interface, determining whether said association already exists with another SNIU device and providing a signal indicative of said determination;

a session manager coupled to said interface for identifying and verifying said user requesting access to said network, said session manager also responsive to said signal from said message parser for transmitting said messages received from said user when said message parser determines said association already exists; and

an association manager coupled to said interface and responsive to said signal from said message parser for establishing an association with other like SNIU devices when said message parser determines said association does not exist, wherein said message parser stores said messages in a wait queue until said association is established.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A multi-level security device is disclosed for providing security between a user and at least one computer network, wherein the user is selected from the group consisting of a host computer and at least a second network. A secure network interface Unit (SNIU) that operates at a user layer communications protocol, which communicates with other like SNIU devices by establishing an association at a session layer of a communication stack in order to create a global security perimeter for end-to-end communications. The SNIU includes a host/network interface for receiving messages sent between the user and the at least one network, which is operative to convert the received messages to and from a format utilized by the at least one network. A message parser for determining whether the association already exists with another SNIU device. A session manager coupled to the interface for identifying and verifying the user requesting access to the network. The session manager also for transmitting the messages received from the user when the message parser determines the association already exists. An association manager coupled to the interface for establishing an association with other like SNIU devices when the message parser determines the association does not exist.

Citations

19 Claims

1. A multi-level security device for providing security between a user and at least one computer network, wherein the user is selected from the group consisting of a host computer and at least a second network, comprising:
- a secure network interface Unit (SNIU) that operates at a user layer communications protocol, said SNIU communicates with other like SNIU devices by establishing an association at a session layer of a communication stack in order to provide secure end-to-end communications, comprising;
  
  a host/network interface for receiving messages sent between said user and said at least one network, said interface operative to convert said received messages to and from a format utilized by said at least one network;
  
  a message parser for receiving said messages from said host/network interface, determining whether said association already exists with another SNIU device and providing a signal indicative of said determination;
  
  a session manager coupled to said interface for identifying and verifying said user requesting access to said network, said session manager also responsive to said signal from said message parser for transmitting said messages received from said user when said message parser determines said association already exists; and
  
  an association manager coupled to said interface and responsive to said signal from said message parser for establishing an association with other like SNIU devices when said message parser determines said association does not exist, wherein said message parser stores said messages in a wait queue until said association is established.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The device of claim 1, wherein said association manager generates an ICMP Echo request message in order to establish an association with other like SNIU devices.
  - 3. The device of claim 2, wherein said ICMP Echo request includes the user'"'"'s security level.
  - 4. The device of claim 1, wherein said association manager generates a ICMP Echo reply in order to grant an association with other like SNIU devices.
  - 5. The device of claim 1, which further includes a card reader configured to perform integrity and authenticating functions.
  - 6. The device of claim 1, wherein said session manager protects the security communications between said computer device and said network by implementing a security policy selected from a group consisting of discretionary access control, mandatory access control, object reuse, labeling, denial of service detection, data type integrity, cascading control and covert channel use detection.
  - 7. The device of claim 1, wherein said SNIU further includes means for performing a defined trusted session layer protocol (TSP), said TSP constituting said user layer communications protocol.
  - 8. The device of claim 1, wherein said SNIUs during said association perform a function selected from the group consisting of authenticating each other, exchanging security parameters and establishing trusted sessions for further communications.
  - 9. The device of claim 1, wherein said host/network interface also processes Address Resolution Protocol (ARP) and Reverse Address Resolution Protocol (RARP) messages.
  - 10. The device of claim 1, wherein said SNIU further includes a scheduler coupled between said host/network and said message parser for controlling the flow of said data within said SNIU.
  - 11. The device of claim 1, wherein said SNIU further includes an audit manager coupled to said association manager for generating audit event messages when a message is received with an invalid authorization code.

12. A method of providing a multi-level network security system for a user and at least one computer network, wherein said user is selected from the group consisting of a host computer and at least a second network, comprising:
- placing a secure network interface Unit (SNIU) that operates at a user layer communications protocol, said SNIU communicates with other like SNIU devices by establishing an association at a session layer of a communication stack in order to provide secure end-to-end communications, said SNIU performing a plurality of security functions including;
  
  receiving messages sent between said user and said at least one network;
  
  converting said received messages to and from a format utilized by said at least one network;
  
  identifying and verifying said user requesting access to said network;
  
  determining whether said association already exists with another SNIU device;
  
  transmitting said messages received from said user when said association already exists;
  
  temporarily storing said received messages from said computer device when said association does not exist; and
  
  establishing an association with other like SNIU devices when said association does not exist.
- View Dependent Claims (13, 14, 15, 16, 17, 19)
- - 13. The method of claim 12, which further includes encrypting outgoing messages and decrypting incoming messages of said SNIU.
  - 14. The method of claim 13, which further includes generating and writing cryptographic residues for outgoing messages and validating cryptographic residues for incoming messages.
  - 15. The method of claim 12, wherein said SNIU protects the security communications between said computer device and said network by implementing a security policy selected from a group consisting of discretionary access control, mandatory access control, object reuse, labeling, denial of service detection, data type integrity, cascading control and covert channel use detection.
  - 16. The method of claim 12, which further includes generating an audit trail.
  - 17. The method of claim 12, wherein said association is established by said SNIU:
    - storing a datagram including information received from the user;
      
      transmitting an ICMP Echo request message in order to request said association with other like SNIU devices;
      
      waiting to receive an ICMP Echo reply message from other like SNIU devices in order to grant said association;
      
      retrieving said stored datagram when said SNIU receives said ICMP Echo reply message; and
      
      transmitting said retrieved datagram.
  - 19. The method of claim 12, which further includes transmitting an ARP Request message including said SNIU'"'"'s hardware and IP address, and IP address of other like SNIU devices in order to locate other like SNIU devices on the network.

18. The method of claim 18, wherein said ICMP Echo request includes the user'"'"'s security level.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Round Rock Research LLC
Original Assignee
ITT Industries Inc (ITT, Inc.)
Inventors
Nickel, James O., Levin, Stephen E., Holden, James M., Wrench, Edwin H. Jr.
Primary Examiner(s)
Cain, David C.

Application Number

US08/688,525
Time in Patent Office

763 Days
Field of Search

380/49, 380/9, 380/23
US Class Current

713/151
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 21/57   Certifying or maintaining t...

G06F 2211/005   Network, LAN, Remote Access...

H04L 63/0218   Distributed architectures, ...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/12   Applying verification of th...

H04L 63/162   at the data link layer

Stand alone device for providing security within computer networks

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Stand alone device for providing security within computer networks

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links