System for packet filtering of data packets at a computer network interface
First Claim
1. A method for screening data packets arriving at a screening system connected between a first computer network and a second computer network and for executing actions in a proxy system connected to the screening system, including the steps of:
(1) receiving a first data packet directed from the first network to the second network as a current packet;
(2) determining from contents of the current packet whether the current packet is of a predetermined type for being allowed to pass to the second network;
(3) if the determination of step 2 is positive, then determining a destination address within the second network as specified by the current packet, and passing the current packet to an ersatz address substituting for said destination address, the ersatz address residing in the proxy system;
(4) determining whether at least one action requested by the current packet is of a type predetermined to be allowed, and if not then rejecting the current packet and proceeding to step 6, and if so then proceeding to step 5;
(5) taking the action specified by the current packet in at least one of the screening system and the proxy system; and
(6) determining whether another data packet has arrived at the screening system, and if so then receiving that data packet as the current packet and proceeding to step 1, and if not then ending the method.
Abstract
A system for screening data packets transmitted between a network to be protected, such as a private network, and another network, such as a public network. The system includes a dedicated computer with multiple (specifically, three) types of network ports: one connected to each of the private and public networks, and one connected to a proxy network that contains a predetermined number of the hosts and services, some of which may mirror a subset of those found on the private network. The proxy network is isolated from the private network, so it cannot be used as a jumping-off point for intruders. Packets received at the screen (either into or out of a host in the private network) are filtered based upon their contents, state information and other criteria, including their source and destination, and actions are taken by the screen depending upon the determination of the filtering phase. The packets may be allowed through, with or without alteration of their data, IP (internet protocol) address, etc., or they may be dropped, with or without an error message generated to the sender of the packet. Packets may be sent with or without alteration to a host on the proxy network that performs some or all of the functions of the intended destination host as specified by a given packet. The passing through of packets without the addition of any network address pertaining to the screening system allows the screening system to function without being identifiable by such an address, and therefore it is more difficult to target as an IP entity, e.g. by intruders.
12 Claims
4. A method for screening data packets arriving at a screening system connected between a first computer network and a second computer network and for executing actions in a proxy system connected to the screening system, including the steps of:
(1) receiving a first data packet directed from the first network to the second network as a current packet;
(2) determining from contents of the first data packet a requested operation, a source address and a destination address for the first data packet;
(3) determining, based upon at least one predetermined criterion, an action to be taken in response to the requested operation;
(4) passing the current packet to a proxy host substituting for said destination address, the proxy host residing in the proxy system; and
(5) in the proxy system, taking the determined action.
10. A system for inhibiting targeting of a first computer network, including:
a screening system coupled between the first computer network and a second computer network, the screening system including a processor, a first network interface coupling the screening system to the first network, and a second network interface coupling the screening system to the second network; and
a proxy network coupled to the screening system via a third network interface and including at least one proxy host having an internetwork address with a domain in common with the first computer network;
the screening system further including a memory coupled to the processor, the memory storing instruction modules executable by the processor, the modules including:
a first said module for receiving a data packet via said first network interface, the data packet including a destination address including said domain;
a second said module for passing the data packet to said proxy host if said destination address pertains to said proxy host; and
a third said module for determining from contents of the data packet a requested operation.
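The screening method of claims 1 and 4, worked through as a small simulation (an added example, not the patent's own code or any product's implementation): the networks, addresses, packet types, ersatz mapping and allowed operations are constructed sample values standing in for the "predetermined" policy the claims refer to.

```python
"""Simulation of the screening method in claims 1 and 4 (added illustration,
not the patent's code): a screen between a public network and a private
network admits only predetermined packet types, redirects admitted packets
to an ersatz (proxy) host standing in for the requested private destination,
and lets the proxy act only on requested operations of an allowed type.
All addresses, packet types and operations below are constructed samples."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str      # sender on the public (first) network
    dst: str      # requested destination on the private (second) network
    ptype: str    # packet type as seen by the screen, e.g. "tcp/80"
    op: str       # operation the packet requests of the destination

# Step 2: packet types allowed to pass toward the private network.
ALLOWED_TYPES = {"tcp/80", "tcp/25"}
# Step 3: private destination -> ersatz address on the isolated proxy network.
ERSATZ = {"10.0.0.10": "10.0.9.10", "10.0.0.25": "10.0.9.25"}
# Step 4: operations the proxy host may carry out, per packet type.
ALLOWED_OPS = {"tcp/80": {"GET", "HEAD"}, "tcp/25": {"HELO", "MAIL", "RCPT"}}

def screen_one(pkt):
    """Steps 2-5 for one packet: returns (verdict, packet as sent to proxy)."""
    if pkt.ptype not in ALLOWED_TYPES:               # step 2: wrong type
        return "drop", None
    ersatz = ERSATZ.get(pkt.dst)                      # step 3: find stand-in
    if ersatz is None:                                # no proxy for this host
        return "drop", None
    # Only the destination is rewritten; the source stays and no address
    # belonging to the screen is added, so the screen stays unaddressable.
    fwd = replace(pkt, dst=ersatz)
    if pkt.op not in ALLOWED_OPS[pkt.ptype]:          # step 4: disallowed op
        return "reject", None
    return "proxy", fwd                               # step 5: proxy acts

def screen(queue):
    """Steps 1 and 6: handle packets one at a time until none remain."""
    return [(p.src, p.dst, *screen_one(p)) for p in queue]

# Constructed sample traffic arriving at the screen from the public side.
SAMPLE_QUEUE = [
    Packet("198.51.100.7", "10.0.0.10", "tcp/80", "GET"),     # admitted
    Packet("198.51.100.7", "10.0.0.10", "tcp/23", "LOGIN"),   # type not allowed
    Packet("198.51.100.8", "10.0.0.10", "tcp/80", "DELETE"),  # op not allowed
    Packet("198.51.100.9", "10.0.0.99", "tcp/80", "GET"),     # no ersatz host
]

if __name__ == "__main__":
    for src, dst, verdict, fwd in screen(SAMPLE_QUEUE):
        print(f"{src} -> {dst}: {verdict}" + (f" via {fwd.dst}" if fwd else ""))
```

The forwarded packet keeps its original source address and carries nothing identifying the screen, which is the property the abstract relies on to make the screen hard to target.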