System for packet filtering of data packets at a computer network interface

US 5,802,320 A
Filed: 05/18/1995
Issued: 09/01/1998
Est. Priority Date: 05/18/1995
Status: Expired due to Term

First Claim

Patent Images

1. A method for screening data packets arriving at a screening system connected between a first computer network and a second computer network and for executing actions in a proxy system connected to the screening system, including the steps of:

(1) receiving a first data packet directed from the first network to the second network as a current packet;

(2) determining from contents of the current packet whether the current packet is of a predetermined type for being allowed to pass to the second network;

(3) if the determination of step 2 is positive, then determining a destination address within the second network as specified by the current packet, and passing the current packet to an ersatz address substituting for said destination address, the ersatz address residing in the proxy system;

(4) determining whether at least one action requested by the current packet is of a type predetermined to be allowed, and if not then rejecting the current packet and proceeding to step 6, and if so then proceeding to step 5;

(5) taking the action specified by the current packet in at least one of the screening system and the proxy system; and

(6) determining whether another data packet has arrived at the screening system, and if so then receiving that data packet as the current packet and proceeding to step 1, and if not then ending the method.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for screening data packets transmitted between a network to be protected, such as a private network, and another network, such as a public network. The system includes a dedicated computer with multiple (specifically, three) types of network ports: one connected to each of the private and public networks, and one connected to a proxy network that contains a predetermined number of the hosts and services, some of which may mirror a subset of those found on the private network. The proxy network is isolated from the private network, so it cannot be used as a jumping off point for intruders. Packets received at the screen (either into or out of a host in the private network) are filtered based upon their contents, state information and other criteria, including their source and destination, and actions are taken by the screen depending upon the determination of the filtering phase. The packets may be allowed through, with or without alteration of their data, IP (internet protocol) address, etc., or they may be dropped, with or without an error message generated to the sender of the packet. Packets may be sent with or without alteration to a host on the proxy network that performs some or all of the functions of the intended destination host as specified by a given packet. The passing through of packets without the addition of any network address pertaining to the screening system allows the screening system to function without being identifiable by such an address, and therefore it is more difficult to target as an IP entity, e.g. by intruders.

Citations

12 Claims

1. A method for screening data packets arriving at a screening system connected between a first computer network and a second computer network and for executing actions in a proxy system connected to the screening system, including the steps of:
- (1) receiving a first data packet directed from the first network to the second network as a current packet;
  
  (2) determining from contents of the current packet whether the current packet is of a predetermined type for being allowed to pass to the second network;
  
  (3) if the determination of step 2 is positive, then determining a destination address within the second network as specified by the current packet, and passing the current packet to an ersatz address substituting for said destination address, the ersatz address residing in the proxy system;
  
  (4) determining whether at least one action requested by the current packet is of a type predetermined to be allowed, and if not then rejecting the current packet and proceeding to step 6, and if so then proceeding to step 5;
  
  (5) taking the action specified by the current packet in at least one of the screening system and the proxy system; and
  
  (6) determining whether another data packet has arrived at the screening system, and if so then receiving that data packet as the current packet and proceeding to step 1, and if not then ending the method.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, including, in step 5, the step of transmitting a response data packet from the proxy system to the first network using at least a portion of said destination address as the sole identifier of the location of execution of the action.
  - 3. The method of claim 1, wherein the determination of step 4 is based upon at least one of the current packet'"'"'s source address, destination address, source port, destination port, requested action and state of connection.

4. A method for screening data packets arriving at a screening system connected between a first computer network and a second computer network and for executing actions in a proxy system connected to the screening system, including the steps of:
- (1) receiving a first data packet directed from the first network to the second network as a current packet;
  
  (2) determining from contents of the first data packet a requested operation, a source address and a destination address for the first data packet;
  
  (3) determining, based upon at least one predetermined criterion, an action to be taken in response to the requested operation;
  
  (4) passing the current packet to a proxy host substituting for said destination address, the proxy host residing in the proxy system; and
  
  (5) in the proxy system, taking the determined action.
- View Dependent Claims (5, 6, 7, 8, 9)
- - 5. The method of claim 4, where the predetermined criterion is at least one of the source address, destination address, source port and destination port for the first data packet.
  - 6. The method of claim 4, wherein the predetermined criterion is the type of the requested operation.
  - 7. The method of claim 4, wherein the predetermined criterion is a state of the connection between a source in the first network and a destination in the screening system.
  - 8. The method of claim 4, wherein the predetermined criterion is the time of day at which the operation is requested.
  - 9. The method of claim 4, wherein the predetermined criterion is whether the source is at an expected internetwork location.

10. A system for inhibiting targeting of a first computer network, including:
- a screening system coupled between the first computer network and a second computer network, the screening system including a processor, a first network interface coupling the screening system to the first network, and a second network interface coupling the screening system to the second network; and
  
  a proxy network coupled to the screening system via a third network interface and including at least one proxy host having an internetwork address with a domain in common with the first computer network;
  
  the screening system further including a memory coupled to the processor, the memory storing instruction modules executable by the processor, the modules including;
  
  a first said module for receiving a data packet via said first network interface, the data packet including a destination address including said domain;
  
  a second said module for passing the data packet to said proxy host if said destination address pertains to said proxy host; and
  
  a third said module for determining from contents of the data packet a requested operation.
- View Dependent Claims (11, 12)
- - 11. The system of claim 10, wherein said proxy host is a mirror of a host within said first network.
  - 12. The system of claim 10, wherein said proxy host is a host unique to said proxy network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Scott, Glenn C., Mulligan, Geoffrey, Baehr, Geoffrey G., Lyon, Thomas L., Patterson, Martin, Turbyfill, Carolyn, Danielson, William
Primary Examiner(s)
Robertson, David L.

Application Number

US08/444,351
Time in Patent Office

1,202 Days
Field of Search

395/200.02, 395/200.12, 395/200.15, 395/200.16, 395/200.79, 395/200.57, 395/200.59, 395/200.68, 395/200.73, 395/200.75, 370/85.13, 370/85.14, 370/355, 370/401, 370/409, 340/825.03, 340/825.04, 340/826, 340/827
US Class Current

709/249
CPC Class Codes

H04L 63/0236 Filtering by address, proto...

System for packet filtering of data packets at a computer network interface

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

System for packet filtering of data packets at a computer network interface

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links