Mixed enclave operation in a computer network with multi-level network security

US 5,828,832 A
Filed: 07/30/1996
Issued: 10/27/1998
Est. Priority Date: 07/30/1996
Status: Expired due to Term

First Claim

Patent Images

1. A method for communicating on a network having a secured plurality of users utilizing multi-level network security devices, each multi-level network security device being operable in a first and second mode, respectively, and an unsecured plurality of users employing no network security devices, said method comprising the steps of:

sending a communication from any first user;

intercepting said communication by a first multi-level network security device;

discarding said communication if said communication violates security parameters associated with said first multi-level network security device; and

,in said first mode, sending said communication from said first multi-level network security device to any second user; and

,in said second mode, encrypting said communication using said first multi-level network security device, sending said encrypted communication to a second multi-level network security device, decrypting said communication using said second multi-level network security device, and sending said decrypted communication from said second multi-level network security device to a third user selected from said secured plurality of users.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is disclosed for mixed enclave operation of a computer network with users employing a multi-level network security interface and users without any network security interface. Either the network security user selects or the network security interface automatically selects whether communications are permissible with other unsecured users. Where a mixed enclave operation is selected, the network security user identifies when communications are being undertaken with another secured user or a non-secured user. Communications with a non-secured user at a lower security level entail securing the data residing with the secured user from transmission back to the non-secured user.

234 Citations

20 Claims

1. A method for communicating on a network having a secured plurality of users utilizing multi-level network security devices, each multi-level network security device being operable in a first and second mode, respectively, and an unsecured plurality of users employing no network security devices, said method comprising the steps of:
- sending a communication from any first user;
  
  intercepting said communication by a first multi-level network security device;
  
  discarding said communication if said communication violates security parameters associated with said first multi-level network security device; and
  
  ,in said first mode, sending said communication from said first multi-level network security device to any second user; and
  
  ,in said second mode, encrypting said communication using said first multi-level network security device, sending said encrypted communication to a second multi-level network security device, decrypting said communication using said second multi-level network security device, and sending said decrypted communication from said second multi-level network security device to a third user selected from said secured plurality of users.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein said multi-level network security interfaces are transparent to said users and the network.
  - 3. The method of claim 1, wherein said step of sending said encrypted communication to a second multi-level network security interface further comprises the steps of:
    - intercepting said encrypted communication sent by said first multi-level network security interface by a third multi-level network security interface;
      
      validating a signature of said first multi-level network security interface using said third multi-level network security interface; and
      
      ,sending said first multi-level network security interface encrypted communication from said third multi-level network security interface to said second multi-level network security interface.
  - 4. The method in accordance with claim 1, further comprising using Internet protocol (IP) addresses for identifying each of said secured plurality of users employing multi-level network security interfaces, respectively, and said remaining users employing no network security interface.
  - 5. The method in accordance with claim 1, further comprising each multi-level network security interface using association establishment messages for authenticating other multi-level network security interfaces.
  - 6. The method in accordance with claim 1, further comprising using association establishment messages for exchanging security parameters between said multi-level network security interfaces.
  - 7. The method in accordance with claim 1, further comprising said first multi-level network security interface assuming that datagrams received which are not addressed to said first multi-level network security interface are from one of said remaining users employing no network security interface.
  - 8. The method in accordance with claim 1, wherein for communications between a secured user selected from said secured plurality and an unsecured user selected from said remaining users employing no network security interface, at least one multi-level network security interface employs a waiting queue to influence passage of information.
  - 9. The method in accordance with claim 1, wherein said second user is selected from said secured plurality, and receives initial information from said first user who is selected from said remaining users employing no network security interface and which has not already established communications with said second user, and said first multi-level network security interface creates an entry in an association table indicative of at least said first users'"'"' IP address and association type.
  - 10. The method in accordance with claim 9, wherein said first multi-level network security interface compares the security level of said second user to that of the first user for determining if information to the first user can be allowed to proceed.
  - 11. The method in accordance with claim 10, wherein when the second user is at a higher security level than the first user and the first user is writing up to the second user, information intended for the second user is released.
  - 12. The method in accordance with claim 10, wherein when the second user is at security level equal to the first user, the first multi-level network security interface permits information transfers between said first and second users.
  - 13. The method in accordance with claim 12, wherein when the second user is at a higher security level than the first user and the second user is writing down to the first user, the first multi-level network security interface determines if the information intended for the first user is predicted.

14. A method for mixed enclave communications over a network including both secured and unsecured users, said method comprising the steps of:
- permitting communications over the network between one of said secured users and one of said unsecured users;
  
  discovering dynamically by said secured user whether a user initiating communications is one of said secured users or one of said unsecured users; and
  
  ,controlling passage of information between said one of said secured users and said one of said unsecured users for securing given information residing with said one of said secured users against transference to said one of said unsecured users when not permissible.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method in accordance with claim 14, wherein the step of discovering includes using Internet Protocol (IP) addresses for identifying the secured and unsecured users.
  - 16. The method in accordance with claim 14, wherein the step of discovering includes using association establishment messages for said secured users authenticating each other.
  - 17. The method in accordance with claim 14, wherein the step of discovering includes using association establishment messages for the secured users exchanging security parameters.
  - 18. The method in accordance with claim 14, wherein for communications between one of the secured users and one of the unsecured users, the secured user employs a waiting queue to influence passage of information.
  - 19. The method in accordance with claim 14, wherein when one of the secured users receives initial information from one of the unsecured users that is not already established, the secured user creates an entry in an association table indicative of at least the unsecured user'"'"'s IP address and association type.
  - 20. The method in accordance with claim 19, wherein the secured user further compares its security level to that of the unsecured user for determining if information to the unsecured user can be allowed to proceed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Round Rock Research LLC
Original Assignee
ITT Industries (ITT, Inc.)
Inventors
Snow, deceased, David W., Levin, Stephen E., Holden, James M., Wrench, Edwin H. Jr.
Primary Examiner(s)
Beausoliel, Jr., Robert W.

Application Number

US08/688,524
Time in Patent Office

819 Days
Field of Search

395/186, 395/187.01, 395/188.01, 395/218, 395/244, 395/200.5
US Class Current

726/12
CPC Class Codes

G06F 21/31   User authentication

G06F 2211/001   In-Line Device

G06F 2211/005   Network, LAN, Remote Access...

G06F 2211/007   Encryption, En-/decode, En-...

G06F 2211/009   Trust

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/0218   Distributed architectures, ...

H04L 63/0442   wherein the sending and rec...

H04L 63/0823   using certificates cryptogr...

H04L 63/105   Multiple levels of security

H04L 9/40   Network security protocols

Mixed enclave operation in a computer network with multi-level network security

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

234 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Mixed enclave operation in a computer network with multi-level network security

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

234 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links