System and method for providing multi-level security in computer devices utilized with non-secure networks

US 5,832,228 A
Filed: 07/30/1996
Issued: 11/03/1998
Est. Priority Date: 07/30/1996
Status: Expired due to Term

First Claim

Patent Images

1. A multi-level network security system for a computer host device coupled to at least one computer network, comprising:

a secure network interface Unit (SNIU) contained within a communications stack of said computer device that operates at a user layer communications protocol, said SNIU communicates with other like SNIU devices on said network by establishing an association, thereby creating a global security perimeter for end-to-end communications and wherein said network may be individually secure or non-secure without compromising security of communications within said global security perimeter, comprising;

a host/network interface for receiving messages sent between said computer device and said network, said interface operative to convert said received messages to and from a format utilized by said network;

a message parser for determining whether said association already exists with another SNIU device;

a session manager coupled to said network interface for identifying and verifying said computer device requesting access to said network, said session manager also for transmitting said messages received from said computer device when said message parser determines said association already exists; and

an association manager coupled to said host/network interface for establishing an association with other like SNIU devices when said message parser determines said association does not exist.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A multi-level network security system is disclosed for a computer host device coupled to at least one computer network. The system including a secure network interface Unit (SNIU) contained within a communications stack of the computer device that operates at a user layer communications protocol. The SNIU communicates with other like SNIU devices on the network by establishing an association, thereby creating a global security perimeter for end-to-end communications and wherein the network may be individually secure or non-secure without compromising security of communications within the global security perimeter. The SNIU includes a host/network interface for receiving messages sent between the computer device and network. The interface operative to convert the received messages to and from a format utilized by the network. A message parser for determining whether the association already exists with another SNIU device. A session manager coupled to said network interface for identifying and verifying the computer device requesting access to said network. The session manager also for transmitting messages received from the computer device when the message parser determines the association already exists. An association manager coupled to the host/network interface for establishing an association with other like SNIU devices when the message parser determines the association does not exist.

318 Citations

20 Claims

1. A multi-level network security system for a computer host device coupled to at least one computer network, comprising:
- a secure network interface Unit (SNIU) contained within a communications stack of said computer device that operates at a user layer communications protocol, said SNIU communicates with other like SNIU devices on said network by establishing an association, thereby creating a global security perimeter for end-to-end communications and wherein said network may be individually secure or non-secure without compromising security of communications within said global security perimeter, comprising;
  
  a host/network interface for receiving messages sent between said computer device and said network, said interface operative to convert said received messages to and from a format utilized by said network;
  
  a message parser for determining whether said association already exists with another SNIU device;
  
  a session manager coupled to said network interface for identifying and verifying said computer device requesting access to said network, said session manager also for transmitting said messages received from said computer device when said message parser determines said association already exists; and
  
  an association manager coupled to said host/network interface for establishing an association with other like SNIU devices when said message parser determines said association does not exist.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 20)
- - 2. The system of claim 1, wherein said SNIU is contained within said communications stack between a Network layer and a Data Link layer.
  - 3. The system of claim 1, which further includes means coupled to SNIU for performing both encryption and decryption functions.
  - 4. The system of claim 3, which further includes means for generating and writing cryptographic residues for outgoing messages and validating cryptographic residues for incoming residues.
  - 5. The system of claim 1, wherein said session manager protects the security communications between said computer device and said network by implementing a security policy selected from a group consisting of discretionary access control, mandatory access control, labeling, denial of service detection, data type integrity, cascading control and covert channel use detection.
  - 6. The system of claim 1, wherein said SNIU further includes means for performing a defined trusted session layer protocol (TSP), said TSP constituting said user layer communications protocol.
  - 7. The system of claim 1, wherein said SNIUs exchange security parameters during said association.
  - 8. The system of claim 1, wherein said SNIU further includes a scheduler coupled between said host/network and said message parser for controlling the flow of said data within said SNIU.
  - 9. The system of claim 1, wherein said Association manager generates two messages in order to establish said association.
  - 10. The system of claim 1, wherein said SNIU further includes an audit manager coupled to said association manager for generating audit event messages when a message is received with an invalid authorization code.
  - 20. The method of claim 1, wherein said SNIUs exchange security parameters during said association.

11. A method of providing a multi-level network security system for a portable computer device coupled to at least one computer network, comprising:
- placing a secure network interface Unit (SNIU) within a communications stack of said computer device that operates at a user layer communications protocol, said SNIU communicates with other like SNIU devices on said network by establishing an association, thereby creating a global security perimeter for end-to-end communications and wherein said network may be individually secure or non-secure without compromising security of communications within said global security perimeter, said SNIU performing a plurality of security functions including;
  
  receiving said messages sent between said computer device and said network;
  
  converting said received messages to and from a format utilized by said network;
  
  identifying and verifying said computer device requesting access to said network at the session level;
  
  determining whether said association already exists with another SNIU device;
  
  transmitting said messages received from said computer device when said association already exists; and
  
  establishing an association with other like SNIU devices when said association does not exist.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method of claim 11, wherein said SNIU is placed within said communications stack between a Network layer and a Data Link layer.
  - 13. The method of claim 11, which further includes encrypting outgoing messages and decrypting incoming messages of said SNIU.
  - 14. The method of claim 13, which further includes generating and writing cryptographic residues for outgoing messages and validating cryptographic residues for incoming residues.
  - 15. The method of claim 11, wherein said SNIU protects the security communications between said computer device and said network by implementing a security policy selected from a group consisting of discretionary access control, mandatory access control, labeling, denial of service detection, data type integrity, cascading control and covert channel use detection.
  - 16. The method of claim 11, wherein said SNIU further performs a defined trusted session layer protocol (TSP), said TSP constituting said user layer communications protocol.
  - 17. The method of claim 11, which further includes generating an audit trail.
  - 18. The method of claim 11, which further includes temporarily storing said received messages from said computer device when said association does not exist.
  - 19. The method of claim 11, wherein said association is established by generating two messages.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Round Rock Research LLC
Original Assignee
ITT Industries (ITT, Inc.)
Inventors
Nickel, James O., Levin, Stephen E., Wrench, Edwin H., Holden, James M.
Primary Examiner(s)
Lall, Parshotam S.
Assistant Examiner(s)
VU, VIET DUY

Application Number

US08/688,543
Time in Patent Office

826 Days
Field of Search

395/200.43, 395/200.46, 395/200.47, 395/200.49, 395/200.53, 395/200.55, 395/200.57, 395/200.59, 395/200.6, 395/200.8, 395/187.01, 380/4, 380/25
US Class Current

709/225
CPC Class Codes

G06F 21/606   by securing the transmissio...

G06F 21/85   interconnection devices, e....

G06F 2211/007   Encryption, En-/decode, En-...

G06F 2211/009   Trust

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06F 2221/2153   Using hardware token as a s...

H04L 63/0218   Distributed architectures, ...

H04L 63/105   Multiple levels of security

H04L 63/14   for detecting or protecting...

System and method for providing multi-level security in computer devices utilized with non-secure networks

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

318 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing multi-level security in computer devices utilized with non-secure networks

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

318 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links