System for securing the flow of and selectively modifying packets in a computer network

US 5,835,726 A
Filed: 06/17/1996
Issued: 11/10/1998
Est. Priority Date: 12/15/1993
Status: Expired due to Term

First Claim

Patent Images

1. A method of inspecting and selectively modifying inbound and outbound data packets in a computer network, the inspection and selective modification of said data packets occurring in accordance with a security rule, the method comprising the steps of:

generating a definition of each aspect of the computer network inspected by said security rule;

generating said security rule in terms of said aspect definitions, said security rule controlling at least one of said aspects;

converting said security rule into a set of packet filter language instructions for controlling an operation of a packet filtering module which inspects and selectively modifies said data packets in accordance with said security rule;

coupling said packet filter module to said computer network for inspecting and selectively modifying said data packets in accordance with said security rule, said packet filter module implementing a virtual packet filtering machine; and

said packet filter module executing said packet filter language instructions for operating said virtual packet filtering machine to either accept or reject the passage of said data packets into and out of said network computer and selectively modify said data packets so accepted.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention discloses a novel system for controlling the inbound and outbound data packet flow in a computer network. By controlling the packet flow in a computer network, private networks can be secured from outside attacks in addition to controlling the flow of packets from within the private network to the outside world. A user generates a rule base which is then converted into a set of filter language instruction. Each rule in the rule base includes a source, destination, service, whether to accept or reject the packet and whether to log the event. The set of filter language instructions are installed and execute on inspection engines which are placed on computers acting as firewalls. The firewalls are positioned in the computer network such that all traffic to and from the network to be protected is forced to pass through the firewall. Thus, packets are filtered as they flow into and out of the network in accordance with the rules comprising the rule base. The inspection engine acts as a virtual packet filtering machine which determines on a packet by packet basis whether to reject or accept a packet. If a packet is rejected, it is dropped. If it is accepted, the packet may then be modified. Modification may include encryption, decryption, signature generation, signature verification or address translation. All modifications are performed in accordance with the contents of the rule base. The present invention provides additional security to a computer network by encrypting communications between two firewalls between a client and a firewall. This permits the use of insecure public networks in constructing a WAN that includes both private and public network segments, thus forming a virtual private network.

Citations

25 Claims

1. A method of inspecting and selectively modifying inbound and outbound data packets in a computer network, the inspection and selective modification of said data packets occurring in accordance with a security rule, the method comprising the steps of:
- generating a definition of each aspect of the computer network inspected by said security rule;
  
  generating said security rule in terms of said aspect definitions, said security rule controlling at least one of said aspects;
  
  converting said security rule into a set of packet filter language instructions for controlling an operation of a packet filtering module which inspects and selectively modifies said data packets in accordance with said security rule;
  
  coupling said packet filter module to said computer network for inspecting and selectively modifying said data packets in accordance with said security rule, said packet filter module implementing a virtual packet filtering machine; and
  
  said packet filter module executing said packet filter language instructions for operating said virtual packet filtering machine to either accept or reject the passage of said data packets into and out of said network computer and selectively modify said data packets so accepted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1, wherein said aspects include network objects.
  - 3. The method according to claim 1, wherein said aspects include network services.
  - 4. The method according to claim 2, wherein said aspects include network services.
  - 5. The method according to claim 4, wherein said object definitions include the address of said object.
  - 6. The method according to claim 1, wherein the filter language instructions of said step of converting are in the form of script and further comprising a compiler to compile said script into said instructions executed in said step of executing.
  - 7. The method according to claim 1, wherein in both said steps of generating said aspects of said network and of said security rule are defined graphically.
  - 8. The method according to claim 1, wherein said selective modification is chosen from the group consisting of encryption, decryption, signature generation and signature verification.

9. In a security system for inspecting and selectively modifying inbound and outbound data packets in a computer network, said security system inspecting and selectively modifying said data packets in said computer network in accordance with a security rule, where each aspect of said computer network inspected by said security rule has been previously defined, said security rule being previously defined in terms of said aspects and converted into packet filter language instructions, a method for operating said security system comprising the steps of:
- providing a packet filter module coupled to said computer network in at least one entity of said computer network to be inspected by said security rule, said packet filter module implementing a virtual packet filtering machine inspecting and selectively modifying said data packets passing into and out of said computer network; and
  
  said packet filter module executing said packet filter language instructions for operating said virtual packet filtering machine to either accept or reject the passage of said data packets into and out of said computer network and to selectively modify said data packets so accepted.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The method according to claim 9 wherein said aspects include network objects.
  - 11. The method according to claim 9 wherein said aspects include network services.
  - 12. The method according to claim 10 wherein said aspects include network services.
  - 13. The method according to claim 12 wherein said object definitions include the address of said object.
  - 14. The method according to claim 9 wherein said virtual machine performs a data extraction operation.
  - 15. The method according to claim 14 wherein said virtual machine performs a logical operation.
  - 16. The method according to claim 15 wherein said virtual machine performs a comparison operation.
  - 17. The method according to claim 9, wherein said selective modification is chosen from the group consisting of encryption, decryption, signature generation and signature verification.

18. In a security system for inspecting and selectively modifying inbound and outbound data packets in a computer network, said security system inspecting and selectively modifying said data packets in said computer network in accordance with a security rule, where each aspect of said computer network inspected by said security rule has been previously defined, said security rule being previously defined in terms of said aspects and converted into packet filter language instructions, a method for operating said security system comprising the steps of:
- providing a packet filter module coupled to said computer network in at least one entity of said computer network to be controlled by said security rule, said packet filter module emulating a virtual packet filtering machine inspecting and selectively modifying said data packets passing into and out of said computer network;
  
  said packet filter module reading and executing said packet filter language instructions for performing packet filtering operations;
  
  storing the results obtained in said step of reading and executing said packet filter language instructions in a storage device; and
  
  said packet filter module utilizing said stored results, from previous inspections, for operating said packet filter module to accept or reject the passage of said data packets into and out of said computer network and to selectively modify said data packets so accepted.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The method according to claim 18 wherein said aspects include network objects.
  - 20. The method according to claim 18 wherein said aspects include network services.
  - 21. The method according to claim 19 wherein said aspects include network services.
  - 22. The method according to claim 21 wherein said object definitions include the address of said object.
  - 23. The method according to claim 18, wherein said selective modification is chosen from the group consisting of encryption, decryption, signature generation and signature verification.

24. In a security system for inspecting and selectively modifying inbound and outbound data packets in a computer network, said security system inspecting and selectively modifying said data packets passing through said computer network in accordance with a security rule, where each aspect of said computer network controlled by said security rule has been previously defined, said security rule being previously defined in terms of said aspects and converted into packet filter language instructions, said security system comprising:
- a packet filter module coupled to said computer network, said packet filter module operating in accordance with said security rule, said packet filter module implementing a virtual packet filtering machine inspecting and selectively modifying said data packets passing into and out of said computer network; and
  
  processing means for reading and executing said packet filter language instruction integral with said packet filter module, said processing means operating said packet filtering module to either accept or reject the passage of said packets into and out of said computer network and to selectively modify said data packets so accepted.
- View Dependent Claims (25)
- - 25. The method according to claim 24, wherein said selective modification is chosen from the group consisting of encryption, decryption, signature generation and signature verification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Check Point Software Technologies Limited
Original Assignee
Check Point Software Technologies Limited
Inventors
Ben-Reuven, Ehud, Zuk, Nir, Dogon, Gil, Shwed, Gil, Kramer, Shlomo
Primary Examiner(s)
Asta, Frank J.
Assistant Examiner(s)
Patru, Daniel

Application Number

US08/664,839
Time in Patent Office

876 Days
Field of Search

395/200.76, 395/200.77, 395/200.79, 395/200.34, 395/200.56, 395/186, 395/187.01, 395/200.57, 395/200.59
US Class Current

709/229
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/123   received data contents, e.g...

H04L 63/126   the source of the received ...

H04L 9/3247   involving digital signatures

H04L 9/40   Network security protocols

System for securing the flow of and selectively modifying packets in a computer network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

System for securing the flow of and selectively modifying packets in a computer network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links