System for packet filtering of data packet at a computer network interface
First Claim
1. A screening system connected to a first computer network and a second computer network, said screening system for screening data packets transmitted between the first and second networks without revealing an IP address, including:
- a processor;
- a memory coupled to the processor;
- interface circuits for transmitting and receiving data packets to and from said first and second networks; and
- program instructions stored in said memory for controlling flow of data packets between the first and second networks, including:
  - a first program module for determining whether a first data packet transmitted from the first network to the second network meets predetermined criteria;
  - a second program module for passing the first data packet to the second network if the predetermined criteria are met;
  - a third program module for preventing passage of the first data packet to the second network, if the predetermined criteria are not met.
Abstract
A system for screening data packets transmitted between a network to be protected, such as a private network, and another network, such as a public network. The system includes a dedicated computer with multiple (specifically, three) types of network ports: one connected to each of the private and public networks, and one connected to a proxy network that contains a predetermined number of hosts and services, some of which may mirror a subset of those found on the private network. The proxy network is isolated from the private network, so it cannot be used as a jumping-off point for intruders. Packets received at the screen (either into or out of a host in the private network) are filtered based upon their contents, state information and other criteria, including their source and destination, and actions are taken by the screen depending upon the determination of the filtering phase. The packets may be allowed through, with or without alteration of their data, IP (internet protocol) address, etc., or they may be dropped, with or without an error message generated to the sender of the packet. Packets may be sent, with or without alteration, to a host on the proxy network that performs some or all of the functions of the intended destination host as specified by a given packet. Passing packets through without adding any network address pertaining to the screening system allows the screening system to function without being identifiable by such an address, and therefore it is more difficult to target as an IP entity, e.g. by intruders.
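As an added example (not the patent's own code), the decision logic the abstract describes: per-packet criteria on source, destination and contents, flow state from earlier packets, and the pass / silent drop / drop-with-error / hand-to-proxy actions. The addresses, ports and the content rule are constructed, and the screen never inserts an address of its own into a passed packet.

```python
from dataclasses import dataclass, field
from enum import Enum

# Constructed model of the three-interface screen (private, public, proxy).
# All addresses, port rules and the content pattern are illustrative only.

class Action(Enum):
    PASS = "pass"              # forward unchanged; the screen adds no address of its own
    DROP = "drop"              # discard silently (no error that would reveal the screen)
    DROP_ERROR = "drop+error"  # discard and return an error to the sender
    PROXY = "proxy"            # rewrite destination to a host on the isolated proxy net

@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on: "private" or "public"
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes = b""

@dataclass
class Screen:
    private_prefix: str = "10.0.0."
    allowed_outbound: frozenset = frozenset({80, 443})
    proxy_hosts: dict = field(default_factory=lambda: {80: "192.0.2.10"})
    contents_deny: tuple = (b"BADPATTERN",)          # constructed content rule
    established: set = field(default_factory=set)     # (client, server, sport, dport)

    def decide(self, pkt: Packet) -> tuple[Action, Packet]:
        if any(p in pkt.payload for p in self.contents_deny):
            return Action.DROP, pkt            # contents criterion fails on either side
        if pkt.ingress == "private":
            if pkt.dport in self.allowed_outbound:
                self.established.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
                return Action.PASS, pkt
            return Action.DROP_ERROR, pkt      # an inside sender may be told why
        # Packet arriving from the public network.
        if pkt.src.startswith(self.private_prefix):
            return Action.DROP, pkt            # spoofed private source address
        if (pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.established:
            return Action.PASS, pkt            # reply to a flow a private host opened
        proxy = self.proxy_hosts.get(pkt.dport)
        if proxy is not None:
            # Unsolicited request for a mirrored service: serve it from the
            # proxy network, which has no route into the private network.
            return Action.PROXY, Packet(pkt.ingress, pkt.src, proxy, pkt.sport, pkt.dport, pkt.payload)
        return Action.DROP, pkt                # unsolicited and unproxied: silent drop
```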
Claims
3. A proxy system coupled to a screening system connected between a first computer network and a second computer network for screening data packets sent from said first network to said second network without revealing an IP address, at least one said data packet including a first field specifying an intended recipient system for the data packet and further including a second field specifying a requested operation for said intended recipient system to execute, the proxy system including:
- a processor;
- a memory connected to said processor configured for storing instruction modules specifying operations to be executed by said processor;
- a plurality of action modules stored in said memory including instructions specifying a predetermined set of actions to be taken with respect to at least a first said data packet received at said screening system, based upon predetermined criteria with respect to contents of said first data packet;
- a screening module including instructions for the screening system to block passage of said first data packet to said second computer network; and
- an operation module controlling said plurality of action modules to select one of said actions to be taken by said proxy system processor in lieu of said requested operation.