Embedded security processor

US 5,896,499 A
Filed: 02/21/1997
Issued: 04/20/1999
Est. Priority Date: 02/21/1997
Status: Expired due to Fees

First Claim

Patent Images

1. An apparatus comprising:

a processor;

a first network interface for connecting a system to a first network;

a second network interface for connecting the system to a second network; and

an embedded security processor coupled to the processor, to the first network interface, and to the second network interface, the embedded security processor ensuring that communications between the first and second networks are secure; and

at least one control signal coupled to the processor and to the embedded security processor, the processor controlling the operation of the embedded security processor via the at least one control signal and disabling the embedded security processor via the at least one control signal when the processor detects at least one predetermined error condition.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An embedded security processor is used in conjunction with a main processor to provide security for a computer system that is accessible via a computer network. In a preferred embodiment of the present invention, an expansion board is provided that has an embedded security processor dedicated to network communications security tasks. The embedded security processor is controlled by the main processor and intercepts all communications from external untrusted or unverified network systems (i.e., unsecure networks) and verifies that the attempted communication is permissible before allowing the external network communication traffic to access the main processor, or other networked computer resources accessible via a secure network.

424 Citations

38 Claims

1. An apparatus comprising:
- a processor;
  
  a first network interface for connecting a system to a first network;
  
  a second network interface for connecting the system to a second network; and
  
  an embedded security processor coupled to the processor, to the first network interface, and to the second network interface, the embedded security processor ensuring that communications between the first and second networks are secure; and
  
  at least one control signal coupled to the processor and to the embedded security processor, the processor controlling the operation of the embedded security processor via the at least one control signal and disabling the embedded security processor via the at least one control signal when the processor detects at least one predetermined error condition.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The apparatus of claim 1 wherein the at least one predetermined error condition comprises an activity by the embedded security processor designated as an undesired activity by the processor.
  - 3. The apparatus of claim 1 wherein the at least one predetermined error condition comprises an unauthorized attempt by one of the first and second networks to access the other network.
  - 4. The apparatus of claim 1 wherein the at least one control signal comprises at least one signal on a system bus coupled to the processor and to the embedded security processor.
  - 5. The apparatus of claim 1 wherein the at least one control signal comprises at least one signal on a control bus coupled to the processor and to the embedded security processor.
  - 6. The apparatus of claim 1 wherein one of the first and second networks is a secure network and the other is an unsecure network.
  - 7. The apparatus of claim 1 wherein both the first and second networks are secure networks.
  - 8. The apparatus of claim 1 further comprising:
    - a memory coupled to the processor, the memory containing at least one firewall control program, the processor executing the at least one firewall control program to control access between the first and second networks.
  - 9. The apparatus of claim 8 wherein the firewall control program comprises a user authentication program.
  - 10. The apparatus of claim 8 wherein the firewall control program comprises an initial firewall configuration program.
  - 11. The apparatus of claim 10 wherein the initial firewall configuration program determines access allowed by the embedded security processor to the processor from the first and second networks.
  - 12. The apparatus of claim 8 wherein the firewall control program comprises a firewall monitoring program.
  - 13. The apparatus of claim 1 wherein the embedded security processor and the first network interface and the second network interface are located on an expansion board coupled to a system bus that is coupled to the processor.

14. A method for providing firewall protection between a first network and a second network, the method comprising the steps of:
- initiating a connection on one of the first and second networks, the first and second networks being coupled to an apparatus, the apparatus including an embedded security processor coupled to the first network and to the second network, the embedded security processor coupled to a processor; and
  
  using the processor to disable the embedded security processor when the processor detects an unauthorized attempt by one of the first and second network to access the other network.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The method of claim 14 further comprising the steps of:
    - providing a memory coupled to the processor, the memory containing at least one firewall control program; and
      
      the processor executing the at least one firewall control program to control access between the first and second networks.
  - 16. The method of claim 15 wherein the at least one firewall control program is a user authentication program.
  - 17. The method of claim 15 wherein the at least one firewall control program is an initial firewall configuration program.
  - 18. The method of claim 15 wherein the at least one firewall control program is a firewall monitoring program.
  - 19. The method of claim 15 further comprising the step of:
    - the processor disabling the embedded security processor if the at least one firewall control program detects an activity by the embedded security processor designated as an undesired activity by the at least one firewall control program.
  - 20. The method of claim 15 further comprising the step of:
    - the processor disabling the embedded security processor if the at least one firewall control program detects an unauthorized attempt by one of the first and second networks to access the other network.
  - 21. The method of claim 14 further comprising the steps of:
    - the embedded security processor requesting firewall configuration data from the processor; and
      
      the processor reading the firewall configuration data from a protected memory and passing the firewall configuration data to the embedded security processor.
  - 22. The method of claim 14 further comprising the steps of:
    - the embedded security processor requesting at least one security program from the processor; and
      
      the processor reading the at least one security program from a protected memory and passing the at least one security program to the embedded security processor.

23. A method for providing firewall protection between a first network and a second network, the method comprising the steps of:
- initiating a connection on one of the first and second networks, the first and second networks being coupled to an apparatus, the apparatus including an embedded security processor coupled to the first network and to the second network, the embedded security processor coupled to a processor; and
  
  the embedded security processor ensuring that communications between the first network and the second network are secureproviding at least one control signal to the processor and to the embedded security processor, the processor controlling the operation of the embedded security processor via the at least one control signal and disabling the embedded security processor via the at least one control signal when the processor detects at least one security-relevant condition.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 24. The method of claim 23 wherein one of the first and second networks is a secure network and the other is an unsecure network.
  - 25. The method of claim 23 wherein both the first and second networks are secure networks.
  - 26. The method of claim 23 wherein the at least one security-relevant condition comprises an activity by the embedded security processor designated as an undesired activity by the processor.
  - 27. The method of claim 26 further comprising the steps of:
    - the embedded security processor requesting firewall configuration data from the processor; and
      
      the processor reading the firewall configuration data from a protected memory and passing the firewall configuration data to the embedded security processor.
  - 28. The method of claim 26 further comprising the steps of:
    - the embedded security processor requesting at least one security program from the processor; and
      
      the processor reading the at least one security program from a protected memory and passing the at least one security program to the embedded security processor.
  - 29. The method of claim 26 further comprising the steps of:
    - the processor to creating an activity log for the activities of the embedded security processor; and
      
      storing the activity log on a direct access storage device.
  - 30. The method of claim 23 wherein the at least one security-relevant condition comprises an unauthorized attempt by one of the first and second network interfaces to access the other network interface.
  - 31. The method of claim 23 further comprising the steps of:
    - providing a memory coupled to the processor, the memory containing at least one firewall control program; and
      
      the processor executing the at least one firewall control program to control access between the first and second networks.
  - 32. The method of claim 31 wherein the at least one firewall control program is a user authentication program.
  - 33. The method of claim 31 wherein the at least one firewall control program is an initial firewall configuration program.
  - 34. The method of claim 32 wherein the at least one firewall control program is a firewall monitoring program.
  - 35. The method of claim 32 further comprising the step of:
    - the processor disabling the embedded security processor if the at least one firewall control program detects an activity by the embedded security processor designated as an undesired activity by the at least one firewall control program.
  - 36. The method of claim 32 further comprising the step of:
    - the processor disabling the embedded security processor if the at least one firewall control program detects an unauthorized attempt by one of the first and second networks to access the other network.
  - 37. The method of claim 23 further comprising the step of:
    - transferring information from a direct access storage device to the embedded security processor after receiving an authorization signal from the processor.
  - 38. The method of claim 23 further comprising the step of:
    - transferring data to the embedded processor only after the processor has approved the transfer of information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
McKelvey, Mark Ambrose
Primary Examiner(s)
Palys, Joseph E.

Application Number

US08/803,661
Time in Patent Office

788 Days
Field of Search

395/186, 395/187.01, 395/188.01, 395/200.55, 395/200.56, 395/200.59, 380/3, 380/9, 380/23, 380/25, 707/9
US Class Current

726/11
CPC Class Codes

G06F 21/74   operating in dual or compar...

G06F 2211/005   Network, LAN, Remote Access...

H04L 63/02   for separating internal fro...

H04L 63/0209   Architectural arrangements,...

H04L 9/40   Network security protocols

Embedded security processor

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

424 Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Embedded security processor

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

424 Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links