Apparatus and method for providing network security
Abstract
A multi-level security apparatus and method for a network employs a secure network interface unit (SNIU) coupled between each host or user computer unit and a network, and a security management (SM) architecture, including a security manager (SM) coupled to the network, for controlling the operation and configuration of the SNIUs coupled to the network. Each SNIU is operative at a session level of interconnection which occurs when a user on the network is identified and a communication session is to commence. When an SNIU is implemented at each computer unit on the network, a global security perimeter is provided. In a preferred embodiment, the SNIU is configured to perform a defined session level protocol (SLP), including the core functions of user interface, session manager, dialog manager, association manager and data sealer, and network interface. The SM architecture is implemented to ensure user accountability, configuration management, security administration, and validation key management on the network. The SM functions are distributed over three platforms, i.e., a SNIU security manager (SSM), an area security manager (ASM), and a network security manager (NSM).
54 Claims
1. A multi-level network security apparatus for a computer network having at least one user coupled thereto, the at least one user selected from a group consisting of a host computer and a second untrusted network, comprising:
a secure network interface unit (SNIU) having a first port for coupling to said at least one user and a second port for directly connecting to the computer network which operates at a user layer communications protocol, said SNIU providing security control by controlling access to the computer network at at least one of the layers above the transport layer of the communications protocol, wherein the SNIU is implemented to create a global security perimeter for end-to-end communications and wherein the computer network may be individually secure or non-secure without compromising security of communications within said global security perimeter; and a security management architecture, including a security manager (SM) coupled to said SNIU for causing said SNIU to be initialized, operated and configured for protecting the security communications transmitted through said SNIU, said SM capable of implementing at least one of a plurality of security policies.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 44
11. A method of providing multi-level network security for a computer network having at least one user coupled thereto, the at least one user selected from a group consisting of a host computer and at least a second network, said method comprising steps of:
coupling a secure network interface unit (SNIU) to said at least one user and directly to the computer network which operates at a user layer communications protocol, said SNIU providing security control by controlling access to the computer network at at least one of the layers above the transport layer of the communications protocol, whereby the SNIU is implemented to create a global security perimeter for end-to-end communications and wherein the computer network may be individually secure or non-secure without compromising security of communications within said global security perimeter; and
performing security management utilizing a security manager (SM) connected to said SNIU for causing said SNIU to be operated and configured for protecting the security communications transmitted through said SNIU between the at least one user and the computer network, said SM capable of implementing at least one of a plurality of security policies.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20
21. A method of providing multi-level network security for a computer network having at least one user coupled thereto, the at least one user selected from a group consisting of a host computer and at least a second network, said method comprising steps of:
coupling a secure network interface unit (SNIU) to at least one user and directly to the computer network, and establishing a session layer interconnection between the at least one user and the computer network, whereby the SNIU is implemented to create a global security perimeter for end-to-end communications and wherein the computer network may be individually secure or non-secure without compromising security of communications within said global security perimeter; and
performing security management utilizing a security manager (SM) for causing said SNIU to be operated and configured for controlling access to the computer network at or above the session layer by verifying at or above the session layer if an identified user is authorized for access to the computer network.
Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29, 30
31. A network security apparatus for providing secure communication of information communicated via an untrusted network, said apparatus comprising:
at least one secure network interface unit (SNIU) coupled between a host computer and said untrusted network, said SNIU performing user authentication and bidirectional multi-level access control for information communicated via the untrusted network, said SNIU supporting accountability, data integrity, data confidentiality and network resource access policies on a per user basis, whereby said host computer and said untrusted network may be individually secure or non-secure without compromising security of communication of information communicated via the untrusted network.
Dependent claims: 32, 33, 34, 35, 36, 37, 38, 39, 40
41. A network security system for providing secure communication of information communicated via an untrusted network, said system comprising:
a plurality of secure network interface units (SNIUs) each coupled between a respective host computer and said untrusted network, each said SNIU performing user authentication and bidirectional multi-level access control for information communicated via the untrusted network, said SNIU supporting accountability, data integrity, data confidentiality and network resource access policies on a per user basis, whereby said host computer and said untrusted network may be individually secure or non-secure without compromising security of information communicated via the untrusted network; and a security management architecture including a security manager (SM) coupled to each said SNIU having means for causing each SNIU to be initialized, operated and configured for protecting the security communications transmitted through each said SNIU, said SM capable of implementing at least one of a plurality of security policies.
Dependent claims: 42
43. A multi-level network security apparatus for communicating over an untrusted network between a computer user and at least a second network, comprising:
a secure network interface unit (SNIU) coupled at a first port to said computer user and at a second port to said untrusted network, said SNIU providing security control by controlling access and communications to the untrusted network, said SNIU operable to initialize and maintain a communication path across the untrusted network and said at least one second network with a remote SNIU for passing data therebetween; said remote SNIU coupled directly between said untrusted network and said second network and operable as a gateway to communicate with said SNIU over said communication path to transceive data at said second network when said second network uses different security labeling than said untrusted network; wherein each SNIU is implemented to create a global security perimeter for end-to-end communications; and a security management architecture including a security manager (SM) coupled to each said SNIU having means for causing each SNIU to be initialized, operated and configured for protecting the security communications transmitted through each said SNIU, said SM capable of implementing at least one of a plurality of security policies.
45. A multi-level network security apparatus for communicating over an untrusted network between a computer user and at least a second network, comprising:
a secure network interface unit (SNIU) coupled at a first port to said computer user and at a second port to said untrusted network, said SNIU providing security control by controlling access and communications to the untrusted network, said SNIU operable to initialize and maintain a communication path across the untrusted network and said at least one second network with a remote SNIU for passing data therebetween via duplex, simplex, or multicast communications means; said remote SNIU coupled directly between said untrusted network and said second network and operable as a router to communicate with said SNIU over said communication path to transceive data at said second network when said second network uses the same security labeling as said untrusted network and operates at different protection levels; wherein each SNIU is implemented to create a global security perimeter for end-to-end communications; and a security management architecture including a security manager (SM) coupled to each said SNIU having means for causing each SNIU to be initialized, operated and configured for protecting the security communications transmitted through each said SNIU, said SM capable of implementing at least one of a plurality of security policies.
46. A method for providing multi-level network security for an untrusted computer network having at least one host computer associated with a user coupled thereto, said method comprising the steps of:
coupling a secure network interface unit (SNIU) between said at least one host computer and said untrusted network, establishing a session layer interconnection between said at least one host computer and the untrusted network, performing user authentication and bi-directional multi-level access control for information communicated via said untrusted network utilizing said SNIU; and performing security management by providing accountability, data integrity, data confidentiality, and network resource access policies on a per user basis, whereby said host computer and said untrusted network may be individually secure or non-secure without compromising security of communication of information communicated via the untrusted network.
Dependent claims: 47, 48, 49, 50, 51, 52
53. A network security apparatus for providing secure communication of information communicated via an untrusted network, said apparatus comprising:
bidirectional means for performing user authentication and bidirectional multi-level access control for information communicated via the untrusted network; security means for causing said bi-directional means to be initialized, operated, and configured for protecting the security communications transmitted to said bi-directional means, said security means capable of implementing at least one of a plurality of security policies on a per user basis, wherein said bidirectional means is coupled between a host computer and said untrusted network, whereby said host computer and said untrusted network may be individually secure or non-secure without compromising security of communication of information communicated by said untrusted network.
Dependent claims: 54
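As an added illustration, not code from the patent or its assignee, the following Python model shows the division of roles the claims describe: the SM holds the per-user policy it configures into each SNIU, the SNIU gates the session on user identification and authorization before any data crosses, then applies a bidirectional label check to each data unit and logs every decision for accountability, and a remote SNIU either translates labels (gateway role, claim 43) or passes them through (router role, claim 45). The label set, the dominance rule and all class and field names are assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed sensitivity ordering for the example; the patent fixes no particular label set.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


def dominates(a, b):
    """True when label a is at or above label b in the constructed ordering."""
    return LEVELS[a] >= LEVELS[b]


@dataclass
class SecurityManager:
    """Stand-in for the SM: the per-user policy it configures into each SNIU."""
    authorized: set                  # users permitted to open a session at all
    clearances: dict                 # user -> highest label the user may handle


@dataclass
class SNIU:
    """Stand-in for one SNIU mediating between a host (or user) and a network."""
    sm: SecurityManager
    network_label: str               # highest label the attached network may carry
    audit: list = field(default_factory=list)   # accountability: every decision is recorded

    def open_session(self, user, credential_ok):
        """Session-level gate: identify and authorize the user before any data flows."""
        if not credential_ok or user not in self.sm.authorized:
            self.audit.append(("session-denied", user))
            return None
        self.audit.append(("session-opened", user))
        return {"user": user, "clearance": self.sm.clearances[user]}

    def mediate(self, session, direction, data_label):
        """Bidirectional multi-level check on one labelled unit of data.
        Assumed rule: the user's clearance must dominate the data label in both
        directions, and data sent toward the network must not exceed the label
        that network is cleared to carry."""
        allowed = dominates(session["clearance"], data_label)
        if direction == "to_network":
            allowed = allowed and dominates(self.network_label, data_label)
        self.audit.append(("allow" if allowed else "deny", session["user"], direction, data_label))
        return allowed

    def forward_to_remote(self, data_label, remote_label_map=None):
        """Remote-SNIU behaviour at the second network: translate the label when that
        network uses a different labeling scheme (gateway), otherwise pass it through
        unchanged (router). remote_label_map is a constructed local->remote mapping."""
        if remote_label_map is None:
            return data_label
        return remote_label_map[data_label]
```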
Specification