Access control system and method using hierarchical arrangement of security devices
Abstract
A hierarchical arrangement of security devices for securing a protected network through a plurality of security devices having security rules of descending strictness. The system includes a first security device between two networks, and a second security device coupled to the first security device. A frame is processed by the first security device if the first security device's security policy allows processing. If there is insufficient information for the first security device, the first security device passes the frame to the second security device for processing. Additional security devices may be added in a hierarchical chain as necessary or desired. Passing-off may also be prevented to provide multi-level security within a protected network.
30 Claims
1. A system for securing a communications channel between a protected network and a public network using a hierarchical arrangement of security devices, comprising:

a first security device, coupled between said protected network and said public network on the communications channel, said first security device having a first port coupled to said protected network, a second port, a third port and a fourth port coupled to said public network, said first security device for processing a frame using a first set of security rules; and a second security device, coupled in parallel to said first security device, said second security device having a fifth port, a sixth port, a seventh port and an eighth port, the fifth port coupled to the second port of said first security device, and the eighth port coupled to the third port of said first security device, said second security device, responsive to the first security device not processing the frame and passing the frame through the fifth port from said first security device to said second security device, for processing the frame using a second set of security rules. (Dependent claims: 2, 3, 4, 5)

6. A method for interconnecting a plurality of security devices in a distributed network to provide a level of security between a protected network and a public network, the method comprising the steps of:

receiving, by a first security device, a frame; determining, with a first set of security rules by the first security device, sufficiency of information for processing the frame; passing, responsive to a determination of insufficient information, the frame to a second security device connected in parallel to said first security device; determining, with a second set of security rules by the second security device, sufficiency of information for processing the frame; passing, responsive to a determination of insufficient information, the frame to an nth security device connected in parallel to said first security device; determining, with an nth set of security rules by the nth security device, sufficiency of information for processing the frame; and processing, by the nth security device, responsive to a determination of sufficient information, the frame. (Dependent claims: 7, 8)

9. A method for interconnecting a plurality of security devices in a distributed network to insulate a protected network from a public network, the plurality of security devices including a first security device having a first port, a second port, a third port, and a fourth port, and a second security device having a fifth port, a sixth port, a seventh port and an eighth port, the method comprising the steps of:

receiving, by the first security device through the first port, a first frame from the protected network; determining, by the first security device, sufficiency of information for processing the first frame; passing, responsive to a determination of insufficient information, the first frame to the second security device through the second port; receiving, by the second security unit through the fifth port, the first frame; determining, by the second security device, sufficiency of information for processing; processing, by the second security device, responsive to sufficient information, the first frame; passing, through the eighth port, the first frame from the second security device to the third port of the first security device; and passing, through the fourth port, the first frame from the first security device to the public network. (Dependent claims: 10)

11. A method for interconnecting a plurality of security devices in a distributed network to insulate a protected network from a public network, the plurality of security devices including a first security device having a first port, a second port, a third port and a fourth port, a second security device having a fifth port, a sixth port, a seventh port and an eighth port, and an nth security device having a ninth port and a tenth port, the method comprising the steps of:

receiving, by the first security device through the first port, a first frame from the protected network; determining, by the first security device, sufficiency of information for processing; passing, responsive to a determination of insufficient information, the first frame through the second port to the second security device; receiving, by the second security device through the fifth port, the first frame; determining, by the second security device, sufficiency of information for processing; passing, responsive to a determination of insufficient information, the first frame through the sixth port to the nth security device; receiving, by the nth security device through the ninth port, the first frame; determining, by the nth security device, sufficiency of information for processing; processing, by the nth security device, responsive to a determination of sufficient information, the first frame; passing, through the tenth port, the first frame from the nth security device to the seventh port of the second security device; passing, through the eighth port, the first frame to the third port of the first security device; and passing, through the fourth port, the first frame to the public network.

12. A method for interconnecting a plurality of security devices in a distributed network to insulate a protected network from a public network, the plurality of security devices including a first security device having a first port, a second port, a third port and a fourth port, a second security device having a fifth port, a sixth port, a seventh port and an eighth port, and an nth security device having a ninth port and a tenth port, the method comprising the steps of:

receiving, by the first security device through the fourth port, a first frame from the public network; determining, by the first security device, sufficiency of information for processing; passing, responsive to a determination of insufficient information, the first frame through the third port to the second security device; receiving, by the second security device through the eighth port, the first frame; determining, by the second security device, sufficiency of information for processing; passing, responsive to a determination of insufficient information, the first frame through the seventh port to the nth security device; receiving, by the nth security device through the tenth port, the first frame; determining, by the nth security device, sufficiency of information for processing; processing, by the nth security device, responsive to a determination of sufficient information, the first frame; passing, through the ninth port, the first frame from the nth security device to the sixth port of the second security device; passing, through the fifth port, the first frame to the second port of the first security device; and passing, through the first port, the first frame to the protected network. (Dependent claims: 13, 14)

15. A system for securing a communications channel between a protected network and a public network using a hierarchical arrangement of security devices, comprising:

a first security device, coupled between said protected network and said public network, and responsive to a frame having sufficient information, for processing the frame using a first set of security rules; and a second security device, coupled in parallel to said first security device, responsive to receiving the frame having insufficient information for processing the frame with the first set of security rules from said first security device, for processing the frame using a second set of security rules, with the second set of security rules independent from the first set of security rules. (Dependent claims: 16, 17, 18, 19)

20. A method using a plurality of interconnected security devices in a distributed network to provide a level of security between a protected network and a public network, the method comprising the steps of:

receiving, by a first security device, a frame; processing, responsive to determining sufficient information, using a first set of security rules by the first security device, the frame; passing, responsive to a determination of insufficient information for processing the frame by the first security device, the frame to a second security device connected in parallel with said first security device; and processing, using a second set of security rules by the second security device, sufficiency of information of the frame. (Dependent claims: 21, 22, 23, 24, 25)

26. A system using a plurality of interconnected security devices in a distributed network to provide a level of security between a protected network and a public network, comprising:

a first security device for receiving a frame, for determining, with a first set of security rules, any of sufficiency and insufficiency, of information for processing the frame; and a second security device, connected in parallel with said first security device, responsive to the first security device determining insufficiency of information for processing the frame, for determining, with a second set of security rules, sufficiency of information for processing the frame. (Dependent claims: 27, 28, 29, 30)
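As an added illustration of the claimed hierarchy (example code written for this page, not taken from the patent or any product), the following Python model chains devices whose rule sets are of descending strictness: a device decides a frame when its rules give sufficient information, otherwise it hands the frame to the next device, and the verdict travels back up the chain. The rule functions `first_level` and `second_level`, the addresses and the payload bytes are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional, Tuple

class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    INSUFFICIENT = "insufficient"   # this device cannot decide on its own

@dataclass(frozen=True)
class Frame:
    src: str            # addresses and ports used below are constructed samples
    dst: str
    dport: int
    payload: bytes = b""

@dataclass
class SecurityDevice:
    name: str
    rules: List[Callable[[Frame], Verdict]]          # ordered rule set
    next_device: Optional["SecurityDevice"] = None   # device on ports 2/3

    def process(self, frame: Frame) -> Tuple[Verdict, List[str]]:
        """Return the verdict and the names of the devices the frame visited."""
        for rule in self.rules:
            verdict = rule(frame)
            if verdict is not Verdict.INSUFFICIENT:
                return verdict, [self.name]
        if self.next_device is None:
            return Verdict.DENY, [self.name]   # end of the chain: fail closed
        verdict, path = self.next_device.process(frame)   # hand the frame down
        return verdict, [self.name] + path                # result travels back up

# Hypothetical rule sets of descending strictness, constructed for this example.
def first_level(frame: Frame) -> Verdict:
    # Header-only checks; decides only when the headers alone settle the matter.
    if not frame.src.startswith("10.0."):
        return Verdict.DENY               # not from the protected network
    if frame.dport not in (80, 443):
        return Verdict.DENY
    return Verdict.INSUFFICIENT           # content must be judged further down

def second_level(frame: Frame) -> Verdict:
    # Slower content inspection, reached only when the first level defers.
    return Verdict.DENY if b"password=" in frame.payload else Verdict.ALLOW

def build_chain() -> SecurityDevice:
    inner = SecurityDevice("device2", [second_level])
    return SecurityDevice("device1", [first_level], next_device=inner)
```

Adding an nth device is a matter of giving `device2` its own `next_device`; the path list shows how far down the hierarchy each frame travelled.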
Specification