Secure network proxy for connecting entities

US 6,003,084 A
Filed: 09/13/1996
Issued: 12/14/1999
Est. Priority Date: 09/13/1996
Status: Expired due to Term

First Claim

Patent Images

1. A network communication session manager comprising:

a connection manager that responds to an entity requesting a connection to a remote responding entity by simultaneously establishing a transparent session connection operable at a plurality of distinct protocol layers, between the communication session manager and the requesting entity;

a security monitor, operatively coupled to the connection manager that monitors communication from the requesting entity for conformance to predefined conditions and wherein the connection manager, responsive to the security monitor establishes an independent connection to the responding entity; and

a relay, operatively coupled to the connection manager, that relays communication between the requesting entity and the responding entity when both connections are operative, and wherein the relay operates at or below the plurality of distinct protocol layers.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A proxy which is part of a firewall program controls exchanges of information between two application entities. The proxy interrogates attempts to establish a communication session by requesting entities with a server entity in lower layers in accordance with defined authentication procedures. The proxy interfaces with networking software to direct a communication stack to monitor connection requests to any address on specific ports. The requestor'"'"'s address, and the server'"'"'s address are checked against an access control list. If either address is invalid, the proxy closes the connection. If both are valid, a new connection is setup such that both the requestor and server are transparently connected to the proxy with variable higher levels being connected in a relay mode. Protocol data units are interrogated for conformance to a protocol session, and optionally further decoded to add additional application specific filtering. In one embodiment, an OSI architecture comprises the levels.

411 Citations

29 Claims

1. A network communication session manager comprising:
- a connection manager that responds to an entity requesting a connection to a remote responding entity by simultaneously establishing a transparent session connection operable at a plurality of distinct protocol layers, between the communication session manager and the requesting entity;
  
  a security monitor, operatively coupled to the connection manager that monitors communication from the requesting entity for conformance to predefined conditions and wherein the connection manager, responsive to the security monitor establishes an independent connection to the responding entity; and
  
  a relay, operatively coupled to the connection manager, that relays communication between the requesting entity and the responding entity when both connections are operative, and wherein the relay operates at or below the plurality of distinct protocol layers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The network communication session manager of claim 1 wherein the connection manager responds to the requesting entity and further wherein the security monitor identifies protocol and security violations on a first layer and responds on a plurality of distinct protocol layers.
  - 3. The network communication session manager of claim 2 wherein Open Systems Interconnect (OSI) communication is implemented and wherein the relay operates at an OSI transport layer.
  - 4. The network communication session manager of claim 3 wherein the security monitor monitors protocol information and data (PDUs) at the OSI transport, session, presentation and application layers and the relay relays such PDUs to the responding entity.
  - 5. The network communication session manager of claim 2 wherein the plurality of distinct layers includes a presentation layer, a session layer and a transport layer and wherein the connection manager rejects a remote responding entity by generating a response at the presentation layer, the session layer, and the transport layer.
  - 6. The network communication session manager of claim 2 wherein the plurality of distinct layers includes a presentation layer, a session layer and a transport layer and wherein the connection manager rejects a remote responding entity by generating a presentation layer P_-- CONNECT response, a session layer S-CONNECT response, and a transport layer T-DATA response.
  - 7. The network communication session manager of claim 1 and further comprising a connection monitor that monitors connection time and detects and responds to session failure conditions.
  - 8. The network communication session manager of claim 1 wherein the communication session manager acts as an RFC-1006 proxy for Open System Interconnect (OSI) application which employ Association Control Service Elements (ACSE) and Remote Operations Service Elements (ROSE).

9. A network communication session manager comprising:
- a connection manager that responds to a requesting entity for a connection to a remote device and transparently, and sinultaneously, establishes an independent connection operable at a plurality of distant protocol layers, between the network communication session manager and the remote device;
  
  a security monitor, operatively coupled to the connection manager that monitors and selectively modifies data communicated from the requesting entity for conformance to supported protocol standards and adherence to a defined security policy; and
  
  a relay, operatively coupled to the connection manger, that relays communication between the requesting entity and the remote device when both connections are operative, wherein the relay operates under the control of the security monitor, and further wherein the relay operates at or below the plurality of distinct protocol layers.

10. A method of ensuring secure communications between a requesting application entity and a serving application entity by use of a proxy therebetween, comprising:
- responding to an entity requesting a connection to the serving application entity;
  
  establishing a transparent session connection operable at a plurality of layers, between the proxy and the requesting entity;
  
  monitoring, at a plurality of distinct layer, communication from the requesting entity for conformance to a selected communication protocol; and
  
  relaying communication between the requesting entity and the serving entity responsive to the conformance to the selected communication protocol, and further wherein the relay operates at or below the plurality of distinct layers.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method of claim 10 and further comprising:
    - checking an address of the requesting entity against a list of authorized addresses; and
      
      modifying the response to the requesting entity based on the check.
  - 12. The method of claim 11 wherein checking, modifying and responsing are performed at any of a plurality of layers of a communication protocol, and wherein relaying is performed at different layers of the communication protocol.
  - 13. The method of claim 10 wherein monitoring communication from the requesting entity for conformance to a selected communication protocol includes monitoring for conformance to Open Systems Interconnect (OSI) communication protocol.
  - 14. The method of claim 13 wherein monitoring includes monitoring at an OSI transport layer.
  - 15. The method of claim 10 and further comprising monitoring connection time and responding to session failure conditions.

16. A storage medium having a computer program stored thereon for causing a suitably programmed system to ensure communications between a requesting application entity and a serving application entity, by performing the following steps when such program is executed on the system:
- responding to an entity requesting a connection to the serving application entity;
  
  establishing a transparent session connection operable at a plurality of layers, between the system and the requesting entity;
  
  monitoring, at a plurality of distinct protocol layers, communication from the requesting entity for conformance to a selected communication protocol; and
  
  relaying communication between the requesting entity and the serving entity responsive to the conformance to the selected communication protocol, and further wherein the relay operates at or below the plurality of distinct protocol layers.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The storage medium of claim 16 and further comprising programming for causing the system to perform the steps of:
    - checking an address of the requesting entity against a list of authorized addresses; and
      
      modifying the response to the requesting entity based on the check.
  - 18. The storage medium of claim 17 wherein programming causes the system to perform checking, modifying and responding for any of a plurality of layers of a communication protocol, and wherein relaying is performed at different layers of the communication protocol.
  - 19. The storage medium of claim 16 wherein monitoring communication from the requesting entity for conformance to a selected communication protocol includes monitoring for conformance to Open Systems Interconnect (OSI) communication protocol.
  - 20. The storage medium of claim 19 wherein monitoring includes monitoring at an OSI transport layer.
  - 21. The storage medium of claim 16 and further comprising programming for monitoring connection time and responding to session failure conditions.

22. A network communication controller, comprising:
- a processor;
  
  a memory coupled to the processor;
  
  a communications device operatively coupled to the processor and to the memory, wherein the communications device provides any of a plurality of communication connections; and
  
  a firewall module operatively coupled to the processor that implements with the processor a communications protocol that controls communication at a plurality of distinct protocol layers, between a requestor and a server via the communications device, wherein the firewall module further comprises;
  
  a connection manger that responds to the requestor requesting a connection to the server and establishes a transparent session connection between the communication controller and the requestor;
  
  an interrogator, operatively coupled to the connection manager that monitors communication from the requestor for conformance to a selected communication protocol; and
  
  a relay, operatively coupled to the connection manager and to the server, that relays communication between the requestor and the server under the control of the connection manager and further wherein the relay operates at or below the plurality of distinct protocol layers.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29)
- - 23. The network communication controller of claim 22 wherein the communication protocol is a dual stack communication protocol which places communication between the processor and the server and the processor and the requestor in first and second burbs respectively.
  - 24. The network communication controller of claim 23 wherein the communication controller is operative in a multilayer communication system and wherein the connection manager responds to the requestor and further wherein the security monitor identifies protocol and security violations on a first layer and responds on a plurality of distinct protocol layers.
  - 25. The communication controller of claim 24 wherein the communication system is Open Systems Interconnect (OSI) communication architecture and wherein the relay operates at an OSI transport layer.
  - 26. The communication controller of claim 25 wherein the interrogator monitors protocol information and data (PDUs) at an OSI transport layer and the relay relays such PDUs to the server.
  - 27. The communication controller of claim 22 wherein the connection manager establishes a session connection between the communication controller and the requestor, and also established a session connection between the communication controller and the server.
  - 28. The communication controller of claim 27 and wherein the firewall module further comprises a connection monitor that monitors connection time and detects and responds to session failure conditions.
  - 29. The communication controller of claim 22 wherein the communication controller acts as an RFC-1006 proxy for Open System Interconnect (OSI) applications which employ Association Control Service Elements (ACSE) and Remote Operations Service Elements (ROSE).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
Secure Computing Corporation (McAfee, LLC)
Inventors
Kruse, Ricky Ronald, Green, Michael W.
Primary Examiner(s)
Maung, Zarni
Assistant Examiner(s)
Ovedovitz, David M

Application Number

US08/713,424
Time in Patent Office

1,187 Days
Field of Search

395/187.01, 395/188.01, 709/224, 709/225, 709/227, 709/228, 709/230, 709/203, 709/219
US Class Current

709/227
CPC Class Codes

H04L 63/0281   Proxies

H04L 67/14   Session management for real...

H04L 69/24   Negotiation of communicatio...

H04L 69/32   Architecture of open system...

H04L 69/326   in the transport layer [OSI...

H04L 69/327   in the session layer [OSI l...

H04L 69/328   in the presentation layer [...

H04L 9/40   Network security protocols

Secure network proxy for connecting entities

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

411 Citations

29 Claims

Specification

Use Cases

Quick Links

Others

Secure network proxy for connecting entities

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

411 Citations

29 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others