Network gateway mechanism having a protocol stack proxy
First Claim
1. A system for evaluating a data packet using a network operating system, comprising:
- a protocol layer proxy stored in a kernel memory and executed in a kernel mode of said network operating system; and
- a sequence of instructions stored in said kernel memory and executed in the kernel mode configured to cause a processor under control of said network operating system to execute the steps of:
- evaluating said data packet in said protocol layer proxy in the kernel mode to determine whether said data packet satisfies a predetermined condition; and
- passing said data packet from said protocol layer proxy to a protocol stack that is outside the kernel mode of said network operating system only if said data packet satisfies said predetermined condition.
Abstract
A system for a network gateway that provides computer data security using a protocol stack proxy is disclosed. The system evaluates data that arrives at a computer system that is executing a network operating system. The system comprises a protocol stack proxy, coupled between a device driver on the computer system that is configured to receive the data from a network and deliver the data according to a first protocol associated with a first network layer, and one or more components of the network operating system that receive packets according to the first protocol. The protocol stack proxy has one or more protocol proxy layers configured to (A) receive the data from the device driver; (B) pass the data to a second network layer that is higher than the first network layer; (C) evaluate the data to determine whether the data satisfies a predetermined criteria; and (D) if the data satisfies the predetermined criteria, to (D1) pass the data to the first network layer, and (D2) transmit the data to the one or more components of the network operating system.
50 Claims
1. A system for evaluating a data packet using a network operating system, comprising:
a protocol layer proxy stored in a kernel memory and executed in a kernel mode of said network operating system; and a sequence of instructions stored in said kernel memory and executed in the kernel mode configured to cause a processor under control of said network operating system to execute the steps of: evaluating said data packet in said protocol layer proxy in the kernel mode to determine whether said data packet satisfies a predetermined condition; and passing said data packet from said protocol layer proxy to a protocol stack that is outside the kernel mode of said network operating system only if said data packet satisfies said predetermined condition. (Dependent claims: 2, 3, 4, 5, 6)
7. A system for evaluating a data packet using a network operating system, comprising:
a protocol layer proxy in a kernel memory of said network operating system; and a sequence of instructions stored in said kernel memory configured to cause a processor under control of said network operating system to execute the steps of: evaluating said data packet in said protocol layer proxy to determine whether said data packet satisfies a predetermined condition; passing said data packet from said protocol layer proxy to said network operating system only if said data packet satisfies said predetermined condition; an initial security policy defining said condition of said data packet to be evaluated and coupled to said protocol layer proxy; a security policy decision tree in said kernel memory structured as a binary tree and comprising as nodes thereof said security policy and at least a second security policy. (Dependent claim: 8)
9. A system for evaluating a data packet using a network operating system comprising:
a protocol layer proxy in a kernel memory of said network operating system; and a sequence of instructions stored in said kernel memory configured to cause a processor under control of said network operating system to execute the steps of: evaluating said data packet in said protocol layer proxy to determine whether said data packet satisfies a predetermined condition; passing said data packet from said protocol layer proxy to said network operating system only if said data packet satisfies said predetermined condition; an initial security policy defining said condition of said data packet to be evaluated and coupled to said protocol layer proxy; a network adapter card coupled to said processor; and a security policy decision tree in said kernel memory organized as a binary tree and comprising said security policy and a second security policy associated with said network adapter card. (Dependent claims: 10, 11, 12, 13, 14)
15. A system for evaluating a data packet using a network operating system, comprising:
a protocol layer proxy in a kernel memory of said network operating system, and a sequence of instructions stored in said kernel memory configured to cause a processor under control of said network operating system to execute the steps of: evaluating said data packet in said protocol layer proxy to determine whether said data packet satisfies a predetermined condition; passing said data packet from said protocol layer proxy to said network operating system only if said data packet satisfies said predetermined condition; wherein said sequence of instructions further comprises instructions configured to cause said processor to execute the step of identifying said protocol layer proxy as a device driver to said network operating system.
16. A system for evaluating a data packet using a network operating system, comprising:
a protocol layer proxy in a kernel memory of said network operating system; and a sequence of instructions stored in said kernel memory configured to cause a processor under control of said network operating system to execute the steps of: evaluating said data packet in said protocol layer proxy to determine whether said data packet satisfies a predetermined condition; passing said data packet from said protocol layer proxy to said network operating system only if said data packet satisfies said predetermined condition; wherein said sequence of instructions further comprises instructions configured to cause said processor to execute the step of instructing said network operating system that said protocol layer proxy is a network device.
17. A system for evaluating a data packet using a network operating system, comprising:
a protocol layer proxy in a kernel memory of said network operating system; and a sequence of instructions stored in said kernel memory configured to cause a processor under control of said network operating system to execute the steps of: evaluating said data packet in said protocol layer proxy to determine whether said data packet satisfies a predetermined condition; passing said data packet from said protocol layer proxy to said network operating system only if said data packet satisfies said predetermined condition; wherein said sequence of instructions further comprises instructions configured to cause said processor to execute the step of instructing a device driver coupled to said network operating system that said protocol layer proxy is a transport layer for said device driver.
18. A system for evaluating data that arrives at a computer system that is executing a network operating system, comprising:
a protocol stack proxy stored in a kernel memory and executed in a kernel mode of the network operating system and coupled between (a) a device driver on said computer system that is configured to receive said data from a network and deliver said data according to a first protocol associated with a first network layer and (b) a component of said network operating system that receives packets according to said first protocol; said protocol stack proxy including a proxy layer configured to (i) receive said data from said device driver; (ii) pass said data to a second network layer that is higher than said first network layer; and (iii) evaluate said data to determine whether said data satisfies a predetermined criteria, and if so, pass said data to a protocol stack of the network operating system that is executed outside the kernel mode. (Dependent claim: 19)
20. A system for evaluating data that arrives at a computer system that is executing a network operating system, comprising:
a protocol stack proxy coupled between (a) a device driver on said computer system that is configured to receive said data from a network and deliver said data according to a first protocol associated with a first network layer and (b) a component of said network operating system that receives packets according to said first protocol; said protocol stack proxy including a proxy layer configured to (i) receive said data from said device driver; (ii) pass said data to a second network layer that is higher than said first network layer; and (iii) evaluate said data to determine whether said data satisfies a predetermined criteria; an application layer proxy in an application memory of said computer system; a first security policy coupled to said protocol stack proxy and defining said criteria; a second security policy defining a second condition of an application protocol of said data to be evaluated; and wherein said protocol stack proxy is configured to pass said data to said application layer proxy only if said data complies with said second security policy.
21. A system for evaluating data that arrives at a computer system that is executing a network operating system, comprising:
a protocol stack proxy coupled between (a) a device driver on said computer system that is configured to receive said data from a network and deliver said data according to a first protocol associated with a first network layer and (b) a component of said network operating system that receives packets according to said first protocol; said protocol stack proxy including a proxy layer configured to (i) receive said data from said device driver; (ii) pass said data to a second network layer that is higher than said first network layer; and (iii) evaluate said data to determine whether said data satisfies a predetermined criteria; a security policy decision tree in a kernel memory of said computer system and structured as a binary tree and comprising as nodes thereof said security policy and at least a second security policy. (Dependent claims: 22, 23, 24, 25, 26, 27)
28. A system for evaluating data that arrives at a computer system that is executing a network operating system comprising:
a protocol stack proxy coupled between (a) a device driver on said computer system that is configured to receive said data from a network and deliver said data according to a first protocol associated with a first network layer and (b) a component of said network operating system that receives packets according to said first protocol; said protocol stack proxy including a proxy layer configured to (i) receive said data from said device driver; (ii) pass said data to a second network layer that is higher than said first network layer; and (iii) evaluate said data to determine whether said data satisfies a predetermined criteria; wherein said protocol stack proxy is configured to identify said proxy layer as said device driver to said network operating system.
29. A method for evaluating data that arrives at a computer system that is executing a network operating system, comprising the steps of:
establishing in a kernel memory of said computer system a protocol stack proxy that is executed in kernel mode of the network operating system and that is coupled between (a) a device driver on said computer system that is configured to receive said data from a network and deliver said data according to a first protocol associated with a first network layer and (b) a component of said network operating system that receives packets according to said first protocol; with a proxy layer in said protocol stack proxy, receiving said data from said device driver; passing said data to a second network layer that is higher than said first network layer; determining whether said data satisfies a predetermined criteria; passing said data to a protocol stack of the network operating system that is executed outside the kernel mode when the data satisfies the predetermined criteria. (Dependent claims: 30, 31)
32. A method for evaluating data that arrives at a computer system that is executing a network operating system, comprising the steps of:
establishing in a memory of said computer system a protocol stack proxy coupled between (a) a device driver on said computer system that is configured to receive said data from a network and deliver said data according to a first protocol associated with a first network layer and (b) a component of said network operating system that receives packets according to said first protocol; with a proxy layer in said protocol stack proxy, receiving said data from said device driver; passing said data to a second network layer that is higher than said first network layer; evaluating said data to determine whether said data satisfies a predetermined criteria; wherein said computer system further comprises a security policy in said memory and coupled to said protocol stack proxy and defining said criteria; establishing an application layer proxy in an application memory of said computer system coupled to said protocol stack proxy; establishing a second security policy in said memory defining a second condition of an application protocol of said data to be evaluated; and passing said data to said application layer proxy only if said data complies with said second security policy.
33. A method for evaluating data that arrives at a computer system that is executing a network operating system, comprising the steps of:
establishing in a memory of said computer system a protocol stack proxy coupled between (a) a device driver on said computer system that is configured to receive said data from a network and deliver said data according to a first protocol associated with a first network layer and (b) a component of said network operating system that receives packets according to said first protocol; with a proxy layer in said protocol stack proxy, receiving said data from said device driver; passing said data to a second network layer that is higher than said first network layer; evaluating said data to determine whether said data satisfies a predetermined criteria; wherein said computer system further comprises a security policy in said memory and coupled to said protocol stack proxy and defining said criteria; establishing a security policy decision tree in a kernel memory of said computer system structured as a binary tree and comprising as nodes thereof said security policy and at least a second security policy. (Dependent claims: 34, 35, 36, 37, 38, 39)
40. A method for evaluating data that arrives at a computer system that is executing a network operating system, comprising the steps of:
establishing in a memory of said computer system a protocol stack proxy coupled between (a) a device driver on said computer system that is configured to receive said data from a network and deliver said data according to a first protocol associated with a first network layer and (b) a component of said network operating system that receives packets according to said first protocol; with a proxy layer in said protocol stack proxy receiving said data from said device driver; passing said data to a second network layer that is higher than said first network layer; evaluating said data to determine whether said data satisfies a predetermined criteria; further comprising the step of communicating from said protocol stack proxy to said network operating system an identification that said proxy layer is said device driver.
41. A system for evaluating data that arrives at a computer system that is executing a network operating system, comprising:
a protocol stack proxy coupled between a device driver on the computer system that is executed in kernel mode of the network operating system and configured to receive the data from a network and deliver the data according to a first protocol associated with a first network layer; and one or more components of the network operating system that receive packets according to the first protocol; the protocol stack proxy including one or more protocol proxy layers, each proxy layer associated with one of the network layers, configured to:
(A) receive the data from the device driver;
(B) pass the data to a proxy layer associated with a second network layer that is higher than the first network layer;
(C) evaluate the data to determine whether the data satisfies a predetermined criteria; and
(D) if the data satisfies the predetermined criteria, to (D1) pass the data to the proxy layer associated with the first network layer, and (D2) transmit the data to the one or more components of the network operating system.
42. A system for evaluating a data packet using a network operating system, comprising:
an application layer proxy in an application memory of said network operating system; a protocol layer proxy stored in a kernel memory and executed in a kernel mode of said network operating system, and coupled to the application layer proxy; and a sequence of instructions stored in said kernel memory and executed in the kernel mode configured to cause a processor under control of said network operating system to execute the steps of: evaluating said data packet in said protocol layer proxy in the kernel mode to determine whether said data packet satisfies a predetermined condition; passing said data packet from said protocol layer proxy to a protocol stack that is outside the kernel mode of said network operating system only if said data packet satisfies said predetermined condition; passing the data packet to the application layer proxy when information in the data packet includes a request for an application layer service.
43. A computer-readable medium carrying one or more sequences of instructions for evaluating data that arrives at a computer system that is executing a network operating system, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
establishing in a kernel memory of said computer system a protocol stack proxy that is executed in kernel mode of the network operating system and that is coupled between (a) a device driver on said computer system that is configured to receive said data from a network and deliver said data according to a first protocol associated with a first network layer and (b) a component of said network operating system that receives packets according to said first protocol; with a proxy layer in said protocol stack proxy, receiving said data from said device driver; passing said data to a second network layer that is higher than said first network layer; determining whether said data satisfies a predetermined criteria; passing said data to a protocol stack of the network operating system that is executed outside the kernel mode when the data satisfies the predetermined criteria. (Dependent claims: 44, 45, 46, 47, 48, 49, 50)
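The gateway described in the abstract and in claims 1, 7 and 9, as an added Python model that is not part of the patent or of any product built on it: a stand-in for the kernel-mode proxy receives each packet from the driver, walks a binary security policy decision tree whose nodes are policies (one of them tied to the adapter card that delivered the packet), and hands the packet to the user-mode protocol stack only when the tree admits it. The tree-walk semantics, the Packet fields, the policy predicates, the adapter names and the addresses are assumptions constructed for this example; the fail-closed handling of an evaluation error is the editor's addition, not something the claims specify.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class Packet:
    """Constructed packet summary as the proxy sees it after parsing the lower layers."""
    adapter: str      # adapter that delivered it (claim 9 ties a policy to the adapter card)
    src_ip: str
    dst_port: int

@dataclass
class Policy:
    """A security policy: a named predicate that is True when the packet complies."""
    name: str
    complies: Callable[[Packet], bool]

@dataclass
class PolicyNode:
    """Node of the binary security policy decision tree (claims 7, 9, 21 and 33)."""
    policy: Policy
    on_pass: Optional["PolicyNode"] = None   # consulted next when the policy is satisfied
    on_fail: Optional["PolicyNode"] = None   # consulted next when it is not

def evaluate_tree(node: Optional[PolicyNode], pkt: Packet) -> Tuple[bool, List[str]]:
    """Assumed tree semantics: each policy's result selects the child consulted next;
    when that child is absent the result is final. An empty tree admits nothing."""
    path, verdict = [], False
    while node is not None:
        path.append(node.policy.name)
        verdict = node.policy.complies(pkt)
        node = node.on_pass if verdict else node.on_fail
    return verdict, path

class ProtocolStackProxy:
    """Stand-in for the kernel-mode proxy sitting between the device driver and the OS stack."""
    def __init__(self, root: PolicyNode):
        self.root = root
        self.passed_to_stack: List[Packet] = []        # handed on to the user-mode stack
        self.dropped: List[Tuple[Packet, str]] = []    # never reach the OS stack

    def receive_from_driver(self, pkt: Packet) -> bool:
        # Fail closed: a packet that breaks policy evaluation is treated as non-compliant.
        try:
            ok, path = evaluate_tree(self.root, pkt)
        except Exception as exc:
            ok, path = False, ["error:" + type(exc).__name__]
        if ok:
            self.passed_to_stack.append(pkt)
        else:
            self.dropped.append((pkt, " > ".join(path)))
        return ok

# Constructed sample policies and tree; adapter names and addresses are placeholders.
BLOCKED_SOURCES = {"203.0.113.9"}
internal_adapter = Policy("internal_adapter", lambda p: p.adapter == "eth_internal")
external_ports = Policy("external_ports", lambda p: 0 < p.dst_port < 65536 and p.dst_port in {80, 443})
not_blocked = Policy("not_blocked", lambda p: p.src_ip not in BLOCKED_SOURCES)
# Traffic from any other adapter must satisfy the port policy; every branch ends in the source check.
ROOT = PolicyNode(internal_adapter, on_pass=PolicyNode(not_blocked),
                  on_fail=PolicyNode(external_ports, on_pass=PolicyNode(not_blocked)))
```

The recorded path of policies consulted for each dropped packet is what a defender would log to explain a verdict without re-running the tree.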