Firewall security apparatus for high-speed circuit switched networks
First Claim
Patent Images
1. A firewall security apparatus for high-speed circuit switched networks deployed between an external circuit switched network and an internal circuit switched network for preventing unauthorized communications between the external and internal circuit switched networks, while permitting authorized communications, comprising:
- an external network transceiver having means for receiving incoming protocol data units (PDUs) from the external circuit switched network and transforming the physical line characteristics of the PDUs on the external circuit switched network media to a digital bit stream protocol data units and having means for receiving digital bit stream PDUs, transforming the received digital bit stream PDUs to the physical line characteristics of the external circuit switched network media, and transmitting the PDUs on the external circuit switched network;
an internal network transceiver having means for receiving incoming PDUs from the internal circuit switched network and transforming the physical line characteristics of the PDUs on the internal circuit switched network media to a digital bit stream PDUs and having means for receiving digital bit stream PDUs, transforming the received digital bit stream PDUs to the physical line characteristics of the internal circuit switched network media, and transmitting the PDUs on the internal circuit switched network;
a flow switch for switching the communications between the external and internal circuit switched networks on command, connected in series between said external network transceiver and said internal network transceiver, and having means for receiving commands, having means for receiving digital bit stream PDUs from said external network transceiver, causing the digital bit stream PDUs received from said external network transceiver to be transmitted to said internal network transceiver, and causing said internal network transceiver to transform the digital bit stream PDUs received from said external network transceiver to the physical line characteristics of the internal circuit switched network media and to transmit them on the internal circuit switch network on command and having means for receiving digital bit stream PDUs from said internal network transceiver, causing the digital bit stream PDUs received from said internal network transceiver to be transmitted to said external network transceiver, and causing said external network transceiver to transform the digital bit stream PDUs received from said internal network transceiver to the physical line characteristics of the external circuit switched network media and to transmit them on the external circuit switch network on command;
a firewall database for storing a list of all approved external circuit switched network and internal circuit switched network approved link level identifiers and endpoints and a list of link level identifiers identified as containing signalling messages and control information; and
a firewall controller for controlling communications between the external and internal circuit switched networks,having a set of active connection management rules for determining under what circumstances communications between the external and internal circuit switched networks are authorized;
having means for receiving the digital bit stream PDUs from said external network transceiver and said internal network transceiver;
having means for determining if the digital bit stream PDU received is control information, commanding said flow switch to transmit the digital bit stream PDU to the external circuit switched network for digital bit stream PDUs received from the internal circuit switched network and to the internal circuit switched network for digital bit stream PDUs received from the external circuit switched network, processing the control information to obtain routing and configuration information, and writing the routing and the configuration information to said firewall database, when the digital bit stream PDU is control information;
having means for determining if the digital bit stream PDU received is part of a signaling message, reassembling the signaling message, determining if the signaling message is a connection request signaling message, determining if the signaling message is a connection deletion signaling message, commanding said flow switch to transmit the digital bit stream PDU to the external circuit switched network for digital bit stream PDUs received from the internal circuit switched network and to the internal circuit switched network for digital bit stream PDUs received from the external circuit switched network when the digital bit stream PDU is a signaling message, removing the entry from the list of all approved external circuit switched network and internal circuit switched network approved link level identifiers and endpoints in said firewall database associated with the connection deletion signaling messages when the digital bit stream is a connection deletion signaling message, and adding a link level identifier entry to the list of all approved external circuit switched network and internal circuit switched network approved link level identifiers and endpoints in said firewall database associated with the connection request signaling messages when the link level identifier is authorized under said set of active connection management rules, when the digital bit stream PDU is a connection request signaling message; and
having means for determining if the digital bit stream PDU received is data, determining if the digital bit stream PDU is listed as approved in said firewall database, and commanding said flow switch to transmit the digital bit stream PDU to the external circuit switched network for digital bit stream PDUs received from the internal circuit switched network and to the internal circuit switched network for digital bit stream PDUs received from the external circuit switched network when the digital bit stream PDU is listed as approved in said firewall database.
2 Assignments
0 Petitions
Accused Products
Abstract
A network firewall security apparatus that enables a very high degree of traffic selectability yet avoids the usual performance penalty associated with firewalls. This approach is specific to high-speed circuit switched networks, Asynchronous Transfer Mode (ATM) networks in particular. Security management is achieved through active connection management with authentication, better suited to the cell-based environment of high-speed circuit switched networks and to the mix of circuit switched traffic, where Internet Protocol (IP) datagrams comprise a fraction of the total traffic. The information in the signaling cells is used to determine which flows, rather than which individual cells, are allowed to pass through the firewall. A hierarchical method has been devised, in which the physical location of the interrelated components may be decoupled. Active connection management is applied in determining the approval of a connection based on signaling information and network state information. Once a flow has been validated, the cells associated with that flow are allowed to proceed through the firewall at line-speed with limited intervention and no performance degradation.
-
Citations
16 Claims
-
1. A firewall security apparatus for high-speed circuit switched networks deployed between an external circuit switched network and an internal circuit switched network for preventing unauthorized communications between the external and internal circuit switched networks, while permitting authorized communications, comprising:
-
an external network transceiver having means for receiving incoming protocol data units (PDUs) from the external circuit switched network and transforming the physical line characteristics of the PDUs on the external circuit switched network media to a digital bit stream protocol data units and having means for receiving digital bit stream PDUs, transforming the received digital bit stream PDUs to the physical line characteristics of the external circuit switched network media, and transmitting the PDUs on the external circuit switched network; an internal network transceiver having means for receiving incoming PDUs from the internal circuit switched network and transforming the physical line characteristics of the PDUs on the internal circuit switched network media to a digital bit stream PDUs and having means for receiving digital bit stream PDUs, transforming the received digital bit stream PDUs to the physical line characteristics of the internal circuit switched network media, and transmitting the PDUs on the internal circuit switched network; a flow switch for switching the communications between the external and internal circuit switched networks on command, connected in series between said external network transceiver and said internal network transceiver, and having means for receiving commands, having means for receiving digital bit stream PDUs from said external network transceiver, causing the digital bit stream PDUs received from said external network transceiver to be transmitted to said internal network transceiver, and causing said internal network transceiver to transform the digital bit stream PDUs received from said external network transceiver to the physical line characteristics of the internal circuit switched network media and to transmit them on the internal circuit switch network on command and having means for receiving digital bit stream PDUs from said internal network transceiver, causing the digital bit stream PDUs received from said internal network transceiver to be transmitted to said external network transceiver, and causing said external network transceiver to transform the digital bit stream PDUs received from said internal network transceiver to the physical line characteristics of the external circuit switched network media and to transmit them on the external circuit switch network on command; a firewall database for storing a list of all approved external circuit switched network and internal circuit switched network approved link level identifiers and endpoints and a list of link level identifiers identified as containing signalling messages and control information; and a firewall controller for controlling communications between the external and internal circuit switched networks, having a set of active connection management rules for determining under what circumstances communications between the external and internal circuit switched networks are authorized; having means for receiving the digital bit stream PDUs from said external network transceiver and said internal network transceiver; having means for determining if the digital bit stream PDU received is control information, commanding said flow switch to transmit the digital bit stream PDU to the external circuit switched network for digital bit stream PDUs received from the internal circuit switched network and to the internal circuit switched network for digital bit stream PDUs received from the external circuit switched network, processing the control information to obtain routing and configuration information, and writing the routing and the configuration information to said firewall database, when the digital bit stream PDU is control information; having means for determining if the digital bit stream PDU received is part of a signaling message, reassembling the signaling message, determining if the signaling message is a connection request signaling message, determining if the signaling message is a connection deletion signaling message, commanding said flow switch to transmit the digital bit stream PDU to the external circuit switched network for digital bit stream PDUs received from the internal circuit switched network and to the internal circuit switched network for digital bit stream PDUs received from the external circuit switched network when the digital bit stream PDU is a signaling message, removing the entry from the list of all approved external circuit switched network and internal circuit switched network approved link level identifiers and endpoints in said firewall database associated with the connection deletion signaling messages when the digital bit stream is a connection deletion signaling message, and adding a link level identifier entry to the list of all approved external circuit switched network and internal circuit switched network approved link level identifiers and endpoints in said firewall database associated with the connection request signaling messages when the link level identifier is authorized under said set of active connection management rules, when the digital bit stream PDU is a connection request signaling message; and having means for determining if the digital bit stream PDU received is data, determining if the digital bit stream PDU is listed as approved in said firewall database, and commanding said flow switch to transmit the digital bit stream PDU to the external circuit switched network for digital bit stream PDUs received from the internal circuit switched network and to the internal circuit switched network for digital bit stream PDUs received from the external circuit switched network when the digital bit stream PDU is listed as approved in said firewall database. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeThe United States of America As Represented By The Director National Security Agency
-
Original AssigneeThe United States of America As Represented By The Director National Security Agency
-
InventorsMchenry, John Thomas, Dowd, Patrick William
-
Primary Examiner(s)Beausoliel, Jr., Robert W.
-
Assistant Examiner(s)Iqbal, Nadeem
-
Application NumberUS09/059,041Time in Patent Office932 DaysField of Search713/200, 713/201, 713/202, 707/7, 707/9, 707/10, 380/4, 380/25, 380/23, 364/286.4, 364/286.5, 364/286.6, 340/825.34, 340/825.31, 395/200.31, 395/200.55, 395/200.68US Class Current726/11CPC Class CodesH04L 63/0254 Stateful filteringH04L 63/08 for authentication of entit...
