Internal network node with dedicated firewall

US 6,317,837 B1
Filed: 09/01/1998
Issued: 11/13/2001
Est. Priority Date: 09/01/1998
Status: Expired due to Term

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A network arrangement comprising a first group of nodes defining an internal network and a second group of nodes defining an external network, said external network being connected in communication with said internal network by an intermediate node including a bastion firewall for protecting the nodes of the internal network from unauthorized communication originating at external nodes, the improvement comprising said internal network including,(a) a network attached device (NAD), and (b) a NAD node at which must be received every request for network access to said NAD initially originated at any other node of the network arrangement, said NAD node including computer readable medium having computer-executable instructions that perform the steps of, (i) receiving at said NAD node a request for network access to said NAD, (ii) determining whether the request for network access to said NAD is authorized, (iii) providing network access to said NAD when a request is authorized, and (iv) denying network access to said NAD when a request is not authorized,

said NAD thereby being protected by a dedicated NAD firewall at said NAD node from unauthorized network access requests originating at said intermediate and internal and external nodes of the network arrangement.

View all claims

17 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

A network attached device server for implementing a network attached device and firewall management system (NADFW-MS). The NADFW-MS provides a multiple direction firewall that is dedicated for the protection of one or more associated NADs. The firewall is considered to be multiple directional because it filters data packets based on the network interface used to transport the data packets. The firewall is also able to filter data packets based on any other information contained in a data packet header. A data packet that does not penetrate the firewall is discarded and the reason for discarding the data packet is recorded in a log file. A data packet that does pass through the firewall is sent to a data management system that is responsible for providing access to the appropriate associated NAD. The data management system uses network protocol programs and interface mechanisms to process the data packet and to communicate the data packet to the appropriate NAD. The data management system may also function as a proxy server and generate a new data packet that is forwarded to another NAD server.

174 Citations

90 Claims

1. A network arrangement comprising a first group of nodes defining an internal network and a second group of nodes defining an external network, said external network being connected in communication with said internal network by an intermediate node including a bastion firewall for protecting the nodes of the internal network from unauthorized communication originating at external nodes, the improvement comprising said internal network including,(a) a network attached device (NAD), and (b) a NAD node at which must be received every request for network access to said NAD initially originated at any other node of the network arrangement, said NAD node including computer readable medium having computer-executable instructions that perform the steps of, (i) receiving at said NAD node a request for network access to said NAD, (ii) determining whether the request for network access to said NAD is authorized, (iii) providing network access to said NAD when a request is authorized, and (iv) denying network access to said NAD when a request is not authorized,
- said NAD thereby being protected by a dedicated NAD firewall at said NAD node from unauthorized network access requests originating at said intermediate and internal and external nodes of the network arrangement.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 2. The network arrangement of claim 1, wherein said NAD communicates directly with said NAD node without going over said internal network.
  - 3. The network arrangement of claim 1, wherein said NAD node comprises a NAD server connected with said NAD for communication directly therebetween without going over said internal network.
  - 4. The network arrangement of claim 1, wherein said NAD is accessible only through said NAD node.
  - 5. The network arrangement of claim 1, wherein said NAD node comprises a plurality of network protocol programs for accepting requests for network access from multiple heterogeneous network nodes.
  - 6. The network arrangement of claim 1, wherein said NAD node includes a NAD interface mechanism for communicating authorized requests for network access to said NAD.
  - 7. The network arrangement of claim 1, wherein said NAD node comprises said NAD.
  - 8. The network arrangement of claim 1, wherein said computer-executable instructions comprise distributed program modules.
  - 9. The network arrangement of claim 1, wherein said computer-executable instructions comprise a firewall component that wraps the dedicated firewall exclusively around the NAD and a data management component that accepts authorized requests for network access from the firewall component and provides the requested network access.
  - 10. The network arrangement of claim 1, wherein said NAD node comprises a NAD server including a computer processing unit and motherboard.
  - 11. The network arrangement of claim 10, wherein said NAD is connected directly to a port of said motherboard.
  - 12. The network arrangement of claim 10, wherein said NAD is connected directly to a NAD interface plugged into said motherboard.
  - 13. The network arrangement of claim 10, wherein said NAD does not communicate with said NAD server through a network interface.
  - 14. The network arrangement of claim 10, wherein said NAD server is a proxy server for a second NAD server to which said NAD directly is connected.
  - 15. The network arrangement of claim 10, wherein said NAD server provides access to a plurality of NADs.
  - 16. The network arrangement of claim 1, wherein said NAD is disposed in communication with said NAD node.
  - 17. The network arrangement of claim 16, wherein said NAD communicates with said NAD node without going over said internal network.
  - 18. The network arrangement of claim 1, wherein each request for network access is contained in a data packet.
  - 19. The network arrangement of claim 18, wherein said step of determining whether the request for network access is authorized comprises filtering the data packet based on IP addresses and other information contained in a header of the data packet.
  - 20. The network arrangement of claim 19, wherein said step of determining whether the request for network access is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete, the information relating to the network source, destination, and route of the data packet.
  - 21. The network arrangement of claim 20, further comprising the step of determining whether the information in the header of the data packet indicates that the data packet arrived via an authorized network interface.
  - 22. The network arrangement of claim 20, further comprising the step of determining whether the header of the data packet contains a valid source address.
  - 23. The network arrangement of claim 20, further comprising the step of determining whether the header of the accepted data packet contains a valid destination address.
  - 24. The network arrangement of claim 20, further comprising the steps of,(a) determining whether the header of the data packet contains information identifying a proper port of said NAD;
    - (b) passing the data packet to the proper port; and
      
      (c) at the proper port, using a network protocol program and an interface mechanism to provide the requested network access to said NAD.
  - 25. The network arrangement of claim 1, wherein said NAD comprises a storage drive.
  - 26. The network arrangement of claim 25, wherein said storage drive comprises a ZIP drive.
  - 27. The network arrangement of claim 25, wherein said storage drive comprises a JAZ drive.
  - 28. The network arrangement of claim 25, wherein said storage drive comprises a CD-ROM drive.
  - 29. The network arrangement of claim 25, wherein said storage drive comprises a DVD drive.
  - 30. The network arrangement of claim 25, wherein said storage drive comprises an optical drive.
  - 31. The network arrangement of claim 25, wherein said storage drive comprises a tape drive.
  - 32. The network arrangement of claim 25, wherein said storage drive comprises a hard drive.
  - 33. The network arrangement of claim 1, wherein said NAD comprises a printer.
  - 34. The network arrangement of claim 1, wherein said NAD comprises an audio device.
  - 35. The network arrangement of claim 1, wherein said NAD comprises a video device.
  - 36. The network arrangement of claim 1, wherein said NAD comprises a facsimile machine.

37. A method of managing access to a network attached device (NAD) in a network arrangement including a first group of nodes defining an internal network and a second group of nodes defining an external network, the external network being connected in communication with the internal network by an intermediate node including a bastion firewall for protecting the nodes of the internal network from unauthorized communication originating at external nodes, the internal network including the NAD, the method comprising the steps of:
- (a) determining for each and every request for network access to the NAD whether each request for network access to said NAD is authorized, (b) providing network access to said NAD when a request is authorized, and (c) denying network access to said NAD when a request is not authorized, whereby the NAD is protected by a dedicated NAD firewall from unauthorized network access requests originating at the intermediate and internal and external nodes of the network arrangement.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57)
- - 38. The method of claim 37, wherein each request for network access is contained in a data packet.
  - 39. The method of claim 38, wherein said step of determining whether the request for network access is authorized comprises filtering the data packet based on IP addresses and other information contained in a header of the data packet.
  - 40. The method of claim 38, wherein said step of determining whether the request for network access is authorized comprises determining whether information in a header of a received data packet containing the request for network access is complete, the information relating to the network source, destination, and route of the data packet.
  - 41. The method of claim 40, further comprising the step of determining whether the information in the header of the data packet indicates that the data packet arrived via an authorized network interface.
  - 42. The method of claim 40, further comprising the step of determining whether the header of the data packet contains a valid source address.
  - 43. The method of claim 40, further comprising the step of determining whether the header of the data packet contains a valid destination address.
  - 44. The method of claim 40, further comprising the steps of,
45. The method of claim 37, wherein said NAD comprises a storage drive.
46. The method of claim 45, wherein said storage drive comprises a ZIP drive.
47. The method of claim 45, wherein said storage drive comprises a JAZ drive.
48. The method of claim 45, wherein said storage drive comprises a CD-ROM drive.
49. The method of claim 45, wherein said storage drive comprises a DVD drive.
50. The method of claim 45, wherein said storage drive comprises an optical drive.
51. The method of claim 45, wherein said storage drive comprises a tape drive.
52. The method of claim 45, wherein said storage drive comprises a hard drive.
53. The method of claim 37, wherein said NAD comprises a printer.
54. The method of claim 37, wherein said NAD comprises an audio device.
55. The method of claim 37, wherein said NAD comprises a video device.
56. The method of claim 37, wherein said NAD comprises a facsimile machine.
57. The method of claim 37, wherein said NAD comprises an audio-visual device.

58. An apparatus comprising an internal node of an internal network of a network arrangement, said internal node including a network attached device (NAD) and a computer with computer readable media having computer-executable instructions that perform the steps of,(a) communicating with the network, including receiving requests for network access to the NAD, (b) determining whether each request for network access to said NAD is authorized, (c) providing network access to said NAD when a request is authorized, and (d) denying network access to said NAD when a request is not authorized, said NAD thereby being protected from unauthorized network access by a dedicated firewall of the apparatus.
- View Dependent Claims (59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78)
- - 59. The apparatus of claim 58, wherein said NAD comprises a storage drive.
  - 60. The apparatus of claim 59, wherein said storage drive comprises a ZIP drive.
  - 61. The apparatus of claim 59, wherein said storage drive comprises a JAZ drive.
  - 62. The apparatus of claim 59, wherein said storage drive comprises a CD-ROM drive.
  - 63. The apparatus of claim 59, wherein said storage drive comprises a DVD drive.
  - 64. The apparatus of claim 59, wherein said storage drive comprises an optical drive.
  - 65. The apparatus of claim 59, wherein said storage drive comprises a tape drive.
  - 66. The apparatus of claim 59, wherein said storage drive comprises a hard d rive.
  - 67. The apparatus of claim 58, wherein said NAD comprises a printer.
  - 68. The apparatus of claim 58, wherein said NAD comprises an audio device.
  - 69. The apparatus of claim 58, wherein said NAD comprises a video device.
  - 70. The apparatus of claim 58, wherein said NAD comprises a facsimile machine.
  - 71. The apparatus of claim 58, wherein said computer-executable instructions comprise a firewall component that wraps the dedicated firewall exclusively around the NAD and a data management component that accepts authorized requests for network access from the firewall component and provides the requested network access.
  - 72. The apparatus of claim 58, wherein each request for network access is contained in a data packet.
  - 73. The apparatus of claim 72, wherein said step of determining whether the request for network access is authorized comprises filtering the data packet based on IP addresses and other information contained in a header of the data packet.
  - 74. The apparatus of claim 72, wherein said step of determining whether the request for network access is authorized comprises determining whether information in a header of a received data packet containing the request for network access is complete, the information relating to the network source, destination, and route of the data packet.
  - 75. The apparatus of claim 74, further comprising the step of determining whether the information in the header of the data packet indicates that the data packet arrived via an authorized network interface.
  - 76. The apparatus of claim 74, further comprising the step of determining whether the header of the data packet contains a valid source address.
  - 77. The apparatus of claim 74, further comprising the step of determining whether the header of the data packet contains a valid destination address.
  - 78. The apparatus of claim 74, further comprising the steps of,(a) determining whether the header of the data packet contains information identifying a proper port of said NAD;
    - (b) passing the data packet to the proper port; and
      
      (c) at the proper port, using a network protocol program and an interface mechanism to provide the requested network access to said NAD.

79. An apparatus comprising an internal node of an internal network of a network arrangement, said internal node including a CD-ROM server with computer readable media having computer-executable instructions that perform the steps of,(a) communicating with the network, including receiving requests for network access to a CD, (b) determining whether each request for network access to said CD is authorized, (c) providing network access to said CD when a request is authorized, and (d) denying network access to said CD when a request is not authorized, said CD-ROM server thereby being protected from unauthorized network access by a dedicated firewall of the apparatus.
- View Dependent Claims (85, 86, 87, 88, 89, 90)
- - 85. The apparatus of claims 79, 80, 81, 82, 83, or 84, wherein each request for network access is contained in a data packet.
  - 86. The apparatus of claim 85, wherein said step of determining whether the request for network access is authorized comprises filtering the data packet based on IP addresses and other information contained in a header of the data packet.
  - 87. The apparatus of claim 85, wherein said step of determining whether the request for network access is authorized comprises, determining whether information in a header of a received data packet containing the request for network access is complete, the information relating to the network source, destination, and route of the data packet.
  - 88. The apparatus of claim 87, further comprising the step of determining whether the information in the header of the data packet indicates that the data packet arrived via an authorized network interface.
  - 89. The apparatus of claim 87, further comprising the step of determining whether the header of the data packet contains a valid source address.
  - 90. The apparatus of claim 87, further comprising the step of determining whether the header of the data packet contains a valid destination address.

80. An apparatus comprising an internal node of an internal network of a network arrangement, said internal node including a network storage server with computer readable media having computer-executable instructions that perform the steps of,(a) communicating with the network, including receiving requests for network access to network storage, (b) determining whether each request for network access to said network storage is authorized, (c) providing network access to said network storage when a request is authorized, and (d) denying network access to said network storage when a request is not authorized, said network storage server thereby being protected from unauthorized network access by a dedicated firewall of the apparatus.

81. An apparatus comprising an internal node of an internal network of a network arrangement, said internal node including an audio device and computer readable media having computer-executable instructions that perform the steps of,(a) communicating with the network, including receiving requests for network access to functions of said audio device, (b) determining whether each request for network access is authorized, (c) providing the requested network access when a request is authorized, and (d) denying the requested network access when a request is not authorized, said audio device thereby being protected from unauthorized network access by a dedicated firewall of the apparatus.

82. An apparatus comprising an internal node of an internal network of a network arrangement, said internal node including a video device and computer readable media having computer-executable instructions that perform the steps of,(a) communicating with the network, including receiving requests for network access to functions of said video device, (b) determining whether each request for network access is authorized, (c) providing the requested network access when a request is authorized, and (d) denying the requested network access when a request is not authorized, said video device thereby being protected from unauthorized network access by a dedicated firewall of the apparatus.

83. An apparatus comprising an internal node of an internal network of a network arrangement, said internal node including a facsimile machine and computer readable media having computer-executable instructions that perform the steps of,(a) communicating with the network, including receiving requests for network access to functions of said facsimile machine, (b) determining whether each request for network access is authorized, (c) providing the requested network access when a request is authorized, and (d) denying the requested network access when a request is not authorized, said facsimile machine thereby being protected from unauthorized network access by a dedicated firewall of the apparatus.

84. An apparatus comprising an internal node of an internal network of a network arrangement, said internal node including a printer and computer readable media having computer-executable instructions that perform the steps of,(a) communicating with the network, including receiving requests for network access to functions of said printer, (b) determining whether each request for network access is authorized, (c) providing the requested network access when a request is authorized, and (d) denying the requested network access when a request is not authorized, said printer thereby being protected from unauthorized network access by a dedicated firewall of the apparatus.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
FireNet Technologies, LLC (IP Investments Group LLC)
Original Assignee
ApplianceWare, LLC
Inventors
Kenworthy, Stacy
Primary Examiner(s)
Choules, Jack
Assistant Examiner(s)
CHANNAVAJJALA, SRIRAMA T

Application Number

US09/144,954
Time in Patent Office

1,169 Days
Field of Search

709/217-218, 709/225-229, 709/245, 709/249-250, 709/238, 709/231, 705/42-44, 705/54, 705/56, 705/66-67, 705/71, 713/150, 713/152-153, 713/200-202, 713/159-160, 707/9-10, 707/100-104, 707/200-205, 380/277-286, 380/45, 380/30, 340/825.29, 340/825.31, 340/825.34
US Class Current

726/11
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

G06F 21/6218   to a system of files or obj...

H04L 63/0209   Architectural arrangements,...

H04L 63/0218   Distributed architectures, ...

H04L 63/0281   Proxies

Y10S 707/99939   Privileged access

Internal network node with dedicated firewall

First Claim

17 Assignments

Litigations

0 Petitions

Accused Products

Abstract

174 Citations

90 Claims

Specification

Solutions

Use Cases

Quick Links

Internal network node with dedicated firewall

First Claim

17 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

174 Citations

90 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links