System and method for redirecting network traffic to provide secure communication

US 6,321,336 B1
Filed: 03/13/1998
Issued: 11/20/2001
Est. Priority Date: 03/13/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method of securing communication between an external network and a processor operating on an internal network, the method comprising the steps of:

receiving a communication from an internal network host, the communication including a first destination address;

creating a session control block and storing therein the first destination address;

replacing the first destination address with a second destination address identifying a location of a communication security firewall;

routing the communication to the security firewall through a stack after the first destination address is replaced with the second destination address;

performing a security check to determine if the communication is authorized;

accessing the session control block to retrieve the first destination address;

replacing the second destination address with the first destination address if the communication is authorized;

if authorized, routing the communication to the processor operating on the external network; and

associating communication from an external host directed at the security firewall to the internal network host.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A communication security system is described which uses a server to communicate to an unprotected network, such as the Internet. The system intercepts an IP packet prior to stack incursion and replaces the destination address with that of a firewall'"'"'s network interface address. Because of the modification to the IP header destination address, an IP header checksum is recalculated prior to presentation to the local stack. The system uses a shim to replace the destination address and store the original destination address. When a communication is authorized, the firewall performs a system call to retrieve the original destination address such that the data communication can be routed to the indented destination address.

350 Citations

20 Claims

1. A method of securing communication between an external network and a processor operating on an internal network, the method comprising the steps of:
- receiving a communication from an internal network host, the communication including a first destination address;
  
  creating a session control block and storing therein the first destination address;
  
  replacing the first destination address with a second destination address identifying a location of a communication security firewall;
  
  routing the communication to the security firewall through a stack after the first destination address is replaced with the second destination address;
  
  performing a security check to determine if the communication is authorized;
  
  accessing the session control block to retrieve the first destination address;
  
  replacing the second destination address with the first destination address if the communication is authorized;
  
  if authorized, routing the communication to the processor operating on the external network; and
  
  associating communication from an external host directed at the security firewall to the internal network host.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the step of creating a session control block includes storing an external host destination address.
  - 3. The method of claim 2 wherein the step of creating a session control block includes storing a destination address and port number and a source address and port number.
  - 4. The method of claim 1 wherein the step of replacing the first destination address includes the step of replacing a check sum included in the communication after the step of replacing the first destination address.
  - 5. The method of claim 1 wherein the step of replacing the first destination address is performed in a shim prior to routing the communication via the security firewall.
  - 6. The method of claim 1 wherein the firewall includes an access control list of rules that regulate flow of communications through the firewall and wherein the step of performing a security check includes the step of accessing a rule as a function of the first destination address.

7. A method of securing communication between an external network and a processor operating on an internal network, the method comprising the steps of:
- receiving a communication from the external network, the communication including a first destination address, and a first header check sum;
  
  using a shim located between a stack and a network interface adapter to identify an appropriate session control block;
  
  identifying an IP address of an internal host using the identified session control block;
  
  routing the communication to the security firewall through a TCP/IP stack;
  
  performing a security check of the communication to determine if the communication is authorized; and
  
  if the communication is authorized, routing the communication to the processor operating on the internal network.
- View Dependent Claims (8)
- - 8. The method of claim 7 wherein the step of routing includes the steps of;

9. A data communication system comprising:
- at least one internal work station coupled to an internal network; and
  
  a processor coupled to the internal network and an external network for controlling communications therebetween, wherein the processor includes an address modifier to replace a first internal destination address included in an externally received data communication with a second destination address identifying a location of a communication security firewall, and store the first destination address for later retrieval.
- View Dependent Claims (10, 11, 12)
- - 10. The data communication system of claim 9 wherein the processor includes a network driver and a network driver interface, and wherein the address modifier includes a network interface adapter used to capture the externally received data communication.
  - 11. The data communication system of claim 9 wherein the processor stores the first destination address in a session control block which can be accessed by the security firewall using a system call.
  - 12. The data communication system of claim 9 wherein the processor recalculates and substitutes a header check sum which is included in the externally received data communication.

13. A network interface computer coupled to first and second networks, the network interface computer comprising:
- a processor for controlling data communication between the first and second networks, the processor is operable to receive a communication from the second network including a first destination address of a work station on the second network, replace the first destination address with a second destination address identifying a location of a communication security firewall operating on the processor, and route the communication to the security firewall where it can be determined if the communication is authorized, the processor is further operable to replace the second destination address with the first destination address if the communication is authorized, and route the communication to an internal receiver on the network.
- View Dependent Claims (14, 15, 16)
- - 14. The network interface computer of claim 13 wherein the processor is operable to store the first destination address for later retrieval by the security firewall using a system call.
  - 15. The network interface computer of claim 13 wherein the processor routes the communication to the security firewall through a TCP/IP stack after the first destination address is replaced with the second destination address.
  - 16. The network interface computer of claim 13 wherein the processor is operable to recalculate and replace a header check sum included in the communication after the first destination address is replaced.

17. Computer-readable medium having computer-executable instructions to a cause a computer connected to an internal and an external network to perform steps comprising:
- receiving a communication from an external source via the external network, the communication includes both a header specifying a first destination address of an internal receiver on the internal network, and a header check sum;
  
  using a network interface adapter, replacing the first destination address with a second destination address specifying a location of a communication security firewall;
  
  storing the first destination address for later retrieval;
  
  routing the communication to the security firewall through a TCP/IP stack;
  
  performing a security check of the communication to determine if the communication is authorized;
  
  replacing the second destination address with the first destination address if the communication is authorized;
  
  replacing the header check sum after the first destination address is replaced; and
  
  routing the communication to the internal receiver on the network.

18. A firewall for securing traffic between an internal and an external network, comprising:
- a network interface;
  
  a network driver connected to the network interface;
  
  an application level proxy;
  
  a protocol stack connected to the application level proxy; and
  
  a network driver interface, connected to the protocol stack and the network driver, wherein the network driver interface includes means for modifying an address of network traffic to redirect the traffic up the protocol stack to the application level proxy.
- View Dependent Claims (19, 20)
- - 19. The firewall of claim 18 wherein the network driver interface includes means for modifying a header check sum of network traffic redirected up the protocol stack to the application level proxy.
  - 20. The firewall of claim 19 wherein the network driver interface includes means for storing an unmodified address and header check sum of network traffic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
Secure Computing Corporation (McAfee, LLC)
Inventors
Applegate, John, Romatoski, Jeff
Primary Examiner(s)
Etienne, Ario
Assistant Examiner(s)
Backer, Firmin

Application Number

US09/042,293
Time in Patent Office

1,348 Days
Field of Search

713/200, 713/201, 713/150-153, 713/154, 713/162, 713/152, 709/227, 709/229, 709/226, 370/401, 370/392
US Class Current

726/11
CPC Class Codes

H04L 63/02 for separating internal fro...

System and method for redirecting network traffic to provide secure communication

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

350 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for redirecting network traffic to provide secure communication

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

350 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links