System and method for network access control using adaptive proxies

US 6,728,885 B1
Filed: 10/08/1999
Issued: 04/27/2004
Est. Priority Date: 10/09/1998
Status: Expired due to Fees

First Claim

Patent Images

1. A method of providing security to a computer network, comprising:

receiving a first communication packet from an outside network through a physical communication connection between the computer network and the outside network, wherein the packet includes header information and content information, the content information including application-layer information;

filtering the packet in one of at least two levels of security comprising a first level of security which examines the content information of the first packet and a second level of security which examines the first packet excluding the content information therein; and

determining the level of security which one of the at least two security level filtering to apply based on, in part, the header information of the first packet, thereby providing an appropriate level of security to the computer network.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system and computer program for providing multilevel security to a computer network. The method comprises the step of receiving a first communication packet on at least one network interface port from an outside network. The method further includes the steps of filtering the first packet in one of at least two levels of security comprising a first level of security which examines the content information of the packet and a second level of security which examines the first packet excluding the content information of the packet. The system includes a first packet filter configured to filter its input packets by examining content information of its packets and a second packet filter configured to filter its input packets by examining the header information without examining the content information of its packets. The system further includes a third filter which is configured to forward a number of packets to one of the first and second filters, thereby providing security to the computer network. The computer program includes a first module located in an application layer, a second module located in a network layer, and a third module located in a kernel space and configured to examine a number of packets received by the computer network from at least one outside network and to forward the number of packets to one of the first and second modules after examining the number of packets.

Citations

29 Claims

1. A method of providing security to a computer network, comprising:
- receiving a first communication packet from an outside network through a physical communication connection between the computer network and the outside network, wherein the packet includes header information and content information, the content information including application-layer information;
  
  filtering the packet in one of at least two levels of security comprising a first level of security which examines the content information of the first packet and a second level of security which examines the first packet excluding the content information therein; and
  
  determining the level of security which one of the at least two security level filtering to apply based on, in part, the header information of the first packet, thereby providing an appropriate level of security to the computer network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 further comprising:
3. The method of claim 2 further comprising:
- if the data communication connection is determined to be established, then establishing a data communication connection between the computer network and the outside network; and
  
  determining which one of the at least two security level filters to apply to any additional packet received from through the data connection subsequent to the first packet.
4. The method of claim 3 further comprising:
- applying one of the at least two security level filters decided by the determining to any additional packet received through the data connection subsequent to the first packet.
5. The method of claim 3 further comprising:
- disconnecting the data communication connection when a packet configured to disconnect the connection is received through the physical connection.
6. The method of claim 2 further comprising:
- discarding the first packet if the connection is not approved.
7. The method of claim 1 further comprising:
- if the first packet is a packet configured to establish a communication connection between the computer network and the outside network and if the physical connection through which the first packet was received is not registered to be filtered at the first security level;
  
  then determining whether to apply a filter of the second security level to the first packet based on at least one attribute of the physical connection, wherein the attribute of the physical connection includes an interface port on which the packet was received, a destination address and a source address of the packet.
8. The method of claim 7 further comprising:
- if the decision by the determining is to apply a filter of the second security level, then applying the filter to the first packet; and
  
  if the decision by the determining is not to apply a filter of the second security level, then applying a filter of the first security level to the first packet.
9. The method of claim 1 further comprising:
- if the physical connection through which the first packet was received has established a data communication therethrough, then determining whether to apply a filter of the second security level to the first packet based on at least one attribute of the physical connection, wherein the attribute of the physical connection includes an interface port on which the packet was received, a destination address and a source address of the packet.
10. The method of claim 9 further comprising:
- if the decision by the determining is to apply a filter of the second security level, then applying the filter to the first packet; and
  
  if the decision by the determining is not to apply a filter of the second security level, then forwarding the first packet to its destination.
11. The method of claim 1 further comprising:
- if the first packet is not a packet configured to establish a communication connection between the computer network and the outside network, if the physical connection through which the first packet was received has not established a data communication therethrough, and determining whether to apply a filter of the second security level to the first packet based on at least one attribute of the physical connection, wherein the attribute of the physical connection includes an interface port on which the packet was received, a destination address and a source address of the packet.
12. The method of claim 11 further comprising:
- if the decision by the determining is to apply a filter of the second security level, then applying the filter to the first packet; and
  
  if the decision by the determining is not to apply a filter of the second security level, then applying a filter of the first security level to the first packet.

13. A computer readable medium storing a computer security program configured to provide security to a computer network when the program is executed by a computer processor, the program comprising:
- a first module located in an application layer and configured to filter packets received thereon based on application-layer information;
  
  a second module located in a network layer and configured to filter packets received thereon; and
  
  a third module located in a kernel space and configured to examine a plurality of packets received by the computer network from at least one outside network and to forward the plurality of packets to one of the first and second modules after examining the plurality of packets, thereby providing security to the computer network.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The program in the computer readable medium of claim 13 wherein the first and third module are further configured to communicate with each other through a socket interface configured to send information therebetween.
  - 15. The program in the computer readable medium of claim 14 further including a bind function configured to register the first module to a physical connection between the computer network and the at least one outside network.
  - 16. The program in the computer readable medium of claim 15 further including a listen function configured to instruct the third module to look for a packet configured to establish a data communication through the registered physical connection.
  - 17. The program in the computer readable medium of claim 16 further including an accept function configured to instruction the third module to forward an attribute information of a packet configured to establish a data communication through the registered physical connection, wherein the attribute information of the packet includes at least one of an interface port on which the packet was received, a destination address and a source address of the packet.
  - 18. The program in the computer readable medium of claim 17 further including a connect function configured to establish a data communication connection between the computer network and at least one of outside networks based on the attribute information compared with a configuration information file.
  - 19. The program in the computer readable medium of claim 18 further including a closesocket function configured to disconnect the data communication connection when a packet configured to disconnect the data connection is received therethrough.
  - 20. The program in the computer readable medium of claim 18 wherein the configuration information file comprises a plurality of connection rules to determine whether to allow the data communication connection based on the attribute information.

21. A firewall for providing security to a computer network by filtering packets including header information and content information, comprising:
- a first filter configured to filter its input packets by examining content information therein the content information including application-layer information;
  
  a second filter configured to filter its input packets by examining the header information without examining the content information therein; and
  
  a third filter coupled to the first and second filters and configured to receive a plurality of packets arriving at the firewall, wherein the third filter is further configured to forward the plurality of packets to one of the first and second filters, thereby providing security to the computer network.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28)
- - 22. The firewall of claim 21 further includes network interface card placed between the third filter and at least one outside network and configured to provide a physical connection therebetween, wherein the network interface card includes a plurality of interface ports designating each of the physically connected at least one outside network.
  - 23. The firewall of claim 22 wherein the first and third filters are coupled via a socket to allow communication therebetween and the socket is configured to allow the first filter to designate which one of the plurality of interface ports are to be registered.
  - 24. The firewall of claim 23 wherein the socket is further configured to allow the third filter to send attribute information of a communication establishing packet received through one of the registered interface ports.
  - 25. The firewall of claim 24 wherein first filter is further configured to determined whether to allow a data communication connection on the registered interface port on which the communication establishing packet was received.
  - 26. The firewall of claim 25 wherein the socket is further configured to allow the first filter to communicate with the third filter relating to whether the data communication was allowed.
  - 27. The firewall of claim 26 wherein the third filter is further configured to establish the data communication connection and allow any subsequently received packets of the data communication connection to be filtered by one of the first and second filters.
  - 28. The firewall of claim 27 wherein the third filter is further configured to disconnect the data communication connection upon receiving a disconnecting packet through the connection.

29. A method of providing security to a computer network, comprising:
- receiving a first communication packet from an outside network through a physical communication connection between the computer network and the outside network, wherein the packet includes header information and content information, the content information including application-layer information;
  
  filtering the packet in one of at least two levels of security comprising a first level of security which examines the content information of the first packet and a second level of security which examines the first packet excluding the content information therein;
  
  determining which one of the at least two security level filtering to apply based on, in part, the header information of the first packet, thereby providing an appropriate level of security to the computer network if the first packet is a packet configured to establish a communication connection between the computer network and the outside network, and if the physical connection through which the first packet was received is registered to be filtered at the first security level, then determining at the first security level whether to establish the data communication connection based on at least one attribute of the physical connection, wherein the attribute of the physical connection includes an interface port on which the packet was received, a destination address and a source address of the packet;
  
  if the data communication connection is determined to be established, then establishing a data communication connection between the computer network and the outside network, and determining which one of the at least two security level filters to apply to any additional packet received from through the data connection subsequent to the first packet;
  
  applying one of the at least two security level filters decided by the determining to any additional packet received through the data connection subsequent to the first packet;
  
  disconnecting the data communication connection when a packet configured to disconnect the connection is received through the physical connection;
  
  discarding the first packet if the connection is not approved;
  
  if the first packet is a packet configured to establish a communication connection between the computer network and the outside network, and if the physical connection through which the first packet was received is not registered to be filtered at the first security level, then determining whether to apply a filter of the second security level to the first packet based on at least one attribute of the physical connection, wherein the attribute of the physical connection includes an interface port on which the packet was received, a destination address and a source address of the packet;
  
  if the decision by the determining is to apply a filter of the second security level, then applying the filter to the first packet, and if the decision by the determining is not to apply a filter of the second security level, then applying a filter of the first security level to the first packet;
  
  if the physical connection through which the first packet was received has established a data communication therethrough, then determining whether to apply a filter of the second security level to the first packet based on at least one attribute of the physical connection, wherein the attribute of the physical connection includes an interface port on which the packet was received, a destination address and a source address of the packet;
  
  if the decision by the determining is to apply a filter of the second security level, then applying the filter to the first packet, and if the decision by the determining is not to apply a filter of the second security level, then forwarding the first packet to its destination;
  
  if the first packet is not a packet configured to establish a communication connection between the computer network and the outside network, if the physical connection through which the first packet was received has not established a data communication therethrough, and determining whether to apply a filter of the second security level to the first packet based on at least one attribute of the physical connection, wherein the attribute of the physical connection includes an interface port on which the packet was received, a destination address and a source address of the packet; and
  
  if the decision by the determining is to apply a filter of the second security level, then applying the filter to the first packet, and if the decision by the determining is not to apply a filter of the second security level, then applying a filter of the first security level to the first packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, Inc. (McAfee, LLC)
Original Assignee
Networks Associates Technology, Inc. (McAfee, LLC)
Inventors
Tajalli, Homayoon, Taylor, Kevin R., Murugesan, Ganesh
Primary Examiner(s)
Barron, Gilberto
Assistant Examiner(s)
NOBAHAR, ABDULHAKIM

Application Number

US09/414,711
Time in Patent Office

1,663 Days
Field of Search

713/201, 713/200, 709/238, 709/249
US Class Current

726/24
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/0281   Proxies

H04L 63/104   Grouping of entities

System and method for network access control using adaptive proxies

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for network access control using adaptive proxies

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links