System and method for network access control using adaptive proxies
First Claim
1. A method of providing security to a computer network, comprising:
receiving a first communication packet from an outside network through a physical communication connection between the computer network and the outside network, wherein the packet includes header information and content information, the content information including application-layer information;
filtering the packet in one of at least two levels of security comprising a first level of security which examines the content information of the first packet and a second level of security which examines the first packet excluding the content information therein; and
determining which one of the at least two security level filters to apply based on, in part, the header information of the first packet, thereby providing an appropriate level of security to the computer network.
3 Assignments
0 Petitions
Abstract
A method, system and computer program for providing multilevel security to a computer network. The method comprises the step of receiving a first communication packet on at least one network interface port from an outside network. The method further includes the steps of filtering the first packet in one of at least two levels of security comprising a first level of security which examines the content information of the packet and a second level of security which examines the first packet excluding the content information of the packet. The system includes a first packet filter configured to filter its input packets by examining content information of its packets and a second packet filter configured to filter its input packets by examining the header information without examining the content information of its packets. The system further includes a third filter which is configured to forward a number of packets to one of the first and second filters, thereby providing security to the computer network. The computer program includes a first module located in an application layer, a second module located in a network layer, and a third module located in a kernel space and configured to examine a number of packets received by the computer network from at least one outside network and to forward the number of packets to one of the first and second modules after examining the number of packets.
Citations
29 Claims
1. A method of providing security to a computer network, comprising:
receiving a first communication packet from an outside network through a physical communication connection between the computer network and the outside network, wherein the packet includes header information and content information, the content information including application-layer information;
filtering the packet in one of at least two levels of security comprising a first level of security which examines the content information of the first packet and a second level of security which examines the first packet excluding the content information therein; and
determining which one of the at least two security level filters to apply based on, in part, the header information of the first packet, thereby providing an appropriate level of security to the computer network.
2. The method of claim 1 further comprising:
if the first packet is a packet configured to establish a communication connection between the computer network and the outside network, and if the physical connection through which the first packet was received is registered to be filtered at the first security level, then determining at the first security level whether to establish the data communication connection based on at least one attribute of the physical connection, wherein the attribute of the physical connection includes an interface port on which the packet was received, a destination address and a source address of the packet.
3. The method of claim 2 further comprising:
if the data communication connection is determined to be established, then establishing a data communication connection between the computer network and the outside network; and
determining which one of the at least two security level filters to apply to any additional packet received through the data connection subsequent to the first packet.
4. The method of claim 3 further comprising:
applying one of the at least two security level filters decided by the determining to any additional packet received through the data connection subsequent to the first packet.
5. The method of claim 3 further comprising:
disconnecting the data communication connection when a packet configured to disconnect the connection is received through the physical connection.
6. The method of claim 2 further comprising:
discarding the first packet if the connection is not approved.
7. The method of claim 1 further comprising:
if the first packet is a packet configured to establish a communication connection between the computer network and the outside network, and if the physical connection through which the first packet was received is not registered to be filtered at the first security level, then determining whether to apply a filter of the second security level to the first packet based on at least one attribute of the physical connection, wherein the attribute of the physical connection includes an interface port on which the packet was received, a destination address and a source address of the packet.
8. The method of claim 7 further comprising:
if the decision by the determining is to apply a filter of the second security level, then applying the filter to the first packet; and
if the decision by the determining is not to apply a filter of the second security level, then applying a filter of the first security level to the first packet.
9. The method of claim 1 further comprising:
if the physical connection through which the first packet was received has established a data communication therethrough, then determining whether to apply a filter of the second security level to the first packet based on at least one attribute of the physical connection, wherein the attribute of the physical connection includes an interface port on which the packet was received, a destination address and a source address of the packet.
10. The method of claim 9 further comprising:
if the decision by the determining is to apply a filter of the second security level, then applying the filter to the first packet; and
if the decision by the determining is not to apply a filter of the second security level, then forwarding the first packet to its destination.
11. The method of claim 1 further comprising:
if the first packet is not a packet configured to establish a communication connection between the computer network and the outside network, and if the physical connection through which the first packet was received has not established a data communication therethrough, then determining whether to apply a filter of the second security level to the first packet based on at least one attribute of the physical connection, wherein the attribute of the physical connection includes an interface port on which the packet was received, a destination address and a source address of the packet.
12. The method of claim 11 further comprising:
if the decision by the determining is to apply a filter of the second security level, then applying the filter to the first packet; and
if the decision by the determining is not to apply a filter of the second security level, then applying a filter of the first security level to the first packet.
13. A computer readable medium storing a computer security program configured to provide security to a computer network when the program is executed by a computer processor, the program comprising:
a first module located in an application layer and configured to filter packets received thereon based on application-layer information;
a second module located in a network layer and configured to filter packets received thereon; and
a third module located in a kernel space and configured to examine a plurality of packets received by the computer network from at least one outside network and to forward the plurality of packets to one of the first and second modules after examining the plurality of packets, thereby providing security to the computer network.
21. A firewall for providing security to a computer network by filtering packets including header information and content information, comprising:
a first filter configured to filter its input packets by examining content information therein, the content information including application-layer information;
a second filter configured to filter its input packets by examining the header information without examining the content information therein; and
a third filter coupled to the first and second filters and configured to receive a plurality of packets arriving at the firewall, wherein the third filter is further configured to forward the plurality of packets to one of the first and second filters, thereby providing security to the computer network.
29. A method of providing security to a computer network, comprising:
receiving a first communication packet from an outside network through a physical communication connection between the computer network and the outside network, wherein the packet includes header information and content information, the content information including application-layer information;
filtering the packet in one of at least two levels of security comprising a first level of security which examines the content information of the first packet and a second level of security which examines the first packet excluding the content information therein;
determining which one of the at least two security level filters to apply based on, in part, the header information of the first packet, thereby providing an appropriate level of security to the computer network;
if the first packet is a packet configured to establish a communication connection between the computer network and the outside network, and if the physical connection through which the first packet was received is registered to be filtered at the first security level, then determining at the first security level whether to establish the data communication connection based on at least one attribute of the physical connection, wherein the attribute of the physical connection includes an interface port on which the packet was received, a destination address and a source address of the packet;
if the data communication connection is determined to be established, then establishing a data communication connection between the computer network and the outside network, and determining which one of the at least two security level filters to apply to any additional packet received through the data connection subsequent to the first packet;
applying one of the at least two security level filters decided by the determining to any additional packet received through the data connection subsequent to the first packet;
disconnecting the data communication connection when a packet configured to disconnect the connection is received through the physical connection;
discarding the first packet if the connection is not approved;
if the first packet is a packet configured to establish a communication connection between the computer network and the outside network, and if the physical connection through which the first packet was received is not registered to be filtered at the first security level, then determining whether to apply a filter of the second security level to the first packet based on at least one attribute of the physical connection, wherein the attribute of the physical connection includes an interface port on which the packet was received, a destination address and a source address of the packet;
if the decision by the determining is to apply a filter of the second security level, then applying the filter to the first packet, and if the decision by the determining is not to apply a filter of the second security level, then applying a filter of the first security level to the first packet;
if the physical connection through which the first packet was received has established a data communication therethrough, then determining whether to apply a filter of the second security level to the first packet based on at least one attribute of the physical connection, wherein the attribute of the physical connection includes an interface port on which the packet was received, a destination address and a source address of the packet;
if the decision by the determining is to apply a filter of the second security level, then applying the filter to the first packet, and if the decision by the determining is not to apply a filter of the second security level, then forwarding the first packet to its destination;
if the first packet is not a packet configured to establish a communication connection between the computer network and the outside network, and if the physical connection through which the first packet was received has not established a data communication therethrough, then determining whether to apply a filter of the second security level to the first packet based on at least one attribute of the physical connection, wherein the attribute of the physical connection includes an interface port on which the packet was received, a destination address and a source address of the packet; and
if the decision by the determining is to apply a filter of the second security level, then applying the filter to the first packet, and if the decision by the determining is not to apply a filter of the second security level, then applying a filter of the first security level to the first packet.
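The dispatch procedure that claims 1 through 12 (restated as one sequence in claim 29) spell out, together with the three-module split in the abstract (a kernel-space dispatcher that reads only headers and hands each packet to either an application-layer content filter or a network-layer header filter), as an added worked model. This is illustration written for this page, not code from the patent or from any product built on it. The `Packet` fields, the `proxy_allow` and `header_rules` policy tables, the byte-signature check standing in for a real application-layer proxy, and the rule that a proxy-admitted connection is handed to the header filter for its later packets only when a header rule already accepts it are all assumptions; the addresses are constructed from documentation ranges.

```python
# Added example (not from the patent): a model of the two-level packet dispatch
# that the claims describe. Field names, the policy tables and the toy
# signature-based "content filter" are assumptions made for illustration.
from dataclasses import dataclass, field
from enum import Enum


class Level(Enum):
    CONTENT = 1   # first security level: application-layer (proxy) inspection
    HEADER = 2    # second security level: header-only packet filter


class Verdict(Enum):
    ACCEPT = "accept"
    DROP = "drop"


@dataclass(frozen=True)
class Packet:
    iface: str            # interface port the packet arrived on
    src: str
    dst: str
    dport: int
    syn: bool = False     # packet configured to establish a connection
    fin: bool = False     # packet configured to disconnect it
    payload: bytes = b""  # content information (application-layer data)


def flow_key(p: Packet) -> tuple:
    return (p.iface, p.src, p.dst, p.dport)


@dataclass
class Dispatcher:
    """The kernel-space 'third filter': reads headers only and hands each
    packet to the content filter or the header filter (assumed policy tables)."""
    level1_ifaces: frozenset   # interfaces registered to be filtered at the first level
    proxy_allow: frozenset     # (iface, src, dst) triples the proxy admits (claim 2)
    header_rules: tuple        # ((iface, dst, dport), Verdict) pairs for the header filter
    bad_content: tuple = (b"../", b"<script")  # assumed signatures for the toy content check
    flows: dict = field(default_factory=dict)  # flow_key -> Level chosen for later packets

    # first security level: examines content information
    def content_filter(self, p: Packet) -> Verdict:
        hit = any(sig in p.payload for sig in self.bad_content)
        return Verdict.DROP if hit else Verdict.ACCEPT

    # second security level: examines header information only
    def header_rule(self, p: Packet):
        for match, action in self.header_rules:
            if match == (p.iface, p.dst, p.dport):
                return action
        return None

    def header_filter(self, p: Packet) -> Verdict:
        action = self.header_rule(p)
        return Verdict.DROP if action is None else action   # default deny

    def later_level(self, p: Packet) -> Level:
        # claim 3: a flow the proxy admitted may skip the proxy for its later
        # packets; assumed rule: only when a header rule already accepts it
        return Level.HEADER if self.header_rule(p) is Verdict.ACCEPT else Level.CONTENT

    def dispatch(self, p: Packet) -> Verdict:
        key = flow_key(p)
        if p.fin and key in self.flows:                 # claim 5: tear down
            del self.flows[key]
            return Verdict.ACCEPT
        if key in self.flows:                           # claims 3-4, 9-10
            if self.flows[key] is Level.HEADER:
                return self.header_filter(p)
            return self.content_filter(p)
        if p.syn and p.iface in self.level1_ifaces:     # claims 2, 6
            if (p.iface, p.src, p.dst) not in self.proxy_allow:
                return Verdict.DROP
            self.flows[key] = self.later_level(p)
            return Verdict.ACCEPT
        # claims 7-8 (SYN on an unregistered interface) and 11-12 (no connection,
        # not a SYN): header filter if a header rule covers the packet, else proxy
        if self.header_rule(p) is not None:
            verdict = self.header_filter(p)
        else:
            verdict = self.content_filter(p)
        if p.syn and verdict is Verdict.ACCEPT:
            self.flows[key] = self.later_level(p)
        return verdict


def run_scenario():
    """Constructed traffic (documentation addresses) run through one Dispatcher."""
    fw = Dispatcher(
        level1_ifaces=frozenset({"eth0"}),
        proxy_allow=frozenset({("eth0", "203.0.113.7", "10.0.0.5")}),
        header_rules=((("eth1", "10.0.0.9", 53), Verdict.ACCEPT),),
    )
    web = dict(iface="eth0", src="203.0.113.7", dst="10.0.0.5", dport=8080)
    dns = dict(iface="eth1", src="198.51.100.2", dst="10.0.0.9", dport=53)
    steps = [
        ("syn-eth0-allowed", Packet(**web, syn=True)),
        ("data-eth0-clean", Packet(**web, payload=b"GET /index.html HTTP/1.1")),
        ("data-eth0-traversal", Packet(**web, payload=b"GET /../../etc/passwd HTTP/1.1")),
        ("fin-eth0", Packet(**web, fin=True)),
        ("syn-eth0-unknown-src", Packet("eth0", "198.51.100.2", "10.0.0.5", 8080, syn=True)),
        ("syn-eth1-dns", Packet(**dns, syn=True)),
        ("data-eth1-dns-unseen", Packet(**dns, payload=b"<script>")),  # header level never reads content
        ("stray-eth1-no-conn", Packet("eth1", "198.51.100.2", "10.0.0.9", 22, payload=b"<script>alert(1)")),
    ]
    results = {name: fw.dispatch(p) for name, p in steps}
    return results, fw


if __name__ == "__main__":
    for name, verdict in run_scenario()[0].items():
        print(f"{name:24s} {verdict.value}")
```

The scenario walks each branch of the claims in order: the proxy admits a connection on the registered interface by source, destination and interface alone (claim 2), later packets on that connection go through the content filter and a traversal payload is dropped (claims 3 and 4), the connection is torn down on the disconnect packet (claim 5), an unknown source is discarded (claim 6), a connection on an unregistered interface covered by a header rule is admitted and then served header-only (claims 7 to 10), and a stray packet with no connection and no header rule falls back to content inspection (claims 11 and 12). The `data-eth1-dns-unseen` step is the practical caveat: once a flow is assigned to the second level, its content is never examined, so which interfaces are registered at the first level and which header rules exist is the whole security policy.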
Specification