Method and system for establishing a security perimeter in computer networks

US 6,760,768 B2
Filed: 08/07/2001
Issued: 07/06/2004
Est. Priority Date: 07/30/1996
Status: Expired due to Fees

First Claim

Patent Images

1. A multi-level network security system for a computer device coupled to at least one computer network, comprising:

a first secure network interface unit (SNIU), said first SNIU communicating with other like SNIU devices on a network, wherein components of said network may be individually secure or non-secure, the first SNIU comprising;

a first network interface for receiving first messages sent between a first computer device and said network, said first network interface configured to convert said received first messages to and from a format utilized by said network;

a first message parser configured to determine whether a first association exists between the first SNIU and another SNIU device;

a first session manager coupled to said first network interface and configured to request access to and transmit said first messages to said network, when said first message parser determines said first association exists; and

a first association manager coupled to said first network interface for establishing an association with other like SNIU devices when said first message parser determines said first association does not exist; and

a second SNIU comprising;

a second network interface for receiving second messages sent between a second computer device and said network, said second network interface configured to convert said received second messages to and from a format utilized by said network;

a second message parser configured to determine whether a second association exists between the second SNIU and another SNIU device;

a second session manager coupled to said second network interface and configured to request access to and transmit said second messages to said network, when said second message parser determines said second association exists; and

a second association manager coupled to said second network interface for establishing an association with other like SNIU devices when said second message parser determines said second association does not exist.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A multi-level network security system is disclosed for a computer host device coupled to at least one computer network. The system including a secure network interface Unit (SNIU) contained within a communications stack of the computer device that operates at a user layer communications protocol. The SNIU communicates with other like SNIU devices on the network by establishing an association, thereby creating a global security perimeter for end-to-end communications and wherein the network may be individually secure or non-secure without compromising security of communications within the global security perimeter. The SNIU includes a host/network interface for receiving messages sent between the computer device and network. The interface operative to convert the received messages to and from a format utilized by the network. A message parser for determining whether the association already exists with another SNIU device. A session manager coupled to said network interface for identifying and verifying the computer device requesting access to said network. The session manager also for transmitting messages received from the computer device when the message parser determines the association already exists. An association manager coupled to the host/network interface for establishing an association with other like SNIU devices when the message parser determines the association does not exist.

171 Citations

26 Claims

1. A multi-level network security system for a computer device coupled to at least one computer network, comprising:
- a first secure network interface unit (SNIU), said first SNIU communicating with other like SNIU devices on a network, wherein components of said network may be individually secure or non-secure, the first SNIU comprising;
  
  a first network interface for receiving first messages sent between a first computer device and said network, said first network interface configured to convert said received first messages to and from a format utilized by said network;
  
  a first message parser configured to determine whether a first association exists between the first SNIU and another SNIU device;
  
  a first session manager coupled to said first network interface and configured to request access to and transmit said first messages to said network, when said first message parser determines said first association exists; and
  
  a first association manager coupled to said first network interface for establishing an association with other like SNIU devices when said first message parser determines said first association does not exist; and
  
  a second SNIU comprising;
  
  a second network interface for receiving second messages sent between a second computer device and said network, said second network interface configured to convert said received second messages to and from a format utilized by said network;
  
  a second message parser configured to determine whether a second association exists between the second SNIU and another SNIU device;
  
  a second session manager coupled to said second network interface and configured to request access to and transmit said second messages to said network, when said second message parser determines said second association exists; and
  
  a second association manager coupled to said second network interface for establishing an association with other like SNIU devices when said second message parser determines said second association does not exist.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein at least said first SNIU is contained within a communications stack between a Network layer and a Data Link layer.
  - 3. The system of claim 1, which further includes means coupled to the first SNIU for performing both encryption and decryption functions.
  - 4. The system of claim 3, which further includes means for generating and writing cryptographic residues for outgoing messages and validating cryptographic residues for incoming residues.
  - 5. The system of claim 1, wherein said first session manager is configured to protect the security communications between said first computer device and said network by implementing a security policy selected from a group consisting of discretionary access control, mandatory access control, labeling, denial of service detection, data type integrity, cascading control and covert channel use detection.
  - 6. The system of claim 1, wherein at least said first SNIU further includes means for performing a defined trusted session layer protocol (TSP).
  - 7. The system of claim 1, wherein said SNIUs are configured to exchange security parameters during said first association.
  - 8. The system of claim 1, wherein at least said first SNIU further includes a scheduler coupled between said host/network and said first message parser, said scheduler configured to control the flow of said data within said first SNIU.
  - 9. The system of claim 1, wherein said first association manager is configured to generate two messages in order to establish said first association.
  - 10. The system of claim 1, wherein at least said first SNIU further includes an audit manager coupled to said first association manager and configured to generate audit event messages when a message is received with an invalid authorization code.

11. A method of providing a multi-level network security system for a computer device coupled to at least one computer network, comprising:
- placing a first secure network interface Unit (SNIU) within a communications stack of said computer device, said first SNIU communicating with other like SNIU devices on said network by establishing an association, wherein components of said network may be individually secure or non-secure, and whenever said first SNIU is configured to perform a plurality of security functions including;
  
  receiving said messages sent between said computer device and said network;
  
  converting said received messages to and from a format utilized by said network;
  
  identifying and verifying said computer device requesting access to said network;
  
  determining whether said association exists with another SNIU device;
  
  transmitting said messages received from said computer device when said association exists; and
  
  establishing an association with other like SNIU devices when said association does not exist.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein at least said first SNIU is placed within said communications stack between a Network layer and a Data Link layer.
  - 13. The method of claim 11, which further includes encrypting outgoing messages and decrypting incoming messages of said first SNIU.
  - 14. The method of claim 13, which further includes generating and writing cryptographic residues for outgoing messages and validating cryptographic residues for incoming residues.
  - 15. The method of claim 11, wherein at least said first SNIU protects the security communications between said computer device and said network by implementing a security policy selected from a group consisting of discretionary access control, mandatory access control, labeling, denial of service detection, data type integrity, cascading control and covert channel use detection.
  - 16. The method of claim 11, wherein said SNIU further performs a defined trusted session layer protocol (TSP).
  - 17. The method of claim 11, which further includes generating an audit trail.
  - 18. The method of claim 11, which further includes temporarily storing said received messages from said computer device when said association does not exist.
  - 19. The method of claim 11, wherein said association is established by generating two messages.
  - 20. The method of claim 11 wherein said SNIUs exchange security parameters during said association.

21. A multi-level network security system for a computer device coupled to at least one computer network, comprising:
- means for placing a first secure network interface Unit (SNIU) within a communications stack of said computer device, said first SNIU communicating with other like SNIU devices on said network by establishing an association, wherein components of said network may be individually secure or non-secure, said first SNIU configured to perform a plurality of security functions and comprising;
  
  means for receiving said messages sent between said computer device and said network;
  
  means for converting said received messages to and from a format utilized by said network;
  
  means for identifying and verifying said computer device requesting access to said network;
  
  means for determining whether said association exists with another SNIU device;
  
  means for transmitting said messages received from said computer device when said association exists; and
  
  means for establishing an association with other like SNIU devices when said association does not exist.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The system of claim 21, which further includes means for encrypting outgoing messages and decrypting incoming messages of said first SNIU.
  - 23. The system of claim 22, which further includes means for generating and writing cryptographic residues for outgoing messages and validating cryptographic residues for incoming residues.
  - 24. The system of claim 21, which further includes means for generating an audit trail.
  - 25. The system of claim 21, which further includes means for temporarily storing said received messages from said computer device when said association does not exist.

26. A multi-level network security system for a computer device coupled to at least one computer network, comprising:
- a first secure network interface unit (SNIU) contained within a communications stack between a Network layer and a Data Link layer, said first SNIU communicating with other like SNIU devices on a network, wherein components of said network may be individually secure or non-secure, comprising;
  
  a network interface for receiving messages sent between a computer device and said network, said network interface configured to convert said received messages to and from a format utilized by said network;
  
  a message parser configured to determine whether an association exists between the first SNIU and another SNIU device;
  
  a session manager coupled to said network interface and configured to request access to and transmit said messages to said network, when said message parser determines said association exists; and
  
  an association manager coupled to said network interface for establishing an association with other like SNIU devices when said message parser determines said association does not exist.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Round Rock Research LLC
Original Assignee
Micron Technology, Inc.
Inventors
Nickel, James O., Levin, Stephen E., Wrench, Edwin H., Holden, James M.
Primary Examiner(s)
VU, VIET DUY

Application Number

US09/924,214
Publication Number

US 20020035635A1
Time in Patent Office

1,064 Days
Field of Search

709/203, 709/217, 709/219, 709/223, 709/225, 709/227, 709/228, 709/229, 709/247, 709/250, 713/201
US Class Current

709/227
CPC Class Codes

G06F 21/31   User authentication

G06F 21/606   by securing the transmissio...

G06F 21/85   interconnection devices, e....

G06F 2211/001   In-Line Device

G06F 2211/005   Network, LAN, Remote Access...

G06F 2211/007   Encryption, En-/decode, En-...

G06F 2211/009   Trust

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06F 2221/2153   Using hardware token as a s...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/02   for separating internal fro...

H04L 63/0218   Distributed architectures, ...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0869   for achieving mutual authen...

H04L 63/101   Access control lists [ACL]

H04L 63/105   Multiple levels of security

H04L 63/126   the source of the received ...

H04L 63/14 : for detecting or protecting...

H04L 67/141 : Setup of application sessio...

H04L 67/563 : Data redirection of data ne...

H04L 9/3247 : involving digital signatures

H04L 9/3268 : using certificate validatio...

H04L 9/3273 : for mutual authentication n...

H04L 9/40 : Network security protocols

H04W 12/069 : using certificates or pre-s...

View All

Method and system for establishing a security perimeter in computer networks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

171 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for establishing a security perimeter in computer networks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

171 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links