Firewalls that filter based upon protocol commands

US 6,832,256 B1
Filed: 12/27/1996
Issued: 12/14/2004
Est. Priority Date: 12/27/1996
Status: Expired due to Fees

First Claim

Patent Images

1. A method of controlling data transfers between a first and a second computer network, the method comprising:

monitoring protocol commands by a proxy coupled between the first and second computer networks;

interpreting protocol commands exchanged between the first and second computer networks;

determining the type of protocol being used; and

restricting access to certain resources within the first and second computer networks based on the type of communications protocol being used and the type of protocol commands exchanged between the first and second computer networks, wherein restricting access is determined dynamically based on environmental changes.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data transfer is controlled between a first network and a second network of computers by a firewall-proxy combination. Active interpretation of protocol commands exchanged between the first network and the second network is performed to determine specific actions concerning completion of the protocol request. This active firewall-proxy combination may exist on either the first or second network of computers. This method of control provides centralized control and administration for all potentially reachable resources within a network.

84 Citations

View as Search Results

25 Claims

1. A method of controlling data transfers between a first and a second computer network, the method comprising:
- monitoring protocol commands by a proxy coupled between the first and second computer networks;
  
  interpreting protocol commands exchanged between the first and second computer networks;
  
  determining the type of protocol being used; and
  
  restricting access to certain resources within the first and second computer networks based on the type of communications protocol being used and the type of protocol commands exchanged between the first and second computer networks, wherein restricting access is determined dynamically based on environmental changes.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the restricting access is further based upon network resource constraints of the first and second computer networks.
  - 3. The method of claim 1 wherein the type of communications protocol used between the first and second computer networks includes at least one of the following protocols;
    - Hypertext Transfer Protocol (http), Simple Mail Transfer Protocol (SMTP), Remote Terminal Protocol (Telnet), and File Transfer Protocol (FTP).
  - 4. The method of claim 1 wherein the restricting access is additionally based upon access privileges of a requester of the data transfers.
  - 5. The method of claim 1 wherein the restricting access is additionally based upon a time of day restriction.
  - 6. The method of claim 1 wherein the exchanged protocol commands dynamically determine whether subsequent data transfers are allowed to occur.

7. A method of controlling data transfers between a first computer network and a second computer network, the first computer network includes a client computer and a firewall comprised of two routers and a proxy, the method comprising:
- monitoring actively by a proxy reviewing protocol commands;
  
  receiving by the proxy a request from the client computer to establish a session with the second computer network;
  
  establishing a session with the second computer network by the proxy;
  
  receiving protocol commands after a session is begun by the proxy from the client computer;
  
  determining the type of protocol being used;
  
  selectively allowing certain protocol commands to be transmitted to the second computer network based upon predetermined rules stored within the proxy, wherein said predetermined rules selected based upon the type of protocol being used, and allowing certain protocol commands is dynamically determined based on environmental changes; and
  
  determining completion actions based upon the transmitted protocol commands.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7 wherein the selectively allowing only certain protocol commands to be transmitted to the second computer network is based upon a mode of the data transfers.
  - 9. The method of claim 7 wherein the selectively allowing the protocol commands to be transmitted to the second computer network is based upon network resource constraints of the first computer network.
  - 10. The method of claim 7 wherein the selectively allowing the protocol commands to be transmitted to the second computer network is based upon access attributes associated with a source of the protocol commands.
  - 11. The method of claim 7 wherein the selectively allowing the protocol commands to be transmitted to the second computer network is based upon access attributes associated with a destination of the protocol commands.
  - 12. The method of claim 7 wherein the transmitted protocol commands dynamically determine whether subsequent data transfers are allowed to occur.

13. A method of controlling data transfers between a first computer network and a second computer network, the first computer network includes a client computer and a firewall comprised of two routers and a proxy, the method comprising:
- monitoring actively by a proxy reviewing protocol commands;
  
  receiving by the proxy a request from the client computer to establish a session with the second computer network;
  
  establishing a session with the second computer network by the proxy;
  
  receiving protocol commands by the proxy after a session is begun from the second computer network;
  
  determining the type of protocol being used;
  
  filtering the protocol commands to allow only certain of the protocol commands to be transmitted to the client computer based upon predetermined rules stored within the proxy, wherein said predetermined rules selected based upon the type of protocol being used, and filtering the protocol commands is dynamically determined based on environmental changes; and
  
  determining completion actions based upon the transmitted protocol commands.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The method of claim 13 wherein the filtering the protocol commands is based upon a mode of the data transfer.
  - 15. The method of claim 13 wherein the filtering the protocol commands is based upon resource constraints of the first computer network.
  - 16. The method of claim 13 wherein the filtering the protocol commands is based upon access attributes associated with a source of the protocol commands.
  - 17. The method of claim 13 wherein the filtering the protocol commands is based upon access attributes associated with a destination of the protocol commands.
  - 18. The method of claim 13 wherein the transmitted protocol commands dynamically determine whether subsequent data transfers are allowed to occur.

19. A computer-readable medium comprising program instructions for controlling data transfers between a first computer network and a second computer network by performing the following:
- monitoring protocol commands;
  
  interpreting protocol commands exchanged between the first and second computer networks;
  
  determining completion actions based upon the type of communications protocol being used and the exchanged interpreted protocol commands for restricting access to certain resources within the first and second computer networks.
- View Dependent Claims (20)
- - 20. The computer-readable medium of claim 19 wherein the completion actions dynamically determine whether subsequent data transfers are allowed to occur.

21. An apparatus for controlling data transfer between a first and a second computer network, the apparatus comprising:
- a proxy server;
  
  a first filter-router coupled between the first computer network and said proxy server;
  
  a second filter-router coupled between the second computer network and said proxy server; and
  
  wherein said proxy server monitors and interprets exchanged protocol commands between the first and second computer networks after a session is begun to determine completion actions based upon the type of communications protocol being used and the type of protocol commands exchanged between the first and second networks.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The apparatus of claim 21 wherein the completion actions dynamically determine whether subsequent data transfers are allowed to occur.
  - 23. The apparatus of claim 21 wherein the proxy server determines the completion actions based upon network resource constraints of the first and second computer networks.
  - 24. The apparatus of claim 21 wherein the proxy server allows partial data transfers based upon the exchanged protocol commands.
  - 25. The apparatus of claim 21 wherein the type of communications protocol used between the first and second computer networks includes at least one of the following protocols;
    - Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), Remote Terminal Protocol (Telnet), and File Transfer Protocol (FTP).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Toga, James E.
Primary Examiner(s)
Alam, Hosain
Assistant Examiner(s)
Tran, Philip B.

Application Number

US08/773,692
Time in Patent Office

2,909 Days
Field of Search

395/200.59, 395/187.01, 395/200.79, 709/229, 709/249, 709/227, 709/224, 709/230, 713/201
US Class Current

709/229
CPC Class Codes

H04L 63/0236 Filtering by address, proto...

H04L 63/0281 Proxies

Firewalls that filter based upon protocol commands

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

84 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Firewalls that filter based upon protocol commands

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

84 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links