Method and system for securely scanning network traffic
Abstract
A method and system for implementing secure network communications between a first device and a second device, at least one of the devices communicating with the other device via a firewall device, are provided. The method and system may include obtaining an encryption parameter that is shared by the first device, second device and firewall device. A data packet sent by the first device may then be copied within the firewall device, so that decryption of the copy of the data packet within a portion of the firewall device may take place. In particular, the portion of the firewall device in which decryption takes place is defined such that contents of the portion are inaccessible to an operator of the firewall device. Thus, scanning of the decrypted copy of the data packet for compliance with a predetermined criterion may take place within the firewall device, without an operator of the firewall device having access to the contents of the data packet to be transmitted. Thereafter, the original data packet can be forwarded to its originally-intended recipient.
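As an added illustration (not code from the patent or from any product), the following Python models the mechanism the abstract describes: the firewall copies the packet, decrypts only the copy inside a sealed scanning portion that exposes nothing but a yes/no verdict, and forwards the original ciphertext untouched. The cipher is a constructed stdlib-only stand-in (SHA-256 counter-mode keystream plus an HMAC tag) for whatever the shared encryption parameter keys; the key, rule and packets are constructed sample values.

```python
import hashlib
import hmac

# Constructed stand-in cipher (not from the patent): SHA-256 in counter mode for the
# keystream plus an HMAC-SHA256 tag, keyed by the shared "encryption parameter".
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def encrypt_packet(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt_packet(key: bytes, packet: bytes) -> bytes:
    nonce, body, tag = packet[:16], packet[16:-32], packet[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

class SealedScanner:
    """The 'pre-determined portion' of the firewall. It holds the shared parameter and
    the filtering rule and answers only True/False; the decrypted copy lives solely in
    a local of scan() and is never stored on the object or returned."""
    __slots__ = ("_key", "_blocked")   # no attribute can ever hold plaintext

    def __init__(self, key: bytes, blocked: tuple) -> None:
        self._key, self._blocked = key, blocked

    def scan(self, packet_copy: bytes) -> bool:
        try:
            plaintext = decrypt_packet(self._key, packet_copy)
        except ValueError:
            return False   # undecryptable or tampered traffic is non-compliant
        return not any(term in plaintext for term in self._blocked)

def firewall_forward(scanner: SealedScanner, packet: bytes):
    """Copy the packet, hand the copy to the sealed portion, and forward the original
    ciphertext unchanged only on an affirmative verdict. Only a bool crosses back."""
    verdict = scanner.scan(bytes(packet))   # bytes() makes an independent copy
    return packet if verdict else None
```

Scope alone does not stop an operator with memory access from reading the local variable; the isolation the claims rely on has to come from the platform partitioning that claim 30 describes, which this model only represents by scope.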
Claims
1. A method for implementing secure network communications between a first device and a second device, the first device communicating with the second device via a separate computer, the method comprising:
- obtaining an encryption parameter that is shared by the first device, second device and separate computer;
- copying a data packet sent by the first device, within the separate computer;
- decrypting the copy of the data packet within a portion of the separate computer;
- wherein contents of the decrypted copy of the data packet is restricted to a pre-determined portion of the separate computer, the separate computer adapted for restricting all operators of the separate computer from accessing contents of the decrypted copy of the data packet; and
- at the pre-determined portion of the separate computer, scanning the decrypted copy of the data packet for compliance with a predetermined criterion associated with the separate computer for allowing transmissions therethrough, the pre-determined portion of the separate computer adapted to provide only an affirmative response or a negative response regarding compliance with the predetermined criterion.
Dependent claims: 2 to 10.

11. A firewall device for mediating communications between a private network device and a device external to a private network, the firewall device comprising:
- an encryption parameter determining circuit operable to determine an encryption parameter that is known to the external device and the private network device;
- a content scanner containing the encryption parameter and operable to decrypt contents of a transmission from the external device for scanning, said contents encrypted with said encryption parameter, said decrypted contents is restricted to be present only in said content scanner, said content scanner adapted for restricting all operators of the firewall device from accessing said decrypted contents, wherein the content scanner permits a forwarding of the transmission to the private network device upon a determination that the contents of the transmission comply with a predetermined criterion of the firewall device, the content scanner adapted to provide only an affirmative response or a negative response regarding the determination that the contents of the transmission comply with the predetermined criterion.
Dependent claims: 12 to 17.

18. An article of manufacture, which comprises a computer readable medium having stored therein a computer program carrying out a method for scanning contents of an encrypted data packet, the computer program comprising:
- a first code segment adapted for acquiring an encryption parameter adapted to be used by a first and second device to encrypt a data packet that is transmitted therebetween via the article of manufacture;
- a second code segment adapted for decrypting the data packet, using the encryption parameter;
- a third code segment adapted for restricting users of the article of manufacture from accessing contents of the data packet, said third code segment adapted for restricting the contents of the data packet to a pre-determined portion of said article of manufacture;
- a fourth code segment adapted for filtering the data packet based on whether the contents comply with a predetermined criterion associated with the article of manufacture, said fourth code segment adapted to provide only an affirmative response or a negative response regarding a determination that the contents of the data packet comply with the predetermined criterion.
Dependent claims: 19 to 24.

25. A method of transmitting data, comprising:
- constructing a first encryption parameter with a firewall device that receives and forwards traffic intended for a private network device associated therewith;
- constructing with the firewall device, based on the first encryption parameter, a second encryption parameter that was previously negotiated between the firewall device and the private network device;
- receiving at the firewall device a transmission that is encrypted using the second encryption parameter;
- decrypting the received transmission, the decrypted transmission restricted to be present only in a predetermined portion of the firewall device, the firewall device adapted for restricting all operators of the firewall device from accessing the decrypted transmission, the predetermined portion of the firewall device adapted to provide only an affirmative response or a negative response regarding a determination that the received transmission complies with rules of the firewall device; and
- sending the received transmission from the firewall device to the private network device.
Dependent claims: 26 and 27.

28. A method of transmitting data, comprising:
- constructing an encryption parameter with a recipient device through a firewall device;
- sharing the encryption parameter with the firewall device;
- encrypting a transmission using the encryption parameter;
- decrypting the transmission, the decrypted transmission restricted to be present only in a predetermined portion of the firewall device, the firewall device adapted for restricting all operators of the firewall device from accessing contents of the decrypted transmission, the predetermined portion of the firewall device adapted to provide only an affirmative response or a negative response regarding a determination that the transmission complies with rules of the firewall device; and
- sending the transmission to the recipient device via the firewall device.
Dependent claim: 29.

30. A method of filtering encrypted data at a firewall device, comprising:
- partitioning a filtering portion of the firewall device from an operator thereof;
- decrypting the encrypted data within the filtering portion, the decrypted data restricted to be present only in the filtering portion of the firewall device, the firewall device adapted for restricting all operators of the firewall device from accessing contents of the decrypted data, the filtering portion of the firewall device adapted to provide only an affirmative response or a negative response regarding a determination that the decrypted data complies with rules of the firewall device; and
- forwarding the data if it complies with at least one filtering rule associated with the firewall device.
Dependent claims: 31 and 32.

33. A firewall device, comprising:
- means for obtaining an encryption parameter common to both a first device and a second device;
- means for decrypting encrypted data transmitted from the first device using the encryption parameter, the decrypted data restricted to be present only in a predetermined portion of said means for decrypting encrypted data, said means for decrypting encrypted data adapted for restricting all operators of said means for decrypting encrypted data from accessing contents of the decrypted data, said predetermined portion of said means for decrypting encrypted data adapted to provide only an affirmative response or a negative response regarding a determination that the decrypted data complies with rules of said means for decrypting encrypted data; and
- means for forwarding the encrypted data to the second device.
Specification