Method and system for securely scanning network traffic
Abstract
A method and system for implementing secure network communications between a first device and a second device, at least one of the devices communicating with the other device via a firewall device, are provided. The method and system may include obtaining an encryption parameter that is shared by the first device, second device and firewall device. A data packet sent by the first device may then be copied within the firewall device, so that decryption of the copy of the data packet within a portion of the firewall device may take place. In particular, the portion of the firewall device in which decryption takes place is defined such that contents of the portion are inaccessible to an operator of the firewall device. Thus, scanning of the decrypted copy of the data packet for compliance with a predetermined criterion may take place within the firewall device, without an operator of the firewall device having access to the contents of the data packet to be transmitted. Thereafter, the original data packet can be forwarded to its originally intended recipient.
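The architecture the abstract describes (one encryption parameter shared by both endpoints and the firewall; the firewall copies each packet, decrypts only the copy inside a portion whose contents the operator cannot reach, scans the plaintext against a predetermined criterion, and forwards the original packet untouched) can be modelled in a few dozen lines. The following is an added example, not code from the patent or from any product built on it. It assumes a toy encrypt-then-MAC scheme built from hashlib and hmac as a stand-in for the IPsec-style security association, and the names SealedScanner, Firewall, violates_policy, demo and every sample packet are constructed for the illustration.

```python
# Added example, not the patent's code: a toy encrypt-then-MAC built from
# hashlib/hmac stands in for the IPsec-style security association; the names
# SealedScanner, Firewall, violates_policy and all sample packets are constructed.
import hashlib
import hmac
import os
from typing import Callable, List, Optional, Tuple

NONCE_LEN, TAG_LEN = 12, 32


def _subkeys(shared_param: bytes) -> Tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from the one shared parameter.
    return (hashlib.sha256(b"enc|" + shared_param).digest(),
            hashlib.sha256(b"mac|" + shared_param).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Hash-based keystream: a toy stand-in for a real cipher, not for production use.
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(out[:length])


def encrypt(shared_param: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Endpoint side: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(shared_param)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("bad nonce length")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(shared_param: bytes, packet: bytes) -> bytes:
    """Verify the tag before decrypting; ValueError on any failure."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        raise ValueError("packet too short")
    enc_key, mac_key = _subkeys(shared_param)
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SealedScanner:
    """The portion of the firewall where decryption happens.

    Its only output is a verdict string; no method returns key material or
    plaintext. That API boundary models the patent's operator restriction (a
    real deployment would back it with hardware isolation such as an HSM or
    enclave; here nothing stronger than the interface is claimed).
    """

    def __init__(self, shared_param: bytes, criterion: Callable[[bytes], bool]):
        self.__shared_param = shared_param
        self.__criterion = criterion

    def scan(self, packet_copy: bytes) -> str:
        try:
            plaintext = decrypt(self.__shared_param, packet_copy)
        except ValueError:
            return "invalid"  # tampered, or not under this security association
        verdict = "block" if self.__criterion(plaintext) else "pass"
        del plaintext  # plaintext does not outlive the scan
        return verdict


class Firewall:
    """Edge device: copy each packet, scan the copy, forward the original."""

    def __init__(self, scanner: SealedScanner):
        self.scanner = scanner
        self.operator_log: List[Tuple[str, int]] = []  # verdict and size only

    def handle(self, packet: bytes) -> Optional[bytes]:
        verdict = self.scanner.scan(bytes(packet))  # the copy is what gets decrypted
        self.operator_log.append((verdict, len(packet)))
        return packet if verdict == "pass" else None  # original forwarded unmodified


def violates_policy(plaintext: bytes) -> bool:
    # Predetermined criterion: block packets carrying a constructed marker string.
    return b"CONFIDENTIAL" in plaintext


def demo() -> Tuple[Optional[bytes], Optional[bytes], Optional[bytes]]:
    """Three constructed packets: benign, policy-violating, and tampered in transit."""
    shared_param = b"constructed shared encryption parameter"
    fw = Firewall(SealedScanner(shared_param, violates_policy))
    benign = encrypt(shared_param, b"GET /status HTTP/1.1")
    leak = encrypt(shared_param, b"CONFIDENTIAL: payroll export")
    tampered = bytearray(benign)
    tampered[NONCE_LEN] ^= 0x01  # flip one ciphertext bit; the tag no longer verifies
    return fw.handle(benign), fw.handle(leak), fw.handle(bytes(tampered))
```

Calling demo() returns the benign packet unchanged, None for the policy-violating packet, and None for the tampered one; the operator-visible log records only verdicts and packet sizes. Two design points carry over from the abstract: the firewall never modifies the forwarded packet, so end-to-end integrity on the original is preserved, and authentication is checked before any decryption so a forged or damaged packet is rejected without its bytes ever being treated as plaintext.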
20 Claims
1. A method comprising:
at a firewall device operating on an edge of a private network, regarding a data packet encrypted utilizing an encryption parameter shared by a first device, a second device, and said firewall device, said firewall device adapted to communicate with said second device via a public wide area network, said firewall device adapted to form a first security association with said first device, said firewall device adapted to form a second security association with said second device, said firewall device adapted to calculate a first secret key associated with said first security association and a second secret key associated with said second security association, said encrypted data packet sent by said first device to said second device;
causing said firewall device to decrypt said encrypted data packet within said firewall device, said firewall device adapted to restrict all operators of said firewall device from accessing contents of said data packet.
Dependent claims 2 through 18 are not reproduced here.
19. A method comprising:
at a firewall device operating on an edge of a private network, regarding a data packet encrypted utilizing an encryption parameter shared by a first device, a second device, and said firewall device, said firewall device adapted to communicate with said second device via a public wide area network, said firewall device adapted to form a first security association with said first device, said firewall device adapted to form a second security association with said second device, said firewall device adapted to calculate a first secret key associated with said first security association and a second secret key associated with said second security association, said encrypted data packet sent by said first device to said second device;
decrypting said encrypted data packet within said firewall device, said firewall device adapted to restrict all operators of said firewall device from accessing contents of said data packet.
20. A machine-readable medium comprising a computer program adapted to:
at a firewall device operating on an edge of a private network, regarding a data packet encrypted utilizing an encryption parameter shared by a first device, a second device, and said firewall device, said firewall device adapted to communicate with said second device via a public wide area network, said firewall device adapted to form a first security association with said first device, said firewall device adapted to form a second security association with said second device, said firewall device adapted to calculate a first secret key associated with said first security association and a second secret key associated with said second security association, said encrypted data packet sent by said first device to said second device;
decrypt said encrypted data packet within said firewall device, said firewall device adapted to restrict all operators of said firewall device from accessing contents of said data packet.