Method and system for securely scanning network traffic

US 7,543,332 B2
Filed: 02/06/2007
Issued: 06/02/2009
Est. Priority Date: 04/04/2002
Status: Expired due to Term

First Claim

Patent Images

1. A method comprising:

via an obtained encryption parameter shared by a first device, a second device, and a separate computer, forwarding only each data packet, of a plurality of received packets, that is in compliance with a predetermined criterion associated with said separate computer, a decrypted copy of each data packet scanned for compliance with said predetermined criterion at a predetermined portion of said separate computer, said predetermined portion of said separate computer adapted to provide only an affirmative response or a negative response regarding compliance with said predetermined criterion, wherein contents of said decrypted copy of each data packet is restricted to said predetermined portion of said separate computer, said separate computer adapted for restricting all operators of said separate computer from accessing contents of said decrypted copy of each data packet, said separate computer adapted to communicate with second device via a public wide area network said separate computer adapted to form a first security association with said first device said separate computer adapted to form a second security association with said second device, said separate computer adapted to calculate a first secret key associated with said first security association and a second secret key associated with said second security association.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for implementing secure network communications between a first device and a second device, at least one of the devices communicating with the other device via a firewall device, are provided. The method and system may include obtaining an encryption parameter that is shared by the first device, second device and firewall device. A data packet sent by the first device may then be copied within the firewall device, so that decryption of the copy of the data packet within a portion of the firewall device may take place. In particular, the portion of the firewall device in which decryption takes place is defined such that contents of the portion are inaccessible to an operator of the firewall device. Thus, scanning of the decrypted copy of the data packet for compliance with a predetermined criterion may take place within the firewall device, without an operator of the firewall device having access to the contents of the data packet to be transmitted. Thereafter, the original data packet can be forwarded to its originally intended recipient.

66 Citations

View as Search Results

19 Claims

1. A method comprising:
- via an obtained encryption parameter shared by a first device, a second device, and a separate computer, forwarding only each data packet, of a plurality of received packets, that is in compliance with a predetermined criterion associated with said separate computer, a decrypted copy of each data packet scanned for compliance with said predetermined criterion at a predetermined portion of said separate computer, said predetermined portion of said separate computer adapted to provide only an affirmative response or a negative response regarding compliance with said predetermined criterion, wherein contents of said decrypted copy of each data packet is restricted to said predetermined portion of said separate computer, said separate computer adapted for restricting all operators of said separate computer from accessing contents of said decrypted copy of each data packet, said separate computer adapted to communicate with second device via a public wide area network said separate computer adapted to form a first security association with said first device said separate computer adapted to form a second security association with said second device, said separate computer adapted to calculate a first secret key associated with said first security association and a second secret key associated with said second security association.
- View Dependent Claims (2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - obtaining said encryption parameter, said encryption parameter stored in said separate computer only in a hardware chipset that is not accessible by an administrator of said separate computer.
  - 4. The method of claim 1, further comprising:
    - decrypting said copy of each data packet within said separate computer computer adapted to utilize a distinct loop-back address for each of a plurality of devices on said private network, said firewall device adapted to communicatively couple said second device with a plurality of devices on said private network via a security association only with said separate computer.
  - 5. The method of claim 1, further comprising:
    - forwarding each data packet to said second device if said copy of each data packet complies with said predetermined criterion, said separate computer adapted to determine whether to use an IPSec ESP flow process or an IPSec AH flow based upon a check of a protocol field in each data packet.
  - 6. The method of claim 1, further comprising:
    - deleting each data packet that does not comply with said predetermined criterion.
  - 7. The method of claim 1, further comprising:
    - deleting said decrypted copy of each data packet after each data packet has been scanned.
  - 8. The method of claim 1, wherein said predetermined portion of said separate computer that is inaccessible to any operator of said computer is a hardware chipset within said separate computer.
  - 9. The method of claim 1, further comprising:
    - obtaining said encryption parameter via;
      
      building a first secret key with said first device during a negotiation of a first security association;
      
      building a second secret key, based on said first secret key, with said second device during a negotiation of a second security association;
      
      communicating information to said first device that allows said first device to calculate said second secret key using said first secret key, wherein said second secret key is used as said encryption parameter.
  - 10. The method of claim 1, wherein public keys associated with said first device, said second device, or said separate computer are authenticated by virtue of an inclusion of one or more of said public keys on a digital certificate.
  - 11. The method of claim 1, further comprising:
    - obtaining said encryption parameter via;
      
      building a first secret key with said first device during a negotiation of a first security association;
      
      building a second secret key, based on said first secret key, with said second device during a negotiation of a second security association;
      
      communicating information to said first device that allows said first device to calculate said second secret key using said first secret key, wherein said second secret key is used as said encryption parameter, wherein said information is a public key of said second device.
  - 12. The method of claim 1, further comprising:
    - obtaining said encryption parameter via;
      
      building a first secret key with said first device during a negotiation of a first security association;
      
      building a second secret key, based on said first secret key, with said second device during a negotiation of a second security association;
      
      communicating information to said first device that allows said first device to calculate said second secret key using said first secret key, wherein said second secret key is used as said encryption parameter, wherein said first security association is negotiated between said first device and a first address of said separate computer associated with said first device, and said second security association is negotiated between said second device and a second address of said separate computer associated with said first device.
  - 13. The method of claim 1, further comprising:
    - obtaining said encryption parameter via;
      
      negotiating, transparently through said separate computer, a first security association between said first device and said second device;
      
      sharing said encryption parameter between said first and second devices using said first security association;
      
      negotiating a second security association between said first device and said separate computer; and
      
      sharing said encryption parameter between said first device and said separate computer through said second security association.

3. The method of claim, further comprising:
- copying each data packet within said separate computer.

14. A device comprising:
- a content scanner adapted to, via an obtained encryption parameter shared by a first device, a second device, and a separate computer, forward only each data packet, of a plurality of received packets, that is in compliance with a predetermined criterion associated with said separate computer, a decrypted copy of each data packet scanned for compliance with said predetermined criterion at a predetermined portion of said separate computer, said predetermined portion of said separate computer adapted to provide only an affirmative response or a negative response regarding compliance with said predetermined criterion, wherein contents of said decrypted copy of each data packet is restricted to said predetermined portion of said separate computer, said separate computer adapted for restricting all operators of said separate computer from accessing contents of said decrypted copy of each data packet, said separate computer adapted to communicate with said second device via a public wide area network, said separate computer adapted to form a first security association with said first device, said separate computer adapted to form a second security association with said second device, said separate computer adapted to calculate a first secret key associated with said first security association and a second secret key associated with said second security association.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The device of claim 14, wherein each data packet is forwarded to said second device if said copy of each data packet complies with said predetermined criterion.
  - 16. The device of claim 14, wherein each data packet is deleted if said copy of each data packet does not comply with said predetermined criterion.
  - 17. The device of claim 14, wherein said copy of each data packet is deleted after each data packer has been scanned for compliance with said predetermined criterion.
  - 18. The device of claim 14, wherein said predetermined portion of said separate computer that is inaccessible to any operator of said computer is a hardware chipset within said separate computer.

19. A system comprising:
- a firewall device adapted to, via an obtained encryption parameter shared by a first device, a second device, and a separate computer, forward only each data packet, of a plurality of received packets, that is in compliance with a predetermined criterion associated with said separate computer, a decrypted copy of each data packet scanned for compliance with said predetermined criterion at a predetermined portion of said separate computer, said predetermined portion of said separate computer adapted to provide only an affirmative response or a negative response regarding compliance with said predetermined criterion, wherein contents of said decrypted copy of each data packet is restricted to said predetermined portion of said separate computer, said separate computer adapted for restricting all operators of said separate computer from accessing contents of said decrypted copy of each data packet, firewall device adapted to communicate with said second device via a public wide area network, said firewall device adapated to form a first security association with said first device, said firewall device adapted to form a second security association with said second device, said firewall device adapted to calculate a first secret key associated with said first security association and a second secret key associated with said second security association; and
  
  said first device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellectual Ventures II LLC (Intellectual Ventures LLC)
Original Assignee
AT&T Corporation (AT&T, Inc.)
Inventors
Galand, Claude, Sommerlatt, Jean-Marie, Le Pennec, Jean-Francois, Balissat, Joel
Primary Examiner(s)
TRAN, ELLEN C

Application Number

US11/703,020
Publication Number

US 20070169187A1
Time in Patent Office

847 Days
Field of Search

726/15, 726/11, 726/13, 726/22, 713/151
US Class Current

726/15
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0272   Virtual private networks

H04L 63/0435   wherein the sending and rec...

H04L 63/0464   using hop-by-hop encryption...

Method and system for securely scanning network traffic

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

66 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Method and system for securely scanning network traffic

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others