System, method and apparatus for securing network data

US 7,631,179 B2
Filed: 08/02/2002
Issued: 12/08/2009
Est. Priority Date: 08/02/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A system for securing network data, comprising:

a network;

first and second storage elements;

a network server in communication with said first storage element via said network, wherein the network server is configured provide both a request and associated metadata to the first storage element via different protocols with the network server configured to provide the request via a protocol that more greatly limits access for unauthorized users than the protocol via which the network server provides the associated metadata; and

a database server in communication with said first storage element and said second storage element, wherein the first storage element receives and stores the request from only said network server in a first predetermined location and data from only said database server in a second predetermined location, wherein only said network server is capable of accessing the data stored by said first storage element in the second predetermined location even though data is only stored in the second predetermined location by the database server, and wherein only said database server is capable of accessing the request stored by said first storage element in the first predetermined location even though data is only stored in the first predetermined location by the network server, such that said network server and said database server are capable of exchanging the request and responsive data via said first storage element without creating a concurrent operating session so as to avoid establishing any direct communication between said network server and said database server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The system, method and apparatus for securing network data of the present invention provide security for internal networks by utilizing a common storage element for the exchange of data between the external and internal components, without creating a concurrent session between the external and internal components. In addition, when the protocol of the external network is Internet Protocol (IP), the protocol used for the internal network may be a non-IP messaging protocol that is a more secure protocol than IP, and insulates the internal network from the type of attacks that are common in IP networks. These security measures may be implemented without a significant change to the hardware or software elements of the internal or external networks, and, therefore, without adding significant cost to the network administration and without the network performance degradation that is characteristic of conventional security measures.

Citations

28 Claims

1. A system for securing network data, comprising:
- a network;
  
  first and second storage elements;
  
  a network server in communication with said first storage element via said network, wherein the network server is configured provide both a request and associated metadata to the first storage element via different protocols with the network server configured to provide the request via a protocol that more greatly limits access for unauthorized users than the protocol via which the network server provides the associated metadata; and
  
  a database server in communication with said first storage element and said second storage element, wherein the first storage element receives and stores the request from only said network server in a first predetermined location and data from only said database server in a second predetermined location, wherein only said network server is capable of accessing the data stored by said first storage element in the second predetermined location even though data is only stored in the second predetermined location by the database server, and wherein only said database server is capable of accessing the request stored by said first storage element in the first predetermined location even though data is only stored in the first predetermined location by the network server, such that said network server and said database server are capable of exchanging the request and responsive data via said first storage element without creating a concurrent operating session so as to avoid establishing any direct communication between said network server and said database server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 23, 25, 27)
- - 2. The system of claim 1, wherein said network server is configured to provide the metadata to the storage device via Internet Protocol (IP).
  - 3. The system of claim 2, wherein said network server and said database server transmit the request to said first storage element and access data from said first storage element via a non-IP messaging protocol.
  - 4. The system of claim 3, wherein the non-IP messaging protocol is Fiberchannel protocol.
  - 5. The system of claim 2, further comprising a firewall security device within said network between the at least one client element and said network server.
  - 6. The system of claim 5, wherein the at least one client element is capable of transmitting data to and from said network server through said firewall security device.
  - 7. The system of claim 1, wherein said database server is also capable of transmitting and receiving metadata that at least partially defines associated data.
  - 8. The system of claim 7, wherein said first storage element stores metadata received from said network server in a third predetermined location, wherein the metadata defines the first predetermined location at which the request that is also received from said network server is stored, and wherein said database server accesses the metadata from the third predetermined location to obtain the first predetermined location of the request.
  - 9. The system of claim 7, wherein said first storage element stores metadata received from said database server in a fourth predetermined location, wherein the metadata defines the second predetermined location at which data that is also received from said database server is stored, and wherein said network server accesses the metadata from the fourth predetermined location to obtain the second predetermined location of the data.
  - 10. The system of claim 1, wherein said network server and said database server are capable of periodically polling said first storage element to determine if additional data or an additional request has been stored.
  - 11. The system of claim 1, wherein said second storage element comprises a storage area network.
  - 12. The system of claim 1, wherein said first storage element comprises a storage area network.
  - 23. The system of claim 1 further comprising a plurality of network servers in communication with the storage device for exchanging requests and responsive data with the database server.
  - 25. The system of claim 1 wherein the network server and the database server include instructions which define the first and second predetermined locations, respectively, prior to providing the request and data thereto, respectively.
  - 27. The system of claim 1 wherein the network server and the database server are each configured to execute an algorithm to dynamically determine the first and second locations.

13. A method for securing network data, comprising:
- receiving a request and associated metadata from a network server via a network and in accordance with different protocols with the protocol via which the request is received more greatly limiting access for unauthorized users than the protocol via which the associated metadata is received, wherein receiving the request comprises receiving the request from the network server in a first predetermined location of a first storage element, wherein the first storage element only receives the request in the first predetermined location from the network server;
  
  receiving data from a database server in a second predetermined location of the first storage element, wherein the first storage element only receives data in the second predetermined location from the database server;
  
  providing access, only to the database server, to the request stored in the first predetermined location of the first storage element by the network server; and
  
  providing access, only to the network server, to the data stored in the second predetermined location of the first storage element by the database server;
  
  wherein the network server and the database server exchange the request and responsive data via the first storage element without creating a concurrent operating session so as to avoid establishing any direct communication between the network server and the database server.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 24, 26, 28)
- - 14. The method of claim 13, wherein receiving associated metadata comprises receiving associated metadata from the network server via IP.
  - 15. The method of claim 14, wherein receiving data and providing access to data comprises receiving data and providing access to data via a non-IP messaging protocol.
  - 16. The method of claim 15, wherein the non-IP messaging protocol is a Fiberchannel protocol.
  - 17. The method of claim 13, further comprising:
    - establishing communications between the database server and a second storage element; and
      
      receiving information at the database server from the second storage element that was requested by the request, andwherein receiving data from the database server in a second predetermined location comprises receiving the data provided to the database server by the second storage element in the second predetermined location.
  - 18. The method of claim 13, further comprising establishing communications between the database server and a storage area network.
  - 19. The method of claim 13, further comprising establishing communications between the network server and a storage area network and between the database server and the same storage area network.
  - 20. The method of claim 13, further comprising storing metadata received from the network server in a third predetermined location, wherein the metadata defines the first predetermined location at which the request that is also received from the network server is stored, and accessing the metadata by the database server from the third predetermined location to obtain the first predetermined location of the request.
  - 21. The method of claim 13, further comprising storing metadata received from the database server in a fourth predetermined location, wherein the metadata defines the second predetermined location at which data that is also received from the database server is stored, and accessing the metadata by the network server from the fourth predetermined location to obtain the second predetermined location of the data.
  - 22. The method of claim 13, further comprising polling the storage element by the network server and the database server to determine if additional data or an additional request has been stored.
  - 24. The method of claim 13 wherein further comprising receiving requests and associated metadata from a plurality of network servers.
  - 26. The method of claim 13 wherein the first and second predetermined locations are defined for the network server and the database server, respectively, prior to receiving the request and data from the network server and the database server, respectively.
  - 28. The method of claim 13 further comprising executing an algorithm at both the network server and the database server in order to dynamically determine the first and second locations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Boeing Co.
Original Assignee
The Boeing Co.
Inventors
Mott, Michael Robert, Kuehn, Dennis Lee
Primary Examiner(s)
Moazzami; Nasser G
Assistant Examiner(s)
WILLIAMS, JEFFERY L

Application Number

US10/211,086
Publication Number

US 20040025008A1
Time in Patent Office

2,685 Days
Field of Search

None
US Class Current

713/151
CPC Class Codes

H04L 63/02 for separating internal fro...

System, method and apparatus for securing network data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

System, method and apparatus for securing network data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links