Computerized access device with network security
First Claim
1. A network access device adapted to provide network security functions, comprising:
- a software stack operative to run on said access device; and
- first network security apparatus for use with said stack, said security apparatus adapted to communicate data with other network security apparatus resident on a computing device over a data network by establishing an association, and where said first network security apparatus is configured to:
  - receive a message sent from said other network security apparatus of said computing device over a first physically non-secure network;
  - determine whether an association between said network security apparatus and said other network security apparatus of said computing device on said network exists;
  - convert at least a portion of said received message to a format utilized by said network; and
  - transmit said message received from said other network security apparatus of said computing device to a third network security apparatus over a second physically non-secure network when said association does exist without having to resort to an external entity to secure communications between said other network security apparatus and said third network security apparatus;
- wherein said establishing of said association between said first network security apparatus and said other network security apparatus resident on said computing device results in the execution of a key exchange algorithm in which said network access device and said computing device exchange cryptographic keys over said first physically non-secure network.
Abstract
A computerized access device useful within a network and adapted to provide communication security. In one embodiment, the network comprises an untrusted network, and the access device comprises stand-alone network security apparatus adapted to create associations with other network security devices on the network. Traffic between the associated devices may be encrypted, e.g., for data confidentiality and integrity protection. In one variant, the network security apparatus comprises a software entity disposed at least partly within the software stack of a stand-alone hardware device. In another variant, the device functions as a gateway or portal to another network (e.g., the Internet or another untrusted network), or to another device within the same network.
98 Claims
1. A network access device adapted to provide network security functions, comprising: the independent claim reproduced in full above under First Claim.
Dependent claims: 2 through 43.
44. A portal device in communication with one or more devices via a physically unsecure data network and further adapted to provide network security functions, comprising:
- a software stack operative to run on said portal device; and
- network security apparatus for use with said stack, said security apparatus adapted to communicate data between a second network security apparatus resident on a computerized device on said physically unsecure data network and said one or more devices also located on said physically unsecure data network; said network security apparatus operative to:
  - establish an ad hoc and temporary association between said portal device and said second network security apparatus of said computerized device by utilizing at least a key exchange algorithm in which said portal device and said second network security apparatus exchange cryptographic keys over said physically non-secure network;
  - receive a message sent from said computerized device;
  - modify at least a part of said received message to produce a modified message; and
  - transmit said modified message to at least one of said one or more devices resident on said physically unsecure data network;
- wherein said network security functions comprise:
  - providing confidentiality for at least a portion of said modified message;
  - providing integrity protection for at least a portion of said modified message; and
  - authenticating said one or more devices as well as authenticating said portal device to said one or more devices.
Dependent claims: 45 through 59.
60. A substantially stand-alone gateway device adapted to provide network security functions and bridging between two physically unsecure networks, comprising:
- a software stack operative to run on said device; and
- first network security apparatus for use with said stack, said security apparatus adapted to communicate data with other network security apparatus over at least one of first and second physically unsecure data networks in data communication with said gateway device by establishing an association, and where said first network security apparatus is configured to:
  - receive a message sent from a higher layer process in said device for transmission over at least one of said networks;
  - determine whether an association between said first network security apparatus and another network security apparatus in communication with said at least one network exists;
  - convert at least a portion of said received message to a format utilized by said at least one network;
  - transmit at least portions of said message to said another network security apparatus when said association does exist; and
  - establish an association with said another network security apparatus if said association does not exist by dynamically generating at least one encryption key for each association, said act of generating not requiring intervention by an external entity, said at least one key being specific to a particular session between said first network security apparatus and said another network security apparatus;
- wherein said substantially stand-alone gateway provides said network security functions while being directly coupled only to unsecure networks.
Dependent claims: 61 through 85.
86. A network access device adapted to provide network security functions, comprising:
- a software stack operative to run on said access device; and
- first network security apparatus for use with said stack, said security apparatus adapted to communicate data with other network security apparatus resident on a computing device over an unsecure data network to a third computing device by establishing an association, said association comprising a non-permanent trusted communications channel between and unique to said first network security apparatus and said other network security apparatus of said computing device, and where said first network security apparatus is configured to:
  - receive a message sent from said other network security apparatus of said computing device via said unsecure data network;
  - determine whether an association between said network security apparatus and said other network security apparatus of said computing device on said network exists;
  - execute a mutual authentication process, wherein said network security apparatus is adapted to authenticate said other network security apparatus, and further adapted to authenticate itself to said other network security apparatus;
  - convert at least a portion of said received message to a format utilized by said network; and
  - transmit said message received from said other network security apparatus of said computing device to said third computing device via said unsecure network when said association does exist;
- wherein said establishing of said association between said first network security apparatus and said other network security apparatus resident on said computing device results in the execution of a key exchange algorithm adapted to cause said network access device and said computing device to exchange cryptographic keys; and
- wherein said network security apparatus is adapted to dynamically generate at least one encryption key for each association, said at least one key being specific to a particular session between said network security apparatus and said other network security apparatus, said act of generating not requiring either (i) intervention by a network administrator; or (ii) intervention by an external network entity in order to transmit said message to said third computing device via said unsecure network.
87. A gateway device in communication with one or more devices via a first physically unsecure data network and further adapted to provide network security functions, comprising:
- a software stack operative to run on said gateway device; and
- network security apparatus for use with said stack, said security apparatus adapted to communicate data between a second network security apparatus resident on a computerized device on a second physically unsecure data network and said one or more devices located on said first physically unsecure data network; said network security apparatus operative to:
  - establish an ad hoc and temporary association between said gateway device and said second network security apparatus of said computerized device by utilizing at least a key exchange algorithm in which said gateway device and said second network security apparatus exchange cryptographic keys over said second physically non-secure network;
  - receive a message sent from said computerized device;
  - modify at least a part of said received message to produce a modified message; and
  - transmit said modified message to at least one of said one or more devices resident on said first physically unsecure data network;
- wherein said network security functions comprise:
  - providing confidentiality for at least a portion of said modified message;
  - providing integrity protection for at least a portion of said modified message; and
  - authenticating said one or more devices as well as authenticating said gateway device to said one or more devices.
Dependent claims: 88 through 98.
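The association mechanism that the abstract and claims 1, 44, 60 and 86 describe, as an added Go example that is not code from the patent or from any product built on it: each apparatus keeps a table of associations, creates one on demand through a signed X25519 key exchange (mutual authentication with Ed25519 identity keys, and a per-session AES-256-GCM key derived with HMAC-SHA256), and the gateway opens a message received from one associated peer and re-protects it for the next hop, associating with that hop first when no association exists. Every name here (Apparatus, Establish, Forward and the rest), the exchange message layout and the sample message are assumptions of this example; handing a peer's Apparatus value to accept and Forward stands in for network delivery and for a provisioned identity key, which a real device would take from its trust store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Apparatus is one "network security apparatus": an Ed25519 identity plus a table of live associations.
type Apparatus struct {
	Name   string
	idPriv ed25519.PrivateKey
	IDPub  ed25519.PublicKey
	assoc  map[string]cipher.AEAD // peer name -> AES-256-GCM keyed for that session only
}

func NewApparatus(name string) *Apparatus {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail on supported platforms
	return &Apparatus{Name: name, idPriv: priv, IDPub: pub, assoc: map[string]cipher.AEAD{}}
}

// HasAssociation is the claims' "determine whether an association exists" step.
func (a *Apparatus) HasAssociation(peer string) bool { _, ok := a.assoc[peer]; return ok }

// offer builds the key-exchange message sent over the unsecure network: a fresh X25519
// public key signed with the sender's identity key (a hypothetical message layout).
func (a *Apparatus) offer() (*ecdh.PrivateKey, *ecdh.PublicKey, []byte) {
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	pub := eph.PublicKey()
	return eph, pub, ed25519.Sign(a.idPriv, append([]byte(a.Name), pub.Bytes()...))
}

// accept authenticates the peer's offer (peer.IDPub stands in for a provisioned trust anchor),
// derives the session key from the ECDH secret and both ephemeral keys, and records the association.
func (a *Apparatus) accept(peer *Apparatus, eph *ecdh.PrivateKey, peerPub *ecdh.PublicKey, sig []byte, iPub, rPub *ecdh.PublicKey) error {
	if !ed25519.Verify(peer.IDPub, append([]byte(peer.Name), peerPub.Bytes()...), sig) {
		return fmt.Errorf("%s: bad signature from %s, peer not authenticated", a.Name, peer.Name)
	}
	secret, err := eph.ECDH(peerPub)
	if err != nil {
		return err
	}
	kdf := hmac.New(sha256.New, secret) // HMAC-SHA256 as a minimal KDF bound to this exchange
	kdf.Write(iPub.Bytes())
	kdf.Write(rPub.Bytes())
	block, _ := aes.NewCipher(kdf.Sum(nil)) // 32-byte digest -> AES-256, cannot fail
	a.assoc[peer.Name], _ = cipher.NewGCM(block)
	return nil
}

// Establish runs the mutually authenticated exchange between initiator i and responder r
// with no administrator or external entity involved; the key is specific to this session.
func Establish(i, r *Apparatus) error {
	iEph, iPub, iSig := i.offer()
	rEph, rPub, rSig := r.offer()
	if err := r.accept(i, rEph, iPub, iSig, iPub, rPub); err != nil { // r authenticates i
		return err
	}
	return i.accept(r, iEph, rPub, rSig, iPub, rPub) // i authenticates r
}

// Seal gives a message confidentiality and integrity for one associated peer; the random
// nonce is prepended and the sender's name is bound in as associated data.
func (a *Apparatus) Seal(peer string, plaintext []byte) ([]byte, error) {
	aead, ok := a.assoc[peer]
	if !ok {
		return nil, fmt.Errorf("%s: no association with %s", a.Name, peer)
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // never fails on supported platforms
	return aead.Seal(nonce, nonce, plaintext, []byte(a.Name)), nil
}

// Open is Seal's inverse; any modification or truncation in transit makes it fail.
func (a *Apparatus) Open(peer string, wire []byte) ([]byte, error) {
	aead, ok := a.assoc[peer]
	if !ok || len(wire) < aead.NonceSize() {
		return nil, fmt.Errorf("%s: no association with %s, or message truncated", a.Name, peer)
	}
	n := aead.NonceSize()
	return aead.Open(nil, wire[:n], wire[n:], []byte(peer))
}

// Forward is the gateway step of claims 1 and 60: open what arrived over the first unsecure
// network, associate with the next hop on demand, then re-protect it for the second network.
func (gw *Apparatus) Forward(from string, wire []byte, to *Apparatus) ([]byte, error) {
	msg, err := gw.Open(from, wire)
	if err == nil && !gw.HasAssociation(to.Name) {
		err = Establish(gw, to)
	}
	if err != nil {
		return nil, err
	}
	return gw.Seal(to.Name, msg)
}
```

Driving it: create three apparatus (an endpoint, the gateway and a server), call Establish(endpoint, gateway), Seal a message at the endpoint for "gateway", hand the ciphertext to gateway.Forward("endpoint", wire, server) and Open the result at the server under its "gateway" association. Forward creates the gateway-to-server association itself, which is the claims' "without having to resort to an external entity" element; Seal refuses a peer with no association, Open rejects any altered or truncated ciphertext, and accept rejects an offer whose signature does not verify under the expected identity key.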