Method and apparatus for regulating data flow between a communications device and a network
Abstract
A network security device which acts as an “airlock” for traffic between a communications device and a network. Data is screened using rules-based analysis by the security device to counter various threats, including viruses, phishing, attempts to “hijack” communications, communications with known malicious addresses or unknown addresses, and transmission of sensitive information. Data packets can be reassembled into files for screening, and decoded or expanded as necessary, but the data is never executed. The data path for the data being screened is kept separate from the operations of the network security device itself, so that the device is incorruptible—its programming cannot be compromised from outside sources. Updates for rules and entry of sensitive data for screening, etc., must be done through a physical interface, not via the normal data communications channel. The device is invisible—it cannot be “seen” by the network, and thus cannot be attacked.
445 Citations
68 Claims
1. A method of screening data objects flowing between a network and at least one communication device using a network security device comprising a data object memory;
at least one communication device port coupled to the data object memory;
a network communication port coupled to the data object memory;
a processor coupled to the data object memory;
a permanent memory store for storage of rules, coupled to the processor;
a dynamic memory store coupled to the processor;
a physical interface coupled to the processor; and
a plurality of rules stored in the permanent memory store;
the method comprising:
a) receiving a data object at a communication device port or at the network communication port, the network security device being invisible to any communication device and the network;
b) storing the data object into the data object memory;
c) processing the data object in accordance with the plurality of rules stored in the permanent memory store, determining if the data object is in violation of at least one of the plurality of rules, without executing any code in the data object such that the operation of the device is incorruptible by the data objects being processed; and
d) if the data object is not in violation of at least one of the plurality of rules, transmitting the data object by the network communication port if the data object was received from a communication device port or transmitting the data object by a communication device port if the data object was received from the network communication port.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 37, 38, 39, 42, 43
29. A network security device for screening data objects flowing between a network and at least one communication device, comprising:
a) a data object memory;
b) at least one communication device port coupled to the data object memory;
c) a network communication port coupled to the data object memory;
d) a processor coupled to the data object memory;
e) a permanent memory store for storage of rules, coupled to the processor;
f) a dynamic memory store coupled to the processor;
g) a physical interface coupled to the processor;
h) a plurality of rules stored in the permanent memory store;
the processor being programmed such that a data object received at one of the at least one communication device port or at the network communication port is stored into the data object memory and processed by the processor in accordance with the rules from the permanent memory store, determining if the data object is in violation of at least one of the plurality of rules, and if the data object is not in violation of a rule, the data object is transmitted by the network communication port if the data object was received at the at least one communication device port, and the data object is transmitted by at least one communication device port if the data object was received at the network communication port;
the device being configured such that the rules are not affected by the processing of data objects in the data object memory;
the processor being programmed such that a data object in the data object memory is not permitted to interact with the dynamic memory store or the permanent memory store, such that the device is incorruptible by the data objects being processed; and
in receiving, processing and transmitting the data objects, the network security device is not visible to the network or the at least one communication device.
Dependent claims: 30, 31, 32, 33, 34, 35, 36, 40, 41, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53
54. A method of monitoring data objects flowing between a network and at least one communication device using a network security device comprising a data object memory;
at least one communication device port coupled to the data object memory;
a network communication port coupled to the data object memory;
a processor coupled to the data object memory;
a permanent memory store for storage of rules, coupled to the processor;
a dynamic memory store coupled to the processor;
a physical interface coupled to the processor; and
a plurality of rules stored in the permanent memory store;
the method comprising:
a) receiving a data object at a communication device port or at the network communication port, the network security device being invisible to any communication device and the network;
b) storing the data object into the data object memory;
c) processing the data object in accordance with the plurality of rules stored in the permanent memory store, determining if the data object is in violation of at least one of the plurality of rules, without executing any code in the data object such that the operation of the device is incorruptible by the data objects being processed;
d) copying the data object;
e) transmitting the data object by the network communication port if the data object was received from a communication device port or transmitting the data object by a communication device port if the data object was received from the network communication port; and
f) storing the copied data object from step d in a database.
Dependent claims: 55, 56, 57, 58, 59, 60, 61, 62, 63, 64
65. A system for network security comprising:
a secure server connected to a network; and
a plurality of network security devices for screening data objects flowing between a network and at least one communication device, each network security device comprising:
a) a data object memory;
b) at least one communication device port coupled to the data object memory;
c) a network communication port coupled to the data object memory;
d) a processor coupled to the data object memory;
e) a permanent memory store for storage of rules, coupled to the processor;
f) a dynamic memory store coupled to the processor;
g) a physical interface coupled to the processor;
h) a plurality of rules stored in the permanent memory store;
i) a device identification, such that the device can be identified to a secure server communicating through the network communication port, and the processor is programmed such that the network security device can establish secure communication with the secure server through the network communication port;
the processor being programmed such that a data object received at one of the at least one communication device port or at the network communication port is stored into the data object memory and processed by the processor in accordance with the rules from the permanent memory store, determining if the data object is in violation of at least one of the plurality of rules, and if the data object is not in violation of a rule, the data object is transmitted by the network communication port if the data object was received at the at least one communication device port, and the data object is transmitted by at least one communication device port if the data object was received at the network communication port;
the device being configured such that the rules are not affected by the processing of data objects in the data object memory;
the processor being programmed such that a data object in the data object memory is not permitted to interact with the dynamic memory store or the permanent memory store, such that the operation of the network security device is incorruptible by the data objects being processed; and
in receiving, processing and transmitting the data objects, the network security device is not visible to the network or the at least one communication device.
Dependent claims: 66, 67, 68
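The screening path the independent claims share (hold the object in an isolated data object memory, decode or expand it for inspection, evaluate it against rules kept in a store the data path cannot modify, forward it out the opposite port only if no rule is violated, and, for claim 54, keep a copy in a database) as an added Python model. This is example code written for this page, not code from the patent, its specification or any product built on it. The rule names, the read-only mapping standing in for the permanent memory store, the EICAR anti-virus test string used as the "virus" signature, the RFC 5737 documentation addresses and the marker ACME-Q3-FORECAST are all constructed for the example, and the physical interface through which the claims require rules to be entered is modelled only as a constructor that is called outside the data path.

```python
import base64
import re
import zlib
from dataclasses import dataclass
from types import MappingProxyType
from typing import Callable, Mapping, Optional

# The two port kinds named in the claims. An object entering at a
# communication device port leaves by the network port and vice versa.
DEVICE_PORT = "communication_device_port"
NETWORK_PORT = "network_communication_port"


@dataclass(frozen=True)
class DataObject:
    """A reassembled object held in the data object memory. Frozen: the
    screening path only reads it and never executes it."""
    ingress: str                # DEVICE_PORT or NETWORK_PORT
    address: str                # remote address the object came from / goes to
    payload: bytes              # body as received, possibly encoded
    encoding: str = "identity"  # "identity", "base64" or "zlib"


@dataclass(frozen=True)
class Verdict:
    egress: Optional[str]       # port the object is forwarded on; None if dropped
    violations: tuple           # names of the rules the object violated


# A rule is a pure function of (object, decoded bytes) returning True when the
# object violates it. Rules inspect the bytes; nothing runs them.
Rule = Callable[[DataObject, bytes], bool]

# EICAR standard anti-virus test string, standing in for a virus signature.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def decode_for_inspection(obj: DataObject) -> bytes:
    """Decode or expand the object so rules see its real content: the
    abstract's "decoded or expanded as necessary, but never executed"."""
    if obj.encoding == "base64":
        return base64.b64decode(obj.payload, validate=True)
    if obj.encoding == "zlib":
        return zlib.decompress(obj.payload)
    return obj.payload


def build_rule_store(known_bad: frozenset, known_good: frozenset,
                     sensitive: tuple) -> Mapping[str, Rule]:
    """Model of the permanent memory store (hypothetical rule names). In the
    claimed device rules and sensitive strings arrive only via the physical
    interface; here they are supplied out-of-band, and the result is a
    read-only mapping so the screening path cannot alter it."""
    sensitive_re = re.compile(b"|".join(re.escape(s) for s in sensitive)) if sensitive else None
    rules = {
        "virus_signature": lambda obj, data: EICAR in data,
        "known_malicious_address": lambda obj, data: obj.address in known_bad,
        "unknown_address": lambda obj, data:
            obj.address not in known_good and obj.address not in known_bad,
        # Sensitive data matters only on the way out of the protected device.
        "sensitive_data_leaving": lambda obj, data:
            obj.ingress == DEVICE_PORT and sensitive_re is not None
            and sensitive_re.search(data) is not None,
    }
    return MappingProxyType(rules)


def screen(obj: DataObject, rules: Mapping[str, Rule],
           audit_db: Optional[list] = None) -> Verdict:
    """Claims 1 and 29: evaluate every rule on the stored object and forward
    it out the opposite port only if none is violated. Claim 54: when an
    audit_db is given, a copy of every processed object is kept in it (this
    example copies blocked objects too)."""
    data = decode_for_inspection(obj)
    violations = tuple(name for name, rule in rules.items() if rule(obj, data))
    if audit_db is not None:
        audit_db.append(DataObject(obj.ingress, obj.address,
                                   bytes(obj.payload), obj.encoding))
    if violations:
        return Verdict(egress=None, violations=violations)
    egress = NETWORK_PORT if obj.ingress == DEVICE_PORT else DEVICE_PORT
    return Verdict(egress=egress, violations=())


def rule_store_is_read_only(rules: Mapping[str, Rule]) -> bool:
    """True if an attempt to rewrite a rule from the data path is refused."""
    try:
        rules["virus_signature"] = lambda obj, data: False  # type: ignore[index]
    except TypeError:
        return True
    return False


def demo_rule_store() -> Mapping[str, Rule]:
    # Constructed lists: RFC 5737 documentation addresses and a made-up marker.
    return build_rule_store(
        known_bad=frozenset({"198.51.100.7"}),
        known_good=frozenset({"mail.example.com", "203.0.113.10"}),
        sensitive=(b"ACME-Q3-FORECAST",),
    )


def demo() -> tuple:
    """Run constructed traffic (not real captures) through one device."""
    rules = demo_rule_store()
    audit: list = []
    cases = {
        "clean_inbound": DataObject(NETWORK_PORT, "mail.example.com", b"hello"),
        "eicar_base64_inbound": DataObject(
            NETWORK_PORT, "mail.example.com", base64.b64encode(EICAR), "base64"),
        "leak_zlib_outbound": DataObject(
            DEVICE_PORT, "203.0.113.10",
            zlib.compress(b"attached: ACME-Q3-FORECAST.xlsx"), "zlib"),
        "to_bad_address": DataObject(DEVICE_PORT, "198.51.100.7", b"GET / HTTP/1.1"),
        "to_unknown_address": DataObject(DEVICE_PORT, "192.0.2.55", b"GET / HTTP/1.1"),
    }
    verdicts = {name: screen(obj, rules, audit) for name, obj in cases.items()}
    return verdicts, len(audit)


if __name__ == "__main__":
    for name, v in demo()[0].items():
        print(f"{name:22s} egress={v.egress} violations={v.violations}")
```

Two properties of the claims are visible in the model: the rules are evaluated on decoded bytes but nothing ever executes them, and the rule store is a read-only view that the data path cannot write to, so a malicious object cannot change what later objects are checked against. The "invisible" property of the claims is reflected only in that the device never appears as a DataObject address; an inline device with no address of its own on the data path is what the abstract means by not being "seen" by the network.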
Specification