Method and system for establishing a security perimeter in computer networks
Abstract
A multi-level network security system is disclosed for a computer host device coupled to at least one computer network. The system includes a secure network interface unit (SNIU) contained within the communications stack of the computer device that operates at a user-layer communications protocol. The SNIU communicates with other like SNIU devices on the network by establishing an association, thereby creating a global security perimeter for end-to-end communications, wherein each network may be individually secure or non-secure without compromising the security of communications within the global security perimeter. The SNIU includes a host/network interface for receiving messages sent between the computer device and the network; the interface is operative to convert the received messages to and from the format used by the network. A message parser determines whether an association already exists with another SNIU device. A session manager, coupled to the host/network interface, identifies and verifies the computer device requesting access to the network, and transmits messages received from the computer device when the message parser determines that the association already exists. An association manager, coupled to the host/network interface, establishes an association with other like SNIU devices when the message parser determines that the association does not exist.
54 Claims
1. A method of providing security between two computer networks, at least one of said networks having a server, said two networks having a network interface unit coupled therebetween, the method comprising:
using said network interface unit for identifying a user requesting access to or from one of said networks, verifying if the identified user is authorized for access to or from at least one of the two networks;
establishing a session with another entity on one of said two networks if said identified user is verified for access, said act of establishing a session resultant from a dynamic generation and exchange of at least one encryption key for each session; and
providing a security manager in communication with said network interface unit, said security manager adapted to perform the functions of controlling the operation and configuration of said network interface unit in order to protect the security of data present in one of said two networks that is transmitted via said secure network interface unit to the other of said two networks.
Dependent claims: 2 to 10.

11. A portable computerized apparatus adapted to communicate messages over a network to a second computerized apparatus, the apparatus comprising:
a computerized host having a memory and a communications stack; said memory having at least one computer program stored thereon, the at least one computer program configured to:
identify a user requesting to transmit or receive messages over said network;
support the authentication of said portable apparatus to an entity of said network with which said portable apparatus may communicate;
authenticate said entity of said network;
establish a security association between said portable apparatus and said entity if said authentications are successfully completed; and
establish a user session between said portable apparatus and said second computerized apparatus via said network and said entity after said security association has been established;
wherein the data integrity of said messages is protected at least between said portable apparatus and said entity based on at least one cryptographic key.
Dependent claims: 12 to 19.

20. An apparatus for providing security over a non-secure network, the apparatus comprising:
a processor; and
a secure network interface for providing secure communications of data on said non-secure network, said secure network interface configured to perform a trusted layer protocol, said trusted layer protocol setting up secure sessions by:
utilizing a cryptographic data exchange algorithm, said cryptographic data exchange algorithm comprising an exchange of cryptographic data, said cryptographic data being substantially unique to each session;
performing sealing algorithms on said data based at least in part on said exchange of cryptographic data; and
using the facilities of existing lower level protocols to transmit data across said non-secure network;
a security manager adapted to cause said secure network interface to be initialized, operated and configured for protecting the security of said data transmitted through said secure network interface, said security manager capable of participating in the implementation of at least one of a plurality of security policies; and
an application programming interface (API), said API being adapted to interface with a card, said card providing at least one security related function.
Dependent claims: 21 to 30.

31. An apparatus adapted to communicate messages over a network, the apparatus comprising:
a computerized host device having a memory and a communications stack; said memory having at least one computer program stored thereon, the at least one computer program configured to:
identify a user requesting access to said network;
support the authentication of said apparatus to another entity of said network with which said apparatus communicates;
establish a security association between said apparatus and said another entity if said authentication is successfully completed by utilizing a key exchange algorithm that causes said apparatus and said another entity to exchange cryptographic keys; and
establish a user session via said network and said another entity based at least in part on said established security association;
wherein said apparatus is further adapted to protect the integrity of messages sent from said host device over at least a portion of said network using at least one cryptographic key; and
a security manager in communication with said computer program, said security manager adapted to provide said message integrity protection using said at least one cryptographic key.
Dependent claims: 32 to 37.

38. A method of providing security between two computer networks, at least one of said networks having a server, said two networks having a network interface unit coupled therebetween, the method comprising:
using said network interface unit for identifying a user requesting access to or from one of said networks, verifying if the identified user is authorized for access to or from at least one of the two networks;
establishing a session with another entity on one of said two networks if said identified user is verified for access, said act of establishing a session resultant from a dynamic generation of at least one cryptographic element for each session; and
providing a security manager in communication with said network interface unit, said security manager adapted to perform the functions of controlling the operation and configuration of said network interface unit in order to protect the security of data present in one of said two networks that is transmitted via said secure network interface unit to the other of said two networks.
Dependent claims: 39 to 47.

48. An apparatus adapted to communicate messages over a network, the apparatus comprising:
a computerized host device having a memory and a communications stack; said memory having at least one computer program stored thereon, the at least one computer program configured to:
identify a user requesting access to said network;
support the authentication of said apparatus to another entity of said network with which said apparatus communicates;
establish a security association between said apparatus and said another entity if said authentication is successfully completed by utilizing a cryptographic transfer algorithm that causes said apparatus and said another entity to transfer cryptographic data between them; and
establish a user session via said network and said another entity based at least in part on said established security association;
wherein said apparatus is further adapted to protect the integrity of messages sent from said host device over at least a portion of said network using at least one cryptographic element; and
a security manager in communication with said computer program, said security manager adapted to provide said message integrity protection using said at least one cryptographic element.
Dependent claims: 49 to 54.

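The SNIU architecture of the abstract and the session setup recited in claims 1, 20 and 31 (identify the user, mutually authenticate, derive cryptographic material unique to each session, seal messages with it, and keep a security manager in charge of policy) as a runnable model. This is an added example, not the patent's code: the page names no key exchange algorithm, so a nonce-based pre-shared-key agreement stands in for it, and the SNIU and SecurityManager classes, the LABEL, the message tuple layout, and every user name, peer name and key are constructed for illustration.

```python
# Added example, not the patent's code. Names, message layout and the
# nonce-based key agreement are assumptions; the page names no algorithm.
import hashlib
import hmac
import secrets

LABEL = b"SNIU-association-v0"   # constructed protocol label


def prf(key, *parts):
    """HMAC-SHA256 over length-prefixed parts; derives keys and proofs."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class SecurityManager:   # policy: authorized users, long-term key per peer
    def __init__(self, users, peer_keys):
        self.users, self.peer_keys = set(users), dict(peer_keys)


class SNIU:
    def __init__(self, name, manager):
        self.name, self.manager = name, manager
        self.associations = {}   # peer name -> {"key", "send", "recv"}
        self.pending = {}        # responder-side handshake state

    # association manager (initiator side): mutually authenticated session key
    def associate(self, peer):
        n_i = secrets.token_bytes(32)                   # fresh per session
        n_r, proof_r = peer.respond(self.name, n_i)     # message 1 -> 2
        ltk = self.manager.peer_keys[peer.name]
        t = (LABEL, self.name.encode(), peer.name.encode(), n_i, n_r)
        if not hmac.compare_digest(proof_r, prf(ltk, *t, b"resp")):
            raise ValueError("responder authentication failed")
        self.associations[peer.name] = {"key": prf(ltk, *t, b"key"), "send": 0, "recv": 0}
        peer.confirm(self.name, prf(ltk, *t, b"init"))  # message 3

    def respond(self, initiator, n_i):
        ltk = self.manager.peer_keys[initiator]
        n_r = secrets.token_bytes(32)
        t = (LABEL, initiator.encode(), self.name.encode(), n_i, n_r)
        # the session key is withheld until the initiator has proven itself
        self.pending[initiator] = (prf(ltk, *t, b"key"), prf(ltk, *t, b"init"))
        return n_r, prf(ltk, *t, b"resp")

    def confirm(self, initiator, proof_i):
        key, expected = self.pending.pop(initiator)
        if not hmac.compare_digest(proof_i, expected):
            raise ValueError("initiator authentication failed")
        self.associations[initiator] = {"key": key, "send": 0, "recv": 0}

    # message parser + session manager: reuse the association, seal the data
    def send(self, user, peer, payload):
        if user not in self.manager.users:
            raise PermissionError(f"{user} not authorized on {self.name}")
        if peer.name not in self.associations:   # parser: no association yet
            self.associate(peer)
        a = self.associations[peer.name]
        a["send"] += 1
        seq = a["send"].to_bytes(4, "big")
        return self.name, seq, payload, prf(a["key"], self.name.encode(), seq, payload)

    def receive(self, wire):
        sender, seq, payload, tag = wire
        a = self.associations.get(sender)
        if a is None or not hmac.compare_digest(tag, prf(a["key"], sender.encode(), seq, payload)):
            raise ValueError("no association or integrity check failed")
        if int.from_bytes(seq, "big") <= a["recv"]:
            raise ValueError("replayed message")
        a["recv"] = int.from_bytes(seq, "big")
        return payload


def outcome(action):
    """'accepted' if the action succeeds, 'rejected' if a unit refuses it."""
    try:
        action()
    except (ValueError, PermissionError):
        return "rejected"
    return "accepted"


def demo():
    """Two units on either side of a non-secure link (constructed data)."""
    ltk = secrets.token_bytes(32)
    a = SNIU("alpha", SecurityManager({"alice"}, {"beta": ltk}))
    b = SNIU("beta", SecurityManager({"bob"}, {"alpha": ltk}))
    r = {"first": b.receive(a.send("alice", b, b"hello"))}
    key1 = a.associations["beta"]["key"]
    wire = a.send("alice", b, b"again")             # association is reused
    r["second"], r["reused"] = b.receive(wire), a.associations["beta"]["key"] == key1
    r["replay"] = outcome(lambda: b.receive(wire))
    r["tamper"] = outcome(lambda: b.receive(wire[:2] + (b"evil", wire[3])))
    r["policy"] = outcome(lambda: a.send("mallory", b, b"x"))
    del a.associations["beta"], b.associations["alpha"]   # tear down; new session
    b.receive(a.send("alice", b, b"new"))
    r["fresh_key"] = a.associations["beta"]["key"] != key1
    return r
```

Running demo() exercises the checks a practitioner would want from such a perimeter: the second message reuses the association instead of re-keying, a replayed or tampered message is refused because the sequence number and payload are covered by the HMAC seal, a user outside the security manager's policy is refused before any key exchange starts, and tearing the association down and sending again yields a different session key. The responder only installs its copy of the key after the initiator's proof verifies, so a one-sided handshake leaves no usable association behind.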