Communications systems firewall

US 8,037,520 B2
Filed: 09/12/2006
Issued: 10/11/2011
Est. Priority Date: 09/13/2005
Status: Active Grant

First Claim

Patent Images

1. A method of providing communications network security, the method comprising the steps of:

providing computerized communication systems comprising;

a filter having in input channel and an output channel;

an operating system having an input channel coupled to the output channel of the filter, and an output channel;

a receiver coupled to an upper interface to the operating system below and at a lower interface to a content checker above;

a protocol stack coupled at a lower interface to the operating system below and at an upper interface to the content checker above;

configuring the content checker to receive data from the upper interface to the receiver and to forward said data to the upper interface of the protocol stack responsive to content checks applied to said data;

configuring the receiver to forward to the content checker only data received from the operating system which is contained in network layer protocol transmission units each consisting of a protocol frame, cell, or packet which is invalid with respect to the protocol stack;

sending to the filter the series of one or more a network layer protocol transmission units, the network layer protocol transmission units being deliberately malformed according to the predetermined rule;

configuring the filter to forward to the operating system only network layer protocol transmission units which are invalid with respect to the protocol stack; and

receiving at the filter a series of one or more network layer protocol transmission units;

forwarding from the filter only network layer protocol transmission units which are invalid with respect to the definition of the protocol.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatus, programs and signals for providing communications network security. The approach is based on using established “standard” protocols, but packets (or cells or frames) are deliberately malformed by the sender, optionally according to a predetermined rule (for example by inverting a packet check digit). A filter forwards only packets identified as being invalid, optionally in accordance with the rule; packets which are valid with respect to the “standard” protocol are dropped. The filter is preferably implemented in hardware to mitigate the risk of its being compromised by a malicious attack.

20 Citations

View as Search Results

10 Claims

1. A method of providing communications network security, the method comprising the steps of:
- providing computerized communication systems comprising;
  
  a filter having in input channel and an output channel;
  
  an operating system having an input channel coupled to the output channel of the filter, and an output channel;
  
  a receiver coupled to an upper interface to the operating system below and at a lower interface to a content checker above;
  
  a protocol stack coupled at a lower interface to the operating system below and at an upper interface to the content checker above;
  
  configuring the content checker to receive data from the upper interface to the receiver and to forward said data to the upper interface of the protocol stack responsive to content checks applied to said data;
  
  configuring the receiver to forward to the content checker only data received from the operating system which is contained in network layer protocol transmission units each consisting of a protocol frame, cell, or packet which is invalid with respect to the protocol stack;
  
  sending to the filter the series of one or more a network layer protocol transmission units, the network layer protocol transmission units being deliberately malformed according to the predetermined rule;
  
  configuring the filter to forward to the operating system only network layer protocol transmission units which are invalid with respect to the protocol stack; and
  
  receiving at the filter a series of one or more network layer protocol transmission units;
  
  forwarding from the filter only network layer protocol transmission units which are invalid with respect to the definition of the protocol.
- View Dependent Claims (2, 3, 4)
- - 2. A method according to claim 1 in which the one or more network layer protocol transmission units are invalid in accordance with a predetermined rule.
  - 3. A method according to claim 1 further comprising the step of:
    - receiving forwarded network layer protocol transmission units at the receiver.
  - 4. A method according to claim 1 in which the protocol is a version of the internet protocol.

5. A communications system comprising:
- a filter comprising computer hardware and having an input channel and an output channel;
  
  an operating system having an input channel coupled to the output channel of the filter, and an output channel;
  
  a receiver coupled at an upper interface to the operating system below and at a lower interface to a content checker above;
  
  a protocol stack coupled at a lower interface to the operating system below and at an upper interface to the content checker above;
  
  the content checker being configured to receive data from the upper interface of the receiver and to forward said data to the upper interface of the protocol stack responsive to content checks applied to said data; and
  
  wherein the receiver is configured to forward to the content checker only data received from the operating system which is contained in network layer protocol transmission units each consisting of a protocol frame, cell, or packet which is invalid with respect to the protocol stack; and
  
  wherein the filter is arranged to forward to the operating system only network layer protocol transmission units which are invalid with respect to the protocol stack; and
  
  a sender arranged to send to the filter, the series of one or more protocol transmission units, transmission units intended for onward forwarding being deliberately malformed with respect to the protocol stack.
- View Dependent Claims (6, 7, 8, 9, 10)
- - 6. A communications system according to claim 5 in which the filter is arranged to forward only protocol transmission units which are invalid with respect to the protocol stack and in accordance with a predetermined rule.
  - 7. A communications system according to claim 5 in which the protocol is an internet protocol.
  - 8. A communications system according to claim 5 in which the receiver comprises a protocol engine implemented in one of hardware and firmware.
  - 9. A communications system according to claim 5 in which of the receiver is arranged to accept network layer protocol transmission units whose format is the same as those accepted by the network layer of the protocol stack, but whose content is invalid with respect to the network layer protocol of the protocol stack.
  - 10. A communications system according to claim 5 in which the filter is implemented in one of hardware and firmware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qinetiq Limited (QinetiQ Group PLC)
Original Assignee
Qinetiq Limited (QinetiQ Group PLC)
Inventors
Wiseman, Simon Robert, Cant, Christopher James
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
ABEDIN, SHANTO

Application Number

US12/066,419
Publication Number

US 20080209542A1
Time in Patent Office

1,855 Days
Field of Search

726/11, 726/13, 726/14, 726/23, 726/24, 726/25, 726/1, 726/12, 726/22, 709/230, 709/238, 709/246
US Class Current

726/14
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/029   Firewall traversal, e.g. tu...

Communications systems firewall

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

20 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Communications systems firewall

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links