Communications systems firewall
First Claim
1. A method of providing communications network security, the method comprising the steps of:
providing computerized communication systems comprising:
a filter having an input channel and an output channel;
an operating system having an input channel coupled to the output channel of the filter, and an output channel;
a receiver coupled at an upper interface to the operating system below and at a lower interface to a content checker above;
a protocol stack coupled at a lower interface to the operating system below and at an upper interface to the content checker above;
configuring the content checker to receive data from the upper interface of the receiver and to forward said data to the upper interface of the protocol stack responsive to content checks applied to said data;
configuring the receiver to forward to the content checker only data received from the operating system which is contained in network layer protocol transmission units each consisting of a protocol frame, cell, or packet which is invalid with respect to the protocol stack;
sending to the filter the series of one or more network layer protocol transmission units, the network layer protocol transmission units being deliberately malformed according to the predetermined rule;
configuring the filter to forward to the operating system only network layer protocol transmission units which are invalid with respect to the protocol stack; and
receiving at the filter a series of one or more network layer protocol transmission units;
forwarding from the filter only network layer protocol transmission units which are invalid with respect to the definition of the protocol.
Abstract
Methods, apparatus, programs and signals for providing communications network security. The approach is based on using established “standard” protocols, but packets (or cells or frames) are deliberately malformed by the sender, optionally according to a predetermined rule (for example by inverting a packet check digit). A filter forwards only packets identified as being invalid, optionally in accordance with the rule; packets which are valid with respect to the “standard” protocol are dropped. The filter is preferably implemented in hardware to mitigate the risk of its being compromised by a malicious attack.
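As an added illustration (not the patent's own code), a toy Python model of the pipeline the abstract describes: a sender that inverts an RFC 1071 checksum as its predetermined rule, a hardware-style filter that forwards only packets which are invalid under the standard protocol and drops valid ones, and a content checker that restores a standard packet for the protocol stack. The two-byte checksum layout, the printable-ASCII content check and all function names are assumptions.

```python
import struct
from typing import Iterable, List, Optional

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (data zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_packet(payload: bytes, malform: bool = True) -> bytes:
    """Sender: 2-byte checksum header + payload (assumed layout). With
    malform=True the checksum is bitwise inverted, the abstract's example rule."""
    csum = internet_checksum(payload)
    if malform:
        csum ^= 0xFFFF
    return struct.pack("!H", csum) + payload

def check_packet(packet: bytes) -> str:
    """'valid' under the standard protocol, 'rule' if invalid exactly per the
    inversion rule, 'other' for any other corruption."""
    (stored,) = struct.unpack("!H", packet[:2])
    expected = internet_checksum(packet[2:])
    if stored == expected:
        return "valid"
    if stored == expected ^ 0xFFFF:
        return "rule"
    return "other"

def hardware_filter(packets: Iterable[bytes], enforce_rule: bool = True) -> List[bytes]:
    """Filter stage: drop every packet that validates under the standard protocol;
    with enforce_rule=True also drop packets not malformed per the agreed rule."""
    forwarded = []
    for pkt in packets:
        kind = check_packet(pkt)
        if kind == "valid" or (enforce_rule and kind != "rule"):
            continue  # dropped: well-formed (or wrongly malformed) packet
        forwarded.append(pkt)
    return forwarded

def content_checker(packet: bytes, max_len: int = 64) -> Optional[bytes]:
    """Receiver/content checker: accept only printable-ASCII payloads up to
    max_len, then re-emit a valid-checksum packet for the protocol stack."""
    payload = packet[2:]
    if len(payload) > max_len or not payload.isascii():
        return None
    if not payload.decode("ascii").isprintable():
        return None
    return build_packet(payload, malform=False)
```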
Claims (10)
1. Independent claim, as set out under First Claim above. Dependent claims: 2, 3, 4.
5. A communications system comprising:
a filter comprising computer hardware and having an input channel and an output channel;
an operating system having an input channel coupled to the output channel of the filter, and an output channel;
a receiver coupled at an upper interface to the operating system below and at a lower interface to a content checker above;
a protocol stack coupled at a lower interface to the operating system below and at an upper interface to the content checker above;
the content checker being configured to receive data from the upper interface of the receiver and to forward said data to the upper interface of the protocol stack responsive to content checks applied to said data; and
wherein the receiver is configured to forward to the content checker only data received from the operating system which is contained in network layer protocol transmission units each consisting of a protocol frame, cell, or packet which is invalid with respect to the protocol stack; and
wherein the filter is arranged to forward to the operating system only network layer protocol transmission units which are invalid with respect to the protocol stack; and
a sender arranged to send to the filter the series of one or more protocol transmission units, transmission units intended for onward forwarding being deliberately malformed with respect to the protocol stack.
Dependent claims: 6, 7, 8, 9, 10.