Method and system for securely scanning network traffic
First Claim
1. A method for scanning network traffic, comprising:
forwarding a first data packet from a first device to a second device based on an obtained encryption parameter shared by the first device, the second device, and a separate computer, wherein the encryption parameter is determined based upon a first security association between the first device and the separate computer and a second security association between the second device and the separate computer, wherein the separate computer is adapted to calculate a first secret key associated with the first security association and a second secret key associated with the second security association;
forwarding a copy of the first data packet to a predetermined portion of the separate computer that is restricted from access by operators of the separate computer;
scanning the copy of the first data packet to determine compliance with a predetermined criterion associated with the separate computer;
forwarding the first data packet and deleting the copy of the first data packet if the copy scanned is determined to be in compliance with the predetermined criterion; and
discarding both the first data packet and the copy of the first data packet if the copy scanned is determined to be in non-compliance with the predetermined criterion.
7 Assignments
0 Petitions
Abstract
A method and system for implementing secure network communications between a first device and a second device, at least one of the devices communicating with the other device via a firewall device, are provided. The method and system may include obtaining an encryption parameter that is shared by the first device, second device and firewall device. A data packet sent by the first device may then be copied within the firewall device, so that decryption of the copy of the data packet within a portion of the firewall device may take place. In particular, the portion of the firewall device in which decryption takes place is defined such that contents of the portion are inaccessible to an operator of the firewall device. Thus, scanning of the decrypted copy of the data packet for compliance with a predetermined criterion may take place within the firewall device, without an operator of the firewall device having access to the contents of the data packet to be transmitted. Thereafter, the original data packet can be forwarded to its originally intended recipient.
65 Citations
20 Claims
1. A method for scanning network traffic, as set out above under First Claim. Claims 2 through 17 depend from claim 1.
18. A device for scanning network traffic, comprising:
a content scanner adapted to scan a copy of a first data packet transmitted from a first device to a second device to determine noncompliance with a predetermined criterion, wherein the scanning of the copy is enabled based on an obtained encryption parameter shared by a first device, a second device, and a separate computer, and wherein the copy of the first data packet is stored in a predetermined portion of the separate computer that is restricted from access by operators of the separate computer;
automatically delete the first data packet transmitted from the first device to the second device and the copy of the first data packet based upon noncompliance with the predetermined criterion being determined, wherein the encryption parameter is determined based upon a first security association between the first device and the separate computer and a second security association between the second device and the separate computer, and wherein the separate computer is adapted to calculate a first secret key associated with the first security association and a second secret key associated with the second security association; and
forwarding the first data packet and deleting the copy of the first data packet based upon compliance with the predetermined criterion.
19. A system for scanning network traffic, comprising:
a firewall device adapted to forward a first data packet from a first device to a second device based on an obtained encryption parameter shared by the first device, the second device, and the firewall device,
wherein the firewall device is adapted to decrypt a copy of the first data packet with the encryption parameter shared between the first device, the second device and the firewall device,
wherein contents of the copy of the first data packet are restricted to a predetermined portion of the firewall device,
wherein the firewall device is adapted to restrict all operators of the firewall device from accessing the contents of the copy of the first data packet,
wherein the firewall device is adapted to determine whether to use an IPSec ESP flow process or an IPSec AH flow based upon a check of a protocol field in the data packet,
wherein the firewall device forwards the first data packet and deletes the copy of the first data packet if the copy is determined to be in compliance with the predetermined criterion, and
wherein the firewall device discards both the first data packet and the copy of the first data packet if the copy scanned is determined to be in non-compliance with the predetermined criterion; and
the first device.
20. A non-transitory machine-readable medium comprising machine-implementable instructions for activities for scanning network traffic, comprising:
forwarding a first data packet from a first device to a second device based on an obtained encryption parameter shared by the first device, the second device, and a separate computer, wherein the encryption parameter is determined based upon a first security association between the first device and the separate computer and a second security association between the second device and the separate computer, and wherein the separate computer is adapted to calculate a first secret key associated with the first security association and a second secret key associated with the second security association;
forwarding a copy of the first data packet to a predetermined portion of the separate computer that is restricted from access by operators of the separate computer;
scanning the copy of the first data packet to determine compliance with a predetermined criterion associated with the separate computer;
forwarding the first data packet and deleting the copy of the first data packet if the copy scanned is determined to be in compliance with the predetermined criterion; and
discarding both the first data packet and the copy of the first data packet if the copy scanned is determined to be in non-compliance with the predetermined criterion.
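The abstract and claims 1, 19 and 20 describe one flow: the firewall holds a security association with each endpoint, derives from both the encryption parameter the endpoints share, checks the IP protocol field to choose the ESP or AH path, decrypts only a copy of the packet inside a portion no operator can read, scans the copy, then forwards the untouched original and deletes the copy, or discards both. The Python model below is an added illustration of that flow; it is not code from the patent or from any product. Everything in it is an assumption: the names (ScanningFirewall, derive_shared_key, esp_packet, ah_packet), the HKDF-like derivation of the shared key from the two SA secrets, the blocklist-of-signatures criterion, the constructed sample packets, and the cipher, which is an HMAC-SHA256 keystream plus truncated tag standing in for the real RFC 4302/4303 transforms.

```python
"""Toy model of the scanning firewall the claims describe (added illustration,
not the patent's code).  The firewall holds SA1 (device A <-> firewall) and SA2
(device B <-> firewall), derives one shared encryption parameter from both,
decrypts only a COPY of each packet inside a restricted scope, scans the copy,
then forwards the untouched original and deletes the copy, or drops both.
ESP/AH framing and the cipher (HMAC-SHA256 keystream + tag) are simplified
stand-ins for the RFC 4302/4303 transforms, adequate for the flow only."""
import hashlib
import hmac
import os
import struct

IPPROTO_ESP, IPPROTO_AH = 50, 51
ICV_LEN = 12                 # truncated tag, as in the *-96 integrity transforms
AH_HDR_LEN = 12 + ICV_LEN    # next(1) len(1) rsv(2) SPI(4) SEQ(4) ICV

def derive_shared_key(sa1_secret: bytes, sa2_secret: bytes, spi: int) -> bytes:
    """The shared 'encryption parameter', computed from both SA secrets and the
    SPI.  Assumed construction: the claims name no particular derivation."""
    info = b"scan-fw-shared-key" + struct.pack(">I", spi)
    return hmac.new(sa1_secret + sa2_secret, info, hashlib.sha256).digest()

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    out = b""
    for blk in range(0, n, 32):   # counter-mode keystream from HMAC blocks
        out += hmac.new(key, iv + struct.pack(">I", blk // 32), hashlib.sha256).digest()
    return out[:n]

def _tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]

def ip_header(proto: int, payload_len: int) -> bytes:
    # Minimal IPv4 header; the firewall only reads the protocol field (byte 9).
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def esp_packet(key: bytes, spi: int, seq: int, plaintext: bytes) -> bytes:
    # IP | ESP: SPI(4) SEQ(4) IV(8) ciphertext ICV(12)
    iv = os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, iv, len(plaintext))))
    body = struct.pack(">II", spi, seq) + iv + ct
    return ip_header(IPPROTO_ESP, len(body) + ICV_LEN) + body + _tag(key, body)

def ah_packet(key: bytes, spi: int, seq: int, plaintext: bytes) -> bytes:
    # IP | AH header | cleartext payload.  AH authenticates but never encrypts.
    # Simplification: the ICV here does not cover the immutable IP header fields.
    ah = struct.pack(">BBHII", 0, AH_HDR_LEN // 4 - 2, 0, spi, seq)
    icv = _tag(key, ah + bytes(ICV_LEN) + plaintext)
    return ip_header(IPPROTO_AH, AH_HDR_LEN + len(plaintext)) + ah + icv + plaintext

BLOCKED_SIGNATURES = (b"cmd.exe /c", b"<script>")   # constructed sample criterion

def no_blocked_signature(plaintext: bytes) -> bool:
    return not any(sig in plaintext for sig in BLOCKED_SIGNATURES)

class ScanningFirewall:
    def __init__(self, sa1_secret, sa2_secret, spi, criterion=no_blocked_signature):
        self._key = derive_shared_key(sa1_secret, sa2_secret, spi)
        self._criterion = criterion    # callable(plaintext) -> True if compliant
        self.operator_log = []         # all an operator sees: verdicts and sizes

    def _restricted_scan(self, packet: bytes) -> str:
        """Models the operator-inaccessible portion: the decrypted copy exists only
        in this scope and is wiped before a verdict leaves it (best effort in Python)."""
        copy = bytearray(packet)       # `packet` itself is never modified
        try:
            body = bytes(copy[20:])
            if copy[9] == IPPROTO_ESP:   # protocol field selects the ESP or AH flow
                hdr_ct, icv = body[:-ICV_LEN], body[-ICV_LEN:]
                if not hmac.compare_digest(_tag(self._key, hdr_ct), icv):
                    return "auth-failed"
                iv, ct = hdr_ct[8:16], hdr_ct[16:]
                plaintext = bytes(a ^ b for a, b in zip(ct, _keystream(self._key, iv, len(ct))))
            elif copy[9] == IPPROTO_AH:
                ah, icv, plaintext = body[:12], body[12:AH_HDR_LEN], body[AH_HDR_LEN:]
                if not hmac.compare_digest(_tag(self._key, ah + bytes(ICV_LEN) + plaintext), icv):
                    return "auth-failed"
            else:
                return "unsupported"
            return "compliant" if self._criterion(plaintext) else "noncompliant"
        finally:
            for i in range(len(copy)):   # delete the copy: zero it, then drop it
                copy[i] = 0

    def process(self, packet: bytes):
        """Returns the original packet to forward, or None when it is discarded."""
        verdict = self._restricted_scan(packet)
        self.operator_log.append({"proto": packet[9], "len": len(packet), "verdict": verdict})
        return packet if verdict == "compliant" else None

def demo():
    sa1, sa2, spi = os.urandom(32), os.urandom(32), 0x1001
    key = derive_shared_key(sa1, sa2, spi)      # the two endpoints hold this too
    fw = ScanningFirewall(sa1, sa2, spi)
    good = esp_packet(key, spi, 1, b"GET /index.html HTTP/1.1\r\n")
    bad = esp_packet(key, spi, 2, b"POST /x <script>alert(1)</script>")
    forged = bad[:-1] + bytes([bad[-1] ^ 1])    # damaged ICV: authentication fails
    clear = ah_packet(key, spi, 3, b"cmd.exe /c whoami")
    return [fw.process(p) is not None for p in (good, bad, forged, clear)], fw.operator_log
```

Two points the model makes visible. First, the firewall is a sanctioned man-in-the-middle: it can only decrypt because both endpoints agreed to an encryption parameter it can compute from its own two SAs, so a firewall with the wrong SA secret fails the integrity check and drops the packet rather than scanning garbage. Second, the "predetermined portion restricted from operators" is represented here by a function scope whose only return value is a verdict; a real device has to enforce that boundary with hardware or OS isolation, since a Python scope, zeroing a bytearray included, stops nothing. Note also that AH traffic needs no decryption at all, only an integrity check, because AH never encrypts the payload.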
Specification