Secure gateway with firewall and intrusion detection capabilities
First Claim
1. A method for detecting attacks on a network, comprising:
receiving data at a gateway from a remote source, the data destined for a target;
discarding at least a portion of the data based on a predetermined set of rules utilizing a firewall associated with the gateway which is coupled to the remote source, wherein the firewall utilizes the predetermined set of rules to discard the at least a portion of data as a function of a plurality of parameters selected from the group consisting of a source, a destination, and a port associated with the data;
passing that portion of the data not discarded to an intrusion detection system coupled to the firewall;
receiving the portion of data not discarded utilizing the intrusion detection system;
parsing the portion of data not discarded to identify data representing text therein utilizing the intrusion detection system;
comparing the portion of data not discarded representing text to a predetermined list of data representing text associated with attacks utilizing the intrusion detection system, wherein the data representing text of the predetermined list refers to different types of attacks selected from the group consisting of information gathering attacks, a web server denial of service attack, and a file server remote compromise;
identifying the portion of data not discarded representing text as hostile based on the comparison;
acting on the portion of data not discarded representing text identified as hostile in order to prevent an attack, wherein the portion of data not discarded representing text identified as hostile is acted upon differently based on the type of the attack by at least one of blocking the data, alerting an administrator, and disconnecting the remote source; and
updating the predetermined list of data representing text associated with attacks;
wherein the firewall and the intrusion detection system are included in a single device;
wherein the portion of data not discarded representing text identified as hostile is marked with an identifier from a table based on the comparison, the identifier being used to determine the manner in which the data representing text identified as hostile is acted upon;
wherein the text includes ASCII characters and UNICODE characters;
wherein the comparing, identifying, and acting further involves binary data, in order to identify binary data that is hostile;
wherein the portion of data not discarded is assembled utilizing the intrusion detection system using header information associated with one or more packets comprising the portion of data not discarded.
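The claim describes a two-stage pipeline: a firewall discards packets by source, destination and port, and an intrusion detection system reassembles the survivors from header fields, decodes the text, matches it (and raw bytes) against a signature list whose identifiers select the response, and can have that list updated. The following Python is an added illustration of that pipeline written for this page, not code from the patent or any product; every rule, signature, address and payload is constructed.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    port: int
    seq: int
    payload: bytes

# Firewall rules as (source, destination, port); None is a wildcard. Constructed values.
DISCARD_RULES = [("10.0.0.66", None, None), (None, "192.0.2.10", 23)]
# Signature table: identifier -> (pattern, attack type). A str pattern is matched against
# decoded text (ASCII/Unicode), a bytes pattern against raw binary data. Constructed values.
SIGNATURES = {
    "IG-001": ("/etc/passwd", "information gathering"),
    "DOS-001": ("GET /" + "A" * 64, "web server denial of service"),
    "FS-001": (b"\x90\x90\x90\x90\xcc", "file server remote compromise"),
}
# Attack type -> response; the identifier found in the table decides how the data is handled.
ACTIONS = {"information gathering": "alert",
           "web server denial of service": "block",
           "file server remote compromise": "disconnect"}

def firewall_pass(pkt):
    """Keep the packet unless a discard rule matches its source, destination and port."""
    return not any(s in (None, pkt.src) and d in (None, pkt.dst) and p in (None, pkt.port)
                   for s, d, p in DISCARD_RULES)

def reassemble(packets):
    """Group packets into flows by header fields and join payloads in sequence order."""
    flows = {}
    for pkt in sorted(packets, key=lambda p: p.seq):
        flows.setdefault((pkt.src, pkt.dst, pkt.port), []).append(pkt.payload)
    return {flow: b"".join(chunks) for flow, chunks in flows.items()}

def inspect_flow(data):
    """Compare decoded text and raw bytes against the signature table; return the first hit."""
    text = data.decode("utf-8", errors="replace")
    for ident, (pattern, kind) in SIGNATURES.items():
        if (pattern in text) if isinstance(pattern, str) else (pattern in data):
            return {"id": ident, "type": kind, "action": ACTIONS[kind]}
    return None

def gateway(packets):
    """Firewall stage, then IDS stage; one verdict per surviving flow (None means clean)."""
    survivors = [p for p in packets if firewall_pass(p)]
    return {flow: inspect_flow(data) for flow, data in reassemble(survivors).items()}

def add_signature(ident, pattern, kind):
    """Update the predetermined list at run time with a new text or binary signature."""
    SIGNATURES[ident] = (pattern, kind)
```

Reassembly before matching matters: a signature split across two packets (as in the first flow below) is only visible once the flow is joined in sequence order.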
11 Assignments
0 Petitions
Abstract
A system, method and computer program product are provided. Initially, data is received from a remote source which is destined for a target. A portion of such data is discarded based on a predetermined set of rules utilizing a firewall. Further, the data is compared to a predetermined list of data associated with attacks utilizing an intrusion detection system. Based on the comparison, some of the data is marked as hostile. The data that is marked as hostile is then acted upon in order to prevent an attack.
103 Citations
20 Claims
1. A method for detecting attacks on a network, comprising:
receiving data at a gateway from a remote source, the data destined for a target;
discarding at least a portion of the data based on a predetermined set of rules utilizing a firewall associated with the gateway which is coupled to the remote source, wherein the firewall utilizes the predetermined set of rules to discard the at least a portion of data as a function of a plurality of parameters selected from the group consisting of a source, a destination, and a port associated with the data;
passing that portion of the data not discarded to an intrusion detection system coupled to the firewall;
receiving the portion of data not discarded utilizing the intrusion detection system;
parsing the portion of data not discarded to identify data representing text therein utilizing the intrusion detection system;
comparing the portion of data not discarded representing text to a predetermined list of data representing text associated with attacks utilizing the intrusion detection system, wherein the data representing text of the predetermined list refers to different types of attacks selected from the group consisting of information gathering attacks, a web server denial of service attack, and a file server remote compromise;
identifying the portion of data not discarded representing text as hostile based on the comparison;
acting on the portion of data not discarded representing text identified as hostile in order to prevent an attack, wherein the portion of data not discarded representing text identified as hostile is acted upon differently based on the type of the attack by at least one of blocking the data, alerting an administrator, and disconnecting the remote source; and
updating the predetermined list of data representing text associated with attacks;
wherein the firewall and the intrusion detection system are included in a single device;
wherein the portion of data not discarded representing text identified as hostile is marked with an identifier from a table based on the comparison, the identifier being used to determine the manner in which the data representing text identified as hostile is acted upon;
wherein the text includes ASCII characters and UNICODE characters;
wherein the comparing, identifying, and acting further involves binary data, in order to identify binary data that is hostile;
wherein the portion of data not discarded is assembled utilizing the intrusion detection system using header information associated with one or more packets comprising the portion of data not discarded.
Dependent claims: 2, 3, 4, 5, 16, 17, 18, 19, 20

6. A gateway system for detecting attacks on a network, comprising:
a firewall for receiving data from a remote source, the data destined for a target, and discarding at least a portion of the data based on a predetermined set of rules, wherein the firewall utilizes the predetermined set of rules to discard the at least a portion of data as a function of a plurality of parameters selected from the group consisting of a source, a destination, and a port associated with the data;
an intrusion detection system coupled to the firewall for receiving that portion of the data not discarded, parsing the portion of data not discarded to identify data representing text therein, and comparing the portion of data not discarded representing text to a predetermined list of data representing text associated with attacks, wherein the data representing text of the predetermined list refers to different types of attacks selected from the group consisting of information gathering attacks, a web server denial of service attack, and a file server remote compromise, the intrusion detection system further capable of identifying the portion of data not discarded representing text as hostile based on the comparison, and acting on the portion of data not discarded representing text identified as hostile in order to prevent an attack, wherein the portion of data not discarded representing text identified as hostile is acted upon differently based on the type of the attack by at least one of blocking the data, alerting an administrator, and disconnecting the remote source, the intrusion detection system further capable of updating the predetermined list of data representing text associated with attacks;
wherein the firewall and the intrusion detection system are included in a single device;
wherein the portion of data not discarded representing text identified as hostile is marked with an identifier from a table based on the comparison, the identifier being used to determine the manner in which the portion of data not discarded representing text identified as hostile is acted upon;
wherein the text includes ASCII characters and UNICODE characters;
wherein the comparing, identifying, and acting further involves binary data, in order to identify binary data that is hostile;
wherein the portion of data not discarded is assembled utilizing the intrusion detection system using header information associated with one or more packets comprising the portion of data not discarded.
Dependent claims: 7, 8, 9, 10

11. A computer program product embodied on a non-transitory computer readable medium for detecting attacks on a network, comprising:
firewall computer code for receiving data from a remote source, the data destined for a target, and discarding at least a portion of the data based on a predetermined set of rules, wherein the firewall computer code utilizes the predetermined set of rules to discard the at least a portion of data as a function of a plurality of parameters selected from the group consisting of a source, a destination, and a port associated with the data;
intrusion detection system computer code in communication with the firewall computer code for receiving that portion of the data not discarded, parsing the portion of data not discarded to identify data representing text therein, and comparing the portion of data not discarded representing text to a predetermined list of data representing text associated with attacks, wherein the data representing text of the predetermined list refers to different types of attacks selected from the group consisting of information gathering attacks, a web server denial of service attack, and a file server remote compromise, the intrusion detection system computer code further capable of identifying the portion of data not discarded representing text as hostile based on the comparison, and acting on the portion of data not discarded representing text identified as hostile in order to prevent an attack, wherein the portion of data not discarded representing text identified as hostile is acted upon differently based on the type of the attack by at least one of blocking the data, alerting an administrator, and disconnecting the remote source, the intrusion detection system computer code further capable of updating the predetermined list of data representing text associated with attacks;
wherein the firewall and the intrusion detection system are included in a single device;
wherein the portion of data not discarded representing text identified as hostile is marked with an identifier from a table based on the comparison, the identifier being used to determine the manner in which the portion of data not discarded representing text identified as hostile is acted upon;
wherein the text includes ASCII characters and UNICODE characters;
wherein the comparing, identifying, and acting further involves binary data, in order to identify binary data that is hostile;
wherein the portion of data not discarded is assembled utilizing the intrusion detection system using header information associated with one or more packets comprising the portion of data not discarded.
Dependent claims: 12, 13, 14, 15

Specification