System and method for providing network and computer firewall protection with dynamic address isolation to a device

DC CAFC

US 8,365,272 B2
Filed: 05/30/2008
Issued: 01/29/2013
Est. Priority Date: 05/30/2007
Status: Active Grant

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A computer, comprising:

a processor and memory;

an application associated with an application address;

a network interface coupled to receive incoming data packets from and transmit outgoing data packets to an external network;

a network address translation engine configured to translate between the application address and a public address; and

a driver coupled to the network interface, the driver for automatically forwarding the outgoing data packets to the network address translation engine to translate the application address to the public address, and for automatically forwarding the incoming data packets to the network address translation engine to translate the public address to the application address;

the driver coupled to transmit the incoming data packets to a firewall configured to reject the incoming data packets if the incoming data packets include malicious content according to a mobile device security policy, and allow the incoming data packets to be forwarded to the application if the incoming data packets do not include malicious content according to the mobile device security policy.

View all claims

2 Assignments

Timeline View

Assignment View

Litigations

1 Petition

Accused Products

Abstract

A computer performs dynamic address isolation. The computer comprises an application associated with an application address, a network interface coupled to receive incoming data packets from and transmit outgoing data packets to an external network, a network address translation engine configured to translate between the application address and a public address, and a driver for automatically forwarding the outgoing data packets to the network address translation engine to translate the application address to the public address, and for automatically forwarding the incoming data packets to the network address translation engine to translate the public address to the application address. The computer may communicate with a firewall configured to handle both network-level security and application-level security.

69 Citations

View as Search Results

19 Claims

1. A computer, comprising:
- a processor and memory;
  
  an application associated with an application address;
  
  a network interface coupled to receive incoming data packets from and transmit outgoing data packets to an external network;
  
  a network address translation engine configured to translate between the application address and a public address; and
  
  a driver coupled to the network interface, the driver for automatically forwarding the outgoing data packets to the network address translation engine to translate the application address to the public address, and for automatically forwarding the incoming data packets to the network address translation engine to translate the public address to the application address;
  
  the driver coupled to transmit the incoming data packets to a firewall configured to reject the incoming data packets if the incoming data packets include malicious content according to a mobile device security policy, and allow the incoming data packets to be forwarded to the application if the incoming data packets do not include malicious content according to the mobile device security policy.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer of claim 1, wherein the network address translation engine is part of the driver.
  - 3. The computer of claim 1, wherein the network address translation engine is part of the firewall.
  - 4. The computer of claim 3, wherein the firewall is located on a mobile security system configured to implement the mobile security policy.
  - 5. The computer of claim 1, wherein the network address translation engine is configured to use Dynamic Host Configuration Protocol to translate the application address to the public address and the public address to the application address.
  - 6. The computer of claim 1, wherein the computer is configured to send data packets identifying the application to a firewall, and the firewall is configured to handle both network-level security and application-level security.

7. A system, comprising:
- a network interface coupled to an external network;
  
  a firewall in communication with the network interface, the firewall configured to handle both network-level security and application-level security;
  
  a computer in communication with the firewall, the computer having one or more applications, each of the one or more applications associated with at least one application address, and the computer being configured to send to the firewall data packets identifying the one or more applications to the firewall; and
  
  a network address translation engine configured to translate the at least one application address of the one or more applications to a public address, thereby dynamically isolating the one or more applications from the external network;
  
  the firewall being configured to;
  
  reject the data packets if the data packets include malicious content according to a mobile device security policy; and
  
  allow the data packets to pass to the one or more applications if the data packets do not include malicious content according to the mobile device security policy.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein:
    - each data packet is associated with one of the one or more applications; and
      
      each data packet comprises data identifying the application associated with the data packet.
  - 9. The system of claim 8, wherein the firewall is configured to use the data identifying the application associated with the data packet to handle application-level security, to create a data packet subset by removing the data identifying the application from the data packet, and to send the data packet subset to an external network.
  - 10. The system of claim 7, wherein the network interface is configured to receive incoming data from an external network, and to route the incoming data to the firewall.
  - 11. The system of claim 7, wherein:
    - the firewall comprises the network address translation engine, thereby being configured to dynamically isolate the application address from the external network.
  - 12. The system of claim 11, wherein the firewall is configured to dynamically isolate the address from the external network through the use of Dynamic Host Configuration Protocol.

13. A method within a personal computer of processing incoming data associated with a public address, the method comprising:
- receiving the incoming data from an external network;
  
  translating the public address of the incoming data into an internal address associated with an application;
  
  providing the incoming data to a firewall on a mobile security device coupled to the personal computer;
  
  receiving an analysis, based on a mobile device security policy implemented on the firewall, of the incoming data for malicious code;
  
  routing the analyzed data to the application if the analyzed data does not comprise the malicious code;
  
  rejecting the analyzed data if the analyzed data includes the malicious code according to the mobile device security policy; and
  
  allowing the analyzed data to pass to the application if the analyzed data does not include the malicious code according to the mobile device security policy.
- View Dependent Claims (14, 15)
- - 14. The method of claim 13, wherein the analyzing step comprises analyzing the data for malicious code at both the network level and the application level.
  - 15. The method of claim 13, wherein the translating step uses Dynamic Host Configuration Protocol.

16. A method within a computer of processing outgoing data, the method comprising:
- receiving the outgoing data from an application, the application being associated with an internal address;
  
  translating, using a network address translation engine within the computer, the internal address into a public address;
  
  routing, using a driver within the computer, at least a subset of the outgoing data to an external network using the public address, thereby dynamically isolating the internal address from the external network; and
  
  providing, using a network interface within the computer, the subset of the outgoing data to the external network.
- View Dependent Claims (17, 18, 19)
- - 17. The method of claim 16, wherein the translating step uses Dynamic Host Configuration Protocol.
  - 18. The method of claim 16, further comprising:
    - configuring the outgoing data into one or more data packets;
      
      associating each of the one or more data packets with the application; and
      
      embedding application-identifying data in each of the one or more data packets.
  - 19. The method of claim 18,further comprising creating one or more data packet subsets by removing the application-identifying data from each of the one or more data packets,wherein the routing step comprises routing the one or more data packet subsets to the external network.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
CUPP Computing AS
Original Assignee
Yoggie Security Systems, Ltd. (CUPP Computing AS)
Inventors
Touboul, Shlomo
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Hailu, Teshome

Application Number

US12/130,914
Publication Number

US 20090126003A1
Time in Patent Office

1,705 Days
Field of Search

726/13
US Class Current

726/13
CPC Class Codes

H04L 61/25   of the same type

H04L 63/02   for separating internal fro...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/20   for managing network securi...

System and method for providing network and computer firewall protection with dynamic address isolation to a device

First Claim

2 Assignments

Litigations

1 Petition

Accused Products

Abstract

69 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing network and computer firewall protection with dynamic address isolation to a device

First Claim

2 Assignments

Subscription Required

Subscription Required

Litigations

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links