Data protection system selectively altering an end portion of packets based on incomplete determination of whether a packet is valid or invalid

US 8,458,784 B2
Filed: 09/10/2010
Issued: 06/04/2013
Est. Priority Date: 07/07/2000
Status: Expired due to Fees

- Alert
- Pin

First Claim

Patent Images

1. A data protection system for filtering packets between at least an internet network and an internal network, wherein data is transmitted and received in the form of a plurality of packets, comprising:

a first interface circuit for coupling packets to and from the internet network;

a second interface circuit for coupling packets to and from the internal network;

a filtering circuit coupled between the first interface circuit and the second interface circuit;

wherein, as a packet is being received and transmitted between the first and second interface circuits, the packet is simultaneously subjected to one or more filtering criteria by the filtering circuit, wherein an end portion of the packet is selectively altered by the filtering circuit based on the filtering criteria, wherein the packet is selectively altered to be invalid if a determination has not been made as to whether the packet is valid or invalid by the time the end portion of the packet is received.

View all claims

1 Assignment

Timeline View

Assignment View

Litigations

1 Petition

Accused Products

Abstract

Methods and systems for firewall/data protection that filters data packets in real time and without packet buffering are disclosed. A data packet filtering hub, which may be implemented as part of a switch or router, receives a packet on one link, reshapes the electrical signal, and transmits it to one or more other links. During this process, a number of filters checks are performed in parallel, resulting in a decision about whether each packet should or should not be invalidated by the time that the last bit is transmitted. To execute this task, the filtering hub performs rules-based filtering on several levels simultaneously, preferably with a programmable logic or other hardware device. Various methods for packet filtering in real time and without buffering with programmable logic are disclosed. The system may include constituent elements of a stateful packet filtering hub, such as microprocessors, controllers, and integrated circuits. The system may be reset, enabled, disabled, configured, and/or reconfigured with toggles or other physical switches. Audio and visual feedback may be provided regarding the operation and status of the system.

69 Citations

View as Search Results

36 Claims

1. A data protection system for filtering packets between at least an internet network and an internal network, wherein data is transmitted and received in the form of a plurality of packets, comprising:
- a first interface circuit for coupling packets to and from the internet network;
  
  a second interface circuit for coupling packets to and from the internal network;
  
  a filtering circuit coupled between the first interface circuit and the second interface circuit;
  
  wherein, as a packet is being received and transmitted between the first and second interface circuits, the packet is simultaneously subjected to one or more filtering criteria by the filtering circuit, wherein an end portion of the packet is selectively altered by the filtering circuit based on the filtering criteria, wherein the packet is selectively altered to be invalid if a determination has not been made as to whether the packet is valid or invalid by the time the end portion of the packet is received.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 2. The system of claim 1, wherein the filtering criteria determine whether the packet is to be a valid packet or an invalid packet, wherein the packet is selectively altered to be invalid if it was determined that the packet should be an invalid packet.
  - 3. The system of claim 1, wherein the filtering circuit includes at least first logic for determining characteristics of the packet being received and transmitted between the first and second interface circuits and at least a filter portion that subjects the packet to the plurality of filtering criteria while the packet is being received and transmitted between the first and second interface circuits.
  - 4. The system of claim 3, wherein the filter portion includes at least a stateful filter portion and a non-stateful filter portion.
  - 5. The system of claim 4, wherein the stateful filter portion subjects the packet to one or more stateful filtering criterion and the non-stateful filter portion subjects the packet to one or more non-stateful filtering criterion.
  - 6. The system of claim 4, wherein the stateful filter portion subjects the packet to one or more stateful filtering criterion while the non-stateful filter portion subjects the packet to one or more non-stateful filtering criterion.
  - 7. The system of claim 6, wherein the stateful filtering criteria are dependent upon physical switch position, packet characteristics, clock time and/or user-specified criteria.
  - 8. The system of claim 7, wherein the user-specified criteria are entered via a physical input device.
  - 9. The system of claim 8, wherein the physical input device comprises one or more switches, an audio input device, or display input device.
  - 10. The system of claim 9, wherein the one or more switches comprise a toggle switch, button switch or multi-state switch.
  - 11. The system of claim 7, wherein the user specified criteria are entered via a configuration software.
  - 12. The system of claim 11, wherein the user specified criteria are transferred from the configuration software to the system using a network protocol, infrared port or cable attachment.
  - 13. The system of claim 4, wherein a result aggregator logic receives one or more signals from the stateful filter portion and the non-stateful filter portion, wherein based on the received signals the result aggregator logic controls whether the packet is selectively altered to be invalid.
  - 14. The system of claim 13, wherein the result aggregator logic receives a completion signal that indicates whether the stateful and/or non-stateful filter portions have subjected the packet to all of the filtering criteria.
  - 15. The system of claim 14, wherein the packet is selectively altered by the filtering circuit to be invalid in response to the completion signal not being received by the result aggregator logic by a time when the end portion of the packet has been received.
  - 16. The system of claim 1, wherein the packet is subjected to the plurality of filtering criteria in parallel with the packet being received and transmitted between the first and second interface circuits.
  - 17. The system of claim 1, wherein the packet is subjected to the plurality of filtering criteria in real time with the packet being received and transmitted between the first and second interface circuits.
  - 18. The system of claim 1, further comprising one or more physical switches, wherein the packet is selectively subjected to the filtering criteria based on the state of the one or more physical switches.
  - 19. The system of claim 18, wherein the state of the one or more physical switches selectively enable or disable a predetermined portion of the filtering criteria.
  - 20. The system of claim 18, wherein the state of the one or more physical switches selectively enable or disable a predetermined portion of the filtering criteria based on whether a computer coupled to the internal network is controlled to operate in a client mode or a server mode.
  - 21. The system of claim 18, wherein the state of the one or more physical switches selectively controls a configuration or reconfiguration operation of the filtering circuit.
  - 22. The system of claim 18, wherein the state of the one or more physical switches selectively controls a reset operation of the filtering circuit.
  - 23. The system of claim 1, further comprising one or more visual or audio feedback devices, wherein the one or more visual or audio feedback devices selectively provide visual or audio feedback of the operation or status of the system.
  - 24. The system of claim 23, wherein the one or more visual or audio feedback devices provide visual or audio feedback that the system is powered or operational.
  - 25. The system of claim 23, wherein the one or more visual or audio feedback devices provide visual or audio feedback that the system is subjecting a packet to the filtering criteria.
  - 26. The system of claim 23, wherein the one or more visual or audio feedback devices provide visual or audio feedback that the system has rejected one or more packets.
  - 27. The system of claim 23, wherein the one or more visual or audio feedback devices provide visual or audio feedback that a computer coupled to the internal network is suspected to be under attack.
  - 28. The system of claim 27, wherein the one or more visual or audio feedback devices provide visual or audio feedback of an estimated severity of the attack.
  - 29. The system of claim 23, wherein the one or more visual or audio feedback devices provide visual or audio feedback of a state of the system until the one or more visual or audio feedback. devices are reset by a user.
  - 30. The system of claim 29, wherein the one or more visual or audio feedback devices are reset by the state of a physical switch.
  - 31. The system of claim 23, wherein the one or more visual or audio feedback devices comprise at least one light source, wherein the light source is selectively controlled to provide information indicative of the operation or status of the system.
  - 32. The system of claim 31, wherein the light source is controlled to have a first color or a second color depending on the operation or status of the system.
  - 33. The system of claim 31, wherein The light source is controlled to selectively blink depending on the operation or status of the system.
  - 34. The system of claim 33, wherein the light source is controlled to selectively blink at a rate that is indicative of a severity level of a suspected attack on a computer coupled to the internal network.
  - 35. The system of claim 31, wherein the at least one light source comprises an LED.
  - 36. The system of claim 23, wherein the one or more visual or audio feedback devices comprise a speaker.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
802 Systems Inc.
Original Assignee
802 Systems Inc.
Inventors
Krumel, Andrew K.
Primary Examiner(s)
SIMITOSKI, MICHAEL J

Application Number

US12/807,641
Publication Number

US 20110197273A1
Time in Patent Office

998 Days
Field of Search

713/154, 709/229, 726/11, 726/12, 726/13
US Class Current

726/13
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

Data protection system selectively altering an end portion of packets based on incomplete determination of whether a packet is valid or invalid

First Claim

1 Assignment

Litigations

1 Petition

Accused Products

Abstract

69 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Data protection system selectively altering an end portion of packets based on incomplete determination of whether a packet is valid or invalid

First Claim

1 Assignment

Subscription Required

Subscription Required

Litigations

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links