Application gateway system and method for maintaining security in a packet-switched information network

US 8,566,920 B2
Filed: 09/30/2009
Issued: 10/22/2013
Est. Priority Date: 12/07/2001
Status: Expired due to Fees

First Claim

Patent Images

1. An electronic device for handling packets being exchanged between an untrusted network and a protected network, the electronic device comprising:

a plurality of gateway devices for processing packets associated with respective ones of a plurality of different communication protocols, each gateway device operating based upon a user mode; and

a packet processor device operating based upon a kernel mode and forintercepting a packet from the untrusted network and intended for delivery to the protected network, the packet comprising original values for source and destination information fields, the original value for the source information field comprising a source address, the original value for the destination information field comprising a destination address,replacing the original values for the source and destination information fields with replacement values, different from the original values, for the source and destination information fields,determining whether the packet is associated with at least one of the plurality of different communication protocols and if so, routing the packet to the respective gateway device based upon packet source information and an associated communication protocol of the packet so that the respective gateway device authenticates the routed packet based upon the at least one communication protocol, and otherwise processing the packet for delivery to the protected network,receiving from said plurality of gateway devices authenticated packets and processing the authenticated packets for delivery to the protected network, andrestoring processed packets from said plurality of gateway devices to include the original values for the source and destination information fields.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatuses are disclosed for handling digital data packets at a logical borderline that separates an untrusted packet-switched information network from a protected domain. A packet processor part intercepts a packet that is in transit between the untrusted packet-switched information network and the protected domain. The packet is examined at the packet processor part in order to determine, whether the packet contains digital data that pertains to a certain protocol. If the packet is not found to contain such digital data, it is processed at the packet processor part. If the packet is found to contain digital data that pertains to said certain protocol, it gets redirected to an application gateway part that processes the packet according to a set of processing rules based on obedience to said certain protocol. The packet processor part is a kernel mode process running in a computer device and the application gateway part is a user mode process running in a computer device.

Citations

22 Claims

1. An electronic device for handling packets being exchanged between an untrusted network and a protected network, the electronic device comprising:
- a plurality of gateway devices for processing packets associated with respective ones of a plurality of different communication protocols, each gateway device operating based upon a user mode; and
  
  a packet processor device operating based upon a kernel mode and forintercepting a packet from the untrusted network and intended for delivery to the protected network, the packet comprising original values for source and destination information fields, the original value for the source information field comprising a source address, the original value for the destination information field comprising a destination address,replacing the original values for the source and destination information fields with replacement values, different from the original values, for the source and destination information fields,determining whether the packet is associated with at least one of the plurality of different communication protocols and if so, routing the packet to the respective gateway device based upon packet source information and an associated communication protocol of the packet so that the respective gateway device authenticates the routed packet based upon the at least one communication protocol, and otherwise processing the packet for delivery to the protected network,receiving from said plurality of gateway devices authenticated packets and processing the authenticated packets for delivery to the protected network, andrestoring processed packets from said plurality of gateway devices to include the original values for the source and destination information fields.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The electronic device according to claim 1 wherein said packet processor routes the packet by at least replacing the original value of the destination information field within the packet with a replacement value identifying the respective gateway device as the destination of the packet, and communicates to the respective gateway device the original value of the destination information field;
    - and wherein the respective gateway device uses the original value of the destination information field in processing the packet.
  - 3. The electronic device according to claim 2 wherein said packet processor replaces the original value of the source information field in the packet with a replacement value identifying said packet processor as a source of the packet, and communicates to the respective gateway device the original value of the source information field;
    - and wherein the respective gateway device uses the original value of the source information field for processing the packet.
  - 4. The electronic device according to claim 2 wherein said packet processor transmits the original value together with the routed packet.
  - 5. The electronic device according to claim 4 wherein said packet processor sets a value of a certain bit in the packet to indicate the presence of urgent information within the packet, inserts into a pointer field in the packet a pointer value that points at the end of urgent information within the packet, and inserts the original value as urgent information into the packet before the location pointed at by the pointer value;
    - and wherein the respective gateway device reads the original value from the location in the packet pointed at by the pointer value.
  - 6. The electronic device according to claim 4 wherein said packet processor sets a value of an options field in the packet to indicate the presence of optional information within the packet, and inserts the original value into the packet as optional information;
    - and wherein the respective gateway device reads the original value from the packet as optional information.
  - 7. The electronic device according to claim 2 wherein the communicating of the original value comprises transmitting the original value from the packet processor to the respective gateway device separately from the routed packet.
  - 8. The electronic device according to claim 7 wherein said packet processor composes a messaging packet that conforms to a messaging protocol, inserts the original value into the messaging packet together with the replacement value, and transmits the messaging packet to the respective gateway device;
    - and wherein the respective gateway device receives the messaging packet, and associates the original value read from the messaging packet with the replacement value found in the routed packet.
  - 9. The electronic device according to claim 8 wherein the messaging packet comprises a User Datagram Protocol (UDP) packet.
  - 10. The electronic device according to claim 8 wherein said packet processor transmits the messaging packet to the respective gateway device a plurality of times to transmit redundant copies of the messaging packet.
  - 11. The electronic device according to claim 7 wherein the respective gateway device transmits to said packet processor a query for original values of desired fields;
    - and wherein said packet processor only transmits the original values of the desired fields to the respective gateway device as a response to the query.
  - 12. The electronic device according to claim 7 wherein said packet processor transmits the original value to the respective gateway device, and if the respective gateway device has not received the transmitted original value within a certain time limit after the reception of a packet for which the original value is associated, the respective gateway device transmits to said packet processor a query for the original value so that said packet processor also transmits the original value to the respective gateway device as a response to the query.
  - 13. The electronic device according to claim 1 wherein said packet processor routes the packet by at least:
    - prepending a header to the packet comprising a value identifying the respective gateway device as the destination of the packet;
      
      stripping the prepended header from the packet at the respective gateway device; and
      
      using the original value of a destination information field in the packet at the respective gateway device in processing the packet.
  - 14. The electronic device according to claim 13 wherein the prepended header also includes a value that identifies the packet processor as the source of the packet.
  - 15. The electronic device according to claim 1 wherein said packet processor envelopes a packet to be rerouted to the respective gateway device into an enveloping packet;
    - and wherein the respective gateway device extracts the original packet from the enveloping packet.
  - 16. The electronic device according to claim 15 wherein the enveloping packet is based upon the Socks protocol.

17. A method for handling packets exchanged between an untrusted network and a protected network in a device comprising a plurality of gateways and a packet processor communicating therewith, the method comprising:
- using the plurality of gateway devices for processing packets associated with respective ones of a plurality of different communication protocols, each gateway device operating based upon a user mode; and
  
  operating the packet processor device based upon a kernel mode and forintercepting a packet from the untrusted network and intended for delivery to the protected network, the packet comprising original values for source and destination information fields, the original value for the source information field comprising a source address, the original value for the destination information field comprising a destination address,replacing the original values for the source and destination information fields with replacement values, different from the original values, for the source and destination information fields,determining whether the packet is associated with at least one of the plurality of different communication protocols and if so, routing the packet to the respective gateway device based upon packet source information and an associated communication protocol of the packet so that the respective gateway device authenticates the routed packet based upon the at least one communication protocol, and otherwise processing the packet for delivery to the protected network,receiving from the plurality of gateway devices authenticated packets and processing the authenticated packets for delivery to the protected network, andrestoring processed packets from the plurality of gateway devices to include the original values of the source and destination information fields.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The method according to claim 17 further comprising:
    - routing the packet by at least replacing the original value of the destination information field within the packet with a replacement value identifying the respective gateway device as the destination of the packet, and communicating to the respective gateway device the original value of the destination information field; and
      
      using the respective gateway device to use the original value of the destination information field in processing the packet.
  - 19. The method according to claim 18 further comprising:
    - using the packet processor device to replace the original value of the source information field in the packet with a replacement value identifying the packet processor device as a source of the packet, and communicate to the respective gateway device the original value of the source information field; and
      
      using the respective gateway device to use the original value of the source information field for processing the packet.
  - 20. The method according to claim 18 wherein the communicating of the original value of the destination information field comprises transmitting the original value together with the routed packet.
  - 21. The method according to claim 20 further comprising:
    - using the packet processor device to set a value of a certain bit in the packet to indicate the presence of urgent information within the packet, insert into a pointer field in the packet a pointer value that points at the end of urgent information within the packet, and insert the original value as urgent information into the packet before the location pointed at by the pointer value; and
      
      using the respective gateway device to read the original value from the location in the packet pointed at by the pointer value.

22. An electronic device for handling packets being exchanged between an untrusted network and a protected network, the electronic device comprising:
- first and second network interfaces respectively communicating with the untrusted and protected networks;
  
  a plurality of gateway devices for processing packets associated with respective ones of a plurality of different communication protocols and received via the first network interface, each gateway device operating based upon a user mode; and
  
  a packet processor device operating based upon a kernel mode and forintercepting a packet from the untrusted network via the first network interface and intended for delivery to the protected network, the packet comprising original values for source and destination information fields, the original value for the source information field comprising a source address, the original value for the destination information field comprising a destination address,replacing the original values for the source and destination information fields with replacement values, different from the original values, for the source and destination information fields,determining whether the packet is associated with at least one of the plurality of different communication protocols and if so, internally routing the packet to the respective gateway device based upon packet source information and an associated communication protocol of the packet so that the respective gateway device authenticates the routed packet based upon the at least one communication protocol, and otherwise processing the packet for delivery to the protected network,receiving internally from said plurality of gateway devices authenticated packets and processing the authenticated packets for delivery to the protected network via the second network interface, andrestoring processed packets from said plurality of gateway devices to include the original values for the source and destination information fields;
  
  said first and second network interfaces, said plurality of gateway devices, and said packet processor device being integrated on a same device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rambus Inc.
Original Assignee
Inside Secure SA
Inventors
Kivinen, Tero, Levlin, Markus, Ylnen, Tatu
Primary Examiner(s)
Popham, Jeffrey D

Application Number

US12/586,965
Publication Number

US 20100024026A1
Time in Patent Office

1,483 Days
Field of Search

726 11- 14
US Class Current

726/13
CPC Class Codes

H04L 12/4604   LAN interconnection over a ...

H04L 63/0245   Filtering by information in...

H04L 63/0263   Rule management

Application gateway system and method for maintaining security in a packet-switched information network

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Application gateway system and method for maintaining security in a packet-switched information network

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links