Application gateway system and method for maintaining security in a packet-switched information network
First Claim
1. An electronic device for handling packets being exchanged between an untrusted network and a protected network, the electronic device comprising:
- a plurality of gateway devices for processing packets associated with respective ones of a plurality of different communication protocols, each gateway device operating based upon a user mode; and
- a packet processor device operating based upon a kernel mode and for intercepting a packet from the untrusted network and intended for delivery to the protected network, the packet comprising original values for source and destination information fields, the original value for the source information field comprising a source address, the original value for the destination information field comprising a destination address, replacing the original values for the source and destination information fields with replacement values, different from the original values, for the source and destination information fields, determining whether the packet is associated with at least one of the plurality of different communication protocols and if so, routing the packet to the respective gateway device based upon packet source information and an associated communication protocol of the packet so that the respective gateway device authenticates the routed packet based upon the at least one communication protocol, and otherwise processing the packet for delivery to the protected network, receiving from said plurality of gateway devices authenticated packets and processing the authenticated packets for delivery to the protected network, and restoring processed packets from said plurality of gateway devices to include the original values for the source and destination information fields.
Abstract
A method and apparatuses are disclosed for handling digital data packets at a logical borderline that separates an untrusted packet-switched information network from a protected domain. A packet processor part intercepts a packet that is in transit between the untrusted packet-switched information network and the protected domain. The packet is examined at the packet processor part in order to determine, whether the packet contains digital data that pertains to a certain protocol. If the packet is not found to contain such digital data, it is processed at the packet processor part. If the packet is found to contain digital data that pertains to said certain protocol, it gets redirected to an application gateway part that processes the packet according to a set of processing rules based on obedience to said certain protocol. The packet processor part is a kernel mode process running in a computer device and the application gateway part is a user mode process running in a computer device.
22 Claims
1. An electronic device for handling packets being exchanged between an untrusted network and a protected network, the electronic device comprising:
- a plurality of gateway devices for processing packets associated with respective ones of a plurality of different communication protocols, each gateway device operating based upon a user mode; and
- a packet processor device operating based upon a kernel mode and for intercepting a packet from the untrusted network and intended for delivery to the protected network, the packet comprising original values for source and destination information fields, the original value for the source information field comprising a source address, the original value for the destination information field comprising a destination address, replacing the original values for the source and destination information fields with replacement values, different from the original values, for the source and destination information fields, determining whether the packet is associated with at least one of the plurality of different communication protocols and if so, routing the packet to the respective gateway device based upon packet source information and an associated communication protocol of the packet so that the respective gateway device authenticates the routed packet based upon the at least one communication protocol, and otherwise processing the packet for delivery to the protected network, receiving from said plurality of gateway devices authenticated packets and processing the authenticated packets for delivery to the protected network, and restoring processed packets from said plurality of gateway devices to include the original values for the source and destination information fields.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16.
17. A method for handling packets exchanged between an untrusted network and a protected network in a device comprising a plurality of gateways and a packet processor communicating therewith, the method comprising:
- using the plurality of gateway devices for processing packets associated with respective ones of a plurality of different communication protocols, each gateway device operating based upon a user mode; and
- operating the packet processor device based upon a kernel mode and for intercepting a packet from the untrusted network and intended for delivery to the protected network, the packet comprising original values for source and destination information fields, the original value for the source information field comprising a source address, the original value for the destination information field comprising a destination address, replacing the original values for the source and destination information fields with replacement values, different from the original values, for the source and destination information fields, determining whether the packet is associated with at least one of the plurality of different communication protocols and if so, routing the packet to the respective gateway device based upon packet source information and an associated communication protocol of the packet so that the respective gateway device authenticates the routed packet based upon the at least one communication protocol, and otherwise processing the packet for delivery to the protected network, receiving from the plurality of gateway devices authenticated packets and processing the authenticated packets for delivery to the protected network, and restoring processed packets from the plurality of gateway devices to include the original values of the source and destination information fields.

Dependent claims: 18, 19, 20, 21.
22. An electronic device for handling packets being exchanged between an untrusted network and a protected network, the electronic device comprising:
- first and second network interfaces respectively communicating with the untrusted and protected networks;
- a plurality of gateway devices for processing packets associated with respective ones of a plurality of different communication protocols and received via the first network interface, each gateway device operating based upon a user mode; and
- a packet processor device operating based upon a kernel mode and for intercepting a packet from the untrusted network via the first network interface and intended for delivery to the protected network, the packet comprising original values for source and destination information fields, the original value for the source information field comprising a source address, the original value for the destination information field comprising a destination address, replacing the original values for the source and destination information fields with replacement values, different from the original values, for the source and destination information fields, determining whether the packet is associated with at least one of the plurality of different communication protocols and if so, internally routing the packet to the respective gateway device based upon packet source information and an associated communication protocol of the packet so that the respective gateway device authenticates the routed packet based upon the at least one communication protocol, and otherwise processing the packet for delivery to the protected network, receiving internally from said plurality of gateway devices authenticated packets and processing the authenticated packets for delivery to the protected network via the second network interface, and restoring processed packets from said plurality of gateway devices to include the original values for the source and destination information fields;
- said first and second network interfaces, said plurality of gateway devices, and said packet processor device being integrated on a same device.
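The packet flow that the abstract and claims 1, 17 and 22 describe, modelled as an added example (this is not code from the patent or any product): the kernel-mode packet processor is a Python class, the user-mode application gateways are functions keyed by protocol, and every address, protocol label and payload is constructed for the model.

```python
from dataclasses import dataclass, replace as dc_replace

@dataclass(frozen=True)
class Packet:
    src: str            # original value of the source information field
    dst: str            # original value of the destination information field
    protocol: str       # protocol the packet is associated with (constructed label)
    payload: str
    authenticated: bool = False

# User-mode application gateways (modelled as functions): each returns the packet
# marked authenticated if it obeys its protocol, or None so the processor drops it.
def http_gateway(pkt):
    req = pkt.payload.split("\r\n", 1)[0].split(" ")
    if len(req) == 3 and req[0] in ("GET", "HEAD", "POST") and req[2] == "HTTP/1.1" \
            and "\r\nHost: " in pkt.payload:
        return dc_replace(pkt, authenticated=True)
    return None

def smtp_gateway(pkt):
    if pkt.payload.upper().startswith(("HELO ", "EHLO ")):
        return dc_replace(pkt, authenticated=True)
    return None

class PacketProcessor:
    """Models the kernel-mode part: intercept, rewrite addresses, dispatch, restore."""
    def __init__(self, gateways):
        self.gateways = gateways   # protocol -> gateway function
        self.flows = {}            # replacement (src, dst) -> original (src, dst)
        self.next_flow = 1         # model only: no wraparound handling past 253

    def intercept(self, pkt):
        # Replace src/dst with device-internal values (constructed) and remember the originals.
        repl = (f"127.0.0.{self.next_flow}", "127.0.0.254")
        self.next_flow += 1
        self.flows[repl] = (pkt.src, pkt.dst)
        rewritten = dc_replace(pkt, src=repl[0], dst=repl[1])
        gateway = self.gateways.get(pkt.protocol)
        if gateway is None:        # no gateway for this protocol: processed here
            return self._restore_and_deliver(rewritten)
        result = gateway(rewritten)   # user-mode gateway authenticates the packet
        if result is None:         # gateway refused it: drop and forget the flow
            self.flows.pop(repl)
            return None
        return self._restore_and_deliver(result)

    def _restore_and_deliver(self, pkt):
        src, dst = self.flows.pop((pkt.src, pkt.dst))   # restore original src/dst
        out = dc_replace(pkt, src=src, dst=dst)
        return out
```

A packet that the gateway rejects never reaches the protected network and leaves no entry in the flow table, while a packet of a protocol with no gateway is handled by the processor alone and is delivered unauthenticated.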
Specification