Method to apply network encryption to firewall decisions
First Claim
1. A computer system for preventing backdoor vulnerability while handling network access requests, the computer system comprising:
one or more processors, one or more computer-readable memories, one or more computer-readable storage devices, and program instructions, stored on the one or more storage devices and when executed by the one or more processors, responsive to detecting an incoming firewall trusted request from a first client device at a specified communications port, establishing a trusted network communication through a local firewall and a remote firewall by:
transmitting a firewall identification handshake response to the remote firewall upon receipt of a handshake identification request from the remote firewall;
transmitting a local firewall public encryption key to the remote firewall responsive to receipt of a remote firewall public encryption key;
responsive to receiving a signed trusted computer request from the remote firewall and responsive to checking a local public key store to determine that the remote firewall has not previously requested a trusted access, verifying that the trusted computer request is signed using the received remote firewall public encryption key; and
modifying local firewall rules to allow data communications to and from one or more addresses associated with the remote firewall to be transmitted and received, respectively, with the first client device through the local firewall responsive to determining that the first client device has been previously authorized to establish trusted access with the remote firewall;
wherein the handshake identification request and the firewall identification handshake response indicate a supported protocol version and an acceptable key algorithm, and wherein the trusted computer request comprises one or more identifiers selected from the group consisting of a name of a computer protected by the local firewall, a username of a user associated with a computer protected by the local firewall, and an electronic mail address of a user associated with a computer protected by the local firewall;
determining that network communications on the specified communications port comprise a wireless communication; and
applying a first security policy to establish the trusted network communication responsive to determining the network communications on the specified port comprises a wireless communication, and applying a second, different security policy to establish the trusted network communication responsive to determining the network communication on the specified port comprises a wired communication;
thereby allowing the first client device to use the local firewall as a wireless bridge according to the first security policy, and as a wired bridge according to the second security policy, wherein the first security policy and the second security policy include encryption.
Abstract
A system and related methods for providing a handler for requests to access a wireless network, operable by or separate from an enhanced personal firewall system, which obtains connection-related information from the operating system, network interface drivers, or both, and then provides that information to a controller which determines to allow or deny access. By collecting certain connection-related information, new levels and granularities of control are allowed and enabled. The process is equally well suited for implementation by a wireless device which may be in range of multiple servers or networks, such that the device may allow different levels of access to the device by the different servers or networks according to the collected connection-related information.
67 Citations
7 Claims
1. Claim 1 is set out in full above under First Claim; claims 2 and 3 depend on it.
4. A method for handling network access requests comprising:
responsive to detecting an incoming firewall trusted request from a first client device at a specified communications port, establishing by a processor a trusted network connection through a local firewall and a remote firewall by:
transmitting a firewall identification handshake response to the remote firewall upon receipt of a handshake identification request from the remote firewall;
transmitting a local firewall public encryption key to the remote firewall responsive to receipt of a remote firewall public encryption key;
verifying that the trusted computer request is signed using the received remote firewall public encryption key responsive to receiving a signed trusted computer request from the remote firewall and responsive to checking a local public key store to determine that the remote firewall has not previously requested a trusted access; and
modifying local firewall rules to allow data communications to and from one or more addresses associated with the remote firewall to be transmitted and received, respectively, with the first client device through the local firewall responsive to determining that the first client device has been previously authorized to establish trusted access with the remote firewall;
wherein the handshake identification request and the firewall identification handshake response indicate a supported protocol version and an acceptable key algorithm, and wherein identification information in the generation of a trusted computer request comprises one or more identifiers selected from the group consisting of a name of a computer protected by the local firewall, a username of a user associated with a computer protected by the local firewall, and an electronic mail address of a user associated with a computer protected by the local firewall;
determining by a processor that the network communication on the specified communications port comprises a wireless communication; and
applying by a processor a first security policy to the trusted network communication responsive to determining the network communication on the specified port comprises a wireless communication, and applying a second, different security policy to the established trusted network communication responsive to determining the network communication on the specified port comprises a wired communication;
thereby allowing the first client device to use the local firewall as a wireless bridge according to the first security policy, and as a wired bridge according to the second security policy, wherein the first security policy and the second security policy include encryption.
Claims 5 and 6 depend on claim 4.
7. A computer program product for handling network access requests comprising:
one or more computer-readable storage devices;
program instructions stored by the computer-readable storage device to establish a trusted network connection through a local firewall and a remote firewall in response to a trusted computer request from a first client device at a specified communication port by:
transmitting a firewall identification handshake response to the remote firewall upon receipt of a handshake identification request from the remote firewall;
transmitting a local firewall public encryption key to the remote firewall responsive to receipt of a remote firewall public encryption key;
verifying that the trusted computer request is signed using the received remote firewall public encryption key responsive to receiving a signed trusted computer request from the remote firewall and responsive to checking a local public key store to determine that the remote firewall has not previously requested a trusted access; and
modifying local firewall rules to allow data communications to and from one or more addresses associated with the remote firewall to be transmitted and received, respectively, with the first client device through the local firewall responsive to determining that the first client device has been previously authorized to establish trusted access with the remote firewall;
wherein the handshake identification request and the firewall handshake identification response indicate a supported protocol version and an acceptable key algorithm, and wherein identification information in the generation of a trusted computer request comprises one or more identifiers selected from the group consisting of a name of a computer protected by the local firewall, a username of a user associated with a computer protected by the local firewall, and an electronic mail address of a user associated with a computer protected by the local firewall;
determining that the network communication on the specified communication port comprises a wireless network; and
applying a first security policy to the established trusted network communication responsive to determining the network communication on the specified port comprises a wireless communication, and applying a second, different security policy to the established trusted network communication responsive to determining the network communication on the specified port comprises a wired communication;
thereby allowing the first client device to use the local firewall as a wireless bridge according to the first security policy, and as a wired bridge according to the second security policy, wherein the first security policy and the second security policy include encryption.
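The trust-establishment steps shared by claims 1, 4 and 7, as an added example in Go that is not part of the patent: the remote firewall signs the three identifiers the claims list, and the local firewall refuses a repeat request found in its key store, verifies the signature with the public key received in the exchange, requires that the client was previously authorized for that remote firewall, and only then adds an allow rule under the wireless or wired policy. Ed25519, the identifier field names, the policy labels and the rule format are assumptions, and the version/algorithm handshake and key exchange are assumed to have already completed.

```go
package main
import (
	"crypto/ed25519"
	"errors"
)
// TrustedRequest is the remote firewall's signed request: the three identifiers the claims
// list, plus an Ed25519 signature over them (the field names and encoding are assumptions).
type TrustedRequest struct {
	ComputerName, Username, Email string
	Sig                           []byte
}
func (r TrustedRequest) payload() []byte {
	return []byte(r.ComputerName + "\x00" + r.Username + "\x00" + r.Email)
}
// SignTrustedRequest is the remote firewall's side: it signs the identifiers it sends.
func SignTrustedRequest(priv ed25519.PrivateKey, name, user, email string) TrustedRequest {
	r := TrustedRequest{ComputerName: name, Username: user, Email: email}
	r.Sig = ed25519.Sign(priv, r.payload())
	return r
}
// LocalFirewall holds the local public key store, per-client authorizations and the rule set.
type LocalFirewall struct {
	KeyStore   map[string]ed25519.PublicKey // remote firewall id -> key kept from its first trust request
	Authorized map[string]map[string]bool   // client id -> remote firewalls it was pre-authorized for
	Rules      []string
}
var ErrRepeat = errors.New("remote firewall has already requested trusted access")
var ErrBadSig = errors.New("request not signed with the public key received in the exchange")
var ErrNotAuthorized = errors.New("client not pre-authorized to trust this remote firewall")
// Establish is the local decision after the key exchange: refuse a repeat request, verify the
// signature with the exchanged key, require a pre-authorized client, then add an allow rule.
func (fw *LocalFirewall) Establish(remoteID string, remoteKey ed25519.PublicKey, req TrustedRequest,
	clientID, clientAddr, remoteAddr string, wireless bool) (string, error) {
	if _, seen := fw.KeyStore[remoteID]; seen {
		return "", ErrRepeat
	}
	if !ed25519.Verify(remoteKey, req.payload(), req.Sig) {
		return "", ErrBadSig
	}
	if !fw.Authorized[clientID][remoteID] {
		return "", ErrNotAuthorized
	}
	fw.KeyStore[remoteID] = remoteKey // record the first contact only once the request verifies
	// First policy for a wireless bridge, second for a wired one; both are encrypted per the claims.
	policy := map[bool]string{true: "wireless-encrypted", false: "wired-encrypted"}[wireless]
	rule := "ALLOW " + remoteAddr + " <-> " + clientAddr + " policy=" + policy
	fw.Rules = append(fw.Rules, rule)
	return rule, nil
}
```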
Specification