Network access control system and method using adaptive proxies
First Claim
1. A method of providing security to a computer network, comprising:
receiving a connection establishing packet from an outside network through a physical communication connection between the computer network and the outside network, wherein the connection establishing packet is configured to establish a data connection between the computer network and the outside network and wherein packets of the data connection include header information and content information;
determining whether the port number on which the connection establishing packet was received is a registered port, based on ports specified to be registered in a configuration information file;
when the port number is registered:
providing attribute information of the connection establishing packet to a proxy, wherein the attribute information comprises the source address, the destination address, and the port number on which the connection establishing packet was received;
determining, using the proxy, whether to allow the data connection based on the attribute information;
in response to determining that the data connection is to be allowed:
determining which one of at least two levels of security to apply based on the attribute information, the two levels of security comprising a first level of security which examines the content information of data packets at an application layer and a second level of security which examines the data packets, excluding the content information therein, at a network layer based on the attribute information of the connection establishing packet, thereby providing an appropriate level of security to the computer network; and
when the first level of security is determined to be applied, applying a filter of the first level of security at the application layer, examining the content information of all additional data packets received from the data connection subsequent to the connection establishing packet;
when the port number is not registered:
determining whether to apply a filter of the first security level or a filter of the second security level to the connection establishing packet based on the attribute information of the connection establishing packet;
when the decision by the determining step is to apply the filter of the second level of security, then applying the filter of the second level of security to the connection establishing packet;
when the decision by the determining step is to apply the filter of the first level of security, then applying the filter of the first level of security to the connection establishing packet; and
when neither filter is to be applied, then applying a transparency packet filter to the connection establishing packet to provide network security, wherein the transparency packet filter replaces an Internet Protocol (IP) address of a host on an internal protected network with another IP address for the connection establishing packet.
10 Assignments
0 Petitions
Abstract
A method, system and computer program for providing multilevel security to a computer network. The method comprises the step of receiving a first communication packet on at least one network interface port from an outside network. The method further includes the steps of filtering the first packet in one of at least two levels of security comprising a first level of security which examines the content information of the packet and a second level of security which examines the first packet excluding the content information of the packet. The system includes a first packet filter configured to filter its input packets by examining content information of its packets and a second packet filter configured to filter its input packets by examining the header information without examining the content information of its packets. The system further includes a third filter which is configured to forward a number of packets to one of the first and second filters, thereby providing security to the computer network. The computer program includes a first module located in an application layer, a second module located in a network layer, and a third module located in a kernel space and configured to examine a number of packets received by the computer network from at least one outside network and to forward the number of packets to one of the first and second modules after examining the number of packets.
18 Claims
11. One or more non-transitory computer-readable media comprising instructions for a computer security program configured to provide security to a computer network, the instructions, when executed by a processor, causing the processor to perform operations comprising:
receiving a connection establishing packet from an outside network through a physical communication connection between the computer network and the outside network, wherein the connection establishing packet is configured to establish a data connection between the computer network and the outside network and wherein packets of the data connection include header information and content information;
determining whether the port number on which the connection establishing packet was received is a registered port, based on ports specified to be registered in a configuration information file;
when the port number is registered:
providing attribute information of the connection establishing packet to a proxy, wherein the attribute information comprises the source address, the destination address, and the port number on which the connection establishing packet was received;
determining, using the proxy, whether to allow the data connection based on the attribute information;
in response to determining that the data connection is to be allowed:
determining which one of at least two levels of security to apply based on the attribute information, the two levels of security comprising a first level of security which examines the content information of data packets at an application layer and a second level of security which examines the data packets, excluding the content information therein, at a network layer based on the attribute information of the connection establishing packet, thereby providing an appropriate level of security to the computer network; and
when the first level of security is determined to be applied, applying a filter of the first level of security at the application layer, examining the content information of all additional data packets received from the data connection subsequent to the connection establishing packet;
when the port number is not registered:
determining whether to apply a filter of the first security level or a filter of the second security level to the connection establishing packet based on the attribute information of the connection establishing packet;
when the decision by the determining step is to apply the filter of the second level of security, then applying the filter of the second level of security to the connection establishing packet;
when the decision by the determining step is to apply the filter of the first level of security, then applying the filter of the first level of security to the connection establishing packet; and
when neither filter is to be applied, then applying a transparency packet filter to the connection establishing packet to provide network security, wherein the transparency packet filter replaces an Internet Protocol (IP) address of a host on an internal protected network with another IP address for the connection establishing packet.
Claims 12 to 17 depend from claim 11.

18. A firewall for providing security to a computer network by filtering packets including header information and content information, comprising:
a processor;
a first filter in an application layer configured to filter its input packets by examining the content information therein;
a second filter in a network layer configured to filter its input packets by examining the header information without examining the content information therein; and
a third filter coupled to the first and second filters and configured to receive a plurality of packets arriving at the firewall, wherein the third filter is further configured to:
forward the plurality of packets to one of the first and second filters, thereby providing security to the computer network;
receive a connection establishing packet from an outside network through a physical communication connection between the computer network and the outside network, wherein the connection establishing packet is configured to establish a data connection between the computer network and the outside network;
determine whether the port number on which the connection establishing packet was received is a registered port, based on ports specified to be registered in a configuration information file;
when the port number is registered:
forward attribute information of the connection establishing packet, wherein the attribute information comprises the source address, the destination address, and the port number on which the connection establishing packet was received;
determine whether to allow the data connection based on the attribute information;
in response to determining that the data connection is to be allowed:
determine which one of at least two levels of security to apply based on the attribute information, the two levels of security comprising a first level of security which examines the content information of data packets at the application layer and a second level of security which examines the data packets, excluding the content information therein, at the network layer based on the attribute information of the connection establishing packet, thereby providing an appropriate level of security to the computer network; and
when the first level of security is determined to be applied, apply a filter at the application layer examining the content information of all additional data packets received from the data connection subsequent to the connection establishing packet;
when the port number is not registered:
determine whether to apply a filter of the first security level or a filter of the second security level to the connection establishing packet based on the attribute information of the connection establishing packet;
when the decision by the determining step is to apply the filter of the second level of security, then apply the filter of the second level of security to the connection establishing packet;
when the decision by the determining step is to apply the filter of the first level of security, then apply the filter of the first level of security to the connection establishing packet; and
when neither filter is to be applied, then apply a transparency packet filter to the connection establishing packet to provide network security, wherein the transparency packet filter replaces an Internet Protocol (IP) address of a host on an internal protected network with another IP address for the connection establishing packet.
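The dispatch that claims 1, 11 and 18 describe (a kernel-side third filter that routes each connection-establishing packet to the proxy, to an application-layer content filter, to a header-only network-layer filter, or to the transparency address-rewriting filter) as a runnable simulation. This is an added example written for this page, not the patent's implementation: the rule table, the address ranges, the content signatures, the choice of the header-only filter as the default for an allowed registered port, and the decision to rewrite whichever header field holds the internal host's address are all assumptions.

```python
"""Adaptive-proxy dispatch, modelled on the claim steps.  Added illustration;
every policy value below is an assumption made for the demo."""
from dataclasses import dataclass, replace
from enum import Enum
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


class Level(Enum):
    APPLICATION = "first level: application-layer filter, content inspected"
    NETWORK = "second level: network-layer filter, headers only"
    TRANSPARENT = "transparency packet filter: address rewrite, no inspection"
    DROP = "proxy refused the data connection"


@dataclass(frozen=True)
class Packet:
    """Header information (src, dst, dport) plus content; empty payload on a SYN."""
    src: str
    dst: str
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    """Attribute-based rule: source network and optional port pick a level."""
    src_net: IPv4Network
    dport: Optional[int]          # None matches any port
    level: Level

    def matches(self, pkt: Packet) -> bool:
        return ip_address(pkt.src) in self.src_net and self.dport in (None, pkt.dport)


@dataclass(frozen=True)
class Config:
    """Stand-in for the claims' 'configuration information file' (assumed layout)."""
    registered_ports: frozenset   # ports whose connections are handed to the proxy
    internal_net: IPv4Network     # the internal protected network
    external_addr: IPv4Address    # substitute address used by the transparency filter
    denied_sources: tuple         # proxy refuses connections from these networks
    rules: tuple                  # first matching Rule decides first vs second level
    forbidden_content: tuple = (b"/etc/passwd", b"<script")   # assumed content signatures


def proxy_allows(syn: Packet, cfg: Config) -> bool:
    """Proxy decision on the attribute information (src, dst, port) only."""
    if any(ip_address(syn.src) in net for net in cfg.denied_sources):
        return False
    return ip_address(syn.dst) in cfg.internal_net   # must target a protected host


def level_from_attributes(syn: Packet, cfg: Config) -> Optional[Level]:
    """First or second level chosen by attributes; None when neither rule applies."""
    for rule in cfg.rules:
        if rule.matches(syn):
            return rule.level
    return None


def transparency_filter(pkt: Packet, cfg: Config) -> Packet:
    """Replace the internal host's IP with another address.  Assumption: the claim
    names no header field, so whichever of src/dst lies in internal_net is rewritten."""
    ext = str(cfg.external_addr)
    src = ext if ip_address(pkt.src) in cfg.internal_net else pkt.src
    dst = ext if ip_address(pkt.dst) in cfg.internal_net else pkt.dst
    return replace(pkt, src=src, dst=dst)


def dispatch(syn: Packet, cfg: Config) -> Level:
    """The third filter: classify a connection-establishing packet in claim order."""
    if syn.dport in cfg.registered_ports:
        if not proxy_allows(syn, cfg):
            return Level.DROP
        level = level_from_attributes(syn, cfg)
        return Level.NETWORK if level is None else level   # assumed default: headers only
    level = level_from_attributes(syn, cfg)
    return Level.TRANSPARENT if level is None else level   # neither filter: transparency


def accept_data_packet(level: Level, pkt: Packet, cfg: Config) -> bool:
    """Later packets of the connection: only the first level reads the content."""
    if level is Level.DROP:
        return False
    if level is Level.APPLICATION:
        return not any(sig in pkt.payload for sig in cfg.forbidden_content)
    return ip_address(pkt.dst) in cfg.internal_net     # header-only check, payload ignored


DEMO_CONFIG = Config(   # constructed sample policy
    registered_ports=frozenset({25, 80, 443}),
    internal_net=ip_network("10.0.0.0/8"),
    external_addr=ip_address("203.0.113.1"),
    denied_sources=(ip_network("198.51.100.0/24"),),
    rules=(Rule(ip_network("0.0.0.0/0"), 80, Level.APPLICATION),   # inspect all HTTP content
           Rule(ip_network("192.0.2.0/24"), None, Level.NETWORK)),  # partner net: headers only
)

if __name__ == "__main__":
    for syn in (Packet("192.0.2.7", "10.1.1.5", 80), Packet("198.51.100.9", "10.1.1.5", 443),
                Packet("192.0.2.7", "10.1.1.5", 8080), Packet("203.0.113.77", "10.1.1.5", 5555)):
        print(f"{syn.src} -> {syn.dst}:{syn.dport}  {dispatch(syn, DEMO_CONFIG).name}")
```

The point the claims make, and the simulation preserves, is that the expensive content inspection is committed to once per connection from the SYN's attributes alone, and the network-layer and transparency paths never look at the payload, so a forbidden string on a header-only connection passes while the same bytes on an application-layer connection are rejected.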