Network access control system and method using adaptive proxies

US 8,782,260 B2
Filed: 09/14/2007
Issued: 07/15/2014
Est. Priority Date: 10/09/1998
Status: Expired due to Fees

First Claim

Patent Images

1. A method of providing security to a computer network, comprising:

receiving a connection establishing packet from an outside network through a physical communication connection between the computer network and the outside network, wherein the connection establishing packet is configured to establish a data connection between the computer network and the outside network and wherein packets of the data connection includes header information and content information;

determining whether the port number on which the connection establishing packet was received is a registered port based on ports specified to be registered in a configuration information file;

when the port number is registered;

providing attribute information of the connection establishing packet to a proxy, wherein the attribute information comprises the source address, the destination address, and the port number on which the connection establishing packet was received;

determining, using the proxy, whether to allow the data connection based on the attribute information;

in response to determining the data connection is to be allowed;

determining which one of at least two levels of security to apply based on the attribute information, the two levels of security comprising a first level of security which examines the content information of data packets at an application layer and a second level of security which examines the data packets excluding the content information therein at a network layer based on the attribute information of the connection establishing packet, thereby providing an appropriate level of security to the computer network; and

when the first level of security is determined to be applied, applying a filter of the first level of security at the application layer examining the content information of all additional data packets received from the data connection subsequent to the connection establishing packet;

when the port number is not registered;

determining whether to apply a filter of the first security level or a filter of the second security level to the connection establishing packet based on the attribute information of the connection establishing packet;

when the decision by the determining step is to apply the filter of the second level of security, then applying the filter of the second level of security to the connection establishing packet;

when the decision by the determining step is to apply the first filter of the second level of security, then applying the filter of the first level of security to the connection establishing packet; and

when neither filter is to be applied, then apply a transparency packet filter to the connection establishing packet to provide network security, wherein the transparency packet filter replaces an Internet Protocol (IP) address of a host on an internal protected network with another IP address for the connection establishing packet.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system and computer program for providing multilevel security to a computer network. The method comprises the step of receiving a first communication packet on at least one network interface port from an outside network. The method further includes the steps of filtering the first packet in one of at least two levels of security comprising a first level of security which examines the content information of the packet and a second level of security which examines the first packet excluding the content information of the packet. The system includes a first packet filter configured to filter its input packets by examining content information of its packets and a second packet filter configured to filter its input packets by examining the header information without examining the content information of its packets. The system further includes a third filter which is configured to forward a number of packets to one of the first and second filters, thereby providing security to the computer network. The computer program includes a first module located in an application layer, a second module located in a network layer, and a third module located in a kernel space and configured to examine a number of packets received by the computer network from at least one outside network and to forward the number of packets to one of the first and second modules after examining the number of packets.

Citations

18 Claims

1. A method of providing security to a computer network, comprising:
- receiving a connection establishing packet from an outside network through a physical communication connection between the computer network and the outside network, wherein the connection establishing packet is configured to establish a data connection between the computer network and the outside network and wherein packets of the data connection includes header information and content information;
  
  determining whether the port number on which the connection establishing packet was received is a registered port based on ports specified to be registered in a configuration information file;
  
  when the port number is registered;
  
  providing attribute information of the connection establishing packet to a proxy, wherein the attribute information comprises the source address, the destination address, and the port number on which the connection establishing packet was received;
  
  determining, using the proxy, whether to allow the data connection based on the attribute information;
  
  in response to determining the data connection is to be allowed;
  
  determining which one of at least two levels of security to apply based on the attribute information, the two levels of security comprising a first level of security which examines the content information of data packets at an application layer and a second level of security which examines the data packets excluding the content information therein at a network layer based on the attribute information of the connection establishing packet, thereby providing an appropriate level of security to the computer network; and
  
  when the first level of security is determined to be applied, applying a filter of the first level of security at the application layer examining the content information of all additional data packets received from the data connection subsequent to the connection establishing packet;
  
  when the port number is not registered;
  
  determining whether to apply a filter of the first security level or a filter of the second security level to the connection establishing packet based on the attribute information of the connection establishing packet;
  
  when the decision by the determining step is to apply the filter of the second level of security, then applying the filter of the second level of security to the connection establishing packet;
  
  when the decision by the determining step is to apply the first filter of the second level of security, then applying the filter of the first level of security to the connection establishing packet; and
  
  when neither filter is to be applied, then apply a transparency packet filter to the connection establishing packet to provide network security, wherein the transparency packet filter replaces an Internet Protocol (IP) address of a host on an internal protected network with another IP address for the connection establishing packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 further comprising:
    - determining whether the port number on which the connection establishing packet was received is a registered port based on ports specified to be registered in a configuration information file;
      
      wherein the providing of the attribute information to the proxy is performed when the physical connection through which the connection establishing packet was received is registered.
  - 3. The method of claim 2 further comprising:
    - when the data communication connection is determined to be allowed, thenestablishing a data communication connection between the computer network and the outside network.
  - 4. The method of claim 3 further comprising:
    - when the second level of security is determined to be applied, applying a filter of the second level of security to any additional packet received through the data connection subsequent to the connection establishing packet.
  - 5. The method of claim 3 further comprising:
    - disconnecting the data communication connection when a packet configured to disconnect the connection is received through the physical connection.
  - 6. The method of claim 2 further comprising:
    - discarding the connection establishing packet when the connection is not approved.
  - 7. The method of claim 1 further comprising:
    - receiving a further packet that is not a packet configured to establish a communication connection between the computer network and the outside network,if the physical connection through which the further packet was received has established a data communication therethrough, thendetermining whether to apply a filter of the first level of security or a filter of the second level of security to the further packet based on attribute information of the physical connection, wherein the attribute information of the physical connection includes an interface port on which the further packet was received, a destination address, and a source address of the further packet.
  - 8. The method of claim 7 further comprising:
    - if the decision by the determining step is to apply the filter of the first level of security, then applying the filter of the first level of security to the further packet;
      
      if the decision by the determining step is to apply the filter of the second level of security, then applying the filter of the second level of security to the further packet; and
      
      if the decision by the determining step is not to apply the filter of the first level of security and not to apply the filter of the second level of security, then forwarding the further packet to its destination.
  - 9. The method of claim 1 further comprising:
    - receiving a further packet that is not a packet configured to establish a communication connection between the computer network and the outside network, andif the physical connection through which the further packet was received has not established a data communication therethrough, thendetermining whether to apply a filter of the first level of security or a filter of the second level of security to the further packet based on attribute information of the physical connection, wherein the attribute information of the physical connection includes an interface port on which the further packet was received, a destination address, and a source address of the further packet.
  - 10. The method of claim 9 further comprising:
    - if the decision by the determining step is to apply the filter of the second level of security, then applying the filter of the second level of security to the further packet;
      
      if the decision by the determining step is to apply the filter of the first level of security, then applying the filter of the first level of security to the further packet; and
      
      if neither filter is to be applied, then apply a transparency packet filter to the further packet to provide network security.

11. One or more non-transitory computer-readable media comprising one or more instructions for a computer security program configured to provide security to a computer network, that when the instructions are executed by a processor operable to perform operations comprising:
- receiving a connection establishing packet from an outside network through a physical communication connection between the computer network and the outside network, wherein the connection establishing packet is configured to establish a data connection between the computer network and the outside network and wherein packets of the data connection includes header information and content information;
  
  determining whether the port number on which the connection establishing packet was received is a registered port based on ports specified to be registered in a configuration information file;
  
  when the port number is registered;
  
  providing attribute information of the connection establishing packet to a proxy, wherein the attribute information comprises the source address, the destination address, and the port number on which the connection establishing packet was received;
  
  determining, using the proxy, whether to allow the data connection based on the attribute information;
  
  in response to determining the data connection is to be allowed;
  
  determining which one of at least two levels of security to apply based on the attribution information, the two levels of security comprising a first level of security which examines the content information of data packets at an application layer and a second level of security which examines the data packets excluding the content information therein at a network layer based on the attribute information of the connection establishing packet, thereby providing an appropriate level of security to the computer network; and
  
  when the first level of security is determined to be applied, applying a filter of the first level of security at the application layer examining the content information of all additional data packets received from the data connection subsequent to the connection establishing packet;
  
  when the port number is not registered;
  
  determining whether to apply a filter of the first security level or a filter of the second security level to the connection establishing packet based on the attribute information of the connection establishing packet;
  
  when the decision by the determining step is to apply the filter of the second level of security, then applying the filter of the second level of security to the connection establishing packet;
  
  when the decision by the determining step is to apply the first filter of the second level of security, then applying the filter of the first level of security to the connection establishing packet; and
  
  when neither filter is to be applied, then apply a transparency packet filter to the connection establishing packet to provide network security, wherein the transparency packet filter replaces an Internet Protocol (IP) address of a host on an internal protected network with another IP address for the connection establishing packet.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The one or more non-transitory computer-readable media of claim 11 wherein the operations further comprises communicating between the application layer and the network layer through a socket interface configured to send information therebetween.
  - 13. The one or more non-transitory computer-readable media of claim 12 wherein the operations further include providing a bind function for registering the application layer to a physical connection between the computer network and the at least one outside network.
  - 14. The one or more non-transitory computer-readable media of claim 13 wherein the operations further include providing a listen function for looking, in the kernel space, for the connection establishing packet configured to establish the data communication through the registered physical connection.
  - 15. The one or more non-transitory computer-readable media of claim 14 wherein the operations further include providing an accept function for forwarding, in the kernel space, the attribute information of the connection establishing packet configured to establish the data communication through the registered physical connection.
  - 16. The one or more non-transitory computer-readable media of claim 15 wherein the operations further include providing a connect function for establishing a data communication connection between the computer network and at least one of outside networks based on the attribute information compared with a configuration information file.
  - 17. The one or more non-transitory computer-readable media of claim 16 wherein the operations further include providing a close socket function for disconnecting the data communication connection when a packet configured to disconnect the data connection is received therethrough.

18. A firewall for providing security to a computer network by filtering packets including header information and content information, comprising:
- a processor;
  
  a first filter in an application layer configured to filter its input packets by examining content information therein;
  
  a second filter in a network layer configured to filter its input packets by examining the header information without examining the content information therein; and
  
  a third filter coupled to the first and second filters and configured to receive a plurality of packets arriving at the firewall, wherein the third filter is further configured to;
  
  forward the plurality of packets to one of the first and second filters, thereby providing security to the computer network;
  
  receive a connection establishing packet from an outside network through a physical communication connection between the computer network and the outside network, wherein the connection establishing packet is configured to establish a data connection between the computer network and the outside network;
  
  determine whether the port number on which the connection establishing packet was received is a registered port based on ports specified to be registered in a configuration information file;
  
  when the port number is registered;
  
  forward attribute information of the connection establishing packet, wherein the attribute information comprises the source address, the destination address, and the port number on which the connection establishing packet was received;
  
  determine whether to allow the data connection based on the attribute information;
  
  in response to determining the data connection is to be allowed;
  
  determine which one of at least two levels of security to apply based on the attribution information, the two levels of security comprising a first level of security which examines the content information of data packets at the application layer and a second level of security which examines the data packets excluding the content information therein, the network layer based on the attribute information of the connection establishing packet, thereby providing an appropriate level of security to the computer network; and
  
  when the first level of security is determined to be applied, apply a filter at the application layer examining the content information of all additional data packets received from the data connection subsequent to the connection establishing packet;
  
  when the port number is not registered;
  
  determining whether to apply a filter of the first security level or a filter of the second security level to the connection establishing packet based on the attribute information of the connection establishing packet;
  
  when the decision by the determining step is to apply the filter of the second level of security, then applying the filter of the second level of security to the connection establishing packet;
  
  when the decision by the determining step is to apply the first filter of the second level of security, then applying the filter of the first level of security to the connection establishing packet; and
  
  when neither filter is to be applied, then apply a transparency packet filter to the connection establishing packet to provide network security, wherein the transparency packet filter replaces an Internet Protocol (IP) address of a host on an internal protected network with another IP address for the connection establishing packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Taylor, Kevin R., Murugesan, Ganesh, Tajalli, Homayoon
Primary Examiner(s)
Dharia, Rupal
Assistant Examiner(s)
Ma, Wing

Application Number

US11/855,954
Publication Number

US 20130246627A1
Time in Patent Office

2,496 Days
Field of Search

709/203, 709/227, 709/229, 370/389, 370/401, 370/400, 370/428, 370/392, 370/390, 370/351, 370/356, 370/352, 726/1, 726/11, 726/13
US Class Current

709/229
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/0281   Proxies

H04L 63/104   Grouping of entities

Network access control system and method using adaptive proxies

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Network access control system and method using adaptive proxies

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links