Internet privacy protection device

US 20040162992A1
Filed: 02/19/2003
Published: 08/19/2004
Est. Priority Date: 02/19/2003
Status: Abandoned Application

First Claim

Patent Images

1. A privacy protection device to provide secure access to a computer network, comprising:

a) a host port connected to one of;

a computer, and a network of computers;

b) a network port connected to said computer network;

c) a communications controller connecting said host port to said network port, said communications controller generating a single IP access list for monitoring and controlling communication between said host port and said network port;

d) active memory coupled to said communications controller, said active memory storing said IP access list; and

e) program memory coupled to said communications controller, said program memory storing an operating system (OS) and a TCP/IP stack with a rules set for said communications controller to monitor and control communications, wherein said privacy protection device has a logical disconnection mode which allows said computer to maintain its IP address while being otherwise disconnected from said computer network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention consists of a standalone broadband plug and play Internet privacy protection device that provides complete computer or network security for always-on high speed connections by means of combining a real-time packet inspection process in conjunction with computer or network IP address concealment and implementing a seamless network disconnection upon detection of Internet inactivity by the client.

182 Citations

54 Claims

1. A privacy protection device to provide secure access to a computer network, comprising:
- a) a host port connected to one of;
  
  a computer, and a network of computers;
  
  b) a network port connected to said computer network;
  
  c) a communications controller connecting said host port to said network port, said communications controller generating a single IP access list for monitoring and controlling communication between said host port and said network port;
  
  d) active memory coupled to said communications controller, said active memory storing said IP access list; and
  
  e) program memory coupled to said communications controller, said program memory storing an operating system (OS) and a TCP/IP stack with a rules set for said communications controller to monitor and control communications, wherein said privacy protection device has a logical disconnection mode which allows said computer to maintain its IP address while being otherwise disconnected from said computer network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44)
- - 2. The privacy protection device according to claim 1, wherein said computer network is the Internet.
  - 3. The privacy protection device according to claim 1, wherein said privacy protection device also has a physical disconnection mode which provides for a complete disconnection from said computer network which does not preserve said IP address of said computer and prohibits all communication between said host port and said network port.
  - 4. The privacy protection device according to claim 3, wherein said physical disconnection mode is selected by a user-controlled switch on said privacy protection device.
  - 5. The privacy protection device according to claim 3, wherein said privacy protection device can be switched between said logical disconnection mode and said physical disconnection mode by a user-controlled mode switch on said privacy protection device.
  - 6. The privacy protection device according to claim 5, wherein said privacy protection device can be switched to a non-disconnection mode via said user-controlled mode switch.
  - 7. The privacy protection device according to claim 1, further comprising an auxiliary port coupled to said network port, said auxiliary port providing for unmonitored communication between a device coupled to said auxiliary port and said computer network.
  - 8. The privacy protection device according to claim 1, wherein said privacy protection device automatically enters said logical disconnection mode if there is no communication received from said host port after a preset time period.
  - 9. The privacy protection device according to claim 8, wherein said logical disconnection mode only allows TCP UDP ports 67 and 68 to be active on said TCP/IP stack to pass DHCP communication messages between said host port and said network port.
  - 10. The privacy protection device according to claim 1, further including a status display that displays link status, connection/disconnection status and intrusion status.
  - 11. The privacy protection device according to claim 3, wherein said privacy protection device automatically enters one of said logical disconnection mode and said physical disconnection mode if there is no communication received from said host port after a preset time period.
  - 12. The privacy protection device according to claim 11, wherein said device provides a warning indication on said device when said preset time period is about to expire.
  - 13. The privacy protection device according to claim 12, wherein said preset time period can be reset and restarted by a user-controlled button on said device.
  - 14. The privacy protection device according to claim 1, wherein said logical disconnection mode can be activated immediately by a user-controlled button.
  - 15. The privacy protection device according to claim 3, wherein one of said logical disconnection mode and said physical disconnection mode can be activated immediately by a user-controlled button.
  - 16. The privacy protection device according to claim 11, wherein said preset time period can be reset and restarted by the extraction, filtration and detection of communication intended for said computer network entering said host port.
  - 17. The privacy protection device according to claim 1, wherein said logical disconnection is seamless, such that no Physical Layer 1 media alarms indications are triggered on said computer and on said computer network.
  - 18. The privacy protection device according to claim 1, wherein said privacy protection device includes one or more of the following security features:
    - (a) no local console interface port;
      
      (b) no web browser access for configuration, administration and maintenance;
      
      (c) no Telnet access to said host port;
      
      (d) no Telnet access to said network port;
      
      (e) no logical IP address associated with said host port;
      
      (f) no logical IP address associated with said network port;
      
      (g) no physical MAC address associated with said host port;
      
      (h) no physical MAC address associated with said network port; and
      
      (i) said privacy protection device is a plug-and-play device requiring no configuration, programming, and administration.
  - 19. The privacy protection device according to claim 3, wherein said physical disconnection is seamless, such that no Physical Layer 1 media alarms indications are triggered on said computer and on said computer network.
  - 20. The privacy protection device according to claim 3, further including a user-controlled connection button that must be activated to re-establish communication between said host port and said network port after one of said logical disconnection mode and said physical disconnection mode is activated.
  - 21. The privacy protection device according to claim 20, wherein said user-controlled connection button is the sole means of re-establishing communication between said host port and said network port.
  - 22. The privacy protection device according to claim 1, wherein said TCP/IP stack is prohibited from acknowledging and responding to any ICMP requests from said computer network.
  - 23. The privacy protection device according to claim 1, wherein said privacy protection device detects continuous and repetitive messages and automatically applies rate control in order to mitigate port flooding and denial of service attacks.
  - 24. The privacy protection device according to claim 1, wherein said communications controller extracts header information from an IP session to generate said IP access list, said header information including one or more of the following:
    - (a) layer 3 header information, 16-bit source and 16-bit destination IP addresses;
      
      (b) layer 2 header information, 16-bit source and 16-bit destination port addresses;
      
      (c) a 32-bit layer 2 sequence number;
      
      (d) protocol type; and
      
      (e) other protocol-dependent fields found within said header information.
  - 25. The privacy protection device according to claim 24, wherein said IP access list can support a plurality of public IP addresses from a plurality of computers without using Network Address Translation.
  - 26. The privacy protection device according to claim 24, wherein said IP session is encrypted using IPsec.
  - 27. The privacy protection device according to claim 3, wherein said IP access list no longer receives new entries during a logical disconnection and during a physical disconnection.
  - 28. The privacy protection device according to claim 10, wherein said status display uses dual color indicators to show current connection status between said host port and said network port.
  - 29. The privacy protection device according to claim 28, wherein said status display further includes a warning indicator to show an ongoing intrusion attempt.
  - 30. The privacy protection device according to claim 1, further including an access timer to monitor individual entries on said IP access list.
  - 31. The privacy protection device according to claim 30, wherein the value of said access timer is dynamically controlled according to the number of entries on said IP access list.
  - 32. The privacy protection device according to claim 30, wherein one of said individual entries on said IP access list is deleted when said access timer reaches a pre-determined value with respect to said one individual entry and a response corresponding to said one individual entry has not been received.
  - 33. The privacy protection device according to claim 31, wherein said access timer can be reset by a request from said computer associated with an IP session on said IP access list.
  - 34. The privacy protection device according to claim 1, wherein one or both of said host port and said network port are coupled to an internetworking device, said internetworking device operating at layer 1, layer 2, layer 3 and a combination thereof.
  - 35. The privacy protection device according to claim 1, wherein said device is located in the digital baseband path between said computer and said computer network.
  - 36. The privacy protection device according to claim 1, wherein said device is independent of an operating system running on said computer and said network of computers.
  - 37. The privacy protection device according to claim 1 or 3, wherein said device distinguishes and allows static and dynamic IP address assignment.
  - 38. The privacy protection device according to claim 1, wherein said device only permits communications from said computer network which have been initiated by said computer connected to said host port.
  - 39. The privacy protection device according to claim 1, wherein said program memory resides as non-volatile firmware within said communications controller.
  - 40. The privacy protection device according to claim 1, wherein said rules set prohibits certain protocols deemed untrustworthy from passing between said host port and said network port.
  - 41. The privacy protection device according to claim 1, wherein said device reports all ports on said TCP/IP stack as blocked regardless on any port permission settings on any computer connected to said host port.
  - 42. The privacy protection device according to claim 25, wherein said device permits virtual private network (VPN) connections.
  - 43. The privacy protection device according to claim 1, wherein said IP access list can be manually purged at any time by a user-controlled button.
  - 44. The privacy protection device according to claim 1, wherein said communications controller and said IP access table use only said host port, such that routing algorithms and switching algorithms are not used.

45. A method of controlling communications between a computer and a computer network via a privacy protection device, comprising the steps of:
- a) passing a URL request datagram from said computer to a destination on said computer network through a communications controller within said privacy protection device;
  
  b) extracting IP header information from said URL request datagram, said IP header information including said computer'"'"'s IP address, said destination'"'"'s IP address, associated port addresses, sequence number and protocol type;
  
  c) storing said IP header information on an IP access list;
  
  d) forwarding said URL request datagram to said destination to receive a response;
  
  e) passing said response from said destination through said communications controller;
  
  f) extracting IP header information from said response;
  
  g) comparing said IP header information from said response with said IP header information stored on said IP access list;
  
  h) forwarding said response to said computer if said IP header information from said response matches said IP header information stored on said IP access list; and
  
  i) rejecting said response if said IP header information from said response does not match said IP header information stored on said IP access list.
- View Dependent Claims (46, 47, 48, 49, 50, 51, 52, 53, 54)
- - 46. The method according to claim 45, wherein said comparing step incorporates a packet inspection algorithm that allows for detection and rejection of spoofed and redirected responses.
  - 47. The method according to claim 45, wherein said method allows said computer to maintain its IP address while rejecting all communications between said computer and said computer network.
  - 48. The method according to claim 47, wherein said communications controller allows TCP UDP ports 67 and 68 to be active and pass DCHP communication messages between said computer and said computer network while rejecting all other communications between said computer and said computer network.
  - 49. The method according to claim 45, wherein rules for extracting and comparing said IP header information are stored in program memory coupled to said communications controller.
  - 50. The method according to claim 45, wherein said IP header information includes one or more of:
    - (a) layer 3 header information, 16-bit source and 16-bit destination IP addresses;
      
      (b) layer 2 header information, 16-bit source and 16-bit destination port addresses;
      
      (c) a 32-bit layer 2 sequence number;
      
      (d) protocol type; and
      
      (e) other protocol-dependent fields found within said header information.
  - 51. The method according to claim 45, wherein said communications controller rejects all ICMP requests without subjecting said ICMP request to said comparing step.
  - 52. The method according to claim 45, wherein said communications controller detects continuous and repetitive messages and automatically applies rate control to mitigate port flooding and denial of service attacks.
  - 53. The method according to claim 45, wherein said IP access list is monitored by a timer and said IP header information is removed from said IP access list when said timer reaches a pre-determined value with respect to said IP header information and a response corresponding to said IP header information has not been received.
  - 54. The method according to claim 53, wherein said timer can be reset and restarted with respect to any IP header information stored on said IP access list for a particular IP session by a fresh request from said computer using said IP header information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Saafnet Canada Incorporated
Original Assignee
Saafnet Canada Incorporated
Inventors
Sami, Vikash Krishna, Paraskake, Michael

Application Number

US10/364,322
Publication Number

US 20040162992A1
Time in Patent Office

Days
Field of Search
US Class Current

713/200
CPC Class Codes

H04L 61/00   Network arrangements, proto...

H04L 61/50   Address allocation

H04L 63/02   for separating internal fro...

Internet privacy protection device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

182 Citations

54 Claims

Specification

Solutions

Use Cases

Quick Links

Internet privacy protection device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

182 Citations

54 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links