Network security bridge and associated method

US 5,548,649 A
Filed: 03/28/1995
Issued: 08/20/1996
Est. Priority Date: 03/28/1995
Status: Expired due to Term

First Claim

Patent Images

1. A network local security bridge that bridges a first side of a network and a second side of the network, the first side of the network including local secure zone host devices within a local secure zone established by the network local security bridge, the second side of the network including network remote security bridges that each establish a remote secure zone and remote secure zone host devices within the remote secure zones, the network local security bridge comprising:

a first interface controller to receive from the first side of the network a first data packet that contains a source address, a destination address, and a data frame;

a second interface controller to receive from the second side of the network a second data packet that contains a source address, a destination address, and a data frame;

a data packet processor coupled to the first and second interface controllers to process the first and second data packets by encrypting the data frame of the received first data packet when the source address of the received first data packet specifies one of the local secure zone host devices and the destination address of the received first data packet specifies one of the remote secure zone host devices, and by decrypting the data frame of the received second data packet when the source address of the received second data packet specifies one of the remote secure zone host devices and the destination address of the received second data packet specifies one of the local secure zone host devices;

the second interface controller transmitting the processed first data packet to the second side of the network; and

the first interface controller transmitting the processed second data packet to the first side of the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network local security bridge and corresponding method for bridging a first side of a network and a second side of the network. The first side includes local secure zone host devices within a local secure zone established by the network local security bridge. The second side includes remote secure zone host devices within remote secure zones established by network remote security bridges. The network local security bridge processes a first side data packet received from the first side of the network and a second side data packet received from the second side of the network. In doing so, the network local security bridge encrypts the data frame of the first side data packet when its source and destination addresses respectively specify one of the local secure zone host devices and one of the remote secure zone host devices and leaves the data frame of the first side data packet unchanged when its source and destination addresses respectively specify one of the local secure zone host devices and one of the unsecure host devices. In addition, the network local security bridge decrypts the data frame of the second side data packet when its source and destination addresses respectively specify one of the remote secure zone host devices and one of the local secure zone host devices and leaves the data frame of the second side data packet unchanged when its source and destination addresses respectively specify one of the unsecure host devices and one of the local secure zone host devices. It then transmits the processed first side data packet to the second side and the processed second side data packet to the first side.

118 Citations

12 Claims

1. A network local security bridge that bridges a first side of a network and a second side of the network, the first side of the network including local secure zone host devices within a local secure zone established by the network local security bridge, the second side of the network including network remote security bridges that each establish a remote secure zone and remote secure zone host devices within the remote secure zones, the network local security bridge comprising:
- a first interface controller to receive from the first side of the network a first data packet that contains a source address, a destination address, and a data frame;
  
  a second interface controller to receive from the second side of the network a second data packet that contains a source address, a destination address, and a data frame;
  
  a data packet processor coupled to the first and second interface controllers to process the first and second data packets by encrypting the data frame of the received first data packet when the source address of the received first data packet specifies one of the local secure zone host devices and the destination address of the received first data packet specifies one of the remote secure zone host devices, and by decrypting the data frame of the received second data packet when the source address of the received second data packet specifies one of the remote secure zone host devices and the destination address of the received second data packet specifies one of the local secure zone host devices;
  
  the second interface controller transmitting the processed first data packet to the second side of the network; and
  
  the first interface controller transmitting the processed second data packet to the first side of the network.
- View Dependent Claims (2, 3)
- - 2. A network local security bridge as recited in claim 1 wherein the data packet processor includes:
    - a data library containing, for each remote secure zone host device, information identifying the network remote security bridge that establishes the remote secure zone within which it is contained, and containing keys that each correspond to one of the network remote security bridges;
      
      a data packet forwarder to select one of the keys from the library for use in encrypting when the source address of the received first data packet specifies one of the local secure zone host devices and the destination address of the received first data packet specifies one of the remote secure zone host devices, the key selected for use in encrypting corresponding to the network remote security bridge that according to the information in the library establishes the remote secure zone containing the remote secure zone host device specified by the destination address of the received first data packet, and to select one of the keys from the library for use in decrypting when the source address of the received second data packet specifies one of the remote secure zone host devices and the destination address of the received second data packet specifies one of the local secure zone host devices, the key selected for use in decrypting corresponding to the network remote security bridge that according to the information in the library establishes the remote secure zone containing the remote secure zone host device specified by the source address of the received second data packet; and
      
      an encryptor/decryptor to encrypt the data frame of the first side data packet with the key selected for use in encrypting, and to decrypt the data frame of the second data packet with the key selected for use in decrypting.
  - 3. A network local security bridge as recited in claim 1 wherein the data packet processor includes:
    - a data library containing, for each remote secure zone host device, information identifying the network remote security bridge that establishes the remote secure zone within which it is contained, and containing, for each network remote security bridge, a corresponding destination key and a corresponding source key;
      
      a data packet forwarder to select one of the destination keys from the library when the source address of the received first data packet specifies one of the local secure zone host devices and the destination address of the received first data packet specifies one of the remote secure zone host devices, the selected destination key corresponding to the network remote security bridge that according to the information in the library establishes the remote secure zone containing the remote secure zone host device specified by the destination address of the received first data packet, and to select one of the source keys from the library when the source address of the received second data packet specifies one of the remote secure zone host devices and the destination address of the received second data packet specifies one of the local secure zone host devices, the selected source key corresponding to the network remote security bridge that according to the information in the library establishes the remote secure zone containing the remote secure zone host device specified by the source address of the received second data packet; and
      
      an encryptor/decryptor to encrypt the data frame of the received first data packet with the selected destination key, and to decrypt the data frame of the received second data packet with the selected source key.

4. A network local security bridge that bridges a first side of a network and a second side of the network, the first side of the network including local secure zone host devices within a local secure zone established by the network local security bridge, the second side of the network including unsecure host devices, network remote security bridges that each establish a remote secure zone, and remote secure zone host devices within the remote secure zones, the network local security bridge comprising:
- a first interface controller to receive from the first side of the network a first data packet that contains a source address, a destination address, and a data frame;
  
  a second interface controller to receive from the second side of the network a second data packet that contains a source address, a destination address, and a data frame;
  
  a data packet processor coupled to the first and second interfaces to process the received first and second side data packets by encrypting the data frame of the received first data packet when the source address of the received first data packet specifies one of the local secure zone host devices and the destination address of the received first data packet specifies one of the remote secure zone host devices, by leaving unchanged the data frame of the received first data packet when the source address of the received first data packet specifies one of the local secure zone host devices and the destination address of the received first data packet specifies one of the unsecure host devices, by decrypting the data frame of the received second data packet when the source address of the received second data packet specifies one of the remote secure zone host devices and the destination address of the received second data packet specifies one of the local secure zone host devices, and by leaving unchanged the data frame of the received second data packet when the source address of the received second data packet specifies one of the unsecure host devices and the destination address of the received second data packet specifies one of the local secure zone host devices;
  
  the second interface controller transmitting the processed first data packet to the second side of the network; and
  
  the first interface controller transmitting the processed second data packet to the first side of the network.
- View Dependent Claims (5, 6)
- - 5. A network local security bridge as recited in claim 4 wherein the data packet processor includes:
    - a data library containing, for each remote secure zone host device, information identifying the network remote security bridge that establishes the remote secure zone within which it is contained, and containing keys that each correspond to one of the network remote security bridges;
      
      a data packet forwarder to select one of the keys from the library for use in encrypting when the source address of the received first data packet specifies one of the local secure zone host devices and the destination address of the received first data packet specifies one of the remote secure zone host devices, the key selected for use in encrypting corresponding to the network remote security bridge that according to the information in the library establishes the remote secure zone containing the remote secure zone host device specified by the destination address of the received first data packet, and to select one of the keys from the library for use in decrypting when the source address of the received second data packet specifies one of the remote secure zone host devices and the destination address of the received second data packet specifies one of the local secure zone host devices, the key selected for use in decrypting corresponding to the network remote security bridge that according to the information in the library establishes the remote secure zone containing the remote secure zone host device having the predefined address specified by the source address of the received second data packet; and
      
      an encryptor/decryptor to encrypt the data frame of the first data packet with the key selected for use in encrypting, and to decrypt the data frame of the second data packet with the key selected for use in decrypting.
  - 6. A network local security bridge as recited in claim 4 wherein the data packet processor includes:
    - a data library containing, for each remote secure zone host device, information identifying the network remote security bridge that establishes the remote secure zone within which it is contained, and containing for each network remote security bridge, a corresponding destination key and a corresponding source key;
      
      a data packet forwarder to select one of the destination keys from the library when the source address of the received first data packet specifies one of the local secure zone host devices and the destination address of the received first data packet specifies one of the remote secure zone host devices, the selected destination key corresponding to the network remote security bridge that according to the information in the library establishes the remote secure zone containing the remote secure zone host device specified by the destination address of the received first data packet, and to select one of the source keys from the library when the source address of the received second data packet specifies one of the remote secure zone host devices and the destination address of the received second data packet specifies one of the local secure zone host devices, the selected source key corresponding to the network remote security bridge that according to the information in the library establishes the remote secure zone containing the remote secure zone host device specified by the source address of the received second data packet; and
      
      an encryptor/decryptor to encrypt the data frame of the received first data packet with the selected destination key, and to decrypt the data frame of the received second data packet with the selected source key.

7. A method of bridging a first side of a network and a second side of the network to establish a local secure zone, the first side of the network including local secure zone host devices within the local secure zone, the second side of the network including network remote security bridges that each establish a remote secure zone and remote secure zone host devices within the remote secure zones, the method comprising the steps of:
- receiving from the first of the network a first data packet that contains a source address, a destination address, and a data frame;
  
  receiving from the second of the network a second data packet that contains a source address, a destination address, and a data frame;
  
  processing the received first and second data packets including the steps of;
  
  encrypting the data frame of the received first data packet when the source address of the received first data packet specifies one of the local secure zone host devices and the destination address of the received first data packet specifies one of the remote secure zone host devices; and
  
  decrypting the data frame of the received second data packet when the source address of the received second data packet specifies one of the remote secure zone host devices and the destination address of the received second data packet specifies one of the local secure zone host devices;
  
  transmitting the processed first data packet to the second side; and
  
  transmitting the processed second data packet to the first side.
- View Dependent Claims (8, 9)
- - 8. A method as recited in claim 7 further comprising the steps of:
    - providing a data library containing, for each remote secure zone host device, information identifying the network remote security bridge that establishes the remote secure zone within which it is contained, and keys that each correspond to one of the network remote security bridges;
      
      the processing step further including the steps of;
      
      selecting one of the keys from the library for encrypting when the source address of the received first data packet specifies one of the local secure zone host devices and the destination address of the received first data packet specifies one of the remote secure zone host devices, the key selected for encrypting corresponding to the network remote security bridge that according to the information in the library establishes the remote secure zone containing the remote secure zone host device specified by the destination address of the received first data packet; and
      
      selecting one of the keys from the library for decrypting when the source address of the received second data packet specifies one of the remote secure zone host devices and the destination address of the received second data packet specifies one of the local secure zone host devices, the key selected for decrypting corresponding to the network remote security bridge that according to the information in the library establishes the remote secure zone containing the remote secure zone host device specified by the source address of the received second data packet;
      
      the encrypting step including the step of encrypting the data frame of the first data packet with the key selected for encrypting; and
      
      the decrypting step including the step of decrypting the data frame of the second data packet with the key selected for decrypting.
  - 9. A method as recited in claim 7 further comprising the steps of:
    - providing a data library containing., for each remote secure zone host device, information identifying the network remote security bridge that establishes the remote secure zone within which it is contained, and containing, for each network remote security bridge, a corresponding destination key and a corresponding source key;
      
      the processing step further including the steps of;
      
      selecting one of the destination keys from the library when the source address of the received first data packet specifies one of the local secure zone host devices and the destination address of the received first data packet specifies one of the remote secure zone host devices, the selected destination key corresponding to the network remote security bridge that according to the information in the library establishes the remote secure zone containing the remote secure zone host device specified by the destination address of the received first data packet; and
      
      selecting one of the source keys from the library when the source address of the received second data packet specifies one of the remote secure zone host devices and the destination address of the received second data packet specifies one of the local secure zone host devices, the selected source key corresponding to the network remote security bridge that according to the information in the library establishes the remote secure zone containing the remote secure zone host device specified by the source address of the received second data packet; and
      
      the encrypting step including the step of encrypting the data frame of the first data packet with the selected destination key; and
      
      the decrypting step including the step of decrypting the data frame of the second data packet with the selected source key.

10. A method of bridging a first side of a network and a second side of the network to establish a local secure zone, the first side of the network including local secure zone host devices within the local secure zone, the second side of the network including unsecure host devices, network remote security bridges that each establish a remote secure zone, and remote secure zone host devices within the remote secure zones, the method comprising the steps of:
- receiving from the first side of the network a first data packet that contains a source address, a destination address, and a data frame;
  
  receiving from the second side of the network a second data packet that contains a source address, a destination address, and a data frame;
  
  processing the received first and second data packets including the steps of;
  
  encrypting the data frame of the received first data packet when the source address of the received first data packet specifies one of the local secure zone host devices and the destination address of the received first data packet specifies one of the remote secure zone host devices; and
  
  leaving unchanged the data frame of the received first data packet when the source address of the received first data packet specifies one of the local secure zone host devices and the destination address of the received first data packet specifies one of the unsecure host devices;
  
  decrypting the data frame of the received second data packet when the source address of the received second data packet specifies one of the remote secure zone host devices and the destination address of the received second data packet specifies one of the local secure zone host devices; and
  
  leaving unchanged the data frame of the received second data packet when the source address of the received second data packet specifies one of the unsecure host devices and the destination address of the received second data packet specifies one of the local secure zone host devicestransmitting the processed first data packet to the second side; and
  
  transmitting the processed second data packet to the first side.
- View Dependent Claims (11, 12)
- - 11. A method as recited in claim 10 further comprising the steps of:
    - providing a data library containing, for each remote secure zone host device, information identifying the network remote security bridge that establishes the remote secure zone within which it is contained, and containing keys that each correspond to one of the network remote security bridges;
      
      the processing step including the steps of;
      
      selecting one of the keys from the library for use in encrypting when the source address of the received first data packet specifies one of the local secure zone host devices and the destination address of the received first data packet specifies one of the remote secure zone host devices, the key selected for use in encrypting corresponding to the network remote security bridge that according to the information in the library establishes the remote secure zone containing the remote secure zone host device specified by the destination address of the received first data packet; and
      
      selecting one of the keys from the library for use in decrypting when the source address of the received second data packet specifies one of the remote secure zone host devices and the destination address of the received second data packet specifies one of the local secure zone host devices, the key selected for use in decrypting corresponding to the network remote security bridge that according to the information in the library establishes the remote secure zone containing the remote secure zone host device specified by the source address of the received second data packet; and
      
      the encrypting step including the step of encrypting the data frame of the first data packet with the key selected for use in encrypting; and
      
      the decrypting step including the step of decrypting the data frame of the second data packet with the key selected for use in decrypting.
  - 12. A method as recited in claim 10 further comprising the steps of:
    - providing a library containing, for each remote secure zone host device, information identifying the network remote security bridge that establishes the remote secure zone within which it is contained, and containing, for each network remote security bridge, a corresponding destination key and a corresponding source key;
      
      the processing step including the steps of;
      
      selecting one of the destination keys from the library when the source address of the received first data packet specifies one of the local secure zone host devices and the destination address of the received first data packet specifies one of the remote secure zone host devices, the selected destination key corresponding to the network remote security bridge that according to the information in the library establishes the remote secure zone containing the remote secure zone host device specified by the destination address of the received first data packet; and
      
      selecting one of the source keys from the library when the source address of the received second data packet specifies one of the remote secure zone host devices and the destination address of the received second data packet specifies one of the local secure zone host devices, the selected source key corresponding to the network remote security bridge that according to the information in the library establishes the remote secure zone containing the remote secure zone host device specified by the source address of the received second data packet; and
      
      the encrypting step including the step of encrypting the data frame of the first data packet with the selected destination key; and
      
      the decrypting step including the step of decrypting the data frame of the second data packet with the selected source key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Iowa State University Research Foundation Incorporated (Iowa State University)
Original Assignee
Iowa State University Research Foundation Incorporated (Iowa State University)
Inventors
Jacobson, Douglas W.
Primary Examiner(s)
Gregory, Bernarr E.

Application Number

US08/412,164
Time in Patent Office

511 Days
Field of Search

380/4, 380/9, 380/21, 380/23, 380/25, 380/49, 380/50
US Class Current

713/153
CPC Class Codes

H04L 63/0464 using hop-by-hop encryption...

H04L 63/08 for authentication of entit...

Network security bridge and associated method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

118 Citations

12 Claims

Specification

Use Cases

Quick Links

Others

Network security bridge and associated method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

118 Citations

12 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others