Apparatus and method for providing multi-level security for communication among computers and terminals on a network
First Claim
1. A multi-level network security apparatus for a computer network having at least one user coupled thereto, the at least one user selected from a group consisting of a host computer and at least a second network, comprising:
- a secure network interface unit (SNIU) coupled between said at least one user and the computer network which operates at a user layer communications protocol, said SNIU comprising:
  - a user interface for providing an interface between the user and SNIU, said user interface being operative for translating data received from the user into a format used by said SNIU,
  - a session manager for identifying a user requesting access to the network at the session level and verifying if the identified user is authorized for access to the network, managing functions of communications sessions permitted by said network security apparatus and maintaining a session audit,
  - a dialogue manager for controlling a data path established in the SNIU, and
  - an association manager which operates to establish and control a user session at a session layer of interconnection between the user and the network through said SNIU if said identified user is verified for access,
  whereby the SNIU is implemented to create a global security perimeter for end-to-end communications and wherein the network may be individually secure or non-secure without compromising security of communications within said global security perimeter; and
- a security management architecture, including a security manager (SM) connected to said SNIU for causing said SNIU to be operated and configured for protecting the security communications transmitted through said SNIU between the at least one user and the network, said SM capable of implementing a security policy selected from the group consisting of discretionary access control, mandatory access control, object reuse, labeling, denial of service detection, data type integrity, cascading control and covert channel use detection, said SM further providing inter-network administration.
Abstract
A multi-level security apparatus and method for a network employs a secure network interface unit (SNIU) coupled between each host or user computer unit and a network, and a security management (SM) architecture, including a security manager (SM) coupled to the network, for controlling the operation and configuration of the SNIUs coupled to the network. Each SNIU is operative at a session level of interconnection which occurs when a user on the network is identified and a communication session is to commence. When an SNIU is implemented at each computer unit on the network, a global security perimeter is provided. In a preferred embodiment, the SNIU is configured to perform a defined session level protocol (SLP), including the core functions of user interface, session manager, dialog manager, association manager and data sealer, and network interface. The SM architecture is implemented to ensure user accountability, configuration management, security administration, and validation key management on the network. The SM functions are distributed over three platforms, i.e., a SNIU security manager (SSM), an area security manager (ASM), and a network security manager (NSM).
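As an added illustration (not code from the patent or its assignee), a small Python model of the session-level mediation the abstract describes: the session manager identifies the user, applies discretionary and then mandatory (label-based) access control, records each decision in the session audit, and only on success lets the association manager establish the session. The clearance levels, user ids and network ids are constructed for the example.

```python
"""Constructed model of an SNIU session manager's access decision."""
from dataclasses import dataclass, field

# Hypothetical classification lattice used for mandatory access control.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # A label dominates another if its level is at least as high and
        # its compartment set is a superset (standard MLS ordering).
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class SessionManager:
    clearances: dict            # user id -> clearance Label (identification)
    network_labels: dict        # network id -> Label of the attached network
    acl: dict                   # network id -> set of user ids (DAC policy)
    audit: list = field(default_factory=list)   # session audit trail

    def request_session(self, user, network):
        """True if the association manager may establish the session."""
        if user not in self.clearances:
            return self._log(user, network, "DENY", "unidentified user")
        if user not in self.acl.get(network, set()):
            return self._log(user, network, "DENY", "discretionary access control")
        if not self.clearances[user].dominates(self.network_labels[network]):
            return self._log(user, network, "DENY", "mandatory access control")
        return self._log(user, network, "ALLOW", "session established")

    def _log(self, user, network, decision, reason):
        self.audit.append((user, network, decision, reason))
        return decision == "ALLOW"


def build_demo_manager():
    # Constructed sample configuration: two users, two attached networks.
    return SessionManager(
        clearances={"alice": Label("SECRET", frozenset({"CRYPTO"})),
                    "bob": Label("CONFIDENTIAL"),
                    "carol": Label("CONFIDENTIAL")},
        network_labels={"net-secret": Label("SECRET", frozenset({"CRYPTO"})),
                        "net-unclass": Label("UNCLASSIFIED")},
        acl={"net-secret": {"alice", "carol"}, "net-unclass": {"alice", "bob"}},
    )
```

Running `build_demo_manager().request_session("carol", "net-secret")` is denied by the mandatory check even though carol is on the network's ACL, and the reason is retained in `audit`.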
20 Claims
1. (Independent claim; text identical to the First Claim given above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. A method of providing multi-level network security for a computer network having at least one user coupled thereto, the at least one user selected from the group consisting of a host computer and at least a second computer network, comprising the steps of:
- coupling a secure network interface unit (SNIU) between the user and the network, said SNIU performing a plurality of security management functions including:
  - identifying a user requesting access to the network and providing an interface between the user and said SNIU, said user interface being operative for translating data received from the at least one user into a format used by the SNIU,
  - verifying if the identified user is authorized for access to the network,
  - managing functions of communications sessions permitted by said network security apparatus and maintaining a session audit,
  - controlling a data path established in the SNIU, and
  - establishing a user session at a session layer of interconnection between the user and the network through said SNIU if said identified user is verified for access;
  whereby the SNIU is implemented to create a global security perimeter for end-to-end communications and wherein the network may be individually secure or non-secure without compromising security of communications within said global security perimeter; and
- providing a security management architecture, including a security manager (SM) connected to said SNIU, for performing the functions of controlling the operation and configuration of said SNIU in order to protect the security communications transmitted through said SNIU between the user and the network, said SM being capable of implementing a security policy selected from the group consisting of discretionary access control, mandatory access control, object reuse, labeling, denial of service detection, data type integrity, cascading control and covert channel use detection, said SM further providing inter-network administration.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20.
Specification