Distributed firewall system and method

US 7,536,715 B2
Filed: 11/25/2002
Issued: 05/19/2009
Est. Priority Date: 05/25/2001
Status: Expired due to Term

First Claim

Patent Images

1. A method of restricting packet transfer to a computer across a network, wherein the computer includes a network interface device coupled to the network and wherein the network interface device includes a packet filter, the method comprising:

providing a security server connected to the network;

receiving a packet at the network interface device;

determining, at the network interface device, whether the packet is a previously authorized transaction;

if the packet is not a previously authorized transaction, routing the packet to the security server;

determining, at the security server, whether the packet is an authorized transaction; and

if the security server determines that the packet is an authorized transaction, configuring the network interface device to accept similar transactions.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for restricting packet transfer to a computer across a network, wherein the computer includes a network interface device coupled to the network and wherein the network interface device includes a packet filter. A security server is connected to the network. A packet is received at the network interface device and the network interface device determines if the packet is an authorized transaction. If the packet is not an authorized transaction, the packet is routed to the security server, where the security server determines whether the packet is an authorized transaction. If the security server determines that the packet is an authorized transaction, the network interface device is configured to accept similar transactions.

134 Citations

View as Search Results

45 Claims

1. A method of restricting packet transfer to a computer across a network, wherein the computer includes a network interface device coupled to the network and wherein the network interface device includes a packet filter, the method comprising:
- providing a security server connected to the network;
  
  receiving a packet at the network interface device;
  
  determining, at the network interface device, whether the packet is a previously authorized transaction;
  
  if the packet is not a previously authorized transaction, routing the packet to the security server;
  
  determining, at the security server, whether the packet is an authorized transaction; and
  
  if the security server determines that the packet is an authorized transaction, configuring the network interface device to accept similar transactions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, wherein determining whether the packet is an authorized transaction at the security server includes authenticating the source of the packet.
  - 3. The method according to claim 1, wherein configuring includes filtering the packet using a packet filter.
  - 4. The method according to claim 3, wherein filtering includes applying quality of service policies to the packet.
  - 5. The method according to claim 1, wherein configuring includes initiating end-to-end IPSEC for similar transactions.
  - 6. The method according to claim 1, wherein configuring includes encrypting a packet to be transferred to the network interface device, transferring the encrypted packet to the network interface device, decrypting the encrypted packet at the network interface device, and configuring the network interface device as a function of the decrypted packet.
  - 7. The method according to claim 1, wherein determining whether the packet is an authorized transaction at the security server includes configuring the network interface device to reject similar transactions if the packet is not an authorized transaction.
  - 8. The method according to claim 1, wherein determining whether the packet is an authorized transaction at the security server further includes configuring other network interface devices to reject similar transactions if the packet is not an authorized transaction.
  - 9. An article comprising a computer readable medium having instructions thereon, wherein the instructions, when executed in a computer, create a system for executing the method of claim 1.

10. A method of restricting packet transfer from a computer across a network, wherein the computer includes a network interface device coupled to the network and wherein the network interface device includes a packet filter, the method comprising:
- providing a security server connected to the network;
  
  receiving a packet at the network interface device;
  
  determining, at the network interface device, whether the packet is a previously authorized transaction;
  
  if the packet is not a previously authorized transaction, routing the packet to the security server;
  
  determining, at the security server, whether the packet is an authorized transaction; and
  
  if the security server determines that the packet is an authorized transaction, configuring the network interface device to permit similar transactions.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The method according to claim 10, wherein determining, at the network interface device, whether the packet is a previously authorized transaction includes comparing the source address to the host address.
  - 12. The method according to claim 10, wherein determining whether the packet is an authorized transaction at the security server includes authenticating the source of the packet.
  - 13. The method according to claim 10, wherein configuring includes filtering the packet using a packet filter.
  - 14. The method according to claim 13, wherein filtering includes applying quality of service policy to the packet.
  - 15. The method according to claim 10, wherein configuring includes initiating end-to-end IPSEC for similar transactions.
  - 16. The method according to claim 10, wherein configuring includes encrypting a packet to be transferred to the network interface device, transferring the encrypted packet to the network interface device, decrypting the encrypted packet at the network interface device, and configuring the network interface device as a function of the decrypted packet.
  - 17. The method according to claim 10, wherein determining whether the packet is an authorized transaction at the security server includes configuring the network interface device to reject similar transactions if the packet is not an authorized transaction.
  - 18. The method according to claim 10, wherein determining whether the packet is an authorized transaction at the security server further includes configuring other network interface devices to reject similar transactions if the packet is not an authorized transaction.
  - 19. An article comprising a computer readable medium having instructions thereon, wherein the instructions, when executed in a computer, create a system for executing the method of claim 10.

20. A method of limiting source spoofing in the transfer of packets from a computer across a network, wherein the computer includes a processor and a network interface device coupled between the processor and the network, wherein the computer has a computer address and wherein the network interface device includes a packet filter, the method comprising:
- preparing a packet having a source address and a destination;
  
  transferring the packet from the processor to the network interface device;
  
  examining the packet within the network interface device, wherein examining includes comparing the source address to the computer address;
  
  if the source address matches the computer address, transferring the packet across the network to the destination;
  
  if the source address does not match the computer address, preventing the packet from being transferred across the network to the destination and, instead, forwarding the packet to a security server;
  
  receiving, at the network interface device, a message from the security server, wherein the message includes authorization information corresponding to a packet previously sent from the network interface device to the security server; and
  
  wherein the authorization information configures the network interface device to accept transactions similar to the packet previously sent from the network interface device to the security server.
- View Dependent Claims (21, 22)
- - 21. The method of claim 20, wherein forwarding includes encrypting the packet and transferring the encrypted packet to the security server.
  - 22. An article comprising a computer readable medium having instructions thereon, wherein the instructions, when executed in a computer, create a system for executing the method of claim 20.

23. A computer system, comprising:
- a network;
  
  a computer connected to the network through a network interface device; and
  
  a security server;
  
  wherein the network interface device includes logic for transmitting information from the network interface device to the security server independent of the computer and wherein the security server configures the network interface device as a function of the transmitted information.
- View Dependent Claims (24, 25, 26)
- - 24. The system of claim 23, wherein the logic includes an encryption circuit for encrypting data to be transferred from the network interface device to the security server.
  - 25. The system of claim 23, wherein the security server includes means for authenticating a user to the system.
  - 26. The system of claim 23, wherein the security server includes audit analysis.

27. A computer system, comprising:
- a network;
  
  a computer connected to the network;
  
  a router connected to the network, wherein the router includes a packet filter; and
  
  a security server connected to the router over the network;
  
  wherein the router receives packets from the network, filters the packets using the packet filter to detect unauthorized packets and transmits unauthorized packets over the network to the security server independent of the computer; and
  
  wherein the security server configures the router packet filter after analysis of the unauthorized packets.
- View Dependent Claims (28, 29, 30, 31)
- - 28. The system of claim 27, wherein the router includes an encryption circuit for decrypting encrypted packets and for encrypting the decrypted packets before forwarding them to their destination.
  - 29. The system of claim 28, wherein the security server includes an encryption circuit and wherein communication from the security server to the router can be encrypted by the security server'"'"'s encryption circuit.
  - 30. The system of claim 27, wherein the security server includes means for authenticating a user to the system.
  - 31. The system of claim 27, wherein the security server includes audit analysis.

32. A computer system, comprising:
- a network;
  
  a computer connected to the network through a network interface device; and
  
  a security server capable of communicating with the network interface device;
  
  wherein the network interface device includes a packet filter, wherein the packet filter includes quality of service control for managing traffic flowing through the network interface device; and
  
  wherein the security server transfers configuration information to the network interface device to modify quality of service parameters on the network interface device as a function of changing security conditions within the computer system.
- View Dependent Claims (33, 34, 35)
- - 33. The system of claim 32, wherein the network interface device further includes an encryption circuit for encrypting data to be transferred from the network interface device to the security server.
  - 34. The system of claim 32, wherein the security server includes means for authenticating a user to the system.
  - 35. The system of claim 32, wherein the computer system further comprises a router having a packet filter, wherein the packet filter includes quality of service control for managing traffic flowing through the router and wherein the security server transfers configuration information to the router to modify quality of service parameters on the router as a function of changing security conditions within the computer system.

36. A distributed firewall system, comprising:
- a plurality of computers, including a first computer, wherein the plurality of computers are connected through network interface cards to a network; and
  
  a security server connected to the network;
  
  wherein the network interface card for the first computer includes logic which selectively forwards packets addressed to the first computer from the network interface card to the security server;
  
  wherein the security server determines whether the packet is an authorized transaction; and
  
  wherein if the server determines that the packet is an authorized transaction, the security server configures the network interface device to accept similar transactions.
- View Dependent Claims (37, 38, 39, 40)
- - 37. The system according to claim 36, wherein the network interface card for the first computer includes encryption and decryption logic.
  - 38. The system according to claim 37, wherein the security server includes encryption and decryption logic, wherein the encryption and decryption logic encrypts packets to be transferred to the network interface card for the first computer.
  - 39. The system according to claim 36, wherein the network interface card for the first computer includes a packet filter and wherein the packet filter detects packets to be forwarded to the security server.
  - 40. The system according to claim 36, wherein the network interface card for the first computer includes encryption and decryption logic and wherein the packets to be forwarded to the security server are encrypted on the network interface card before being transmitted to the security server.

41. A method of providing computer security services to the computer of a remote user, comprising:
- providing a security server;
  
  installing a network interface device in the computer, wherein the network interface device includes logic for transmitting information from the network interface device to the security server independent of the computer;
  
  transmitting information from the network interface device to the security server; and
  
  configuring the network interface device as a function of the information transmitted from the network interface device to restrict packet transfer through the network interface device.
- View Dependent Claims (42, 43, 44, 45)
- - 42. The method of claim 41, wherein transmitting includes initiating a session, wherein initiating a session includes authenticating the user to the security server;
    - andwherein configuring the network interface device includes restricting packet transfer as a function of the user.
  - 43. The method of claim 41, wherein the network interface device includes a packet filter and wherein configuring the network interface device includes transferring packet filtering rules from the security server to the network interface device, wherein transferring includes modifying the packet filtering rules as a function of changing security conditions.
  - 44. The method of claim 41, wherein the network interface device includes a packet filter, wherein the packet filter includes quality of service control for managing traffic flowing through the network interface device;
    - andwherein configuring the network interface device includes transferring information from the security server to the network interface device modifying quality of service parameters on the network interface device as a function of changing security conditions.
  - 45. An article comprising a computer readable medium having instructions thereon, wherein the instructions, when executed in a computer, create a system for executing the method of claim 41.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
Secure Computing Corporation (McAfee, LLC)
Inventors
Markham, Thomas R.
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Tran; Tongoc

Application Number

US10/304,469
Publication Number

US 20030126468A1
Time in Patent Office

2,367 Days
Field of Search

713151-155, 726 11- 13, 709/238, 370/351
US Class Current

726/11
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

Distributed firewall system and method

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

134 Citations

45 Claims

Specification

Use Cases

Quick Links

Others

Distributed firewall system and method

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

134 Citations

45 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others