Mixed enclave operation in a computer network

US 7,624,180 B2
Filed: 09/28/2005
Issued: 11/24/2009
Est. Priority Date: 07/30/1996
Status: Expired due to Fees

First Claim

Patent Images

1. A system for communicating over a network having a plurality of secured users utilizing at least two multi-level network security devices and a plurality of unsecured users employing no network security devices, the system comprising:

a first multi-level network security device associated with a first secure network configured to;

intercept a message sent from a first user to a second user;

discard the message if the message violates security parameters; and

if the message is not discarded for violation of security parameters, the first multi-level security device is configured to dynamically determine whether the second user is secured or unsecured by contacting a second multi-level security device associated with a second secured network to determine whether the second user is associated with the second secure network;

wherein in a first mode, the first multi-level network security device is configured to send the message to the second user over an unsecured network in an unsecured manner when the first multi-level security device does not receive a response from the second multi-level network security device, andwherein in a second mode, the first multi-level network security device comprises an encryptor configured to encrypt the message and send the encrypted message securely over the unsecured network when the first security device receives a response from second multi-level network security device that the second user is associated with the second secure network.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is disclosed for mixed enclave operation of a computer network with users employing a multi-level network security interface and users without any network security interface. Either the network security user selects or the network security interface automatically selects whether communications are permissible with other unsecured users. Where a mixed enclave operation is selected, the network security user identifies when communications are being undertaken with another secured user or a non-secured user. Communications with a non-secured user at a lower security level entail securing the data residing with the secured user from transmission back to the non-secured user.

100 Citations

View as Search Results

20 Claims

1. A system for communicating over a network having a plurality of secured users utilizing at least two multi-level network security devices and a plurality of unsecured users employing no network security devices, the system comprising:
- a first multi-level network security device associated with a first secure network configured to;
  
  intercept a message sent from a first user to a second user;
  
  discard the message if the message violates security parameters; and
  
  if the message is not discarded for violation of security parameters, the first multi-level security device is configured to dynamically determine whether the second user is secured or unsecured by contacting a second multi-level security device associated with a second secured network to determine whether the second user is associated with the second secure network;
  
  wherein in a first mode, the first multi-level network security device is configured to send the message to the second user over an unsecured network in an unsecured manner when the first multi-level security device does not receive a response from the second multi-level network security device, andwherein in a second mode, the first multi-level network security device comprises an encryptor configured to encrypt the message and send the encrypted message securely over the unsecured network when the first security device receives a response from second multi-level network security device that the second user is associated with the second secure network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1 further comprising an interface unit configured to send the message from the first user.
  - 3. The system of claim 1 wherein in the second mode, the second multi-level network security device comprises a decryptor configured to decrypt the message and send the decrypted message to a third user selected from a plurality of secured users.
  - 4. The system of claim 1, further comprising a third multi-level network security device configured to intercept the encrypted message, validate a signature of the first multi-level network security interface, and send the encrypted message from the third multi-level network security device to the second multi-level network security device.
  - 5. The system of claim 1, wherein each multi-level network security device is configured to use association establishment messages for authenticating other multi-level network security devices.
  - 6. The system of claim 1, wherein each multi-level network security device is configured to use association establishment messages for exchanging security parameters between the multi-level network security devices.
  - 7. The system of claim 1 wherein the message comprises a datagram.

8. A system for mixed enclave communications over a network having both secured and unsecured users, the system comprising:
- a first network security device associated with a first secured network, the first network security device configured to permit communication over the network among secured users and unsecured users, and further configured to dynamically determine whether a user is one of the secured users or one of the unsecured users;
  
  wherein the first network security device is configured to use association establishment messages to communicate over an unsecured network with a second network device associated with a second secured network, the first network security device configured to confirm the authenticity of one of the secured users based on a response from the second network security device; and
  
  wherein the first network security device is further configured to identify the unsecured users based on a lack of response to the association establishment messages and to send messages over the unsecured network from the secured users to the unsecured users.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The system of claim 8, wherein the first network security device is configured to examine Internet Protocol (IP) addresses for identifying the secured and unsecured users.
  - 10. The system of claim 8, wherein the first network security device comprises an encryptor configured to encrypt information residing with one of the secured users.
  - 11. The system of claim 8 wherein the message comprises a datagram.
  - 12. The system of claim 8 wherein the first network security device is configured to create an entry in an association table indicative of a source of a received message.

13. A method for establishing association over a network between a plurality of secured users utilizing at least two security devices and a plurality of unsecured users, the method comprising:
- receiving and storing at a first security device associated with a first secure network a first message from a source user to an unsecured destination user;
  
  transmitting from the first security device an association request message to the unsecured destination user upon receipt of the first message, wherein the association request message is sent over an unsecured network;
  
  sending the first message over the unsecured network when the first security device does not receive a response to the association request message;
  
  receiving and storing at the first security device a second message from the source user to a secured destination user associated with a second secure network;
  
  receiving an association grant message in response to the association request message from a second security device associated with a second secure network to the first secure network, wherein the second security device sends the association grant message after the second security device has determined that an association between the source user and the secured destination user is permitted, wherein no other security devices exist between the destination user and the second security device;
  
  encrypting and sending over the unsecured network, the second message from the first security device associated with the first secure network to the second security device associated with the second secured network.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13 further comprising determining at the second security device whether security parameters are violated.
  - 15. The method of claim 13 wherein the second security device transmits the association grant message when no security parameters are violated.
  - 16. The method of claim 13 further comprising sending the second message from the second security device to the secure destination user when the source user and the secure destination user have the same security level.
  - 17. The method of claim 13 further comprising predicting and storing a destination user response at the second security device prior to sending the message from the second security device to the secure destination user when the source user has a lower security level than the secure destination user.
  - 18. The method of claim 13 further comprising sending the second message from the second security device to the secure destination user when the second security device retrieves a predicted destination user response and the source user has a higher security level than the secure destination user.
  - 19. The method of claim 13 further comprising erasing the message when no predicted destination user response exists and the source user has a higher security level than the secure destination user.
  - 20. The method of claim 13 wherein receiving a message comprises receiving a datagram.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Round Rock Research LLC
Original Assignee
Micron Technology, Inc.
Inventors
Snow, legal representative, Snow, David W., Levin, Stephen E., Wrench, Edwin H., Holden, James M.
Primary Examiner(s)
VU, VIET DUY

Application Number

US11/236,957
Publication Number

US 20060020800A1
Time in Patent Office

1,518 Days
Field of Search

709/217, 709/219, 709/223, 709/224, 709/225, 709/250
US Class Current

709/225
CPC Class Codes

G06F 21/31   User authentication

G06F 2211/001   In-Line Device

G06F 2211/005   Network, LAN, Remote Access...

G06F 2211/007   Encryption, En-/decode, En-...

G06F 2211/009   Trust

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/0218   Distributed architectures, ...

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/105   Multiple levels of security

H04L 63/12   Applying verification of th...

H04L 63/126   the source of the received ...

H04L 9/40   Network security protocols

Mixed enclave operation in a computer network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

100 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Mixed enclave operation in a computer network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

100 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others