Advanced data guard having independently wrapped components

Electrical computers and digital processing systems: multicomput – Computer-to-computer session/connection establishing – Network resources access controlling

Reexamination Certificate


C709S227000, C709S228000, C709S225000, C709S232000, C713S152000, C713S152000


06584508

ABSTRACT:

BACKGROUND
1. Field of the Invention
The present invention relates generally to network security, and more particularly, to systems and methods for increasing the security of network guard systems.
2. Discussion of the Related Art
Firewalls are an essential ingredient in a corporate entity's network security plan. Firewalls represent a security enforcement point that separates a trusted network from an untrusted network.
FIG. 1 illustrates a generic example of a network security plan that incorporates a firewall system. In this generic example, firewall system 120 is operative to screen all connections between private network 110 and untrusted system 140. These connections are facilitated by Internet network 130. In the screening process, firewall system 120 determines which traffic should be allowed and which traffic should be disallowed based on a predetermined security policy.
One type of firewall system is an application-level gateway or proxy server, which acts as a relay of application-level traffic. Proxy servers tend to be more secure than packet filters. Rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the transmission control protocol (TCP) and Internet protocol (IP) level, the proxy server need only scrutinize a few allowable applications (e.g., Telnet, file transfer protocol (FTP), simple mail transfer protocol (SMTP), hypertext transfer protocol (HTTP)). Generally, if the proxy server does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall. Further, the proxy server can be configured to support only specific features of an application that the network administrator considers acceptable while denying all other features.
Traditional proxies typically allow unlimited communication from the inside network to the outside network, and limited communication from the outside network to the inside network. Any flaw in the proxy (including subversion) can cause the proxy to provide direct communication from the outside network to the inside network.
Such a traditional proxy is not suitable for highly classified or proprietary networks (e.g., a military/defense organization, law firm, or financial institution). These organizations often require access to public “open source” news and weather information (e.g., CNN). Additionally, they need to allow limited subsets of users on the outside to access resources inside the classified or proprietary network, especially in coalition environments.
Connecting such networks together historically required a guard, a special purpose device designed to prevent information flowing from the inside network (the more highly classified side) to the outside network (the less highly classified side). Guards differ from firewalls in their primary intent. A firewall is mostly concerned with keeping unauthorized users out, while a guard has the additional goal of preventing information on the inside from being sent to the outside.
Conventional guards suffer from several key problems. First, some guards were built on special purpose operating systems to maximize their resistance to attack (which made them both expensive to obtain and to manage), while others were built on weak commercial off-the-shelf (COTS) operating systems (which made them vulnerable to attack). An example of a COTS operating system guard is the ISSE guard, which is built on the Solaris operating system. The ISSE guard is described in “Imagery Support Server Environment (ISSE) Guard System Description,” http://www.itd.sterling.com/rome/projects/products/isse/ISSE_SD.html. An example of a special purpose operating system guard is the C2 Guard described in Thomas Fiorino et al., “Lessons Learned During the Life Cycle of an MLS Guard Deployed at Multiple Sites”, Proceedings of the Eleventh Annual Computer Security Applications Conference, New Orleans, La., December 1995.
The C2 Guard consists of three computers: a Sun Solaris system that queues files from the inside and passes them over a serial line to a Wang XTS-300; the XTS-300 itself, which runs the content-based filters; and a second Sun Solaris system that accepts the files over a serial line from the XTS-300 and transfers them to the outside. (The process is equivalent for files being transferred from the outside to the inside.) The queuing and dequeuing computers are required to be dedicated to that purpose; they accept (and send) files using NFS and FTP. In environments where protocols such as the Internet Inter-ORB Protocol (IIOP) are required, another pair of computers (shown as the protocol/file translators) is required to translate from the native protocol to file format and back.
The special purpose nature of the C2 Guard is indicative of a second problem with conventional guards: guards that are built for particular applications are generally hard to extend to other uses. For example, a Defense Information Systems Agency sponsored study (“Security Guard Study”, Defense Information Systems Agency, August 1995) found that of the approximately 50 different guards that had been built by the US Department of Defense, none had the capability to deal with modern middleware protocols such as IIOP, used by the Common Object Request Broker Architecture (CORBA).
A third limitation of conventional guards is that they require a human to “certify” each piece of data (e.g., an E-mail message) to be released from the inside to the outside, and this is difficult to do accurately. In general, the certification occurs inside the enclave, using trusted software that puts a digital signature on the data to be released; the guard then verifies the signature before release. This technique relies on the correct operation of the user's approval software (i.e., the correct functioning of the user's workstation). For example, Secure Computing's Standard Mail Guard (SMG), described in R. Smith, “Constructing a High Assurance Mail Guard,” Proceedings of the 17th National Computer Security Conference, Baltimore, Md., October 1994, requires that the user invoke a Fortezza card to sign each message to be released, without any assurance that the Fortezza card is signing what the user intended. The SMG can verify that the signature was applied correctly, but cannot determine whether the signed data is in fact appropriate for release, or even whether it is what the user intended to release. Even aside from assurance issues, this scheme is inappropriate for connections involving lower-level protocols (e.g., IIOP), since users cannot realistically approve each object invocation.
As special purpose devices, guards also lack integration with other security devices, such as intrusion detection systems. They require a separate set of management capabilities and cannot be managed along with the rest of the network. What is needed, therefore, is a next generation guard that can be readily integrated within a modern network security framework.
SUMMARY OF THE INVENTION
The present invention meets the aforementioned needs by generating a flexible data guard using existing network security products. It is a feature of the present invention that the flexible data guard is based on a multi-part proxy. The multi-part proxy includes a first proxy agent that communicates with an inside computer network region, a second proxy agent that communicates with an outside computer network region, and a content-based filter application that reviews information passed between the first proxy agent and the second proxy agent. Both the first and second proxy agents can be based on existing firewall proxies. The proxy agents listen for protocol operations (e.g., IIOP requests or replies) and translate those protocol operations into protocol-independent data. The protocol-independent data is then analyzed by a protocol-independent content-based filter.
It is a further feature of the present invention that the behavior of the multi-p
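The following is an added example, not code from the patent or from any product it cites, showing the multi-part proxy structure described in the Summary: two proxy agents that each speak a different wire format translate requests into one protocol-independent record, and a single content-based filter then applies a direction-specific policy. It also illustrates the two points raised in the Background: the outbound path requires a release signature but additionally inspects content, because a valid signature alone cannot establish that data is appropriate for release; and the inbound path admits only an allow-list of operations, as an application-level proxy admits only specific features. The toy line format, the toy JSON format, the HMAC-based "release signature", the service names and the classification markings are all constructed assumptions for illustration; real IIOP parsing is not shown.

```python
"""Toy multi-part data guard (added example; assumptions noted in comments)."""
import hashlib
import hmac
import json
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed shared key between the inside release-approval software and the
# guard's filter. The SMG used a Fortezza card for this; an HMAC stands in here.
RELEASE_KEY = b"demo-release-key"


@dataclass
class Operation:
    """Protocol-independent form of one request, as a proxy agent produces it."""
    direction: str            # "inside_to_outside" or "outside_to_inside"
    target: str               # service/object name
    method: str               # operation name
    payload: bytes
    signature: Optional[str] = None   # hex HMAC over target|method|payload


def _mac(target: str, method: str, payload: bytes) -> str:
    msg = target.encode() + b"|" + method.encode() + b"|" + payload
    return hmac.new(RELEASE_KEY, msg, hashlib.sha256).hexdigest()


# First proxy agent (inside side). Constructed line format:
#   INVOKE <target> <method> <hex payload> [<hex signature>]
INSIDE_RE = re.compile(r"^INVOKE (\S+) (\S+) ([0-9a-fA-F]*)(?: ([0-9a-f]{64}))?$")


def inside_agent_parse(line: str) -> Operation:
    m = INSIDE_RE.match(line.strip())
    if not m:
        raise ValueError("malformed inside request")
    target, method, hexpayload, sig = m.groups()
    return Operation("inside_to_outside", target, method, bytes.fromhex(hexpayload), sig)


# Second proxy agent (outside side). Constructed JSON format:
#   {"target": "...", "method": "...", "payload": "..."}
def outside_agent_parse(doc: str) -> Operation:
    obj = json.loads(doc)
    return Operation("outside_to_inside", str(obj["target"]), str(obj["method"]),
                     str(obj.get("payload", "")).encode())


# Protocol-independent content-based filter. Policy is an assumption:
# outside users get a small allow-list of read-only operations; inside-originated
# data must carry a valid release signature AND pass a content check.
INBOUND_ALLOW = {("WeatherService", "get_forecast"), ("NewsService", "get_headlines")}
MARKINGS = re.compile(rb"\b(TOP SECRET|SECRET|CONFIDENTIAL)\b")


def content_filter(op: Operation) -> Tuple[bool, str]:
    if op.direction == "outside_to_inside":
        if (op.target, op.method) not in INBOUND_ALLOW:
            return False, "operation not in inbound allow-list"
        if len(op.payload) > 256:
            return False, "inbound payload too large"
        return True, "allowed inbound"
    # inside_to_outside: signature proves approval software ran, not that the
    # content is releasable, so both checks are applied.
    expected = _mac(op.target, op.method, op.payload)
    if not op.signature or not hmac.compare_digest(op.signature, expected):
        return False, "missing or invalid release signature"
    if MARKINGS.search(op.payload):
        return False, "signed, but payload carries a classification marking"
    return True, "released"


def guard(raw: str, from_inside: bool) -> Tuple[bool, str]:
    """Run one message through the appropriate proxy agent, then the filter."""
    try:
        op = inside_agent_parse(raw) if from_inside else outside_agent_parse(raw)
    except (ValueError, KeyError, TypeError) as exc:   # JSONDecodeError is a ValueError
        return False, f"rejected at proxy agent: {exc}"
    return content_filter(op)


def sign_for_release(target: str, method: str, payload: bytes) -> str:
    """What the inside approval workstation would emit (constructed for the demo)."""
    return f"INVOKE {target} {method} {payload.hex()} {_mac(target, method, payload)}"


if __name__ == "__main__":
    samples = [
        ('{"target":"WeatherService","method":"get_forecast","payload":"SFO"}', False),
        ('{"target":"FileService","method":"read","payload":""}', False),
        ("INVOKE ReportService post 48656c6c6f", True),
        (sign_for_release("ReportService", "post", b"weather ok"), True),
        (sign_for_release("ReportService", "post", b"SECRET plan"), True),
    ]
    for raw, inside in samples:
        print(("inside " if inside else "outside"), guard(raw, inside))
```

Because each agent reduces its protocol to the same Operation record, adding a third wire format means adding one parser, not a new filter; the filter and its policy stay protocol-independent, which is the extensibility the Background says the single-purpose guards lacked.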
