Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-01-20
2001-05-08
Le, Dieu-Minh T. (Department: 2184)
C713S152000
active
06230271
ABSTRACT:
COPYRIGHT NOTICE
A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the xerographic reproduction by anyone of the patent document or the patent disclosure in exactly the form it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.
BACKGROUND OF THE INVENTION
This invention relates to internetwork communications and data exchanges, and in particular to the security of information exchange between computer networks to inhibit and detect attempts at vandalism, espionage, sabotage or inadvertent destruction of data.
Computer networks connect multiple computer systems together, allowing them to share information. Initially, the computers were in one, secure location. As the utility of networks grew, it became more and more desirable to connect networks at different locations to allow information to flow between the computer systems at all sites. As the number of computer systems grew beyond the point where each user of the network was well known to all other users, the need for a mechanism to describe and enforce a policy for access, known as a “security policy”, became apparent.
Two major techniques developed for security policy enforcement. The first is packet filtering, in which a security policy specifies what types of connections are allowed and permits or denies passage of TCP/IP packets of specific types through a router. The second technique is application filtering, which operates at a higher level, examining the specific transactions that pass through a TCP/IP connection, and allowing them or denying them based on the specific action being attempted, or the identity of the requester.
When combined, these two techniques comprise a firewall, whose purpose is to implement and enforce the security policy of an organization regarding connections between two or more networks. Historically, there have been two major types of firewalls: custom and commercial. A custom firewall is a device or collection of devices designed, purchased, assembled, configured and operated by an organization for the purposes of guarding a network interconnection. A commercial firewall collects many of the components of a custom firewall into a single device, and is sold (and sometimes configured) by a company to make the installation of a firewall easier and more cost effective.
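The two techniques described above, and their combination into a firewall, as an added illustration that is not part of the patent text: a packet filter matches each packet against an ordered permit/deny rule list (default deny), and an application filter then inspects the transaction carried inside a permitted connection and decides on the action attempted and the identity of the requester. All rule sets, addresses, users and requests below are constructed sample data, and the rule and policy formats are assumptions for this example only.

```python
"""Toy firewall combining packet filtering with application filtering.
Added example, not the patent's own design; all data below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination port


@dataclass(frozen=True)
class PacketRule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src_net: str                # CIDR the source must fall in
    dst_net: str                # CIDR the destination must fall in
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and (self.dport is None or self.dport == pkt.dport))


def packet_filter(rules, pkt: Packet) -> str:
    """Layer 3/4 policy: first matching rule wins; no match means deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


@dataclass(frozen=True)
class Transaction:
    method: str            # action attempted, e.g. an HTTP verb
    path: str              # resource requested
    user: Optional[str]    # authenticated requester, None if anonymous


def application_filter(policy, txn: Transaction) -> str:
    """Application-level policy: which requesters may perform which action.
    policy maps a method to the set of permitted users; "*" means anyone,
    including anonymous requesters; an absent method is denied outright."""
    allowed = policy.get(txn.method)
    if allowed is None:
        return "deny"
    if "*" in allowed:
        return "permit"
    return "permit" if txn.user in allowed else "deny"


def firewall(packet_rules, app_policy, pkt: Packet, txn: Optional[Transaction] = None):
    """Run both stages in order; report which stage produced the decision."""
    decision = packet_filter(packet_rules, pkt)
    if decision != "permit":
        return ("packet-filter", "deny")
    if txn is None:                      # nothing above layer 4 to inspect
        return ("packet-filter", "permit")
    return ("application-filter", application_filter(app_policy, txn))


# Constructed sample policy: block packets claiming an internal source on the
# outside interface, then permit only web traffic to one public server.
PACKET_RULES = [
    PacketRule("deny", "any", "10.0.0.0/8", "0.0.0.0/0"),
    PacketRule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80),
    PacketRule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),
]
# Constructed sample application policy: anyone may read, only named users may
# upload, nobody may delete.
APP_POLICY = {"GET": {"*"}, "POST": {"alice", "bob"}, "DELETE": set()}

if __name__ == "__main__":
    web = Packet("tcp", "198.51.100.7", "192.0.2.10", 80)
    print(firewall(PACKET_RULES, APP_POLICY, web, Transaction("GET", "/", None)))
    print(firewall(PACKET_RULES, APP_POLICY, web, Transaction("POST", "/up", "mallory")))
    print(firewall(PACKET_RULES, APP_POLICY, Packet("tcp", "10.1.2.3", "192.0.2.10", 80)))
```

The split mirrors the text: the packet stage is cheap and stateless and belongs in a router, while the application stage needs the reassembled transaction and the requester's identity, which is why the two are usually separate components that together make up the firewall.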
Custom firewalls have many potential drawbacks. For one, because they are designed and constructed by a single organization that may not have extensive experience in the problems of firewall design, they may not account for many known problems. Because they are designed and built for a specific purpose, they are typically very difficult to adapt to new policies; doing so often requires a significant redesign effort and additional hardware. Because each is built in a unique manner, each custom firewall requires special software, special training, and special expertise in modifying it, none of which carries over to other firewall installations.
Commercial firewalls are designed to consolidate as many services as possible into a single box. That box is then used as the focus of a customer-specific firewall. Because some services, such as packet filtering, are often done better in routers, commercial firewalls are rarely used by themselves. Additional devices, and a design for their use, are often required, which returns the customer to many of the problems inherent in a custom firewall.
In addition, commercial firewalls are configured by the user, who may be unaware of many of the issues and problems of security policy design. It is estimated that more than 30% of all firewall penetrations happen through a commercial or custom firewall. This is typically because of poorly thought out configuration.
Because much of the functionality of a commercial firewall is concentrated in a single box, these devices also invite other problems. If the device fails, all communication between networks is cut off; there is no ability to degrade service gracefully. If the security of one service on the box is compromised, this can open a path for an attacker to compromise other services and widen their access. Also, the design of the single-box firewall very strongly affects the types of policies available to the customer. If a box is designed primarily as an application gateway device, it is very difficult to configure it into a firewall that permits some services to be handled by packet filtering only.
One problem that is shared by both types of firewalls is that of scalability. Because each type of firewall has strong hardware/software/configuration customizations for each specific customer, managing the firewalls of more than one customer is very difficult. Making significant policy changes in multiple customer firewalls is also extremely difficult.
Because of these scalability problems, it has been quite difficult for a company to offer managed firewall services to many customers, since the scaling problems escalate with each new customer.
SUMMARY OF THE INVENTION
An improved security handler is provided by virtue of the present invention. In one embodiment of a security handler according to the present invention, a security handler includes means for obtaining customer security policies, a plurality of packet processing components with communications paths therebetween and configurable policy enforcement means, for enforcing a packet policy over the communications paths.
One advantage of the present invention is that a single configuration of physical components can be configured to provide a wide range of security policy choices while remaining capable of solving the foregoing problems of the prior art.
REFERENCES:
patent: 5265221 (1993-11-01), Miller
patent: 5515376 (1996-05-01), Murthy et al.
patent: 5577209 (1996-11-01), Boyle et al.
patent: 5606668 (1997-02-01), Shwed
patent: 5610905 (1997-03-01), Murthy et al.
patent: 5623601 (1997-04-01), Vu
patent: 5781550 (1998-07-01), Templin et al.
patent: 5787253 (1998-07-01), McCreery et al.
patent: 5832211 (1998-11-01), Blakley, III et al.
patent: 5835726 (1998-11-01), Shwed et al.
patent: 5864683 (1999-01-01), Boebert et al.
patent: 5884024 (1999-03-01), Lim et al.
Kevin Joseph P.
Wadlow Thomas A.
Albert Philip H.
Le Dieu-Minh T.
Pilot Network Services, Inc.
Townsend and Townsend and Crew LLP