Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Statutory Invention Registration
1998-03-24
2001-02-06
Pihulic, Daniel T. (Department: 3662)
active
H0001944
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates to network security and, more particularly, to a firewall security technique employed in computer networks.
BACKGROUND OF THE INVENTION
Advances in communications technology and the availability of powerful desktop computer hardware have increased the use of computers to access a variety of publicly available computer networks. For example, the speed of modems, which are well-known communication devices used for transforming a digital bit stream into an analog signal, has significantly increased, thereby providing for the high-speed exchange of information across, e.g., the public switched telephone network (PSTN). Today, a tremendous amount of information is exchanged between individual users located around the world via public computer networks, e.g., the Internet. One class of users includes private individuals and professional users interconnected via a private network, e.g., a corporate intranet.
The exchange of information between private and public computer networks has presented a variety of critical security issues for the protection of information on the private computer networks and the overall functionality of the private computer network itself. Numerous well-publicized accounts exist of individuals known as “hackers” who have improperly breached the security of private computer networks and caused severe damage. In particular, some of the most sophisticated types of security threats are posed by programs which exploit certain vulnerabilities within network computing systems. To name a few, these program-related security threats include well-known logic bombs, trapdoors, trojan horses, viruses and worms, as described, e.g., by W. Stallings, Network and Internetwork Security Principles and Practice, Prentice-Hall, Inc., Englewood Cliffs, N.J., 1995. Such well-known software program threats either work independently (e.g., worms) to achieve their desired security breach, or require a host program to be invoked to perform the desired disruptive actions (e.g., trapdoors, logic bombs, trojan horses or viruses). Such damage has included the destruction of electronic files, alteration of databases, or the introduction of computer viruses which affect the operability of the private computer network or computer hardware connected to the private network.
Computer network security, at a minimum, is directed to ensuring the reliable operation of computing and networking resources, and protecting information within the private network from unauthorized disclosure or access. Network administrators responsible for the operation of private computer networks employ a variety of security measures to protect the network from external security breaches by unauthorized users. One well-known technique uses so-called “firewalls”. This security scheme essentially places a separate computer system, i.e., the firewall, between the private network and the public network, e.g., the Internet. Commonly, these firewalls are software-based gateways that are typically installed on a separate server to protect computers on a local area network (“LAN”) within a private network from attacks by outsiders, i.e., unauthorized users.
In particular, the firewall server maintains control over communications from and to the private network. Essentially, the firewall server imposes certain security measures on all users employing the private network. For example, firewalls may block access to new Internet services or sites on the well-known World Wide Web (“WWW”) because the security consequences are unknown or not accounted for by the present firewall configuration. One potential installation configuration of a firewall is that WWW clients can no longer directly contact WWW servers. Typically, this proves too restrictive, and network administrators employ so-called “proxy servers”. Proxy servers are designed with certain features which provide for the forwarding of requests from WWW clients through the firewall thereby providing communication flow to and from servers on the Internet.
FIG. 1 shows such a prior art network configuration 100 employing separate servers, e.g., firewall server 120 and proxy server 140, for delivering firewall security to, e.g., private network 130. As shown in FIG. 1, firewall server 120 is a separate computer system situated between public network 110 and private network 130 for delivering network security measures to the communications exchanged between the networks. As will be appreciated, the investment in delivering the server-based firewall of FIG. 1 from a hardware, facilities management and network management perspective is significant. Of course, for very large private networks the cost of installing and maintaining such a dedicated server-based firewall is justified in view of the potential damage which network security breaches can inflict inside the private network. However, for small/medium sized networks and individual computer users, the cost of a server-based firewall security configuration can be prohibitive.
A need exists, therefore, for a client-based firewall technique which provides for network security within, e.g., a private network.
SUMMARY OF THE INVENTION
The present invention provides a technique for delivering a client-based firewall. In accordance with the invention, a firewall security device is configured for connection to individual clients, e.g., personal computers, for providing firewall security measures directly to the client. The firewall security device, in accordance with the preferred embodiment of the invention, is configured as an electronic dongle which is attached to a communications port of the client, e.g., the parallel communications port. In accordance with the invention, the incoming communications stream to the client from, e.g., public networks, is passed through the firewall security device. In this way, the firewall security device applies and delivers a set of standard security routines, thereby protecting the client from security breaches triggered by the communications traffic received from the public network. Illustratively, the set of security routines defines at least one security level with which all communications exchanged by the client must comply, thereby ensuring the integrity of the private network to which the client is connected. Advantageously, in accordance with the invention, the firewall is delivered directly by the client without intervention, use, or connection to a separate firewall server.
Electronic dongle devices are not new. Dongles have been used previously for the protection and control of individual software programs. Such dongles are described in, for example, U.S. Pat. No. 5,668,419, issued to O. Oktay, entitled “Reconfigurable Connector” which describes a reconfigurable connector for a peripheral device, and U.S. Pat. No. 5,568,552, issued to D. L. Davis, entitled “Method For Providing A Roving Software License From One Node To Another Node” which describes a device for enforcing certain software licensing restrictions. One conventional use of dongles was the packing of such devices along with a particular software package purchased or licensed by an individual user. Typically, the dongle was coupled to the parallel port of the user's personal computer. Thereafter, at various times during the execution of the software by the user, the software program transmits an authorization message to the computer's external communications port. Upon receipt of such a message, the dongle (if present) generates a unique identifier, e.g., a token, for transmission back to the executing software program. If the dongle is not present, the software program terminates. Otherwise, the software program compares the token to an internally stored identifier and permits further execution only if the responses match.
Thus, dongles are well-known devices for controlling access to and execution of individual programs by authorized users. It has, however, remained for the inventors herein to recognize that such devices pro
Cheswick William Roberts
Whitten Edward G.
Dinella Donald P.
Lucent Technologies - Inc.
Pihulic Daniel T.