Internal network node with dedicated firewall

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate


Details

Classification: C709S225000, C709S249000, C713S152000, C707S793000
Type: Reexamination Certificate
Status: active
Patent number: 06317837

ABSTRACT:

TECHNICAL FIELD
The present invention relates generally to dedicated security for a network attached device in a computer network environment. In particular, the present invention relates to a management system for providing access to and security for data on network attached devices.
BACKGROUND OF THE INVENTION
A network attached device (NAD) may be any type of hardware unit that is connected to a computer network. Exemplary NADs include, but are not limited to: CD-ROM drives, DVD drives, optical drives, tape drives, hard disk drives, ZIP drives, JAZ drives, routers, printers, facsimile machines, audio devices and video devices. NADs are generally connected to a local area network (LAN) via a NAD server. A NAD server provides the users of the LAN with access to the resources of the network.
A NAD server generally refers to a node (computer) on the LAN that permits other nodes on the LAN to access one or more NADs. A NAD server processes NAD-access requests and provides the appropriate access to a NAD. The NAD server may send incoming data from the requesting node to the NAD, or may retrieve data from the NAD and send the retrieved data back to the requesting node. NAD servers are generally dedicated servers, meaning that their sole purpose is to provide access to NADs. NAD servers often support multiple network protocols, which allow them to accept NAD-access requests from various nodes in a heterogeneous network environment.
Most LANs are, or should be, protected by a bastion firewall. Bastion firewalls restrict access between an internal network, such as a LAN, and an external network, such as the Internet. Bastion firewalls are considered to be uni-directional, i.e. they protect the internal network from unauthorized traffic incoming from the external network. Bastion firewalls are designed to run as few applications as possible, in order to reduce the number of potential security risks. As such, bastion firewalls do not perform data management tasks. Bastion firewalls are typically the only layer of security for NADs attached to a LAN. NAD servers are not equipped with a second layer of security because it is generally accepted that such a second layer would be redundant with the bastion firewall. Therefore, once a bastion firewall is penetrated, whether by an authorized or unauthorized user, the user typically gains unrestricted access to all resources of the LAN, including any NADs. However, the level of security provided by a bastion firewall may not always supply adequate protection for the NADs of a LAN. For example, it may be desirable to establish varying levels of security clearance, such that only certain authorized users of the LAN are permitted to access a particular NAD server. Also, if a NAD server provides access to valuable or sensitive data stored on a NAD, it may be desirable to implement extra security measures to prevent an unauthorized user of the LAN, who happens to penetrate the bastion firewall, from gaining access to the NADs.
Accordingly, there remains a need for a NAD server having an integrated firewall, which provides an additional layer of security for a NAD beyond that provided by a bastion firewall.
SUMMARY OF THE INVENTION
The present invention fulfills the need in the art by providing a network attached device server having integrated firewall security. A NAD server is provided for implementing a network attached device and firewall management system (NADFW-MS). The NADFW-MS comprises a firewall component for determining whether requests for NAD-access are authorized and a data management component for accepting an authorized request from the firewall component and providing the requested access to the NAD. NAD-access requests are sent to the NAD server by a network node, such as a network client. The NAD-access requests are contained in data packets having headers. The firewall component accepts the data packets and determines whether the data packets are authorized based on information included in the data packet headers.
The firewall component implements a series of tests to determine whether a data packet is valid. For example, the firewall component may determine that a data packet is authorized by: determining that the information in the data packet header is complete; determining that the information in the data packet header indicates that the data packet arrived at the NAD server via an authorized network interface; determining that the data packet header contains a valid source address; determining that the data packet header contains a valid destination address; and determining that the data packet header contains proper information to access a proper port of the NAD server. If a data packet fails any one of the firewall component's filtering tests, the data packet is discarded. Whenever a data packet is discarded, the reason for discarding the data packet may be recorded in a log file for future reference.
An authorized data packet is passed from the firewall component to the data management component. The data management component comprises one or more network protocol programs that are compatible with authorized data packets sent by various heterogeneous network nodes. The data management component also comprises one or more interface mechanisms, such as IDE, SCSI, EIDE, Fibre Channel, etc., that allow the NADFW-MS to communicate with various types of associated NADs. The data management component provides access to an appropriate NAD by using a network protocol program to communicate a NAD-access request to an interface mechanism, which in turn communicates with the NAD. Alternatively, the data management component may provide access to the appropriate NAD by acting as a proxy server. In the capacity of a proxy server, the data management component generates a new data packet, based on the NAD-access request, and sends the new data packet to a second NAD server.
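The two components described in the summary (the header-filtering firewall component and the data management component behind it) can be modelled compactly. The following Python is an added illustration written for this page, not code from the patent or its assignee: the policy values, field names (iface, src, dst, dst_port, proto), the NAD names and bus types, and the request syntax in the payload are all assumptions. It applies the five header tests in the order the summary lists them, records the reason for every discarded packet, and then either routes an authorized request to an interface mechanism or rewrites it for a second NAD server in proxy mode.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed policy for one NAD server. All values are assumptions for this
# example, not figures from the patent.
POLICY = {
    "authorized_interfaces": {"lan0"},                        # LAN-facing NIC only
    "allowed_sources": [ipaddress.ip_network("10.0.0.0/8")],  # LAN address space
    "server_addresses": {ipaddress.ip_address("10.0.0.5")},   # this NAD server
    "open_ports": {445: "smb", 2049: "nfs"},                  # port -> protocol program
}

# Interface mechanisms behind this server (assumed): NAD name -> bus type.
NAD_INTERFACES = {"nad-disk0": "scsi", "nad-tape0": "ide"}


@dataclass
class Packet:
    header: dict        # parsed header fields: iface, src, dst, dst_port, proto
    payload: str = ""   # NAD-access request, e.g. "READ nad-disk0 42" (constructed syntax)


discard_log: list = []  # (reason, header) for every packet the firewall discards


def firewall_check(pkt: Packet, policy: dict = POLICY) -> Optional[str]:
    """Apply the header tests in order; return None if authorized, else the reason."""
    h = pkt.header
    # 1. header must be complete
    missing = [k for k in ("iface", "src", "dst", "dst_port", "proto") if k not in h]
    if missing:
        return "incomplete header: missing " + ", ".join(missing)
    # 2. packet must have arrived on an authorized network interface
    if h["iface"] not in policy["authorized_interfaces"]:
        return f"unauthorized interface {h['iface']}"
    try:
        src, dst = ipaddress.ip_address(h["src"]), ipaddress.ip_address(h["dst"])
    except ValueError:
        return "malformed address"
    # 3. source address must be one the policy permits
    if not any(src in net for net in policy["allowed_sources"]):
        return f"source {src} not permitted"
    # 4. destination must be this NAD server
    if dst not in policy["server_addresses"]:
        return f"destination {dst} is not this NAD server"
    # 5. port must be open and carry the protocol bound to it
    expected = policy["open_ports"].get(h["dst_port"])
    if expected is None:
        return f"port {h['dst_port']} not open"
    if h["proto"] != expected:
        return f"protocol {h['proto']} not valid for port {h['dst_port']}"
    return None


def firewall_component(pkt: Packet, policy: dict = POLICY) -> Optional[Packet]:
    """Discard and log a failing packet; pass an authorized one through unchanged."""
    reason = firewall_check(pkt, policy)
    if reason is not None:
        discard_log.append((reason, dict(pkt.header)))
        return None
    return pkt


def data_management(pkt: Packet, proxy_to: Optional[str] = None):
    """Route an authorized request to a NAD interface, or rewrite it for a second server."""
    if proxy_to is not None:
        # Proxy mode: a new packet carrying the same request, this server as source.
        this_server = str(next(iter(POLICY["server_addresses"])))
        new_header = dict(pkt.header, src=this_server, dst=proxy_to, iface="lan0")
        return Packet(new_header, pkt.payload)
    # Local mode: the protocol program parses the request and hands it to the bus.
    op, nad, *args = pkt.payload.split()
    bus = NAD_INTERFACES.get(nad)
    if bus is None:
        return None  # no interface mechanism for that NAD
    return {"interface": bus, "nad": nad, "op": op, "args": args}


def nad_server(pkt: Packet, proxy_to: Optional[str] = None):
    """Firewall component first; only authorized packets reach data management."""
    authorized = firewall_component(pkt)
    return None if authorized is None else data_management(authorized, proxy_to)
```

The interface test (step 2) is what gives the NAD server its second layer beyond the bastion firewall: a packet that reaches the server on any NIC other than the LAN-facing one is dropped before source or port are even examined, and the logged reason tells an operator which test failed.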


