Method for generating filters designed to avoid risks of...

Electrical computers and digital processing systems: multicomput – Remote data accessing – Using interconnected networks

Reexamination Certificate


Details

C709S217000, C709S238000, C709S239000, C345S215000, C345S215000, C345S215000, C345S215000, C345S960000, C715S252000


active

06775694

ABSTRACT:

TECHNICAL FIELD
The field of the invention is that of interconnected computer networks.
BACKGROUND
The openness of computer networks based on the internet protocol affords many opportunities. However, it also brings its share of hazards: network intrusion risks and protection problems. Hardware and software are available for performing packet filtering using the internet protocol. However, controlling this filtering so as to apply demanding security policies is difficult and complicated.
The invention relates to a method of simply and automatically generating filters, using the internet protocol, intended to avoid the risks of intrusion into interconnected computer networks.
The terms that will be used hereafter to outline the technical solution according to the invention are defined as follows:
“network” designates one or more closed address spaces (according to the topological meaning of the term) of the internet protocol.
“Objects” designate a network's components. Thus, without this enumeration being exhaustive, objects as understood by this invention are: computers, computer equipment, servers, printers, (physical or logical) networks, (physical or logical) sub-networks, filter equipment, firewalls, users or user groups, computer applications. An object is characterized by its type and name. E.g., a filtering router is an object type, just as a set of networks is an object type. An object has one or several addresses or one or several closed address spaces.
A “protocol” designates a convention stating the rules and technical specifications to follow in the telecommunication field in order to provide object interoperability.
A “communication protocol” designates a protocol, such as for instance the internet protocol, defining a data transfer technique.
An “application protocol” or “service” designates a protocol defining a data or command exchange technique for a given application.
A “class” designates all addresses having the same laws of communication. A class can gather other classes. Classes are objects as understood by the present specification of the invention.
A “law of communication” designates a law, which, for the application protocol involved, enables or disables communication between a pair of objects, a pair of classes or a mixed (class, object) pair.
A “security domain” designates a set of interconnected objects to which apply the laws of communication specific to each object or else generic ones.
A “link” or “connection” designates a physical connection (e.g. a network cable) linking objects together. A network is a set of interconnected objects.
A “router” designates equipment enabling the interconnection of separate objects.
A “filter” designates the technical means allowing the laws of communication to be implemented. E.g., programming a router makes it possible to control whether two separate networks can communicate. By extension, a filtering router designates equipment enabling internet protocol filtering.
The objectives this invention aims at, i.e. simply and automatically generating filters intended to avoid the risks of intrusion into interconnected computer networks, are achieved through a method consisting of iteratively using a graphical interface for:
creating and viewing objects and classes of the security domain,
selecting and viewing the application protocols for which filters are to be created,
drawing at the graphical interface, by means of arrow curves, the laws of communication for each previously selected application protocol.
Drawing such arrow curves representing the laws of communication makes it possible to simultaneously and instantly create the filters associated with the filtering routers and applicable to the objects involved. Therefore, and according to a further step of the method:
the graphical data representing the laws of communication are converted into programming data of the filtering routers.
The inventive method allows the graphical interface to be used for viewing the security policy of the security domain and modifying it if required. Preferably, the laws of communication between objects or classes are modified at the graphical interface by selecting predetermined application protocols.
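As an added worked example (not code from the patent), the following Python model represents the objects, classes and laws of communication defined above and carries the drawn laws through to router programming data, with a first-match check that the generated filter enforces what was drawn. The rule syntax, the service table, the closing default-deny rule and all addresses are assumptions of this example.

```python
# Added example, not code from the patent: a small model of its objects, classes and laws
# of communication, compiled into filtering-router programming data. The rule syntax
# ("permit|deny <proto> <src> <dst> eq <port>") and all addresses are constructed here.
import ipaddress
from dataclasses import dataclass, field
@dataclass
class Obj:                                   # an object: type, name, closed address spaces
    kind: str
    name: str
    addrs: list                              # CIDR strings
    members: list = field(default_factory=list)  # a class gathers objects or other classes
    def address_spaces(self):                # a class expands recursively to all it gathers
        out = list(self.addrs)
        for m in self.members:
            out.extend(m.address_spaces())
        return out

SERVICES = {"http": ("tcp", 80), "ssh": ("tcp", 22), "dns": ("udp", 53)}  # service -> port
@dataclass
class Law:                                   # one arrow drawn at the interface: src -> dst
    service: str
    src: Obj
    dst: Obj
    allow: bool = True                       # the law enables or disables communication

def compile_filters(laws, default="deny"):
    """Laws -> router rules, one per (src, dst) address-space pair, in drawing order,
    closed by a default rule (this example's assumption) so undrawn traffic is dropped."""
    rules = []
    for law in laws:
        proto, port = SERVICES[law.service]
        action = "permit" if law.allow else "deny"
        for s in law.src.address_spaces():
            for d in law.dst.address_spaces():
                rules.append(f"{action} {proto} {s} {d} eq {port}")
    return rules + [f"{default} ip any any eq any"]

def is_allowed(rules, proto, src_ip, dst_ip, port):  # first-match check of the generated rules
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        action, rproto, s, d, _, rport = rule.split()
        if rproto in ("ip", proto) and (s == "any" or src in ipaddress.ip_network(s)) \
           and (d == "any" or dst in ipaddress.ip_network(d)) and rport in ("any", str(port)):
            return action == "permit"
    return False

LAN = Obj("network", "lan", ["10.0.0.0/24"])  # constructed domain: LAN, DMZ class, internet
WEB, DNS = Obj("server", "web", ["192.0.2.10/32"]), Obj("server", "dns", ["192.0.2.53/32"])
DMZ, NET = Obj("class", "dmz", [], [WEB, DNS]), Obj("network", "internet", ["0.0.0.0/0"])
LAWS = [Law("http", NET, WEB), Law("dns", LAN, DMZ), Law("ssh", NET, DMZ, allow=False)]
```

Because the rules are emitted in drawing order and evaluated first-match, the order in which arrows are drawn is part of the policy; the check function makes that visible before the data reaches a router.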
This invention also relates to a system for simply and automatically generating filters, according to the internet protocol, intended to avoid the risks of intrusion into interconnected computer networks. Said system consists of using a graphical interface associated with a computing terminal, and control means interacting with the graphical interface, for:
creating and viewing objects and classes of the security domain,
selecting and viewing the application protocols for which filters are to be created,
drawing at the graphical interface, by means of arrow curves, the laws of communication for each previously selected application protocol.
Drawing such arrow curves representing the laws of communication makes it possible to simultaneously and instantly create the filters associated with the filtering routers and applicable to the objects involved. Therefore, and according to a further step of the method:
the graphical data representing the laws of communication are converted into programming data of the filtering routers.
The inventive method allows the graphical interface to be used for viewing the security policy of the security domain and modifying it if required. Preferably, for the modification of the laws of communication between objects or classes at the graphical interface, the control means comprises means for selecting predetermined application protocols.


