Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
2001-06-29
2003-01-28
Hua, Ly V. (Department: 2131)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C713S152000, C713S188000
Reexamination Certificate
active
06513122
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates to firewalls, and more particularly to firewalls having security capabilities.
BACKGROUND OF THE INVENTION
Network security management is becoming a more difficult problem as networks grow in size and become a more integral part of organizational operations. Attacks on networks are growing both due to the intellectual challenge such attacks represent for hackers and due to the increasing payoff for the serious attacker. Furthermore, the attacks are growing beyond the current capability of security management tools to identify and quickly respond to those attacks. As various attack methods are tried and ultimately repulsed, the attackers will attempt new approaches with more subtle attack features. Thus, maintaining network security is on-going, ever changing, and an increasingly complex problem.
Computer network attacks can take many forms and any one attack may include many security events of different types. Security events are anomalous network conditions each of which may cause an anti-security effect to a computer network. Security events include stealing confidential or private information; producing network damage through mechanisms such as viruses, worms, or Trojan horses; overwhelming the network's capability in order to cause denial of service; and so forth.
Network security risk-assessment tools, i.e. “scanners,” may be used by a network manager to simulate an attack against computer systems via a remote connection. Such scanners can probe for network weaknesses by simulating certain types of security events that make up an attack. Such tools can also test user passwords for suitability and security. Moreover, scanners can search for known types of security events in the form of malicious programs such as viruses, worms, and Trojan horses.
Prior art FIG. 1 illustrates a network architecture 100 in which a scanner may be implemented, in accordance with the prior art. As shown, a remote source 102 is provided which is coupled to a network such as the Internet 104 for scanning purposes. Also included is a plurality of target devices 106, i.e. computers, coupled to another network such as a virtual local area network (VLAN) 108, or some other type of “switched” network. In use, it is very difficult for the remote source 102 to access the target devices 106 due to a firewall 110 coupled between the Internet 104 and the LAN 108, thus frustrating the scanning procedure.
The firewall 110 is adapted for isolating the VLAN 108 and the target devices 106 from access through the Internet 104 attached thereto. The purpose of the firewall 110 is to allow the VLAN 108 and the target devices 106 to be attached to, and thereby access, the Internet 104 without rendering them susceptible to hostile access from the Internet 104. If successful, the firewall 110 allows for the VLAN 108 and the target devices 106 to communicate and transact with the Internet 104 without rendering them susceptible to attack or unauthorized inquiry over the Internet 104. One technique that may be used by the firewall 110 to protect the target devices 106 is known as an “access control list”. An access control list investigates address information contained in a data packet to determine whether the remote source 102, from which the packet originated, is on a list of disallowed addresses. If the address is on the list, the packet is not allowed to pass. Yet another method of restricting access involves “packet filtering”. Packet filtering examines data traversing the firewall 110 to determine if the port or protocol in use is subject to various restrictions that may be specified by the user. If the port or protocol in use is restricted, the packet is not allowed to pass.
The firewall 110 also may use an application gateway, or proxy system. Such systems operate on the basis of an application, or a computing platform's operating system (OS), monitoring “ports” receiving incoming connection requests. A port is a numerically designated element contained in the overhead of a packet. A port number indicates the nature of a service associated with a packet. For example, a packet associated with the Telnet service has a port number of 23, and the HTTP service is assigned port number 80. These port number designations are merely industry suggested. A packet containing a port designation of 23 need not necessarily be associated with Telnet services. When the OS or monitoring application receives a request on a particular port, a connection is opened on that port. A program for managing the connection is then initiated, and the firewall 110 starts a gateway application, or proxy, that validates the connection request.
Firewalls 110 typically restrict access based only on address/port/protocol information. Further, proxying firewalls 110 validate communications merely to ensure that requests conform to known standards (e.g. HTTP/1.x). Unfortunately, firewalls 110 do not typically examine content of communications for security purposes. There is thus a need for a firewall 110 that validates conforming communications to determine if the content of such communications could be part of an attempt to carry out an attack.
DISCLOSURE OF THE INVENTION
A system, method and computer program product are provided for detecting attacks on a network. Initially, data is received from a remote source which is destined for a target. A portion of such data is then discarded based on a predetermined set of rules utilizing a firewall which is coupled to the remote source. Remaining data is subsequently passed to an intrusion detection system coupled between the firewall and the target. Such data is parsed to identify data representing text (i.e. ASCII or UNICODE text) therein utilizing the intrusion detection system. Thereafter, the data representing text is compared to a predetermined list of data representing text associated with attacks utilizing the intrusion detection system. Based on the comparison, some of the data representing text is marked as hostile. This data representing text that is marked as hostile is then acted upon in order to prevent an attack.
In one embodiment, the firewall may utilize the predetermined set of rules to discard the data as a function of a plurality of parameters such as a source, a destination, and/or a port associated with the data. As an option, the predetermined list of data representing text associated with attacks may be updated.
In another embodiment, the data representing text of the predetermined list may refer to different types of attacks. For example, the types of attacks may include an information gathering attack, a web server denial of service attack, and/or a file server remote compromise.
In still another embodiment, the data representing text marked as hostile may be acted upon differently based on the type of the attack. In particular, the data representing text marked as hostile may be acted upon by alerting an administrator, blocking the data, and/or disconnecting the remote source.
In still yet another embodiment, the data may be parsed to identify binary data representing protocol field values. As such, the binary data may be compared to a predetermined list of patterns of binary data associated with attacks.
As an option, the firewall may include a proxying firewall. Still yet, the firewall may include an application gateway.
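As an added illustration, not code from the patent or its assignee: a minimal model of the two-stage gateway the disclosure describes, with the firewall stage applying the address-list and port-filtering rules discussed in the background and the intrusion detection stage extracting ASCII/UNICODE text from what passes, comparing it against a per-attack-type list, and choosing the response (alert, block, disconnect) by attack type. All addresses, ports and signature strings below are constructed placeholders, not real indicators.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    port: int
    payload: bytes


# Stage 1: firewall rules keyed on source address and port (constructed values).
DISALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]  # access control list
RESTRICTED_PORTS = {23}  # packet filtering: port 23 (Telnet) is not allowed through


def firewall_pass(pkt):
    """Apply the firewall's predetermined rules; True means the packet reaches the IDS."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in DISALLOWED_SOURCES):
        return False
    return pkt.port not in RESTRICTED_PORTS


# Stage 2: predetermined list of text associated with attacks, grouped by attack type,
# each with the action taken when text is marked hostile. Strings are placeholders.
TEXT_SIGNATURES = {
    "information gathering": (["EXAMPLE-SCAN-MARKER"], "alert"),
    "web server denial of service": (["EXAMPLE-DOS-MARKER"], "block"),
    "file server remote compromise": (["EXAMPLE-COMPROMISE-MARKER"], "disconnect"),
}
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # runs of printable ASCII inside binary data


def extract_text(payload):
    """Return the text carried by a payload: the whole thing if it decodes as UTF-8,
    otherwise the printable ASCII runs embedded in otherwise binary data."""
    try:
        return [payload.decode("utf-8")]
    except UnicodeDecodeError:
        return [m.decode("ascii") for m in PRINTABLE_RUN.findall(payload)]


def inspect(pkt):
    """Run a packet through both stages; returns (verdict, attack_type)."""
    if not firewall_pass(pkt):
        return ("dropped", None)
    for chunk in extract_text(pkt.payload):
        for attack, (patterns, action) in TEXT_SIGNATURES.items():
            if any(p in chunk for p in patterns):
                return (action, attack)  # text marked hostile; respond by attack type
    return ("forwarded", None)
```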
Herath Nishad P.
Magdych James S.
McDonald John R.
Osborne Anthony C.
Rahmanovic Tarik
Hamaty Christopher J.
Hua Ly V.
Networks Associates Technology Inc.
Silicon Valley IP Group, LLC
Zilka Kevin J.