Secure segregation of data of two or more domains or trust...

Electrical computers and digital processing systems: multicomput – Computer-to-computer session/connection establishing – Network resources access controlling

Reexamination Certificate

Details

C713S152000

Reexamination Certificate

active

06684253

ABSTRACT:

BACKGROUND OF THE INVENTION
The present invention relates to segregation of data transmitted through a channel, and more particularly to segregation of data of two or more domains or trust realms transmitted through a common data channel. Even more particularly, the present invention relates to secure segregation of data of two or more domains or trust realms transmitted through a common data channel, without encryption.
Maintaining security within a distributed computer system or network has historically been a problem. Security in such systems has several aspects, including: (1) authentication of the identities of users and systems involved in a communication, (2) secure transmission of information, and (3) requiring the system and user that receive secure communications to follow predefined protocols so as to preserve the confidentiality of the transmitted information. Of these, the second is the focus of the present invention, particularly the segregation or separation of information transmitted through a common data channel into at least two separate domains or trust realms.
In many military computer systems, security is ensured by verifying that all the computer hardware, including communications lines used to interconnect computers, is physically secure. As a result, the communications channels between components of such systems are generally considered physically secure. However, data traveling through such systems, even though physically secure, is to be distributed only to those users belonging to particular domains or trust realms. Transmission of data between trust realms is undesirable and represents a breach of security.
Both military and commercial computer systems use the concept of “levels” of security. A number of distinct security levels (domains or trust realms) are needed in many systems because some information is more confidential than other information, and each set of confidential information has an associated set of authorized recipients. Each set of confidential information must therefore be kept separate from other sets of confidential information.
Secure communications require that the computer operating system and network support segregation of information traveling from one user's terminal to other user terminals in a particular domain.
The present invention helps to provide secure communications between systems by providing a mechanism for ensuring that communications occur within “domains” or “trust realms” of systems, and by authenticating the systems that are participating in a communication as members of particular domains or trust realms.
The present invention advantageously addresses the above and other needs.
SUMMARY OF THE INVENTION
The present invention advantageously addresses the needs above, as well as other needs, by providing an approach for segregation of data transmitted through a channel, and more particularly for segregation of data of two or more domains or trust realms transmitted through a common data channel.
In one embodiment, the invention can be characterized as a system for segregating data. The system employs:
a common channel carrying data of a plurality of domains;
a first switch through which data enters the common channel;
a second switch through which data exits the channel;
a first filter for filtering data traveling between the first switch and the second switch based on a first filtering criteria;
a first set of routers coupled to the first switch, each router being for a respective one of the plurality of domains;
a second filter for filtering data traveling through each of the first set of routers based on a second filtering criteria, the second filtering criteria being different from the first filtering criteria;
a second set of routers coupled to the second switch, each router being for a respective one of the plurality of domains;
a third filter for filtering data traveling through each of the second set of routers based on a third filtering criteria, the third filtering criteria being different from the first filtering criteria;
a first terminal coupled to one of the first set of routers and being of a first of the plurality of domains;
a second terminal coupled to one of the second set of routers and being of the first of the plurality of domains, wherein data transmitted by the first terminal passes through the one of the first set of routers to the first switch, through the first switch to the common channel, through the common channel to the second switch, through the second switch to the one of the second set of routers, and through the one of the second set of routers to the second terminal;
a third terminal coupled to another of the first set of routers and being of a second of the plurality of domains; and
a fourth terminal coupled to another of the second set of routers and being of a second of the plurality of domains, wherein data transmitted by the third terminal passes through the other of the first set of routers to the first switch, through the first switch to the common channel, through the common channel to the second switch, through the second switch to the other of the second set of routers, and through the other of the second set of routers to the fourth terminal, the first filter, the second filter and the third filter preventing data transmitted by the first terminal from reaching the third terminal and the fourth terminal.
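
A small model of the data path described above, added here as an illustration and not taken from the patent. The page states only that the first filtering criteria differ from the second and third, so the concrete criteria used here (permitted router pairs on the channel, an IP prefix per domain at the routers), the router names and all addresses are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Terminal:
    domain: str   # domain / trust realm
    side: int     # 1 = behind the first switch, 2 = behind the second switch
    ip: str       # constructed address

# Constructed topology: T1/T2 share the first domain (A), T3/T4 the second (B).
TERMINALS = {
    "T1": Terminal("A", 1, "10.1.1.10"), "T2": Terminal("A", 2, "10.1.2.10"),
    "T3": Terminal("B", 1, "10.2.1.10"), "T4": Terminal("B", 2, "10.2.2.10"),
}
# Assumed criterion for the second and third filters: one IP prefix per domain.
DOMAIN_NET = {"A": ip_network("10.1.0.0/16"), "B": ip_network("10.2.0.0/16")}
# Assumed criterion for the first filter: permitted router pairs on the channel
# (standing in for link-layer addresses). "R1A" = first router set, domain A.
CHANNEL_PAIRS = {frozenset({"R1A", "R2A"}), frozenset({"R1B", "R2B"})}
ROUTER_FILTER = {1: "second", 2: "third"}   # filter applied per router set

def router_ok(domain, src, dst):
    """A domain's router passes traffic only if both ends are in its prefix."""
    net = DOMAIN_NET[domain]
    return ip_address(src.ip) in net and ip_address(dst.ip) in net

def blocked_by(src_name, dst_name):
    """Return every filter on the src -> dst path that would drop the data."""
    src, dst = TERMINALS[src_name], TERMINALS[dst_name]
    r_in = f"R{src.side}{src.domain}"    # router the data enters through
    r_out = f"R{dst.side}{dst.domain}"   # router the data would leave through
    drops = []
    if not router_ok(src.domain, src, dst):
        drops.append(f"{ROUTER_FILTER[src.side]}@{r_in}")
    # In this model only traffic crossing the common channel meets the first filter.
    if src.side != dst.side and frozenset({r_in, r_out}) not in CHANNEL_PAIRS:
        drops.append("first@channel")
    if r_out != r_in and not router_ok(dst.domain, src, dst):
        drops.append(f"{ROUTER_FILTER[dst.side]}@{r_out}")
    return drops

def reachable(src_name, dst_name):
    return not blocked_by(src_name, dst_name)

if __name__ == "__main__":
    for dst in ("T2", "T3", "T4"):
        print("T1 ->", dst, "dropped by:", blocked_by("T1", dst) or "nothing")
```
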

