Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Packet header designating cryptographically protected data
Reexamination Certificate
2000-03-07
2004-09-21
Peeso, Thomas R. (Department: 2132)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Packet header designating cryptographically protected data
C713S165000, C713S167000, C713S182000, C713S152000, C713S152000
Reexamination Certificate
active
06795918
ABSTRACT:
BACKGROUND OF THE INVENTION
The present invention relates generally to computer security and, more particularly, to security apparatus and methods for use with computers connected to a computer network, such as the Internet or an intranet.
The growth of the Internet has provided an enormous information resource to the millions of computer users around the world. The Internet permits a user from practically anywhere in the world to access another computer anywhere else in the world without much effort by utilizing easy-to-remember computer domain names. It is just as easy for a computer hacker to access an innocent computer user's hardware, software, and information. Especially with the fast connection services provided by today's Internet service providers (ISPs), hackers have an even easier time breaking into home and small office computers.
The ease in hacking is partly possible because of the increasing availability of high-speed Internet digital subscriber line (DSL) and its varieties such as asynchronous DSL (ADSL) and high-bit-rate DSL (HDSL), and cable modem. These services provide not only a much faster connection but also a service that is always on. Additionally, a more mature broadband Internet service, called integrated services digital network (ISDN), continues to pose a similar threat. Accordingly, hackers can break into unsecured systems faster because of the higher speeds, and whenever they want to because of the always-on services. Additionally, because of already available tools, hackers have an even easier task. See, for example, the article entitled “Tools of the Trade” by Edward Skoudis, in the March 1999 issue of Information Security Magazine, which is hereby incorporated herein by reference for all purposes. With these types of tools, someone can remotely control or clandestinely observe all activity on the targeted machine. Moreover, hackers can get access to even a basic PC or Mac through a variety of methods, such as e-mailing a program that inserts a hidden back door or exploiting openings designed for file or printer sharing. Also, since computers are becoming easier to use and cheaper to own, more and more computer users are utilizing their computers for keeping track of their finances, personal communications, remote access to their office systems, and maintaining other types of confidential information. Hackers love this vast amount of information readily available on a personal computer.
Generally, each computer connected to the Internet has a unique Internet protocol (IP) address. Hackers often flood a target computer network with many IP address requests to identify potential targets on that network. Once hackers learn the IP address of a target, they flood that computer with many requests to determine through which “door” they can enter the target. The doors for computers are called service ports. Each service is assigned its own port number. For example, port 23 is for Telnet services, which allows a remote user to login to a computer and access information on its hard drive. Hackers will probe all the known ports they can, until they find an open port. Once in the system, hackers can do as they wish, including open other service ports or even crash the system.
There are currently 65,663 service ports available for transmission control protocol/Internet protocol (TCP/IP) communications, which is the general communication protocol for the Internet. There are two types of service ports: privileged and unprivileged. The server service ports generally have a port number below 1,024, which are known as privileged ports and can be assigned to specific services. Conversely, the client service ports have a port number at least 1,024. Most of the service ports on computers are not used today. Consequently, if a hacker can use one of these unused service ports to access information, the unauthorized use will most likely not interfere with the authorized services already in use. Another risk is that some of these service ports can give direct access to computers' storage devices.
There are numerous hardware and software solutions (called “firewalls”) already available on the market for securing computers. The hardware-based solutions, however, are generally designed to protect a corporate intranet or a network segment, and are often impractical and too complex for implementation at home, for a small business, or for users on the road. These systems are generally designed to manage the security of multiple network addresses and log all network activity through a given device. At a minimum, these systems require knowledgeable information systems (IS) personnel to install and/or maintain them, who come at a fairly significant cost.
Similarly, present software solutions are often cumbersome to use because they must often be installed on a computer system to be protective. These solutions may pose conflicts with other software installed on that computer system. Another issue is that when installing new software or upgrading old software, the firewall software may be accidentally disabled or overwritten, leaving an open door for the hackers. Also, like other software solutions, software-only security is inherently easier to break into because the security software can reside on a remotely accessible computer.
These firewalls can also be very complex. For example, they can block certain IP addresses from accessing a target system based on a certain number of connection attempts. Other solutions incorporate features such as virtual private networking (VPN) which utilizes encryption. Yet others use association to permit a connection or use sophisticated knowledge databases. Accordingly, these firewalls often far exceed the needs of a single client workstation or a small office/home office (SOHO) environment.
No matter how sophisticated a computer security system, most experts agree that it can still be breached. Every year, computer hackers cost computer users millions of dollars in lost data, man-hours, and lost trade secrets. With hacking on the rise, as indicated by a study conducted by International Computer Security Association (ICSA) and Global Integrity Corporation, along with the growth of high speed networking to the home, the hacking of home-based and notebook computers can be a starting point for novice hackers, and quite possibly a stepping-stone into corporate networks.
Additionally, the present security solutions often have their own IP addresses, which readily allows these security solutions to be identified as targets. In the case of software solutions, the loophole IP address would be the same as that of the computer on which it is installed. In the case of hardware solutions, the IP address is often provided so that the firewall can be configured via, for example, a remote terminal on the secured network.
Therefore, what is needed is a simple to implement, inexpensive, relatively fast, efficient, and non-user configurable solution for computer users at home, on the road, or in a small office, to be able to protect themselves from computer hackers.
SUMMARY OF THE INVENTION
According to the present invention, a technique is disclosed for filtering data packets using novel apparatus and methods by providing authorization data. In an embodiment, the authorization data is non-user configurable. In a specific embodiment, the term non-configurable generally means that the user does not have to adjust settings on the present device and/or the computer on the protected local area network, wide area network, or private network. The invention provides an efficient, quick, secure, and simple to implement technique for secure computer communication, in part, by utilizing service level filtering of data packets.
In a preferred embodiment, a method for filtering a plurality of data packets is provided. The method includes receiving a data packet. The received data packet comprises source, destination, and protocol information. The method extracts the source, destination, and protocol information from the received data packet and provides the extracte
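The service-level filtering sketched in the summary (extract source, destination and protocol from each packet, then decide at the level of the destination service port) and the privileged/unprivileged port discussion above, worked through as an added example that is not code from the patent: a small IPv4 parser plus a default-deny policy that forwards only an explicitly authorised set of service ports, so the unused ports the background warns about are never reachable. The allow-list, the header builder and the sample packets are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PacketInfo:
    src: str
    dst: str
    protocol: int
    dst_port: Optional[int]   # None when the payload is not TCP/UDP

def parse_ipv4(packet: bytes) -> PacketInfo:
    """Extract source, destination and protocol from an IPv4 header,
    plus the destination service port for TCP (6) or UDP (17) payloads."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes (options included)
    protocol = packet[9]
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    dst_port = None
    if protocol in (6, 17) and len(packet) >= ihl + 4:
        dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])[1]
    return PacketInfo(src, dst, protocol, dst_port)

# Constructed policy: only these privileged service ports are authorised;
# every other port, including all the "unused" ones, is dropped by default.
ALLOWED_SERVICES = frozenset({80, 443})

def filter_packet(packet: bytes, allowed=ALLOWED_SERVICES) -> bool:
    """Return True to forward the packet, False to drop it (default deny)."""
    try:
        info = parse_ipv4(packet)
    except ValueError:
        return False                      # malformed packets are never forwarded
    if info.dst_port is None:
        return False                      # not a recognised service-bearing protocol
    return info.dst_port in allowed

def build_packet(src: str, dst: str, protocol: int, sport: int, dport: int) -> bytes:
    """Construct a minimal 20-byte IPv4 header plus a port pair (sample data only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, protocol, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!HH", sport, dport)
```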