Electrical computers and digital processing systems: multicomput – Computer network managing – Computer network access regulating
Reexamination Certificate
1999-01-19
2001-04-17
Rinehart, Mark H. (Department: 2152)
C709S229000, C709S235000, C713S152000
active
06219707
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to computer security, and more particularly, to an apparatus and method for providing increased computer security by assigning processes to regions and restricting communication between regions.
2. Background Information
There has been an explosion in the growth of computer networks as organizations realize the benefits of networking their personal computers and workstations. Increasingly, these networks are falling prey to malicious outsiders who hack into the network, reading and sometimes destroying sensitive information. Exposure to such attacks has increased as companies connect to outside systems such as the Internet.
To protect themselves from attacks by malicious outsiders, organizations are turning to mechanisms for increasing network security. One such mechanism is described in “SYSTEM AND METHOD FOR PROVIDING SECURE INTERNETWORK SERVICES”, U.S. patent application Ser. No. 08/322,078 filed Oct. 12, 1994 by Boebert et al., the discussion of which is hereby incorporated by reference. Boebert teaches that modifications can be made to the kernel of the operating system in order to add type enforcement protections to the operating system kernel. This protection mechanism can be added to any other program by modifications to the program code made prior to compiling. It cannot, however, be used to add type enforcement protection to program code after that program code has been compiled.
Type enforcement is a file level mechanism which provides con
What is needed is a way of adding computer security protection to compiled program code to increase secure operation of such code.
SUMMARY OF THE INVENTION
The present invention is a system and method of achieving network separation within a computing system having a plurality of network interfaces. A plurality of burbs or regions is defined, wherein the plurality of burbs includes a first and a second burb and wherein each burb includes a protocol stack. Each of the plurality of network interfaces is assigned to one of the plurality of burbs and more than one network interface can be assigned to a particular burb. Processes are bound to specific burbs when they try to access that burb's protocol stack and communication between processes assigned to different burbs is restricted.
According to another aspect of the present invention, a secure server is described which includes an operating system kernel, a plurality of network interfaces which communicate with the operating system kernel and a plurality of burbs, including a first and a second burb. Each network interface is assigned to one burb from the plurality of burbs and each burb includes its own protocol stack for handling communication across the network interfaces assigned to that burb. Each protocol stack is associated with only one burb. Finally, communication from a process bound to one burb must pass through a proxy before it can reach a different burb.
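As an added illustration (not the patent's own code), the rules from the summary above modelled as a small policy check: interfaces are assigned to burbs, a process is bound to a burb on its first use of that burb's stack, and only a registered proxy may carry traffic across burbs. Burb, interface and process names are made up.

```python
class PolicyViolation(Exception):
    """Raised when a process tries to cross a burb boundary without a proxy."""


class SecureServer:
    def __init__(self, burbs):
        self.burbs = set(burbs)   # each burb owns exactly one protocol stack
        self.iface_burb = {}      # interface -> burb; an interface belongs to one burb
        self.proc_burb = {}       # process -> burb, fixed on its first stack access
        self.proxy_burbs = {}     # proxy process -> burbs it is permitted to bridge

    def assign_interface(self, iface, burb):
        # Several interfaces may share a burb, but one interface never spans two.
        if self.iface_burb.setdefault(iface, burb) != burb:
            raise PolicyViolation(f"{iface} already belongs to {self.iface_burb[iface]}")

    def register_proxy(self, proc, burbs):
        # A proxy is the only kind of process allowed to touch more than one stack.
        self.proxy_burbs[proc] = set(burbs) & self.burbs

    def access_stack(self, proc, iface):
        """Bind proc to the burb owning iface; refuse access to a foreign stack."""
        burb = self.iface_burb[iface]
        if proc in self.proxy_burbs:
            if burb not in self.proxy_burbs[proc]:
                raise PolicyViolation(f"proxy {proc} may not use the {burb} stack")
            return burb
        bound = self.proc_burb.setdefault(proc, burb)   # first access binds for good
        if bound != burb:
            raise PolicyViolation(f"{proc} is bound to {bound}, cannot use {burb} stack")
        return burb

    def burbs_of(self, proc):
        if proc in self.proxy_burbs:
            return self.proxy_burbs[proc]
        return {self.proc_burb[proc]} if proc in self.proc_burb else set()

    def deliver(self, src, dst):
        """Permit src -> dst inside one burb; crossing burbs requires a proxy hop."""
        shared = self.burbs_of(src) & self.burbs_of(dst)
        if not shared:
            raise PolicyViolation(f"{src} -> {dst} crosses burbs without a proxy")
        return min(shared)


def denied(action, *args):
    # True when the policy rejects the action; lets a caller probe the rules.
    try:
        action(*args)
    except PolicyViolation:
        return True
    return False
```

A process that first used the internal stack is refused the external one, and traffic between the two burbs is only delivered when one hop ends at a proxy registered for both.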
REFERENCES:
patent: 3956615 (1976-05-01), Anderson et al.
patent: 4104721 (1978-08-01), Markstein et al.
patent: 4177510 (1979-12-01), Appell et al.
patent: 4442484 (1984-04-01), Childs, Jr. et al.
patent: 4584639 (1986-04-01), Hardy
patent: 4621321 (1986-11-01), Boebert et al.
patent: 4648031 (1987-03-01), Jenner
patent: 4701840 (1987-10-01), Boebert et al.
patent: 4713753 (1987-12-01), Boebert et al.
patent: 4870571 (1989-09-01), Frink
patent: 4885789 (1989-12-01), Burger et al.
patent: 4914568 (1990-04-01), Kodosky et al.
patent: 5077658 (1991-12-01), Bendert et al.
patent: 5093914 (1992-03-01), Coplien et al.
patent: 5124984 (1992-06-01), Engel
patent: 5153918 (1992-10-01), Tuai
patent: 5204961 (1993-04-01), Barlow
patent: 5228083 (1993-07-01), Lozowick et al.
patent: 5251131 (1993-10-01), Masand et al.
patent: 5263147 (1993-11-01), Francisco et al.
patent: 5272754 (1993-12-01), Boebert
patent: 5276735 (1994-01-01), Boebert et al.
patent: 5276789 (1994-01-01), Besaw et al.
patent: 5303303 (1994-04-01), White
patent: 5305385 (1994-04-01), Schanning et al.
patent: 5311593 (1994-05-01), Carmi
patent: 5329623 (1994-07-01), Smith et al.
patent: 5333266 (1994-07-01), Boaz et al.
patent: 5355474 (1994-10-01), Thuraisngham et al.
patent: 5414833 (1995-05-01), Hershey et al.
patent: 5455828 (1995-10-01), Zisapel
patent: 5485460 (1996-01-01), Schrier et al.
patent: 5511122 (1996-04-01), Atkinson
patent: 5530758 (1996-06-01), Marino, Jr. et al.
patent: 5548507 (1996-08-01), Martino et al.
patent: 5548646 (1996-08-01), Aziz et al.
patent: 5550984 (1996-08-01), Gelb
patent: 5555346 (1996-09-01), Gross et al.
patent: 5566170 (1996-10-01), Bakke et al.
patent: 5583940 (1996-12-01), Vidrascu et al.
patent: 5586260 (1996-12-01), Hu
patent: 5604490 (1997-02-01), Blakley, III et al.
patent: 5606668 (1997-02-01), Shwed
patent: 5615340 (1997-03-01), Dai et al.
patent: 5619648 (1997-04-01), Canale et al.
patent: 5623601 (1997-04-01), Vu
patent: 5632011 (1997-05-01), Landfield et al.
patent: 5636371 (1997-06-01), Yu
patent: 5644571 (1997-07-01), Seaman
patent: 5671279 (1997-09-01), Elgamal
patent: 5673322 (1997-09-01), Pepe et al.
patent: 5684951 (1997-11-01), Goldman et al.
patent: 5689566 (1997-11-01), Nguyen
patent: 5699513 (1997-12-01), Feigen et al.
patent: 5706507 (1998-01-01), Schloss
patent: 5720035 (1998-02-01), Allegre et al.
patent: 5781550 (1998-07-01), Templin et al.
patent: 5828833 (1998-10-01), Belville et al.
patent: 5828893 (1998-10-01), Wied et al.
patent: 5864683 (1999-01-01), Boebert et al.
patent: 5896499 (1999-04-01), McKelvey
patent: 5898830 (1999-04-01), Wesinger, Jr. et al.
patent: 5918018 (1999-06-01), Gooderum et al.
patent: 5950195 (1999-09-01), Stockwell et al.
patent: 5958016 (1999-09-01), Chang et al.
patent: 5968176 (1999-10-01), Nessett et al.
patent: 0420779 (1991-04-01), None
patent: 0 554 182 A1 (1993-04-01), None
patent: 0653862 (1995-05-01), None
patent: 0 743 777 A2 (1996-11-01), None
patent: 2287619 (1995-09-01), None
patent: 96/13113 (1996-05-01), None
patent: 96/31035 (1996-10-01), None
patent: 96/35994 (1996-11-01), None
patent: 97/13340 (1997-04-01), None
patent: 97/26731 (1997-07-01), None
patent: 97/26734 (1997-07-01), None
patent: 97/26735 (1997-07-01), None
patent: 97/29413 (1997-08-01), None
International Search Report, PCT Application No. PCT/US 95/12681, 8 p., (mailed Apr. 9, 1996).
News Release: “100% of Hackers Failed to Break Into One Internet Site Protected by Sidewinder(tm)”, Secure Computing Corporation, (Feb. 16, 1995).
News Release: “Internet Security System Given ‘Product of the Year’ Award”, Secure Computing Corporation, (Mar. 28, 1995).
News Release: “SATAN No Threat to Sidewinder(tm)”, Secure Computing Corporation, (Apr. 26, 1995).
“Answers to Frequently Asked Questions About Network Security”, Secure Computing Corporation, p. 1-41 & p. 1-16, (Sep. 25, 1994).
“Sidewinder Internals”, Product information, Secure Computing Corporation, 16 p., (Oct. 1994).
“Special Report; Secure Computing Corporation and Network Security”, Computer Select, 13 p., (Dec. 1995).
Adam, J.A., “Meta-Matrices”, IEEE Spectrum, pp. 26-27, (Oct. 1992).
Adam, J.A., “Playing on the Net”, IEEE Spectrum, p. 29, (Oct. 1992).
Ancilotti, P., et al., “Language Features for Access Control”, IEEE Transactions on Software Engineering, SE-9, 16-25, (Jan. 1983).
Badger, L., et al., “Practical Domain and Type Enforcement for UNIX”, Proceedings of the 1995 IEEE Symposium on Security and Privacy, pp. 66-67, (May 1995).
Belkin, N.J., et al., “Information Filtering and Information Retrieval: Two Sides of the Same Coin?”, Communications of the ACM, 35, 29-38, (Dec. 1992).
Bellovin, S.M., et al., “Network Firewalls”, IEEE Communications Magazine, 32, 50-57, (Sep. 1994).
Bevier, W.R., et al., “Connection Policies and Controlled Interference”, Proceedings of the Eighth IEEE Computer Security Foundations Workshop, Kenmare, Ireland, pp. 167-176, (Jun. 13-15, 1995).
Bowen, T.F., et al., “The Datacycle Architecture”, Communications of the ACM, 35, 71-81, (Dec. 1992).
Bryan, J., “Firewalls For Sale”, BYTE, 99-100, 102, 104-105, (Apr. 1
Andreas Glenn
Gooderum Mark P.
Vu Trinh Q.
Kang Paul
Rinehart Mark H.
Schwegman Lundberg Woessner & Kluth P.A.
Secure Computing Corporation
Title: System and method for achieving network separation