Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-03-18
2001-01-30
Beausoliel, Jr., Robert W. (Department: 2785)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C709S225000, C709S229000
Reexamination Certificate
active
06182226
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates generally to network security, and more particularly to a system and method of grouping networks to enforce a security policy.
BACKGROUND OF THE INVENTION
Recent developments in technology have made access easier to publicly available computer networks, such as the Internet. Organizations are increasingly turning to external networks such as the Internet to foster communication between employees, suppliers and clients. With this increased access comes an increased vulnerability to malicious activities on the part of both people inside and outside the organization. Firewalls have become a key tool in controlling the flow of data between internal networks and these external networks.
A firewall is a system which enforces a security policy on communication traffic entering and leaving an internal network. Firewalls are generally developed on one or more of three models: the screening router, the bastion host, and the dual homed gateway. These models are described in U.S. Pat. No. 5,623,601 to Vu, issued Apr. 22, 1997 and entitled APPARATUS AND METHOD FOR PROVIDING A SECURE GATEWAY FOR COMMUNICATION AND DATA EXCHANGES BETWEEN NETWORKS (Vu), which is hereby incorporated herein by reference.
Vu describes packet filters as a more sophisticated type of screening that operates at the protocol level. Packet filters are generally host-based applications which permit certain communications over predefined ports. Packet filters may have associated rule bases and operate on the principle that whatever is not expressly permitted is prohibited. Public networks such as the Internet use the TCP/IP protocol suite. A UNIX operating system running TCP/IP has a capacity of 64 K communication ports, so it is generally considered impractical to construct and maintain a comprehensive rule base for a packet filter application. In addition, packet filtering is implemented using the simple Internet Protocol (IP) packet filtering mechanisms, which are not regarded as robust enough to permit the implementation of an adequate level of protection. The principal drawback of packet filters, according to Vu, is that they are executed by the operating system kernel, and there is limited capacity at that level to perform screening functions. As Vu notes, protocols may be piggybacked to either bypass or fool packet filtering mechanisms and may permit skilled intruders to access the private network.
Accordingly, it is an object of this invention to provide a method for controlling interactions between networks by the use of firewalls with defined regions.
SUMMARY OF THE INVENTION
The present invention is directed to a system and method of achieving network separation within a computing system having a plurality of network interfaces. One aspect of the invention is a method comprising the steps of defining a plurality of regions; configuring a set of policies for each of the plurality of regions; assigning each of the plurality of network interfaces to only one of the plurality of regions, wherein at least one of the plurality of network interfaces is assigned to a particular region; and restricting communication to and from each of the plurality of network interfaces in accordance with the set of policies configured for the one of the plurality of regions to which the one of the plurality of network interfaces has been assigned.
Another aspect of the invention is a secure server comprising an operating system kernel; a plurality of network interfaces which communicate with the operating system kernel; and a firewall comprising a plurality of regions, wherein a set of policies have been configured for each of the plurality of regions; wherein each of the plurality of network interfaces is assigned to only one of the plurality of regions; wherein at least one of the plurality of network interfaces is assigned to a particular region; and wherein communication to and from each of the plurality of network interfaces is restricted in accordance with the set of policies configured for the one of the plurality of regions to which the one of the plurality of network interfaces has been assigned.
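The two aspects above describe the same mechanism from the method and the apparatus side: regions are defined, each region carries its own policy set, every network interface belongs to exactly one region, and traffic between two interfaces is judged by the policies of the regions they belong to. The following Python model is an added illustration of that structure, not code from the patent or from Secure Computing Corporation; the `Rule` shape, the `"*"` wildcard, the region names and the interface names are all constructed assumptions. It applies the default-deny principle the background attributes to packet filters (nothing is allowed unless a policy expressly permits it) and enforces the one-interface-one-region constraint by rejecting a second assignment.

```python
"""Toy model of region-based network separation (added example, hypothetical API).

Every interface is assigned to exactly one region, each region carries its own
set of permit rules, and a flow is allowed only when a rule of the source
region expressly permits it (default deny).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

ANY = "*"  # constructed wildcard for protocol or port


@dataclass(frozen=True)
class Rule:
    """One permit entry in a region's policy set (assumed shape)."""
    to_region: str
    protocol: str = ANY              # "tcp", "udp", "icmp" or ANY
    port: Union[int, str] = ANY      # destination port or ANY

    def matches(self, to_region: str, protocol: str, port: int) -> bool:
        return (self.to_region == to_region
                and self.protocol in (ANY, protocol)
                and self.port in (ANY, port))


class RegionFirewall:
    def __init__(self) -> None:
        self.policies: Dict[str, List[Rule]] = {}  # region -> permit rules
        self.iface_region: Dict[str, str] = {}     # interface -> its single region

    def define_region(self, name: str) -> None:
        self.policies.setdefault(name, [])

    def permit(self, from_region: str, rule: Rule) -> None:
        """Attach a permit rule to the policy set of from_region."""
        for region in (from_region, rule.to_region):
            if region not in self.policies:
                raise KeyError(f"undefined region {region!r}")
        self.policies[from_region].append(rule)

    def assign_interface(self, iface: str, region: str) -> None:
        """Bind an interface to exactly one region; a second binding is an error."""
        if region not in self.policies:
            raise KeyError(f"undefined region {region!r}")
        if iface in self.iface_region:
            raise ValueError(
                f"{iface} is already assigned to {self.iface_region[iface]!r}")
        self.iface_region[iface] = region

    def region_of(self, iface: str) -> Optional[str]:
        return self.iface_region.get(iface)

    def allowed(self, in_iface: str, out_iface: str, protocol: str, port: int) -> bool:
        """Default deny: traffic passes only if the source region's policies permit it."""
        src = self.region_of(in_iface)
        dst = self.region_of(out_iface)
        if src is None or dst is None:
            return False  # an unassigned interface can carry nothing
        return any(rule.matches(dst, protocol, port) for rule in self.policies[src])


def build_demo() -> RegionFirewall:
    """Constructed three-region layout: internal, external and a service region."""
    fw = RegionFirewall()
    for region in ("internal", "external", "dmz"):
        fw.define_region(region)
    fw.assign_interface("eth0", "internal")
    fw.assign_interface("eth1", "external")
    fw.assign_interface("eth2", "dmz")
    # Internal hosts may browse out and may reach anything in the dmz.
    fw.permit("internal", Rule("external", "tcp", 80))
    fw.permit("internal", Rule("external", "tcp", 443))
    fw.permit("internal", Rule("dmz"))
    # The outside world may only deliver mail to the dmz; nothing reaches internal.
    fw.permit("external", Rule("dmz", "tcp", 25))
    return fw


def double_assignment_rejected(fw: RegionFirewall) -> bool:
    """True if binding an already-assigned interface to another region is refused."""
    try:
        fw.assign_interface("eth0", "dmz")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    fw = build_demo()
    for flow in [("eth0", "eth1", "tcp", 443), ("eth1", "eth0", "tcp", 22),
                 ("eth1", "eth2", "tcp", 25), ("eth1", "eth2", "tcp", 23)]:
        print(flow, "ALLOW" if fw.allowed(*flow) else "DENY")
```

Because decisions are keyed on the region of each interface rather than on the interface itself, adding a second internal interface only requires one `assign_interface` call and inherits the region's whole policy set, which is the administrative benefit the region model is meant to deliver.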
A feature of the present invention is the application level approach to security enforcement, wherein type enforcement is integral to the operating system. Still another feature is protection against attacks including intruders into the computer system. Yet another feature is a new graphical user interface (GUI) in effective Access Control Language (ACL). A further feature of the present invention is a visual access control system. Another feature is embedded support for Virtual Private Networking (VPN).
REFERENCES:
patent: 3956615 (1976-05-01), Anderson et al.
patent: 4104721 (1978-08-01), Markstein et al.
patent: 4177510 (1979-12-01), Appell et al.
patent: 4442484 (1984-04-01), Childs, Jr. et al.
patent: 4584639 (1986-04-01), Hardy
patent: 4621321 (1986-11-01), Boebert et al.
patent: 4648031 (1987-03-01), Jenner
patent: 4701840 (1987-10-01), Boebert et al.
patent: 4713753 (1987-12-01), Boebert et al.
patent: 4870571 (1989-09-01), Frink
patent: 4885789 (1989-12-01), Burger et al.
patent: 4914568 (1990-04-01), Kodosky et al.
patent: 5093914 (1992-03-01), Coplien et al.
patent: 5124984 (1992-06-01), Engel
patent: 5153918 (1992-10-01), Tuai
patent: 5204961 (1993-04-01), Barlow
patent: 5228083 (1993-07-01), Lozowick et al.
patent: 5263147 (1993-11-01), Francisco et al.
patent: 5272754 (1993-12-01), Boebert
patent: 5276735 (1994-01-01), Boebert et al.
patent: 5303303 (1994-04-01), White
patent: 5305385 (1994-04-01), Schanning et al.
patent: 5311593 (1994-05-01), Carmi
patent: 5329623 (1994-07-01), Smith et al.
patent: 5333266 (1994-07-01), Boaz et al.
patent: 5355474 (1994-10-01), Thuraisngham et al.
patent: 5414833 (1995-05-01), Hershey et al.
patent: 5416842 (1995-05-01), Aziz
patent: 5455828 (1995-10-01), Zisapel
patent: 5485460 (1996-01-01), Schrier et al.
patent: 5511122 (1996-04-01), Atkinson
patent: 5548646 (1996-08-01), Aziz et al.
patent: 5550984 (1996-08-01), Gelb
patent: 5566170 (1996-10-01), Bakke et al.
patent: 5583940 (1996-12-01), Vidrascu et al.
patent: 5586260 (1996-12-01), Hu
patent: 5604490 (1997-02-01), Blakley, III et al.
patent: 5606668 (1997-02-01), Shwed
patent: 5615340 (1997-03-01), Dai et al.
patent: 5619648 (1997-04-01), Canale et al.
patent: 5623601 (1997-04-01), Vu
patent: 5636371 (1997-06-01), Yu
patent: 5644571 (1997-07-01), Seaman
patent: 5671279 (1997-09-01), Elgamal
patent: 5673322 (1997-09-01), Pepe et al.
patent: 5684951 (1997-11-01), Goldman et al.
patent: 5689566 (1997-11-01), Nguyen
patent: 5699513 (1997-12-01), Feigen et al.
patent: 5706507 (1998-01-01), Schloss
patent: 5708780 (1998-01-01), Levergood et al.
patent: 5864683 (1999-01-01), Boebert et al.
patent: 5918018 (1999-06-01), Gooderum et al.
patent: 5968176 (1999-10-01), Nessett et al.
patent: 5983350 (1999-11-01), Minear et al.
patent: 0 554 182 A1 (1993-04-01), None
patent: 0 743 777 A2 (1996-11-01), None
patent: 2287619 (1995-09-01), None
patent: 96/13113 (1996-05-01), None
patent: 96/35994 (1996-11-01), None
patent: 97/13340 (1997-04-01), None
patent: 97/26731 (1997-07-01), None
patent: 97/26734 (1997-07-01), None
patent: 97/26735 (1997-07-01), None
patent: 97/29413 (1997-08-01), None
Boebert, W.E., et al., “Secure Ada Target: Issues, System Design, and Verification”, Proceedings of the Symposium on Security and Privacy, Oakland, California, pp. 59-66, (1985).
Boebert, W.E., et al., “Secure Computing: The Secure Ada Target Approach”, Sci. Honeyweller, 6(2), 17 pages, (1985).
International Search Report, PCT Application No. PCT/US 95/12681, 8 p. (mailed Apr. 9, 1996).
News Release: “100% of Hackers Failed to Break Into One Internet Site Protected by Sidewinder™”, Secure Computing Corporation (Feb. 16, 1995).
News Release: “Internet Security System Given ‘Product of the Year’ Award”, Secure Computing Corporation (Mar. 28, 1995).
News Release: “SATAN No Threat to Sidewinder™”, Secure Computing Corporation (Apr. 26, 1995).
“Answers to Frequently Asked Questions About Network Se
Minear Spencer
Reid Irving
Beausoliel, Jr. Robert W.
Revak Christopher
Schwegman Lundberg Woessner & Kluth P.A.
Secure Computing Corporation