Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-03-18
2002-09-17
Trammell, James P. (Department: 2161)
active
06453419
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention is related to computer network security, and more particularly to a system and method for representing and implementing a security policy.
2. Background Information
Recent developments in technology have made access easier to publicly available computer networks, such as the Internet. Organizations are increasingly turning to external networks such as the Internet to foster communication between employees, suppliers and clients. With this increased access comes an increased vulnerability to malicious activities on the part of both people inside and outside the organization. Firewalls have become an essential tool in controlling the flow of data between internal networks and these external networks.
A firewall is a system which enforces a security policy on communication traffic entering and leaving an internal network. An overview of firewall technology is provided in “Firewalls fend off invasions from the Net”, published February 1998 in IEEE Spectrum, the discussion of which is hereby incorporated by reference. Access Control Lists (ACLs) are a very important part of a firewall design. These lists are used both to restrict access to servers and to define the required filters for those services. Almost every connection to or through the firewall will use the ACL to determine whether the connection is allowed and what the conditions of the connection are.
Secure Computing Corporation currently manufactures two firewall products: Sidewinder™ and BorderWare™ Firewall Server™ (BFS). Both Sidewinder and BorderWare have an ACL mechanism. On BFS, the ACL checks are performed in the kernel. The advantage of this is that each process can access the data even from its own chroot(2) area. Each process simply does a system call. There is no place in BFS's ACL system calls to block, and the code required in the proxies/servers is easy to implement and unobtrusive. The ACLs themselves, however, are very difficult for the user to understand. The end result is a nice mechanism that is difficult to use.
On Sidewinder there is a process called ACLd which resolves the ACL checks. In order to make the ACLs work properly, ACLd is a non-blocking process. Proxies must open a connection to ACLd, make the request, and come back later to get the result. Thus, the ACL part of the proxy code itself is more complex and pervasive. Further, ACLd can be a bottleneck since that one process is serving many other processes. Sidewinder can, however, support a much more flexible and comprehensive ACL system than is found on BFS.
What is needed is an ACL mechanism which provides quick access to the ACL mechanism while at the same time maintaining the complex functionality of the Sidewinder system.
In addition, although ACLs are a convenient, centrally located way of storing access control rules, they do tend to become complex as the number of networks and users increases. This increased complexity makes them cumbersome and unwieldy to apply, and difficult to manage. Rules get out of date, often leaving dangerous access rules in place for users who are no longer supposed to have access to the system (e.g., ex-employees).
What is needed is a method of presenting and managing access control rules which can easily respond to changes in the number of networks and users.
SUMMARY OF THE INVENTION
The present invention is a system and method of implementing a security policy, comprising the steps of providing a plurality of access policies, defining a process and connecting the access policies and the process to form a security policy.
According to another aspect of the present invention, an access control mechanism is described in a computer network having a plurality of separate networks. The access control mechanism includes a plurality of regions, including a first and a second region, one or more services bridging said first and second region, access control rules which define a security policy, wherein the access control rules limit data transfer by the one or more services bridging the first and second regions, wherein the access control rules are defined as a decision tree, wherein the decision tree includes a decision node and a first and a second branch and wherein the decision node includes a true and a false destination path, wherein the true destination path leads to the first branch and the false destination path leads to the second branch and access control logic, wherein the access control logic operates with the access control rules to enforce the security policy.
According to yet another aspect of the present invention, a system and method for limiting transfers between networks comprises the steps of defining a to-from set, wherein the to-from set lists a source network and a destination network, associating the to-from set with the first service, defining a path, wherein the path includes desired options for limiting transfer from the source network to the destination network via the first service, storing information regarding the to-from set, the first service and the path as an access control rule, receiving a request to set up said first service between the source network and the destination network, comparing the request to the access control rule to determine access and, if access is allowed, establishing the service between the source and destination networks.
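As an added illustration of the two aspects above (not code from the patent or from Secure Computing's products), the following Python models regions, to-from sets keyed by service, and access control rules as a decision tree whose decision nodes have a true and a false destination path; the region addresses, services, users and path options are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Optional, Union

# Regions: constructed sample networks; the most specific prefix wins.
REGIONS = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "external": ipaddress.ip_network("0.0.0.0/0"),
}

@dataclass
class Request:                    # a request to set up a service between two networks
    src: str
    dst: str
    service: str
    user: Optional[str] = None

@dataclass
class Leaf:                       # terminal decision plus the "path" options applied if allowed
    allow: bool
    options: dict = field(default_factory=dict)

@dataclass
class DecisionNode:               # decision node with a true and a false destination path
    test: Callable[[Request], bool]
    true_branch: "Node"
    false_branch: "Node"

Node = Union[DecisionNode, Leaf]

def region_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    hits = [(name, net) for name, net in REGIONS.items() if ip in net]
    return max(hits, key=lambda h: h[1].prefixlen)[0]

# Access control rules keyed by (service, to-from set). Constructed sample policy:
# HTTP from internal to external only for authenticated users, with a filter option;
# SMTP from external into the DMZ with a size limit; anything without a rule is denied.
RULES = {
    ("http", ("internal", "external")): DecisionNode(
        test=lambda r: r.user is not None,
        true_branch=Leaf(True, {"filter": "url-blocklist"}),
        false_branch=Leaf(False),
    ),
    ("smtp", ("external", "dmz")): Leaf(True, {"max_size": 10_000_000}),
}

def evaluate(node: Node, req: Request) -> Leaf:
    while isinstance(node, DecisionNode):      # walk true/false paths down to a leaf
        node = node.true_branch if node.test(req) else node.false_branch
    return node

def check(req: Request) -> Leaf:
    to_from = (region_of(req.src), region_of(req.dst))
    rule = RULES.get((req.service, to_from))
    return evaluate(rule, req) if rule else Leaf(False)   # default deny
```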
Amdur Gene
Flint Andrew
Reid Irving
Elisca Pierre E.
Schwegman - Lundberg Woessner - Kluth
Secure Computing Corporation
Trammell James P.
Patent title: System and method for implementing a security policy