Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1999-10-08
2004-04-27
Barron, Gilberto (Department: 2132)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C709S238000, C709S249000
Reexamination Certificate
active
06728885
ABSTRACT:
FIELD OF INVENTION
This invention relates to providing security in communication networks. In particular, the invention relates to firewall technology in packet switched networks for adaptively providing a plurality of security levels.
BACKGROUND OF THE INVENTION
Referring to FIG. 1, a typical firewall 101 is placed between a Local Area Network (LAN) 103 and outside networks 111, 115. LAN 103 may include a plurality of internal hosts 105, 107, 109. Outside networks 111 can be networked through the Internet 117. Outside network 115 may also include its own firewall 117. Internal hosts 105, 107, 109 and remote hosts 119, 121 are computers, e.g., personal computers (PC) or computer workstations. Firewall 101 includes a combination of computer hardware and software components configured to protect LAN 103, i.e., preventing unwanted intrusions from outside networks 111, 115.
In order to exchange information, e.g., sending a message from remote host 119 to internal host 105, a connection 125 is established by sending a plurality of packets therebetween. A packet is a basic message unit routed between a source computer and a destination computer, e.g., remote host 119 and internal host 105, respectively, in a packet-switched network depicted in FIG. 1. For example, when a file, e.g., an e-mail message, HTML file, or other similar message, is sent from a source computer to a destination computer, the file is broken into a plurality of packets. (Here, HTML, Hypertext Markup Language, is a set of “markup” symbols or codes, which instructs a Web browser how to display a Web page's words and images.)
More specifically, a Transport Control Protocol (TCP) module of a TCP/IP layer in a source computer divides the file into packets of an efficient size for transmitting over the network. Each packet includes header information, e.g., a destination address and a source address, and content information, i.e., a piece of the broken-up message file. Further, the plurality of packets from the file includes a plurality of connection control packets and data transfer packets. The connection control packets include at least one connection-establishing packet, e.g., a SYN packet, and at least one connection-terminating packet, e.g., RST, FIN, FIN-ACK packets. The data transfer packets include the pieces of the broken-up file. Individual packets for a given file may travel different routes through the packet-switching network. When the packets from one file have all arrived at their destination computer, they are reassembled into the original file by a TCP module in the destination computer.
Here, the TCP module implements a communication protocol used along with the Internet Protocol (IP) to send data in the form of packets between source and destination computers. While the IP module performs the actual delivery of the data, the TCP module keeps track of the individual packets that a file is divided into for efficient routing through the Internet.
OSI (Open Systems Interconnection) is briefly described here to provide the context in which the present invention is discussed later. OSI is a reference model for the layers of common functions in a communications system. Although many existing hardware and software products have been developed on a slightly different model, the OSI model is often used as a guideline when new products are designed and serves as a common reference for understanding any particular design or comparing it with others.
OSI includes seven layers:
The application layer (layer 7) is the layer at which a user interacts with a computer to view messages or send data requests or responses.
The presentation layer (layer 6) is a layer, usually part of an operating system, that converts incoming and outgoing data from one presentation format to another (e.g., converting a text stream into a popup window with a newly arrived text string).
The session layer (layer 5) manages the establishment of a continuing series of requests and responses between the applications at each end of a communication connection.
The transport layer (layer 4) manages the end-to-end control (e.g., determining whether all packets have arrived) and error-checking.
The network layer (layer 3) handles the routing of the data (sending it in the right direction to the right destination on outgoing transmissions and receiving incoming transmissions at the packet level).
The link (or data-link) layer (layer 2) provides error control and synchronization for the physical level and does bit-stuffing for strings of 1's in excess of 5.
The physical layer (layer 1) conveys the bit stream through the network at the electrical and mechanical level.
Referring back to FIG. 1, the basic task of firewall 101 is to separate internal network 103 from outside networks 117, 115 and enforce security policies with a set of rules. The most common firewall features include: securing internal network 103 access with a perimeter defense, controlling all connections into and out of internal network 103, filtering packets according to previously defined rules, “authenticating” or making sure users and applications are permitted to access resources, logging of activities, and actively notifying the appropriate people when suspicious events occur.
Conventional firewalls include only one of three mechanisms: a packet filter, an application proxy, or stateful inspection.
A packet filter examines each incoming packet and decides what actions to take by checking against a table of access control rules. The packet filter, in its simpler embodiments, examines the header information of each incoming packet and makes pass/fail decisions based on its source and destination addresses. A weakness of such a firewall is that the content information of the packets is unknown to the firewall. More specifically, because packet filters perform their checking at the network access layer, there is no real knowledge of application-level vulnerabilities. As a result, direct connections are allowed between source and destination computers through firewall 101, exposing internal hosts 105, 107, 109 to direct attacks.
An application proxy does not allow direct contact between a ‘trusted’ and an ‘untrusted’ network. Each of the packets passing through this type of firewall is examined at the application layer, meaning the application proxy understands the destination and contents of packets. Such a firewall, for example, distinguishes between “FTP Put” and “Get” commands. A typical application proxy includes a built-in proxy function, also known as a transparency function. The transparency function replaces the IP address of a host on the internal protected network with its own IP address for all traffic passing through. The transparency function provides added security, because it hides the addresses of internal hosts. This makes it more difficult for hackers on the outside to target specific devices inside such a firewall. For this higher security, however, the application proxy requires large amounts of processing power, with a corresponding loss of performance.
Finally, a stateful packet filter examines packets, but not as thoroughly as an application proxy does. After a packet filter firewall or stateful inspection firewall has decided to allow a connection to be made, it allows data to travel directly between the networks without further inspection. Once a session is opened, the nature of the session can be changed without being detected. This allows for more speed, but also creates potential security risks, again making internal hosts 105, 107, 109 vulnerable to attacks from outside.
Accordingly, there exists a need for a firewall method which makes it possible to dynamically select the best procedures from existing firewall methods to achieve the required level of security while meeting performance constraints.
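As an added example (not part of the patent text), the following Python models the three firewall types compared above and runs them over constructed packets: a header-only packet filter, a stateful filter that applies the rule table only to the connection-establishing SYN packet, and an application proxy that reads the FTP command in the payload. The rule table, addresses and payloads are constructed sample data, and the class and function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    """Constructed packet model: IP header fields, TCP flags, application payload."""
    src: str
    dst: str
    flags: set = field(default_factory=set)   # e.g. {"SYN"}, {"FIN"}, {"RST"}
    payload: str = ""                           # application-layer content


def packet_filter(pkt, acl):
    """Packet filter: first matching (src_net, dst_net, action) rule wins.
    Only header addresses are consulted; the payload is never read."""
    for src_net, dst_net, action in acl:
        if (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst_net)):
            return action
    return "fail"  # default deny when no rule matches


class StatefulFilter:
    """Stateful inspection: the ACL is applied to the SYN packet only; later packets
    of an open session pass without further inspection, as the text describes."""
    def __init__(self, acl):
        self.acl, self.open = acl, set()

    def check(self, pkt):
        key = (pkt.src, pkt.dst)
        if "SYN" in pkt.flags:
            verdict = packet_filter(pkt, self.acl)
            if verdict == "pass":
                self.open.add(key)
            return verdict
        if key in self.open:
            if pkt.flags & {"FIN", "RST"}:      # connection-terminating packets close the session
                self.open.discard(key)
            return "pass"                        # content is not inspected once the session is open
        return "fail"                            # no SYN and no open session


def application_proxy(pkt, allowed_cmds=("GET",)):
    """Application proxy: understands the FTP command carried in the payload."""
    cmd = pkt.payload.split(" ", 1)[0].upper() if pkt.payload else ""
    return "pass" if cmd in allowed_cmds else "fail"


def demo():
    acl = [("10.1.0.0/16", "192.168.1.5", "pass"), ("0.0.0.0/0", "0.0.0.0/0", "fail")]
    sf = StatefulFilter(acl)
    syn = Packet("10.1.2.3", "192.168.1.5", {"SYN"})
    get = Packet("10.1.2.3", "192.168.1.5", payload="GET report.txt")
    put = Packet("10.1.2.3", "192.168.1.5", payload="PUT upload.bin")
    return {"packet_filter_put": packet_filter(put, acl),  # header looks fine: pass
            "stateful_syn": sf.check(syn), "stateful_put": sf.check(put),  # session open: pass
            "proxy_get": application_proxy(get), "proxy_put": application_proxy(put)}  # PUT: fail
```

Only the proxy rejects the PUT, which is the point of the comparison: the header-level filters reach the same verdict for both commands because the session, once open, is never re-examined.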
Further, the definitions of network communication terms and phrases can be found in Andrew S. Tanenbaum, “Computer Networks,” 2nd ed. (1989), the content
Murugesan Ganesh
Tajalli Homayoon
Taylor Kevin R.
Barron Gilberto
Hamaty Christopher J.
Networks Associates Technology Inc.
Nobahar A.
Silicon Valley IP Group PC