Precomputed and distributed security system for a...

Electrical computers and digital processing systems: multicomput – Computer-to-computer session/connection establishing – Network resources access controlling

Reexamination Certificate


Details

C709S244000, C709S245000, C709S246000, C713S163000, C713S152000, C713S152000

active

06347338

ABSTRACT:

BACKGROUND OF THE INVENTION
The present invention relates to computers and computer networks and more specifically to a system for providing distributed security and protection in a computer network.
Data communications is of great importance to businesses today. A principal function of computers is to perform communications functions over various computer networks such as local area networks (LANs), wide area networks (WANs) and the Internet. Given the critical nature of much of the information that is transmitted on networks, security has become a great concern to users of such networks. The magnitude of the concern has been increased by the popularity of the Internet with the advent of the World-Wide Web (WWW) which has provided user-friendly access to thousands of users to a global network of computers and smaller networks all linked together.
Thus, it is becoming increasingly important to provide network access that is reliable and has a higher degree of security. It is also desirable to provide control over the granting of “permission” to utilize the network. It is also important to provide protection against overutilization and unfair utilization of network resources and from the growing number and various types of “Denial of Service” attacks.
One common solution to the security problem in networks has been to provide one large, complex, centralized firewall that often has to deal with a very large amount of traffic coming through it from all the various paths from many networks. These firewall units are generally large computers having the means to filter information coming into the protected network and to limit access to the protected network.
FIG. 1 is a block diagram of a data network 10 having a conventional centralized firewall node 12 at a gateway station. The firewall node 12 protects communications between an unprotected public network 14 (e.g., the Internet) and a private protected network 16. The network 16 can be any of various private networks and it may be comprised of various computers, servers, systems, etc. 18-24. As the size of each network increases so do the demands upon firewall unit 12, which must process all incoming and outgoing data traffic, possibly from a vast global network.
Routes in a network are provided to indicate reachability to destinations: they tell a node where to send traffic in order to reach a destination. Current general networking practice is to distribute routes to every router in a network, across the entire (inter-)corporate network or autonomous system, and then at run time attempt to build a firewall that is syntactically correct and fast enough to keep undesired traffic out. This is very difficult to begin with, and it does not prevent all problems, such as denial of service attacks and attacks that simply overwhelm the network links and/or the firewall devices and intermediate routers and bridges with more packets than they can filter per unit time, thereby effectively blocking out desired traffic and preventing legitimate users from using the system.
U.S. Pat. No. 5,416,842 relates to a method and apparatus for a key-management scheme for use with internet protocols at site firewalls. It requires encryption and is very processor intensive. It is a centralized approach to the network security problem that is vulnerable to attacks that can overwhelm the unit.
U.S. Pat. No. 5,623,601 relates to an apparatus and method for providing a secure gateway for communication and data exchanges between networks. This discusses a network security system that requires every communication to go through a single gateway that must perform all the processing and is vulnerable to overloading.
U.S. Pat. No. 5,548,646 requires the use of encryption for every secure transmission and every transmission must undergo examination to determine if additional security is needed. Thus, every packet requiring security must undergo additional computing steps to encrypt it at the sender's site. Additional computation is required to encapsulate the transmission at the sender side. Additional time consumption occurs at the receiving side which must decrypt (and in many cases, decapsulate) secure messages. The system described in this patent could become a performance bottleneck under a heavy load and appears vulnerable to “denial of service attacks”.
Most known network security systems depend on one centralized unit to handle communications for each network. One method seems to briefly recognize this as a significant limitation but does not really suggest a good solution, and is in any case a limited method that remains subject to denial of service attacks. Publications IDPR (RFC 1479) and IDRP mention some methods that could increase security.
Most need a device with enough capacity to handle all traffic going into and out of the network. Most need complex setup protocols and/or security keys. Many require encryption. Most are not distributed, and they typically require higher-level processing for each communication, which is processor intensive and time consuming.
SUMMARY OF THE INVENTION
Briefly, in accordance with the invention, the present situation can be improved upon by limiting access to nodes, routes and other networking devices. Routers, firewalls, ingress nodes, and switches can be informed which destination networks and routes should be allowed to which source nodes or networks. A security filtering system enables distributed granting of admission for transmission of signals onto the network, provides distributed admission control, and provides a distributed firewall. The distributed security system provides a protocol for transmitting to a node a location and a list of nodes or networks that are allowed access to the various nodes and services.
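As an added illustration of the precomputation described in the background and summary (this is example code written for this page, not code from the patent or its assignee), the following Python sketch compiles a global allow-policy into per-ingress-node tables: each edge node holds routes only for destinations that some source behind it is permitted to reach, and the admission decision is made at the ingress node without consulting a central firewall. The policy, node names and addresses are constructed for the example.

```python
"""Precomputed, distributed admission control (illustrative example, not the patent's code)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed policy: destination network -> source networks allowed to reach it.
POLICY = {
    "10.1.0.0/16": ["192.0.2.0/24", "198.51.100.0/24"],  # general internal servers
    "10.2.0.0/16": ["198.51.100.0/24"],                  # restricted subnet
    "10.3.0.0/16": [],                                   # reachable from no external source
}

# Constructed topology: ingress node -> source networks that enter through it.
INGRESS = {"edge-A": ["192.0.2.0/24"], "edge-B": ["198.51.100.0/24"]}


def precompute_tables(policy, ingress):
    """Build, once and in advance, the route/allow table each ingress node needs.
    A node only receives routes to destinations that a source behind it may reach,
    so an unauthorized destination is simply not routable from that node."""
    tables = {}
    for node, sources in ingress.items():
        table = defaultdict(list)
        for dest, allowed_sources in policy.items():
            for src in sources:
                if src in allowed_sources:
                    table[ip_network(dest)].append(ip_network(src))
        tables[node] = dict(table)
    return tables


def admit(tables, node, src_ip, dst_ip):
    """Admission decision taken at the ingress node; no central unit is consulted."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for dest_net, allowed in tables.get(node, {}).items():
        if dst in dest_net:
            return any(src in s for s in allowed)  # destination routed here: check source
    return False  # no route to dst was distributed to this node: drop at the edge


def process(tables, packets):
    """Run (node, src, dst) packets through their ingress nodes.
    Returns per-node [admitted, dropped] counts, showing the filtering load is
    spread across edge nodes rather than concentrated in one firewall."""
    stats = defaultdict(lambda: [0, 0])
    for node, src, dst in packets:
        stats[node][0 if admit(tables, node, src, dst) else 1] += 1
    return dict(stats)
```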


REFERENCES:
patent: 5416842 (1995-05-01), Aziz
patent: 5548646 (1996-08-01), Aziz
patent: 5623601 (1997-04-01), Vu
patent: 5748736 (1998-05-01), Mittra
patent: 5828893 (1998-10-01), Wied et al.
patent: 5835726 (1998-11-01), Shwed et al.
Bellovin, S.M., “Network firewalls,” IEEE Communications Magazine, pp. 50-57, Sep. 1994.
U.S. application No. 08/979,037, Segal, filed Nov. 26, 1997.
U.S. application No. 08/979,863, Segal, filed Nov. 26, 1997.
U.S. application No. 08/977,768, Segal, filed Nov. 26, 1997.
