EP1118056A1 - Method and system for protecting operations of trusted internal networks - Google Patents
- Publication number
- EP1118056A1 (application EP98942989A)
- Authority
- EP
- European Patent Office
- Prior art keywords
- message
- simplified
- external
- internal
- protocol
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Links
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Definitions
- the present invention pertains to methods and systems for preventing
- Some of the primary existing solutions, such as firewalls, are
- For example, a web server or application server operating on an internal, trusted network is very often connected to external networks such as the Internet in a
- the server may have bugs in its operating system, or its protocol stacks may have peculiarities that invite mischievous interference.
- a particular application that is using the server to communicate with the outside world may be a legacy application or one that is simply not well designed for operation in the hostile on-line environment. This one application may make the rest of the operations in that protected environment vulnerable.
- the protective measures currently made available for blocking such outside interference and assuring internal operational integrity fall short of that goal both in theory and in practice.
- These conventional measures as described briefly below, include dual-homed firewalls, bastions, filtering, hardened operating systems, and access servers. Dual-homed firewalls perform network address translation and filtering on data packets at the network level, e.g., TCP/IP packets.
- These firewalls also translate the server-based addresses, addresses made available by the internal network's domain name system for use by incoming data packets, into addresses internal to an organization's internal network. Only the data packets that have passed inspection by the packet filter's access control list (ACL) receive the internal addresses. For instance, the ACL may permit file transfer protocol (FTP) traffic to pass only if it is addressed to a certain part of the trusted environment.
- FTP file transfer protocol
- Application level proxy operations or bastions are types of firewalls that separate external client applications, which may be hostile, from the internal server's operations. This operational separation is achieved by the proxy's simulating a server side application to an independent client, while simulating the client side application to an independent server. Application data is passed between these two simulated proxy halves. Context filtering involves accumulating a table of data related to incoming packets and authorizing a session only if the data for these packets is consistent with session criteria for that data.
- Hardened operating systems reinforce the application server against exploitation and against bugs affecting the operating system.
- the separation of the client and server within a bastion server can be enhanced by disabling the forwarding of incoming messages using their native protocol.
- Disabling all TCP/IP forwarding assures that the message forwarded is in a format different from its native TCP/IP format.
- Barricaded operating systems are further hardened by stripping away all but a severely-limited set of functions, so that the processors respond to incoming messages only as daemons, as discussed in U.S. Patent No. 5,778,174.
- Access servers are used to enhance application level security within a network by performing access-control filtering tasks on specially-secured machines, in addition to access control at the network level.
- Bastion servers act at the higher, application-level of the open systems interconnection model as proxies for the internal server.
- These proxy servers screen the data payload of incoming packets using rules specific to each application. These rules bar given formats, syntaxes, or combinations of these from being passed through the proxy. However, these rules may hide valuable data from the internal system.
- proxies have been seen as bottlenecks, which makes the use of "cut-through" strategies attractive, because they use proxies only intermittently.
- Application-level filtering has also been seen as a security architecture that is not readily scaled up to meet increased volume and diversity in the data stream.
- New opportunities for unauthorized access are added each time new functions are added to an internal system. For example, when a bank opens up bank-at-home access for customers, it creates an opening through a firewall that provides a TCP/IP filter and an authorization proxy into the bank's virtual private network (VPN). If the design of the legacy accounting software formerly used only by bank employees still permits administrative correction of accounts, the accounts are vulnerable to hackers despite the firewall and the private network. In another example, if a publisher adds "guest account" access to a list of book previews to its server's functions, the list of the books previously available in full text only to authorized employee and customer accounts may become vulnerable to hacking.
- a security gateway system positioned between an external, untrusted computing environment and an internal, trusted computing environment that converts messages received from the external environment into simplified messages and converts the simplified messages into messages suitable for use on the internal environment.
- the conversion involves the removal of external environment transfer protocols and the reduction of the content of the messages left after removing the protocols into a simplified representation of the content to create a simplified message.
- the simplified representation is then converted to an internal message by converting the simplified representation to a representation appropriate to the internal environment, including to applications operating on the internal environment, and adding internal environment protocols, including application protocols, to the converted message.
- Simplified representations exist for some but not necessarily all types of content which may be received from the external environment, thus limiting the content which may be passed from the external to the internal
- the security gateway system protects a computer, a computer resource, a network or sub-network from computer security policy breaches and from attacks such as intrusions that exploit an operating system to damage files, flood buffers, or activate an application-program bug that compromises the confidentiality or performance of the application.
- the gateway system is a robust, thorough, effective, and elegant solution to the problem of protecting the security and integrity of a trusted network, computer and the applications executing on them. Furthermore, the gateway system has an architecture which is conducive to simpler verification, improving the robustness of the system and the protection afforded to the trusted environment.
- the security gateway system includes independently-controlled complementary computer processing entities that
- the robots are implemented in two independent computers.
- the security gateway resides within a single computer that is linked to both external and internal environments, such as a network including terminals accessible to unauthorized persons or simply a less-secure resource in the same computer.
- the gateway system may include a monitor program to create a protected, virtual machine on a single processor and insure the separation of the two robots' resources and their operational independence.
- the robots may be two independent computer processes that execute in alternate time slices on a single CPU. Alternatively, one of these processes executes on an add-in CPU processor.
- the robot processes isolate the internal and external environments from each other, so that the single computer itself separates the trusted environment from an untrusted environment.
- the robots pass messages to each other over a dedicated communication link using a transport protocol internal to the security unit. Because the communication link connects only the two robots, the transfer protocol may be very simple, having meta data about the content of the simplified message such as length and number of data items, but need not have any routing information.
- the message format and the format of the payload or content of the message is translated and then re-translated by the robots using a translator and interpreter for an internal application protocol specific to the application protocol ofthe message received by the security system.
- the second robot converts the data from the respective internal protocol, interpreting it as data compliant with the original application or transfer protocol, respectively, and with the security policy of the trusted environment. Spurious data is thus eliminated by this methodology. Because the security gateway system only transmits compliant data, and the data is transmitted and received only in non-standard protocol formats, even if the external robot is compromised it cannot pass harmful commands to the internal robot.
- compliant data may also be verified by acceptance tests.
- the acceptance test is an access-control test in which the data must also be compliant with a list of valid users and the actions that are authorized for those users.
- a context-sensitive acceptance test is used to provide privileged access to graphical or audio devices.
- the internal robot receives only safe inputs, the internal robot can be relatively simple. Because it is relatively simple, it can be formally verified with relative simplicity. Since the reliability of this internal robot is critical to the security of the trusted environment, the confidence level for the trusted environment is extremely high. Furthermore, the gateway system only transmits compliant data across the communications link between robots, and the data is transmitted and received only in the non-standard ART protocol formats not implemented outside the security gateway. Thus, even if the external robot is compromised it cannot pass harmful commands to the internal robot. As a result, formal verification of the internal robot serves as formal verification ofthe gateway system as a whole.
- the delineation of a trusted internal computing environment is an arbitrary one that can be applied to a specific computer resource, such as a disk drive, memory space or add-in card, or expanded to include an entire computer or network.
- the untrusted external environment can be thought of as including everything that is not a part of the trusted environment or only focus on particularly problematic areas such as the Internet.
- protecting a company's internal network as its trusted environment includes protecting it from any security breach or attack incident to information exchanges with the networks operated by vendors and suppliers who access the company's inventory data, and with company employees dialing in from remote locations or using Internet connections, and so on.
- Fig. 1a is a block diagram of a gateway system connected between an internal and external computing environment of one preferred embodiment of the present invention
- Fig. 1b is a block diagram showing an alternative architecture for a gateway system connected between an internal computing environment connected to the Internet in accordance with the present invention
- Figs. 2a and 2b are block diagrams of the external and internal robots, respectively, shown in Figs. 1a and 1b;
- Fig. 3a is a flow chart showing a process of processing incoming data performed by the apparatus of Fig. 1a in accordance with an embodiment of the
- Fig. 3b is a flow chart showing the process shown in Fig. 3a in greater detail, referring to elements of the block diagrams shown in Figs. 2a and 2b;
- Fig. 4a is a flow chart showing a process of processing outgoing data performed by the apparatus of Fig. 1a in accordance with an embodiment of the present invention
- Fig. 4b is a flow chart showing the process shown in Fig. 4a in greater detail, referring to elements of the block diagrams shown in Figs. 2a and 2b;
- Fig. 5 is a flow diagram of the Protocol Manager module shown in Figs. 2a and 2b;
- Fig. 6 is a block diagram of the object repository and a session sub-module for the apparatus shown in Fig. 5;
- Fig. 7 is a flow diagram showing a process for converting data from an application protocol to a simplified internal protocol in accordance with one embodiment of the present invention;
- Fig. 8 is a flow diagram showing a process for converting data from a simplified internal protocol to an application protocol in accordance with one embodiment of the present invention.
- Fig. 9 is a sample of a protocol entity table shown in the apparatus of
- a network security gateway 10 is connected between an internal computing environment 12 and an external computing environment 16.
- the internal computing environment contains a web server 13, which may belong to a web subnet, and a sensitive system server 14.
- the external environment 16 may be any environment external to the web and system servers 13, 14, but typically includes the Internet.
- the gateway 10 is connected to the internal system server 14 via communication bus 20a, to the web server 13 via bus 20b, and to the external environment via bus 22. These buses may be implemented as Ethernet connections using conventional network interface cards such as Ethernet PCI cards, or may be implemented as serial connections using a V.35 interface. Other connection methods may be used as known to those of skill in the art.
- the buses 20a, 20b, and 22 may use the same or different types of connections.
- the security gateway 10 contains two separate and distinct processing entities 24, 26, referred to herein as robots, connected via a dedicated, secure communication bus 28.
- the internal robot 24 is connected to the web server 13 and system server 14 via the buses 20b, 20a, respectively, and the external robot 26 is connected to the Internet or other external environment 16 via the bus 22.
- each robot is capable of translating or reducing a communication or message received from the respective environment to a simplified message using a simplified protocol format referred to herein as a clear inter-protocol or CIP, transmitting the CIP message to the other robot using the inter-robot bus 28 using an inter-robot transfer protocol or IRP, and translating such CIP messages received from the other robot into messages formatted for the respective environment.
- CIP clear inter-protocol
- the security gateway 10 is connected to an organization's internal networks in the following manner.
- An application proxy is connected through bus 20a to the internal system server 14, and a web proxy is connected through bus 20b to the web subnet wherein the web server 13 resides.
- the embodiment described with reference to Fig. la services a single internal environment with a single server running a single application, and a single web-server in a single web-subnet, for reasons of simplicity and ease of implementation.
- the principle of replication and extension of the gateway system 10 is a system design parameter understood by those of skill in the art.
- Fig. lb illustrates an alternative architecture which may be used for the internal environment 12a.
- a LAN server 13a is connected to the internal robot 24 via several interfaces 20a, 20b, 20c.
- the LAN server 13a services communications for a number of internal application servers 14a-14f, including for example an SQL database server 14a and a banking server 14b having its own additional server security process 11 that provides access control and other security measures.
- the three interfaces 20a, 20b, and 20c provide for a variety of communication protocols to be used, including one 20a for issuing SQL commands to the SQL database server 14a, one 20b for transmitting email and web communication protocols including CGI calls within HTML data, and one 20c for high security financial communication protocols specific to the banking server 14b.
- Corresponding multiple interfaces 22a-22c may be provided between the external robot 26 and the external environment 16 to receive messages having various communication protocols. There may be a separate processing module for each message protocol, or this combination may be streamlined to provide one module for the "gateway" transfer protocols implemented in the security gateway, one for "middleware" protocols that bypass the web server, perhaps also one for encryption protocols and one for application protocols.
- the streamlined alternative reduces the system overhead incurred by the double filtering of HTTP-protocol messages that otherwise occurs to less than that of a linear addition, while being free of obvious security flaws or leaks and still blocking tapping.
- a very "strong" machine with advanced operating system performance and features, such as a SUN SPARC station is required to run it, adding to its overall cost for low-end users.
- the advantage of the modular design is the economies of being able to selectively implement additional protocols by adding individual modules specific to the tasks at hand.
- the internal communications bus 28 connects the respective robots 24, 26 in accordance with the serial bus, parallel bus or universal serial bus standard.
- the internal bus 28 linking the two robots may, alternatively, be a SCSI bus, fiber-optic, a network interface link or even a radio link, where the robots must operate over a greater distance, VMM-protected shared memory, or the like.
- the robots 24, 26 are two separate and independent logical processes that execute routines defined by respective security gateway software packages.
- the robots 24, 26 may be installed on two separate processing devices, or on a single processing device operating one or both of the robots 24, 26 in protected mode.
- the respective software packages are installed on two or more respective separate CPUs, for the sake of simplicity and off-the-shelf component availability.
- each robot runs on a single independent computer processor with non-shared resources assigned to it (for example, disk space, memory address, network adapter, various peripherals, and the like).
- the only shared resource in this approach is the communication bus 28.
- Several configurations may be used to implement this approach.
- One such configuration is different independent computers (PCs) connected by a communication bus like a serial line, SCSI line and the like, with each PC having at least another network adapter for communicating with the internal network or the rest of the external world.
- one robot program may run on a computer (PC) and the other on an add-on card, which may be a dedicated card or device, or a standard card (like Intel 80x86 add-on card), installed in one slot of the PC, with this slot serving as the communication bus 28.
- Both the PC and the add-on card have at least one additional network adapter for communicating with the internal network or the rest of the external environment.
- the two robot programs may also be run on different independent processors implemented on a standard (e.g., dual Intel 80x86 processors card) or a dedicated add-on card. These two processors are connected by a communication bus like a SCSI line, IDE bus, PCI bus, and the like.
- Each robot also includes at least another network adapter for communicating with the internal environment 12 or the external environment 16.
- This add-on card is installed in a standard or dedicated network communications device like a router, bridge, communication server, and the like.
- the two robots 24, 26 are implemented on a single CPU using a protected mode such as the VM86 mode provided by VMM and Pentium technology. For example, in a single CPU running the Windows NT (WinNT) operating system, each robot, or at least the external robot 26, is operated in protected mode under the supervision of a monitor program or "mediator" which prevents each robot from affecting the operation of the other and the rest of the CPU's environment.
- the monitor program also negotiates the communication of data between them, implementing the communication channel 28 between them using shared memory resources and a special API for each protected mode.
- the two software robots 24, 26 are separated by the CPU under the control of the VMM program in a way that each robot is assigned some resources of the computer (such as disk space, memory address range, peripheral devices like floppy disks or tape drives) which are not shared with the other robot, and the policy of separation is enforced by the VMM program.
- the communication bus 28 is shared by the two robots 24, 26, and this bus 28 may be implemented, for example, by a dedicated memory address space.
- the VMM and the robots running in their private environments may be executed on a dedicated computer. They may also run on a non-dedicated computer, in which case certain modification to the standard OS (e.g., Windows) might be necessary in order to force it to run in a protected mode.
- the VMM program controls all the events at the CPU level, and enforces the two virtual processing entities on a single CPU machine by hardware interrupts.
Structure and Operation of the External and Internal Robots
- the external robot 26 contains a channel manager 4a for wrapping outgoing CIP messages to the internal robot 24 in the inter-robot protocol or IRP and removing the IRP from incoming messages.
- the external robot also contains a network proxy 4e which wraps messages in TCP/IP or other transfer protocols used in the external environment 16. These protocols may include TCP/IP, UDP, SPX/IPX, HTTP, SNA, NCP, CORBA, RMI, RPC, or other communications transfer protocols.
- the CIP is also specific to the application protocol used, such as SMTP, POP3, SQL, CGI, and applications-specific protocols such as those used in banking.
- where the protected environment 12 uses the secure hypertext transfer protocol (S-HTTP) over TCP/IP (or a similar security scheme, e.g. SSL) and structured query language (SQL) over TCP/IP, as well as a specialized financial communication protocol and application protocol, the robots may need respective complementary sets of at least three CIP protocol stacks.
- SQL structured query language
- the external robot further contains a routing manager 4b for routing CIP or application format messages between the various elements ofthe external robot 26, a protocol manager 4c connected to the routing manager 4b for reducing a message from the application format received from the external environment 16 to the CIP in accordance with procedures described further below, and a Communication Layer Security (CLS) routine 4d which provides decryption and authentication services for the security gateway 10 under the direction of the routing manager 4b.
- CLS Communication Layer Security
- the protocol manager 4c reduces the native-application protocols it receives from the untrusted environment into a respective CIP format for its particular native protocol(s).
- the channel manager 4a in the external robot 26 then moves the CIP formatted data onto the inter-robot communication bus 28.
- the internal robot 24 has an architecture similar to the external robot 26.
- the internal robot 24 thus contains a channel manager 2a similar to channel manager 4a ofthe external robot 26, a routing manager 2b, a protocol manager 2c, and a number of proxies depending upon the architecture of the internal environment.
- the proxies include an application proxy 2e and a web proxy 2f.
- Data received by the channel manager 2a of the internal robot 24 is forwarded to its protocol manager 2c under the direction of its routing manager 2b to be retranslated from the CIP format back into the respective native application protocols. The retranslated result is then sent to the internal environment 12, either through the application proxy 2e and the bus 20a, or through the web proxy 2f to the web server 13, which responds with a data stream that is sent back to the gateway 10 through the bus 20b to the web proxy 2f and then redirected into the protected system server 14.
- the communication between the external robot and the internal robot is carried out solely through a dedicated simple inter-robot protocol or IRP, over the dedicated inter-robot bus 28.
- the data is translated using a security protocol specific to the application protocol of the data received and internal to the security gateway operation.
- Applications within the trusted environment can configure the robots to authorize data flows using selected communications transfer protocols (CTP), such as the simple mail transfer protocol (SMTP), file transfer protocol (FTP) and secure electronic transfer (SET) protocol.
- CTP communications transfer protocols
- SMTP simple mail transfer protocol
- FTP file transfer protocol
- SET secure electronic transfer
- the CIP assigned to a communication is specific to the CTP in use.
- any breach of the permitted flow sequences by disorderly operating system calls or looping will be trapped and logged.
- a GET command cannot be recognized unless preceded by a successful login sequence including the USER command, followed by a PASS command. Violation of the required flow order will cause an alarm to be logged and terminate the FTP session.
- the gateway 10 further enforces data flow requirements, since each translator and interpreter pair is a pair of ad hoc transforms derivative of the protocol used in the incoming message and the types of data flow permitted by the security administrator. For example, if an external SMTP user issues the "MAIL FROM" command, the external server will send the ART equivalent of a "MAIL FROM" command, only when it follows a "HELO" command.
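The flow-order enforcement described in the FTP and SMTP examples above, as an added Python example that is not the patent's own code. The state tables are assumed simplifications of the two protocols (USER then PASS before GET; HELO before MAIL FROM), and the audit-log entries record the items the logging passage lists (time stamp, session, state, command, rule firing or flow violation); the field names are likewise assumptions.

```python
"""
Added example, not from the patent: a per-session flow-order enforcer
of the kind the text describes.  FLOWS lists the only permitted
(state, command) transitions; anything not listed is a flow violation,
which is logged as an alarm and terminates the session.
"""
from __future__ import annotations
import time

# Permitted flow sequences: (state, command) -> next state.  Assumed
# simplifications; real FTP and SMTP have more states and commands.
FLOWS = {
    "FTP": {
        ("start", "USER"): "user",
        ("user", "PASS"): "authed",
        ("authed", "GET"): "authed",
        ("authed", "LIST"): "authed",
        ("authed", "QUIT"): "closed",
        ("start", "QUIT"): "closed",
    },
    "SMTP": {
        ("start", "HELO"): "greeted",
        ("greeted", "MAIL FROM"): "mail",
        ("mail", "RCPT TO"): "rcpt",
        ("rcpt", "RCPT TO"): "rcpt",
        ("rcpt", "DATA"): "data",
        ("data", "."): "greeted",
        ("greeted", "QUIT"): "closed",
    },
}


def parse_command(proto: str, line: str) -> str:
    """Extract the verb in the form the flow tables use."""
    upper = line.strip().upper()
    if proto == "SMTP":
        for verb in ("MAIL FROM", "RCPT TO"):
            if upper.startswith(verb):
                return verb
    if upper == ".":
        return "."
    return upper.split(" ", 1)[0]


class FlowSession:
    """One external session.  feed() returns True when the command is in
    order (and may be translated onward) or False when the session has
    been terminated; every decision is appended to the shared audit log."""

    def __init__(self, proto: str, session_id: str, log: list[dict]):
        self.table = FLOWS[proto]
        self.proto = proto
        self.sid = session_id
        self.state = "start"
        self.log = log

    def _record(self, event: str, command: str) -> None:
        # Time-stamped record of state, command and rule outcome.
        self.log.append({
            "ts": time.time(),
            "session": self.sid,
            "proto": self.proto,
            "state": self.state,
            "command": command,
            "event": event,
        })

    def feed(self, line: str) -> bool:
        if self.state == "closed":
            self._record("ignored-after-close", line)
            return False
        command = parse_command(self.proto, line)
        nxt = self.table.get((self.state, command))
        if nxt is None:
            # Out-of-order command: log the alarm and terminate the session.
            self._record("flow-violation", line)
            self.state = "closed"
            return False
        self._record("rule-fired", line)
        self.state = nxt
        return True


def run_session(proto: str, session_id: str, lines, log=None):
    """Feed a command transcript; returns (commands passed, audit log)."""
    log = [] if log is None else log
    session = FlowSession(proto, session_id, log)
    passed = []
    for line in lines:
        if not session.feed(line):
            break
        passed.append(line)
    return passed, log


# Constructed transcripts (not captured traffic).
FTP_OK = ["USER alice", "PASS s3cret", "GET report.txt", "QUIT"]
FTP_ATTACK = ["GET /etc/passwd"]                    # GET with no login
SMTP_ATTACK = ["MAIL FROM:<x@y>", "RCPT TO:<root@z>"]  # MAIL FROM before HELO

if __name__ == "__main__":
    for proto, sid, lines in (("FTP", "f1", FTP_OK),
                              ("FTP", "f2", FTP_ATTACK),
                              ("SMTP", "s1", SMTP_ATTACK)):
        passed, log = run_session(proto, sid, lines)
        print(proto, sid, "passed:", passed)
        for entry in log:
            if entry["event"] == "flow-violation":
                print("  ALARM", entry["session"], entry["state"], repr(entry["command"]))
```

Only commands that pass feed() would be reduced to the simplified representation and forwarded; the first out-of-order command ends the session, so a GET issued before the USER/PASS exchange never reaches the translator.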
- Figs. 3a and 3b show the data flow implemented by the apparatus shown in Figs, la, 2a and 2b.
- communications packets received from the external environment 16 are time stamped and logged by the external robot 26, step 50, followed by the data-security processing functions such as decryption to plain data.
- Logging is initiated by a synchronous API module within the security gateway on a "write once" media (e.g. CDW).
- the logging process performs sparse notations of program state changes, time-stamped message- IDs, system errors, access and flow violation attempts, rule firing for each packet, etc.
- Each service module is automatically periodically polled to maintain a complete audit trail of every administrator action, user login/logout, database error, simple network management protocol (SNMP) trap or alarm.
- a database of known intrusion patterns is provided and habitual usage patterns of groups within the trusted environment are monitored and the administrator notified of incidents that diverge from that pattern.
- the log is accessed locally only through the internal, trusted terminal.
- external logs are securely copied to the internal record using the internal CIP protocol corresponding to the external log's native protocol and interpreted into an item format distinct from that used by internal entries, to further frustrate counterfeiting.
- the external logs may be written to a separate system to decrease the overhead imposed on the internal robot by the logging process.
- a "dual Channel Manager structure" wherein there is an additional Channel Manager in each robot, dedicated for logging messages, may also be used.
- the software to handle the logging may use the ACE package or any other commercial product for the implementation.
- the internal and external logs are recorded asynchronously, using a logger daemon, so that logged items go immediately to the written record without waiting in vulnerable queues during thread lockouts or I/O busy states.
- This can be implemented by an asynchronous wrapper using generic OS logging, such as UNIX's Syslogd & MSEventLogger for errors and violations, and an ODBC-standard file structure for the transactional information concerning program state and messages.
- the Open Database Connectivity (ODBC) logger has some asynchronous behavior options, but they are not directly applicable, so it may not represent a realistic alternative.
- step 60 the plain data is edited to reduce it to clear data and then translated into CIP format, after which the CIP format is sent over the security gateway's internal communication bus 28 to the internal robot 24.
- step 70 the internal robot 24 retranslates, and perhaps also reconstructs, the data from its CIP format back to the format native to the application it is addressed to, perhaps introducing some further editorial changes.
- step 90: if the data belongs to a web session (HTTP), it is first sent to the web server 13; the web server 13 may then initiate an application request, sending a response back to the Internet source of the data the web server received, back through the network security gateway 10, while the data proceeds to its destination, as noted in step 100. If, on the other hand, the data does not belong to a web session, such as data communicated directly to the application server, then the internal robot simply sends that data to the application proxy 2e and over the bus 20a to the internal environment 14, comprising step 100 and finishing the security gateway's security-assurance process at step 104.
- a TCP/IP packet or some other basic unit of data associated with a suitable communications protocol for the media available, is received by a security gateway proxy 4e corresponding to that protocol, through the external bus 22, it is logged in by the external robot at step 51.
- This records the packet's ID number and operational state codes representing the transfer steps completed for the packet.
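The asynchronous logging arrangement described above (a wrapper in front of the OS logger so that a packet's ID and state codes reach the written record without the robot thread blocking on log I/O) can be sketched with the standard library's queue-based logging handlers. This is an added example, not code from the patent; the state-code values, the logger name and the in-memory sink standing in for syslogd or the event log are constructed for the example.

```python
import logging
import queue
from logging.handlers import QueueHandler, QueueListener

# Constructed state codes for the transfer steps a packet has completed; the
# page names the steps (51, 53, 61, 64 ...) but does not fix the code values.
STATE_RECEIVED = 51
STATE_UNENCAPSULATED = 53
STATE_TRANSLATED_TO_CIP = 61
STATE_SENT_TO_INTERNAL = 64


class MemoryRecordHandler(logging.Handler):
    """Offline stand-in for the OS log daemon (syslogd / event logger)."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


class AsyncAuditLog:
    """Non-blocking audit log: the packet path only enqueues, a listener thread writes."""

    def __init__(self, sink: logging.Handler, name: str = "gateway.audit"):
        self._queue = queue.SimpleQueue()
        self._listener = QueueListener(self._queue, sink, respect_handler_level=True)
        self._logger = logging.getLogger(name)
        self._logger.setLevel(logging.INFO)
        self._logger.propagate = False
        self._logger.handlers = [QueueHandler(self._queue)]
        self._listener.start()

    def record_state(self, packet_id: int, state_code: int, note: str = "") -> None:
        # Called from the robot's packet path; returns immediately regardless of sink I/O.
        self._logger.info("packet_id=%d state=%d %s", packet_id, state_code, note)

    def violation(self, packet_id: int, reason: str) -> None:
        self._logger.warning("packet_id=%d violation=%s", packet_id, reason)

    def close(self) -> None:
        # Drains the queue before the listener thread exits, so nothing is lost on shutdown.
        self._listener.stop()


def demo_inbound_packet():
    """Logs the first steps of one inbound packet and one violation; returns the written records."""
    sink = MemoryRecordHandler()
    sink.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    audit = AsyncAuditLog(sink)
    audit.record_state(17, STATE_RECEIVED, "proxy 4e")
    audit.record_state(17, STATE_UNENCAPSULATED, "routing manager 4b")
    audit.violation(18, "unauthorized command")
    audit.close()
    return sink.records


if __name__ == "__main__":
    for line in demo_inbound_packet():
        print(line)
```

The sink would normally be a `logging.handlers.SysLogHandler` or an ODBC-backed handler; the queue in between is what keeps a slow or locked sink from stalling the robot thread.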
- this robot is barricaded, detailed logs
- the security gateway proxy 4e after having removed the encapsulation provided by TCP/IP or by some other transport protocol used for communicating the data to the security gateway, sends the data to the routing manager 4b which forwards it to the Communication Layer Security (CLS) module at step 53.
- the CLS module decrypts the SSL format of the message, if such encryption is present (or any other security scheme, e.g. S-HTTP), and interfaces with and mediates information required by "mechanisms" that authenticate the identity of the sender, if such authentication is needed, thus providing plain application-format data to the routing manager 4b.
- the public key infrastructure is used for the decryption.
- the routing manager 4b then sends the plain application-format data to the protocol manager 4c which edits the application data into clear data and translates it into CIP format at step 61.
- the protocol manager 4c then moves the CIP data back to the routing manager 4b at step 62.
- the routing manager 4b sends the CIP data on to the channel manager 4a at step 63, which encapsulates the CIP data using the IRP, transmitting this IRP-encapsulated CIP-format data to the internal robot 24 over the internal communication bus 28 in step 64.
- the IRP transport protocol may encapsulate CIP data originating from different native application and transport protocols.
- the CIP-format data, encapsulated in accordance with the internal IRP transport protocol, is received from the internal-communication bus 28 by the channel manager 2a in step 71.
- the channel manager 2a removes the IRP encapsulation and sends the CIP-format data to the routing manager 2b in step 72, which sends the CIP-format data to the protocol manager 2c in step 73.
- the plain application-format data decrypted by the external robot 26 from communications received through the external bus may not be identical to the clear data in native application format that is supplied to the trusted environment 14 by the network-security gateway 10 over the internal communication bus 20a.
- Some additional acceptance test may be applied to the data at this point in order to further verify the legitimacy of the data.
- Provision is made in the architecture of the present invention to allow for third party integration of processing modules, to enhance the adaptivity and flexibility of the system.
- These modules, hereinafter referred to as "Plug-Ins," are callable at various places in the process flow of the apparatus, both in the external and the internal robots.
- An example of a useful such plug-in is the access-control as described immediately below, applied at the internal robot after the CIP is interpreted, possibly at the Protocol Entity level as described later with reference to Figs. 5-7.
- the protocol manager controls access control through editing its rules.
- the protocol manager invokes access control by sending it four query parameters: actor, action, resource and attributes.
- Context-sensitive testing may be used to identify redundant messages that are received more than three times from the same source.
- the access-control plug-in must then also have reading access to the transactions log maintained by the security gateway 10 in order to make such context-sensitive determinations. For this reason, intrusion detection may also use the access-control interface to the log.
- the access control logic (ACL) may be extracted from monitoring network activity or by extracting rules from the responses of the network administrator to packets parsed under the control of the administrator.
- the concept of automatic and/or guided, semi-automatic recognition of flow, access-rules, access-lists and valid/invalid data is intended to supply, along with the apparatus itself, a utility which will intercept all the traffic to and from the secured servers, analyze this traffic and produce a list of users, their allowed activities, and other relevant parameters (time and date of the action, etc.). It is also intended to provide a utility which will extract access information from the server itself, be it a Windows/NT server (registry, etc.) or a UNIX station (/etc/passwd, etc.).
- ACL data is imported into the gateway 10, partly in off-time (initialization), and partly on-line (updates).
- Security standards implemented may include RADIUS and TACACS RAS standards, the TSS mainframe standard, or the modern alternatives: NIS, NT domain.
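An access-control plug-in of the kind described above, answering the protocol manager's four-parameter query (actor, action, resource, attributes), taking ACL data by initial import and on-line update, and using read-only access to the transactions log for the context-sensitive redundancy test. This is an added example, not the patent's own code; the rule format, the `max_amount` attribute constraint, the message digests and the log entries are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class AclRule:
    """One imported ACL entry (constructed format; the page does not fix the rule syntax)."""
    actor: str                          # user or group name, "*" for any actor
    action: str                         # e.g. "VIEW", "PRINT"
    resource: str                       # e.g. "bill"
    max_amount: Optional[int] = None    # example attribute constraint (constructed)


class AccessControlPlugin:
    """Plug-in invoked by the protocol manager with actor, action, resource and attributes."""

    REDUNDANCY_LIMIT = 3   # a message received more than this many times from one source is redundant

    def __init__(self, transactions_log: List[Dict]):
        self._rules: List[AclRule] = []
        self._log = transactions_log     # read access only: the plug-in never writes here

    def import_rules(self, rules: Iterable[AclRule]) -> None:
        """Initial (off-time) load or on-line update of ACL data."""
        self._rules.extend(rules)

    def is_allowed(self, actor: str, action: str, resource: str, attributes: Dict) -> bool:
        for rule in self._rules:
            if rule.actor not in ("*", actor):
                continue
            if (rule.action, rule.resource) != (action, resource):
                continue
            if rule.max_amount is not None and int(attributes.get("amount", 0)) > rule.max_amount:
                continue
            return True
        return False                     # default deny: no rule matched

    def times_received(self, source: str, digest: str) -> int:
        """How many earlier copies of this message the transactions log holds from this source."""
        return sum(1 for t in self._log if t["source"] == source and t["digest"] == digest)

    def is_redundant(self, source: str, digest: str) -> bool:
        # Counting the message now under examination, has it arrived more than the limit?
        return self.times_received(source, digest) + 1 > self.REDUNDANCY_LIMIT

    def query(self, actor: str, action: str, resource: str, attributes: Dict,
              source: str, digest: str) -> Tuple[bool, str]:
        """Combined verdict with a reason the robot can write to the violations log."""
        if self.is_redundant(source, digest):
            return False, "redundant message"
        if not self.is_allowed(actor, action, resource, attributes):
            return False, "no matching ACL rule"
        return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    # Constructed transactions log: three earlier copies of one VIEW request from 10.0.0.5.
    log = [{"source": "10.0.0.5", "digest": "view-bill-42"} for _ in range(3)]
    acl = AccessControlPlugin(log)
    acl.import_rules([
        AclRule("alice", "VIEW", "bill"),
        AclRule("*", "PRINT", "bill", max_amount=500),
    ])
    return {
        "alice_view": acl.query("alice", "VIEW", "bill", {}, "10.0.0.9", "view-bill-7"),
        "bob_view": acl.query("bob", "VIEW", "bill", {}, "10.0.0.9", "view-bill-7"),
        "big_print": acl.query("bob", "PRINT", "bill", {"amount": 900}, "10.0.0.9", "print-9"),
        "replayed": acl.query("alice", "VIEW", "bill", {}, "10.0.0.5", "view-bill-42"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Because the plug-in only reads the log, the same interface can serve an intrusion-detection module, as the text notes; the redundancy check is one instance of a context-sensitive test, and more such tests can be added to `query` without changing the protocol manager's four-parameter call.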
- the protocol manager 2c sends the application-format data back to the routing manager 2b which determines its destination. If the data is to be sent directly to the application, it proceeds to step 101. If the data was addressed to the web-server, e.g., if its application format is HTTP, the routing manager 2b sends the application format data to the web proxy 2f at step 91, which re-encapsulates it as a TCP/IP packet, or whatever other suitable transfer protocol is in the protocol stacks being used by the web-server. At step 92 the web proxy 2f finally forwards the re-encapsulated data to the bus 20b.
- the web-server 12 in step 93 processes the data. It is expected that the web server 12 translates the data to some application format before transferring it back to the apparatus.
- the web-server 12 transmits the application format back (e.g. SQL query, banking command) to the network-security gateway 10, where the web proxy 2f receives it and removes the TCP/IP encapsulation of the application data in step 94, before sending the application data to the routing manager 2b.
- step 101 the routing manager 2b sends the application-format data to the application proxy 2e.
- the application proxy 2e re-encapsulates the application data in TCP/IP, or whatever protocol was used for communicating the data to the network-security gateway 10, and sends the data to the application server 14 in the internal environment 12 in step 102, whereupon the security-assurance processing in accordance with the present invention, for that data, ends at step 104.
- processing by the gateway 10 of outgoing data begins at step 110.
- the internal robot 24 receives application data from the internal system 12.
- the destination of the data is determined: if it is originated from an indirect session (i.e., a session that involves a gateway, such as a web-server 13), then the data is relayed to the gateway (web-server), whereas if the data originated from a direct session (user client communicating directly with the internal system server 14), then the processing of the
- step 140 the data is translated and restructured by the web-server 13 in order to be presented in a web format (e.g., HTML page over HTTP protocol), and then sent back to the gateway 10, to be further processed.
- step 150 the data is reduced into CIP format, possibly with some alterations, possibly with some filtering pertaining to the nature of the information, e.g., a "Top-Secret" titled article may not be allowed to pass out of the internal zone. Then the data is transmitted over the communication bus 28 into the external robot 26.
- the external robot 26 re-composes the CIP format data back into application format, possibly with some changes to the data, step 160. It then proceeds to perform some communication security tasks associated with the data, such as encrypting it and/or affixing it with authentication data, and finally, the secure data is sent to the external zone 5, step 170, which completes the process, step 180.
- step 110 application data arrives from the internal system 12 to the application proxy 2e, step 121.
- the application proxy 2e removes the TCP/IP encapsulation (or whichever protocol used to communicate with the internal system's network) and sends the data (which is in application format) to the routing manager 2b.
- the Routing Manager 2b determines the destination of the data, step 130, according to its association with a session. If the data belongs to a direct session, that is, a session in which the client communicates directly with the internal system 14, the routing manager proceeds immediately to step 151.
- the routing manager 2b sends the data to the web proxy 2f, step 141.
- the web proxy 2f encapsulates the data in TCP/IP (or whichever protocol is used to communicate with the web-server 13 or any other gateways employed), and sends it to the web-server 13, step 142.
- the web-server 13 then processes the data, which is typically a reply to a previous query sent from the web-server 13 to the internal system 14 via the apparatus 10, and represents it in a web-format (e.g., typically, an HTML data "page" over HTTP protocol, all encapsulated in TCP/IP), and sends this data to the web proxy 2f, step 143.
- the web proxy 2f removes the TCP/IP (or any other protocol used for communication with the web-server) encapsulation, step 144, and sends the application data to the routing manager 2b.
- the routing manager 2b sends the application data to the protocol manager 2c.
- the protocol manager processes the data, step 152.
- This process may include performing several tests and/or modifications, in order to further protect the internal system 12 and carry out the security policy exercised in the internal domain. For example, it may refuse to forward documents or pages according to the information they carry, or it may remove or conceal some information or all based on its content.
- the protocol manager translates the data into CIP, which may be a different coding scheme than that ofthe incoming direction.
- the CIP data is sent to the routing manager 2b.
- the routing manager 2b at step 153 sends the data to the channel manager 2a.
- the channel manager 2a encapsulates the CIP data with the IRP protocol used for the bus communications, and transmits the data over the communication bus 28 to the external robot 26.
- step 161 the data arrives through the communication bus 28 to the external robot 26, where it is handled by the external robot's channel manager 4a, step 162.
- the channel manager 4a removes the IRP encapsulation and sends the CIP data to the routing manager 4b.
- the routing manager 4b at step 163 sends the data to the external robot's protocol manager 4c.
- the protocol manager 4c translates the data from CIP format into application format, step 164, possibly with some alterations to the data.
- the data is then sent back to the routing manager 4b.
- the Routing Manager 4b sends the application data to the CLS module 4d, which performs several communication security duties, step 172, such as encryption and affixing authentication information to the data, according to the security model employed (e.g.
- the CLS module 4d then sends the secure data back to the routing manager 4b.
- the routing manager 4b finally sends the data to the network proxy, step 173, where the application or secure data is encapsulated with TCP/IP (or whichever protocol used for communication with the client in the external zone 16), and sent to the external zone 16 using the NIC, step 174.
- the flow of information from the internal zone 12 to the external zone 16 is thus completed, step 180.
- Structure and Operation of the Protocol Managers. The core of the robot operation is the protocol manager, denoted 2c and
- the protocol managers provide translation between the various application formats used by application protocols that are authorized for use by and implemented through respective CIP protocols in the security gateway 10 and the CIP formats used internally by security gateway 10.
- the protocol managers 2c, 4c may also perform various other tasks, pertaining to the content of the data, such as
- the protocol managers 2b and 4b have respective input queues 210, 410, and output queues 250, 450, several analogous processing entities between them, and two common objects.
- the internal input queue 210 holds data coming from a routing manager 2b, 4b that is in native application protocol format
- the external input queue 410 holds data from the routing manager, which is in CIP application format.
- the internal output queue 250 holds data going to a routing manager 2b or 4b in CIP application format after having been translated from the native application format into CIP
- the external output queue 450 holds data that was translated from CIP and is going to a routing manager 2b, 4b in native application format 50.
- the processing objects between the input and output queues of the respective protocol managers 2c, 4c are session managers 220, 420, which provide workload balancing for their respective sets of session handlers 230, 430, each session handler handling a single session object 240, 440 at a time.
- the session handler 230, 430 determines where incoming data belongs, which "session", and if no such session is active the handler initiates one.
- the respective sets of session objects 240, 440 comprise generic session processors.
- each element in the respective sets of session objects 240, 440 processes a respective session, that is, a respective communication stream received by the security gateway as multiple, not necessarily contiguous packets.
- two sessions are usually combined into a single entity, a "twin-session", whenever there are two coupled sessions pertaining to the same circuit of information flow, namely that one session handles incoming data and the other handles outgoing data.
- the coupling is necessary in order for both the sessions to be synchronized in the state of the server and the context of the whole circuit.
- Each session object 240, 440 may also write data back to the object repository 300.
- the session objects 240, 440 also consult a protocol entities table (PET) 310, as described further below, to determine the sequence order prescribed by the applicable protocol for processing data received by the session object in a format prescribed by that protocol.
- the session objects each write the output of their respective translations and editing processes to a respective one of the output queues 250, 450.
- the information in the object repository 300 is either global to the whole security gateway 10, or at least global for each user or for each session, or session-wide, that is, global to a whole session as opposed to local information used in a single protocol layer or information used in a single packet.
- a user-name entry in the object repository 300 is global to all the communications transmitted between the user and the server.
- the PET 310 is global in that it is used to enforce the rules by which a particular session object chooses which protocol entity to employ to reduce the data or
- FIG. 6 A block diagram of one of the session objects is shown in Fig. 6.
- session object 240, 440 employs various protocol entities 710 for handling the different protocols encountered within the data within a session.
- the session object 240, 440 consults the PET 310 in order to determine which protocol entity 710 to use next.
- the protocol entities 710 deposit information to and retrieve information from the object repository 300. That done, the session object 240, 440 then calls packers/unpackers 720 corresponding to those same protocols reflected in the selection of the protocol entities 710, in order to streamline the required information deposited in the object repository 300 into a sequence of bytes to be output by the session object 240, 440.
- the flow of data coming in to the security gateway 10 in application format through the protocol manager 2c and 4c is shown in Fig. 7.
- the data arrives in its native application format at step 500 and is read by the protocol manager 2c and 4c from the queue 210 containing data coming from the routing managers 2b, 4b.
- This application-format data is then transferred to the session manager 220 at step 510.
- the session manager 220 locates an available session handler 230, and sends the data buffer to that session handler.
- the session handler 230 scans the sessions currently active or "open", to determine which session the data belongs to before sending the data to the corresponding session object 240 for processing. If the data does not belong to one of the open sessions, the session handler 230 initiates a new session object 240 and sends the data, all this comprising step 530.
- the session object 240 begins by storing the data buffer in the object repository (OR) 300, step 540.
- the session object 240 then consults the PET 310 to get the identity of the next protocol entity 710 that should be used to process the data, reducing it to clear data in CIP format at step 550. If other protocol entities are needed to process the data, then the data is handed on to the next protocol entity 710 for processing in step 560, that protocol entity 710 retrieves the data from the buffer in the OR 300 and deposits the processed result there in step 570 when its process is complete.
- the session object repeats step 550 to check whether more protocol entities are needed for the data. Should the data provided in the buffer stored in the OR 300 end before the protocol is satisfied, the data is assumed to be incomplete at step 580. If the data is incomplete, the protocol entity 710 and the session object 240, 440 cannot complete their respective tasks, so another buffer is read from the input channel, repeating step 510, and the session object waits until further data for this session is sent to it by the session manager.
- the session object 240 uses the packers 720 corresponding to the protocol entities used by the session object to pack the data from the buffer in the OR 300 into a serial stream of bytes, at step 590.
- This CIP-formatted stream of bytes is transferred to the output queue 250 going to the routing manager.
- the processing cycle is complete, step 600.
- the process of converting content data from CIP to application format is described and starts at step 700.
- the protocol manager 2c and 4c reads data from the input queue 410 and sends the data to the session manager 420, step 710.
- the session manager 420 sends the data buffer to one of the available session handlers 430, step 720.
- the available session handler checks whether the data belongs to an existing session or whether a new session needs to be created.
- the session handler then sends the data to the appropriate session object 440, step 730.
- the session object 440 uses various unpackers 720 to unpack the CIP information included in the data and stores the individual data items in the OR 300, step 740.
- the session object 440 at step 750, consults the PET 310 and information in the OR 300 for the identity of the next Protocol Entity that should process the data which is now in the Object Repository 300. If there is such a Protocol Entity 710, step 760, the control passes to it, and that Protocol Entity 710 reconstructs its application layer data from the data in the OR 300, step 770.
- the Protocol Entity 710 determines if the operation is completed, upon which case execution resumes at step 750 by determining the next Protocol Entity. Otherwise, execution proceeds at the beginning, where more data is awaited, step 710.
- the reconstructed data (which is deposited in the Object Repository 310) is sent to the "Queue To Routing in Application" 450, and the process cycle is complete, step 790.
- a sample PET 310 is shown in Fig. 9.
- the PET 310 indicates which Protocol Entities are selected at given points, such as the start of the processing (when the TCP/IP Protocol entity is used), and thereafter.
- the PET 310 also indicates what rules and conditions are required to trigger use of the given Protocol Entity.
- the session handlers consult the PET 310 to determine which Protocol Entities are to be employed at given stages in the conversion process.
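The inbound cycle of Fig. 7 (store the buffer in the OR, consult the PET for the next protocol entity, hand the data on, wait for a further buffer when the data ends before the protocol is satisfied, then pack the clear data into CIP) can be written as a small session object driven by a table of trigger conditions. This is an added example, not the patent's code: the PET rows, the length-prefixed "transport" entity standing in for TCP/IP, the HTTP and form entities, the permitted field set and the tag/length/value CIP encoding are all constructed for the example, since the page does not reproduce Fig. 9 or the CIP byte layout.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qsl


class Incomplete(Exception):
    """Buffer ended before the protocol was satisfied (step 580): wait for more data."""


class ProtocolViolation(ValueError):
    """Data outside the permitted subset; the protocol manager refuses to forward it."""


@dataclass
class PetEntry:
    """One row of the protocol entities table: the entity and the condition that triggers it."""
    name: str
    trigger: Callable[[Dict], bool]   # evaluated against the object repository (OR)
    process: Callable[[Dict], None]   # the protocol entity: reads the OR, deposits results there


def transport_entity(oR: Dict) -> None:
    """Constructed stand-in for the TCP/IP entity: 2-byte big-endian length, then payload."""
    buf = oR["buffer"]
    if len(buf) < 2:
        raise Incomplete
    n = int.from_bytes(buf[:2], "big")
    if len(buf) < 2 + n:
        raise Incomplete                       # frame not yet fully received
    oR["payload"], oR["buffer"] = buf[2:2 + n], buf[2 + n:]


def http_entity(oR: Dict) -> None:
    """Splits an HTTP request into method, path, headers and body."""
    head, sep, body = oR["payload"].partition(b"\r\n\r\n")
    if not sep:
        raise ProtocolViolation("HTTP head not terminated")
    lines = head.split(b"\r\n")
    try:
        method, path, _version = lines[0].split(b" ")
    except ValueError:
        raise ProtocolViolation("bad request line") from None
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode("ascii")] = v.strip().decode("ascii")
    oR["request"] = {"method": method, "path": path, "headers": headers, "body": body}


def form_entity(oR: Dict) -> None:
    """Decodes an application/x-www-form-urlencoded body into name/value pairs."""
    oR["form"] = parse_qsl(oR["request"]["body"].decode("ascii"))


# Constructed PET: the transport entity is used at the start, the others when their rule holds.
PET: List[PetEntry] = [
    PetEntry("transport", lambda o: "payload" not in o, transport_entity),
    PetEntry("http", lambda o: "payload" in o and "request" not in o, http_entity),
    PetEntry("form",
             lambda o: "request" in o and "form" not in o
             and o["request"]["headers"].get("content-type") == "application/x-www-form-urlencoded",
             form_entity),
]

PERMITTED_FIELDS = ("action", "id")   # the clear-data subset carried on in CIP (constructed)


def pack_cip(oR: Dict) -> bytes:
    """Packer (step 590): clear data from the OR as tag/length/value records; headers are dropped."""
    req = oR["request"]
    out = b"\x01" + bytes([len(req["method"])]) + req["method"]
    out += b"\x02" + bytes([len(req["path"])]) + req["path"]
    for name, value in oR.get("form", []):
        if name in PERMITTED_FIELDS:
            item = f"{name}={value}".encode("ascii")
            out += b"\x10" + bytes([len(item)]) + item
    return out


class SessionObject:
    """Runs the Fig. 7 cycle for one session: PET lookup, entity processing, wait or pack."""

    def __init__(self, pet: List[PetEntry]):
        self.pet = pet
        self.oR: Dict = {"buffer": b""}          # object repository, session-wide

    def feed(self, data: bytes) -> Optional[bytes]:
        self.oR["buffer"] += data                             # step 540: store the buffer
        while True:
            entry = next((e for e in self.pet if e.trigger(self.oR)), None)   # step 550
            if entry is None:
                break
            try:
                entry.process(self.oR)                        # steps 560/570
            except Incomplete:
                return None                                   # step 580: await the next buffer
        cip = pack_cip(self.oR)                               # step 590
        for key in ("payload", "request", "form"):            # per-message items; session data stays
            self.oR.pop(key, None)
        return cip


def run_demo() -> Optional[bytes]:
    """Delivers one constructed request in two fragments; the first yields nothing, the second CIP."""
    payload = (b"POST /bills HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 16\r\n\r\naction=VIEW&id=7")
    frame = len(payload).to_bytes(2, "big") + payload
    session = SessionObject(PET)
    first = session.feed(frame[:30])
    assert first is None
    return session.feed(frame[30:])


if __name__ == "__main__":
    print(run_demo())
```

The trigger lambdas are the "rules and conditions" column of the PET; the entities never decide what runs next, which is what keeps the table, rather than the code, the place where the permitted protocol layering is declared.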
- The CIP and IRP Protocols. In accordance with the present invention, the security gateway's internal CIP and IRP protocols replace a message's native protocols in the link between the robots. In this way, data transfer is implemented only for specified data content within a given protocol.
- the external robot's CIP translator for that protocol may encode only the image information that provides the application's GUI.
- the internal robot's translator may implement CIP encoding only for the user's mouse and keyboard input responding to those graphics. In this instance, command codes are not passed.
- the process that defines the permissible subset of the syntax and the functional suite of a given protocol that is to be allowed to pass into the trusted environment, as well as defining its representation in CIP, is carried out in several separate steps, occurring at different times in the robot processes.
- the user identifies the set of protocols or protocol characteristics that will be allowed to pass into the trusted environment. This can be conveniently done in a fourth generation language (4GL) referred to as protocol-definition language ("PeDaL"), which handles string literals, and provides a binary virtual machine language (VML) to replace "C" as the target language.
- Selected command codes may also be passed, by being either explicitly or implicitly coded by the translator.
- a bill-viewing application can be
- the user may choose to issue one of three commands: PRINT, VIEW or
- the username+password pair (the first 8 bytes represent the 8 characters of the username, in ASCII code, and the last 8 bytes represent the password in ASCII code) comes first in this format.
- LOGIN can be implicitly passed and reinserted by the complementary interpreter in the other robot, because at the time when the sixteen character string is received, no command other than LOGIN can be processed by the interpreter, nor is LOGIN processed under any other circumstances. Therefore there is no point in explicitly providing a command-identifier value for LOGIN or other such "constant strings".
- Numbers are accompanied by a logically associated "sanity range" for consistency checking, except for dates. Only a single date format is allowed from any one given CIP translator or interpreter. Similarly, unknown, unstructured strings are provided a "sanity check" value stating an expected length limit for the string. The elements of the string are preferably mapped to a sequential range of characters.
- the IRP is a simplified transfer protocol adapted for use in a point-to-point communication link such as between the internal and external robots. Since the communication is point-to-point, no routing information is needed in the transfer protocol.
- the IRP consists of a header to the CIP data having twelve bytes, of which four are used as follows, with the remaining bytes being made available for reserved uses:
- the second byte contains a packet ID, i.e., a number from 0 to 127, for which a static variable is used to track and increment assigned packet IDs;
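The bill-viewing example and the IRP header above, carried through as a working translator pair: the external robot reduces the native protocol to CIP (an implicit LOGIN record for the sixteen-character username+password string, explicit codes only for the permitted commands, the bill number checked against a sanity range and the username against a sequential character range), the channel layer frames each record with the twelve-byte IRP header whose second byte is a packet ID from a running 0 to 127 counter, and the internal robot's interpreter reinserts LOGIN and reconstructs the native format. This is an added example, not the patent's code: the native line syntax, the command set (PRINT, VIEW, QUIT), the CIP record layout and the sanity range are constructed, and since the page describes only the second header byte, the remaining header bytes are left zero here.

```python
import re
import struct
from typing import List, Tuple

# Native bill-viewing protocol (constructed): the session opens with 16 ASCII bytes,
# 8 for the username and 8 for the password, with no command word; thereafter each
# command is a line "PRINT <bill>\n", "VIEW <bill>\n" or "QUIT\n".
LOGIN_LEN = 16
COMMANDS = {"PRINT": 1, "VIEW": 2, "QUIT": 3}      # explicit command codes; LOGIN has none
CODES = {code: word for word, code in COMMANDS.items()}
BILL_RANGE = (1, 999_999)                          # sanity range for the bill number
NAME_CHARS = re.compile(rb"^[A-Za-z0-9 ]{8}$")     # sequential character ranges allowed in a name
IRP_HEADER_LEN = 12


class CipViolation(ValueError):
    """Data outside the permitted subset; it is not translated and not forwarded."""


class ExternalCipTranslator:
    """External robot side: native application format -> CIP records (constructed layout:
    kind byte 0x00 + 16 login bytes, or command code + 4-byte big-endian bill number)."""

    def __init__(self):
        self.logged_in = False

    def translate(self, native: bytes) -> List[bytes]:
        records, buf = [], native
        if not self.logged_in:
            if len(buf) < LOGIN_LEN:
                raise CipViolation("login string shorter than 16 bytes")
            user, password = buf[:8], buf[8:LOGIN_LEN]
            if not NAME_CHARS.match(user):
                raise CipViolation("username outside permitted character range")
            records.append(b"\x00" + user + password)   # LOGIN carried implicitly, no command id
            self.logged_in, buf = True, buf[LOGIN_LEN:]
        for line in buf.split(b"\n"):
            if not line:
                continue
            parts = line.split(b" ")
            word = parts[0].decode("ascii", "replace")
            if word not in COMMANDS:
                raise CipViolation(f"command not in permitted subset: {word}")
            if word == "QUIT":
                bill = 0
            else:
                if len(parts) != 2 or not parts[1].isdigit():
                    raise CipViolation("missing or non-numeric bill number")
                bill = int(parts[1])
                if not BILL_RANGE[0] <= bill <= BILL_RANGE[1]:
                    raise CipViolation("bill number outside sanity range")
            records.append(struct.pack(">BI", COMMANDS[word], bill))
        return records


class IrpChannel:
    """Point-to-point framing: 12-byte header, byte 1 = packet ID 0..127 from a running counter.
    Only the second byte is specified on the page; the other bytes are left zero here."""

    def __init__(self):
        self._next_id = 0        # the static variable tracking assigned packet IDs

    def encapsulate(self, cip: bytes) -> bytes:
        header = bytearray(IRP_HEADER_LEN)
        header[1] = self._next_id
        self._next_id = (self._next_id + 1) % 128
        return bytes(header) + cip

    @staticmethod
    def decapsulate(frame: bytes) -> Tuple[int, bytes]:
        if len(frame) < IRP_HEADER_LEN:
            raise CipViolation("IRP frame shorter than its header")
        if frame[1] > 127:
            raise CipViolation("packet ID outside 0..127")
        return frame[1], frame[IRP_HEADER_LEN:]


class InternalCipInterpreter:
    """Internal robot side: CIP records -> native application format, LOGIN reinserted."""

    def __init__(self):
        self.logged_in = False

    def reconstruct(self, cip: bytes) -> bytes:
        if not cip:
            raise CipViolation("empty CIP record")
        if cip[0] == 0x00:
            if self.logged_in or len(cip) != 1 + LOGIN_LEN:
                raise CipViolation("unexpected login record")
            self.logged_in = True
            return cip[1:]                       # the only thing LOGIN can be: the 16-byte string
        if not self.logged_in:
            raise CipViolation("command before login")
        code, bill = struct.unpack(">BI", cip[:5])
        if code not in CODES:
            raise CipViolation("unknown command code")
        if code == COMMANDS["QUIT"]:
            return b"QUIT\n"
        if not BILL_RANGE[0] <= bill <= BILL_RANGE[1]:
            raise CipViolation("bill number outside sanity range")   # checked again on this side
        return f"{CODES[code]} {bill}\n".encode("ascii")


def relay(native: bytes) -> bytes:
    """External robot -> IRP link -> internal robot; returns the reconstructed native stream."""
    external, channel, internal = ExternalCipTranslator(), IrpChannel(), InternalCipInterpreter()
    out = b""
    for record in external.translate(native):
        _pid, cip = IrpChannel.decapsulate(channel.encapsulate(record))
        out += internal.reconstruct(cip)
    return out


if __name__ == "__main__":
    print(relay(b"alice   secret12PRINT 4242\nVIEW 7\nQUIT\n"))
```

Anything the translator has no encoding for (an unlisted command, a bill number outside the range, a username with characters outside the allowed range) never reaches the internal bus, which is the property the page is after: the link carries only what the CIP definition can express.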
- verifying the internal robot amounts to verifying each module against its output channel properties, assuming the correctness of its input channels. Then, one may proceed to proving each individual module, again by decomposing it to its sub-modules.
- the process of decomposition repeats itself down to the level of "atomic" code pieces, e.g. functions and procedures, where the decomposition can no longer be applied. However, these code pieces are usually small, therefore are verifiable by "direct" methods. These methods may include manual arguments, as well as mechanised methods such as theorem provers (NQTHM, ACL2, PVS) and model checkers (SPIN, STeP, etc.).
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
- Storage Device Security (AREA)
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/IL1998/000439 WO2000016206A1 (en) | 1998-09-10 | 1998-09-10 | Method and system for protecting operations of trusted internal networks |
Publications (2)
Publication Number | Publication Date |
---|---|
EP1118056A1 true EP1118056A1 (en) | 2001-07-25 |
EP1118056A4 EP1118056A4 (en) | 2003-11-05 |
Family
ID=11062357
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP98942989A Withdrawn EP1118056A4 (en) | 1998-09-10 | 1998-09-10 | Method and system for protecting operations of trusted internal networks |
Country Status (4)
Country | Link |
---|---|
EP (1) | EP1118056A4 (en) |
JP (1) | JP2002533792A (en) |
AU (1) | AU9093798A (en) |
WO (1) | WO2000016206A1 (en) |
Families Citing this family (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6311278B1 (en) | 1998-09-09 | 2001-10-30 | Sanctum Ltd. | Method and system for extracting application protocol characteristics |
JP3764016B2 (en) | 1999-05-10 | 2006-04-05 | 財団法人流通システム開発センタ− | Integrated IP transfer network |
IL151455A0 (en) | 2000-03-03 | 2003-04-10 | Sanctum Ltd | System for determining web application vulnerabilities |
US7301952B2 (en) | 2000-04-06 | 2007-11-27 | The Distribution Systems Research Institute | Terminal-to-terminal communication connection control method using IP transfer network |
SG101985A1 (en) | 2000-07-12 | 2004-02-27 | Distribution Systems Res Inst | Integrated information communication system |
CA2433192A1 (en) * | 2000-09-29 | 2002-04-04 | Electronic Data Systems Corporation | Computer program for maintaining persistent firewall-compliant connections |
US7028051B1 (en) * | 2000-09-29 | 2006-04-11 | Ugs Corp. | Method of real-time business collaboration |
US7882555B2 (en) | 2001-03-16 | 2011-02-01 | Kavado, Inc. | Application layer security method and system |
US7313822B2 (en) | 2001-03-16 | 2007-12-25 | Protegrity Corporation | Application-layer security method and system |
CN100356349C (en) * | 2001-04-27 | 2007-12-19 | 邵通 | Device and method for changing state of computing equipment |
CA2388938C (en) | 2001-06-08 | 2010-05-04 | The Distributions Systems Research Institute | Terminal-to-terminal communication connection control system for ip full service |
US20030177387A1 (en) * | 2002-03-15 | 2003-09-18 | Cyrill Osterwalder | Secured web entry server |
IL149583A0 (en) | 2002-05-09 | 2003-07-06 | Kavado Israel Ltd | Method for automatic setting and updating of a security policy |
US8072979B2 (en) | 2002-06-07 | 2011-12-06 | The Distribution Systems Research Institute | Terminal-to-terminal communication control system for IP full service |
US8260593B2 (en) | 2002-09-18 | 2012-09-04 | Siemens Product Lifecycle Management Software Inc. | System and method for simulating human movement |
FR2940566B1 (en) | 2008-12-18 | 2011-03-18 | Electricite De France | METHOD AND DEVICE FOR SECURE TRANSFER OF DIGITAL DATA |
US11188652B2 (en) | 2012-10-02 | 2021-11-30 | Mordecai Barkan | Access management and credential protection |
US9342695B2 (en) | 2012-10-02 | 2016-05-17 | Mordecai Barkan | Secured automated or semi-automated systems |
US9672360B2 (en) | 2012-10-02 | 2017-06-06 | Mordecai Barkan | Secure computer architectures, systems, and applications |
US9092628B2 (en) * | 2012-10-02 | 2015-07-28 | Mordecai Barkan | Secure computer architectures, systems, and applications |
CN103944814B (en) * | 2014-04-29 | 2017-10-20 | 天维尔信息科技股份有限公司 | A kind of method for interchanging data and system and a kind of gateway server |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH03162154A (en) * | 1989-11-21 | 1991-07-12 | Nec Software Ltd | Communication gateway system and its communication method |
WO1994015294A1 (en) * | 1992-12-23 | 1994-07-07 | Surefind Corporation | Interactive computer system with multi-protocol capability |
US5392390A (en) * | 1992-04-10 | 1995-02-21 | Intellilink Corp. | Method for mapping, translating, and dynamically reconciling data between disparate computer platforms |
US5550984A (en) * | 1994-12-07 | 1996-08-27 | Matsushita Electric Corporation Of America | Security system for preventing unauthorized communications between networks by translating communications received in ip protocol to non-ip protocol to remove address and routing services information |
US5692124A (en) * | 1996-08-30 | 1997-11-25 | Itt Industries, Inc. | Support of limited write downs through trustworthy predictions in multilevel security of computer network communications |
Family Cites Families (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5257369A (en) * | 1990-10-22 | 1993-10-26 | Skeen Marion D | Apparatus and method for providing decoupling of data exchange details for providing high performance communication between software processes |
US5557798A (en) * | 1989-07-27 | 1996-09-17 | Tibco, Inc. | Apparatus and method for providing decoupling of data exchange details for providing high performance communication between software processes |
US5237693A (en) * | 1990-04-04 | 1993-08-17 | Sharp Kabushiki Kaisha | System for accessing peripheral devices connected in network |
US5828893A (en) * | 1992-12-24 | 1998-10-27 | Motorola, Inc. | System and method of communicating between trusted and untrusted computer systems |
US5699518A (en) * | 1993-11-29 | 1997-12-16 | Microsoft Corporation | System for selectively setting a server node, evaluating to determine server node for executing server code, and downloading server code prior to executing if necessary |
US5701451A (en) * | 1995-06-07 | 1997-12-23 | International Business Machines Corporation | Method for fulfilling requests of a web browser |
US5805823A (en) * | 1996-01-30 | 1998-09-08 | Wayfarer Communications, Inc. | System and method for optimal multiplexed message aggregation between client applications in client-server networks |
US5673322A (en) * | 1996-03-22 | 1997-09-30 | Bell Communications Research, Inc. | System and method for providing protocol translation and filtering to access the world wide web from wireless or low-bandwidth networks |
US5715453A (en) * | 1996-05-31 | 1998-02-03 | International Business Machines Corporation | Web server mechanism for processing function calls for dynamic data queries in a web page |
US5881232A (en) * | 1996-07-23 | 1999-03-09 | International Business Machines Corporation | Generic SQL query agent |
1998
- 1998-09-10 AU AU90937/98A patent/AU9093798A/en not_active Abandoned
- 1998-09-10 EP EP98942989A patent/EP1118056A4/en not_active Withdrawn
- 1998-09-10 JP JP2000570676A patent/JP2002533792A/en not_active Abandoned
- 1998-09-10 WO PCT/IL1998/000439 patent/WO2000016206A1/en not_active Application Discontinuation
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH03162154A (en) * | 1989-11-21 | 1991-07-12 | Nec Software Ltd | Communication gateway system and its communication method |
US5392390A (en) * | 1992-04-10 | 1995-02-21 | Intellilink Corp. | Method for mapping, translating, and dynamically reconciling data between disparate computer platforms |
WO1994015294A1 (en) * | 1992-12-23 | 1994-07-07 | Surefind Corporation | Interactive computer system with multi-protocol capability |
US5550984A (en) * | 1994-12-07 | 1996-08-27 | Matsushita Electric Corporation Of America | Security system for preventing unauthorized communications between networks by translating communications received in ip protocol to non-ip protocol to remove address and routing services information |
US5692124A (en) * | 1996-08-30 | 1997-11-25 | Itt Industries, Inc. | Support of limited write downs through trustworthy predictions in multilevel security of computer network communications |
Non-Patent Citations (2)
Title |
---|
ANDREW S TANENBAUM: "Computer Networks" COMPUTER NETWORKS, ENGLEWOOD CLIFFS, PRENTICE HALL, US, pages 141-148,320-35-350, XP002084334 * |
See also references of WO0016206A1 * |
Also Published As
Publication number | Publication date |
---|---|
AU9093798A (en) | 2000-04-03 |
JP2002533792A (en) | 2002-10-08 |
EP1118056A4 (en) | 2003-11-05 |
WO2000016206A1 (en) | 2000-03-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6321337B1 (en) | | Method and system for protecting operations of trusted internal networks |
WO2000016206A1 (en) | | Method and system for protecting operations of trusted internal networks |
US8769127B2 (en) | | Cross-domain solution (CDS) collaborate-access-browse (CAB) and assured file transfer (AFT) |
Paxson | | Bro: a system for detecting network intruders in real-time |
Wang et al. | | Shield: Vulnerability-driven network filters for preventing known vulnerability exploits |
KR102368170B1 (en) | | Automated runtime detection of malware |
US7225467B2 (en) | | Active intrusion resistant environment of layered object and compartment keys (airelock) |
US6584508B1 (en) | | Advanced data guard having independently wrapped components |
EP1634175B1 (en) | | Multilayer access control security system |
Almgren et al. | | Application-integrated data collection for security monitoring |
US6684329B1 (en) | | System and method for increasing the resiliency of firewall systems |
US20030177387A1 (en) | | Secured web entry server |
Liang et al. | | Automatic generation of buffer overflow attack signatures: An approach based on program behavior models |
AU2002324631A1 (en) | | Active intrusion resistant environment of layered object and compartment keys |
WO2001001259A1 (en) | | Self-contained and secured access to remote servers |
EP1127314A1 (en) | | Method and system for maintaining restricted operating environments for application programs or operating systems |
Shaheed et al. | | Web application firewall using machine learning and features engineering |
Stempel | | IpAccess-an internet service access system for firewall installations |
Wang et al. | | TVIDS: Trusted virtual IDS with SGX |
Christey | | PLOVER: Preliminary list of vulnerability examples for researchers |
Jaeger et al. | | Leveraging IPSec for mandatory access control of linux network communications |
CN112087294A (en) | | Portable security computer architecture based on secret hash label protection |
Burmester | | A trusted computing architecture for critical infrastructure protection |
Kim et al. | | Multi-channel transmission method for improving TCP reliability and transmission efficiency in UNIWAY |
Pan et al. | | Efficient and Transparent Method for Large-Scale TLS Traffic Analysis of Browsers and Analogous Programs |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
| 17P | Request for examination filed | Effective date: 20010406 |
| AK | Designated contracting states | Kind code of ref document: A1 Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE |
| RIC1 | Information provided on ipc code assigned before grant | Ipc: 7H 04L 29/06 B Ipc: 7G 06F 13/38 A |
| A4 | Supplementary search report drawn up and despatched | Effective date: 20030918 |
| 17Q | First examination report despatched | Effective date: 20050216 |
| RAP1 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: SANCTUM LTD. |
| RAP1 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: WATCHFIRE CORPORATION |
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
| 18D | Application deemed to be withdrawn | Effective date: 20060331 |