Ulllted States Patent [19] [11] Patent Number: 6 003 084 (I S
Total Page:16
File Type:pdf, Size:1020Kb
US006003084A Ulllted States Patent [19] [11] Patent Number: 6 9 003 9 084 Green et al. [45] Date of Patent: *Dec. 14 a 1999 [54] SECURE NETWORK PROXY FOR FOREIGN PATENT DOCUMENTS CONNECTING ENTITIES 0 554 182 A1 4/1993 European Pat. Off. ...... .. H04L 29/06 _ . _ . 96/13113 5/1996 European Pat. Off. ...... .. H04L 29/06 [75] Inventors‘ Mlchael W‘ Green’ shorevlew’ Rlcky 0 743 777A2 11/1996 European Pat. Off. ...... .. H04L 29/06 R9nald Kruse> Ham Lake> both of 97/13340 4/1997 European Pat. Off. ........ .. H04L 9/00 Mmn' 97/16911 5/1997 European Pat. Off. ...... .. H04L 29/06 _ _ _ 97/26731 7/1997 European Pat. Off. ........ .. H04L 9/00 [73] Asslgneez Secure Computlng Corporatlon, 96/31035 10/1996 WIPO .......................... .. H04L 12/24 ROSGVillG, Minn. 97/29413 8/1997 WIPO . [*l NOIiCeI This patent issued on a continued pros- OTHER PUBLICATIONS $22183 25311122111131? tltllrédgeiz C52}; “100% of Hackers Failed to Break Into One Internet Site éltent ’Ierm rovlisions of 35 6 g C Protected by Sidewinder”, News release, Secure Computing I1)54(a)(2) p ' ' ' Corporation (Feb. 16, 1995). ' “Internet Security System Given ‘Product of the Year’ Award”, News Release, Secure Computing Coporation [21] Appl. NO.Z 08/713,424 (Mal-I 28, 1995)' [22] Flled: Sep' 13’ 1996 (List continued on next page.) [51] Int. Cl.6 .................................................... .. G06F 13/00 I I I [52] US. Cl. ......................... .. 709/227; 709/203; 709/230 Primary Exammer—larnl Maung [58] Field of Search ....................... .. 395/18701 18801- Assistant Examiner—David M Ovedovitz 709/224, 225, 227, 228, 230, 503, 219’ Attorney, Agent, or Firm—Schwegman, Lundberg, Woessner and Kluth [56] References Cited [57] ABSTRACT U.S. PATENT DOCUMENTS A proxy which is part of a ?rewall program controls 3,956,615 5/1976 Anderson et al. ............... .. 235/61.7 B exchanges of_ information between two application_ entities._ 471047721 8/1978 Markstein et a1_ 364/200 The proxy interrogates attempts to establish a communica 4,177,510 12/1979 Appell et a1, ,,,,,, __ 364/200 tion session by requesting entities with a server entity in 4,442,484 4/1984 Childs, Jr. et al. .. 364/200 lower layers in accordance with de?ned authentication pro 4,584,639 4/1986 Hardy ----------------- ~~ 364/200 cedures. The proxy interfaces with networking software to 4,621,321 11/1986 Boebert ct a1~ ~~ 364/200 direct a communication stack to monitor connection requests 476487031 3/1987 Jenner et al' 364/200 to any address on speci?c ports. The requestor’s address, and 4’7O1’84O 10/1987 Boebert et a1‘ " 364000 the server’s address are checked against an access control 4,713,753 12/1987 Boebert et al. .. 364/200 1. If . h dd . rd h 1 h 4,870,571 9/1989 Frink .......... .. 364/200 15L, 6“ er a fess ,15 “Na 1 > t 6 Foxy. C 0565 t 6 Con‘ 478857789 12/1989 Burger CI a1_ 38O/25 nection. If both are valid, a new connection is setup such that 570937914 3/1992 coplien et a1_ __ 395 /700 both the requestor and server are transparently connected to 5,124,984 6/1992 Engel ,,,,,,,,,,,,, ,, 370/230 the proxy with variable higher levels being connected in a 5,153,918 10/1992 Tuai . .. 380/25 relay mode. Protocol data units are interrogated for con 5,204,961 4/1993 Barlow .................................. .. 395/725 formanoe to a protocol Session, and optionally further 5,228,083 7/1993 Lozowick et al. ........................ .. 380/9 decoded to add additional application Speci?c ?ltering In 572637147 11/1993 Franclsco et a1‘ 395/425 one embodiment, an OSI architecture comprises the levels. 5,272,754 12/1993 Boebert ................................... .. 380/25 (List continued on next page.) 29 Claims, 4 Drawing Sheets 234 230 212 216 (I S F ‘ _ _ _ _ __1 ‘OSI X.500 DAP REPLY—— 'I I I I I I I I II II ‘OSI X500 DAP R P @ ' _ _ _ — “‘ I x.5oo . : OSI UN-ENCODING I E LY X500 I I §|-_|El"_ (PHAZI' _ OSI x.5o0 DAP BIND __ r ROUTINES (TRANSPORT r _ OSI x500 DAP BIND __ ‘SERVER (050' I. _ _ _ _ _ _ _ _I SRC: DUA DEST: DSA : SESSION, PRESENT., : SRC: DUA DEST: DSA I_ I I I I I I I I . I ACSE/ROSE I 1 I ACSE/ROSE I @ I 1 I ACSE/ROSE } : os| PRESENTAT: ‘ OSI T_C0NNECT_REPLY— ; 1 ‘ os| T_C0NNECT_REPLY— { OSI PRESENTATI' I I I X500 I I I | 05' SESSION r @909 LCONNECLREOUEST I PROXY I @osl T_CONNECT_REQUEST | 05' SESSION I I OSI TRANSPORTI SRQPIUA P551 P? 1 { SRQPPA 95.51- P?‘ " : OSI TRANSPORT: \_ _ _ _ _ _ __J //’ \\ t- . _ _ _ _ _ _ _ _ ___| //’ ‘ \_ _ _ _ _ _ ___1 TCP/IP ,’ ‘ TCP_C0NNECT_REPLY@— l\ TCP/IP TCP/IPIl ‘ TCP_CONNECT_REPLY ®\\ T(IF/IF’ ‘r ®TCP_CONNECT_REQUEST /' \ @TCP_CONNECT_REQUEST /' \? SRC: DUA DEST: DSA f/ \f SRC: SWDER DEST: osA-y/ 6,003,084 Page 2 US. PATENT DOCUMENTS Fine, T., et al., “Assuring Distributed Trusted Mach”, Pro ceedings of the IEEE Computer Society Symposium on 5,276,735 1/1994 Boebert et al. ......................... .. 380/21 research in Security and Privacy, 206—218 (1993). 5,303,303 4/1994 White . .. 380/49 5,305,385 4/1994 Schanning et al. 380/49 Foltz, P.W., et al., “Personalized Information Delivery: An Analysis of Information Filtering Methods”, Communica 5,311,593 5/1994 Carmi . .. 380/23 5,329,623 7/1994 Smith etal. .. 395/275 tioin of the ACIVI, 35, 51—60 (Dec. 1992). 5,333,266 7/1994 Boaz et al. .......... .. 395/200 Goldberg, D., et al., “Using Collaborative Filtering to Weave 5,355,474 10/1994 Thuraisngham et al. ............. .. 395/600 an Information Tapestry”, Communications of theACll/I, 35, 5,414,833 5/1995 Hershey et al. ...................... .. 395/575 61—70 (Dec. 1992). 5,416,842 5/1995 Aziz . .. 380/30 Grampp, F.T., “UNIX Operating System Security”, AT&T 5,485,460 1/1996 Schrier et al. .. 370/94.1 Bell Laboratories Technical Journal, 63, 1649—1672 (Oct. 5,511,122 4/1996 Atkinson . .. 380/25 5,530,758 6/1996 Marino, Jr. et al. .................... .. 380/49 1984). 5,548,646 8/1996 Aziz et al. .............................. .. 380/23 Haigh, J .t., et al., “Extending the Non—Interference Version 5,550,984 8/1996 Gelb ............ .. 395/200.17 of MLS for SA ”, Proceedings of the 1986 IEEE Sympo 5,566,170 10/1996 Bakke et al. .... .. 370/392 sium on Security and Privacy, Oakland, CA, 232—239 (Apr. 5,583,940 12/1996 Vidrascu et al. ....... .. 380/49 7—9, 1986). 5,604,490 2/1997 Blakely, III et al. .. 340/825.31 Kent, S.T., “Internet Privacy Enhanced Mail”, Communica 5,606,668 2/1997 Shwed ............. .. 395/200.11 5,608,720 3/1997 Biegel et al. ..... .. 370/249 tions of the ACM, 48—60 (Apr. 1993). 5,615,340 3/1997 Dai et al. .... .. .. 395/200.17 Lampson. B.W., “dynamic Protection Structures”, AFIPS 5,619,648 4/1997 Canale et al. .. 395/200.01 Conference Proceedings, vol. 35, 1969 Fall Joint Computer 5,623,601 4/1997 Vu ............... .. 395/187.01 ConferenceLas Vegas, NV, 27—38 (Nov. 18—20, 1969). 5,636,371 6/1997 Yu .... .. 395/500 Lee, K—C., et al., “A Framework for Controlling Coopera 5,644,571 7/1997 Seaman . 370/401 tive Agents”, Computer, 8—16 (Jul. 1993). 5,671,279 9/1997 Elgamal .... .. 380/23 5,673,322 9/1997 Pepe et al. 380/49 Loeb, S., “Architecting Personalized Delivery of Multime 5,684,951 11/1997 Goldman et al. .... .. 395/188.01 dia Information”, Communications of the ACM, 35, 39—50 5,699,513 12/1997 Feigen et al. .... .. 395/187.01 (Dec. 1992). 5,720,035 2/1998 Allegre et al. .. 395/200.06 Loeb, S., et al., “Information ?ltering,” Communications of 5,781,550 7/1998 Templin et al. ...................... .. 370/401 the ACM, 35, 26—28 (Dec. 1992). OTHER PUBLICATIONS Merenbloom, P., “Network ‘Fire Walls’ safeguard LAN Data from Outside Intrusion”, Infoworld, p. 69 (Jul. 25, 1994). “SATAN No Threat to SidewinderTM”, News Release Com Obraczka, K., et al., “Internet Resource Discovery Ser puting Corporation (Apr. 26, 1995). vices”, Computer, 26, 8—22 (Sep. 1993). “Answers to Frequently Asked Questions About Network Press, L., “The Net: Progress and opportunity”, Communi Security”, Secure Computing Corporatin, 41 p. (1994). cations of the ACM, 35, 21—25 (Dec. 1992. Adam, J .A., “Meta—matrices”, IEEE Spectrum, 26—27 (Oct. Schroeder, M.D., et al., “A Hardware Architecture for Imple 1992). menting Protection Rings”, Communications of the ACM, Adam, J .A., “Playing on the Net”, IEEE Spectrum, 29 (Oct. 15, 157—170 (Mar. 1972). 1992). Schwartz, M.F., “Internet Resouirces Discovery at the Uni Ancilotti, P., et al., “Language Features for Access Control”, IEEE Transactions on Software Engineering, SE—9, 16—25 versity of Colorado”, Computer, 26, 25—35 (Sep. 1993). (Jan. 1983). Smith, R.E., “Sidewinder: Defense in Depth Using Type Badger, L., et al., “Practical Domain and Type Enforcement Enforcement”, Internationa Journal of Network Manage for UNIX”, Proceedings of the 1995 IEEE Symposium on ment, 219—229, (Jul.—Aug. 1995). Security and Privacy, Oakland, CA, 66—77 (May 8—10, Thomsen, D., “type Enforcement: The New Security 1995). Model”, Proceedings of the SPIE, Multimedia: F ull—Service Belkin, N.J., et al., “Information Filtering and Information Impact on Businnes, Education and the Home, vol. 2617, Retrieval: Two Sides of the Same Coin?”, Communications Philadelphia, PA, 143—150 (Oct. 23—24 1995).