CA2182777C - Security system for interconnected computer networks - Google Patents
Security system for interconnected computer networks Download PDFInfo
- Publication number
- CA2182777C CA2182777C CA002182777A CA2182777A CA2182777C CA 2182777 C CA2182777 C CA 2182777C CA 002182777 A CA002182777 A CA 002182777A CA 2182777 A CA2182777 A CA 2182777A CA 2182777 C CA2182777 C CA 2182777C
- Authority
- CA
- Canada
- Prior art keywords
- network
- motherboard
- communications
- communication
- computers
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/66—Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
-
- A—HUMAN NECESSITIES
- A61—MEDICAL OR VETERINARY SCIENCE; HYGIENE
- A61F—FILTERS IMPLANTABLE INTO BLOOD VESSELS; PROSTHESES; DEVICES PROVIDING PATENCY TO, OR PREVENTING COLLAPSING OF, TUBULAR STRUCTURES OF THE BODY, e.g. STENTS; ORTHOPAEDIC, NURSING OR CONTRACEPTIVE DEVICES; FOMENTATION; TREATMENT OR PROTECTION OF EYES OR EARS; BANDAGES, DRESSINGS OR ABSORBENT PADS; FIRST-AID KITS
- A61F9/00—Methods or devices for treatment of the eyes; Devices for putting-in contact lenses; Devices to correct squinting; Apparatus to guide the blind; Protective devices for the eyes, carried on the body or in the hand
- A61F9/0008—Introducing ophthalmic products into the ocular cavity or retaining products therein
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/08—Protocols for interworking; Protocol conversion
- H04L69/085—Protocols for interworking; Protocol conversion specially adapted for interworking of IP-based networks with other networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/08—Protocols for interworking; Protocol conversion
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computer Security & Cryptography (AREA)
- Health & Medical Sciences (AREA)
- Signal Processing (AREA)
- Heart & Thoracic Surgery (AREA)
- General Health & Medical Sciences (AREA)
- Computing Systems (AREA)
- Ophthalmology & Optometry (AREA)
- Biomedical Technology (AREA)
- Computer Hardware Design (AREA)
- Vascular Medicine (AREA)
- Life Sciences & Earth Sciences (AREA)
- Animal Behavior & Ethology (AREA)
- General Engineering & Computer Science (AREA)
- Public Health (AREA)
- Veterinary Medicine (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
- Small-Scale Networks (AREA)
- Alarm Systems (AREA)
- Burglar Alarm Systems (AREA)
Abstract
A security system for connecting a first computer network (10) to a second computer network (26) is provided. The security device has a pair of computer motherboards (12, 20), each of which has a network interface adapter (14 or 22) for receiving and tranferring communications from a computer network (10) to a transfer adapter (16) to be transmitted to the other computer network (24) through a transfer adapter (18) and network interface adapter (22) provided on the other computer motherboard (20). Each motherboard (12 or 20) provides protocol translation from a first protocol to a second protocol and removes source and destination address information from communications transferred to the other computer motherboard (20). Application program interface shim software or dynamic link library software provides control of communications between the two motherboards (12, 20) for passing code necessary to request and receive services from the other computer network.
Description
wo ~nszs3 rcr~s9sio~zss SECURITY SYSTEM FOR
T~TFUrnNNFrTED COMPUTER NETWORKS
~~,~LD OF THE :LNVENTION
The present invention relates to a security system for preventing unauthorized communications between one computer network and another computer network and more specifically for preventing unauthorized access to a private computer network f rom a public computer network sucih as the Internet.
$ACKGROUND OF THE INVENTION
Recent developments i:n technology have made access easier to publicly available computer networks, such as the Internet. The exchange of information between private computer networks and users attached to the Internet presents a challenge to protect information located on such private networks from 1~~ unauthorized access by outside Internet users, and from unauthorized export by private users to the outside. For example, a group of private users who work for the same entity may need to have access to common data but desire to shield such information from disclosure to outsiders. Recently, accounts have publicized the vulnerability of even the Pentagon's computer system to break-ins by public Internet users known as "crackers." In breaking into private computer networks, crackers Yuave been able to erase Z5 files or disks, cancel programs, retrieve sensitive information and even introduce computer viruses, Trojan horses and/or worms into those private networks.
Another related probllem is security among related private computer nei:works. For example, many wo 96nsas3 ~ 1 8 2 7 7 7 rcr~s9sronss companies have branches located in various parts of the country. Each branch may contain a computer network and each of these local computer networks are interconnected in a company-wide computer network. It is desirable in the use of such computer networks to prevent unauthorized access to one of the local computer networks from another of the local computer networks.
For communication on the Internet, the protocol suite Transmission Control Protocol/Internet Protocol (TCP/IP) provides a standardized communication format between nodes on a computer network and between computer networks. This protocol suite is used inside and among private computer networks, as well. Private computer networks are often linked to other private computer networks, such as in a company where multiple user groups exist in the organization With corresponding multiple computer networks. The risk of break-ins and computer misuse 2(1 by one such private network by users of another private network is also present. For example, a disgruntled employee working from a local area network (LAN) in one organization of the company may break into the private computer network of another organization with the company and cause files to be altered or erased or place viruses, Trojan horses, or worms into nodes contained in that network.
Private computer networks come in all forms and are put to many purposes. There are credit card computer networks which direct network traffic to banks for authorizations and transaction posting, there are university computer networks which maintain student or scientific research information, and there are private company computer networks which contain a variety of proprietary information. The future promises to bring everL more connectivity to computer rcrms9sro~zss networks through such mechanisms as computerized home television and multimedia services. Providing a security system against breach by so-called crackers will be equally important to the home computer user.
Presently known security systems have often proven either to be ineffective in preventing breach of the private computer network, or have severely limited access to communication services for communicating with other networks. In general, existing security systems disable certain critical communication services between the computer networks.
For example, in connection with the Internet, such important communications services as file transfer applications such as File Transfer Protocol (FTP), Trivial File Transfer Protocol (TFTP), and HTTP, and terminal emulation services such as Telnet applications have been disabled for the sake of security.- However, when such services are disabled, most of the power to communicate with other comguter networks is lost, leaving the private network with only basic electronic mail (E-mail) services to the public Internet, such as provides by Simple Mail Transfer Protocol (SMTP) and POP3 applications. Even with such file transfer and emulation services disabled, private networks have not been immune to breach by crackers from the public Internet or other private networks. An outsider can obtain headers from the sendmail and postscript files used in E-mail, including critical data, to enable entrance into privileged files by mimicking a legitimate user.
Such security systems have been implemented in several ways. For example, screening routers have been used to limit transmission into and out of a private network to specific sites or to specific types of transmissions. However, these limitations by their nature also severely re.,strict access to communication wo 96nsu~ 2 ~ $ 2 ~ 7 ~ rcr~rs9sro~zss services with the public Internet or other networks.
Host-based firewalls, also known as dual-homed firewalls, provide an additional level of security by interposing a separate computer system between the private network and the public Internet network. In some dual-homed firewalls, Internet Protocol (IP) packet forwarding is disabled, preventing the firewall from routing IP packets automatically according to the addresses provided. Such dual-homed firewalls also provide a special set of Transmission Control Protocol (TCP) applications to act as prosy agents to communicate with users outside of the private network. In this Way, the firewall maintains control over the communications which enter and exit the 1~~ private network. For example, a user on the private network may use an application such as Telnet to log on to the host-based firewall system. The private network user is then prompted for the Internet address of the end-point. The firewall then sets up a pipe between the private network user and the end-point and monitors the connection between the points. A
disadvantage identified with host-based firewalls has been the continual need to increase the size of the firewall system to support increased traffic between the private network and the public Internet network.
Another disadvantage of host-based firewalls is that crackers need only to overcome the security defenses of a single computer system in order to gain access to the private network.
Another firewall system is known as bastion hosts, also known as an application level firewall, overcomes these disadvantages of host-based firewal.ls by providing a subnetwork of hosts to control traffic in and out of the private network. The subnetwork can be expanded by adding hosts as capacity need increases. With bastion hosts the public network is wo 96nsa~ 2 1 8 2 7 7 7 rcr~s9sro~zss permitted to access only up to an exterior router R2, while the private network is permitted to access only up to an interior router R1. Between the routers a group of proxy hosts are provided which control access 5 to various applications available for communication with the private and public networks. A disadvantage of this system is that code must be specially written to specify each application ito be allowed through the subnetwork, making changes in application availability costly and time-consuming. Another 'disadvantage is the cost and complexity of maintaining a separate subnet and multiple computer systems as hosts for the system.
Accordingly, it is an object of the present invention to provide a security system for connecting a private computer network to another private or public computer network which provides full availability of services to the computer networks while maintaining the private computer network secure from unauthorized access by crackers from the public computer network or other private computer network.
Another object of the present invention is to provide a security system which can be constructed of available standard hardware and software components without requiring costly special coding or hardware.
Another object of the invention is to provide a security system contained entirely within one unit and controllable therefrom.
A further object of the present invention is to provide a security system which protects Unix and MVS hosts connected to the private computer network from unauthorized access by private network users connected to the private local area network (LAN) or wide area network (WAN).
A still further object of the present invention is to provide a security system having two computer motherboards fir backing up critical network wo 96ns~ 4 rcrms9sio~zss communication information from one computer motherboard to the other.
Still another object of the invention is to provide the use of unrestricted TCP/IP addresses in a private network which are not limited to the registration procedures of the public Internet, thereby allowing domain names, subnetwork masks, and TCP/IP network/host name addresses to be determined independently in the private networks.
Another object of the present invention is to provide a communication link between a first and second computer network in which the subnetwork mask which is used for communication inside the first computer network is established independently from the subnetwork mask which is presented at the interface to the second network.
SUMMARY OF INVENTION
These and other objects of the present invention are accordingly provided by a security device for preventing unauthorized communications between first computer network and a second computer network. We have discovered that internetwork security can be achieved by providing a security system which includes a first network motherboard and Z5 a second network motherboard with each motherboard having a network interface adapter for communicating with the first and second computer networks, respectively. Each network motherboard also has a transfer adapter for transferring communications received at its own network interface adapter to a transfer adapter on the other network motherboard.
The transfer adapters must be matched and identical.
All of the necessary hardware and software to implement this security system is readily available from multiple sources and no special hardware or software need be designed to implement this system.
~_ ~ 212777 Communications received by the network interface adapters connected to the first and second computer network motherboariis in Transmission Control Protocol/Internet Protocol ('.CCP/IP) format or Internet Protocol encapsulated in Internet Packet Exchange, IP(IPX), are translated into Internet Packet Exchange (IPX) format communications for further transmission to the network motherboard connected to the other public or private computer network, respectively. This translation process removes the upper TCP protocol layer, the subnetwork mask and prevents the original IP datagram header containing IP
header information, an IP destination address, and an IP source address from being further transmitted to the other network. Routing services: IP packet forwarding, and the TCP/IP :layers Routing Information Protocol (RIP), Address Resolution Protocol (ARP) and Internet Control Message Protocol (ICMP) are disabled from being transmitted between the network interface ~0 adapter and the transfer adapter of each network motherboard. Removal of the original IP datagram headers and disabling of routing services inhibits an unauthorized user of the first or second computer network from obtaining the IP addresses and the corresponding physical addresses which are necessary for direct communication with nodes on the other network.
The second network motherboard further provides API shim software, a:nd client/server software for permitting communication services to and from the second computer network by requesting nodes of the first network. Alternatively, Dynamic Link Library software can be used in place of, or in addition to API shim software for permitting such communications.
The second network motherboard further sets up a domain name, IP add Less, and a subnetwork mask to WO 96/18253 ~ ~ ~ 7 PGT/US95I07285 allow users of the second network to find and connect to the second network motherboard. The domain name.
IP address, and subnetwork mask are independent from the original domain name, IP address and subnetwork mask which were used at the network interface adapter into the first network motherboard. The independence of the subnetwork masks permits a private network linked to the security system of the present invention to contain as many nodes as desired independently of the subnetwork mask which is presented to the public network side by the second network motherboard.
BRTEF DESCRIPTION OF THE DRAWING
FIG. 1 shows a block diagram of the security system of the present invention and its connection to private and public Internet computer networks.
DETATLED DESCRIPTION OF THE PREFERRED EMBODIMENT
An embodiment of the present invention is shown in FIG. 1. In FIG. 1 two motherboards 12 and 20 are shown sharing a common power supply 28.
2~ Motherboard 20 is connected to a public network, e.g.
Internet. 26, while motherboard 12 is connected to a private network 10. Alternatively, motherboard 20 can be connected to another private computer network, 26 e.g. at another branch of the same company. In addition, multiple private .and/or public networks can be interconnected in accordance with the invention.
Each public or private network is a set of interconnected nodes, the nodes being any common addressable or connectable devices, which can be computers, e.g. Workstations, file servers, Unix or MVS mainframes or other digital devices, e.g. routers, printers, controllers, peripherals etc.
Motherboards 12, 20 each have a pair of network adapters 14, 16 and 18, 22, respectively.
Network adapters 14 and 22 are network interface adapters used to receive and transmit communications to and from private and public networks 10 and 26, respectively. Network adapters 16 and 18 are transfer adapters used to communicate between motherboards 12 and 20. Transfer adapters 1.6 and 18 can be any Ethernet type or ARCnet type cards, so long as they are identical and matched. Transfer adapters 16 and 18 cannot reside on the same motherboard.
Each motherboard has standard components such as a microprocessor or a hard disk, a random access memory, preferably 32 MB RAM or higher, ROMBIOS, and a video card. Further, each motherboard has its own separate network operating :software, which may be, for example, Novell Netware (R) or Microsoft Windows NT (TM).
The use of two motherboards 12 and 20 in conjunction with each other reduces congestion, CPU usage and isolates the private and public networks.
Alternatively, the two motherboards can be separate free-standing computer systems which contain at minimum the components described for motherboards 12 and 20, except for common power supply 28.
Network interface adapter 22 of motherboard 20 is preferably a token-ring card which connects through router 24 to common access provider lines 56K, T1 or T3 or to other such lines (indicated by dashed lines) to the Internet 26 or other private network. The software used to bind network interface adapter 22 to the Internet or other priv ate network provides Domain Name Server information, an Internet TCP/IP address, and a subnetwork mask that allows public network users to find and attach to the front end of the security system. For ezample, Novell Netware (R) Version 3.12 or 4.X and Novell Netware IP (R) or Microsoft Windows NT
3.5+ (TM) can be utilized to establish a native (distinct) TCP/IP connection to the Internet. The network operating software provides services of User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) ,~~.a:
l0 218777 for communications to and from the Internet or other private network 26. UDP provides a connectionless delivery service to send and receive packets from specific processes between sending and receiving nodes of the Internet. TCP adds reliable stream delivery in addition to the Internet Protocol's connectionless packet delivery service. -The network interface adapter 14 of motherboard 12 may be a token-ring card, an Ethernet Card, or an ARCnet card which connects to the private network 10, which may be either a local area network (LAN) or wide area network (WAN). The software which binds network interface adapter 14 to the private network 10 provides Transmission Control Protocol/Internet Protocol (TCP/IP) services or IP
tunnel/encapsulated IPX IP(IPX) services for communication with private network 10. Appropriate network software for network: interface adapter 14 can be Novell Netware (R) Multiprotocol Router (MPR) software or Novell Netware (R) Version 3.12 or 9.g used in conjunction with Novell Netware IP (R).
Alternatively, other software file server packages such as Microsoft Windows NTAS 3.5+ can be used. Such software provides a Domain Name Server, a TCP/IP
z5 address, and a subnetwork mask which are independent and distinct from the Domain Name Server, TCP/IP
address and subnetwork mark used by the network interface adapter on the public side motherboard 20 and which also allows private network users to find and attach to motherboard 20 of the public network side.
Communications received by network interface adapter 14 from private nei~work 10 in Transmission Control Protocol/Internet Control Protocol (TCP/IP) format or IP tunnel/encapsu:lated IPX format IP(IPX) are translated into Internet Packet Exchange (IPX) wo msa~ 2 1 8 2 7 7 7 p~'f~°S~ro'~ss communications for transmission by transfer adapter 16 to transfer adapter 18 of motherboard 20 on the public network side. Likewise, communications received by network interface adapter 22 from public network 26 in Transmission Control Protocol/Internet Control Protocol (TCP/IP) format are also translated into Internet Packet Exchange (IPX) communications for transmission by transfer adapter 18 to transfer adapter 16 of motherboard 12 on the private network side. Translation into IPX format removes the upper TCP protocol layer, and 'the original IP datagram headers which contain header information, source IP
address and destination IP address information from the communications transferred between the network interface adapters and the transfer adapters on each motherboard.
Binding commands provided by the network operating- software on each motherboard are used to disable all routing services such as Address Resolution Protocol (ARP), Routing Information Protocol (RIP) and Internet Control Message Protocol (ICMP) between network interface adapters 19, 22 and transfer adapters 16 and 18, respectively. Removal of the IP datagram headers and disabling the routing 2~~ services inhibits transmission of the physical addresses (also known as Media Access Control"
addresses for use with Ethernet cards) of devices connected to the private network.
Preferably, the network operating software used by network interface adapter 22 on public network motherboard 20 provides the ability to identify each user entering motherboard ;t0 with a node address specific to the user's physical location and/or the node address of the computer being used to attach.
38 When Ethernet cards are used for the transfer adapters, this information would be preserved. Use 'Z ~ a 2 ? ~ ~ rcr~s9sro~zss wo 96ns~
of the Ethernet cards would allow use of a node address as another security feature to inhibit multiple private network users from accessing motherboard 20 from other than their specific workstations. However, when ARCnet cards are used as the transfer adapters this function would not be available as the node address information would not be preserved.
Application program interface shims (API
shims) or Dynamic Link Libraries (DLL's) are used to permit users from private network '10 to link to motherboard 20 for further communication with the Internet. API shims and DLL's provide an alternative mechanism for passing executable code between the private network device known as a client workstation to motherboard 20 which functions as a server for applications or files communicating with the Internet.
Use of commercial API shims and DLL's such as Winsock Complaint Version l.lx (TM) series and the IPX ODI
connection between the transfer adapters 16 and 18 allows transfer of executable code required to execute the applications from motherboard 20.
In addition to the API shim or DLL used to pass executable code to motherboard 20, further client/server software is used such as NCSA Mosaic (TM), Cornell University CELLO (TM), Ameritech/NOTIS
WINGOPHER (TM), Pegasus EMAIL (TM) to provide Internet services to private network users by the public network motherboard 20. This allows users on the private network to use full Internet services such as the emulation protocols Telnet, Telnet 3270, Telnet 5250, and the transfer protocols HTTP, FTP, TFTP, anonymous FTP, SMTP, and POP3, to view the public Internet. However, such client/server software on motherboard 20 would not permit the unauthorized private network user on a LAN or WAN to access Unix wo ~ns~ rcr~s9sro~ZSs (R), or MVS (R) or VM (R) mainframe hosts on the private network because higher level emulation services such as Telnet whiclh are necessary to access them are disabled between transfer adapters 16 and 18.
Preferably, additional software is provided on motherboard 20 which includes virus screening and examination software; password software, which identifies potential holes in network security by scanning user and supervisor accounts for known weak passwords and allows encryption; auto logout software for inactive workstations; security and access auditing software, which allows auditing of specific users and workstations as well as directory and file access on the public network side, and also provides encryption between similarly configured security services on user workstations. Preferably, software that allows simultaneous encryption and nonencryption sessions such as PGP would also be installed on motherboard 20.
ZO For interconnection of multiple private or public computer networks a security system according to the present invention should be provided at the interface between each pair of computer networks. For example, When three computer networks are to be interconnected, a security system as embodied in FIG.
1 can be placed between private network 10 and each of the second and third computer networks.
An example of how the present invention can be used to direct communications between the private network and the public Internet while preventing public Internet users from obtaining critical addressing information necessary to communicate directly with workstations o:f the private network is as follows. Network interface adapter 19 of private network motherboard 12 receives a communication in TCP/IP format from ar, workstation on the private wo ~nszs3 2 ~ a 2 ~ ~ ?
network 10 requesting Internet access services.
Internet access services such as Telnet emulation protocols, file transfer protocols such as FTP, TFTP, and E-mail services, e.g. SMTP are provided by motherboard 20 to workstations connected to the private network through an API shim or DLL which is callable by motherboard 12 through the interface between transfer adapters 16 and 18.
The outgoing communication has an IP source address which identifies the workstation which originated the communication and an IP destination address which identifies network interface adapter 14. The communication is translated into Internet Packet Exchange (IPX) format for transmission to the 1~~ transfer adapter 16 on motherboard 12 for further transmission to transfer adapter 18 of public network motherboard 20. Translation of the communication into IPX format removes the original IP source and destination addresses from the communication. In addition, all routing services such as ARP, RIP and ICMP are disabled between the two motherboards, preventing the transmission of routing updates which link IP addresses of workstations connected to the private network with their corresponding physical z~~ addresses. In this Way, the outgoing communication from the private network does not provide addressing information which would enable public Internet users to communicate directly with workstations on the private network.
Motherboard 20 receives the IPX communication through transfer adapter 18 and retranslates it into a TCP/IP format communication having a TCP/IP source address, a subnetwork mask and a Domain Name which identifies network interface adapter 22 as the origin of the communication. The communication, prior to exiting motherboard 20 must pass through additional wo mszs3 rcrios9sro~zss 2~a2~~~
security software, e.g. password control, or security and access software. The communication is then transmitted to the Internet network and the response is awaited by motherboard 20. When a response is 5 received, motherboard 20 translates the response from TCP/IP format back into IPX format and transmits it through transfer adapter 18 to transfer adapter 16 back to motherboard 12. Motherboard 12 further translates the response back into TCP/IP format for 10 communication back to private network 10. The original IP source and destination addresses from the public network response are likewise removed in this translation process. Routing services are also disabled for inbound communications, thus preventing 15 the transmission of routing updates which link IP
addresses of devices connected to the public network With their corresponding physical addresses. Thus, the inbound communication from the public network does not provide addressing information to enable private network users to communicate directly With workstations on the private network. In this way, private network users are also prevented from obtaining addressing information for devices connected to the public network which would enable direct communication with them for the unauthorized exporting of data from the private network.
While the invention has been described in detail herein in accordance with certain preferred embodiments thereof, many modit:ications and changes therein may be effected by those skilled in the art.
Accordingly, it is intended by the appended claims to cover all such modification:. and changes as fall within the true spirit and scope of the invention.
T~TFUrnNNFrTED COMPUTER NETWORKS
~~,~LD OF THE :LNVENTION
The present invention relates to a security system for preventing unauthorized communications between one computer network and another computer network and more specifically for preventing unauthorized access to a private computer network f rom a public computer network sucih as the Internet.
$ACKGROUND OF THE INVENTION
Recent developments i:n technology have made access easier to publicly available computer networks, such as the Internet. The exchange of information between private computer networks and users attached to the Internet presents a challenge to protect information located on such private networks from 1~~ unauthorized access by outside Internet users, and from unauthorized export by private users to the outside. For example, a group of private users who work for the same entity may need to have access to common data but desire to shield such information from disclosure to outsiders. Recently, accounts have publicized the vulnerability of even the Pentagon's computer system to break-ins by public Internet users known as "crackers." In breaking into private computer networks, crackers Yuave been able to erase Z5 files or disks, cancel programs, retrieve sensitive information and even introduce computer viruses, Trojan horses and/or worms into those private networks.
Another related probllem is security among related private computer nei:works. For example, many wo 96nsas3 ~ 1 8 2 7 7 7 rcr~s9sronss companies have branches located in various parts of the country. Each branch may contain a computer network and each of these local computer networks are interconnected in a company-wide computer network. It is desirable in the use of such computer networks to prevent unauthorized access to one of the local computer networks from another of the local computer networks.
For communication on the Internet, the protocol suite Transmission Control Protocol/Internet Protocol (TCP/IP) provides a standardized communication format between nodes on a computer network and between computer networks. This protocol suite is used inside and among private computer networks, as well. Private computer networks are often linked to other private computer networks, such as in a company where multiple user groups exist in the organization With corresponding multiple computer networks. The risk of break-ins and computer misuse 2(1 by one such private network by users of another private network is also present. For example, a disgruntled employee working from a local area network (LAN) in one organization of the company may break into the private computer network of another organization with the company and cause files to be altered or erased or place viruses, Trojan horses, or worms into nodes contained in that network.
Private computer networks come in all forms and are put to many purposes. There are credit card computer networks which direct network traffic to banks for authorizations and transaction posting, there are university computer networks which maintain student or scientific research information, and there are private company computer networks which contain a variety of proprietary information. The future promises to bring everL more connectivity to computer rcrms9sro~zss networks through such mechanisms as computerized home television and multimedia services. Providing a security system against breach by so-called crackers will be equally important to the home computer user.
Presently known security systems have often proven either to be ineffective in preventing breach of the private computer network, or have severely limited access to communication services for communicating with other networks. In general, existing security systems disable certain critical communication services between the computer networks.
For example, in connection with the Internet, such important communications services as file transfer applications such as File Transfer Protocol (FTP), Trivial File Transfer Protocol (TFTP), and HTTP, and terminal emulation services such as Telnet applications have been disabled for the sake of security.- However, when such services are disabled, most of the power to communicate with other comguter networks is lost, leaving the private network with only basic electronic mail (E-mail) services to the public Internet, such as provides by Simple Mail Transfer Protocol (SMTP) and POP3 applications. Even with such file transfer and emulation services disabled, private networks have not been immune to breach by crackers from the public Internet or other private networks. An outsider can obtain headers from the sendmail and postscript files used in E-mail, including critical data, to enable entrance into privileged files by mimicking a legitimate user.
Such security systems have been implemented in several ways. For example, screening routers have been used to limit transmission into and out of a private network to specific sites or to specific types of transmissions. However, these limitations by their nature also severely re.,strict access to communication wo 96nsu~ 2 ~ $ 2 ~ 7 ~ rcr~rs9sro~zss services with the public Internet or other networks.
Host-based firewalls, also known as dual-homed firewalls, provide an additional level of security by interposing a separate computer system between the private network and the public Internet network. In some dual-homed firewalls, Internet Protocol (IP) packet forwarding is disabled, preventing the firewall from routing IP packets automatically according to the addresses provided. Such dual-homed firewalls also provide a special set of Transmission Control Protocol (TCP) applications to act as prosy agents to communicate with users outside of the private network. In this Way, the firewall maintains control over the communications which enter and exit the 1~~ private network. For example, a user on the private network may use an application such as Telnet to log on to the host-based firewall system. The private network user is then prompted for the Internet address of the end-point. The firewall then sets up a pipe between the private network user and the end-point and monitors the connection between the points. A
disadvantage identified with host-based firewalls has been the continual need to increase the size of the firewall system to support increased traffic between the private network and the public Internet network.
Another disadvantage of host-based firewalls is that crackers need only to overcome the security defenses of a single computer system in order to gain access to the private network.
Another firewall system is known as bastion hosts, also known as an application level firewall, overcomes these disadvantages of host-based firewal.ls by providing a subnetwork of hosts to control traffic in and out of the private network. The subnetwork can be expanded by adding hosts as capacity need increases. With bastion hosts the public network is wo 96nsa~ 2 1 8 2 7 7 7 rcr~s9sro~zss permitted to access only up to an exterior router R2, while the private network is permitted to access only up to an interior router R1. Between the routers a group of proxy hosts are provided which control access 5 to various applications available for communication with the private and public networks. A disadvantage of this system is that code must be specially written to specify each application ito be allowed through the subnetwork, making changes in application availability costly and time-consuming. Another 'disadvantage is the cost and complexity of maintaining a separate subnet and multiple computer systems as hosts for the system.
Accordingly, it is an object of the present invention to provide a security system for connecting a private computer network to another private or public computer network which provides full availability of services to the computer networks while maintaining the private computer network secure from unauthorized access by crackers from the public computer network or other private computer network.
Another object of the present invention is to provide a security system which can be constructed of available standard hardware and software components without requiring costly special coding or hardware.
Another object of the invention is to provide a security system contained entirely within one unit and controllable therefrom.
A further object of the present invention is to provide a security system which protects Unix and MVS hosts connected to the private computer network from unauthorized access by private network users connected to the private local area network (LAN) or wide area network (WAN).
A still further object of the present invention is to provide a security system having two computer motherboards fir backing up critical network wo 96ns~ 4 rcrms9sio~zss communication information from one computer motherboard to the other.
Still another object of the invention is to provide the use of unrestricted TCP/IP addresses in a private network which are not limited to the registration procedures of the public Internet, thereby allowing domain names, subnetwork masks, and TCP/IP network/host name addresses to be determined independently in the private networks.
Another object of the present invention is to provide a communication link between a first and second computer network in which the subnetwork mask which is used for communication inside the first computer network is established independently from the subnetwork mask which is presented at the interface to the second network.
SUMMARY OF INVENTION
These and other objects of the present invention are accordingly provided by a security device for preventing unauthorized communications between first computer network and a second computer network. We have discovered that internetwork security can be achieved by providing a security system which includes a first network motherboard and Z5 a second network motherboard with each motherboard having a network interface adapter for communicating with the first and second computer networks, respectively. Each network motherboard also has a transfer adapter for transferring communications received at its own network interface adapter to a transfer adapter on the other network motherboard.
The transfer adapters must be matched and identical.
All of the necessary hardware and software to implement this security system is readily available from multiple sources and no special hardware or software need be designed to implement this system.
~_ ~ 212777 Communications received by the network interface adapters connected to the first and second computer network motherboariis in Transmission Control Protocol/Internet Protocol ('.CCP/IP) format or Internet Protocol encapsulated in Internet Packet Exchange, IP(IPX), are translated into Internet Packet Exchange (IPX) format communications for further transmission to the network motherboard connected to the other public or private computer network, respectively. This translation process removes the upper TCP protocol layer, the subnetwork mask and prevents the original IP datagram header containing IP
header information, an IP destination address, and an IP source address from being further transmitted to the other network. Routing services: IP packet forwarding, and the TCP/IP :layers Routing Information Protocol (RIP), Address Resolution Protocol (ARP) and Internet Control Message Protocol (ICMP) are disabled from being transmitted between the network interface ~0 adapter and the transfer adapter of each network motherboard. Removal of the original IP datagram headers and disabling of routing services inhibits an unauthorized user of the first or second computer network from obtaining the IP addresses and the corresponding physical addresses which are necessary for direct communication with nodes on the other network.
The second network motherboard further provides API shim software, a:nd client/server software for permitting communication services to and from the second computer network by requesting nodes of the first network. Alternatively, Dynamic Link Library software can be used in place of, or in addition to API shim software for permitting such communications.
The second network motherboard further sets up a domain name, IP add Less, and a subnetwork mask to WO 96/18253 ~ ~ ~ 7 PGT/US95I07285 allow users of the second network to find and connect to the second network motherboard. The domain name.
IP address, and subnetwork mask are independent from the original domain name, IP address and subnetwork mask which were used at the network interface adapter into the first network motherboard. The independence of the subnetwork masks permits a private network linked to the security system of the present invention to contain as many nodes as desired independently of the subnetwork mask which is presented to the public network side by the second network motherboard.
BRTEF DESCRIPTION OF THE DRAWING
FIG. 1 shows a block diagram of the security system of the present invention and its connection to private and public Internet computer networks.
DETATLED DESCRIPTION OF THE PREFERRED EMBODIMENT
An embodiment of the present invention is shown in FIG. 1. In FIG. 1 two motherboards 12 and 20 are shown sharing a common power supply 28.
2~ Motherboard 20 is connected to a public network, e.g.
Internet. 26, while motherboard 12 is connected to a private network 10. Alternatively, motherboard 20 can be connected to another private computer network, 26 e.g. at another branch of the same company. In addition, multiple private .and/or public networks can be interconnected in accordance with the invention.
Each public or private network is a set of interconnected nodes, the nodes being any common addressable or connectable devices, which can be computers, e.g. Workstations, file servers, Unix or MVS mainframes or other digital devices, e.g. routers, printers, controllers, peripherals etc.
Motherboards 12, 20 each have a pair of network adapters 14, 16 and 18, 22, respectively.
Network adapters 14 and 22 are network interface adapters used to receive and transmit communications to and from private and public networks 10 and 26, respectively. Network adapters 16 and 18 are transfer adapters used to communicate between motherboards 12 and 20. Transfer adapters 1.6 and 18 can be any Ethernet type or ARCnet type cards, so long as they are identical and matched. Transfer adapters 16 and 18 cannot reside on the same motherboard.
Each motherboard has standard components such as a microprocessor or a hard disk, a random access memory, preferably 32 MB RAM or higher, ROMBIOS, and a video card. Further, each motherboard has its own separate network operating :software, which may be, for example, Novell Netware (R) or Microsoft Windows NT (TM).
The use of two motherboards 12 and 20 in conjunction with each other reduces congestion, CPU usage and isolates the private and public networks.
Alternatively, the two motherboards can be separate free-standing computer systems which contain at minimum the components described for motherboards 12 and 20, except for common power supply 28.
Network interface adapter 22 of motherboard 20 is preferably a token-ring card which connects through router 24 to common access provider lines 56K, T1 or T3 or to other such lines (indicated by dashed lines) to the Internet 26 or other private network. The software used to bind network interface adapter 22 to the Internet or other priv ate network provides Domain Name Server information, an Internet TCP/IP address, and a subnetwork mask that allows public network users to find and attach to the front end of the security system. For ezample, Novell Netware (R) Version 3.12 or 4.X and Novell Netware IP (R) or Microsoft Windows NT
3.5+ (TM) can be utilized to establish a native (distinct) TCP/IP connection to the Internet. The network operating software provides services of User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) ,~~.a:
l0 218777 for communications to and from the Internet or other private network 26. UDP provides a connectionless delivery service to send and receive packets from specific processes between sending and receiving nodes of the Internet. TCP adds reliable stream delivery in addition to the Internet Protocol's connectionless packet delivery service. -The network interface adapter 14 of motherboard 12 may be a token-ring card, an Ethernet Card, or an ARCnet card which connects to the private network 10, which may be either a local area network (LAN) or wide area network (WAN). The software which binds network interface adapter 14 to the private network 10 provides Transmission Control Protocol/Internet Protocol (TCP/IP) services or IP
tunnel/encapsulated IPX IP(IPX) services for communication with private network 10. Appropriate network software for network: interface adapter 14 can be Novell Netware (R) Multiprotocol Router (MPR) software or Novell Netware (R) Version 3.12 or 9.g used in conjunction with Novell Netware IP (R).
Alternatively, other software file server packages such as Microsoft Windows NTAS 3.5+ can be used. Such software provides a Domain Name Server, a TCP/IP
z5 address, and a subnetwork mask which are independent and distinct from the Domain Name Server, TCP/IP
address and subnetwork mark used by the network interface adapter on the public side motherboard 20 and which also allows private network users to find and attach to motherboard 20 of the public network side.
Communications received by network interface adapter 14 from private nei~work 10 in Transmission Control Protocol/Internet Control Protocol (TCP/IP) format or IP tunnel/encapsu:lated IPX format IP(IPX) are translated into Internet Packet Exchange (IPX) wo msa~ 2 1 8 2 7 7 7 p~'f~°S~ro'~ss communications for transmission by transfer adapter 16 to transfer adapter 18 of motherboard 20 on the public network side. Likewise, communications received by network interface adapter 22 from public network 26 in Transmission Control Protocol/Internet Control Protocol (TCP/IP) format are also translated into Internet Packet Exchange (IPX) communications for transmission by transfer adapter 18 to transfer adapter 16 of motherboard 12 on the private network side. Translation into IPX format removes the upper TCP protocol layer, and 'the original IP datagram headers which contain header information, source IP
address and destination IP address information from the communications transferred between the network interface adapters and the transfer adapters on each motherboard.
Binding commands provided by the network operating- software on each motherboard are used to disable all routing services such as Address Resolution Protocol (ARP), Routing Information Protocol (RIP) and Internet Control Message Protocol (ICMP) between network interface adapters 19, 22 and transfer adapters 16 and 18, respectively. Removal of the IP datagram headers and disabling the routing 2~~ services inhibits transmission of the physical addresses (also known as Media Access Control"
addresses for use with Ethernet cards) of devices connected to the private network.
Preferably, the network operating software used by network interface adapter 22 on public network motherboard 20 provides the ability to identify each user entering motherboard ;t0 with a node address specific to the user's physical location and/or the node address of the computer being used to attach.
38 When Ethernet cards are used for the transfer adapters, this information would be preserved. Use 'Z ~ a 2 ? ~ ~ rcr~s9sro~zss wo 96ns~
of the Ethernet cards would allow use of a node address as another security feature to inhibit multiple private network users from accessing motherboard 20 from other than their specific workstations. However, when ARCnet cards are used as the transfer adapters this function would not be available as the node address information would not be preserved.
Application program interface shims (API
shims) or Dynamic Link Libraries (DLL's) are used to permit users from private network '10 to link to motherboard 20 for further communication with the Internet. API shims and DLL's provide an alternative mechanism for passing executable code between the private network device known as a client workstation to motherboard 20 which functions as a server for applications or files communicating with the Internet.
Use of commercial API shims and DLL's such as Winsock Complaint Version l.lx (TM) series and the IPX ODI
connection between the transfer adapters 16 and 18 allows transfer of executable code required to execute the applications from motherboard 20.
In addition to the API shim or DLL used to pass executable code to motherboard 20, further client/server software is used such as NCSA Mosaic (TM), Cornell University CELLO (TM), Ameritech/NOTIS
WINGOPHER (TM), Pegasus EMAIL (TM) to provide Internet services to private network users by the public network motherboard 20. This allows users on the private network to use full Internet services such as the emulation protocols Telnet, Telnet 3270, Telnet 5250, and the transfer protocols HTTP, FTP, TFTP, anonymous FTP, SMTP, and POP3, to view the public Internet. However, such client/server software on motherboard 20 would not permit the unauthorized private network user on a LAN or WAN to access Unix wo ~ns~ rcr~s9sro~ZSs (R), or MVS (R) or VM (R) mainframe hosts on the private network because higher level emulation services such as Telnet whiclh are necessary to access them are disabled between transfer adapters 16 and 18.
Preferably, additional software is provided on motherboard 20 which includes virus screening and examination software; password software, which identifies potential holes in network security by scanning user and supervisor accounts for known weak passwords and allows encryption; auto logout software for inactive workstations; security and access auditing software, which allows auditing of specific users and workstations as well as directory and file access on the public network side, and also provides encryption between similarly configured security services on user workstations. Preferably, software that allows simultaneous encryption and nonencryption sessions such as PGP would also be installed on motherboard 20.
ZO For interconnection of multiple private or public computer networks a security system according to the present invention should be provided at the interface between each pair of computer networks. For example, When three computer networks are to be interconnected, a security system as embodied in FIG.
1 can be placed between private network 10 and each of the second and third computer networks.
An example of how the present invention can be used to direct communications between the private network and the public Internet while preventing public Internet users from obtaining critical addressing information necessary to communicate directly with workstations o:f the private network is as follows. Network interface adapter 19 of private network motherboard 12 receives a communication in TCP/IP format from ar, workstation on the private wo ~nszs3 2 ~ a 2 ~ ~ ?
network 10 requesting Internet access services.
Internet access services such as Telnet emulation protocols, file transfer protocols such as FTP, TFTP, and E-mail services, e.g. SMTP are provided by motherboard 20 to workstations connected to the private network through an API shim or DLL which is callable by motherboard 12 through the interface between transfer adapters 16 and 18.
The outgoing communication has an IP source address which identifies the workstation which originated the communication and an IP destination address which identifies network interface adapter 14. The communication is translated into Internet Packet Exchange (IPX) format for transmission to the 1~~ transfer adapter 16 on motherboard 12 for further transmission to transfer adapter 18 of public network motherboard 20. Translation of the communication into IPX format removes the original IP source and destination addresses from the communication. In addition, all routing services such as ARP, RIP and ICMP are disabled between the two motherboards, preventing the transmission of routing updates which link IP addresses of workstations connected to the private network with their corresponding physical z~~ addresses. In this Way, the outgoing communication from the private network does not provide addressing information which would enable public Internet users to communicate directly with workstations on the private network.
Motherboard 20 receives the IPX communication through transfer adapter 18 and retranslates it into a TCP/IP format communication having a TCP/IP source address, a subnetwork mask and a Domain Name which identifies network interface adapter 22 as the origin of the communication. The communication, prior to exiting motherboard 20 must pass through additional wo mszs3 rcrios9sro~zss 2~a2~~~
security software, e.g. password control, or security and access software. The communication is then transmitted to the Internet network and the response is awaited by motherboard 20. When a response is 5 received, motherboard 20 translates the response from TCP/IP format back into IPX format and transmits it through transfer adapter 18 to transfer adapter 16 back to motherboard 12. Motherboard 12 further translates the response back into TCP/IP format for 10 communication back to private network 10. The original IP source and destination addresses from the public network response are likewise removed in this translation process. Routing services are also disabled for inbound communications, thus preventing 15 the transmission of routing updates which link IP
addresses of devices connected to the public network With their corresponding physical addresses. Thus, the inbound communication from the public network does not provide addressing information to enable private network users to communicate directly With workstations on the private network. In this way, private network users are also prevented from obtaining addressing information for devices connected to the public network which would enable direct communication with them for the unauthorized exporting of data from the private network.
While the invention has been described in detail herein in accordance with certain preferred embodiments thereof, many modit:ications and changes therein may be effected by those skilled in the art.
Accordingly, it is intended by the appended claims to cover all such modification:. and changes as fall within the true spirit and scope of the invention.
Claims (13)
1. A security system for preventing unauthorized communications between a first network of computers interconnected for Internet Protocol (IP) communications and a second network of computers interconnected for IP
communications, while permitting application level communication services between computers connected to said first and said second networks, comprising:
a first network motherboard and a second network motherboard, said first and second network motherboards each having a network interface adapter for communication with said first and said second networks of computers, and for establishing a distinct subnetwork mask, respectively;
each of said network motherboards further having a transfer adapter for communication with said transfer adapter of said other network motherboard, said transfer adapters being identical and matched, each of said network motherboards having network operating software to assign a source address for IP protocol communication in accordance with a subnetwork mask established for one of said network motherboards which is different from the subnetwork mask established for the other of said network motherboards, said network operating software further including protocol conversion software to translate communications received by each said network interface adapter from said first or said second networks of computers, respectively, in IP
protocol format to non-IP protocol format for transmission between the transfer adapters of said first and said second network motherboards, whereby upper level layer protocol information and originating source and destination address information are removed from said communication and routing services communications from said first and second computer networks are prevented from being passed between said network interface adapter and said transfer adapter of each said network motherboard, and thence preventing unauthorized communications between computers connected to said first and said second computer networks; and at least one of said network motherboards having application programming interface (API) shim software for providing application level communication services to the computers connected to said at least one network motherboard notwithstanding the removal of said original source and destination address information, and the preventing of said routing services communications.
communications, while permitting application level communication services between computers connected to said first and said second networks, comprising:
a first network motherboard and a second network motherboard, said first and second network motherboards each having a network interface adapter for communication with said first and said second networks of computers, and for establishing a distinct subnetwork mask, respectively;
each of said network motherboards further having a transfer adapter for communication with said transfer adapter of said other network motherboard, said transfer adapters being identical and matched, each of said network motherboards having network operating software to assign a source address for IP protocol communication in accordance with a subnetwork mask established for one of said network motherboards which is different from the subnetwork mask established for the other of said network motherboards, said network operating software further including protocol conversion software to translate communications received by each said network interface adapter from said first or said second networks of computers, respectively, in IP
protocol format to non-IP protocol format for transmission between the transfer adapters of said first and said second network motherboards, whereby upper level layer protocol information and originating source and destination address information are removed from said communication and routing services communications from said first and second computer networks are prevented from being passed between said network interface adapter and said transfer adapter of each said network motherboard, and thence preventing unauthorized communications between computers connected to said first and said second computer networks; and at least one of said network motherboards having application programming interface (API) shim software for providing application level communication services to the computers connected to said at least one network motherboard notwithstanding the removal of said original source and destination address information, and the preventing of said routing services communications.
2. The security system of Claim 1 wherein said second computer network is public, and said second network motherboard has API shim software for providing application level communication services to the computers connected to said network interface adapter of said second network motherboard.
3. The security system of Claim 1 wherein each of said first and said second computer networks are private, and each of said network motherboards have API shim software for providing application level communication services to the computers connected to said network interface adapter of each said network motherboard.
4. The security system of Claim 1 wherein each of said network motherboards are located within a common unit and share a common power supply.
5. The security system of Claim 1 wherein each of said network motherboards includes a magnetic storage device and means for periodically backing up information from each said magnetic storage device to each other said magnetic storage device.
6. The security system of claim 5 wherein said magnetic storage devices are of equal capacity.
7. The security system of claim 1 wherein each of said network motherboards independently establishes a distinct Domain Name.
8. The security system of Claim 7 wherein each of said network motherboards independently establishes a distinct transport layer protocol TCP/IP address.
9. A method of preventing unauthorized communications between a first network of computers interconnected for Internet Protocol (IP) communications and a second network of computers interconnected for IP
communications, while permitting application level communication services between computers connected to said first and said second networks, comprising the steps of:
receiving, at a first motherboard from a first network of computers, a communication in IP protocol format;
translating said communication into non-IP
protocol format, whereby original source and destination address information are removed from said communication and routing services communications from said first computer network are prevented;
providing application programming interface (API) shim software to permit application level communications between said first and said second networks of computers, notwithstanding the removal of said original source and destination address information, and the preventing of said routing services communications;
transmitting said communication to a second motherboard;
retranslating, at said second motherboard, said communication into IP protocol format and assigning a source address to said communication in accordance with a subnetwork mask established by said second motherboard which is different from the subnetwork mask established for the IP protocol format communication as received by said first motherboard;
transmitting said retranslated communication to said second computer network;
whereby application level communications are permitted between computers connected to said first and said second computer networks, while users connected to said first or said second computer networks are prevented from obtaining routing services information and original source and destination address information pertaining to communications between computers connected to said first and said second computer networks, and thence unauthorized communications between computers connected to said first and said second computer networks are prevented.
communications, while permitting application level communication services between computers connected to said first and said second networks, comprising the steps of:
receiving, at a first motherboard from a first network of computers, a communication in IP protocol format;
translating said communication into non-IP
protocol format, whereby original source and destination address information are removed from said communication and routing services communications from said first computer network are prevented;
providing application programming interface (API) shim software to permit application level communications between said first and said second networks of computers, notwithstanding the removal of said original source and destination address information, and the preventing of said routing services communications;
transmitting said communication to a second motherboard;
retranslating, at said second motherboard, said communication into IP protocol format and assigning a source address to said communication in accordance with a subnetwork mask established by said second motherboard which is different from the subnetwork mask established for the IP protocol format communication as received by said first motherboard;
transmitting said retranslated communication to said second computer network;
whereby application level communications are permitted between computers connected to said first and said second computer networks, while users connected to said first or said second computer networks are prevented from obtaining routing services information and original source and destination address information pertaining to communications between computers connected to said first and said second computer networks, and thence unauthorized communications between computers connected to said first and said second computer networks are prevented.
10. The method of claim 9 further including the step of controlling, at said second network motherboard, access to said second computer network by devices connected to said first network motherboard.
11. The security system in accordance with Claim 1 wherein said application programming interface (API) shim software includes dynamic link library (DLL) software.
12. A security interconnection module for use in combination with a second interconnection module for providing application level communication services between a first network of computers interconnected for Internet Protocol (IP) communications and a second network of computers interconnected for IP
communications, while preventing unauthorized communications between computers of said first and second networks, comprising:
a network motherboard connected to said first network, said second interconnection module being connected for communication with said second network, said network motherboard including a network interface adapter for communication with said first network of computers, and for establishing a subnetwork mask distinct from the subnetwork mask established by said second interconnection module;
a first transfer adapter for communication with a second transfer adapter included in said second interconnection module, said first transfer adapter and said second transfer adapter being a matched pair;
said network motherboard having network operating software to assign a source address for IP
protocol communication in accordance with a subnetwork mask established for said network motherboard which is different from the subnetwork mask established for said other network motherboard, said network operating software further including protocol conversion software to translate communications received from said first network by said network interface adapter from IP
protocol format to non-IP protocol format for transmission to said second transfer adapter, thereby removing upper level layer protocol information, originating source and destination address information from said communication and routing services communications are prevented from being transmitted by said first transfer adapter to said second transfer adapter, and thence unauthorized communications between computers connected to said first and said second computer networks; and said network motherboard having application programming interface (API shim) software for providing application level communication services between the computers of said first and said second networks notwithstanding the removal of raid original source and destination address information, and the preventing of said routing services communications.
communications, while preventing unauthorized communications between computers of said first and second networks, comprising:
a network motherboard connected to said first network, said second interconnection module being connected for communication with said second network, said network motherboard including a network interface adapter for communication with said first network of computers, and for establishing a subnetwork mask distinct from the subnetwork mask established by said second interconnection module;
a first transfer adapter for communication with a second transfer adapter included in said second interconnection module, said first transfer adapter and said second transfer adapter being a matched pair;
said network motherboard having network operating software to assign a source address for IP
protocol communication in accordance with a subnetwork mask established for said network motherboard which is different from the subnetwork mask established for said other network motherboard, said network operating software further including protocol conversion software to translate communications received from said first network by said network interface adapter from IP
protocol format to non-IP protocol format for transmission to said second transfer adapter, thereby removing upper level layer protocol information, originating source and destination address information from said communication and routing services communications are prevented from being transmitted by said first transfer adapter to said second transfer adapter, and thence unauthorized communications between computers connected to said first and said second computer networks; and said network motherboard having application programming interface (API shim) software for providing application level communication services between the computers of said first and said second networks notwithstanding the removal of raid original source and destination address information, and the preventing of said routing services communications.
13. The security interconnection module in accordance with Claim 12 wherein said application programming interface (API) shim software includes Dynamic Link Library (DLL) software.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US08/350,541 US5550984A (en) | 1994-12-07 | 1994-12-07 | Security system for preventing unauthorized communications between networks by translating communications received in ip protocol to non-ip protocol to remove address and routing services information |
US08/350,541 | 1994-12-07 | ||
PCT/US1995/007285 WO1996018253A1 (en) | 1994-12-07 | 1995-06-08 | Security system for interconnected computer networks |
Publications (2)
Publication Number | Publication Date |
---|---|
CA2182777A1 CA2182777A1 (en) | 1996-06-13 |
CA2182777C true CA2182777C (en) | 2000-07-18 |
Family
ID=23377168
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA002182777A Expired - Fee Related CA2182777C (en) | 1994-12-07 | 1995-06-08 | Security system for interconnected computer networks |
Country Status (11)
Country | Link |
---|---|
US (1) | US5550984A (en) |
EP (1) | EP0744107A4 (en) |
JP (1) | JP3009737B2 (en) |
KR (1) | KR100225574B1 (en) |
CN (1) | CN1086086C (en) |
AU (1) | AU687575B2 (en) |
CA (1) | CA2182777C (en) |
IL (1) | IL114178A (en) |
RU (1) | RU2152691C1 (en) |
TW (1) | TW279292B (en) |
WO (1) | WO1996018253A1 (en) |
Families Citing this family (404)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5870474A (en) * | 1995-12-04 | 1999-02-09 | Scientific-Atlanta, Inc. | Method and apparatus for providing conditional access in connection-oriented, interactive networks with a multiplicity of service providers |
US5577209A (en) * | 1991-07-11 | 1996-11-19 | Itt Corporation | Apparatus and method for providing multi-level security for communication among computers and terminals on a network |
DE69331064T2 (en) * | 1992-12-14 | 2002-07-18 | Commw Of Australia Canberra | SECURITY OF AN ELECTRONIC MESSAGE |
US5864683A (en) | 1994-10-12 | 1999-01-26 | Secure Computing Corporartion | System for providing secure internetwork by connecting type enforcing secure computers to external network for limiting access to data based on user and process access rights |
US5675741A (en) * | 1994-10-25 | 1997-10-07 | Cabletron Systems, Inc. | Method and apparatus for determining a communications path between two nodes in an Internet Protocol (IP) network |
FR2727269B1 (en) * | 1994-11-21 | 1997-01-17 | Allegre Francois | ACCESS CONTROL SYSTEM FOR COMPUTER MACHINES CONNECTED IN A PRIVATE NETWORK |
US5819091A (en) * | 1994-12-22 | 1998-10-06 | Arendt; James Wendell | User level control of degree of client-side processing |
US5822324A (en) * | 1995-03-16 | 1998-10-13 | Bell Atlantic Network Services, Inc. | Simulcasting digital video programs for broadcast and interactive services |
US5651010A (en) * | 1995-03-16 | 1997-07-22 | Bell Atlantic Network Services, Inc. | Simultaneous overlapping broadcasting of digital programs |
US6246767B1 (en) | 1995-04-03 | 2001-06-12 | Scientific-Atlanta, Inc. | Source authentication of download information in a conditional access system |
US7224798B2 (en) * | 1995-04-03 | 2007-05-29 | Scientific-Atlanta, Inc. | Methods and apparatus for providing a partial dual-encrypted stream in a conditional access overlay system |
US20040136532A1 (en) * | 1995-04-03 | 2004-07-15 | Pinder Howard G. | Partial dual-encrypted stream utilizing program map tables |
US6937729B2 (en) * | 1995-04-03 | 2005-08-30 | Scientific-Atlanta, Inc. | Representing entitlements to service in a conditional access system |
US8548166B2 (en) | 1995-04-03 | 2013-10-01 | Anthony J. Wasilewski | Method for partially encrypting program data |
US6252964B1 (en) | 1995-04-03 | 2001-06-26 | Scientific-Atlanta, Inc. | Authorization of services in a conditional access system |
US5674003A (en) * | 1995-04-28 | 1997-10-07 | Andersen; David B. | Mechanisms for accessing unique features of telephony networks from a protocol-Independent data transport interface |
US5867660A (en) * | 1995-05-11 | 1999-02-02 | Bay Networks, Inc. | Method and apparatus for communicating between a network workstation and an internet |
US5802320A (en) * | 1995-05-18 | 1998-09-01 | Sun Microsystems, Inc. | System for packet filtering of data packets at a computer network interface |
JP3262689B2 (en) | 1995-05-19 | 2002-03-04 | 富士通株式会社 | Remote control system |
US5696898A (en) * | 1995-06-06 | 1997-12-09 | Lucent Technologies Inc. | System and method for database access control |
US7272639B1 (en) | 1995-06-07 | 2007-09-18 | Soverain Software Llc | Internet server access control and monitoring systems |
US6901433B2 (en) * | 1995-06-07 | 2005-05-31 | Microsoft Corporation | System for providing users with a filtered view of interactive network directory obtains from remote properties cache that provided by an on-line service |
US5742845A (en) | 1995-06-22 | 1998-04-21 | Datascape, Inc. | System for extending present open network communication protocols to communicate with non-standard I/O devices directly coupled to an open network |
US5657390A (en) * | 1995-08-25 | 1997-08-12 | Netscape Communications Corporation | Secure socket layer application program apparatus and method |
US5757924A (en) * | 1995-09-18 | 1998-05-26 | Digital Secured Networks Techolognies, Inc. | Network security device which performs MAC address translation without affecting the IP address |
US5889943A (en) * | 1995-09-26 | 1999-03-30 | Trend Micro Incorporated | Apparatus and method for electronic mail virus detection and elimination |
US5774670A (en) | 1995-10-06 | 1998-06-30 | Netscape Communications Corporation | Persistent client state in a hypertext transfer protocol based client-server system |
JP3982848B2 (en) * | 1995-10-19 | 2007-09-26 | 富士通株式会社 | Security level control device and network communication system |
US5724355A (en) * | 1995-10-24 | 1998-03-03 | At&T Corp | Network access to internet and stored multimedia services from a terminal supporting the H.320 protocol |
WO1997015885A1 (en) * | 1995-10-25 | 1997-05-01 | Open Market, Inc. | Managing transfers of information in a communications network |
US5680461A (en) * | 1995-10-26 | 1997-10-21 | Sun Microsystems, Inc. | Secure network protocol system and method |
US5793763A (en) * | 1995-11-03 | 1998-08-11 | Cisco Technology, Inc. | Security system for network address translation systems |
US7113508B1 (en) * | 1995-11-03 | 2006-09-26 | Cisco Technology, Inc. | Security system for network address translation systems |
US6571338B1 (en) * | 1995-12-20 | 2003-05-27 | Sun Microsystems Inc. | Maintaining packet security in a computer network |
JPH09186723A (en) * | 1995-12-29 | 1997-07-15 | Hitachi Ltd | Network communication processing system |
WO1997026734A1 (en) * | 1996-01-16 | 1997-07-24 | Raptor Systems, Inc. | Transferring encrypted packets over a public network |
WO1997026735A1 (en) * | 1996-01-16 | 1997-07-24 | Raptor Systems, Inc. | Key management for network communication |
US5781550A (en) * | 1996-02-02 | 1998-07-14 | Digital Equipment Corporation | Transparent and secure network gateway |
US5898830A (en) | 1996-10-17 | 1999-04-27 | Network Engineering Software | Firewall providing enhanced network security and user transparency |
US5826014A (en) * | 1996-02-06 | 1998-10-20 | Network Engineering Software | Firewall system for protecting network elements connected to a public network |
US5913024A (en) | 1996-02-09 | 1999-06-15 | Secure Computing Corporation | Secure server utilizing separate protocol stacks |
US5918018A (en) | 1996-02-09 | 1999-06-29 | Secure Computing Corporation | System and method for achieving network separation |
US5684951A (en) * | 1996-03-20 | 1997-11-04 | Synopsys, Inc. | Method and system for user authorization over a multi-user computer system |
US5740361A (en) * | 1996-06-03 | 1998-04-14 | Compuserve Incorporated | System for remote pass-phrase authentication |
US8229844B2 (en) | 1996-06-05 | 2012-07-24 | Fraud Control Systems.Com Corporation | Method of billing a purchase made over a computer network |
US7555458B1 (en) | 1996-06-05 | 2009-06-30 | Fraud Control System.Com Corporation | Method of billing a purchase made over a computer network |
US20030195847A1 (en) | 1996-06-05 | 2003-10-16 | David Felger | Method of billing a purchase made over a computer network |
US5812398A (en) * | 1996-06-10 | 1998-09-22 | Sun Microsystems, Inc. | Method and system for escrowed backup of hotelled world wide web sites |
US5894551A (en) * | 1996-06-14 | 1999-04-13 | Huggins; Frank | Single computer system having multiple security levels |
US5812668A (en) * | 1996-06-17 | 1998-09-22 | Verifone, Inc. | System, method and article of manufacture for verifying the operation of a remote transaction clearance system utilizing a multichannel, extensible, flexible architecture |
US5798706A (en) * | 1996-06-18 | 1998-08-25 | Raptor Systems, Inc. | Detecting unauthorized network communication |
US5903732A (en) * | 1996-07-03 | 1999-05-11 | Hewlett-Packard Company | Trusted gateway agent for web server programs |
US5805820A (en) * | 1996-07-15 | 1998-09-08 | At&T Corp. | Method and apparatus for restricting access to private information in domain name systems by redirecting query requests |
US5872847A (en) * | 1996-07-30 | 1999-02-16 | Itt Industries, Inc. | Using trusted associations to establish trust in a computer network |
US6993582B2 (en) * | 1996-07-30 | 2006-01-31 | Micron Technology Inc. | Mixed enclave operation in a computer network |
US6272538B1 (en) * | 1996-07-30 | 2001-08-07 | Micron Technology, Inc. | Method and system for establishing a security perimeter in computer networks |
CA2212121C (en) | 1996-08-02 | 2010-03-30 | Symbol Technologies, Inc. | Improvements in data retrieval |
US5828833A (en) * | 1996-08-15 | 1998-10-27 | Electronic Data Systems Corporation | Method and system for allowing remote procedure calls through a network firewall |
US6003084A (en) * | 1996-09-13 | 1999-12-14 | Secure Computing Corporation | Secure network proxy for connecting entities |
US5983350A (en) * | 1996-09-18 | 1999-11-09 | Secure Computing Corporation | Secure firewall supporting different levels of authentication based on address or encryption status |
US6072942A (en) * | 1996-09-18 | 2000-06-06 | Secure Computing Corporation | System and method of electronic mail filtering using interconnected nodes |
US5950195A (en) * | 1996-09-18 | 1999-09-07 | Secure Computing Corporation | Generalized security policy management system and method |
US5951698A (en) * | 1996-10-02 | 1999-09-14 | Trend Micro, Incorporated | System, apparatus and method for the detection and removal of viruses in macros |
US6968319B1 (en) * | 1996-10-18 | 2005-11-22 | Microsoft Corporation | Electronic bill presentment and payment system with bill dispute capabilities |
US6192407B1 (en) * | 1996-10-24 | 2001-02-20 | Tumbleweed Communications Corp. | Private, trackable URLs for directed document delivery |
US6502191B1 (en) | 1997-02-14 | 2002-12-31 | Tumbleweed Communications Corp. | Method and system for binary data firewall delivery |
US6385655B1 (en) | 1996-10-24 | 2002-05-07 | Tumbleweed Communications Corp. | Method and apparatus for delivering documents over an electronic network |
US5958015A (en) * | 1996-10-29 | 1999-09-28 | Abirnet Ltd. | Network session wall passively listening to communication session, with use of access rules, stops further communication between network devices by emulating messages to the devices |
US6690669B1 (en) * | 1996-11-01 | 2004-02-10 | Hitachi, Ltd. | Communicating method between IPv4 terminal and IPv6 terminal and IPv4-IPv6 converting apparatus |
CA2271687A1 (en) * | 1996-11-12 | 1998-05-22 | Paul W. Donahue | High bandwidth broadcast system having localized multicast access to broadcast content |
US6101180A (en) * | 1996-11-12 | 2000-08-08 | Starguide Digital Networks, Inc. | High bandwidth broadcast system having localized multicast access to broadcast content |
AU752757B2 (en) * | 1996-11-12 | 2002-09-26 | Starguide Digital Networks, Inc. | High bandwidth broadcast system having localized multicast access to boardcast content |
US5970149A (en) * | 1996-11-19 | 1999-10-19 | Johnson; R. Brent | Combined remote access and security system |
US6578146B2 (en) | 1996-11-19 | 2003-06-10 | R. Brent Johnson | System, method and article of manufacture to remotely configure and utilize an emulated device controller via an encrypted validation communication protocol |
US6499108B1 (en) | 1996-11-19 | 2002-12-24 | R. Brent Johnson | Secure electronic mail system |
US5878417A (en) * | 1996-11-20 | 1999-03-02 | International Business Machines Corporation | Method and apparatus for network security in browser based interfaces |
US7926097B2 (en) * | 1996-11-29 | 2011-04-12 | Ellis Iii Frampton E | Computer or microchip protected from the internet by internal hardware |
US7506020B2 (en) | 1996-11-29 | 2009-03-17 | Frampton E Ellis | Global network computers |
US7035906B1 (en) | 1996-11-29 | 2006-04-25 | Ellis Iii Frampton E | Global network computers |
US7805756B2 (en) | 1996-11-29 | 2010-09-28 | Frampton E Ellis | Microchips with inner firewalls, faraday cages, and/or photovoltaic cells |
US7634529B2 (en) * | 1996-11-29 | 2009-12-15 | Ellis Iii Frampton E | Personal and server computers having microchips with multiple processing units and internal firewalls |
US8312529B2 (en) | 1996-11-29 | 2012-11-13 | Ellis Frampton E | Global network computers |
US6732141B2 (en) * | 1996-11-29 | 2004-05-04 | Frampton Erroll Ellis | Commercial distributed processing by personal computers over the internet |
US6725250B1 (en) * | 1996-11-29 | 2004-04-20 | Ellis, Iii Frampton E. | Global network computers |
US20050180095A1 (en) * | 1996-11-29 | 2005-08-18 | Ellis Frampton E. | Global network computers |
US7024449B1 (en) | 1996-11-29 | 2006-04-04 | Ellis Iii Frampton E | Global network computers |
US6167428A (en) * | 1996-11-29 | 2000-12-26 | Ellis; Frampton E. | Personal computer microprocessor firewalls for internet distributed processing |
US8225003B2 (en) | 1996-11-29 | 2012-07-17 | Ellis Iii Frampton E | Computers and microchips with a portion protected by an internal hardware firewall |
US5778174A (en) * | 1996-12-10 | 1998-07-07 | U S West, Inc. | Method and system for providing secured access to a server connected to a private computer network |
US5915087A (en) * | 1996-12-12 | 1999-06-22 | Secure Computing Corporation | Transparent security proxy for unreliable message exchange protocols |
US5898831A (en) * | 1996-12-16 | 1999-04-27 | Motorola, Inc. | Interactive appliance security system and method |
US5864666A (en) * | 1996-12-23 | 1999-01-26 | International Business Machines Corporation | Web-based administration of IP tunneling on internet firewalls |
US6041355A (en) | 1996-12-27 | 2000-03-21 | Intel Corporation | Method for transferring data between a network of computers dynamically based on tag information |
US6832256B1 (en) * | 1996-12-27 | 2004-12-14 | Intel Corporation | Firewalls that filter based upon protocol commands |
IL130774A0 (en) | 1997-01-03 | 2001-01-28 | Fortress Technologies Inc | Improved network security device |
WO1998031124A1 (en) * | 1997-01-10 | 1998-07-16 | Hanson Gordon L | Reverse proxy server |
US5961593A (en) * | 1997-01-22 | 1999-10-05 | Lucent Technologies, Inc. | System and method for providing anonymous personalized browsing by a proxy system in a network |
US6055575A (en) * | 1997-01-28 | 2000-04-25 | Ascend Communications, Inc. | Virtual private network system and method |
US6549952B1 (en) | 1997-01-28 | 2003-04-15 | International Business Machines Corporation | Passing environment variables from an hypertext protocol server application programming interface |
US5896499A (en) * | 1997-02-21 | 1999-04-20 | International Business Machines Corporation | Embedded security processor |
US6169805B1 (en) | 1997-02-28 | 2001-01-02 | International Business Machines Corporation | System and method of operation for providing user's security on-demand over insecure networks |
EP0968596B1 (en) | 1997-03-12 | 2007-07-18 | Nomadix, Inc. | Nomadic translator or router |
GB2323246B (en) | 1997-03-15 | 2002-03-20 | Ibm | Internet telephony signal conversion |
US6075796A (en) | 1997-03-17 | 2000-06-13 | At&T | Methods and apparatus for providing improved quality of packet transmission in applications such as internet telephony |
US6032193A (en) * | 1997-03-20 | 2000-02-29 | Niobrara Research And Development Corporation | Computer system having virtual circuit address altered by local computer to switch to different physical data link to increase data transmission bandwidth |
US6154843A (en) * | 1997-03-21 | 2000-11-28 | Microsoft Corporation | Secure remote access computing system |
US6061448A (en) * | 1997-04-01 | 2000-05-09 | Tumbleweed Communications Corp. | Method and system for dynamic server document encryption |
US6260148B1 (en) | 1997-04-04 | 2001-07-10 | Microsoft Corporation | Methods and systems for message forwarding and property notifications using electronic subscriptions |
US5943478A (en) | 1997-04-04 | 1999-08-24 | Flash Communications, Inc. | System for immediate popup messaging across the internet |
US6067579A (en) * | 1997-04-22 | 2000-05-23 | Bull Hn Information Systems Inc. | Method for reducing message translation and traffic through intermediate applications and systems in an internet application |
US6108786A (en) * | 1997-04-25 | 2000-08-22 | Intel Corporation | Monitor network bindings for computer security |
US6205489B1 (en) | 1999-01-05 | 2001-03-20 | Whowhere, Inc. | Method for providing an internet protocol address with a domain name server |
US5805803A (en) * | 1997-05-13 | 1998-09-08 | Digital Equipment Corporation | Secure web tunnel |
US5861883A (en) * | 1997-05-13 | 1999-01-19 | International Business Machines Corp. | Method and system for portably enabling awareness, touring, and conferencing over the world-wide web using proxies and shared-state servers |
US6172986B1 (en) * | 1997-05-13 | 2001-01-09 | Hitachi, Ltd. | Mobile node, mobile agent and network system |
US6868089B1 (en) * | 1997-05-13 | 2005-03-15 | Hitachi, Ltd. | Mobile node, mobile agent-and network system |
DE19722915A1 (en) * | 1997-05-31 | 1998-12-03 | Alsthom Cge Alcatel | Digital decoder of a transmission system |
US5982783A (en) * | 1997-06-16 | 1999-11-09 | Lucent Technologies Inc. | Switch distribution via an intermediary switching network |
US7515712B2 (en) * | 1997-08-01 | 2009-04-07 | Cisco Technology, Inc. | Mechanism and apparatus for encapsulation of entitlement authorization in conditional access system |
US6061796A (en) * | 1997-08-26 | 2000-05-09 | V-One Corporation | Multi-access virtual private network |
NO305420B1 (en) * | 1997-09-02 | 1999-05-25 | Ericsson Telefon Ab L M | Device by computer communication system, especially by communication through firewalls |
US6128603A (en) * | 1997-09-09 | 2000-10-03 | Dent; Warren T. | Consumer-based system and method for managing and paying electronic billing statements |
IL126149A (en) | 1997-09-09 | 2003-07-31 | Sanctum Ltd | Method and system for protecting operations of trusted internal networks |
US7143438B1 (en) * | 1997-09-12 | 2006-11-28 | Lucent Technologies Inc. | Methods and apparatus for a computer network firewall with multiple domain support |
US6671810B1 (en) | 1997-09-18 | 2003-12-30 | Intel Corporation | Method and system for establishing secure communication over computer networks |
US6651166B1 (en) | 1998-04-09 | 2003-11-18 | Tumbleweed Software Corp. | Sender driven certification enrollment system |
WO1999023538A1 (en) * | 1997-10-28 | 1999-05-14 | Georgia Tech Research Corporation | Adaptive data security system and method |
US6275855B1 (en) | 1997-11-02 | 2001-08-14 | R. Brent Johnson | System, method and article of manufacture to enhance computerized alert system information awareness and facilitate real-time intervention services |
US6321374B1 (en) | 1997-11-07 | 2001-11-20 | International Business Machines Corporation | Application-independent generator to generate a database transaction manager in heterogeneous information systems |
US6061739A (en) * | 1997-11-26 | 2000-05-09 | International Business Machines Corp. | Network address assignment using physical address resolution protocols |
CN1282427A (en) * | 1997-12-19 | 2001-01-31 | 弗兰普顿·E·埃利斯三世 | Firewall security protection of parallel processing in global computer networking environment |
US9900305B2 (en) | 1998-01-12 | 2018-02-20 | Soverain Ip, Llc | Internet server access control and monitoring systems |
US6205551B1 (en) | 1998-01-29 | 2001-03-20 | Lucent Technologies Inc. | Computer security using virus probing |
US6353614B1 (en) | 1998-03-05 | 2002-03-05 | 3Com Corporation | Method and protocol for distributed network address translation |
US7032242B1 (en) | 1998-03-05 | 2006-04-18 | 3Com Corporation | Method and system for distributed network address translation with network security features |
US7450560B1 (en) | 1998-03-05 | 2008-11-11 | 3Com Corporation | Method for address mapping in a network access system and a network access device for use therewith |
US6055236A (en) * | 1998-03-05 | 2000-04-25 | 3Com Corporation | Method and system for locating network services with distributed network address translation |
US6321336B1 (en) | 1998-03-13 | 2001-11-20 | Secure Computing Corporation | System and method for redirecting network traffic to provide secure communication |
US6453419B1 (en) | 1998-03-18 | 2002-09-17 | Secure Computing Corporation | System and method for implementing a security policy |
US6182226B1 (en) | 1998-03-18 | 2001-01-30 | Secure Computing Corporation | System and method for controlling interactions between networks |
US6141755A (en) * | 1998-04-13 | 2000-10-31 | The United States Of America As Represented By The Director Of The National Security Agency | Firewall security apparatus for high-speed circuit switched networks |
US6865672B1 (en) | 1998-05-18 | 2005-03-08 | Spearhead Technologies, Ltd. | System and method for securing a computer communication network |
US6411604B1 (en) | 1998-06-05 | 2002-06-25 | Inet Technologies, Inc. | System and method for correlating transaction messages in a communications network |
US6614894B1 (en) | 1998-06-05 | 2003-09-02 | Inet Technologies, Inc. | System and method for mass call onset detection in a communications network |
US6529594B1 (en) | 1998-06-05 | 2003-03-04 | Inet Technologies, Inc. | System and method for generating quality of service statistics for an international communications network |
US20050197957A1 (en) * | 1998-06-08 | 2005-09-08 | Microsoft Corporation | Parcel manager for distributed electronic billing system |
US6249572B1 (en) | 1998-06-08 | 2001-06-19 | Inet Technologies, Inc. | Transaction control application part (TCAP) call detail record generation in a communications network |
US6381306B1 (en) | 1998-06-08 | 2002-04-30 | Inet Technologies, Inc. | System and method for monitoring service quality in a communications network |
US6359976B1 (en) | 1998-06-08 | 2002-03-19 | Inet Technologies, Inc. | System and method for monitoring service quality in a communications network |
US20020065772A1 (en) * | 1998-06-08 | 2002-05-30 | Saliba Bassam A. | System, method and program for network user access |
WO1999066383A2 (en) * | 1998-06-15 | 1999-12-23 | Dmw Worldwide, Inc. | Method and apparatus for assessing the security of a computer system |
US6311269B2 (en) | 1998-06-15 | 2001-10-30 | Lockheed Martin Corporation | Trusted services broker for web page fine-grained security labeling |
US6182227B1 (en) | 1998-06-22 | 2001-01-30 | International Business Machines Corporation | Lightweight authentication system and method for validating a server access request |
DE19929515A1 (en) * | 1998-07-01 | 2000-01-05 | Nat Semiconductor Corp | Network device for achieving secure connection access to equipment in local network |
US6269099B1 (en) | 1998-07-01 | 2001-07-31 | 3Com Corporation | Protocol and method for peer network device discovery |
DE19831190C1 (en) * | 1998-07-11 | 1999-10-28 | Tracto Technik | Appliance for dividing subterranean pipes and laying of new ones etc. |
US6151675A (en) * | 1998-07-23 | 2000-11-21 | Tumbleweed Software Corporation | Method and apparatus for effecting secure document format conversion |
FR2781952B1 (en) * | 1998-07-28 | 2000-09-08 | Cegelec | METHOD FOR ALLOCATING COMPUTER ADDRESSES BETWEEN UNITS OF AN INDUSTRIAL INSTALLATION CONDUCT SYSTEM |
US6771597B2 (en) | 1998-07-31 | 2004-08-03 | International Business Machines Corporation | Method and apparatus for transmitting messages |
US6483912B1 (en) * | 1998-08-04 | 2002-11-19 | At&T Corp. | Method for allocating network resources |
US6553417B1 (en) | 1998-08-05 | 2003-04-22 | International Business Machines Corporation | Internet data access acknowledgment applet and method |
US6088796A (en) * | 1998-08-06 | 2000-07-11 | Cianfrocca; Francis | Secure middleware and server control system for querying through a network firewall |
US6717949B1 (en) | 1998-08-31 | 2004-04-06 | International Business Machines Corporation | System and method for IP network address translation using selective masquerade |
WO2000016206A1 (en) * | 1998-09-10 | 2000-03-23 | Sanctum Ltd. | Method and system for protecting operations of trusted internal networks |
US6378074B1 (en) | 1998-10-05 | 2002-04-23 | Sentry Technologies Pte Ltd | Method for security partitioning of a computer system |
US6675226B1 (en) * | 1998-11-17 | 2004-01-06 | Rockwell Automation Technologies, Inc. | Network interface for industrial controller providing application programmer interface |
US7194554B1 (en) | 1998-12-08 | 2007-03-20 | Nomadix, Inc. | Systems and methods for providing dynamic network authorization authentication and accounting |
US8713641B1 (en) | 1998-12-08 | 2014-04-29 | Nomadix, Inc. | Systems and methods for authorizing, authenticating and accounting users having transparent computer access to a network using a gateway device |
US8266266B2 (en) | 1998-12-08 | 2012-09-11 | Nomadix, Inc. | Systems and methods for providing dynamic network authorization, authentication and accounting |
US7107614B1 (en) | 1999-01-29 | 2006-09-12 | International Business Machines Corporation | System and method for network address translation integration with IP security |
US6615357B1 (en) | 1999-01-29 | 2003-09-02 | International Business Machines Corporation | System and method for network address translation integration with IP security |
US7917744B2 (en) * | 1999-02-03 | 2011-03-29 | Cybersoft, Inc. | Apparatus and methods for intercepting, examining and controlling code, data and files and their transfer in instant messaging and peer-to-peer applications |
US6763467B1 (en) | 1999-02-03 | 2004-07-13 | Cybersoft, Inc. | Network traffic intercepting method and system |
US7389540B2 (en) * | 1999-02-03 | 2008-06-17 | Cybersoft, Inc. | Apparatus and methods for intercepting, examining and controlling code, data and files and their transfer |
EP1159816B1 (en) * | 1999-03-10 | 2003-11-12 | Inet Technologies, Inc. | System and method for protecting networks from inadvertent, fraudulent and/or malicious signaling |
US6434627B1 (en) | 1999-03-15 | 2002-08-13 | Cisco Technology, Inc. | IP network for accomodating mobile users with incompatible network addressing |
US7904951B1 (en) | 1999-03-16 | 2011-03-08 | Novell, Inc. | Techniques for securely accelerating external domains locally |
US6081900A (en) | 1999-03-16 | 2000-06-27 | Novell, Inc. | Secure intranet access |
US8060926B1 (en) | 1999-03-16 | 2011-11-15 | Novell, Inc. | Techniques for securely managing and accelerating data delivery |
SE521144C2 (en) * | 1999-03-17 | 2003-10-07 | Ericsson Telefon Ab L M | Device and method connecting the Internet with one or more intranets and / or extranets |
US7349391B2 (en) * | 1999-03-19 | 2008-03-25 | F5 Networks, Inc. | Tunneling between a bus and a network |
US7505455B1 (en) | 1999-03-19 | 2009-03-17 | F5 Networks, Inc. | Optimizations for tunneling between a bus and a network |
US6393484B1 (en) * | 1999-04-12 | 2002-05-21 | International Business Machines Corp. | System and method for controlled access to shared-medium public and semi-public internet protocol (IP) networks |
US6731642B1 (en) | 1999-05-03 | 2004-05-04 | 3Com Corporation | Internet telephony using network address translation |
JP3136140B2 (en) * | 1999-06-03 | 2001-02-19 | 松下電送システム株式会社 | Internet-connected SOHO gateway device |
US6957346B1 (en) * | 1999-06-15 | 2005-10-18 | Ssh Communications Security Ltd. | Method and arrangement for providing security through network address translations using tunneling and compensations |
US6584508B1 (en) * | 1999-07-13 | 2003-06-24 | Networks Associates Technology, Inc. | Advanced data guard having independently wrapped components |
US7339690B2 (en) * | 1999-07-14 | 2008-03-04 | Fargo Electronics, Inc. | Identification card printer with client/server |
US8520068B2 (en) * | 1999-07-20 | 2013-08-27 | Comcast Cable Communications, Llc | Video security system |
US6690411B2 (en) | 1999-07-20 | 2004-02-10 | @Security Broadband Corp. | Security system |
US9300921B2 (en) | 1999-07-20 | 2016-03-29 | Comcast Cable Communications, Llc | Video security systems and methods |
US7015806B2 (en) * | 1999-07-20 | 2006-03-21 | @Security Broadband Corporation | Distributed monitoring for a video security system |
KR20010011667A (en) * | 1999-07-29 | 2001-02-15 | 이종우 | Keyboard having secure function and system using the same |
US6356529B1 (en) * | 1999-08-12 | 2002-03-12 | Converse, Ltd. | System and method for rapid wireless application protocol translation |
US6523068B1 (en) | 1999-08-27 | 2003-02-18 | 3Com Corporation | Method for encapsulating and transmitting a message includes private and forwarding network addresses with payload to an end of a tunneling association |
US6496867B1 (en) | 1999-08-27 | 2002-12-17 | 3Com Corporation | System and method to negotiate private network addresses for initiating tunneling associations through private and/or public networks |
GB2354847A (en) | 1999-09-28 | 2001-04-04 | Ibm | Publish/subscribe data processing with subscription points for customised message processing |
US7454791B1 (en) * | 1999-09-23 | 2008-11-18 | International Business Machines Corporation | Method and system for checking the security on a distributed computing environment |
US8190708B1 (en) | 1999-10-22 | 2012-05-29 | Nomadix, Inc. | Gateway device having an XML interface and associated method |
US6781982B1 (en) * | 1999-10-26 | 2004-08-24 | 3Com Corporation | Method and system for allocating persistent private network addresses between private networks |
US6768743B1 (en) | 1999-10-26 | 2004-07-27 | 3Com Corporation | Method and system for address server redirection for multiple address networks |
US6708219B1 (en) | 1999-10-26 | 2004-03-16 | 3Com Corporation | Method and system for dual-network address utilization |
US6675193B1 (en) | 1999-10-29 | 2004-01-06 | Invensys Software Systems | Method and system for remote control of a local system |
IL133116A0 (en) * | 1999-11-24 | 2001-03-19 | Net Safe Comm Ltd | Method and apparatus for providing secure multiple-network access at a single workstation |
US6728886B1 (en) * | 1999-12-01 | 2004-04-27 | Trend Micro Incorporated | Distributed virus scanning arrangements and methods therefor |
US6996621B1 (en) | 1999-12-07 | 2006-02-07 | 3Com Corporation | Method for supporting secondary address delivery on remote access servers |
US20010025377A1 (en) * | 1999-12-30 | 2001-09-27 | Hinderks Larry W. | High bandwidth transmission system and method having local insertion, delay play and demand play |
AU2758201A (en) * | 2000-01-04 | 2001-07-16 | Ma'at | System and method for anonymous observation and use of premium content |
US7324948B2 (en) * | 2000-01-14 | 2008-01-29 | Carl Teo Balbach | Context-specific contact information |
US7089588B2 (en) * | 2000-01-19 | 2006-08-08 | Reynolds And Reynolds Holdings, Inc. | Performance path method and apparatus for exchanging data among systems using different data formats |
US7822683B2 (en) * | 2000-01-21 | 2010-10-26 | Microsoft Corporation | System and method for secure third-party development and hosting within a financial services network |
US7171492B1 (en) | 2000-02-24 | 2007-01-30 | Utstarcom, Inc. | Method and application programming interface for assigning multiple network addresses |
US6990481B1 (en) * | 2000-02-25 | 2006-01-24 | Coraid, Inc. | System and method for content management over network storage devices |
US6948074B1 (en) | 2000-03-09 | 2005-09-20 | 3Com Corporation | Method and system for distributed generation of unique random numbers for digital tokens |
US7127526B1 (en) * | 2000-03-20 | 2006-10-24 | Nortel Networks Limited | Method and apparatus for dynamically loading and managing software services on a network device |
US6353891B1 (en) | 2000-03-20 | 2002-03-05 | 3Com Corporation | Control channel security for realm specific internet protocol |
US6631417B1 (en) | 2000-03-29 | 2003-10-07 | Iona Technologies Plc | Methods and apparatus for securing access to a computer |
US7814208B2 (en) * | 2000-04-11 | 2010-10-12 | Science Applications International Corporation | System and method for projecting content beyond firewalls |
US6578140B1 (en) * | 2000-04-13 | 2003-06-10 | Claude M Policard | Personal computer having a master computer system and an internet computer system and monitoring a condition of said master and internet computer systems |
US7146422B1 (en) | 2000-05-01 | 2006-12-05 | Intel Corporation | Method and apparatus for validating documents based on a validation template |
US6732175B1 (en) | 2000-04-13 | 2004-05-04 | Intel Corporation | Network apparatus for switching based on content of application data |
US6718385B1 (en) * | 2000-05-19 | 2004-04-06 | Galaxy Computer Services, Inc. | System for controlling movement of information using an information diode between a source network and a destination network |
US20040073617A1 (en) | 2000-06-19 | 2004-04-15 | Milliken Walter Clark | Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail |
US7441270B1 (en) | 2000-07-06 | 2008-10-21 | Intel Corporation | Connectivity in the presence of barriers |
AU2001273489A1 (en) * | 2000-07-28 | 2002-02-13 | Dialpad Communications, Inc. | Data exchange with computers within a secure network |
US6668282B1 (en) | 2000-08-02 | 2003-12-23 | International Business Machines Corporation | System and method to monitor and determine if an active IPSec tunnel has become disabled |
US6915436B1 (en) | 2000-08-02 | 2005-07-05 | International Business Machines Corporation | System and method to verify availability of a back-up secure tunnel |
US20020032871A1 (en) * | 2000-09-08 | 2002-03-14 | The Regents Of The University Of Michigan | Method and system for detecting, tracking and blocking denial of service attacks over a computer network |
US20020035698A1 (en) * | 2000-09-08 | 2002-03-21 | The Regents Of The University Of Michigan | Method and system for protecting publicly accessible network computer services from undesirable network traffic in real-time |
CA2433192A1 (en) * | 2000-09-29 | 2002-04-04 | Electronic Data Systems Corporation | Computer program for maintaining persistent firewall-compliant connections |
US7028051B1 (en) * | 2000-09-29 | 2006-04-11 | Ugs Corp. | Method of real-time business collaboration |
US7218634B1 (en) * | 2000-10-10 | 2007-05-15 | Nortel Networks Limited | Assisted power-up and hand-off system and method |
US6993506B2 (en) | 2000-12-05 | 2006-01-31 | Jgr Acquisition, Inc. | Method and device utilizing polymorphic data in e-commerce |
JP2002197051A (en) * | 2000-12-11 | 2002-07-12 | Internatl Business Mach Corp <Ibm> | Selection method for communication adapter for determining communication destination, setting method for communication adapter, computer system, portable information device, and storage medium |
US6980564B1 (en) * | 2001-01-02 | 2005-12-27 | Nortel Networks Limited | Modular data communication equipment system |
US8510476B2 (en) * | 2001-02-15 | 2013-08-13 | Brooks Automation, Inc. | Secure remote diagnostic customer support network |
US7404212B2 (en) * | 2001-03-06 | 2008-07-22 | Cybersoft, Inc. | Apparatus and methods for intercepting, examining and controlling code, data and files and their transfer |
US7512407B2 (en) * | 2001-03-26 | 2009-03-31 | Tencent (Bvi) Limited | Instant messaging system and method |
US7730528B2 (en) * | 2001-06-01 | 2010-06-01 | Symantec Corporation | Intelligent secure data manipulation apparatus and method |
WO2003009563A1 (en) * | 2001-07-20 | 2003-01-30 | Cyberdfnz Inc. | Processes and systems for secured information exchange using computer hardware |
US7293179B2 (en) * | 2001-08-01 | 2007-11-06 | Johnson R Brent | System and method for virtual tape management with remote archival and retrieval via an encrypted validation communication protocol |
US7308710B2 (en) * | 2001-09-28 | 2007-12-11 | Jp Morgan Chase Bank | Secured FTP architecture |
US20030105830A1 (en) * | 2001-12-03 | 2003-06-05 | Duc Pham | Scalable network media access controller and methods |
EP1320239B1 (en) * | 2001-12-13 | 2007-02-07 | Sony Corporation | System and method for access control in storage area networks |
US7986937B2 (en) * | 2001-12-20 | 2011-07-26 | Microsoft Corporation | Public access point |
US7188364B2 (en) * | 2001-12-20 | 2007-03-06 | Cranite Systems, Inc. | Personal virtual bridged local area networks |
US7120791B2 (en) * | 2002-01-25 | 2006-10-10 | Cranite Systems, Inc. | Bridged cryptographic VLAN |
US7334049B1 (en) * | 2001-12-21 | 2008-02-19 | Cisco Technology, Inc. | Apparatus and methods for performing network address translation (NAT) in a fully connected mesh with NAT virtual interface (NVI) |
US6658091B1 (en) * | 2002-02-01 | 2003-12-02 | @Security Broadband Corp. | LIfestyle multimedia security system |
US7430762B2 (en) | 2002-03-01 | 2008-09-30 | Fargo Electronics, Inc. | Identification card manufacturing security |
US7693947B2 (en) | 2002-03-08 | 2010-04-06 | Mcafee, Inc. | Systems and methods for graphically displaying messaging traffic |
US6941467B2 (en) | 2002-03-08 | 2005-09-06 | Ciphertrust, Inc. | Systems and methods for adaptive message interrogation through multiple queues |
US7458098B2 (en) | 2002-03-08 | 2008-11-25 | Secure Computing Corporation | Systems and methods for enhancing electronic communication security |
US8132250B2 (en) | 2002-03-08 | 2012-03-06 | Mcafee, Inc. | Message profiling systems and methods |
US7870203B2 (en) | 2002-03-08 | 2011-01-11 | Mcafee, Inc. | Methods and systems for exposing messaging reputation to an end user |
US20060015942A1 (en) | 2002-03-08 | 2006-01-19 | Ciphertrust, Inc. | Systems and methods for classification of messaging entities |
US7694128B2 (en) | 2002-03-08 | 2010-04-06 | Mcafee, Inc. | Systems and methods for secure communication delivery |
US8561167B2 (en) | 2002-03-08 | 2013-10-15 | Mcafee, Inc. | Web reputation scoring |
US7903549B2 (en) | 2002-03-08 | 2011-03-08 | Secure Computing Corporation | Content-based policy compliance systems and methods |
US7124438B2 (en) * | 2002-03-08 | 2006-10-17 | Ciphertrust, Inc. | Systems and methods for anomaly detection in patterns of monitored communications |
US8578480B2 (en) | 2002-03-08 | 2013-11-05 | Mcafee, Inc. | Systems and methods for identifying potentially malicious messages |
US20030172291A1 (en) | 2002-03-08 | 2003-09-11 | Paul Judge | Systems and methods for automated whitelisting in monitored communications |
US6868493B2 (en) * | 2002-03-13 | 2005-03-15 | Honeywell International, Inc. | System and method for panel linking in a security system |
US20030177387A1 (en) * | 2002-03-15 | 2003-09-18 | Cyrill Osterwalder | Secured web entry server |
JP4848130B2 (en) * | 2002-06-21 | 2011-12-28 | トムソン ライセンシング | Broadcast router with shared configuration repository |
US6931530B2 (en) | 2002-07-22 | 2005-08-16 | Vormetric, Inc. | Secure network file access controller implementing access control and auditing |
US7334124B2 (en) * | 2002-07-22 | 2008-02-19 | Vormetric, Inc. | Logical access block processing protocol for transparent secure file storage |
US6678828B1 (en) * | 2002-07-22 | 2004-01-13 | Vormetric, Inc. | Secure network file access control system |
US20040030904A1 (en) * | 2002-08-12 | 2004-02-12 | Zeromile Corp. | Novel method and system for using optical disk drive as biometric card reader for secure online user authentication |
US8260593B2 (en) | 2002-09-18 | 2012-09-04 | Siemens Product Lifecycle Management Software Inc. | System and method for simulating human movement |
US7143288B2 (en) * | 2002-10-16 | 2006-11-28 | Vormetric, Inc. | Secure file system server architecture and methods |
US7620815B2 (en) | 2003-02-21 | 2009-11-17 | Fargo Electronics, Inc. | Credential production using a secured consumable supply |
US7864780B1 (en) | 2003-04-29 | 2011-01-04 | Cisco Technology, Inc. | Apparatus and methods for handling name resolution over IPV6 using NAT-PT and DNS-ALG |
JP4430666B2 (en) * | 2003-05-02 | 2010-03-10 | ギリテック アクティーゼルスカブ | Extensive user-centric network security realized by dynamic datagram switch over mobile intelligent data carrier and on-demand authentication and encryption scheme |
EP1480406A1 (en) * | 2003-05-19 | 2004-11-24 | Sony International (Europe) GmbH | Confinement of data transfers to a local area network |
WO2005010644A2 (en) * | 2003-07-31 | 2005-02-03 | Eutech Cybernetics Pte Ltd | System and method for increased network security |
US7715326B2 (en) * | 2003-08-22 | 2010-05-11 | Eutech Cybernetics Pte. Ltd. | Webserver alternative for increased security |
US8788823B1 (en) | 2003-09-03 | 2014-07-22 | Cisco Technology, Inc. | System and method for filtering network traffic |
US7343485B1 (en) * | 2003-09-03 | 2008-03-11 | Cisco Technology, Inc. | System and method for maintaining protocol status information in a network device |
WO2005026908A2 (en) * | 2003-09-11 | 2005-03-24 | Fargo Electronics, Inc. | Identification card manufacturing system supply ordering and diagnostic report |
US8396216B2 (en) | 2003-11-21 | 2013-03-12 | Howard G. Pinder | Partial dual-encryption using program map tables |
US7305552B2 (en) * | 2003-11-26 | 2007-12-04 | Siemens Communications, Inc. | Screen saver displaying identity content |
US8065720B1 (en) | 2004-01-06 | 2011-11-22 | Novell, Inc. | Techniques for managing secure communications |
US11277465B2 (en) | 2004-03-16 | 2022-03-15 | Icontrol Networks, Inc. | Generating risk profile using data of home monitoring and security system |
US10375253B2 (en) | 2008-08-25 | 2019-08-06 | Icontrol Networks, Inc. | Security system with networked touchscreen and gateway |
US10382452B1 (en) | 2007-06-12 | 2019-08-13 | Icontrol Networks, Inc. | Communication protocols in integrated systems |
US10127802B2 (en) | 2010-09-28 | 2018-11-13 | Icontrol Networks, Inc. | Integrated security system with parallel processing architecture |
US9141276B2 (en) | 2005-03-16 | 2015-09-22 | Icontrol Networks, Inc. | Integrated interface for mobile device |
US9191228B2 (en) | 2005-03-16 | 2015-11-17 | Icontrol Networks, Inc. | Cross-client sensor user interface in an integrated security network |
US7711796B2 (en) | 2006-06-12 | 2010-05-04 | Icontrol Networks, Inc. | Gateway registry methods and systems |
US11159484B2 (en) | 2004-03-16 | 2021-10-26 | Icontrol Networks, Inc. | Forming a security network including integrated security system components and network devices |
US10339791B2 (en) | 2007-06-12 | 2019-07-02 | Icontrol Networks, Inc. | Security network integrated with premise security system |
US11489812B2 (en) | 2004-03-16 | 2022-11-01 | Icontrol Networks, Inc. | Forming a security network including integrated security system components and network devices |
US11811845B2 (en) | 2004-03-16 | 2023-11-07 | Icontrol Networks, Inc. | Communication protocols over internet protocol (IP) networks |
US11113950B2 (en) | 2005-03-16 | 2021-09-07 | Icontrol Networks, Inc. | Gateway integrated with premises security system |
US11916870B2 (en) | 2004-03-16 | 2024-02-27 | Icontrol Networks, Inc. | Gateway registry methods and systems |
US10237237B2 (en) | 2007-06-12 | 2019-03-19 | Icontrol Networks, Inc. | Communication protocols in integrated systems |
US8988221B2 (en) | 2005-03-16 | 2015-03-24 | Icontrol Networks, Inc. | Integrated security system with parallel processing architecture |
US11582065B2 (en) | 2007-06-12 | 2023-02-14 | Icontrol Networks, Inc. | Systems and methods for device communication |
US9531593B2 (en) | 2007-06-12 | 2016-12-27 | Icontrol Networks, Inc. | Takeover processes in security network integrated with premise security system |
US10522026B2 (en) | 2008-08-11 | 2019-12-31 | Icontrol Networks, Inc. | Automation system user interface with three-dimensional display |
US20160065414A1 (en) | 2013-06-27 | 2016-03-03 | Ken Sundermeyer | Control system user interface |
US20120066608A1 (en) | 2005-03-16 | 2012-03-15 | Ken Sundermeyer | Control system user interface |
US11244545B2 (en) | 2004-03-16 | 2022-02-08 | Icontrol Networks, Inc. | Cross-client sensor user interface in an integrated security network |
US8963713B2 (en) | 2005-03-16 | 2015-02-24 | Icontrol Networks, Inc. | Integrated security network with security alarm signaling system |
US10200504B2 (en) | 2007-06-12 | 2019-02-05 | Icontrol Networks, Inc. | Communication protocols over internet protocol (IP) networks |
US10142392B2 (en) | 2007-01-24 | 2018-11-27 | Icontrol Networks, Inc. | Methods and systems for improved system performance |
US10721087B2 (en) | 2005-03-16 | 2020-07-21 | Icontrol Networks, Inc. | Method for networked touchscreen with integrated interfaces |
US11343380B2 (en) | 2004-03-16 | 2022-05-24 | Icontrol Networks, Inc. | Premises system automation |
US10444964B2 (en) | 2007-06-12 | 2019-10-15 | Icontrol Networks, Inc. | Control system user interface |
US9729342B2 (en) | 2010-12-20 | 2017-08-08 | Icontrol Networks, Inc. | Defining and implementing sensor triggered response rules |
AU2005223267B2 (en) | 2004-03-16 | 2010-12-09 | Icontrol Networks, Inc. | Premises management system |
US8635350B2 (en) | 2006-06-12 | 2014-01-21 | Icontrol Networks, Inc. | IP device discovery systems and methods |
US11368429B2 (en) | 2004-03-16 | 2022-06-21 | Icontrol Networks, Inc. | Premises management configuration and control |
US9609003B1 (en) | 2007-06-12 | 2017-03-28 | Icontrol Networks, Inc. | Generating risk profile using data of home monitoring and security system |
US11201755B2 (en) | 2004-03-16 | 2021-12-14 | Icontrol Networks, Inc. | Premises system management using status signal |
US20170118037A1 (en) | 2008-08-11 | 2017-04-27 | Icontrol Networks, Inc. | Integrated cloud system for premises automation |
US10313303B2 (en) | 2007-06-12 | 2019-06-04 | Icontrol Networks, Inc. | Forming a security network including integrated security system components and network devices |
US11316958B2 (en) | 2008-08-11 | 2022-04-26 | Icontrol Networks, Inc. | Virtual device systems and methods |
US20090077623A1 (en) | 2005-03-16 | 2009-03-19 | Marc Baum | Security Network Integrating Security System and Network Devices |
US11677577B2 (en) | 2004-03-16 | 2023-06-13 | Icontrol Networks, Inc. | Premises system management using status signal |
US10156959B2 (en) | 2005-03-16 | 2018-12-18 | Icontrol Networks, Inc. | Cross-client sensor user interface in an integrated security network |
WO2005109716A2 (en) | 2004-05-03 | 2005-11-17 | Fargo Electronics, Inc. | Managed credential issuance |
US7669240B2 (en) * | 2004-07-22 | 2010-02-23 | International Business Machines Corporation | Apparatus, method and program to detect and control deleterious code (virus) in computer network |
US20060069730A1 (en) * | 2004-09-10 | 2006-03-30 | Hideyuki Azuma | Public relations communication methods and systems |
US20060059129A1 (en) * | 2004-09-10 | 2006-03-16 | Hideyuki Azuma | Public relations communication methods and systems |
US8635690B2 (en) | 2004-11-05 | 2014-01-21 | Mcafee, Inc. | Reputation based message processing |
US9083748B2 (en) * | 2004-12-16 | 2015-07-14 | Hewlett-Packard Development Company, L.P. | Modelling network to assess security properties |
US20170180198A1 (en) | 2008-08-11 | 2017-06-22 | Marc Baum | Forming a security network including integrated security system components |
US11496568B2 (en) | 2005-03-16 | 2022-11-08 | Icontrol Networks, Inc. | Security system with networked touchscreen |
US20120324566A1 (en) | 2005-03-16 | 2012-12-20 | Marc Baum | Takeover Processes In Security Network Integrated With Premise Security System |
US11700142B2 (en) | 2005-03-16 | 2023-07-11 | Icontrol Networks, Inc. | Security network integrating security system and network devices |
US20110128378A1 (en) | 2005-03-16 | 2011-06-02 | Reza Raji | Modular Electronic Display Platform |
US11615697B2 (en) | 2005-03-16 | 2023-03-28 | Icontrol Networks, Inc. | Premise management systems and methods |
US9306809B2 (en) | 2007-06-12 | 2016-04-05 | Icontrol Networks, Inc. | Security system with networked touchscreen |
US10999254B2 (en) | 2005-03-16 | 2021-05-04 | Icontrol Networks, Inc. | System for data routing in networks |
JP4575219B2 (en) | 2005-04-12 | 2010-11-04 | 株式会社東芝 | Security gateway system and method and program thereof |
US7937480B2 (en) | 2005-06-02 | 2011-05-03 | Mcafee, Inc. | Aggregation of reputation data |
US8099187B2 (en) | 2005-08-18 | 2012-01-17 | Hid Global Corporation | Securely processing and tracking consumable supplies and consumable material |
DE102005046935B4 (en) * | 2005-09-30 | 2009-07-23 | Nokia Siemens Networks Gmbh & Co.Kg | Network access node computer to a communication network, communication system and method for assigning a protection device |
RU2005139594A (en) * | 2005-12-19 | 2007-06-27 | Григорий Гемфриевич Дмитриев (RU) | ACCESS BOUNDARY DEVICE BETWEEN TWO DATA TRANSMISSION NETWORKS IN THE PROTOCOL OF IP-INTERNET NETWORK SCREEN WITHOUT OPERATING SYSTEM (OPTIONS) |
US20070214232A1 (en) * | 2006-03-07 | 2007-09-13 | Nokia Corporation | System for Uniform Addressing of Home Resources Regardless of Remote Clients Network Location |
US10079839B1 (en) | 2007-06-12 | 2018-09-18 | Icontrol Networks, Inc. | Activation of gateway device |
US8214497B2 (en) | 2007-01-24 | 2012-07-03 | Mcafee, Inc. | Multi-dimensional reputation scoring |
US11706279B2 (en) | 2007-01-24 | 2023-07-18 | Icontrol Networks, Inc. | Methods and systems for data communication |
US8179798B2 (en) | 2007-01-24 | 2012-05-15 | Mcafee, Inc. | Reputation based connection throttling |
US7949716B2 (en) | 2007-01-24 | 2011-05-24 | Mcafee, Inc. | Correlation and analysis of entity attributes |
US7779156B2 (en) | 2007-01-24 | 2010-08-17 | Mcafee, Inc. | Reputation based load balancing |
US8763114B2 (en) | 2007-01-24 | 2014-06-24 | Mcafee, Inc. | Detecting image spam |
JP4571159B2 (en) * | 2007-02-21 | 2010-10-27 | 三菱電機株式会社 | Network security protection equipment |
US7633385B2 (en) | 2007-02-28 | 2009-12-15 | Ucontrol, Inc. | Method and system for communicating with and controlling an alarm system from a remote server |
US8451986B2 (en) | 2007-04-23 | 2013-05-28 | Icontrol Networks, Inc. | Method and system for automatically providing alternate network access for telecommunications |
US11423756B2 (en) | 2007-06-12 | 2022-08-23 | Icontrol Networks, Inc. | Communication protocols in integrated systems |
US10498830B2 (en) | 2007-06-12 | 2019-12-03 | Icontrol Networks, Inc. | Wi-Fi-to-serial encapsulation in systems |
US10051078B2 (en) | 2007-06-12 | 2018-08-14 | Icontrol Networks, Inc. | WiFi-to-serial encapsulation in systems |
US11601810B2 (en) | 2007-06-12 | 2023-03-07 | Icontrol Networks, Inc. | Communication protocols in integrated systems |
US11316753B2 (en) | 2007-06-12 | 2022-04-26 | Icontrol Networks, Inc. | Communication protocols in integrated systems |
US11218878B2 (en) | 2007-06-12 | 2022-01-04 | Icontrol Networks, Inc. | Communication protocols in integrated systems |
US10616075B2 (en) | 2007-06-12 | 2020-04-07 | Icontrol Networks, Inc. | Communication protocols in integrated systems |
US11089122B2 (en) | 2007-06-12 | 2021-08-10 | Icontrol Networks, Inc. | Controlling data routing among networks |
US10389736B2 (en) | 2007-06-12 | 2019-08-20 | Icontrol Networks, Inc. | Communication protocols in integrated systems |
US11646907B2 (en) | 2007-06-12 | 2023-05-09 | Icontrol Networks, Inc. | Communication protocols in integrated systems |
US10423309B2 (en) | 2007-06-12 | 2019-09-24 | Icontrol Networks, Inc. | Device integration framework |
US10666523B2 (en) | 2007-06-12 | 2020-05-26 | Icontrol Networks, Inc. | Communication protocols in integrated systems |
US10523689B2 (en) | 2007-06-12 | 2019-12-31 | Icontrol Networks, Inc. | Communication protocols over internet protocol (IP) networks |
US11212192B2 (en) | 2007-06-12 | 2021-12-28 | Icontrol Networks, Inc. | Communication protocols in integrated systems |
US11237714B2 (en) | 2007-06-12 | 2022-02-01 | Control Networks, Inc. | Control system user interface |
US11831462B2 (en) | 2007-08-24 | 2023-11-28 | Icontrol Networks, Inc. | Controlling data routing in premises management systems |
US8185930B2 (en) | 2007-11-06 | 2012-05-22 | Mcafee, Inc. | Adjusting filter or classification control settings |
US8045458B2 (en) | 2007-11-08 | 2011-10-25 | Mcafee, Inc. | Prioritizing network traffic |
US8125796B2 (en) | 2007-11-21 | 2012-02-28 | Frampton E. Ellis | Devices with faraday cages and internal flexibility sipes |
US11916928B2 (en) | 2008-01-24 | 2024-02-27 | Icontrol Networks, Inc. | Communication protocols over internet protocol (IP) networks |
US8160975B2 (en) | 2008-01-25 | 2012-04-17 | Mcafee, Inc. | Granular support vector machine with random granularity |
US8589503B2 (en) | 2008-04-04 | 2013-11-19 | Mcafee, Inc. | Prioritizing network traffic |
US20170185278A1 (en) | 2008-08-11 | 2017-06-29 | Icontrol Networks, Inc. | Automation system user interface |
US11792036B2 (en) | 2008-08-11 | 2023-10-17 | Icontrol Networks, Inc. | Mobile premises automation platform |
US10530839B2 (en) | 2008-08-11 | 2020-01-07 | Icontrol Networks, Inc. | Integrated cloud system with lightweight gateway for premises automation |
US11729255B2 (en) | 2008-08-11 | 2023-08-15 | Icontrol Networks, Inc. | Integrated cloud system with lightweight gateway for premises automation |
US11258625B2 (en) | 2008-08-11 | 2022-02-22 | Icontrol Networks, Inc. | Mobile premises automation platform |
US11758026B2 (en) | 2008-08-11 | 2023-09-12 | Icontrol Networks, Inc. | Virtual device systems and methods |
US8082333B2 (en) * | 2008-11-10 | 2011-12-20 | Cisco Technology, Inc. | DHCP proxy for static host |
FR2940566B1 (en) | 2008-12-18 | 2011-03-18 | Electricite De France | METHOD AND DEVICE FOR SECURE TRANSFER OF DIGITAL DATA |
US8638211B2 (en) | 2009-04-30 | 2014-01-28 | Icontrol Networks, Inc. | Configurable controller and interface for home SMA, phone and multimedia |
CN101588363B (en) * | 2009-06-18 | 2011-12-14 | 天津大学 | Method for estabilishing Web service security analysis model based on program slice |
US8209714B2 (en) * | 2009-10-30 | 2012-06-26 | At&T Intellectual Property I, L.P. | System and method of problem detection in received internet data, video data, and voice data |
US8255986B2 (en) | 2010-01-26 | 2012-08-28 | Frampton E. Ellis | Methods of securely controlling through one or more separate private networks an internet-connected computer having one or more hardware-based inner firewalls or access barriers |
US8171537B2 (en) * | 2010-01-29 | 2012-05-01 | Ellis Frampton E | Method of securely controlling through one or more separate private networks an internet-connected computer having one or more hardware-based inner firewalls or access barriers |
US20110225645A1 (en) * | 2010-01-26 | 2011-09-15 | Ellis Frampton E | Basic architecture for secure internet computers |
US8429735B2 (en) | 2010-01-26 | 2013-04-23 | Frampton E. Ellis | Method of using one or more secure private networks to actively configure the hardware of a computer or microchip |
US8621638B2 (en) | 2010-05-14 | 2013-12-31 | Mcafee, Inc. | Systems and methods for classification of messaging entities |
JP2010220263A (en) * | 2010-07-06 | 2010-09-30 | Mitsubishi Electric Corp | Security-protecting device for network |
US8836467B1 (en) | 2010-09-28 | 2014-09-16 | Icontrol Networks, Inc. | Method, system and apparatus for automated reporting of account and sensor zone information to a central station |
US8904036B1 (en) * | 2010-12-07 | 2014-12-02 | Chickasaw Management Company, Llc | System and method for electronic secure geo-location obscurity network |
US11750414B2 (en) | 2010-12-16 | 2023-09-05 | Icontrol Networks, Inc. | Bidirectional security sensor communication for a premises security system |
US9147337B2 (en) | 2010-12-17 | 2015-09-29 | Icontrol Networks, Inc. | Method and system for logging security event data |
CN102118313B (en) * | 2011-01-28 | 2013-04-10 | 杭州华三通信技术有限公司 | Method and device for detecting internet protocol (IP) address |
DE102011000876A1 (en) * | 2011-02-22 | 2012-08-23 | Dimensio Informatics Gmbh | Network separation |
RU2490703C1 (en) * | 2012-06-04 | 2013-08-20 | Федеральное государственное казенное военное образовательное учреждение высшего профессионального образования "ВОЕННАЯ АКАДЕМИЯ СВЯЗИ имени Маршала Советского Союза С.М. Буденного" Министерства обороны Российской Федерации | Method of protecting communication channel of computer network |
RU2578697C2 (en) * | 2013-07-31 | 2016-03-27 | Общество с ограниченной ответственностью "НОВОТЕКС" | HARDWARE-SOFTWARE SWITCHING SYSTEM "Lan Lzoe" |
US11405463B2 (en) | 2014-03-03 | 2022-08-02 | Icontrol Networks, Inc. | Media content management |
US11146637B2 (en) | 2014-03-03 | 2021-10-12 | Icontrol Networks, Inc. | Media content management |
US9503422B2 (en) | 2014-05-09 | 2016-11-22 | Saudi Arabian Oil Company | Apparatus, systems, platforms, and methods for securing communication data exchanges between multiple networks for industrial and non-industrial applications |
RU2656839C1 (en) * | 2017-04-26 | 2018-06-06 | Федеральное государственное казенное военное образовательное учреждение высшего образования "Краснодарское высшее военное училище имени генерала армии С.М. Штеменко" | Method for masking the structure of the communication network |
RU191373U1 (en) * | 2019-06-13 | 2019-08-02 | федеральное государственное казенное военное образовательное учреждение высшего образования "Краснодарское высшее военное училище имени генерала армии С.М. Штеменко" Министерства обороны Российской Федерации | MULTI-SERVICE ROUTER WITH MASKING INFORMATION DIRECTIONS |
Family Cites Families (27)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4058672A (en) * | 1976-11-10 | 1977-11-15 | International Telephone And Telegraph Corporation | Packet-switched data communications system |
DE2658065A1 (en) * | 1976-12-22 | 1978-07-06 | Ibm Deutschland | MACHINE ENCRYPTION AND DECHIFREEZE |
JPS56109057A (en) * | 1980-02-04 | 1981-08-29 | Hitachi Ltd | Data communication system |
DE3210439A1 (en) * | 1982-03-22 | 1983-09-22 | Siemens AG, 1000 Berlin und 8000 München | METHOD AND CIRCUIT ARRANGEMENT FOR TRANSMITTING MESSAGE SIGNALS BETWEEN DIFFERENT TRANSMISSION PROCESSES WORKING CENTERS OF A FIRST SWITCHING NETWORK AND A SECOND SWITCHING NETWORK |
US4672572A (en) * | 1984-05-21 | 1987-06-09 | Gould Inc. | Protector system for computer access and use |
US4799153A (en) * | 1984-12-14 | 1989-01-17 | Telenet Communications Corporation | Method and apparatus for enhancing security of communications in a packet-switched data communications system |
US4944006A (en) * | 1987-03-12 | 1990-07-24 | Zenith Electronics Corporation | Secure data packet transmission system and method |
US4924513A (en) * | 1987-09-25 | 1990-05-08 | Digital Equipment Corporation | Apparatus and method for secure transmission of data over an unsecure transmission channel |
US5021949A (en) * | 1988-02-29 | 1991-06-04 | International Business Machines Corporation | Method and apparatus for linking an SNA host to a remote SNA host over a packet switched communications network |
US5105424A (en) * | 1988-06-02 | 1992-04-14 | California Institute Of Technology | Inter-computer message routing system with each computer having separate routinng automata for each dimension of the network |
US5249292A (en) * | 1989-03-31 | 1993-09-28 | Chiappa J Noel | Data packet switch using a primary processing unit to designate one of a plurality of data stream control circuits to selectively handle the header processing of incoming packets in one data packet stream |
US5113499A (en) * | 1989-04-28 | 1992-05-12 | Sprint International Communications Corp. | Telecommunication access management system for a packet switching network |
US5081678A (en) * | 1989-06-28 | 1992-01-14 | Digital Equipment Corporation | Method for utilizing an encrypted key as a key identifier in a data packet in a computer network |
US5163151A (en) * | 1990-03-22 | 1992-11-10 | Square D Company | System for processing and prioritizing alarms from devices on data communications network |
JP2701513B2 (en) * | 1990-03-29 | 1998-01-21 | 日本電気株式会社 | Line switching control method |
US5278955A (en) * | 1990-06-18 | 1994-01-11 | International Business Machines Corporation | Open systems mail handling capability in a multi-user environment |
US5086469A (en) * | 1990-06-29 | 1992-02-04 | Digital Equipment Corporation | Encryption with selective disclosure of protocol identifiers |
GB9015799D0 (en) * | 1990-07-18 | 1991-06-12 | Plessey Telecomm | A data communication system |
CA2065578C (en) * | 1991-04-22 | 1999-02-23 | David W. Carr | Packet-based data compression method |
US5321695A (en) * | 1991-05-01 | 1994-06-14 | Hewlett-Packard Company | Port arrival identification for computer network packets |
US5216670A (en) * | 1991-07-03 | 1993-06-01 | International Business Machines Corporation | Message stripping protocol for a communication network |
US5280581A (en) * | 1992-02-27 | 1994-01-18 | Hughes Aircraft Company | Enhanced call-back authentication method and apparatus for remotely accessing a host computer from a plurality of remote sites |
US5311593A (en) * | 1992-05-13 | 1994-05-10 | Chipcom Corporation | Security system for a network concentrator |
IL102394A (en) * | 1992-07-02 | 1996-08-04 | Lannet Data Communications Ltd | Method and apparatus for secure data transmission |
JP3104941B2 (en) * | 1992-11-30 | 2000-10-30 | 富士写真フイルム株式会社 | Photo print system |
US5353283A (en) * | 1993-05-28 | 1994-10-04 | Bell Communications Research, Inc. | General internet method for routing packets in a communications network |
US5416842A (en) * | 1994-06-10 | 1995-05-16 | Sun Microsystems, Inc. | Method and apparatus for key-management scheme for use with internet protocols at site firewalls |
-
1994
- 1994-12-07 US US08/350,541 patent/US5550984A/en not_active Expired - Fee Related
-
1995
- 1995-06-08 AU AU28202/95A patent/AU687575B2/en not_active Ceased
- 1995-06-08 CN CN95191513A patent/CN1086086C/en not_active Expired - Fee Related
- 1995-06-08 JP JP8517563A patent/JP3009737B2/en not_active Expired - Fee Related
- 1995-06-08 EP EP95923761A patent/EP0744107A4/en not_active Withdrawn
- 1995-06-08 RU RU96118130/09A patent/RU2152691C1/en active
- 1995-06-08 CA CA002182777A patent/CA2182777C/en not_active Expired - Fee Related
- 1995-06-08 KR KR1019960704273A patent/KR100225574B1/en not_active IP Right Cessation
- 1995-06-08 WO PCT/US1995/007285 patent/WO1996018253A1/en not_active Application Discontinuation
- 1995-06-13 TW TW084106017A patent/TW279292B/zh active
- 1995-06-15 IL IL11417895A patent/IL114178A/en not_active IP Right Cessation
Also Published As
Publication number | Publication date |
---|---|
CN1140519A (en) | 1997-01-15 |
US5550984A (en) | 1996-08-27 |
IL114178A0 (en) | 1995-10-31 |
KR970700969A (en) | 1997-02-12 |
WO1996018253A1 (en) | 1996-06-13 |
TW279292B (en) | 1996-06-21 |
AU687575B2 (en) | 1998-02-26 |
CA2182777A1 (en) | 1996-06-13 |
EP0744107A1 (en) | 1996-11-27 |
CN1086086C (en) | 2002-06-05 |
EP0744107A4 (en) | 2003-03-19 |
JP3009737B2 (en) | 2000-02-14 |
MX9602964A (en) | 1997-12-31 |
AU2820295A (en) | 1996-06-26 |
RU2152691C1 (en) | 2000-07-10 |
JPH09505719A (en) | 1997-06-03 |
IL114178A (en) | 1998-08-16 |
KR100225574B1 (en) | 1999-10-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CA2182777C (en) | Security system for interconnected computer networks | |
US5623601A (en) | Apparatus and method for providing a secure gateway for communication and data exchanges between networks | |
US6182226B1 (en) | System and method for controlling interactions between networks | |
US7733795B2 (en) | Virtual network testing and deployment using network stack instances and containers | |
EP1255395B1 (en) | External access to protected device on private network | |
US7428590B2 (en) | Systems and methods for reflecting messages associated with a target protocol within a network | |
US7818565B2 (en) | Systems and methods for implementing protocol enforcement rules | |
US7707401B2 (en) | Systems and methods for a protocol gateway | |
US20040088423A1 (en) | Systems and methods for authentication of target protocol screen names | |
US20060150243A1 (en) | Management of network security domains | |
CA2136150C (en) | Apparatus and method for providing a secure gateway for communication and data exchanges between networks | |
Cisco | Evolution of the Firewall Industry | |
Cisco | Evolution of the Firewall Industry | |
Cisco | Command Reference | |
Cisco | Private Internet Exchange Reference Guide | |
Cisco | Private Internet Exchange Reference Guide | |
Cisco | Evolution of the Firewall Industry | |
Cisco | Evolution of the Firewall Industry | |
Cisco | Evolution of the Firewall Industry | |
Cisco | Evolution of the Firewall Industry | |
Cisco | Private Internet Exchange Reference Guide | |
Cisco | Private Internet Exchange Reference Guide | |
Cisco | Private Internet Exchange Reference Guide | |
Cisco | Private Internet Exchange Reference Guide | |
Cisco | Private Internet Exchange Reference Guide |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
EEER | Examination request | ||
MKLA | Lapsed | ||
MKLA | Lapsed |
Effective date: 20030609 |