WO1997000471A3 - A system for securing the flow of and selectively modifying packets in a computer network - Google Patents


Info

Publication number
WO1997000471A3
Authority
WO
WIPO (PCT)
Prior art keywords
packet
rule base
flow
reject
accept
Prior art date
Application number
PCT/IL1996/000017
Other languages
French (fr)
Other versions
WO1997000471A2 (en)
Inventor
Gil Shwed
Shlomo Kramer
Nir Zuk
Gil Dogon
Ehud Ben-Reuven
Original Assignee
Check Point Software Tech Ltd
Gil Shwed
Shlomo Kramer
Nir Zuk
Gil Dogon
Ben Reuven Ehud
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US08/168,041 external-priority patent/US5606668A/en
Priority claimed from IL11418295A external-priority patent/IL114182A/en
Application filed by Check Point Software Tech Ltd, Gil Shwed, Shlomo Kramer, Nir Zuk, Gil Dogon, Ben Reuven Ehud filed Critical Check Point Software Tech Ltd
Priority to EP96918822A priority Critical patent/EP0807347B1/en
Priority to JP50287697A priority patent/JP3847343B2/en
Priority to CA 2197548 priority patent/CA2197548C/en
Priority to DE1996636513 priority patent/DE69636513T2/en
Priority to AU61356/96A priority patent/AU6135696A/en
Publication of WO1997000471A2 publication Critical patent/WO1997000471A2/en
Priority to NO19970611A priority patent/NO324332B1/en
Publication of WO1997000471A3 publication Critical patent/WO1997000471A3/en

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                        • H04L63/0227 Filtering policies
                            • H04L63/0263 Rule management
                        • H04L63/0272 Virtual private networks
                    • H04L63/12 Applying verification of the received information
                        • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
                        • H04L63/126 Applying verification of the received information the source of the received data
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

A novel system for controlling the inbound and outbound data packet flow in a computer network by which private networks can be secured from outside attacks. A user generates a rule base (400) which is converted into a set of filter language instructions, where each rule includes a source, a destination, a service, whether to accept or reject the packet, and whether to log the event. The filter language instructions are executed on inspection engines (204) on computers acting as firewalls (124), positioned in the network such that all traffic is forced to pass through the firewall. Packets are filtered in accordance with the rule base. The inspection engine acts as a virtual packet filter machine (600) determining whether to accept or reject a packet. If a packet is rejected, it is dropped; if accepted, it may be modified. Modifications, performed in accordance with the rule base, may include encryption, decryption, signature generation or verification, or address translation.
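The abstract describes a pipeline of rule base, compiled filter-language instructions, and an inspection engine that runs those instructions as a virtual packet filter machine and either drops the packet or accepts and optionally modifies it. The following is an added illustration of that pipeline, written for this page; it is not code from the patent or from Check Point. The instruction set (jump-if-not-match opcodes followed by a terminal accept or reject), the first-match evaluation order, the implicit default reject at the end of the program, the service table, and the sample rule base and packets are all assumptions constructed for the example; only address translation is shown as a modification, since encryption and signature handling would need key material the page does not discuss.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed service table: service name -> (protocol, destination port).
SERVICES = {"http": ("tcp", 80), "https": ("tcp", 443), "dns": ("udp", 53)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One line of the user's rule base: source, destination, service, action, log flag.
    `modify` is an assumed extension for the accept-side modification, e.g. ("dnat", ip)."""
    source: str            # CIDR or "any"
    destination: str       # CIDR or "any"
    service: str           # key of SERVICES or "any"
    action: str            # "accept" or "reject"
    log: bool = False
    modify: Optional[tuple] = None


def compile_rule_base(rules):
    """Translate the rule base into a flat list of filter-language instructions.

    Each instruction is a 3-tuple. Match opcodes are (op, operand, jump_target):
    they fall through on a match and jump to the start of the next rule otherwise.
    Terminal opcodes are ("ACCEPT", log, modify) or ("REJECT", log, None).
    """
    program = []
    for rule in rules:
        body = []
        if rule.source != "any":
            body.append(["JNM_SRC", ip_network(rule.source), None])
        if rule.destination != "any":
            body.append(["JNM_DST", ip_network(rule.destination), None])
        if rule.service != "any":
            body.append(["JNM_SVC", SERVICES[rule.service], None])
        terminal = "ACCEPT" if rule.action == "accept" else "REJECT"
        body.append([terminal, rule.log, rule.modify if terminal == "ACCEPT" else None])
        next_rule = len(program) + len(body)      # patch jump targets now that length is known
        for ins in body[:-1]:
            ins[2] = next_rule
        program.extend(tuple(ins) for ins in body)
    return program


def apply_modification(pkt, modify):
    """Accept-side modification; only destination address translation is modelled here."""
    if modify is None:
        return pkt
    kind, value = modify
    if kind == "dnat":
        return replace(pkt, dst=value)
    raise ValueError(f"unknown modification {kind}")


def inspect(program, pkt):
    """Virtual packet filter machine: returns (verdict, outgoing packet or None, log entries)."""
    logs = []
    pc = 0
    while pc < len(program):
        op, arg, target = program[pc]
        if op == "JNM_SRC":
            matched = ip_address(pkt.src) in arg
        elif op == "JNM_DST":
            matched = ip_address(pkt.dst) in arg
        elif op == "JNM_SVC":
            matched = (pkt.proto, pkt.dport) == arg
        else:                                  # terminal ACCEPT / REJECT
            if arg:                            # log flag, recorded before any rewrite
                logs.append(f"{op.lower()} {pkt.src}->{pkt.dst} {pkt.proto}/{pkt.dport}")
            if op == "REJECT":
                return "reject", None, logs    # rejected packets are dropped
            return "accept", apply_modification(pkt, target), logs
        pc = pc + 1 if matched else target
    # Fell off the end of the program: assumed default-deny for unmatched traffic.
    logs.append(f"reject(default) {pkt.src}->{pkt.dst} {pkt.proto}/{pkt.dport}")
    return "reject", None, logs


# Constructed rule base (documentation addresses only).
RULE_BASE = [
    Rule("any", "198.51.100.10/32", "http", "accept", log=True, modify=("dnat", "10.0.0.5")),
    Rule("10.0.0.0/8", "any", "dns", "accept"),
    Rule("any", "any", "any", "reject", log=True),   # explicit cleanup rule
]

if __name__ == "__main__":
    prog = compile_rule_base(RULE_BASE)
    for p in (Packet("203.0.113.7", "198.51.100.10", "tcp", 80),
              Packet("10.0.0.9", "192.0.2.53", "udp", 53),
              Packet("203.0.113.7", "198.51.100.10", "tcp", 22)):
        print(inspect(prog, p))
```

The compiled program for the three-rule base is seven instructions; the web packet is accepted and its destination rewritten to the internal address, the internal DNS query is accepted unchanged, and the SSH attempt to the web address is rejected and logged by the cleanup rule. Removing the cleanup rule still rejects unmatched traffic through the implicit default at the end of the program.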

Priority Applications (6)

Application Number Priority Date Filing Date Title
EP96918822A EP0807347B1 (en) 1995-06-15 1996-06-16 A system for securing the flow of and selectively modifying packets in a computer network
JP50287697A JP3847343B2 (en) 1995-06-15 1996-06-16 Method and system for inspecting and selectively modifying data packets for communication security in computer networks and method of operating the system
CA 2197548 CA2197548C (en) 1995-06-15 1996-06-16 A system for securing the flow of and selectively modifying packets in a computer network
DE1996636513 DE69636513T2 (en) 1995-06-15 1996-06-16 SYSTEM FOR SECURING THE RIVER AND FOR SELECTIVELY CHANGING PACKETS IN A COMPUTER NETWORK
AU61356/96A AU6135696A (en) 1995-06-15 1996-06-16 A system for securing the flow of and selectively modifying packets in a computer network
NO19970611A NO324332B1 (en) 1995-06-15 1997-02-10 System for securing flow of and for selectively modifying packages in a computer network

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US08/168,041 US5606668A (en) 1993-12-15 1993-12-15 System for securing inbound and outbound data packet flow in a computer network
IL11418295A IL114182A (en) 1995-06-15 1995-06-15 Method for controlling computer network security
IL114182 1995-06-15

Publications (2)

Publication Number Publication Date
WO1997000471A2 (en) 1997-01-03
WO1997000471A3 (en) 1997-03-06

Family

ID=26323080

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL1996/000017 WO1997000471A2 (en) 1993-12-15 1996-06-16 A system for securing the flow of and selectively modifying packets in a computer network

Country Status (1)

Country Link
WO (1) WO1997000471A2 (en)

Families Citing this family (44)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0858201A3 (en) * 1997-02-06 1999-01-13 Sun Microsystems, Inc. Method and apparatus for allowing secure transactions through a firewall
US5922074A (en) * 1997-02-28 1999-07-13 Xcert Software, Inc. Method of and apparatus for providing secure distributed directory services and public key infrastructure
US7821926B2 (en) 1997-03-10 2010-10-26 Sonicwall, Inc. Generalized policy server
US7580919B1 (en) 1997-03-10 2009-08-25 Sonicwall, Inc. Query interface to policy server
US8914410B2 (en) 1999-02-16 2014-12-16 Sonicwall, Inc. Query interface to policy server
US6408336B1 (en) 1997-03-10 2002-06-18 David S. Schneider Distributed administration of access to information
US7272625B1 (en) 1997-03-10 2007-09-18 Sonicwall, Inc. Generalized policy server
US7912856B2 (en) 1998-06-29 2011-03-22 Sonicwall, Inc. Adaptive encryption
US6226748B1 (en) * 1997-06-12 2001-05-01 Vpnet Technologies, Inc. Architecture for virtual private networks
US6173399B1 (en) * 1997-06-12 2001-01-09 Vpnet Technologies, Inc. Apparatus for implementing virtual private networks
US7127741B2 (en) 1998-11-03 2006-10-24 Tumbleweed Communications Corp. Method and system for e-mail message transmission
CA2301147C (en) 1997-07-24 2010-07-13 Worldtalk Corporation E-mail firewall with stored key encryption/decryption
US7162738B2 (en) 1998-11-03 2007-01-09 Tumbleweed Communications Corp. E-mail firewall with stored key encryption/decryption
NO305420B1 (en) * 1997-09-02 1999-05-25 Ericsson Telefon Ab L M Device by computer communication system, especially by communication through firewalls
US6098172A (en) * 1997-09-12 2000-08-01 Lucent Technologies Inc. Methods and apparatus for a computer network firewall with proxy reflection
US6170012B1 (en) 1997-09-12 2001-01-02 Lucent Technologies Inc. Methods and apparatus for a computer network firewall with cache query processing
US6141749A (en) * 1997-09-12 2000-10-31 Lucent Technologies Inc. Methods and apparatus for a computer network firewall with stateful packet filtering
US7143438B1 (en) 1997-09-12 2006-11-28 Lucent Technologies Inc. Methods and apparatus for a computer network firewall with multiple domain support
US6154775A (en) * 1997-09-12 2000-11-28 Lucent Technologies Inc. Methods and apparatus for a computer network firewall with dynamic rule processing with the ability to dynamically alter the operations of rules
SE513828C2 (en) * 1998-07-02 2000-11-13 Effnet Group Ab Firewall device and method for controlling network data packet traffic between internal and external networks
US6226751B1 (en) * 1998-04-17 2001-05-01 Vpnet Technologies, Inc. Method and apparatus for configuring a virtual private network
US6389532B1 (en) * 1998-04-20 2002-05-14 Sun Microsystems, Inc. Method and apparatus for using digital signatures to filter packets in a network
FR2778290B1 (en) * 1998-04-30 2004-01-30 Bull Sa METHOD AND DEVICE FOR SECURE INTERCONNECTION BETWEEN COMPUTERS, ORGANIZED IN A NETWORK, BY DRIVING A FILTER MODULE RESIDING IN THE IP COMMUNICATION LAYER
US6253321B1 (en) 1998-06-19 2001-06-26 Ssh Communications Security Ltd. Method and arrangement for implementing IPSEC policy management using filter code
AU762061B2 (en) * 1998-06-29 2003-06-19 Redleaf Group, Inc. Generalized policy server
SE513255C2 (en) 1998-09-11 2000-08-07 Telia Ab Improvements in or related to transmission systems
DE19849562C2 (en) * 1998-10-27 2000-12-28 Saios Technologies Holding S A Security interface for data exchange
AU1590900A (en) * 1998-11-24 2000-06-13 Telefonaktiebolaget Lm Ericsson (Publ) Method and system for securing data objects
US6959006B1 (en) 1999-06-29 2005-10-25 Adc Telecommunications, Inc. Service delivery unit for an enterprise network
US6847609B1 (en) 1999-06-29 2005-01-25 Adc Telecommunications, Inc. Shared management of a network entity
DE60012870T2 (en) * 1999-12-30 2004-12-30 Samsung Electronics Co., Ltd., Suwon System and method for filtering mobile internet access in the BTS / BSC
WO2002067545A2 (en) 2001-02-17 2002-08-29 Inktomi Corporation Content based billing
GB2372413A (en) * 2001-02-20 2002-08-21 Hewlett Packard Co Digital credential exchange
FR2822318B1 (en) 2001-03-14 2003-05-30 Gemplus Card Int PORTABLE DEVICE FOR SECURING PACKET TRAFFIC IN A HOST PLATFORM
KR20030060306A (en) * 2002-01-08 2003-07-16 신중호 Using object module, active customized firewall
US7469418B1 (en) 2002-10-01 2008-12-23 Mirage Networks, Inc. Deterring network incursion
US8819285B1 (en) 2002-10-01 2014-08-26 Trustwave Holdings, Inc. System and method for managing network communications
US7506360B1 (en) 2002-10-01 2009-03-17 Mirage Networks, Inc. Tracking communication for determining device states
US7305705B2 (en) 2003-06-30 2007-12-04 Microsoft Corporation Reducing network configuration complexity with transparent virtual private networks
US9338026B2 (en) 2003-09-22 2016-05-10 Axway Inc. Delay technique in e-mail filtering system
WO2005094192A2 (en) * 2004-03-31 2005-10-13 Lg Electronics, Inc. Home network system
DE102005046935B4 (en) * 2005-09-30 2009-07-23 Nokia Siemens Networks Gmbh & Co.Kg Network access node computer to a communication network, communication system and method for assigning a protection device
US10320748B2 (en) 2017-02-23 2019-06-11 At&T Intellectual Property I, L.P. Single packet authorization in a cloud computing environment
US11210664B2 (en) * 2018-10-02 2021-12-28 Capital One Services, Llc Systems and methods for amplifying the strength of cryptographic algorithms

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5247963A (en) * 1990-09-10 1993-09-28 Ziggity Systems, Inc. Flush apparatus for watering systems
US5329623A (en) * 1992-06-17 1994-07-12 The Trustees Of The University Of Pennsylvania Apparatus for providing cryptographic support in a network
US5473607A (en) * 1993-08-09 1995-12-05 Grand Junction Networks, Inc. Packet filtering for data networks
US5485455A (en) * 1994-01-28 1996-01-16 Cabletron Systems, Inc. Network having secure fast packet switching and guaranteed quality of service
US5515376A (en) * 1993-07-19 1996-05-07 Alantec, Inc. Communication apparatus and methods
US5555346A (en) * 1991-10-04 1996-09-10 Beyond Corporated Event-driven rule-based messaging system

Also Published As

Publication number Publication date
WO1997000471A2 (en) 1997-01-03

Similar Documents

Publication Publication Date Title
WO1997000471A3 (en) A system for securing the flow of and selectively modifying packets in a computer network
US7383573B2 (en) Method for transparently managing outbound traffic from an internal user of a private network destined for a public network
US5623601A (en) Apparatus and method for providing a secure gateway for communication and data exchanges between networks
US7769994B2 (en) Content inspection in secure networks
Butcher et al. Security challenge and defense in VoIP infrastructures
CA2401577C (en) System, device and method for rapid packet filtering and processing
US7533409B2 (en) Methods and systems for firewalling virtual private networks
US6321336B1 (en) System and method for redirecting network traffic to provide secure communication
US7774836B1 (en) Method, apparatus and computer program product for a network firewall
US6772347B1 (en) Method, apparatus and computer program product for a network firewall
US20070022474A1 (en) Portable firewall
FI974665A0 (en) Method of verification of the packet by means of a modifier and the addresser and protocol
US20080072280A1 (en) Method and system to control access to a secure asset via an electronic communications network
CA2197548A1 (en) A system for securing the flow of and selectively modifying packets in a computer network
US20040260943A1 (en) Method and computer system for securing communication in networks
US7194767B1 (en) Screened subnet having a secured utility VLAN
RU2373656C2 (en) Moderator for providing of contents and proofing in system of mobile communication
US20030084317A1 (en) Reverse firewall packet transmission control system
Henry An examination of firewall architectures
CA2136150C (en) Apparatus and method for providing a secure gateway for communication and data exchanges between networks
Hubbard et al. Firewalling the net
Cisco Introduction
RU2163745C2 (en) Protective system for virtual channel of corporate network using authentication router and built around shared communication network channels and switching facilities
RU2801247C1 (en) Method for ensuring the protection of information in a corporate network from unauthorized access and external computer attacks and a system for its implementation
Hutchins et al. Enhanced Internet firewall design using stateful filters final report

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AL AM AT AU AZ BB BG BR BY CA CH CN CZ DE DK EE ES FI GB GE HU IL IS JP KE KG KP KR KZ LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK TJ TM TR TT UA UG US UZ VN AM AZ BY KG KZ MD RU TJ TM

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): KE LS MW SD SZ UG AT BE CH DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA

WWE Wipo information: entry into national phase

Ref document number: 2197548

Country of ref document: CA

WWE Wipo information: entry into national phase

Ref document number: 1019970700981

Country of ref document: KR

WWE Wipo information: entry into national phase

Ref document number: 1996918822

Country of ref document: EP

AK Designated states

Kind code of ref document: A3

Designated state(s): AL AM AT AU AZ BB BG BR BY CA CH CN CZ DE DK EE ES FI GB GE HU IL IS JP KE KG KP KR KZ LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK TJ TM TR TT UA UG US UZ VN AM AZ BY KG KZ MD RU TJ TM

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): KE LS MW SD SZ UG AT BE CH DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA

WWP Wipo information: published in national office

Ref document number: 1019970700981

Country of ref document: KR

WWP Wipo information: published in national office

Ref document number: 1996918822

Country of ref document: EP

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

WWR Wipo information: refused in national office

Ref document number: 1019970700981

Country of ref document: KR

WWG Wipo information: grant in national office

Ref document number: 1996918822

Country of ref document: EP