Firewall providing enhanced network security and user transparency
October 17, 2016. Estimated Expiration Date is calculated based on simple USPTO term provisions. It does not account for terminal disclaimers, term adjustments, failure to pay maintenance fees, or other factors which might affect the term of a patent.Patent ReferencesSecure data processing system architecture with format control Method and apparatus for enhancing security of communications in a packet-switched data communications system Interactive market management system Method and apparatus for protecting material on storage media and for transferring material on storage media to various recipients One-time logon means and methods for distributed computing systems Method and apparatus for key-management scheme for use with internet protocols at site firewalls Method of verifying identification data in data driven information processing system System for increasing the difficulty of password guessing attacks in a distributed authentication scheme employing authentication tokens Personal key archive Method of conducting secure operations on an uncontrolled network InventorsAssigneeApplicationNo. 733361 filed on 10/17/1996US Classes:709/225, Computer network access regulating709/227COMPUTER-TO-COMPUTER SESSION/CONNECTION ESTABLISHINGExaminersPrimary: Palys, Joseph E.Attorney, Agent or FirmInternational ClassG06F 001/00AbstractThe present invention, generally speaking, provides a firewall that achieves maximum network security and maximum user convenience. The firewall employs "envoys" that exhibit the security robustness of prior-art proxies and the transparency and ease-of-use of prior-art packet filters, combining the best of both worlds. No traffic can pass through the firewall unless the firewall has established an envoy for that traffic. Both connection-oriented (e.g., TCP) and connectionless (e.g., UDP-based) services may be handled using envoys. Establishment of an envoy may be subjected to a myriad of tests to "qualify" the user, the requested communication, or both. Therefore, a high level of security may be achieved. The usual added burden of prior-art proxy systems is avoided in such a way as to achieve fall transparency-the user can use standard applications and need not even know of the existence of the firewall. To achieve full transparency, the firewall is configured as two or more sets of virtual hosts. The firewall is, therefore, "multi-homed," each home being independently configurable. One set of hosts responds to addresses on a first network interface of the firewall. Another set of hosts responds to addresses on a second network interface of the firewall. In one aspect, programmable transparency is achieved by establishing DNS mappings between remote hosts to be accessed through one of the network interfaces and respective virtual hosts on that interface. In another aspect, automatic transparency may be achieved using code for dynamically mapping remote hosts to virtual hosts in accordance with a technique referred to herein as dynamic DNS, or DDNS.Other References
| |
