US2012195429A1PendingUtilityA1

Method and system for securely scanning network traffic

46
Assignee: BALISSAT JOELPriority: Apr 4, 2002Filed: Jan 27, 2012Published: Aug 2, 2012
Est. expiryApr 4, 2022(expired)· nominal 20-yr term from priority
H04L 63/0435H04L 63/0209H04L 63/0272H04L 63/0464
46
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Secure network communications via a firewall device are provided between a first device and a second device, where an encryption parameter is shared by the devices. A data packet sent by the first device may then be copied within the firewall device, so that the copy of the data packet can be decrypted within a portion of the firewall device. In particular, the portion of the firewall device in which decryption takes place is defined such that contents of the portion are inaccessible to an operator of the firewall device. Thus, scanning of the decrypted copy of the data packet for compliance with a predetermined criterion may take place within the firewall device, without an operator of the firewall device having access to the contents of the data packet to be transmitted. Thereafter, the original data packet can be forwarded to its originally intended recipient.

Claims

exact text as granted — not AI-modified
1 . A method, comprising:
 based on a first negotiation pursuant to a first agreement setting conditions for packet-based network communications, negotiating a second agreement setting conditions for packet-based network communications;   accessing an encryption parameter configured to decrypt information sent between two devices that are parties to the first and second negotiations; and   implementing secure communications between the two devices based on the first and second negotiations and the encryption parameter.   
     
     
         2 . The method of  claim 1 , wherein the negotiating the second agreement includes negotiating at least one of an authentication method, an encryption method or an authentication or encryption key. 
     
     
         3 . The method of  claim 1 , wherein the implementing secure communications between the two devices includes establishing the first agreement between a first of the two devices and an intermediary device. 
     
     
         4 . The method of  claim 3 , wherein the implementing secure communication between the two devices includes establishing the second agreement between the intermediary device and a second of the two devices. 
     
     
         5 . The method of  claim 3 , wherein the establishing the first agreement between the first of the two devices and the intermediary device includes examining, by the intermediary device, a transmission from the first of the two devices to determine an identity of the second of the two devices. 
     
     
         6 . The method of  claim 4 , wherein the establishing the second agreement between the intermediary device and the second of the two devices includes representing the intermediary device to the second of the two devices in terms of an address associated with a private network. 
     
     
         7 . The method of  claim 6 , wherein the implementing the secure communications between the two devices includes decrypting, by the intermediary device, incoming data wherein operations associated with the decrypting are performed in a portion of the intermediary device to which access is restricted. 
     
     
         8 . A communication device, comprising:
 a first interface configured to communicate with a first network;   a second interface configured to communicate with a second network;   first negotiation logic configured to negotiate a first agreement that controls communication associated with the first network;   second negotiation logic configured to negotiate a second agreement that controls communication associated with the second network; and   security logic coupled to the first negotiation logic and the second negotiation logic, wherein the security logic is configured to compute and store a key configured to decrypt packets exchanged between a first device on the first network and a second device on the second network according to the first agreement and the second agreement.   
     
     
         9 . The communication device of  claim 8 , further comprising bridge logic configured to bridge the first negotiation logic and the second negotiation logic and that is coupled to the security logic, wherein the bridge logic is configured to perform Diffie-Hellman computation and key creation based on a public key received from the security logic. 
     
     
         10 . The communication device of  claim 8 , further comprising a packet buffer configured to store an encrypted data packet. 
     
     
         11 . The communication device of  claim 10 , wherein the security logic is configured to obtain a copy of the encrypted data packet from the packet buffer and decrypt the copy of the encrypted data packet using the key. 
     
     
         12 . The communication device of  claim 13 , wherein the security logic is configured to check the decrypted copy for compliance with one or more data security rules. 
     
     
         13 . The communication device of  claim 12 , wherein based on the checking, the security logic is configured to one of: discard the encrypted data packet in the packet buffer; or allow transmission of the encrypted data packet in the packet buffer. 
     
     
         14 . The communication device of  claim 8 , wherein the security logic is configured to store the key in a portion of the security logic to which access is restricted. 
     
     
         15 . The communication device of  claim 8 , wherein the first network includes a public network and the second network includes a private network. 
     
     
         16 . An apparatus, comprising:
 first interface means for receiving data packets from a first network;   second interface means for receiving data packets from a second network; and   secure content checking means for checking encrypted data packets from the first network or the second network for compliance with a data security standard, at least in part using an encryption parameter stored in hardware means to which access is restricted.   
     
     
         17 . The apparatus of  claim 16 , wherein the secure content checking means comprises encryption parameter computation means for computing the encryption parameter. 
     
     
         18 . The apparatus of  claim 16 , further comprising means for modifying a data packet to comply with the data security standard. 
     
     
         19 . The apparatus of  claim 16 , further comprising means for performing Diffie-Hellman computation. 
     
     
         20 . The apparatus of  claim 16 , further comprising means for buffering an encrypted data packet. 
     
     
         21 . A computer-readable storage medium having computer-executable instructions that, in response to execution, cause a computing system to perform operations, comprising:
 receiving, by a computing system, data packets from a first network;   receiving, by the computing system, data packets from a second network; and   checking encrypted data packets from the first network or the second network for compliance with a data security standard at least in part as a function of an encryption parameter stored in hardware for which authentication is made unavailable to an administrator or operator of the computing system.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.