US005915087A

United States Patent (19)                         (11) Patent Number:    5,915,087
Hammond et al.                                    (45) Date of Patent:   Jun. 22, 1999

(54) TRANSPARENT SECURITY PROXY FOR UNRELIABLE MESSAGE EXCHANGE PROTOCOLS

(75) Inventors: Scott Hammond; Jeffery Young; Edward B. Stockwell, all of St. Paul, Minn.

(73) Assignee: Secure Computing Corporation, Roseville, Minn.

(21) Appl. No.: 08/763,933

(22) Filed: Dec. 12, 1996

(51) Int. Cl.: G06F 11/00
(52) U.S. Cl.: 395/187.01
(58) Field of Search: 395/187.01, 200.06, 200.59, 186, 188.01; 380/25, 4; 340/825.31, 825.34

(56) References Cited

U.S. PATENT DOCUMENTS

3,956,615   5/1976   Anderson et al.      235/61.7 B
4,104,721   8/1978   Markstein et al.     364/200
4,177,510   12/1979  Appell et al.        364/200
4,442,484   4/1984   Childs, Jr. et al.   364/200
4,584,639   4/1986   Hardy                364/200
4,621,321   11/1986  Boebert et al.       364/200
4,648,031   3/1987   Jenner               364/200
(one entry unreadable in the source)
4,870,571   9/1989   Frink                364/200
4,885,789   12/1989  Burger               380/25
5,093,914   3/1992   Coplien et al.       395/700
5,124,984   6/1992   Engel                370/94.1
5,153,918   10/1992  Tuai                 380/25
5,204,961   4/1993   Barlow               (classification unreadable in the source)
5,228,083   7/1993   Lozowick et al.      380/9
5,263,147   11/1993  Francisco et al.     395/425
5,272,754   12/1993  Boebert              380/25
5,276,735   1/1994   Boebert et al.       380/21

(List continued on next page.)

FOREIGN PATENT DOCUMENTS

0 554 182 A1   4/1993    European Pat. Off.   H04L 29/06
0 743 777 A2   11/1996   European Pat. Off.   H04L 29/06
2 287 619      9/1995    United Kingdom       H04L 12/22
96/13113       5/1996    WIPO                 H04L 29/06
96/31035       10/1996   WIPO                 H04L 12/24
97/13340       4/1997    WIPO                 H04L 9/00
97/16911       5/1997    WIPO                 H04L 29/06
97/26731       7/1997    WIPO                 H04L 9/00
97/29413       8/1997    WIPO

OTHER PUBLICATIONS

International Search Report, PCT Application No. PCT/US95/12681, 8 p. (mailed Apr. 9, 1996).
News Release: "100% of Hackers Failed to Break Into One Internet Site Protected by Sidewinder(TM)", Secure Computing Corporation (Feb. 16, 1995).
News Release: "Internet Security System Given 'Product of the Year' Award", Secure Computing Corporation (Mar. 28, 1995).

(List continued on next page.)

Primary Examiner: Joseph E. Palys
Assistant Examiner: Pierre E. Elisca
Attorney, Agent, or Firm: Schwegman, Lundberg, Woessner & Kluth, P.A.

(57) ABSTRACT

A proxy which is part of a firewall program controls exchanges of messages between two application entities. The proxy interrogates attempts by requesting entities to open a communication session with a server entity, in accordance with defined authentication procedures. The proxy interfaces with networking software to direct a communication stack to monitor connection messages to any address on specific ports. The requestor's address and the server's address are extracted from the messages and checked for compliance with a security policy, such as one including an access control list. If either address is invalid, the proxy deletes the message. If both are valid, the message is relayed, and the ports used are tracked for a predetermined time. Reply messages are then sent using the address of the server entity so that the proxy is transparent to the requester.

25 Claims, 6 Drawing Sheets
`
`:
`I
`I
`
`228
`TIMER
`
`224
`PORT
`MANAGER
`
`226
`SECURITY
`MONITOR
`
`an an a
`
`
`
`RELAY
`
`
`
`-222
`
`--21 O
`
`214
`
`CLIENT
`
`MESSAGES
`MESSAGE 2
`MESSAGE 1. STACK 1 STACK 2
`
`MESSAGES
`
`MESSAGE 2
`MESSAGE 1
`
`216
`
`SERVER
`
`220
`
`230
`
`GUEST TEK EXHIBIT 1010
`Guest Tek v. Nomadix, IPR2018-01668
`
`

`

`5,915,087
`Page 2
`
`U.S. PATENT DOCUMENTS
`
`
`
`5,303.303 4/1994 White ........................................ 380/49
`5,305,385
`4/1994 Schanning et al. ....................... 380/49
`5,311,593 5/1994 Carmi ........................................ 380/23
`5,329,623
`7/1994 Smith et al. ..
`... 395/275
`5,333,266
`7/1994 Boaz et al.............
`... 395/200
`5,355,474 10/1994 Thuraisingham et al.
`... 395/600
`5,414,833
`5/1995 Hershey et al. ........................ 395/575
`5,416,842 5/1995 Aziz .......................................... 380/30
`5,485.460
`1/1996 Schrier et al.
`... 370/94.1
`5,511,122 4/1996 Atkinson ................................... 380/25
`5.530,758 6/1996 Marino, Jr. et al.
`... 380/49
`5,548,646 8/1996 Aziz et al. ................................ 380/23
`5,550,984 8/1996 Gelb ................................... 395/200.17
`5,566,170 10/1996 Bakke et al. .............................. 370/60
`5,583,940 12/1996 Vidrascu et al. .......................... 380/49
`5,586,260 12/1996 Hu ........................
`... 395/200.59
`5,604,490 2/1997 Blakley, III et al. .
`... 34.0/825.31
`5,606,668 2/1997 Shwed ...............
`... 395/200.11
`5,608,720 3/1997 Biegel et al. ........................... 370/249
`5,615,340 3/1997 Dai et al. ......
`... 395/200.17
`5,619,648 4/1997 Canale et al. .
`... 395/200.01
`5,623,601
`4/1997 Vu .................
`... 395/187.01
`5,636,371
`6/1997 Yu ......
`... 395/500
`5,644,571
`7/1997 Seaman .
`... 370/401
`5,671,279 9/1997 Elgamal .................................... 380/23
`5,673,322 9/1997 Pepe et al. ................................ 380/49
`5,684.951 11/1997 Goldman et al. .
`... 395/188.01
`5,689,566 11/1997 Nguyen ..................................... 380/25
`5,699,513 3/1995 Feigen et al. .
`... 395/187.01
`5,720,035 2/1998 Allegreet al. ...
`... 395/200.06
`5,781,550 7/1998 Templin et al. ........................ 370/401
OTHER PUBLICATIONS (continued)

News Release: "Satan No Threat to Sidewinder(TM)", Secure Computing Corporation (Apr. 26, 1995).
"Answers to Frequently Asked Questions About Network Security", Secure Computing Corporation, pp. 1-41 & pp. 1-16 (Sep. 25, 1994).
"Sidewinder Internals", Product information, Secure Computing Corporation, 16 p. (Oct. 1994).
"Special Report: Secure Computing Corporation and Network Security", Computer Select, 13 p. (Dec. 1995).
Adam, J.A., "Meta-Matrices", IEEE Spectrum, p. 26 (Oct. 1992).
Adam, J.A., "Playing on the Net", IEEE Spectrum, p. 29 (Oct. 1992).
Ancilotti, P., et al., "Language Features for Access Control", IEEE Transactions on Software Engineering, SE-9, 16-25 (Jan. 1983).
Atkinson, R., "IP Authentication Header", Network Working Group, Request for Comment No. 1826, http://ds.internic.net/rfc/rfc1826.txt, 9 p. (Aug. 1995).
Atkinson, R., "IP Encapsulating Security Payload (ESP)", Network Working Group, Request for Comment No. 1827, http://ds.internic.net/rfc/rfc1827.txt, 12 p. (Aug. 1995).
Atkinson, R., "Security Architecture for the Internet Protocol", Network Working Group, Request for Comment No. 1825, http://ds.internic.net/rfc/rfc1825.txt, 21 p. (Aug. 1995).
Baclace, P.E., "Competitive Agents for Information Filtering", Communications of the ACM, 35, 50 (Dec. 1992).
Badger, L., et al., "Practical Domain and Type Enforcement for UNIX", Proceedings of the 1995 IEEE Symposium on Security and Privacy, pp. 66-77 (May 1995).
Belkin, N.J., et al., "Information Filtering and Information Retrieval: Two Sides of the Same Coin?", Communications of the ACM, 35, 29-38 (Dec. 1992).
Bellovin, S.M., et al., "Network Firewalls", IEEE Communications Magazine, 32, 50-57 (Sep. 1994).
Bevier, W.R., et al., "Connection Policies and Controlled Interference", Proceedings of the Eighth IEEE Computer Security Foundations Workshop, Kenmare, Ireland, pp. 167-176 (Jun. 13-15, 1995).
Bowen, T.F., et al., "The Datacycle Architecture", Communications of the ACM, 35, 71-81 (Dec. 1992).
Bryan, J., "Firewalls For Sale", BYTE, 99-100, 102, 104-105 (Apr. 1995).
Cobb, S., "Establishing Firewall Policy", IEEE, 198-205 (1996).
Damashek, M., "Gauging Similarity with n-Grams: Language-Independent Categorization of Text", Science, 267, 843-848 (Feb. 10, 1995).
Dillaway, B.B., et al., "A Practical Design For A Multilevel Secure Database Management System", American Institute of Aeronautics and Astronautics, Inc., pp. 44-57 (Dec. 1986).
Fine, T., et al., "Assuring Distributed Trusted Mach", Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, pp. 206-218 (1993).
Foltz, P.W., et al., "Personalized Information Delivery: An Analysis of Information Filtering Methods", Communications of the ACM, 35, 51-60 (Dec. 1992).
Gassman, B., "Internet Security, and Firewalls Protection on the Internet", IEEE, 93-107 (1996).
Goldberg, D., et al., "Using Collaborative Filtering to Weave an Information Tapestry", Communications of the ACM, 35, 61-70 (Dec. 1992).
Grampp, F.T., "UNIX Operating System Security", AT&T Bell Laboratories Technical Journal, 63, 1649-1672 (Oct. 1984).
Greenwald, M., et al., "Designing an Academic Firewall: Policy, Practice, and Experience with SURF", IEEE, 79-92 (1996).
Haigh, J.T., et al., "Extending the Noninterference Version of MLS for SAT", Proceedings of the 1986 IEEE Symposium on Security and Privacy, Oakland, CA, pp. 232-239 (Apr. 7-9, 1986).
Karn, P., et al., "The ESP DES-CBC Transform", Network Working Group, Request for Comment No. 1829, http://ds.internic.net/rfc/rfc1829.txt, 9 p. (Aug. 1995).
Kent, S.T., "Internet Privacy Enhanced Mail", Communications of the ACM, 36, 48-60 (Aug. 1993).
Lampson, B.W., et al., "Dynamic Protection Structures", AFIPS Conference Proceedings, 35, 1969 Fall Joint Computer Conference, Las Vegas, NV, 27-38 (Nov. 18-20, 1969).
Lee, K.C., et al., "A Framework for Controlling Cooperative Agents", Computer, 8-16 (Jul. 1993).
Loeb, S., "Architecting Personalized Delivery of Multimedia Information", Communications of the ACM, 35, 39-48 (1992).
Loeb, S., et al., "Information Filtering", Communications of the ACM, 35, 26-28 (Dec. 1992).
McCarthy, S.P., "Hey Hackers! Secure Computing Says You Can't Break into This Telnet Site", Computer Select, 2 p. (Dec. 1995).
Merenbloom, P., "Network 'Fire Walls' Safeguard LAN Data from Outside Intrusion", Infoworld, pp. 69 & addnl. page (July 25, 1994).
`
Metzger, P., et al., "IP Authentication using Keyed MD5", Network Working Group, Request for Comments No. 1828, http://ds.internic.net/rfc/rfc1828.txt, 5 p. (Aug. 1995).
Obraczka, K., et al., "Internet Resource Discovery Services", Computer, 8-22 (Sep. 1993).
Press, L., "The Net: Progress and Opportunity", Communications of the ACM, 35, 21-25 (Dec. 1992).
Schroeder, M.D., et al., "A Hardware Architecture for Implementing Protection Rings", Communications of the ACM, 15, 157-170 (Mar. 1972).
Schwartz, M.F., "Internet Resource Discovery at the University of Colorado", Computer, 25-35 (Sep. 1993).
Smith, R.E., "Constructing a High Assurance Mail Guard", Secure Computing Corporation (appeared in the Proceedings of the National Computer Security Conference), 7 p. (1994).
Smith, R.E., "Sidewinder: Defense in Depth Using Type Enforcement", International Journal of Network Management, pp. 219-229 (Jul.-Aug. 1995).
Stadnyk, I., et al., "Modeling User's Interests in Information Filters", Communications of the ACM, 35, 49-50 (Dec. 1992).
Stempel, S., "IpAccess: An Internet Service Access System for Firewall Installations", IEEE, 31-41 (1995).
Stevens, C., "Automating the Creation of Information Filters", Communications of the ACM, 35, 48 (Dec. 1992).
Thomsen, D., "Type Enforcement: The New Security Model", SPIE, 2617, 143-150 (1995).
Warrier, U.S., et al., "A Platform for Heterogeneous Interconnection Network Management", IEEE Journal on Selected Areas in Communications, 8, 119-126 (Jan. 1990).
White, L.J., et al., "A Firewall Concept for Both Control-Flow and Data-Flow in Regression Integration Testing", IEEE, 262-271 (1992).
Wolfe, A., "Honeywell Builds Hardware for Computer Security", Electronics, 14-15 (Sep. 2, 1985).
Peterson, Larry L. and Bruce S. Davie, "Computer Networks", selected internetworking and protocol pp. 218-221, 284-286 (1996, Morgan Kaufmann Publishers, Inc.).
`
`

`

[Sheet 1 of 6, FIG. 1: block diagram of computer system 110 showing processor 112, RAM 114 and storage 120; the bus 116 and communications port 118 are described in the text. Other drawing text is not recoverable from the scan.]
`

`

[Sheet 2 of 6, FIG. 2: combined block diagram and message flow through firewall 210 (client 214, stack 1 at 220, relay 222, port manager 224, security monitor 226, timer 228, stack 2 at 230, server 216). The drawing text is mirrored in the scan and not recoverable.]
`

`

[Sheet 3 of 6, FIG. 3: link table 310 with columns for source address and port, destination address and port, firewall-side address and port, and a timeout. The drawing text is rotated in the scan and not otherwise recoverable.]
`

`

[Sheet 4 of 6, FIG. 4a: pseudo-code flow diagram of the proxy. The drawing text is rotated in the scan and not recoverable.]
`

`

[Sheet 5 of 6, FIG. 4b: pseudo-code flow diagram of the proxy, continued. The drawing text is rotated in the scan and not recoverable.]
`

`

[Sheet 6 of 6, FIG. 4c: pseudo-code flow diagram of the proxy, continued. The drawing text is rotated in the scan and not recoverable.]
`
`

`

`1
`TRANSPARENT SECURITY PROXY FOR
`UNRELIABLE MESSAGE EXCHANGE
`PROTOCOLS
`
`5,915,087
`
FIELD OF THE INVENTION
The present invention relates to network security systems, and in particular to a security system for securely exchanging messages using unreliable protocols.
BACKGROUND OF THE INVENTION
Networks connect many computers together, allowing them to exchange data via communications lines. Several standards defining how such data exchanges should occur have been developed and implemented to ensure that computers and computer programs using the same protocols can successfully exchange data. One of the problems associated with the ability to exchange data is ensuring that a requestor entity, such as a user on a network, sometimes referred to as a client, is authorized to send messages to and to receive data from a server entity, such as another computer.

Firewalls are devices, such as programs or separate computer systems, which were introduced in order to address the security problems associated with connecting a once private network, such as a local area network connecting computers in an office, to an "Internet", where the data transmissions are open to eavesdropping and the potential exists for "hostile" outsiders to disrupt network service or to tamper with or attack systems residing on the private network.

There are a number of different classes of firewalls, each designed to address different types of security concerns. In spite of the different approaches, all firewalls perform a function known as "relaying", where Protocol Data Units (PDUs) are received by the firewall from a sending application entity and forwarded to a receiving application entity, possibly with some modifications to the original PDU. Since firewalls are designed to enforce a security policy, some information, or context, must be extracted from the PDUs and subjected to a set of rules. Based on the outcome of the rules check, the firewall performs an action: the PDU is either relayed, modified and relayed, or rejected in some fashion. The precise action is chosen by the designer of the firewall in order to affect the behavior of the system such that the security policy is satisfied. The action is of course subject to the constraints of the protocol the firewall is designed to support.

The Internet uses a simple transport protocol to provide a process-to-process communication service called User Datagram Protocol (UDP). UDP is a protocol for processes to exchange datagrams, such as messages, between processes coupled via a network, Internet Protocol (IP) in this case. One important feature of the UDP protocol is that there is no assurance that a message will get through. It is said to be an unreliable communications protocol for this reason. No continuous connection is established, and since there is no maintenance of the states of messages to ensure delivery, there is very little overhead in implementing the UDP communication protocol. It is suitable for transfer of data such as network video, where there is no desire to spend time reconstructing lost frames of live video, and for audio communications, where the same considerations apply.

Processes communicating using UDP indirectly identify each other using an abstract locator, often called a port or mailbox, of a known host device along with the address of the host. Many common processes receive messages at fixed ports on each device on which they run. One process, known as a Domain Name Server (DNS), receives messages at port 53, for example. Following a first communication at such a port, processes may then agree on a different port number, which frees up the original port for other processes. A configuration file contains a list of hosts and ports between which packets should be relayed.

This points to a difficulty in implementing firewalls which protect servers from illegal messages. The firewall must find a way to accept messages that are not addressed to it. There is a need for this to be done with further multilevel checking of the messages without confusing the processes attempting to communicate. There is a further need to do this without modifying the client that is sending and receiving messages.
`
SUMMARY OF THE INVENTION
A proxy for unreliable, message-based protocol communication systems accepts messages from a requesting process on a client that are intended for a server with a different address than the host on which the proxy is running. It also sends messages back to the client using the address of the server. The proxy interrogates messages sent by the requestor in accordance with defined authentication procedures. In one embodiment, the proxy transparently receives and forwards messages in accordance with a defined security policy. Messages are interrogated for conformance to desired protocols, and optionally further decoded to add application-specific filtering.

In one embodiment, the proxy comprises a monolithic computer program which interfaces with a dual-stack networking firewall. The proxy monitors the requestor's address, which is extracted directly from the message, and checks the address against an access control list. If the address is invalid, the proxy causes the message to be deleted. Since the requestor does not see the proxy, it does not need to be modified to work with the proxy. The dual stack refers to the division of the firewall into an external stack and an internal stack. The external stack deals with communications coming in from external computer systems, and the internal stack handles communications with the internal systems, coupled to the internal stack, that the firewall is designed to protect. The monolithic nature of the proxy arises from the fact that it sits on top of both stacks and is able to communicate with both stacks via a single, or monolithic, process. This means that only one process is needed for the proxy. Multiple instances of the process may be operating, one for each session of messages to be transferred between a requester and server. This avoids the consumption of significant resources exhibited by non-monolithic prior proxies when many sessions are operating.
`
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a block diagram of a computer system implementing the present invention.
FIG. 2 is a combined block diagram and logical message flow diagram of one embodiment of the present invention.
FIG. 3 is a logical block diagram of a table used to track message flow and ports for the embodiment of FIG. 2.
FIGS. 4a-c are pseudo-code flow diagrams of a proxy operating on the computer system of FIG. 1 which controls message flow.
DESCRIPTION OF THE EMBODIMENTS
In the following detailed description of the preferred embodiments, reference is made to the accompanying drawings which form a part hereof, and in which are shown by way of illustration specific embodiments in which the invention may be practiced. It is to be understood that other embodiments may be utilized and structural changes may be made without departing from the scope of the present invention.
There has been an explosion in the growth of computer networks as organizations realize the benefits of networking their personal computers and workstations. Increasingly, these networks are falling prey to malicious outsiders who hack into the network, reading and sometimes destroying sensitive information. Exposure to such attacks has increased as companies connect to outside systems such as the Internet.

To protect themselves from attacks by malicious outsiders, organizations are turning to mechanisms for increasing network security. One such mechanism is described in "SYSTEM AND METHOD FOR PROVIDING SECURE INTERNETWORK SERVICES", U.S. patent application Ser. No. 08/322,078, filed Oct. 12, 1994 by Boebert et al., the discussion of which is hereby incorporated by reference. Boebert teaches that modifications can be made to the kernel of an operating system in order to add type enforcement protections. Type enforcement adds an additional level of protection to the process of accessing files. This is quite helpful for a BSD 4.4 UNIX type operating system, wherein once a process receives privileges, it uses those privileges to access other network files. This can lead to a dangerous breach of network security. Boebert further teaches a secure computer that is used to connect a private network having a plurality of workstations to a public network. A protocol package such as TCP/IP running on the secure computer implements a communications protocol used to communicate between each workstation and the secure computer.

Program code running on the secure computer is used to communicate through the private network to the workstation's protocol package. In one embodiment, the secure computer is an Intel Pentium-based machine running a hardened form of BSD/OS Unix. A system based on a 90 MHz Pentium microprocessor with 32 megabytes of memory, 2 gigabytes of hard disk space, a DAT tape for backup and a CD-ROM for software loads has been found to be adequate. Likewise, program code running on the secure computer is used to communicate through a public network interface to a public network such as the Internet. In an Internet embodiment, the program code used to communicate with the Internet is part of a set of Internet protocols which communicate with computers on the Internet through an Internet connection. In one embodiment, different protocols may be used when communicating with different entities on the Internet. In one embodiment, a tcp wrapper package operating in the Internet protocols is used to sit on the external, public network so that information about external problems can be logged. Such a system is currently being sold under the brand name Sidewinder by the assignee hereof. Certain aspects of the Sidewinder product related to dual-stack network separation are further described in "SYSTEM AND METHOD FOR ACHIEVING NETWORK SEPARATION", U.S. patent application Ser. No. 08/599,232, filed Feb. 9, 1996, the discussion of which is hereby incorporated by reference. Internal and external networks are separated by using separate stacks, with the programming separated into internal and external "burbs". A security manager sits at the top of the stacks and ensures that communications between the burbs are checked for predetermined secure characteristics before being transferred to the other burb.

The use of access control lists to check whether an entity is authorized to communicate with another entity is described in "GENERALIZED SECURITY POLICY MANAGEMENT SYSTEM AND METHOD", U.S. patent application Ser. No. 08/715,668, filed Sep. 18, 1996 and assigned to the same assignee hereof, the discussion of which is hereby incorporated by reference. In essence, a security monitor maintains an address-based access control list used to identify authorized clients from which message receipt is acceptable.
The current invention is an extension to the Sidewinder product. As shown in FIG. 1 generally at 110, a network communication controller such as a computer system comprises a processor 112 coupled to a random access memory, RAM 114. While only a single bus 116 is shown connecting the RAM 114 and processor 112 to a communications port 118 and disk drive or other storage medium 120, it will be recognized by those skilled in the art that it represents several different busses in a standard personal computer architecture. The communications port represents various communications options in computer systems, such as ethernet cards, modems and other communication devices.
In FIG. 2, operation of an improved firewall product comprising an improved computer program extension to the Sidewinder product is indicated generally in block representation at 210. The computer program is usually stored on the disk drive 120 and run or executed on top of an operating system running on the processor 112 out of RAM 114. It should be noted that disk drive 120 is used herein to represent various storage media by which the computer program 210 may be stored and distributed. It also represents a communication medium in which the proxy may be temporarily stored while being transferred or transmitted to computer system 110. Computer program 210 further comprises a proxy 212 which is used to process communications between processes. Also shown in FIG. 2 are a client 214 and server 216, which each have processes thereon trying to communicate using a UDP protocol for sending datagrams comprising messages. They also may communicate using other protocols, but the embodiments herein will be described with respect to message exchange using unreliable communication protocols such as UDP on top of IP.
Processes communicating using UDP indirectly identify each other using an abstract locator, often called a port or mailbox, of a known host or server device along with an IP address of the host. Many common processes receive messages at fixed ports on each device they run on. The Domain Name Server (DNS) receives messages at port 53, for example. Following a first communication at such a port, processes may then agree on a different port number, which frees up the original port for other processes. Note that there is no connection that is maintained. The message is sent by a client or server, and the underlying network does its best to route it to the correct host using a destination address and port contained in the message.
The Sidewinder security system provides the ability to accept messages intended for selected servers. Each UDP datagram or message comprises a packet with a header and data. Among the fields of the packet's IP and UDP headers are the length of the packet, the protocol identifier (17 for UDP), a checksum, and, importantly for the embodiments of the invention described, a source address and port identifier and a destination address and port identifier. The Sidewinder security system has networking modifications which allow it to accept a message intended for any destination address.
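The header fields just listed, as a proxy would extract them from a raw IPv4/UDP packet: the protocol identifier, the lengths, the UDP checksum, and the source and destination address/port pairs that the security monitor checks. This is an added example, not code from the patent or from the Sidewinder product; the sample packet (a query from 203.0.113.7:40000 to 10.1.1.20:53) is constructed here for illustration, and the builder exists only to produce that sample.

```python
"""Parse an IPv4/UDP datagram into the fields a transparent proxy checks.

Added example (not code from the patent or the Sidewinder product). The
sample packet below is constructed here for illustration.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

UDP_PROTO = 17


@dataclass(frozen=True)
class UdpDatagram:
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int
    payload: bytes
    checksum_ok: bool  # False when a UDP checksum is present and wrong


def _inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's complement of the 16-bit one's-complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """UDP checksum over the IPv4 pseudo-header, UDP header (checksum zeroed) and data."""
    pseudo = src + dst + struct.pack("!BBH", 0, UDP_PROTO, len(udp))
    body = udp[:6] + b"\x00\x00" + udp[8:]
    csum = _inet_checksum(pseudo + body)
    return csum or 0xFFFF  # RFC 768: a computed 0 is transmitted as all ones


def build_ipv4_udp(src_addr: str, src_port: int, dst_addr: str, dst_port: int,
                   payload: bytes) -> bytes:
    """Build a raw IPv4+UDP packet; used only to construct the sample input."""
    src, dst = socket.inet_aton(src_addr), socket.inet_aton(dst_addr)
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    udp = udp[:6] + struct.pack("!H", udp_checksum(src, dst, udp)) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, UDP_PROTO, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _inet_checksum(ip)) + ip[12:]  # header checksum
    return ip + udp


def parse_ipv4_udp(packet: bytes) -> Optional[UdpDatagram]:
    """Return the 4-tuple, payload and checksum status, or None for anything that is
    not a well-formed IPv4 packet carrying UDP (a proxy would drop such packets)."""
    if len(packet) < 20:
        return None
    ver_ihl, _tos, total_len, _pid, _frag, _ttl, proto, _hcs, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != UDP_PROTO:
        return None
    if ihl < 20 or total_len < ihl + 8 or total_len > len(packet):
        return None
    if _inet_checksum(packet[:ihl]) != 0:  # a valid IP header checksums to zero
        return None
    udp = packet[ihl:total_len]
    src_port, dst_port, udp_len, csum = struct.unpack("!HHHH", udp[:8])
    if udp_len != len(udp):  # UDP length must agree with what IP delivered
        return None
    # A zero checksum means "not computed" in IPv4; a strict proxy may reject it.
    ok = csum == 0 or udp_checksum(src, dst, udp) == csum
    return UdpDatagram(socket.inet_ntoa(src), src_port, socket.inet_ntoa(dst), dst_port,
                       udp[8:], ok)


# Constructed sample: a client query to a DNS-style service on port 53.
SAMPLE_PACKET = build_ipv4_udp("203.0.113.7", 40000, "10.1.1.20", 53, b"constructed query")

if __name__ == "__main__":
    print(parse_ipv4_udp(SAMPLE_PACKET))
```

Every length check is done before the corresponding slice is read, and a packet whose IP total length exceeds what actually arrived is rejected rather than read short: a proxy that forwards on the basis of header fields it has not validated is exactly the kind of relay the background section warns about. Whether to accept a zero (absent) UDP checksum is a policy choice; the parser records it and leaves the decision to the caller.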
Messages, such as message 1 from client 214 intended for a server attached to the firewall, are received at a first stack 220 even though the firewall has a different address than the server. The firewall simply keeps a list of addresses of servers attached to it, and accepts all messages intended for such servers. They are then relayed by a relay 222 to a port manager 224, which receives the message and requests the operating system to bind it to a port, which may be based on an address in the message, if it is not already so bound. A security monitor 226 is operatively coupled to the port manager 224 to monitor messages from clients for conformance to predefined conditions and to prevent the further routing of non-conforming messages. A timer represented at 228 provides a time stamp to time how long a port is being held open waiting for further messages from either the client or the server. A link table 310, shown in FIG. 3, keeps track of which ports are currently bound and hence monitored for further messages, and also provides the mapping for routing messages to the desired addresses.
Referring to FIG. 2 again, if a message is approved for sending on to the server 216, a new port is bound if not already bound, and noted in the link table. The message is then sent via relay 222 to a second stack 230 with an address and port identifying it as originating from firewall 210. The message is then sent on to the intended server 216. The server may respond to the message, but will use the address and port used by the firewall. The original client is invisible to the server, which only knows of the firewall.
When and if the server 216 responds to the message via a message 2, it uses the address and port specified by the firewall. The port manager uses the link table to monitor for messages on the specific ports identified in the table. Alternatively, the operating system may maintain a separate table and provide such monitoring. In any event, the link table is then used to identify the original client address and port, as well as the address and port of the firewall on which the first message was received from the client. The proxy then causes those addresses to be used in sending the reply message from the server on through the stacks and relay to the client. In essence, it spoofs the addresses such that the message appears to the client to have originated from the server. As a result, the network addressing structure of the server remains unknown to the client, providing security to the message exchange.
In one practical embodiment, the client may be a laptop computer system used by a user to contact the home office internal network by means of a public network such as the Internet. By going through the firewall to get to the server, little if any information is exposed about the internal network attached to the server.
`As depicted in FIG.3, the link table tracks which ports
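The relay, port manager, security monitor, timer and link table of FIGS. 2 and 3, modelled in memory so that the address rewriting in both directions can be followed. This is an added example, not the patent's pseudo-code (which is not legible in this copy) and not Sidewinder code. The firewall's internal address 10.1.1.1, the served service 10.1.1.20:53, the permitted client network 203.0.113.0/24, the 30-second timeout and the check that a reply must come from the server the port was bound for are all assumptions made here for illustration:

```python
"""Transparent UDP relay with an address-based ACL and a timed link table.

Added example (not the patent's pseudo-code, not Sidewinder code). Addresses,
ports, the timeout and the reply-source check are assumptions for illustration.
"""
import ipaddress
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, UDP port)


@dataclass(frozen=True)
class Datagram:
    src: Endpoint
    dst: Endpoint
    data: bytes


@dataclass
class Link:
    """One row of the link table: the two parties and the firewall port bound for them."""
    client: Endpoint
    server: Endpoint
    fw_port: int
    last_seen: float


class TransparentUdpProxy:
    def __init__(self, fw_internal_addr: str, services: Iterable[Endpoint],
                 allowed_clients: Iterable[str], timeout: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.fw_addr = fw_internal_addr      # source address the server sees
        self.services = set(services)        # servers the firewall accepts traffic for
        self.acl = [ipaddress.ip_network(n) for n in allowed_clients]
        self.timeout = timeout
        self.clock = clock                   # injectable so expiry can be tested
        self._by_flow: Dict[Tuple[Endpoint, Endpoint], Link] = {}
        self._by_port: Dict[int, Link] = {}
        self._next_port = 1024

    def _client_allowed(self, addr: str) -> bool:
        """Security monitor: the access control list is keyed on the client address."""
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.acl)

    def _bind_port(self) -> int:
        """Port manager: pick a free firewall port for the server-facing stack."""
        port = self._next_port
        while port in self._by_port:
            port = 1024 if port >= 65535 else port + 1
        self._next_port = 1024 if port >= 65535 else port + 1
        return port

    def from_client(self, dg: Datagram) -> Optional[Datagram]:
        """External stack to internal stack. Returns the rewritten datagram, or None to drop."""
        if dg.dst not in self.services or not self._client_allowed(dg.src[0]):
            return None
        link = self._by_flow.get((dg.src, dg.dst))
        if link is None:
            link = Link(dg.src, dg.dst, self._bind_port(), self.clock())
            self._by_flow[(dg.src, dg.dst)] = link
            self._by_port[link.fw_port] = link
        link.last_seen = self.clock()
        return Datagram((self.fw_addr, link.fw_port), dg.dst, dg.data)

    def from_server(self, dg: Datagram) -> Optional[Datagram]:
        """Internal stack to external stack. The reply is re-sourced as the server."""
        link = self._by_port.get(dg.dst[1])
        if link is None or dg.dst[0] != self.fw_addr:
            return None
        if dg.src != link.server:  # assumption: only the bound server may use this port
            return None
        if self.clock() - link.last_seen > self.timeout:
            self._drop(link)
            return None
        link.last_seen = self.clock()
        return Datagram(link.server, link.client, dg.data)

    def expire(self) -> List[int]:
        """Timer: release ports idle longer than the timeout; returns the freed ports."""
        now = self.clock()
        stale = [l for l in self._by_port.values() if now - l.last_seen > self.timeout]
        for link in stale:
            self._drop(link)
        return sorted(l.fw_port for l in stale)

    def _drop(self, link: Link) -> None:
        self._by_flow.pop((link.client, link.server), None)
        self._by_port.pop(link.fw_port, None)


if __name__ == "__main__":
    proxy = TransparentUdpProxy("10.1.1.1", [("10.1.1.20", 53)], ["203.0.113.0/24"], 30.0)
    out = proxy.from_client(Datagram(("203.0.113.7", 40000), ("10.1.1.20", 53), b"query"))
    print("to server:", out)
    print("to client:", proxy.from_server(Datagram(("10.1.1.20", 53), out.src, b"answer")))
```

Two points are worth checking against any real implementation of this design. The table is keyed by the full (client, server) endpoint pair, so repeated queries from one flow reuse one firewall port instead of exhausting the port range, and a datagram arriving on a bound port from anything other than the bound server is dropped rather than relayed to the client. The timeout is what bounds how long such a port exists at all; without it, every accepted client query would leave an open path back through the firewall.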