Reid et al.

(10) Patent No.: US 6,182,226 B1
(45) Date of Patent: Jan. 30, 2001

(54) SYSTEM AND METHOD FOR CONTROLLING INTERACTIONS BETWEEN NETWORKS

(75) Inventors: Irving Reid, Toronto (CA); Spencer Minear, Fridley, MN (US)

(73) Assignee: Secure Computing Corporation, Roseville, MN (US)

(*) Notice: Under 35 U.S.C. 154(b), the term of this patent shall be extended for 0 days.

(21) Appl. No.: 09/040,832
(22) Filed: Mar. 18, 1998

(51) Int. Cl.7: H04L 9/00
(52) U.S. Cl.: 713/201; 709/225; 709/229
(58) Field of Search: 713/200, 201, 202; 707/9; 709/225, 229, 228, 227; 711/163

(56) References Cited

U.S. PATENT DOCUMENTS

3,956,615   5/1976   Anderson et al.        235/61.7 B
4,104,721   8/1978   Markstein et al.       364/200
4,177,510   (date and inventor illegible in source)
4,442,484   4/1984   Childs, Jr. et al.     364/200
4,584,639   4/1986   Hardy                  364/200
4,621,321   11/1986  Boebert et al.         364/200
4,648,031   3/1987   Jenner                 364/200
4,701,840   10/1987  Boebert et al.         364/200
4,713,753   12/1987  Boebert et al.         364/200
4,870,571   9/1989   Frink                  364/200
4,885,789   12/1989  Burger et al.          380/25
4,914,568   4/1990   Kodosky et al.         364/200
5,093,914   3/1992   Coplien et al.         395/700
5,124,984   6/1992   Engel                  370/94.1
(one entry illegible in source)
5,153,918   10/1992  Tuai                   380/25
(one entry illegible in source)
5,263,147   11/1993  Francisco et al.       395/425
5,272,754   12/1993  Boebert                380/25
5,276,735   1/1994   Boebert et al.         380/21
5,303,303   4/1994   White                  380/49
5,305,385   4/1994   Schanning et al.       380/49
5,311,593   5/1994   Carmi                  380/23
5,329,623   7/1994   Smith et al.           395/275
5,333,266   7/1994   Boaz et al.            395/200
5,355,474   10/1994  Thuraisingham et al.   395/600
5,414,833   5/1995   Hershey et al.         395/575
(List continued on next page.)

FOREIGN PATENT DOCUMENTS

0 554 182 A1   4/1993    (EP)   H04L/29/06
0 743 777 A2   11/1996   (EP)   H04L/29/06
2 287 619      9/1995    (GB)   H04L/12/22
96/13113       5/1996    (WO)   H04L/29/06
96/35994       11/1996   (WO)   G06F/13/14
97/13340       4/1997    (WO)   H04L/9/00
97/26731       7/1997    (WO)   H04L/9/00
97/26734       7/1997    (WO)   H04L/9/00
97/29413       8/1997    (WO)
97/26735       7/1997    (WO)   H04L/9/00

OTHER PUBLICATIONS

Boebert, W.E., et al., "Secure Ada Target: Issues, System Design, and Verification", Proceedings of the Symposium on Security and Privacy, Oakland, California, pp. 59-66 (1985).
(List continued on next page.)

Primary Examiner: Robert W. Beausoliel, Jr.
Assistant Examiner: Christopher Revak
(74) Attorney, Agent, or Firm: Schwegman, Lundberg, Woessner & Kluth, P.A.

(57) ABSTRACT

A firewall is used to achieve network separation within a computing system having a plurality of network interfaces. A plurality of regions is defined within the firewall and a set of policies is configured for each of the plurality of regions. The firewall restricts communication to and from each of the plurality of network interfaces in accordance with the set of policies configured for the one of the plurality of regions to which the one of the plurality of network interfaces has been assigned.

32 Claims, 7 Drawing Sheets

[Front-page figure: a firewall labelled "SecureZone" connecting the INTERNET (36), the PARTNER SHARED NET, the SECURE SERVER NETWORK (38) and the COMPANY PRIVATE NET.]
`
`
`Microsoft Ex. 1017, p. 1
`Microsoft v. Daedalus Blue
`IPR2021-00832
`
`
`
U.S. PATENT DOCUMENTS (continued)

5,416,842   5/1995    Aziz                   380/30
5,455,828   10/1995   Zisapel                370/85.3
5,485,460   1/1996    Schrier et al.         370/94.1
5,511,122   4/1996    Atkinson               380/25
5,548,646   8/1996    Aziz et al.            380/23
5,550,984   8/1996    Gelb                   395/200.17
5,566,170   10/1996   Bakke et al.           370/60
5,583,940   12/1996   Vidrascu et al.        380/49
5,586,260   12/1996   Hu                     395/200.2
5,604,490   2/1997    Blakley, III et al.    340/825.31
5,606,668   2/1997    Shwed                  395/200.11
5,615,340   3/1997    Dai et al.             395/200.17
5,619,648   4/1997    Canale et al.          395/200.01
5,623,601 * 4/1997    Vu                     713/201
5,636,371   6/1997    Yu                     395/500
5,644,571   7/1997    Seaman                 370/401
5,671,279   9/1997    Elgamal                380/23
5,673,322   9/1997    Pepe et al.            380/49
5,684,951   11/1997   Goldman et al.         395/188.01
5,689,566   11/1997   Nguyen                 380/25
5,699,513   12/1997   Feigen et al.          395/187.01
5,706,507   1/1998    Schloss                395/615
5,708,780   1/1998    Levergood et al.       395/200.12
5,864,683 * 1/1999    Boebert et al.         713/201
5,918,018 * 6/1999    Gooderum et al.        713/200
5,968,176 * 10/1999   Nessett et al.         713/201
5,983,350   11/1999   Minear et al.          713/201
`
`
`
OTHER PUBLICATIONS (continued)

Boebert, W.E., et al., "Secure Computing: The Secure Ada Target Approach", Sci. Honeyweller, 6(2), 17 pages (1985).
International Search Report, PCT Application No. PCT/US95/12681, 8 p. (mailed Apr. 9, 1996).
News Release: "100% of Hackers Failed to Break Into One Internet Site Protected by Sidewinder(TM)", Secure Computing Corporation (Feb. 16, 1995).
News Release: "Internet Security System Given Product of the Year Award", Secure Computing Corporation (Mar. 28, 1995).
News Release: "SATAN No Threat to Sidewinder(TM)", Secure Computing Corporation (Apr. 26, 1995).
"Answers to Frequently Asked Questions About Network Security", Secure Computing Corporation, p. 1-41 & p. 1-16 (Sep. 25, 1994).
"Sidewinder Internals", Product information, Secure Computing Corporation, 16 p. (Oct. 1994).
"Special Report: Secure Computing Corporation and Network Security", Computer Select, 13 p. (Dec. 1995).
Adam, J.A., "Meta-Matrices", IEEE Spectrum, p. 26 (Oct. 1992).
Adam, J.A., "Playing on the Net", IEEE Spectrum, p. 29 (Oct. 1992).
Ancilotti, P., et al., "Language Features for Access Control", IEEE Transactions on Software Engineering, SE-9, 16-25 (Jan. 1983).
Badger, L., et al., "Practical Domain and Type Enforcement for UNIX", Proceedings of the 1995 IEEE Symposium on Security and Privacy, p. 66-77 (May 1995).
Belkin, N.J., et al., "Information Filtering and Information Retrieval: Two Sides of the Same Coin?", Communications of the ACM, 35, 29-38 (Dec. 1992).
Bellovin, S.M., et al., "Network Firewalls", IEEE Communications Magazine, 32, 50-57 (Sep. 1994).
Bevier, W.R., et al., "Connection Policies and Controlled Interference", Proceedings of the Eighth IEEE Computer Security Foundations Workshop, Kenmare, Ireland, p. 167-176 (Jun. 13-15, 1995).
Bowen, T.F., et al., "The Datacycle Architecture", Communications of the ACM, 35, 71-81 (Dec. 1992).
Bryan, J., "Firewalls For Sale", BYTE, 99-100, 102, 104-105 (Apr. 1995).
Cobb, S., "Establishing Firewall Policy", IEEE, 198-205 (1996).
Damashek, M., "Gauging Similarity with n-Grams: Language-Independent Categorization of Text", Science, 267, 843-848 (Feb. 10, 1995).
Dillaway, B.B., et al., "A Practical Design For A Multilevel Secure Database Management System", American Institute of Aeronautics and Astronautics, Inc., p. 44-57 (Dec. 1986).
Fine, T., et al., "Assuring Distributed Trusted Mach", Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, p. 206-218 (1993).
Foltz, P.W., et al., "Personalized Information Delivery: An Analysis of Information Filtering Methods", Communications of the ACM, 35, 51-60 (Dec. 1992).
Gassman, B., "Internet Security, and Firewalls Protection on the Internet", IEEE, 93-107 (1996).
Goldberg, D., et al., "Using Collaborative Filtering to Weave an Information Tapestry", Communications of the ACM, 35, 61-70 (Dec. 1992).
Grampp, F.T., "UNIX Operating System Security", AT&T Bell Laboratories Technical Journal, 63, 1649-1672 (Oct. 1984).
Greenwald, M., et al., "Designing an Academic Firewall: Policy, Practice, and Experience with SURF", IEEE, 79-92 (1996).
Haigh, J.T., et al., "Extending the Noninterference Version of MLS for SAT", Proceedings of the 1986 IEEE Symposium on Security and Privacy, Oakland, CA, p. 232-239 (Apr. 7-9, 1986).
Karn, P., et al., "The ESP DES-CBC Transform", Network Working Group, Request for Comments No. 1829, http://ds.internic.net/rfc/rfc1829.txt, 9 p. (Aug. 1995).
Kent, S.T., "Internet Privacy Enhanced Mail", Communications of the ACM, 36, 48-60 (Aug. 1993).
Lampson, B.W., et al., "Dynamic Protection Structures", AFIPS Conference Proceedings, 35, 1969 Fall Joint Computer Conference, Las Vegas, NV, 27-38 (Nov. 18-20, 1969).
Lee, K.C., et al., "A Framework for Controlling Cooperative Agents", Computer, 8-16 (Jul. 1993).
Lodin, S.W., et al., "Firewalls Fend Off Invasions from the Net", IEEE Spectrum, 26-34 (Feb. 1998).
Loeb, S., "Architecting Personalized Delivery of Multimedia Information", Communications of the ACM, 35, 39-48 (1992).
Loeb, S., et al., "Information Filtering", Communications of the ACM, 35, 26-28 (Dec. 1992).
McCarthy, S.P., "Hey Hackers? Secure Computing Says You Can't Break into This Telnet Site", Computer Select, 2 p. (Dec. 1995).
Merenbloom, P., "Network 'Fire Walls' Safeguard LAN Data from Outside Intrusion", Infoworld, p. 69 & additional page (Jul. 25, 1994).
Metzger, P., et al., "IP Authentication using Keyed MD5", Network Working Group, Request for Comments No. 1828, http://ds.internic.net/rfc/rfc1828.txt, 5 p. (Aug. 1995).
`
`
`
`
`
Obraczka, K., et al., "Internet Resource Discovery Services", Computer, 8-22 (Sep. 1993).
Peterson, L.L., et al., In: Computer Networks, Morgan Kaufmann Publishers, Inc., San Francisco, CA, p. 218-221, 284-286 (1996).
Press, L., "The Net: Progress and Opportunity", Communications of the ACM, 35, 21-25 (Dec. 1992).
Schroeder, M.D., et al., "A Hardware Architecture for Implementing Protection Rings", Communications of the ACM, 15, 157-170 (Mar. 1972).
Schwartz, M.F., "Internet Resource Discovery at the University of Colorado", Computer, 25-35 (Sep. 1993).
Smith, R.E., "Constructing a High Assurance Mail Guard", Secure Computing Corporation (Appeared in the Proceedings of the National Computer Security Conference), 7 p. (1994).
Smith, R.E., "Sidewinder: Defense in Depth Using Type Enforcement", International Journal of Network Management, p. 219-229 (Jul.-Aug. 1995).
Stadnyk, I., et al., "Modeling User's Interests in Information Filters", Communications of the ACM, 35, 49-50 (Dec. 1992).
Stempel, S., "IpAccess - An Internet Service Access System for Firewall Installations", IEEE, 31-41 (1995).
Stevens, C., "Automating the Creation of Information Filters", Communications of the ACM, 35, 48 (Dec. 1992).
Thomsen, D., "Type Enforcement: The New Security Model", SPIE, 2617, 143-150 (1995).
Warrier, U.S., et al., "A Platform for Heterogeneous Interconnection Network Management", IEEE Journal on Selected Areas in Communications, 8, 119-126 (Jan. 1990).
White, L.J., et al., "A Firewall Concept for Both Control-Flow and Data-Flow in Regression Integration Testing", IEEE, 262-271 (1992).
Wolfe, A., "Honeywell Builds Hardware for Computer Security", Electronics, 14-15 (Sep. 2, 1985).

* cited by examiner
`
`
`
`
DRAWINGS (U.S. Patent, Jan. 30, 2001, US 6,182,226 B1; the drawings themselves are not reproduced in this text, only the labels recoverable from each sheet)

Sheet 1 of 7: FIG. 1. Block diagram of the firewall, labelled "SecureZone", connecting the Internet (36), the Secure Server Network, the Company Private Net and the Partner Shared Net. Recoverable labels: "SECURE SERVER", "NETWORK", "SecureZone", 36.

Sheet 2 of 7: FIG. 1a. System 10: an internal network connected through a firewall to an external network. Recoverable labels: "WORKSTATION", "EXTERNAL NETWORK", 10, 16.

Sheet 3 of 7: FIG. 1b. System 30: an internal network connected through firewall 34 to external network 36. Recoverable labels: "EXTERNAL NETWORK", 36.

Sheet 4 of 7: FIG. 2. Regions and their members. Recoverable labels: "WORLDWIDE", "SALES", "INTERNET".

Sheet 5 of 7: FIG. 3. Graphical representation of ACL commands as a decision tree. Recoverable node labels: "CHECK TIME-OF-DAY", "CHECK THE USER", "BUSINESS HOURS, FTP IS DENIED", "SOME USERS ARE DENIED"; reference numerals 50 and 60.

Sheet 6 of 7: FIG. 4. Flow diagram for a virus alert; no labels recoverable from the source.

Sheet 7 of 7: FIG. 5. Flowchart of incoming packet processing (reference numerals as legible in the drawing):

1. (80) Receive a packet.
2. (82) Retrieve the region ID from the network interface and assign it to the packet.
3. (84) Is the packet encrypted? (YES branch continues with the next step.)
4. If the packet is encrypted, retrieve the VPN security association for that packet.
5. (88) Decrypt the packet.
6. (90) Replace the previously stored region ID for that packet with the region ID of the VPN.
7. Check that the destination is in the same region as the source.
8. (94) Check that the "router" flag is set for that region.
9. (102) If either condition is not met, the packet is not forwarded.
10. (96) Look for any socket listening for the incoming packet.
11. (98) Look at the source IP address, source IP port, destination address and destination port, and check the region associated with the packet against the region specified in the rgnbind() system call, to ensure that sockets receive data originating only from the correct region. Are all conditions met?
12. (100) Forward the packet.

Figure 5
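The Figure 5 packet path, as an added example that is not part of the patent or of any Secure Computing code: a Python model in which the region ID is taken from the receiving interface, replaced by the VPN's region after the security association lookup and decryption, and then checked either against the rgnbind() region of a listening socket or, for forwarding, against the destination's region and the region's "router" flag. The class and function names, the region and interface names, the SPI-to-region table, the routing-table stand-in, the sockets and the packets are all constructed for illustration; decryption is stood in for by the relabelling step, and treating steps 92/94/102 as the forwarding branch and 96/98 as the local-delivery branch is this example's reading of the flowchart.

```python
"""Region-based packet admission modelled on the Figure 5 flow.

Added example, not code from the patent or from Secure Computing. Region
names, interfaces, the SPI-to-region table, the sockets and the packets
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Region:
    name: str
    router: bool  # "router" flag: may packets be forwarded inside this region?


@dataclass
class Packet:
    iface: str                     # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    encrypted: bool = False
    vpn_spi: Optional[int] = None  # identifies the VPN security association
    region: Optional[str] = None   # set by the firewall, never taken from the wire


@dataclass(frozen=True)
class Socket:
    local_addr: str
    local_port: int
    region: str  # region given to rgnbind(); only that region's data is delivered


class RegionFirewall:
    def __init__(self, regions: Dict[str, Region], iface_region: Dict[str, str],
                 vpn_region: Dict[int, str], dst_region: Dict[str, str],
                 sockets: List[Socket]) -> None:
        self.regions = regions            # region name -> Region
        self.iface_region = iface_region  # interface -> region the card is a member of
        self.vpn_region = vpn_region      # SPI -> region the VPN is a member of
        self.dst_region = dst_region      # destination address -> region (routing stand-in)
        self.sockets = sockets

    def process(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason); verdict is 'deliver', 'forward' or 'drop'."""
        # Step 82: the region ID comes from the receiving interface, so a
        # forged source address cannot buy a packet a more trusted region.
        pkt.region = self.iface_region[pkt.iface]

        # Steps 84-90: an encrypted packet is looked up among the VPN security
        # associations, decrypted (stood in for here by relabelling) and
        # re-tagged with the VPN's region, replacing the interface's region.
        if pkt.encrypted:
            if pkt.vpn_spi not in self.vpn_region:
                return "drop", "no VPN security association for this packet"
            pkt.region = self.vpn_region[pkt.vpn_spi]

        # Steps 96-98: local delivery only to a socket whose rgnbind() region
        # equals the region now associated with the packet.
        for sock in self.sockets:
            if (sock.local_addr, sock.local_port) == (pkt.dst, pkt.dport):
                if sock.region == pkt.region:
                    return "deliver", f"socket bound to region {sock.region}"
                return "drop", f"socket bound to {sock.region}, packet is {pkt.region}"

        # Steps 92-94 and 102: forwarding only when destination and source are
        # in the same region and that region's router flag is set.
        dst_region = self.dst_region.get(pkt.dst)
        if dst_region != pkt.region:
            return "drop", f"destination region {dst_region} != source region {pkt.region}"
        if not self.regions[pkt.region].router:
            return "drop", f"router flag not set for region {pkt.region}"
        return "forward", f"intra-region forward within {pkt.region}"


def build_demo() -> RegionFirewall:
    """Constructed topology: eth0 in 'internet', eth1 in 'rnd', SPI 7 is the sales VPN."""
    regions = {
        "internet": Region("internet", router=False),
        "rnd": Region("rnd", router=True),
        "sales_offices": Region("sales_offices", router=False),
    }
    sockets = [
        Socket("10.1.0.1", 23, region="rnd"),             # telnet proxy for R&D
        Socket("10.2.0.1", 8080, region="sales_offices"),  # proxy reachable only over the sales VPN
    ]
    dst_region = {"10.1.0.1": "rnd", "10.1.0.50": "rnd",
                  "10.2.0.1": "sales_offices", "10.2.0.60": "sales_offices"}
    return RegionFirewall(regions, {"eth0": "internet", "eth1": "rnd"},
                          {7: "sales_offices"}, dst_region, sockets)


def run_demo() -> Dict[str, str]:
    """Verdict for each constructed packet (see the usage note for the expected values)."""
    fw = build_demo()
    cases = {
        "rnd_to_proxy": Packet("eth1", "10.1.0.9", 40000, "10.1.0.1", 23),
        "spoofed_from_internet": Packet("eth0", "10.1.0.9", 40000, "10.1.0.1", 23),
        "vpn_to_sales_proxy": Packet("eth0", "203.0.113.8", 500, "10.2.0.1", 8080,
                                     encrypted=True, vpn_spi=7),
        "unknown_sa": Packet("eth0", "203.0.113.8", 500, "10.2.0.1", 8080,
                             encrypted=True, vpn_spi=9),
        "rnd_intra_forward": Packet("eth1", "10.1.0.9", 40001, "10.1.0.50", 445),
        "internet_to_rnd_host": Packet("eth0", "203.0.113.8", 40002, "10.1.0.50", 445),
        "vpn_forward_no_router": Packet("eth0", "203.0.113.8", 500, "10.2.0.60", 445,
                                        encrypted=True, vpn_spi=7),
    }
    return {name: fw.process(pkt)[0] for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:24s} {verdict}")
```

Running the module prints one verdict per constructed packet: the R&D packet to the telnet proxy is delivered; the same packet arriving on the Internet interface with a forged R&D source address is dropped, because its region came from the interface and not from the header; the packet under the sales VPN is delivered to the sales proxy once relabelled; a packet citing an unknown security association is dropped; an intra-R&D packet is forwarded; an Internet-to-R&D packet is dropped for crossing regions; and an intra-sales packet is dropped because that region's router flag is clear.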
`
`
`
`
SYSTEM AND METHOD FOR CONTROLLING INTERACTIONS BETWEEN NETWORKS

FIELD OF THE INVENTION

The present invention relates generally to network security, and more particularly to a system and method of grouping networks to enforce a security policy.

BACKGROUND OF THE INVENTION

Recent developments in technology have made access easier to publicly available computer networks, such as the Internet. Organizations are increasingly turning to external networks such as the Internet to foster communication between employees, suppliers and clients. With this increased access comes an increased vulnerability to malicious activities on the part of both people inside and outside the organization. Firewalls have become a key tool in controlling the flow of data between internal networks and these external networks.

A firewall is a system which enforces a security policy on communication traffic entering and leaving an internal network. Firewalls are generally developed on one or more of three models: the screening router, the bastion host, and the dual homed gateway. These models are described in U.S. Pat. No. 5,623,601 to Vu, issued Apr. 22, 1997 and entitled APPARATUS AND METHOD FOR PROVIDING A SECURE GATEWAY FOR COMMUNICATION AND DATA EXCHANGES BETWEEN NETWORKS (Vu), which is hereby incorporated herein by reference.

Vu describes packet filters as a more sophisticated type of screening that operates on the protocol level. Packet filters are generally host-based applications which permit certain communications over predefined ports. Packet filters may have associated rule bases and operate on the principle that whatever is not expressly permitted is prohibited. Public networks such as the Internet operate in TCP/IP protocol. A UNIX operating system running TCP/IP has a capacity of 64K communication ports. It is therefore generally considered impractical to construct and maintain a comprehensive rule base for a packet filter application. Besides, packet filtering is implemented using the simple Internet Protocol (IP) packet filtering mechanisms, which are not regarded as being robust enough to permit the implementation of an adequate level of protection. The principal drawback of packet filters, according to Vu, is that they are executed by the operating system kernel and there is a limited capacity at that level to perform screening functions. As noted above, protocols may be piggybacked to either bypass or fool packet filtering mechanisms and may permit skilled intruders to access the private network.

Accordingly, it is an object of this invention to provide a method for controlling interactions between networks by the use of firewalls with defined regions.

SUMMARY OF THE INVENTION

The present invention is directed to a system and method of achieving network separation within a computing system having a plurality of network interfaces. One aspect of the invention is a method comprising the steps of defining a plurality of regions, configuring a set of policies for each of the plurality of regions, assigning each of the plurality of network interfaces to only one of the plurality of regions, wherein at least one of the plurality of network interfaces is assigned to a particular region; and restricting communication to and from each of the plurality of network interfaces in accordance with the set of policies configured for the one of the plurality of regions to which the one of the plurality of network interfaces has been assigned.

Another aspect of the invention is a secure server comprising an operating system kernel; a plurality of network interfaces which communicate with the operating system kernel; and a firewall comprising a plurality of regions, wherein a set of policies has been configured for each of the plurality of regions, wherein each of the plurality of network interfaces is assigned to only one of the plurality of regions, wherein at least one of the plurality of network interfaces is assigned to a particular region; and wherein communication to and from each of the plurality of network interfaces is restricted in accordance with the set of policies configured for the one of the plurality of regions to which the one of the plurality of network interfaces has been assigned.

A feature of the present invention is the application level approach to security enforcement, wherein type enforcement is integral to the operating system. Still another feature is protection against attacks including intruders into the computer system. Yet another feature is a new graphical user interface (GUI) for an effective Access Control Language (ACL). A further feature of the present invention is a visual access control system. Another feature is embedded support for Virtual Private Networking (VPN).

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts an implementation of the firewall of the present invention.
FIG. 1a shows a representative computing system protected by a firewall.
FIG. 1b depicts another computing system protected by a firewall.
FIG. 2 shows the regions and their members as defined in the present invention.
FIG. 3 is a graphical representation of ACL commands.
FIG. 4 is a flow diagram for a virus alert.
FIG. 5 depicts a method by which incoming data packets are processed in accordance with the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

In the following detailed description of the preferred embodiments, reference is made to the accompanying drawings which form a part hereof, and in which is shown by way of illustration specific embodiments in which the invention may be practiced. It is to be understood that other embodiments may be utilized and structural changes may be made without departing from the scope of the present invention.

FIG. 1 depicts a block diagram showing the relationship between a firewall 34 in accordance with this invention, the Internet 36, a Secure Server Network (SSN) 38, a Company Private Net 40, and a Partner Shared Net 42. As shown in FIG. 1, communications to and from any other servers or networks go through the firewall 34.

Two representative firewall-protected computing systems are shown in FIGS. 1a and 1b. System 10 in FIG. 1a includes an internal network 12 connected through firewall 14 to external network 16. A server 18 and one or more workstations 20 are connected to internal network 12 and communicate through firewall 14 with servers or workstations on external network 16.

System 30 in FIG. 1b includes an internal network 32 connected through firewall 34 to external network 36. A
`
`
`
`
server 38 and one or more workstations 40 are connected to internal network 32. In addition, a server 42 is connected through network 44 to firewall 34. Workstations 40 communicate through firewall 34 with servers or workstations on external network 36 and with server 42 on network 44. In one embodiment network 44 and server 42 are in a sort of demilitarized zone (DMZ) providing protected access to server 42 for internal users and for external entities.

In one embodiment, firewalls 14 and 34 implement a region-based security system as will be discussed below. The operating system on which firewall 34 is implemented is the BSDI 3.1 version of UNIX, a security hardened operating system with each application separated out and protected by type enforcement technology. The functions of firewall 34 are all integrated with the operating system, and each one is completely compartmentalized and secured on its own, and then bound by type enforcement control.

Type enforcement, which is implemented within the operating system itself, assures a very high level of security by dividing the entire firewall into domains and file types. Domains are restricted environments for applications, such as FTP and Telnet. A domain is set up to handle one kind of application only, and that application runs solely in its own domain. File types are named groups of files and subdirectories. A type can include any number of files, but each file on the system belongs to only one type.

There is no concept of a root super-user with overall control. Type enforcement is based on the security principle of least privilege: any program executing on the system is given only the resources and privileges it needs to accomplish its tasks. On the firewall of this invention, type enforcement enforces the least privilege concept by controlling all the interactions between domains and file types. Domains must have explicit permission to access specific file types, communicate with other domains, or access system functions. Any attempts to the contrary fail as if the files did not exist. The type enforcement policy is mandatory, and nothing short of shutting the system down and recompiling the type enforcement policy database can change it.
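A small reference monitor for the domain and file-type model described above, added here as an example and not taken from the patent or from Secure Computing's type enforcement implementation. The table names (DDT and DIT), the domain and type names, the permissions and the paths are constructed for illustration. What it shows is that every domain-to-type and domain-to-domain interaction needs an explicit entry, that a file has exactly one type, that a denied access fails the way a missing file would, that the caller's user ID plays no part (so there is no root override), and that the loaded policy has no run-time mutation path.

```python
"""Type enforcement reference monitor: domains, file types and explicit
permissions, as described in the passage above.

Added example, not Secure Computing's type enforcement code. The domain
names, type names, permission tables and paths are constructed for
illustration.
"""
from typing import Dict, FrozenSet, Iterable, Tuple


class AccessDenied(FileNotFoundError):
    """A denied object must look to the caller as if it did not exist."""


class TypeEnforcement:
    def __init__(self, ddt: Dict[Tuple[str, str], Iterable[str]],
                 dit: Dict[Tuple[str, str], Iterable[str]]) -> None:
        # Domain Definition Table: (domain, file type) -> permitted file modes.
        # Domain Interaction Table: (domain, domain) -> permitted interactions.
        # Both are frozen at construction; there is no method that changes them,
        # mirroring a policy that is compiled and loaded once.
        self._ddt: Dict[Tuple[str, str], FrozenSet[str]] = {k: frozenset(v) for k, v in ddt.items()}
        self._dit: Dict[Tuple[str, str], FrozenSet[str]] = {k: frozenset(v) for k, v in dit.items()}
        self._file_type: Dict[str, str] = {}  # path -> its single type

    def label(self, path: str, file_type: str) -> None:
        """Assign the one type a file belongs to."""
        if path in self._file_type:
            raise ValueError(f"{path} already belongs to type {self._file_type[path]}")
        self._file_type[path] = file_type

    def can_file(self, domain: str, path: str, mode: str) -> bool:
        """Mandatory check: the domain needs an explicit DDT entry for this
        file's type and this mode. Unlabelled files match no entry."""
        file_type = self._file_type.get(path)
        return mode in self._ddt.get((domain, file_type), frozenset())

    def can_domain(self, src: str, dst: str, op: str) -> bool:
        """Domain-to-domain interactions likewise need an explicit DIT entry."""
        return op in self._dit.get((src, dst), frozenset())

    def open(self, domain: str, path: str, mode: str) -> str:
        """Denied or unlabelled files fail exactly like missing files."""
        if not self.can_file(domain, path, mode):
            raise AccessDenied(path)
        return path  # stand-in for the opened file


def demo_policy() -> TypeEnforcement:
    """Constructed policy: each application domain sees only what it needs."""
    ddt = {
        ("ftp_d", "ftp_pub_t"): {"read"},             # anonymous FTP may only read its tree
        ("ftp_d", "system_bin_t"): {"exec"},
        ("telnet_d", "system_bin_t"): {"exec"},
        ("admin_d", "ftp_pub_t"): {"read", "write"},  # admin publishes files ...
        ("admin_d", "audit_log_t"): {"read"},         # ... and reads, never writes, the audit log
        # No domain at all may write te_policy_t: the policy changes only by
        # shutting the system down and recompiling the policy database.
    }
    dit = {("admin_d", "ftp_d"): {"signal"}}  # admin may signal the FTP domain; nothing else talks
    te = TypeEnforcement(ddt, dit)
    te.label("/ftp/pub/readme.txt", "ftp_pub_t")
    te.label("/bin/ls", "system_bin_t")
    te.label("/var/log/audit", "audit_log_t")
    te.label("/etc/te/policy.db", "te_policy_t")
    return te


if __name__ == "__main__":
    te = demo_policy()
    for domain, path, mode in [("ftp_d", "/ftp/pub/readme.txt", "read"),
                               ("ftp_d", "/ftp/pub/readme.txt", "write"),
                               ("telnet_d", "/ftp/pub/readme.txt", "read"),
                               ("admin_d", "/etc/te/policy.db", "write")]:
        print(f"{domain:9s} {mode:5s} {path:22s} -> {te.can_file(domain, path, mode)}")
```

The check is keyed on the domain the process runs in, not on who started it; an administrator's shell in admin_d can read the audit log and signal the FTP domain but cannot write the policy database, and the FTP daemon cannot even learn that the audit log exists.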
Type enforcement is described in two pending patent applications entitled SYSTEM AND METHOD FOR PROVIDING SECURE INTERNETWORK SERVICES, Ser. No. 08/322,078, filed Oct. 12, 1994, and SYSTEM AND METHOD FOR ACHIEVING NETWORK SEPARATION, Ser. No. 08/599,232, filed Feb. 9, 1996, both of which are incorporated herein by reference. Essentially, a type enforcement scheme provides for the secure transfer of data between a workstation connected to a private network and a remote computer connected to an unsecured network. A secure computer is inserted into the private network to serve as the gateway to the unsecured network, and a client subsystem is added to the workstation in order to control the transfer of data from the workstation to the secure computer. The secure computer includes a private network interface connected to the private network; an unsecured network interface connected to the unsecured network, wherein the unsecured network interface includes means for encrypting data to be transferred from the first workstation to the remote computer; a server function for transferring data between the private network interface and the unsecured network interface; and a filter function for filtering data transferred between the remote computer and the workstation.

Application-Level Gateway Architecture

The firewall of the present invention features application level gateways, which negotiate communications and never make a direct connection between two different networks. Hence, unlike packet filtering, which, as described in the prior art, applies rules on every incoming packet of data, the firewall applies rules applicable to the network or port on which data packets are entering. The gateways have a detailed understanding of the networking services they manage. This architecture isolates activity between network interfaces by shutting off all direct communication between them. Instead, application data is transferred in a sanitized form between the opposite sides of the gateway.

Attack Protection

In addition to the firewall's secured type enforced operating system and application gateway architecture, the system has been designed to defend against known network penetration and denial of service attacks, including:

SYN Flood attack
IP spoofing
ACK storms
Network probes
Session hijacking
SNMP attacks
ICMP broadcast flooding
Land attack
ARP attacks
Ghost routing attacks
Sequence number prediction
Buffer overflows
Mail exploits
Authentication race attacks
Ping of death (fat ping attack)
Malformed packet attacks (both TCP & UDP)
Forged source address packets
Packet fragmentation attacks
Log overflow attacks
Log manipulation
Source routed packets
DNS cache corruption
Mail spamming
DNS denial of service
FTP bounce or port call attack
ICMP protocol tunnelling
VPN key generation attacks

Intruder Response

Finding out who and where attacks are originating from is a key requirement to taking corrective action. The firewall also includes intruder response that allows administrators to obtain all the information available about a potential intruder. If an attack is detected or an alarm is triggered, the intruder response mechanism collects information on the attacker, their source, and the route they are using to reach the system.

In addition to real-time response via pager or SNMP, alarms can be configured to automatically print results or to email them to the designated person.

Regions

The growing need for applying specific security policies and access requirements to complex organizations requires a new way of managing firewalls: regions. Regions are groupings of physical interfaces (network cards) and virtual networks (VPNs) into entities of similar trust.

Suppose a company has thousands of roaming users connecting to the company network from encrypted virtual private network ("VPN") clients; managing such users one at a time would be an enormous task. It would be easier to organize those roaming users into groups having, as an example, full access, medium access, and limited access rights. FIG. 2 depicts regions Internet, Secure DMZ, R&D Network, Sales Offices, Worldwide Customer Service, and Worldwide Sales. In FIG. 2, all Sales or Customer Support departments in the company's offices can be grouped together into regions Worldwide Sales and Worldwide Customer Service, respectively.

Regions permit the grouping of networks and VPNs that require the same type of security, thereby eliminating the
`
`5
`
`15
`
`25
`
`35
`
`40
`
`55
`
`60
`
`65
`
`Microsoft Ex. 1017, p. 12
`Microsoft v. Daedalus Blue
`IPR2021-00832
`
`
`
need to enter multiple versions of the same access rule for each network or VPN. Thus regions allow flexibility in tailoring a security policy. In defining regions, the first task is to group together networks or VPNs that require the same type of network access. Each network interface card or VPN that is grouped in a region is considered a member of that region. A region can consist of the following members:

an interface card,
a VPN,
a group of VPNs,
an interface card and a VPN, or
an interface card and a group of VPNs.

Hence in FIG. 2, user1, user2, user3, mgr1, and mgr2 of the Region named R&D Network would have the same rights defined for the R&D Region. In the same way, Roaming Sales 1, Roaming Sales 2, Roaming Sales 3, etc. would have the same rights accorded to all members of the Region named Sales Offices. In FIG. 2, user1, user2, Roaming Sales 1, Roaming Sales 2, mgr1, etc., do not necessarily represent only workstations. In other words, it is possible for user2 to log on at the workstation onto which user3 might ordinarily log on, or for mgr1 to log on at the workstation onto which mgr3 might ordinarily log on.

Access Rules/Access Control Language

A discussion of the use of access control language to define a security policy is explained in greater detail by Reid et al. in SYSTEM AND METHOD FOR IMPLEMENTING A SECURITY POLICY, U.S. patent application Ser. No. 09/040,827, filed herewith, which discussion is hereby incorporated by reference.

Every region is protected from every other region as defined in the firewall of the present invention. All connections to and from each region are first examined by the firewall. Regions may communicate with each other only if an appropriate access rule has been defined. For each access rule, first, the services that the rule will control must be defined; then, second, the regions that the connection is traveling between must also be defined. For example, if the Internal region is to be allowed to access Telnet services on the Internet region, the access rule must specify Telnet as the service that the rule controls and specify the From: region as Internal and the To: region as Internet. Hence, the firewall of the present invention does not allow traffic to pass directly through the firewall in any direction. Region to region connections are made via an application aware gateway. Application-level gateways understand and interpret network protocols and provide increased access control ability.

The ACLs are the heart and soul of the firewall. For each connection attempt, the firewall checks the ACLs for permissions on use and for constraints on the connection. Constraints can include: encryption requirements, authentication requirements, time of day restrictions, concurrent session restrictions, connection redirection, address or host name restrictions, user restrictions and so forth.

Access rules are the way in which the firewall protects regions from unauthorized access. For each connection attempt, the firewall checks it against the defined access rules. The rule that matches the characteristics of the connection request is used to determine whether the connection should be allowed or denied.

With the firewall of the present invention, access rules are created in a completely new way: using decision trees. Knowing that an access rule is based on a series of decisions made about a connection, the firewall permits the building of an access rule based on "nodes" of decision criteria. A node can be added to check for such criteria as the time of day, whether the connection uses the appropriate authentication or encryption, the user or groups initiating the connection request, or the IP address or host of the connection. Each node is compared against an incoming connection request, and whether the connection is allowed or denied is determined by the results of the node comparisons.
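A decision-tree evaluator for region-to-region access rules, as an added example covering the access-rule and decision-tree passages above; it is not the patent's ACL implementation or its GUI. The region names Internal, Internet and Secure DMZ and the Telnet case follow the text; the FTP rule, the node criteria, the partner prefix 198.51.100.0/24, the group names and the connection requests are constructed. Each rule names its service and the From: and To: regions first, and only a matching rule's tree is walked; where no rule matches, the regions stay protected from each other.

```python
"""Access rules as decision trees over region-to-region connections.

Added example, not the patent's ACL code. Region names follow the text;
services, node criteria, the partner prefix and the requests are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple, Union

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Connection:
    service: str
    from_region: str
    to_region: str
    src_ip: str
    at: time
    user: Optional[str] = None
    groups: frozenset = frozenset()
    authenticated: bool = False
    encrypted: bool = False


@dataclass(frozen=True)
class Node:
    """One decision criterion; each branch is another Node or a final verdict."""
    name: str
    test: Callable[[Connection], bool]
    yes: Union[Node, str]
    no: Union[Node, str]


@dataclass(frozen=True)
class AccessRule:
    service: str       # first, the service the rule controls ...
    from_region: str   # ... then the regions the connection travels between
    to_region: str
    tree: Union[Node, str]

    def matches(self, c: Connection) -> bool:
        return (self.service, self.from_region, self.to_region) == \
               (c.service, c.from_region, c.to_region)

    def decide(self, c: Connection) -> Tuple[str, List[str]]:
        """Walk the tree; the path records each node's outcome for the audit log."""
        node, path = self.tree, []
        while isinstance(node, Node):
            ok = node.test(c)
            path.append(f"{node.name}={'yes' if ok else 'no'}")
            node = node.yes if ok else node.no
        return node, path


def evaluate(rules: List[AccessRule], c: Connection) -> Tuple[str, List[str]]:
    """Regions are protected from each other unless a matching rule says otherwise."""
    for rule in rules:
        if rule.matches(c):
            return rule.decide(c)
    return DENY, ["no access rule for this service between these regions"]


# Node predicates for the criteria the text lists: time of day, user/group,
# source address, authentication and encryption.
def during(start: time, end: time) -> Callable[[Connection], bool]:
    return lambda c: start <= c.at <= end

def in_group(group: str) -> Callable[[Connection], bool]:
    return lambda c: group in c.groups

def from_net(cidr: str) -> Callable[[Connection], bool]:
    net = ip_network(cidr)
    return lambda c: ip_address(c.src_ip) in net


def demo_rules() -> List[AccessRule]:
    # Telnet from Internal to Internet: anyone in business hours; out of
    # hours only an authenticated member of the admins group.
    telnet = Node("business_hours", during(time(8), time(18)), ALLOW,
                  Node("authenticated", lambda c: c.authenticated,
                       Node("admins", in_group("admins"), ALLOW, DENY), DENY))
    # FTP from Internet into Secure DMZ: only from the partner prefix and
    # only when the connection is encrypted.
    ftp = Node("partner_prefix", from_net("198.51.100.0/24"),
               Node("encrypted", lambda c: c.encrypted, ALLOW, DENY), DENY)
    return [AccessRule("telnet", "Internal", "Internet", telnet),
            AccessRule("ftp", "Internet", "Secure DMZ", ftp)]


def demo_decisions() -> Dict[str, Tuple[str, List[str]]]:
    """Constructed connection requests run through demo_rules()."""
    rules, admins = demo_rules(), frozenset({"admins"})
    cases = {
        "telnet_business_hours": Connection("telnet", "Internal", "Internet", "10.0.0.5", time(10)),
        "telnet_night_unauth": Connection("telnet", "Internal", "Internet", "10.0.0.5", time(22)),
        "telnet_night_admin": Connection("telnet", "Internal", "Internet", "10.0.0.5", time(22),
                                         user="mgr1", groups=admins, authenticated=True),
        "telnet_night_staff": Connection("telnet", "Internal", "Internet", "10.0.0.5", time(22),
                                         user="user1", groups=frozenset({"staff"}), authenticated=True),
        "ftp_partner_encrypted": Connection("ftp", "Internet", "Secure DMZ", "198.51.100.7", time(12), encrypted=True),
        "ftp_partner_clear": Connection("ftp", "Internet", "Secure DMZ", "198.51.100.7", time(12)),
        "ftp_stranger": Connection("ftp", "Internet", "Secure DMZ", "203.0.113.5", time(12), encrypted=True),
        "telnet_inbound_no_rule": Connection("telnet", "Internet", "Internal", "203.0.113.5", time(12)),
    }
    return {name: evaluate(rules, c) for name, c in cases.items()}


if __name__ == "__main__":
    for name, (verdict, path) in demo_decisions().items():
        print(f"{name:24s} {verdict:5s} {' > '.join(path)}")
```

The recorded path is what an administrator would want in the log: a denied night-time Telnet shows "business_hours=no > authenticated=no", which tells the user what would have changed the outcome without exposing the rest of the rule.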
`Every access