-
Publication number: US06550012B1
Publication date: 2003-04-15
Application number: US09328177
Filing date: 1999-06-08
Applicants: Emilio Villa, Adrian Zidaritz, Michael David Varga, Gerhard Eschelbeck, Michael Kevin Jones, Mark James McArdle
Inventors: Emilio Villa, Adrian Zidaritz, Michael David Varga, Gerhard Eschelbeck, Michael Kevin Jones, Mark James McArdle
IPC class: G06F11/30
CPC classes: H04L63/0218, H04L63/0263, H04L63/0823, H04L63/20
Abstract: A system and methodology providing automated or "proactive" network security (an "active" firewall) are described. The system implements a methodology for verifying or authenticating communications, especially between network security components, thereby allowing those components to share information. In one embodiment, a system implementing an active firewall is provided which includes a methodology for verifying or authenticating communications between network components (e.g., sensor(s), arbiter, and actor(s)) using cryptographic keys or digital certificates. Certificates may be used to digitally sign a message or file and, in a complementary manner, to verify a digital signature. At the outset, the particular software components that may participate in authenticated communication are specified, including creating a digital certificate for each such software component. Upon detection by a sensor that an event of interest has occurred in the computer network system, the system may initiate authenticated communication between the sensor component and a central arbiter (e.g., "event orchestrator") component, so that the sensor may report the event to the arbiter or "brain." Thereafter, the arbiter (if it chooses to act on that information) initiates authenticated communication between itself and a third software component, an "actor" component (e.g., a "firewall"). The arbiter may indicate to the actor how it should handle the event. The actor or firewall, upon receiving the information, may then undertake appropriate action, such as dynamically creating or modifying rules for handling the event, or it may choose to simply ignore the information.
-
Publication number: US07096362B2
Publication date: 2006-08-22
Application number: US09872797
Filing date: 2001-06-01
IPC class: H04L9/00
CPC classes: H04L63/0823, H04L9/3247, H04L9/3263
Abstract: A system for authentication to support secure data transfer includes a protocol wherein a certificate payload, an ID payload, and a signature payload each contain at least two certificates, IDs, and signatures respectively, concatenated together. The certificates are generated by different certificate authorities (CAs) that have no trust relationship with each other. One certificate can be granted to a person and another to a particular host computer intended to be used by that person, so that for secure data transfer to take place, both a certified user and a certified host computer must be involved.
-