公开(公告)号：US07500102B2

公开(公告)日：2009-03-03

申请号：US10056889

申请日：2002-01-25

申请人： Brian Swander ,  Christian Huitema

发明人： Brian Swander ,  Christian Huitema

IPC分类号： H04L9/00 ,  H04L1/00

CPC分类号： H04L63/029 ,  H04L29/1249 ,  H04L61/256 ,  H04L63/061 ,  H04L69/16 ,  H04L69/164 ,  H04L69/166

摘要： A method and apparatus for fragmenting and reassembling IKE protocol data packets that exceed a Maximum Transmission Unit is provided. A transmitting node determines whether to fragment IKE data depending on whether the receiving node has the capability to receive and reassemble fragmented data packets. The transmitting node detects whether fragmentation is appropriate and then intercepts and fragments appropriate IKE payloads for transmission over a network. The invention further includes a method and apparatus for reassembling fragmented IKE payloads. The receiving node discards certain packets according to a set of predetermined rules that are designed to prevent denial of service attacks and other similar attacks. No modification is required to the existing IKE protocol or to other lower level networking protocols.

摘要翻译： 提供了一种用于分段和重新组合超过最大传输单元的IKE协议数据分组的方法和装置。 发送节点根据接收节点是否具有接收和重组分段数据分组的能力来确定是否分片IKE数据。 发送节点检测分段是否合适，然后拦截并分片适当的IKE有效载荷，以便通过网络进行传输。 本发明还包括用于重新组装分段的IKE有效载荷的方法和装置。 接收节点根据旨在防止拒绝服务攻击和其他类似攻击的一组预定规则来丢弃某些分组。 现有的IKE协议或其他较低级别的网络协议不需要修改。

公开(公告)号：US20070011448A1

公开(公告)日：2007-01-11

申请号：US11175923

申请日：2005-07-06

申请人： Avnish Chhabra ,  Brian Swander

发明人： Avnish Chhabra ,  Brian Swander

IPC分类号： H04L9/00

CPC分类号： H04L63/0227 ,  H04L63/164

摘要： A method of communicating using IPSec security protocol. Security associations are provided for a connection based on session information that may include user information and/or information related to an application running on the device. One or more filters determine whether or not to accept a connection based on session information.

摘要翻译： 使用IPSec安全协议进行通信的方法。 为基于会话信息的连接提供安全关联，所述会话信息可以包括与在设备上运行的应用相关的用户信息和/或信息。 一个或多个过滤器确定是否基于会话信息接受连接。

公开(公告)号：US20050114704A1

公开(公告)日：2005-05-26

申请号：US10722831

申请日：2003-11-26

申请人： Brian Swander

发明人： Brian Swander

IPC分类号： G06F11/30

CPC分类号： H04L63/0263

摘要： A preprocessor used in conjunction with a network firewall is disclosed. The preprocessor creates a first index for identifying a plurality of filters installed in the firewall. The preprocessor maintains statistics including selected criteria and corresponding values for the installed filters. When the value for the selected criteria exceeds a threshold value, the preprocessor creates a second index and moves a subset of filters from the first index to the second index.

摘要翻译： 公开了一种与网络防火墙结合使用的预处理器。 预处理器创建用于识别安装在防火墙中的多个过滤器的第一索引。 预处理器维护统计信息，包括所选标准和已安装过滤器的相应值。 当所选标准的值超过阈值时，预处理器创建第二索引并将滤波器的子集从第一索引移动到第二索引。

公开(公告)号：US08301895B2

公开(公告)日：2012-10-30

申请号：US12629059

申请日：2009-12-02

申请人： Brian Swander ,  Daniel R. Simon ,  Pascal Menezes

发明人： Brian Swander ,  Daniel R. Simon ,  Pascal Menezes

IPC分类号： H04L9/32

CPC分类号： H04L9/3247 ,  H04L9/3263 ,  H04L63/0281 ,  H04L63/0823 ,  H04L63/123 ,  H04L67/02 ,  H04L2209/60

摘要： Enhanced network data transmission security and individualized data transmission processing can be implemented by intermediaries in a communication path between two endpoint peers individually having the capability to identify and authenticate one or both of the endpoint peers. Communication session establishment, endpoint peer identity processing and authentication and data traffic encryption protocols are modified to allow intermediaries to track the communications between endpoint peers for a particular communication session and obtain information to authenticate the endpoint peers and identify data traffic transmitted between them. Intermediaries can use the identities of one or both of the endpoint peers to enforce identity based rules for processing data traffic between the endpoint peers for a communication session.

摘要翻译： 增强的网络数据传输安全性和个性化数据传输处理可以由两个端点对等体之间的通信路径中的中介机构实现，该端点对等体具有识别和认证端点对等体之一或两者的能力。 修改通信会话建立，端点对等体身份处理和认证以及数据流量加密协议，以允许中间人跟踪特定通信会话的端点对等体之间的通信，并获得用于认证端点对等体的信息，并识别它们之间传输的数据流量。 中间人可以使用一个或两个端点对等体的身份来强制基于身份的规则来处理通信会话的端点对等体之间的数据流量。

公开(公告)号：US20110131417A1

公开(公告)日：2011-06-02

申请号：US12629059

申请日：2009-12-02

申请人： Brian Swander ,  Daniel R. Simon ,  Pascal Menezes

发明人： Brian Swander ,  Daniel R. Simon ,  Pascal Menezes

IPC分类号： H04L9/32

CPC分类号： H04L9/3247 ,  H04L9/3263 ,  H04L63/0281 ,  H04L63/0823 ,  H04L63/123 ,  H04L67/02 ,  H04L2209/60

摘要： Enhanced network data transmission security and individualized data transmission processing can be implemented by intermediaries in a communication path between two endpoint peers individually having the capability to identify and authenticate one or both of the endpoint peers. Communication session establishment, endpoint peer identity processing and authentication and data traffic encryption protocols are modified to allow intermediaries to track the communications between endpoint peers for a particular communication session and obtain information to authenticate the endpoint peers and identify data traffic transmitted between them. Intermediaries can use the identities of one or both of the endpoint peers to enforce identity based rules for processing data traffic between the endpoint peers for a communication session.

摘要翻译： 增强的网络数据传输安全性和个性化数据传输处理可以由两个端点对等体之间的通信路径中的中介机构实现，该端点对等体具有识别和认证端点对等体之一或两者的能力。 修改通信会话建立，端点对等体身份处理和认证以及数据流量加密协议，以允许中间人跟踪特定通信会话的端点对等体之间的通信，并获得用于认证端点对等体的信息，并识别它们之间传输的数据流量。 中间人可以使用一个或两个端点对等体的身份来强制基于身份的规则来处理通信会话的端点对等体之间的数据流量。

公开(公告)号：US20090113517A1

公开(公告)日：2009-04-30

申请号：US11981427

申请日：2007-10-31

申请人： Christopher J. Engdahl ,  Brian Swander ,  Lee Walker

发明人： Christopher J. Engdahl ,  Brian Swander ,  Lee Walker

IPC分类号： H04L9/00 ,  G06F15/16

CPC分类号： H04L63/08 ,  H04L47/2433 ,  H04L47/2441 ,  H04L63/0254 ,  H04L63/0272

摘要： A network firewall may apply policies to packets based on a security classification. Packets with an authenticated and established security connection may be handled at a high throughput while packets with unauthenticated connections may be handed at a low throughput or even discarded. In some embodiments, three or more levels of security classifications may be used to process packets at different speeds or priorities. In some embodiments, one device may classify and tag each packet, while another device within the network may process the packets according to the tags.

摘要翻译： 网络防火墙可以根据安全分类对策略应用策略。 具有认证和建立的安全连接的数据包可以以高吞吐量处理，而具有未认证连接的数据包可能以低吞吐量或甚至丢弃传送。 在一些实施例中，可以使用三个或更多级别的安全分类来以不同的速度或优先级来处理分组。 在一些实施例中，一个设备可以对每个分组进行分类和标记，而网络内的另一设备可以根据标签处理分组。

公开(公告)号：US20050108531A1

公开(公告)日：2005-05-19

申请号：US10713980

申请日：2003-11-14

申请人： Brian Swander ,  Sara Bitan ,  Christian Huitema ,  Paul Mayfield ,  Daniel Simon

发明人： Brian Swander ,  Sara Bitan ,  Christian Huitema ,  Paul Mayfield ,  Daniel Simon

IPC分类号： H04L9/00 ,  H04L9/08 ,  H04L29/06

CPC分类号： H04L63/061 ,  H04L9/0844 ,  H04L63/0823 ,  H04L63/164 ,  H04L63/20

摘要： A method for authenticating and negotiating security parameters among two or more network devices is disclosed. The method has a plurality of modes including a plurality of messages exchanged between the two or more network devices. In a main mode, the two or more network devices establish a secure channel and select security parameters to be used during a quick mode and a user mode. In the quick mode, the two or more computers derive a set of keys to secure data sent according to a security protocol. The optional user mode provides a means of authenticating one or more users associated with the two or more network devices. A portion of the quick mode is conducted during the main mode thereby minimizing the plurality of messages that need to be exchanged between the initiator and the responder.

摘要翻译： 公开了一种用于在两个或多个网络设备之间认证和协商安全参数的方法。 该方法具有多个模式，包括在两个或多个网络设备之间交换的多个消息。 在主模式中，两个或多个网络设备建立安全通道并选择在快速模式和用户模式期间使用的安全参数。 在快速模式下，两台或多台计算机派生一组密钥来保护根据安全协议发送的数据。 可选的用户模式提供了认证与两个或多个网络设备相关联的一个或多个用户的手段。 快速模式的一部分在主模式期间进行，从而最小化需要在启动器和应答器之间交换的多个消息。

公开(公告)号：US08060927B2

公开(公告)日：2011-11-15

申请号：US11981427

申请日：2007-10-31

申请人： Christopher J. Engdahl ,  Brian Swander ,  Lee Walker

发明人： Christopher J. Engdahl ,  Brian Swander ,  Lee Walker

IPC分类号： H04L29/02 ,  G06F21/24

CPC分类号： H04L63/08 ,  H04L47/2433 ,  H04L47/2441 ,  H04L63/0254 ,  H04L63/0272

摘要： A network firewall may apply policies to packets based on a security classification. Packets with an authenticated and established security connection may be handled at a high throughput while packets with unauthenticated connections may be handed at a low throughput or even discarded. In some embodiments, three or more levels of security classifications may be used to process packets at different speeds or priorities. In some embodiments, one device may classify and tag each packet, while another device within the network may process the packets according to the tags.

摘要翻译： 网络防火墙可以根据安全分类对策略应用策略。 具有认证和建立的安全连接的数据包可以以高吞吐量处理，而具有未认证连接的数据包可能以低吞吐量或甚至丢弃传送。 在一些实施例中，可以使用三个或更多级别的安全分类来以不同的速度或优先级来处理分组。 在一些实施例中，一个设备可以对每个分组进行分类和标记，而网络内的另一设备可以根据标签来处理分组。

公开(公告)号：US07925693B2

公开(公告)日：2011-04-12

申请号：US11627510

申请日：2007-01-26

申请人： Brian Swander ,  Richard Lamb ,  Eduard Guzovsky

发明人： Brian Swander ,  Richard Lamb ,  Eduard Guzovsky

IPC分类号： G06F15/16

CPC分类号： H04L63/0245 ,  H04L29/12481 ,  H04L61/2557 ,  H04L63/0254 ,  H04L63/0478 ,  H04L63/168

摘要： An architecture that can provide for improved network content filtering is described herein. In particular, access to remote resources can be controlled by a remote mechanism. In accordance therewith, a gateway can seamlessly and/or transparently redirect packets from a client that are meant for an intended destination to an access control component. The access control component can determine whether the client has access to the resources requested. In addition, the gateway can provide IPSec features on behalf to the client.

摘要翻译： 这里描述了可以提供改进的网络内容过滤的架构。 特别是，远程资源的访问可以由远程机制来控制。 因此，网关可以无缝地和/或透明地将来自客户端的分组意图重定向到预期目的地的目的地到访问控制组件。 访问控制组件可以确定客户端是否可以访问所请求的资源。 此外，网关可以代表客户端提供IPSec功能。

公开(公告)号：US20060015935A1

公开(公告)日：2006-01-19

申请号：US11232553

申请日：2005-09-22

申请人： William Dixon ,  Gurdeep Pall ,  Ashwin Palekar ,  Bernard Aboba ,  Brian Swander

发明人： William Dixon ,  Gurdeep Pall ,  Ashwin Palekar ,  Bernard Aboba ,  Brian Swander

IPC分类号： G06F15/16

CPC分类号： H04L63/0218 ,  H04L63/164

摘要： The distributed firewall performs user authentication at a first level to establish a user security context for traffic from that user, and an authority context provides authorization for subsequent traffic. This authority context may be based on an underlying policy for particular types of traffic, access to particular applications, etc. Additionally, the system includes the ability to allow a user/process/application to define its own access control. The linking of the user security context from the traffic to the application is accomplished by enabling IPSec on a socket and forcing the socket to be bound in exclusive mode. The most common policy definitions may be included by default. Extensions of the Internet key exchange protocol (IKE) to provide the desired user authentication plus application/purpose are also provided. The architecture includes pluggable authorization module(s) that are called after IKE has successfully authenticated the peer, but before the connection is allowed to complete.