-
Publication No.: US06925572B1
Publication date: 2005-08-02
Application No.: US09514461
Filing date: 2000-02-28
Applicant: Neta Amit, Eran Harel, Abraham Nathan, Nevet Basker
Inventor: Neta Amit, Eran Harel, Abraham Nathan, Nevet Basker
IPC classification: B60C1/00, C08K5/1515, C08K5/45, C08L21/00, G06F15/16, G06F15/177, G06F11/30, G06F12/14, H04L9/00, H04L9/32
CPC classification: H04L63/0245, H04L45/74, H04L63/0263, H04L63/105, Y02T10/862
Abstract: Two-phase filtering for a firewall is disclosed. In the first, general phase, a request is filtered to verify one or more of: that the request is pursuant to a supported protocol, that a command of the request is allowed, that the length of the request does not exceed the allowed maximum for the command, and that characters of the request are of an allowable type. Upon first-phase verification, a second phase is invoked that is particular to the protocol of the request. In the second, specialized phase, the request is filtered to verify one or more of the source, the destination, and the content of the request. Upon second-phase verification, the request is allowed to pass. If either first- or second-phase verification fails, then the request is denied.
-
Publication No.: US09319383B2
Publication date: 2016-04-19
Application No.: US11124833
Filing date: 2005-05-09
Applicant: Neta Amit, Eran Harel, Abraham Nathan, Nevet Basker
Inventor: Neta Amit, Eran Harel, Abraham Nathan, Nevet Basker
CPC classification: H04L63/0245, H04L45/74, H04L63/0263, H04L63/105, Y02T10/862
Abstract: Two-phase filtering for a firewall is disclosed. In the first, general phase, a request is filtered to verify one or more of: that the request is pursuant to a supported protocol, that a command of the request is allowed, that the length of the request does not exceed the allowed maximum for the command, and that characters of the request are of an allowable type. Upon first-phase verification, a second phase is invoked that is particular to the protocol of the request. In the second, specialized phase, the request is filtered to verify one or more of the source, the destination, and the content of the request. Upon second-phase verification, the request is allowed to pass. If either first- or second-phase verification fails, then the request is denied.
-
Publication No.: US20050210294A1
Publication date: 2005-09-22
Application No.: US11124833
Filing date: 2005-05-09
Applicant: Neta Amit, Eran Harel, Abraham Nathan, Nevet Basker
Inventor: Neta Amit, Eran Harel, Abraham Nathan, Nevet Basker
CPC classification: H04L63/0245, H04L45/74, H04L63/0263, H04L63/105, Y02T10/862
Abstract: Two-phase filtering for a firewall is disclosed. In the first, general phase, a request is filtered to verify one or more of: that the request is pursuant to a supported protocol, that a command of the request is allowed, that the length of the request does not exceed the allowed maximum for the command, and that characters of the request are of an allowable type. Upon first-phase verification, a second phase is invoked that is particular to the protocol of the request. In the second, specialized phase, the request is filtered to verify one or more of the source, the destination, and the content of the request. Upon second-phase verification, the request is allowed to pass. If either first- or second-phase verification fails, then the request is denied.
-
Publication No.: US07266604B1
Publication date: 2007-09-04
Application No.: US09541461
Filing date: 2000-03-31
IPC classification: G06F15/173, G06F15/16, G06F15/167
CPC classification: H04L63/0281, H04L29/06, H04L29/12009, H04L29/12367, H04L29/125, H04L29/12556, H04L29/1282, H04L61/2514, H04L61/2564, H04L61/2585, H04L61/6013, H04L69/22
Abstract: Proxy network address translation (PNAT) is disclosed, which combines proxy server capability with network address translation (NAT) capability. At a NAT component, address translation is performed at a packet level of a stream of packets originating from a client and destined for a server. The address translation redirects the packets to a proxy component, and masks the source of the packets. At the proxy component, filtering is performed at a stream level of the stream of packets. The proxy component transmits the packets to the server. A specific installed component is not required at clients for access through the PNAT. The PNAT retains the advantages of a proxy server, while retaining the component-less nature of access of NAT.
-
Publication No.: US07398308B2
Publication date: 2008-07-08
Application No.: US11275610
Filing date: 2006-01-19
Applicant: Guy Friedel, Ariel Katz, Abraham Nathan, Yaron Shamir
Inventor: Guy Friedel, Ariel Katz, Abraham Nathan, Yaron Shamir
IPC classification: G06F15/173
CPC classification: H04L63/102, H04L63/20
Abstract: A distributed policy model for access control is disclosed. In an enterprise-only mode, each node within a networking environment has its resource access governed by the same enterprise-wide policy. The enterprise-wide policy is set through creation of one or more enterprise policy objects. In an integrated mode, nodes are organized in a number of arrays. Each array has an array-wide policy set through creation of an array policy object. Each array-wide policy initially inherits the enterprise-wide policy. Additional resource access and protocol use restrictions can be added to the individual array-wide policies. In an array-only mode, each array has an array-wide policy also set through creation of an array policy object, but the policy does not necessarily initially inherit an enterprise-wide policy. In a stand-alone mode, a single server has its own policy.
-
Publication No.: US07013332B2
Publication date: 2006-03-14
Application No.: US09681106
Filing date: 2001-01-09
Applicant: Guy Friedel, Ariel Katz, Yaron Shamir, Abraham Nathan
Inventor: Guy Friedel, Ariel Katz, Yaron Shamir, Abraham Nathan
IPC classification: G06F15/173
CPC classification: H04L63/102, H04L63/20
Abstract: A distributed policy model for access control is disclosed. In an enterprise-only mode, each node within a networking environment has its resource access governed by the same enterprise-wide policy. The enterprise-wide policy is set through creation of one or more enterprise policy objects. In an integrated mode, nodes are organized in a number of arrays. Each array has an array-wide policy set through creation of an array policy object. Each array-wide policy initially inherits the enterprise-wide policy. Additional resource access and protocol use restrictions can be added to the individual array-wide policies. In an array-only mode, each array has an array-wide policy also set through creation of an array policy object, but the policy does not necessarily initially inherit an enterprise-wide policy. In a stand-alone mode, a single server has its own policy.
-
Publication No.: US20060168257A1
Publication date: 2006-07-27
Application No.: US11275610
Filing date: 2006-01-19
Applicant: Guy Friedel, Ariel Katz, Abraham Nathan, Yaron Shamir
Inventor: Guy Friedel, Ariel Katz, Abraham Nathan, Yaron Shamir
IPC classification: G06F15/16
CPC classification: H04L63/102, H04L63/20
Abstract: A distributed policy model for access control is disclosed. In an enterprise-only mode, each node within a networking environment has its resource access governed by the same enterprise-wide policy. The enterprise-wide policy is set through creation of one or more enterprise policy objects. In an integrated mode, nodes are organized in a number of arrays. Each array has an array-wide policy set through creation of an array policy object. Each array-wide policy initially inherits the enterprise-wide policy. Additional resource access and protocol use restrictions can be added to the individual array-wide policies. In an array-only mode, each array has an array-wide policy also set through creation of an array policy object, but the policy does not necessarily initially inherit an enterprise-wide policy. In a stand-alone mode, a single server has its own policy.