[go: up one dir, main page]

US20080134300A1 - Method for Improving Security of Computer Networks - Google Patents

Method for Improving Security of Computer Networks Download PDF

Info

Publication number
US20080134300A1
US20080134300A1 US11/775,214 US77521407A US2008134300A1 US 20080134300 A1 US20080134300 A1 US 20080134300A1 US 77521407 A US77521407 A US 77521407A US 2008134300 A1 US2008134300 A1 US 2008134300A1
Authority
US
United States
Prior art keywords
network
security device
requesting user
network security
reply
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US11/775,214
Inventor
David Izatt
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Arxceo Corp
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to US11/775,214 priority Critical patent/US20080134300A1/en
Assigned to ARXCEO CORPORATION reassignment ARXCEO CORPORATION ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: IZATT, DAVID
Publication of US20080134300A1 publication Critical patent/US20080134300A1/en
Priority to US13/034,697 priority patent/US8181237B2/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101Access control lists [ACL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Definitions

  • the invention relates generally to computer software. More specifically, the present invention relates to computer software that enhances computer network security for unauthorized intrusion.
  • FIG. 1 shows a schematic of a prior art network 10 with a firewall.
  • the network 10 includes a series of users 12 a - 12 d that are linked and controlled through a server 14 .
  • the device could also be a router or a switch for the network.
  • a firewall 16 is installed between the server 14 and the network exterior 20 .
  • the server 14 , the firewall 16 , and the exterior 20 are interconnected through a single line 18 .
  • the single line 18 prevents outsiders from accessing the network except through the firewall 16 .
  • the firewall receives all data from the network exterior before it is sent to the network users.
  • the data may be e-mail, encrypted data, internet queries, or any other type of network traffic.
  • the firewall sorts and analyzes the data and determines whether it should have access to the network. If the data is authorized, the firewall forwards the data on to its destination. If the data is unauthorized, the firewall denies access to the network.
  • FIG. 2 shows a diagram of a prior art data packet 30 .
  • the packet 30 includes three segments: a header 32 ; a body 34 ; and a trailer 36 .
  • the body 34 is the segment that contains the actual substance of the data.
  • the header 32 and the trailer 36 both contain various fields that are necessary for the administrative control of the packet 30 .
  • the header 32 segment includes: a flag 38 a ; an address field 40 : and a control field 42 .
  • the trailer 36 segment includes: a sequence check field 44 and a flag 38 b .
  • the first flag 38 a signifies the start of the packet 30 .
  • a second flag 38 b signifies the end of the packet 30 .
  • the sequence check field 44 provides a check to ensure the data of the packet was properly received.
  • the address field 40 includes the addresses of the source and the destination of the data.
  • the control field 42 contains various information related to the administration of the packet 30 including a “time-to-live” field.
  • the time-to-live field is an internal countdown mechanism that ensures that undeliverable or lost packets are deleted.
  • the time-to-live field is given a certain value when the packet is first transmitted. As the packet passes through various servers, routers, switches, bridges, gateways, etc, that makes up a network, the time-to-live field is decremented once by each device it passes through. Once the time-to-live field reaches zero, the packet is deleted. This mechanism prevents a lost or undeliverable packet from circulating on the network in an endless loop.
  • FIG. 3 shows a flow chart 50 of a prior art network firewall protection scheme.
  • a packet is received at the firewall 52 from the network exterior 20 .
  • the firewall then conducts a handshake protocol 54 after receipt of the packet.
  • the operations of network components are governed by protocols,
  • a protocol is simply an established set of rules or standards that allow computers to connect with one another and exchange information and data with as little error as possible, Protocols may vary widely based different types of computer operating systems and on the different types of communications that are being transmitted.
  • a handshake protocol governs a series of signals acknowledging that the transfer of data can take place between devices (“the handshake”).
  • the handshake various changes are made to the packet by the firewall.
  • the address of the firewall is added to the address field to show that the packet has left the firewall. Also, the time-to-live field is decremented by the firewall.
  • the packet is analyzed by the firewall to determine whether or not the data is acceptable to forward on to its destination in the network 56 .
  • the firewall analyzes the data through a technique called “pattern matching” that is well known in the art. Additionally, other techniques such as “protocol analysis” could be used as well. If the packet is authorized, it is forwarded on to the network destination by the firewall 58 .
  • the packet is unauthorized, it is denied access to the network 60 and a message such as “resource denied” or “resource restricted” is sent to the sender.
  • the party who sent the data from the exterior network is able to monitor and detect the presence of the firewall after the handshake protocol 62 and after access has been denied 62 due to the changes in the packet at the handshake 62 .
  • a hacker is able to detect the presence of a firewall, attempts can be made penetrate it and gain access to the network. If a hacker gains knowledge of the presence of a firewall, probes can be made against it. Ultimately, the firewall may be breached or bypassed and unauthorized access to the network can be gained by the hacker.
  • a data packet will also contain an “ethernet frame field”.
  • the ethernet frame field is used by an ethernet card which is a piece of hardware within the firewall that manages access to the network.
  • FIG. 4 shows a schematic 70 of a prior art data packet with an ethernet frame field. The contents of the data packet are similar to what was previously described in FIG. 2 .
  • the data packet includes three segments: a header 72 : a body 74 ; and a trailer 76 ,
  • the header 72 segment includes: a flag 78 a ; an address field 80 ; and a control field 82 .
  • the trailer 76 segment includes: a sequence check field 84 and a flag 78 b , Additionally, two segments of the ethernet frame field 86 a and 86 b are included immediately in front of the first flag 78 a and immediately following the second flag 78 b respectively.
  • the ethernet frame field 86 a and 86 b is simply a protocol for processing the packet. Like the data packet, its contents are changed when it leaves the firewall. Specifically, the firewall adds its specific media access controller (“MAC”) address to frame field 86 a and 86 b .
  • the MAC address is a layer of the ISO/OSI (International Organization for Standardization/Open Systems Interconnection) reference model. The ISO/OSI model separates computer to computer communication into seven protocol layers. The ethernet card and the MAC are parts of one of the lower layers of this model and they manage access to the physical network.
  • FIG. 5 shows a flow chart 90 of a prior art network stealth firewall protection scheme.
  • a packet is first received at the firewall 92 from the network exterior 20 .
  • a stealth firewall conducts a different type of handshake protocol 94 .
  • a stealth firewall does not decrement the time-to-live Held of the packet. Consequently, anyone monitoring the status of the packets in the network exterior 20 will not be able to see the stealth firewall due to a change in the value of the time-to-live field.
  • the stealth firewall analyzes the packet 96 in a similar manner as previously described for reference number 56 in prior art FIG.
  • the packet is authorized, it is forwarded on to the network destination by the firewall 98 . If the packet is not authorized, it is denied access to the network 100 However, the firewall does not respond to the sender with any type of message indicating a denial of access. Instead, the stealth firewall simply drops the packet 102 . The sender is prevented from detecting the stealth firewall by finding any indication of its presence in a decremented rime-to-live field or a denial of access message.
  • a stealth firewall may still be detected by the changes it makes to the packet during its handshake protocol 94 . Specifically, a stealth firewall leaves its own MAC address in the packet as it conducts the stealth handshake protocol 94 . Once the presence of the stealth firewall is detected through the MAC address, a hacker can then begin to probe the firewall and attempt to find a way around it to gain access to the network, in order to prevent attacks by hackers on a firewall, it is necessary to make the firewall undetectable to parties outside the network.
  • the invention relates to a method of preventing unauthorized user access to a computer network, comprising; receiving a domain name server resolution request at the computer network from a requesting user; replying to the requesting user with a domain name server resolution and internet protocol address of a target device within the computer network; inspecting the reply to the requesting user with a network security device, where the network security device does not have an assigned internet protocol address; monitoring data traffic to the computer network with the network security device to detect a reply to the internet protocol address of the target device from the requesting user; intercepting the reply to the internet protocol address of the target device from the requesting user with the network security device; and verifying that the requesting user is authorized to access the computer network with the network security device.
  • the invention relates to a method of preventing unauthorized user access to a computer network, comprising: step for receiving an access request to the computer network from a requesting user; step for replying to the access request with an internet protocol address within the computer network; step inspecting the reply to the requesting user with a network security device, where the network security device does not have an assigned internet protocol address; step for detecting a reply from the requesting user with the network security device; step for intercepting the reply from the requesting user with the network security device so that it appears to the requesting user that a connection has been established with the internet protocol address within the computer network; and step for verifying that the requesting user is authorized to access the computer network with the network security device.
  • FIG. 1 shows a schematic of a prior art network with a firewall.
  • FIG. 2 shows a schematic of a prior art data packet.
  • FIG. 3 shows a flow chart of a prior art network firewall protection scheme.
  • FIG. 4 shows a schematic of a prior art data packet with an Ethernet frame.
  • FIG. 5 shows a flow chart of a prior art network stealth firewall protection scheme.
  • FIG. 6 shows a block diagram of a network security system in accordance with one embodiment of the present invention.
  • FIG. 6 shows a block diagram of a network security system 200 in accordance with one example of the present invention.
  • the system 200 provides a network security device 210 that is located along the data path between the network interior 230 and the network exterior 220 .
  • the network security device may be a firewall or other similar device that is used to protect a network interior such as a local area network (LAN) from unauthorized access from the network exterior such as the internet.
  • the network security device 210 is located so that all data traffic between the LAN and the Internet passes through the device.
  • LAN local area network
  • the present invention provides a method for a network security device 210
  • IP Internet Protocol
  • This method uses Domain Name Server (DNS) resolution to obtain the IP address from a server.
  • DNS Domain Name Server
  • the network security device 210 must be between the Internet and the client/end user attempting to connect to the device.
  • the network security device 210 uses the invented method by looking for the return, or resolution, to the client's DNS resolution request. Upon seeing the resolution, the network security device 210 assigns itself the IP address contained within the DNS resolution and forwards the resolution requests, as defined and intended, to the client.
  • the client's session will attempt to connect to the IP address it received within the DNS resolution and since the network security device 210 assigned itself that same address, said session establishment will resolve between the client and the network security device 210 .
  • a browser would be opened on a client machine sitting within a LAN
  • the URL entered into the browser could be related to the name of the device, such as; device.manage.com.
  • a DNS resolution would be setup for device.mauage.com.
  • the DNS resolution request will exit the client machine and head outward into the Internet asking for a DNS server to resolve that URL into a IP address.
  • the network security device 210 will be looking for a return, or DNS resolution, packet coming from the Internet.
  • the network security device 210 Upon receiving the DNS resolution packet, the network security device 210 assigns itself the IP address contained within the DNS resolution packet and forwards it to its intended destination (the original client browser), The browser sees this resolution and plugs in the same IP address contained within that DNS resolution packet. Since the browser is seeking to establish a session to mat IP address and the network security device 210 has temporarily assigned itself the same IP address, the session will connect to the network security device 210 .
  • the network security device 210 simply “grabs” the data traffic to a target IP address in the network interior 230 from a requesting client in the network exterior 220 without having a separate IP address to reveal its presence.
  • the DNS resolution request goes out from the originator as described previously and the DNS resolution and the target IP address within the network are returned to the requester. As it is returned, the DNS resolution and the target IP address are observed and inspected by the network security device 210 .
  • the security device 210 now begins watching for data traffic that is intended for the target IP address that is coming from the requester. If such traffic is detected, it is intercepted by the network security device 210 .
  • the browser of the requesting client believes that is connected with the device at the target IP address but in fact it is connected to the network security device 210 .
  • the client cannot detect the presence of the network security device 210 since it has no separate IP address and therefore remains invisible to the network exterior. The client may not connect with the targeted network device until it is authorized by the network security device 210 .
  • An alternative embodiment of the present invention provides a method for an electronic network security device 210 to reset itself back to a set of factory default parameters without logging into the device, using any type of user interface or any type of hardware reset button.
  • Network security devices generally have a network connector of some type and generally have a status or activity light (LED) located next to the connector.
  • LED status or activity light
  • One such example of an embodiment is a RJ45 100BaseT connector.
  • a light/LED is usually turned on or blinks due to traffic.
  • the network security device 210 itself is able to detect this attachment as well By using a sequence of attachments and disconnects of cables to the network security device 210 , a pre-defined sequence can be used to tell the device that it should restore its configuration back to the factory defaults.
  • network security device 210 has two RJ45 100BaseT connectors. The user is told to first connect a live network to the first connector and wait until the LED comes on. Then the other connector is attached to a computer or network, using another cable and user waits until the LED comes on. Once the LED of the second connector comes on, the cable is removed from the first connector and reattached. Upon the LED coming back on, the cable is removed from the second connector and reattached. Upon the LED of the second connector coming on, the cable on the first connector is again removed and reconnected.
  • the network security device 210 is looking for a 5 part sequence: Connector 1 “ON”; Connector 2 “ON”; Connector 1 “ON”; Connector 2 “ON”; Connector 1 “ON”. Once that sequence is seen, within the correct time period, the device resets itself back to factory default settings.
  • Another alternative embodiment of the present invention relates to a method of handling traffic directed to a nonexistent destination.
  • This embodiment provides a method that allows a network security device 210 to make decisions as to how to handle network traffic based on the packets intended destination.
  • the destination address of a packet comprises a destination IP address and a port number.
  • the combination of these two fields in an IP packet's header typically tells a network security device 210 how to forward it to its intended destination which consists of a address (e.g., a computer) and a network port (e.g., an assigned number ranging from 1-65536) that a particular application, or “service” is assigned to listen to in order to see the incoming request.
  • a network security device 210 e.g., an assigned number ranging from 1-65536
  • a network security device 210 can choose to handle network packet traffic uniquely based on the destination of the packet going to an invalid address, port or both. This method does not require the network security device 210 to learn or keep track of valid addresses, invalid addresses, or ports of the devices it is protecting. It can determine whether a destination is invalid just prior to completing session establishment. Upon determining the intended destination of a packet is not a valid destination, the network security device 210 can choose to drop the traffic. It can also choose to blacklist the source or origin of the packet. It can also choose to continue providing false information in reply such that the source device is unable to determine that it has been blacklisted or treated uniquely. This approach creates a silent or stealth blacklist which doesn't alert the attacker that he has been discovered.
  • the invention may include a method for creating a whitelist that would allow the invention to ignore this method. We do this because sometimes a “real web server” might be down temporarily and people wouldn't want to blacklist clients that are correctly trying to connect during that system down time period.
  • a “worm” is a self-replicating computer program, similar to a computer virus.
  • a virus attaches itself to, and becomes part of, another executable program; however, a worm is self-contained and does not need to be part of another program to propagate itself. They are often designed to exploit the file transmission capabilities found on many computers.
  • a “signature” is a pattern of network traffic that has been determined to be an attack or exploit on a vulnerable computer.
  • a “signature database” is a collection of various signatures used by network firewall-type devices to determine and stop a previously discovered attack that is now occurring.
  • a worm propagates itself usually with the same replicating method. We can detect this attack, based on the second occurrence of the same identical, or very close, behavior within a “close” timeframe to the first occurrence of that pattern. This does mean the worm was successful once. But then we are able to stop additional attacks that are trying to target other similar machines on the LAN. So, this means that if we see behavior indicating a worm, that is using certain network header fields and occur in a repeating pattern, we can deduce a worm is attacking upon seeing the second identical pattern.
  • a signature can be created that can be used to stop further attacks. Possible actions include: classifying this as an attack and act accordingly (e.g., drop the traffic and blacklist the offending computer); create a signature in “real time” based on that pattern; and use the signature in the future for detection.
  • Another alternative embodiment of the present invention relates to a method of detecting or preventing unauthorized access to a wireless access point by having the wireless access point publicly broadcast fake or virtual connections.
  • the invention replies to connection attempts that target the fake access points with real-looking information that makes it further appear to the unauthorized connection that it is successfully connecting.
  • the invention monitors whether any connection is attempted to the fake access points and recording the device's address where the connection attempt began, if that device continues to attempt connections to fake access points, it can be blacklisted. Further traffic from that device address can be dropped.
  • the invention may have an ‘anti-recon’ capability.
  • the real access point would also implement a process that embeds various information into a range of fields in the IP header. This would randomize those fields in such a way as to harden them against attackers that are “reconing” a network for valid IP addresses and open ports.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

A method of preventing unauthorized user access to a computer network has been developed. The method includes receiving a domain name server resolution request at the computer network from a requesting user. Next a reply to the requesting user is generated with a domain name server resolution and internet protocol address of a target device within the computer network. The reply is inspected with a network security device, where the network security device does not have an assigned internet protocol address so that it remains undetected by the requesting user. The network security device then monitors data traffic to the computer network to detect a reply from the requesting user. Once detected, the reply to the internet protocol address is intercepted with the network security device. Finally, the network security device verifies that the requesting user is authorized to access the computer network with the network security device.

Description

    CROSS-REFERENCE TO RELATED APPLICATIONS
  • This application claims priority from U.S. Provisional Patent Application No. 60/806,771 entitled “Method for Improving Security of Computer Networks” that was filed on Jul. 08, 2007.
    • FIELD OF THE INVENTION
  • The invention relates generally to computer software. More specifically, the present invention relates to computer software that enhances computer network security for unauthorized intrusion.
    • BACKGROUND ART
  • As society's dependence on computers increases, the importance of security for computers and their networks also increases. Threats such as hackers can shut down or damage large computer networks and cost significant amounts of money, resources, and time. Security measures to prevent such incidents are constantly evolving along with the nature and sophistication of the threat,
  • One technique to protect a computer network from external threats is by using a “firewall”. A firewall is a combination of hardware and software that is placed between a network and its exterior. FIG. 1 shows a schematic of a prior art network 10 with a firewall. The network 10 includes a series of users 12 a-12 d that are linked and controlled through a server 14. The device could also be a router or a switch for the network. A firewall 16 is installed between the server 14 and the network exterior 20. The server 14, the firewall 16, and the exterior 20 are interconnected through a single line 18. The single line 18 prevents outsiders from accessing the network except through the firewall 16. The firewall receives all data from the network exterior before it is sent to the network users. The data may be e-mail, encrypted data, internet queries, or any other type of network traffic. The firewall sorts and analyzes the data and determines whether it should have access to the network. If the data is authorized, the firewall forwards the data on to its destination. If the data is unauthorized, the firewall denies access to the network.
  • Data is normally transmitted in multiple bundles of information called “data packet's” or “packets”. A message, query, etc. from the outside network is broken down into these packets in order to provide more efficient transmission of the data. Once all packets of data arrive at the destination, the packets are re-assembled. Flow ever, the packets contain more information than just the transmitted data. FIG. 2 shows a diagram of a prior art data packet 30. The packet 30 includes three segments: a header 32; a body 34; and a trailer 36. The body 34 is the segment that contains the actual substance of the data.
  • The header 32 and the trailer 36 both contain various fields that are necessary for the administrative control of the packet 30. The header 32 segment includes: a flag 38 a; an address field 40: and a control field 42. The trailer 36 segment includes: a sequence check field 44 and a flag 38 b. The first flag 38 a signifies the start of the packet 30. A second flag 38 b signifies the end of the packet 30. The sequence check field 44 provides a check to ensure the data of the packet was properly received. The address field 40 includes the addresses of the source and the destination of the data. The control field 42 contains various information related to the administration of the packet 30 including a “time-to-live” field. The time-to-live field is an internal countdown mechanism that ensures that undeliverable or lost packets are deleted. The time-to-live field is given a certain value when the packet is first transmitted. As the packet passes through various servers, routers, switches, bridges, gateways, etc, that makes up a network, the time-to-live field is decremented once by each device it passes through. Once the time-to-live field reaches zero, the packet is deleted. This mechanism prevents a lost or undeliverable packet from circulating on the network in an endless loop.
  • FIG. 3 shows a flow chart 50 of a prior art network firewall protection scheme. First, a packet is received at the firewall 52 from the network exterior 20. The firewall then conducts a handshake protocol 54 after receipt of the packet. The operations of network components are governed by protocols, A protocol is simply an established set of rules or standards that allow computers to connect with one another and exchange information and data with as little error as possible, Protocols may vary widely based different types of computer operating systems and on the different types of communications that are being transmitted. A handshake protocol governs a series of signals acknowledging that the transfer of data can take place between devices (“the handshake”). During the handshake, various changes are made to the packet by the firewall. The address of the firewall is added to the address field to show that the packet has left the firewall. Also, the time-to-live field is decremented by the firewall.
  • After completing the handshake 54, the packet is analyzed by the firewall to determine whether or not the data is acceptable to forward on to its destination in the network 56. The firewall analyzes the data through a technique called “pattern matching” that is well known in the art. Additionally, other techniques such as “protocol analysis” could be used as well. If the packet is authorized, it is forwarded on to the network destination by the firewall 58. If the packet is unauthorized, it is denied access to the network 60 and a message such as “resource denied” or “resource restricted” is sent to the sender, The party who sent the data from the exterior network is able to monitor and detect the presence of the firewall after the handshake protocol 62 and after access has been denied 62 due to the changes in the packet at the handshake 62. Once a hacker is able to detect the presence of a firewall, attempts can be made penetrate it and gain access to the network. If a hacker gains knowledge of the presence of a firewall, probes can be made against it. Ultimately, the firewall may be breached or bypassed and unauthorized access to the network can be gained by the hacker.
  • In addition to the contents of the data packet described in FIG. 2, a data packet will also contain an “ethernet frame field”. The ethernet frame field is used by an ethernet card which is a piece of hardware within the firewall that manages access to the network. FIG. 4 shows a schematic 70 of a prior art data packet with an ethernet frame field. The contents of the data packet are similar to what was previously described in FIG. 2. The data packet includes three segments: a header 72: a body 74; and a trailer 76, The header 72 segment includes: a flag 78 a; an address field 80; and a control field 82. The trailer 76 segment includes: a sequence check field 84 and a flag 78 b, Additionally, two segments of the ethernet frame field 86 a and 86 b are included immediately in front of the first flag 78 a and immediately following the second flag 78 b respectively.
  • The ethernet frame field 86 a and 86 b is simply a protocol for processing the packet. Like the data packet, its contents are changed when it leaves the firewall. Specifically, the firewall adds its specific media access controller (“MAC”) address to frame field 86 a and 86 b. The MAC address is a layer of the ISO/OSI (International Organization for Standardization/Open Systems Interconnection) reference model. The ISO/OSI model separates computer to computer communication into seven protocol layers. The ethernet card and the MAC are parts of one of the lower layers of this model and they manage access to the physical network.
  • One prior art solution is to make a firewall more difficult to detect (a “stealth firewall”). FIG. 5 shows a flow chart 90 of a prior art network stealth firewall protection scheme. As shown previously in FIG. 3, a packet is first received at the firewall 92 from the network exterior 20. However, a stealth firewall conducts a different type of handshake protocol 94. A stealth firewall does not decrement the time-to-live Held of the packet. Consequently, anyone monitoring the status of the packets in the network exterior 20 will not be able to see the stealth firewall due to a change in the value of the time-to-live field. After the stealth handshake 94, the stealth firewall analyzes the packet 96 in a similar manner as previously described for reference number 56 in prior art FIG. 3. If the packet is authorized, it is forwarded on to the network destination by the firewall 98. If the packet is not authorized, it is denied access to the network 100 However, the firewall does not respond to the sender with any type of message indicating a denial of access. Instead, the stealth firewall simply drops the packet 102. The sender is prevented from detecting the stealth firewall by finding any indication of its presence in a decremented rime-to-live field or a denial of access message.
  • However, a stealth firewall may still be detected by the changes it makes to the packet during its handshake protocol 94. Specifically, a stealth firewall leaves its own MAC address in the packet as it conducts the stealth handshake protocol 94. Once the presence of the stealth firewall is detected through the MAC address, a hacker can then begin to probe the firewall and attempt to find a way around it to gain access to the network, in order to prevent attacks by hackers on a firewall, it is necessary to make the firewall undetectable to parties outside the network.
    • SUMMARY OF THE INVENTION
  • In some aspects, the invention relates to a method of preventing unauthorized user access to a computer network, comprising; receiving a domain name server resolution request at the computer network from a requesting user; replying to the requesting user with a domain name server resolution and internet protocol address of a target device within the computer network; inspecting the reply to the requesting user with a network security device, where the network security device does not have an assigned internet protocol address; monitoring data traffic to the computer network with the network security device to detect a reply to the internet protocol address of the target device from the requesting user; intercepting the reply to the internet protocol address of the target device from the requesting user with the network security device; and verifying that the requesting user is authorized to access the computer network with the network security device.
  • In other aspects, the invention relates to a method of preventing unauthorized user access to a computer network, comprising: step for receiving an access request to the computer network from a requesting user; step for replying to the access request with an internet protocol address within the computer network; step inspecting the reply to the requesting user with a network security device, where the network security device does not have an assigned internet protocol address; step for detecting a reply from the requesting user with the network security device; step for intercepting the reply from the requesting user with the network security device so that it appears to the requesting user that a connection has been established with the internet protocol address within the computer network; and step for verifying that the requesting user is authorized to access the computer network with the network security device.
  • Other aspects and advantages of the invention will be apparent from the following description and the appended claims.
    • BRIEF DESCRIPTION OF DRAWINGS
  • It should be noted that identical features in different drawings are shown with the same reference numeral
  • FIG. 1 shows a schematic of a prior art network with a firewall.
  • FIG. 2 shows a schematic of a prior art data packet.
  • FIG. 3 shows a flow chart of a prior art network firewall protection scheme.
  • FIG. 4 shows a schematic of a prior art data packet with an Ethernet frame.
  • FIG. 5 shows a flow chart of a prior art network stealth firewall protection scheme.
  • FIG. 6 shows a block diagram of a network security system in accordance with one embodiment of the present invention.
    •  DETAILED DESCRIPTION
  • The present invention relates to a method for providing an IP address target when no IP address is assigned to a network security device used to provide security for a network. FIG. 6 shows a block diagram of a network security system 200 in accordance with one example of the present invention. The system 200 provides a network security device 210 that is located along the data path between the network interior 230 and the network exterior 220. In this example, the network security device may be a firewall or other similar device that is used to protect a network interior such as a local area network (LAN) from unauthorized access from the network exterior such as the internet. The network security device 210 is located so that all data traffic between the LAN and the Internet passes through the device.
  • The present invention provides a method for a network security device 210
  • to dynamically assign itself a temporary Internet Protocol (IP) address. The network security device 210 can temporarily assign itself a unique IP address so that a connection to the device can be established using standard Internet tools. Upon the end of the session, this IP address is no longer assigned to the device.
  • This method uses Domain Name Server (DNS) resolution to obtain the IP address from a server. The network security device 210 must be between the Internet and the client/end user attempting to connect to the device. The network security device 210 uses the invented method by looking for the return, or resolution, to the client's DNS resolution request. Upon seeing the resolution, the network security device 210 assigns itself the IP address contained within the DNS resolution and forwards the resolution requests, as defined and intended, to the client. The client's session will attempt to connect to the IP address it received within the DNS resolution and since the network security device 210 assigned itself that same address, said session establishment will resolve between the client and the network security device 210.
  • One example of this process is that a browser would be opened on a client machine sitting within a LAN, The URL entered into the browser could be related to the name of the device, such as; device.manage.com. Prior to use, a DNS resolution would be setup for device.mauage.com. When that URL is entered into a client browser, the DNS resolution request will exit the client machine and head outward into the Internet asking for a DNS server to resolve that URL into a IP address. The network security device 210 will be looking for a return, or DNS resolution, packet coming from the Internet. Upon receiving the DNS resolution packet, the network security device 210 assigns itself the IP address contained within the DNS resolution packet and forwards it to its intended destination (the original client browser), The browser sees this resolution and plugs in the same IP address contained within that DNS resolution packet. Since the browser is seeking to establish a session to mat IP address and the network security device 210 has temporarily assigned itself the same IP address, the session will connect to the network security device 210.
  • In a further example, the network security device 210 simply “grabs” the data traffic to a target IP address in the network interior 230 from a requesting client in the network exterior 220 without having a separate IP address to reveal its presence. With this method, the DNS resolution request goes out from the originator as described previously and the DNS resolution and the target IP address within the network are returned to the requester. As it is returned, the DNS resolution and the target IP address are observed and inspected by the network security device 210. The security device 210 now begins watching for data traffic that is intended for the target IP address that is coming from the requester. If such traffic is detected, it is intercepted by the network security device 210. In such a case, the browser of the requesting client believes that is connected with the device at the target IP address but in fact it is connected to the network security device 210. The client cannot detect the presence of the network security device 210 since it has no separate IP address and therefore remains invisible to the network exterior. The client may not connect with the targeted network device until it is authorized by the network security device 210.
  • An alternative embodiment of the present invention, provides a method for an electronic network security device 210 to reset itself back to a set of factory default parameters without logging into the device, using any type of user interface or any type of hardware reset button. Network security devices generally have a network connector of some type and generally have a status or activity light (LED) located next to the connector. One such example of an embodiment is a RJ45 100BaseT connector.
  • Upon connecting the network security device 210 to a network, via a cable of appropriate type, network activity, or traffic, is detected by the network controller and a light/LED is usually turned on or blinks due to traffic. The network security device 210 itself is able to detect this attachment as well By using a sequence of attachments and disconnects of cables to the network security device 210, a pre-defined sequence can be used to tell the device that it should restore its configuration back to the factory defaults.
  • One embodiment of this is as follows: network security device 210 has two RJ45 100BaseT connectors. The user is told to first connect a live network to the first connector and wait until the LED comes on. Then the other connector is attached to a computer or network, using another cable and user waits until the LED comes on. Once the LED of the second connector comes on, the cable is removed from the first connector and reattached. Upon the LED coming back on, the cable is removed from the second connector and reattached. Upon the LED of the second connector coming on, the cable on the first connector is again removed and reconnected. All of this process must be completed within a pre-defined time period, in this example, the network security device 210 is looking for a 5 part sequence: Connector 1 “ON”; Connector 2 “ON”; Connector 1 “ON”; Connector 2 “ON”; Connector 1 “ON”. Once that sequence is seen, within the correct time period, the device resets itself back to factory default settings.
  • Another alternative embodiment of the present invention relates to a method of handling traffic directed to a nonexistent destination. This embodiment provides a method that allows a network security device 210 to make decisions as to how to handle network traffic based on the packets intended destination. The destination address of a packet comprises a destination IP address and a port number. The combination of these two fields in an IP packet's header typically tells a network security device 210 how to forward it to its intended destination which consists of a address (e.g., a computer) and a network port (e.g., an assigned number ranging from 1-65536) that a particular application, or “service” is assigned to listen to in order to see the incoming request.
  • A network security device 210 can choose to handle network packet traffic uniquely based on the destination of the packet going to an invalid address, port or both. This method does not require the network security device 210 to learn or keep track of valid addresses, invalid addresses, or ports of the devices it is protecting. It can determine whether a destination is invalid just prior to completing session establishment. Upon determining the intended destination of a packet is not a valid destination, the network security device 210 can choose to drop the traffic. It can also choose to blacklist the source or origin of the packet. It can also choose to continue providing false information in reply such that the source device is unable to determine that it has been blacklisted or treated uniquely. This approach creates a silent or stealth blacklist which doesn't alert the attacker that he has been discovered. Furthermore, the invention may include a method for creating a whitelist that would allow the invention to ignore this method. We do this because sometimes a “real web server” might be down temporarily and people wouldn't want to blacklist clients that are correctly trying to connect during that system down time period.
  • Another alternative embodiment of the present invention relates to a worm propagation detection method. A “worm” is a self-replicating computer program, similar to a computer virus. A virus attaches itself to, and becomes part of, another executable program; however, a worm is self-contained and does not need to be part of another program to propagate itself. They are often designed to exploit the file transmission capabilities found on many computers. A “signature” is a pattern of network traffic that has been determined to be an attack or exploit on a vulnerable computer. A “signature database” is a collection of various signatures used by network firewall-type devices to determine and stop a previously discovered attack that is now occurring.
  • A worm propagates itself usually with the same replicating method. We can detect this attack, based on the second occurrence of the same identical, or very close, behavior within a “close” timeframe to the first occurrence of that pattern. This does mean the worm was successful once. But then we are able to stop additional attacks that are trying to target other similar machines on the LAN. So, this means that if we see behavior indicating a worm, that is using certain network header fields and occur in a repeating pattern, we can deduce a worm is attacking upon seeing the second identical pattern. Upon attack detection of a second similar attack, a signature can be created that can be used to stop further attacks. Possible actions include: classifying this as an attack and act accordingly (e.g., drop the traffic and blacklist the offending computer); create a signature in “real time” based on that pattern; and use the signature in the future for detection.
  • Another alternative embodiment of the present invention relates to a method of detecting or preventing unauthorized access to a wireless access point by having the wireless access point publicly broadcast fake or virtual connections. The invention replies to connection attempts that target the fake access points with real-looking information that makes it further appear to the unauthorized connection that it is successfully connecting. The invention monitors whether any connection is attempted to the fake access points and recording the device's address where the connection attempt began, if that device continues to attempt connections to fake access points, it can be blacklisted. Further traffic from that device address can be dropped. The invention may have an ‘anti-recon’ capability. When using a wireless access point to also broadcast fake connections, the real access point would also implement a process that embeds various information into a range of fields in the IP header. This would randomize those fields in such a way as to harden them against attackers that are “reconing” a network for valid IP addresses and open ports.
  • While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this disclosure, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as disclosed here. Accordingly, the scope of the invention should be limited only by the attached claims.

Claims (6)

1. A method of preventing unauthorized user access to a computer network,
comprising:
receiving a domain name server resolution request at the computer network from a requesting user;
replying to the requesting user with a domain name server resolution and internet protocol address of a target device within the computer network;
inspecting the reply to the requesting user with a network security device, where the network security device does not have an assigned internet protocol address;
monitoring data traffic to the computer network with the network security device to detect a reply to the internet protocol address of the target device from the requesting user;
intercepting the reply to the interact protocol address of the target device from the requesting user with the network security device; and
verifying that the requesting user is authorized to access the computer network with the network security device.
2. The method of claim 1, where the network security device uses the internet protocol address of the target device when intercepting the reply from the requesting user in order to remain undetected by the requesting user.
3. The method of claim 1, where the network security device comprises a firewall.
4. The method of claim I, where the computer network in a local area network.
5. A method of preventing unauthorized user access to a computer network, comprising:
step for receiving an access request to the computer network from a requesting user;
step for replying to the access request with an internet protocol address within the computer network;
step inspecting the reply to the requesting user with a network security device, where the network security device does not have an assigned internet protocol address;
step for detecting a reply from the requesting user with the network security device;
step for intercepting the reply from the requesting user with the network security device so that it appears to the requesting user that a connection has been established with the internet protocol address within the computer network; and
step for verifying that the requesting user is authorized to access the computer network with the network security device.
6. The method of claim 5, where the network security device uses the internet protocol address within the computer network when intercepting the reply from the requesting user in order to remain undetected by the requesting user.
US11/775,214 2006-07-08 2007-07-09 Method for Improving Security of Computer Networks Abandoned US20080134300A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US11/775,214 US20080134300A1 (en) 2006-07-08 2007-07-09 Method for Improving Security of Computer Networks
US13/034,697 US8181237B2 (en) 2006-07-08 2011-02-24 Method for improving security of computer networks

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US80677106P 2006-07-08 2006-07-08
US11/775,214 US20080134300A1 (en) 2006-07-08 2007-07-09 Method for Improving Security of Computer Networks

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US13/034,697 Continuation US8181237B2 (en) 2006-07-08 2011-02-24 Method for improving security of computer networks

Publications (1)

Publication Number Publication Date
US20080134300A1 true US20080134300A1 (en) 2008-06-05

Family

ID=39477451

Family Applications (2)

Application Number Title Priority Date Filing Date
US11/775,214 Abandoned US20080134300A1 (en) 2006-07-08 2007-07-09 Method for Improving Security of Computer Networks
US13/034,697 Active US8181237B2 (en) 2006-07-08 2011-02-24 Method for improving security of computer networks

Family Applications After (1)

Application Number Title Priority Date Filing Date
US13/034,697 Active US8181237B2 (en) 2006-07-08 2011-02-24 Method for improving security of computer networks

Country Status (1)

Country Link
US (2) US20080134300A1 (en)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090138959A1 (en) * 2007-11-22 2009-05-28 Chae Tae Im DEVICE, SYSTEM AND METHOD FOR DROPPING ATTACK MULTIMEDIA PACKET IN THE VoIP SERVICE
US8135853B1 (en) 2007-11-21 2012-03-13 Marvell International Ltd. Streaming data engine
US20120089744A1 (en) * 2010-10-12 2012-04-12 Microsoft Corporation Range Weighted Internet Protocol Address Blacklist
US8181237B2 (en) 2006-07-08 2012-05-15 Arxceo Corporation Method for improving security of computer networks
US8296421B1 (en) * 2008-10-23 2012-10-23 Marvell International Ltd. Methods, algorithms, circuits, and systems for controlling a network connection status indicator
WO2014086246A1 (en) * 2012-12-05 2014-06-12 Tencent Technology (Shenzhen) Company Limited Method and computer device for monitoring wireless network
US20150016289A1 (en) * 2013-07-11 2015-01-15 Eden Rock Communications, Llc Method and system for proxy base station
US20150067764A1 (en) * 2013-09-03 2015-03-05 Electronics And Telecommunications Research Institute Whitelist-based network switch
US20150106910A1 (en) * 2008-08-05 2015-04-16 At&T Intellectual Property I, L.P. Method and apparatus for reducing unwanted traffic between peer networks
US9100325B2 (en) 2008-10-23 2015-08-04 Marvell International Ltd. Controlling a network connection status indicator
US20170034128A1 (en) * 2011-08-24 2017-02-02 Mcafee, Inc. System, method, and computer program for preventing infections from spreading in a network environment using dynamic application of a firewall policy
US20170230334A1 (en) * 2016-02-04 2017-08-10 Airwatch Llc Enterprise mobility management and network micro-segmentation
US20210176211A1 (en) * 2017-03-23 2021-06-10 Pismo Labs Technology Limited Method and system for restricting transmission of data traffic for devices with networking capabilities
US11108738B2 (en) * 2018-07-24 2021-08-31 Alaxala Networks Corporation Communication apparatus and communication system
US11108823B2 (en) * 2018-07-31 2021-08-31 International Business Machines Corporation Resource security system using fake connections

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9001699B2 (en) * 2011-12-26 2015-04-07 Jaya MEGHANI Systems and methods for communication setup via reconciliation of internet protocol addresses
KR102218202B1 (en) * 2014-08-01 2021-02-23 삼성전자주식회사 Semiconductor device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6751738B2 (en) * 1996-10-17 2004-06-15 Ralph E. Wesinger, Jr. Firewall providing enhanced network security and user transparency
US7100201B2 (en) * 2002-01-24 2006-08-29 Arxceo Corporation Undetectable firewall
US7188365B2 (en) * 2002-04-04 2007-03-06 At&T Corp. Method and system for securely scanning network traffic
US7327746B1 (en) * 2003-08-08 2008-02-05 Cisco Technology, Inc. System and method for detecting and directing traffic in a network environment
US20090288158A1 (en) * 2002-01-24 2009-11-19 Arxceo Corporation Intelligent firewall

Family Cites Families (51)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5606668A (en) 1993-12-15 1997-02-25 Checkpoint Software Technologies Ltd. System for securing inbound and outbound data packet flow in a computer network
US5633858A (en) 1994-07-28 1997-05-27 Accton Technology Corporation Method and apparatus used in hashing algorithm for reducing conflict probability
US5987611A (en) 1996-12-31 1999-11-16 Zone Labs, Inc. System and methodology for managing internet access on a per application basis for client computers connected to the internet
US5896499A (en) 1997-02-21 1999-04-20 International Business Machines Corporation Embedded security processor
US6098172A (en) 1997-09-12 2000-08-01 Lucent Technologies Inc. Methods and apparatus for a computer network firewall with proxy reflection
USH1944H1 (en) 1998-03-24 2001-02-06 Lucent Technologies Inc. Firewall security method and apparatus
US6141755A (en) 1998-04-13 2000-10-31 The United States Of America As Represented By The Director Of The National Security Agency Firewall security apparatus for high-speed circuit switched networks
US6966004B1 (en) * 1998-08-03 2005-11-15 Cisco Technology, Inc. Method for providing single step log-on access to a differentiated computer network
US6311275B1 (en) * 1998-08-03 2001-10-30 Cisco Technology, Inc. Method for providing single step log-on access to a differentiated computer network
US6400707B1 (en) 1998-08-27 2002-06-04 Bell Atlantic Network Services, Inc. Real time firewall security
US6826694B1 (en) 1998-10-22 2004-11-30 At&T Corp. High resolution access control
US6754831B2 (en) 1998-12-01 2004-06-22 Sun Microsystems, Inc. Authenticated firewall tunneling framework
US7194554B1 (en) * 1998-12-08 2007-03-20 Nomadix, Inc. Systems and methods for providing dynamic network authorization authentication and accounting
US6654796B1 (en) 1999-10-07 2003-11-25 Cisco Technology, Inc. System for managing cluster of network switches using IP address for commander switch and redirecting a managing request via forwarding an HTTP connection to an expansion switch
US7213063B2 (en) 2000-01-18 2007-05-01 Lucent Technologies Inc. Method, apparatus and system for maintaining connections between computers using connection-oriented protocols
US6823387B1 (en) 2000-06-23 2004-11-23 Microsoft Corporation System and method for enhancing a server's ability to withstand a “SYN flood” denial of service attack
US6577630B1 (en) 2000-08-04 2003-06-10 Intellon Corporation Self-configuring source-aware bridging for noisy media
CA2417817C (en) 2000-08-11 2007-11-06 British Telecommunications Public Limited Company System and method of detecting events
US7398317B2 (en) 2000-09-07 2008-07-08 Mazu Networks, Inc. Thwarting connection-based denial of service attacks
US6823453B1 (en) 2000-10-06 2004-11-23 Hewlett-Packard Development Company, L.P. Apparatus and method for implementing spoofing-and replay-attack-resistant virtual zones on storage area networks
RU2214623C2 (en) 2000-12-29 2003-10-20 Купреенко Сергей Витальевич Computer network with internet screen and internet screen
US20020133586A1 (en) 2001-01-16 2002-09-19 Carter Shanklin Method and device for monitoring data traffic and preventing unauthorized access to a network
US6907525B2 (en) * 2001-08-14 2005-06-14 Riverhead Networks Inc. Protecting against spoofed DNS messages
US7313815B2 (en) * 2001-08-30 2007-12-25 Cisco Technology, Inc. Protecting against spoofed DNS messages
EP1433076B1 (en) 2001-08-30 2017-10-25 Cisco Technology, Inc. Protecting against distributed denial of service attacks
JP3663627B2 (en) 2001-10-18 2005-06-22 ソニー株式会社 COMMUNICATION PROCESSING DEVICE, COMMUNICATION PROCESSING METHOD, AND COMPUTER PROGRAM
US7058718B2 (en) 2002-01-15 2006-06-06 International Business Machines Corporation Blended SYN cookies
US7743415B2 (en) 2002-01-31 2010-06-22 Riverbed Technology, Inc. Denial of service attacks characterization
US6845452B1 (en) * 2002-03-12 2005-01-18 Reactivity, Inc. Providing security for external access to a protected computer network
US6856991B1 (en) 2002-03-19 2005-02-15 Cisco Technology, Inc. Method and apparatus for routing data to a load balanced server using MPLS packet labels
US7088718B1 (en) 2002-03-19 2006-08-08 Cisco Technology, Inc. Server load balancing using IP option field approach to identify route to selected server
US7140041B2 (en) 2002-04-11 2006-11-21 International Business Machines Corporation Detecting dissemination of malicious programs
US7257834B1 (en) * 2002-10-31 2007-08-14 Sprint Communications Company L.P. Security framework data scheme
US7346770B2 (en) * 2002-10-31 2008-03-18 Microsoft Corporation Method and apparatus for traversing a translation device with a security protocol
US7536719B2 (en) * 2003-01-07 2009-05-19 Microsoft Corporation Method and apparatus for preventing a denial of service attack during key negotiation
US7979694B2 (en) * 2003-03-03 2011-07-12 Cisco Technology, Inc. Using TCP to authenticate IP source addresses
US7114096B2 (en) 2003-04-02 2006-09-26 International Business Machines Corporation State recovery and failover of intelligent network adapters
US7404205B2 (en) 2003-06-03 2008-07-22 Hewlett-Packard Development Company, L.P. System for controlling client-server connection requests
US9160714B2 (en) 2003-06-30 2015-10-13 Telefonaktiebolaget L M Ericsson (Publ) Using tunneling to enhance remote LAN connectivity
US7356587B2 (en) 2003-07-29 2008-04-08 International Business Machines Corporation Automatically detecting malicious computer network reconnaissance by updating state codes in a histogram
US7266754B2 (en) 2003-08-14 2007-09-04 Cisco Technology, Inc. Detecting network denial of service attacks
US7263717B1 (en) * 2003-12-17 2007-08-28 Sprint Communications Company L.P. Integrated security framework and privacy database scheme
US20050240989A1 (en) 2004-04-23 2005-10-27 Seoul National University Industry Foundation Method of sharing state between stateful inspection firewalls on mep network
US7584301B1 (en) * 2004-05-06 2009-09-01 Foundry Networks, Inc. Host-level policies for global server load balancing
US7854000B2 (en) 2004-10-26 2010-12-14 Cisco Technology, Inc. Method and system for addressing attacks on a computer connected to a network
EP1847093A1 (en) 2005-02-04 2007-10-24 Nokia Corporation Apparatus, method and computer program product to reduce tcp flooding attacks while conserving wireless network bandwidth
KR100608136B1 (en) 2005-02-18 2006-08-08 재단법인서울대학교산학협력재단 How to Improve Security Performance in Stateful Inspection of TPC Connections
JP4557815B2 (en) 2005-06-13 2010-10-06 富士通株式会社 Relay device and relay system
US7633917B2 (en) 2006-03-10 2009-12-15 Cisco Technology, Inc. Mobile network device multi-link optimizations
US20080134300A1 (en) 2006-07-08 2008-06-05 David Izatt Method for Improving Security of Computer Networks
US20080276294A1 (en) * 2007-05-02 2008-11-06 Brady Charles J Legal intercept of communication traffic particularly useful in a mobile environment

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7249378B2 (en) * 1996-02-06 2007-07-24 Graphon Nes Sub, Llc Firewall providing enhanced network security and user transparency
US7249376B2 (en) * 1996-02-06 2007-07-24 Graphon Nes Sub, Llc Firewall providing enhanced network security and user transparency
US6751738B2 (en) * 1996-10-17 2004-06-15 Ralph E. Wesinger, Jr. Firewall providing enhanced network security and user transparency
US7100201B2 (en) * 2002-01-24 2006-08-29 Arxceo Corporation Undetectable firewall
US20090288158A1 (en) * 2002-01-24 2009-11-19 Arxceo Corporation Intelligent firewall
US7188365B2 (en) * 2002-04-04 2007-03-06 At&T Corp. Method and system for securely scanning network traffic
US7543332B2 (en) * 2002-04-04 2009-06-02 At&T Corporation Method and system for securely scanning network traffic
US7327746B1 (en) * 2003-08-08 2008-02-05 Cisco Technology, Inc. System and method for detecting and directing traffic in a network environment
US20080101391A1 (en) * 2003-08-08 2008-05-01 Cisco Technology, Inc. System and Method for Detecting and Directing Traffic in a Network Environment

Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8181237B2 (en) 2006-07-08 2012-05-15 Arxceo Corporation Method for improving security of computer networks
US8135853B1 (en) 2007-11-21 2012-03-13 Marvell International Ltd. Streaming data engine
US20090138959A1 (en) * 2007-11-22 2009-05-28 Chae Tae Im DEVICE, SYSTEM AND METHOD FOR DROPPING ATTACK MULTIMEDIA PACKET IN THE VoIP SERVICE
US10439986B2 (en) * 2008-08-05 2019-10-08 At&T Intellectual Property I, L.P. Method and apparatus for reducing unwanted traffic between peer networks
US20150106910A1 (en) * 2008-08-05 2015-04-16 At&T Intellectual Property I, L.P. Method and apparatus for reducing unwanted traffic between peer networks
US8296421B1 (en) * 2008-10-23 2012-10-23 Marvell International Ltd. Methods, algorithms, circuits, and systems for controlling a network connection status indicator
US9100325B2 (en) 2008-10-23 2015-08-04 Marvell International Ltd. Controlling a network connection status indicator
US20120089744A1 (en) * 2010-10-12 2012-04-12 Microsoft Corporation Range Weighted Internet Protocol Address Blacklist
US9148432B2 (en) * 2010-10-12 2015-09-29 Microsoft Technology Licensing, Llc Range weighted internet protocol address blacklist
US10701036B2 (en) * 2011-08-24 2020-06-30 Mcafee, Llc System, method, and computer program for preventing infections from spreading in a network environment using dynamic application of a firewall policy
US20170034128A1 (en) * 2011-08-24 2017-02-02 Mcafee, Inc. System, method, and computer program for preventing infections from spreading in a network environment using dynamic application of a firewall policy
US9553897B2 (en) 2012-12-05 2017-01-24 Tencent Technology (Shenzhen) Company Limited Method and computer device for monitoring wireless network
WO2014086246A1 (en) * 2012-12-05 2014-06-12 Tencent Technology (Shenzhen) Company Limited Method and computer device for monitoring wireless network
US9736705B2 (en) * 2013-07-11 2017-08-15 Nokia Solutions And Networks Oy Method and system for proxy base station
US20150016289A1 (en) * 2013-07-11 2015-01-15 Eden Rock Communications, Llc Method and system for proxy base station
US9369434B2 (en) * 2013-09-03 2016-06-14 Electronics And Telecommunications Research Institute Whitelist-based network switch
US20150067764A1 (en) * 2013-09-03 2015-03-05 Electronics And Telecommunications Research Institute Whitelist-based network switch
US20170230334A1 (en) * 2016-02-04 2017-08-10 Airwatch Llc Enterprise mobility management and network micro-segmentation
US10523636B2 (en) * 2016-02-04 2019-12-31 Airwatch Llc Enterprise mobility management and network micro-segmentation
US11032247B2 (en) 2016-02-04 2021-06-08 Airwatch Llc Enterprise mobility management and network micro-segmentation
US20210176211A1 (en) * 2017-03-23 2021-06-10 Pismo Labs Technology Limited Method and system for restricting transmission of data traffic for devices with networking capabilities
US11722458B2 (en) * 2017-03-23 2023-08-08 Pismo Labs Technology Limited Method and system for restricting transmission of data traffic for devices with networking capabilities
US11108738B2 (en) * 2018-07-24 2021-08-31 Alaxala Networks Corporation Communication apparatus and communication system
US11108823B2 (en) * 2018-07-31 2021-08-31 International Business Machines Corporation Resource security system using fake connections

Also Published As

Publication number Publication date
US20110258691A1 (en) 2011-10-20
US8181237B2 (en) 2012-05-15

Similar Documents

Publication Publication Date Title
US8181237B2 (en) Method for improving security of computer networks
US7472414B2 (en) Method of processing data traffic at a firewall
US7100201B2 (en) Undetectable firewall
AU2005207632B2 (en) Upper-level protocol authentication
US6745333B1 (en) Method for detecting unauthorized network access by having a NIC monitor for packets purporting to be from itself
US7984493B2 (en) DNS based enforcement for confinement and detection of network malicious activities
EP1817685B1 (en) Intrusion detection in a data center environment
Bellovin A look back at" security problems in the tcp/ip protocol suite
US20030065943A1 (en) Method and apparatus for recognizing and reacting to denial of service attacks on a computerized network
JP2002026907A (en) Communication network security methods and methods for analyzing network security of communication networks and communication systems and security host computers and machine readable media.
Zhong et al. Research on DDoS Attacks in IPv6
Pandey et al. Attacks & defense mechanisms for TCP/IP based protocols
Upadhya et al. A Survey on different Port Scanning Methods and the Tools used to perform them
Djalaliev et al. Sentinel: hardware-accelerated mitigation of bot-based DDoS attacks
Kamal et al. Analysis of network communication attacks
Zia et al. Security technique to prevent port knocking and illegal access in SDN
Stopforth Techniques and countermeasures of TCP/IP OS fingerprinting on Linux Systems
CN120034346A (en) Message transmission method and device
Bisen et al. Countermeasure tool-Carapace for Network Security
Tajdini et al. IPv6 Common Security Vulnerabilities and Tools: Overview of IPv6 with Respect to Online Games
Hooper An intellilgent infrastructure strategy to improvilng the performance and detection capability of intrusion detection systems
Beyene Firewalls in Linux: Principles and Implementation
Rubin A Report to the Federal Trade Commission on Reponses to their Request For Information on Establishing a National Do Not E-mail Registry
Onah THE MENACE OF IP-SPOOFING VULNERABILITY IN NETWORK ENVIRONMENTS AND MITIGATION RESPONSES
Balakrishnan et al. and Harish Sukumaran {lokesh, ksrini, vinodkk, chow, sharish}@ utdallas. edu Department of Computer Science University of Texas at Dallas

Legal Events

Date Code Title Description
AS Assignment

Owner name: ARXCEO CORPORATION, ALABAMA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:IZATT, DAVID;REEL/FRAME:020433/0635

Effective date: 20080128

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION