CN1173256A - Network security device - Google Patents

Network security device

Info

Publication number: CN1173256A
Authority: CN (China)
Prior art keywords: network, node, security device, network security, address
Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number: CN96191481A
Other languages: English (en)
Inventors: 阿隆·弗里德曼 (Aharon Friedman), 本·蔡恩·利维 (Ben Zion Levy)
Current assignee: Digital Secured Networks Technology Inc
Original assignee: Digital Secured Networks Technology Inc
Priority date: 1995-09-18
Filing date: 1996-09-06
Publication date: 1998-02-11

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/02 ... for separating internal from external traffic, e.g. firewalls
        • H04L63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
            • H04L63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                • H04L63/0442 ... wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
        • H04L63/06 ... for supporting key management in a packet data network
            • H04L63/068 ... using time-dependent keys, e.g. periodically changing keys
        • H04L63/16 Implementing security features at a particular protocol layer
            • H04L63/164 ... at the network layer
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
            • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
                    • H04L9/0841 ... involving Diffie-Hellman or related key agreement protocols
        • H04L9/40 Network security protocols

Abstract

A network security device (10) is connected between a protected client (12) and a network (100). The network security device (10) negotiates a session key with another protected client, after which all communication between the two clients is encrypted. The device is self-configuring: it locks itself to the IP address of its client (12). Once locked, the client (12) cannot change its IP address and therefore cannot impersonate the IP address of another client. When a packet is transmitted from the protected host, the security device (10) replaces the client's MAC address with its own MAC address before the packet enters the network. Packets addressed to the host carry the security device's MAC address; before passing a packet to the client (12), the security device (10) replaces its own MAC address with the client's MAC address.

Description

Network Security Device
Technical Field
The invention relates to a network security device connected between a protected computer (the client) and a network, and to a method of using such a device. The network security device negotiates a session key with other protected clients, after which all communication between the two clients is encrypted. The device is self-configuring and locks itself to the IP (Internet Protocol) address and MAC address of its client. Once configured, the client cannot change its IP or MAC address, so the network security device does not allow a client to impersonate another client by setting a false IP or MAC address.
Background Art
A. Network Architecture
Fig. 1 shows an interconnected communication network 100 comprising five transit or backbone networks A, B, C, D and E and three stub networks (networks that only send and receive traffic for their own local hosts) R, Y and Z. A "backbone" network is an intermediate network that carries traffic from one network to another. A "stub" network is a terminal network: traffic can only originate or finally terminate there. Each network, for example stub network R, consists of one or more interconnected subnetworks I, J, L and M. As used here, the term "subnetwork" refers to a collection of one or more nodes, e.g. (d), (a), (b, x, y), (q, v), (r, z), (s, u), (e, f, g), (h, i), (j, k, l), (m, n) and (o, p), interconnected by links or switches for local node-to-node communication. Each subnetwork may be a local area network (LAN). Each subnetwork has one or more nodes, which may be host computers ("hosts") u, v, w, x, y, z or routers a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s. A host is an end node that can originate or finally receive traffic. A router is a node used solely as an intermediate node between two other nodes: it receives traffic from one node and retransmits it to another. The backbone networks, stub networks, subnetworks and nodes are referred to here collectively as the "internet system".
Fig. 2 is a block diagram of a host or router node 10. The node may comprise a CPU 11, a memory 12 and one or more input/output (I/O) ports (network interfaces) 13-1, 13-2, ..., 13-N connected to a bus 14. Each I/O port 13-1, 13-2, ..., 13-N is connected by wire, optical fibre and/or switches to an I/O port of another node. The I/O ports transmit traffic to another node as a bit stream organized into one or more packets, and receive packets from other nodes. If host 10 is a host computer attached to a subnetwork (an Ethernet), it has a single I/O port (an Ethernet interface).
The host that originates a packet for transmission to another node is the source node; the host that finally receives it is the destination node. Communication takes place by passing the packet in bucket-brigade fashion through a sequence of nodes: the source node, zero or more intermediate nodes, and the destination node. For example, a packet may travel from node w to node c, then node d, node b and node x.
Fig. 3A shows a typical packet 40 with a payload 41 containing the communication data (user data) and a header 42 containing control and/or address information. The header information is usually arranged in layers, including an IP layer and a physical layer.
The IP-layer header generally includes the IP source address, the IP destination address, a checksum and a hop count indicating the number of hops taken in a multi-hop network. The physical-layer header includes the source MAC (hardware) address and the destination MAC address.
The user data may be a TCP (Transmission Control Protocol) packet, including a TCP header, or a UDP (User Datagram Protocol) packet, including a UDP header. Among other things, these protocols govern the packaging of information to be transmitted, the reassembly of received packets into the originally transmitted information, and the scheduling of packet transmission and reception (see, e.g., D. Comer, "Internetworking with TCP/IP", Vol. I (1991); D. Comer and D. Stevens, "Internetworking with TCP/IP", Vol. II (1991)).
In the typical internet protocol, IP, each node of the internet 100 is assigned an Internet (IP) address that is unique across the whole internet 100, e.g. the Internet address of node Y shown in Fig. 3B (see Information Sciences Institute, RFC 791, "Internet Protocol", September 1981). IP addresses are assigned hierarchically: each node's IP address contains a network portion 31 identifying the node's network, a subnetwork portion 32 identifying the node's particular subnetwork, and a host portion 33 identifying the particular host or router and distinguishing the nodes within that subnetwork.
In an internet 100 using the IP protocol, the IP addresses of the source and destination nodes are placed in the packet header 42 by the source node. A node receiving the packet identifies the source and destination nodes by examining these addresses.
B. Encryption Technology
Message encryption can prevent eavesdropping in a network such as network 100 of Fig. 1. Message encryption uses an encryption function that encrypts the data (message content) under a number called the session key. Only the pair of hosts communicating with each other (and hence only the correctly matched pair of hosts in a given communication) know the session key and can encrypt and decrypt the data. Two examples of encryption functions are the National Bureau of Standards' Data Encryption Standard (DES) (see, e.g., National Bureau of Standards, "Data Encryption Standard", FIPS PUB 46, 1977) and the more recent Fast Encryption Algorithm (FEAL) (see, e.g., Shimizu and S. Miyaguchi, "FEAL: Fast Data Encipherment Algorithm", Systems and Computers in Japan, Vol. 19, No. 7, and S. Miyaguchi, "The FEAL Cipher Family", Proceedings of CRYPTO '90, Santa Barbara, Calif., August 1990). Another encryption function is IDEA. One way to use an encryption function is the electronic codebook (ECB) mode: a plaintext message m is encrypted with the encryption function to yield the ciphertext message c = f(m, sk), where sk is the session key. The message c can only be decrypted by a party that knows the session key sk, recovering the plaintext m = f⁻¹(c, sk).
Key agreement between two communicating hosts can be carried out using public-key cryptography (see, e.g., U.S. Patents Nos. 5,222,140 and 5,229,263).
Before discussing public-key cryptography, some background is useful. Most practical modern cryptography is based on two well-known mathematical problems that are believed (but not proven) to be hard, i.e. not solvable in polynomial time on average. These are the factorization problem and the discrete logarithm (Discrete-Log) problem. The factorization problem is defined as follows:
Input: N, where N = pq and p and q are large primes
Output: p and/or q
The Discrete-Log problem is defined as follows:
Input: p, g, y, where y = g^x mod p and p is a large prime
Output: x
(The Discrete-Log problem can equally be defined with a composite modulus N = pq.)
Starting from the factorization and Discrete-Log problems, further problems are defined that correspond to modifications of the cryptosystems.
One such problem, already exploited in cryptography (see H. C. Williams, "A Modification of the RSA Public-Key Encryption Procedure", IEEE Transactions on Information Theory, Vol. IT-26, No. 6, November 1980), is the modular square root problem, defined as follows:
Input: N, y, where y = x² mod N, N = pq, and p and q are large primes
Output: x
Computing the square root is easy if p and q are known and hard if they are not. When N is the product of two primes, it is usual to take the fourth root modulo N. As used here, z = ²ᵐ√x mod N denotes that z is the smallest integer such that z^(2m) = x mod N.
Another problem, called the Composite Diffie-Hellman (CDH) problem, is defined as follows:
Input: N, g, g^x mod N, g^y mod N, where N = pq and p and q are large primes
Output: g^(xy) mod N
It has been proven mathematically that the modular square root and Composite Diffie-Hellman problems are as hard as the factorization problem above (see, e.g., M. O. Rabin, "Digitalized Signatures and Public-Key Functions as Intractable as Factorization", MIT Laboratory for Computer Science, TR-212, January 1979; Z. Shmuely, "Composite Diffie-Hellman Public-Key Generating Systems Are Hard to Break", Technion, Computer Science Department, Israel, TR 356, February 1985; and K. S. McCurley, "A Key Distribution System Equivalent to Factoring", Journal of Cryptology, Vol. 1, No. 2, 1988, pp. 95-105).
In a typical public-key cryptosystem, each user i has a public key P_i (e.g. the modulus N) and a secret key S_i (e.g. the factors p and q). A message to user i is encrypted with a public operation using the public key that everyone knows (e.g. squaring modulo N), but it is decrypted with a secret operation that uses the secret key (e.g. taking a square root modulo N, which requires the factors p and q).
C. Network Security Devices
Existing network security products fall into two classes: (1) firewalls, e.g. Janus and ANS, and (2) software products, such as encrypted mail, secure HTTP and one-time passwords.
A firewall is a dedicated computer, usually running the Unix operating system, that filters incoming and outgoing traffic. It is placed as a router between a local area network (LAN) and the outside world and decides whether to let a packet through on the basis of source and/or destination IP address and TCP port number. Some firewalls can also encrypt data, provided both ends of the communication use the same type of firewall. Some firewalls offer personal authentication.
Software products rest on the assumption that the computer on which the product is installed is secure and that only the external network needs protecting. Such products can therefore easily be bypassed by breaking into the computer. A common scenario is that an intruder plants a "Trojan horse" on the computer which sends him an unencrypted copy of everything processed. Sometimes this is done as a delayed action, during periods when the computer cannot be monitored.
There are also authentication products designed to prevent intrusion and keep the computer intact. These products assume that they are 100% secure; once the product is compromised it is completely ineffective, and sometimes one careless user can compromise the product for all its other users.
Firewalls are more effective at maintaining network security, but they are very expensive: between $10,000 and $50,000 plus the cost of hardware. They require senior experts to install and maintain; the most sophisticated and effective firewalls need specially trained technicians or engineers, at up to $10,000 of training per person plus an annual salary of $60,000 to $120,000.
Firewalls must be constantly maintained, upgraded and monitored to provide reasonable security. They cover only the TCP part of the Internet protocols, not the UDP part, and therefore cannot secure NFS (Network File System) or many client/server applications.
A firewall is a full-service computer that can be logged into for maintenance and monitoring, and can therefore be broken into. Once compromised, a firewall loses its function and becomes a liability rather than a security aid. A firewall only protects the connection between the LAN and the WAN (wide area network); it does not protect a particular host from intrusion from inside the LAN.
For these reasons, the object of the invention is to provide a network security device that overcomes the drawbacks of prior-art network security devices.
In particular, the object of the invention is to provide a hardware device that provides network security for an individual host connected to the network.
Summary of the Invention
The security device of the invention comprises a first network interface connected to the protected client, a second network interface connected to a portion of the network, and processing circuitry connected to both interfaces. As illustrated, the network portion to which the client connects is an Ethernet, and the first and second network interfaces are Ethernet interfaces. The processing circuitry connected between the two interfaces may be a conventional CPU such as an Intel 486 DX2-66 or a Pentium; alternatively, the processing unit may be implemented as one or more ASICs (application-specific integrated circuits) or as a combination of ASICs and a CPU. Traffic from the protected client enters the network through the first interface, the processing circuitry and the second interface; traffic received from the network reaches the protected client through the second interface, the processing circuitry and the first interface.
Preferably, the network security device is a sealed device that cannot be logged into. It has the same IP address as the protected client.
The network security device of the invention performs several important functions. It learns the MAC and/or IP address of its client and locks itself to those addresses by storing them in the device's permanent memory. If a packet arriving from the client carries a MAC and/or IP address different from the stored one, the packet is not allowed into the network. The protected client therefore cannot change its MAC and/or IP address, which prevents it from impersonating the MAC and/or IP address of another client on the network. When a packet from the client arrives at the first network interface, the processing circuitry replaces the protected client's MAC address with the network security device's own MAC address and then passes the packet through the second interface into the network. Conversely, the same translation is performed in reverse when a packet arrives at the device from the network side.
Packets received from the protected client are encrypted, before transmission over the network to their destination, with an encryption function such as IDEA, FEAL or DES. Likewise, encrypted packets received from the destination are decrypted. This requires the protected client and the destination (which is itself the protected client of another network security device somewhere on the network) to share a common session key.
The shared session key is obtained using public-key cryptography. Both protected clients (denoted i and j below) have public keys P_i, P_j and secret keys S_i, S_j. The public keys P_i and P_j have a static part and a periodically updated dynamic part; the secret keys S_i, S_j likewise have a static part and a dynamic part.
For key exchange, the network security device keeps two databases. The static database holds information about the secure hosts or nodes on the network, a secure host or node being one protected by a network security device. Each entry of the static database holds information about one secure host: its IP address, the time it entered the database, and its permanent public key.
The dynamic database holds information about both secure and non-secure hosts. Each entry comprises the host's IP address, a flag indicating whether the host is secure, a flag indicating whether the host is in transit (i.e. in the middle of a key exchange), and a pointer to the shared secret session key.
The protocol by which host i's network security device agrees a shared session key with host j's network security device is as follows.
Suppose host i is communicating with host j. Traffic for host j arrives at host i's network security device, which checks whether host j is in the dynamic database. If it is, the device determines whether the dynamic database holds a shared session key for communication between hosts i and j. If so, host i's traffic is encrypted with that session key and sent to host j. If not, host i sends the dynamic part of its public key P_i to host j, and host j replies with the dynamic part of its public key P_j. The exchange of the dynamic parts of the public keys may be encrypted under the static parts of the public keys, which are obtained from the static databases of hosts i and j. The shared session key is then computed by Diffie-Hellman, for example:
Let P_i = g^(S_i) mod N, where N is a prime or the product of two primes, and let P_j = g^(S_j) mod N. After the public-key exchange, host i's network security device computes η = P_j^(S_i) = g^(S_j S_i) mod N, and host j's network security device computes η = P_i^(S_j) = g^(S_i S_j) mod N. Both hosts i and j thus hold the same η, which can be used as, or used to derive, the shared session key.
Note that this assumes that host i's static database has an entry for host j. If it does not, the static public keys are exchanged before the dynamic public keys, creating an entry for host j in host i's static database. Likewise, if host i's dynamic database has no entry for host j, that entry is created before the dynamic keys are exchanged.
Note that encryption is performed at the IP level, so that both TCP and UDP packets are encrypted.
In short, the network security device of the invention has a number of significant advantages.
Like a firewall, the network security device of the invention is, in a preferred implementation, a combination of hardware and software. Unlike a firewall, however, it is a sealed "box" that cannot be logged into, so it cannot be compromised the way a firewall can. It can therefore be installed at every node of a LAN, providing protection both inside and outside the LAN. Because the device works directly at the IP level, it covers every kind of IP protocol and needs no special configuration for different network applications; the device is thus maintenance-free.
The network security device of the invention detects the IP address of the client host and locks itself to that address; no installation is required. Once locked, the client host is not allowed to change its IP address. The device also keeps a permanent database of secure hosts; if a key-negotiation request arrives that conflicts with the database, the host is refused communication. Together these two features give dual authentication of IP addresses. The security device places a physical barrier between the client and the network, so it cannot be bypassed by talking to the Ethernet directly.
The security device of the invention encrypts all traffic to the network, including the exchange of dynamic public keys.
Brief Description of the Drawings
Fig. 1 is a schematic view of an internet.
Fig. 2 is a schematic view of the structure of a host in the network of Fig. 1.
Figs. 3A and 3B show the format of a packet transmitted in the network of Fig. 1.
Fig. 4 shows a network security device used by a host in the network of Fig. 1 according to an embodiment of the invention.
Fig. 5 shows an entry in the static database kept by the network security device of Fig. 4.
Fig. 6 shows an entry in the dynamic database kept by the network security device of Fig. 4.
Fig. 7 is a flow chart of the key-exchange algorithm used by the network security device of Fig. 4.
Fig. 8 is a flow chart of the ARP-handling algorithm used by the network security device of Fig. 4.
Fig. 9 is a flow chart of the IP-packet-handling algorithm used by the network security device of Fig. 4.
Detailed Description
Fig. 4 is a schematic view of a network security device according to an embodiment of the invention. The security device 10 comprises a first interface 0 connected to a client host 12; specifically, interface 0 is connected by a cable or wire 13 to the network interface of client 12 (e.g. interface 13 of Fig. 2). The security device 10 also comprises a second interface 1 connected to a portion of the network 100. As shown, interface 1 is connected to an Ethernet, so interfaces 0 and 1 are Ethernet interfaces, e.g. SMC Ethernet Ultra interfaces.
A CPU 14 is connected to interfaces 0 and 1; the CPU is, for example, an Intel 486 DX2-66. A static memory 16 (e.g. flash EEPROM) and a dynamic memory 18 (e.g. RAM) are connected to the CPU 14. An optional encryption module 20 performs the encryption and the bulk of the arithmetic; the encryption unit is implemented with programmable logic arrays. Alternatively, the encryption module may be omitted and its functions performed in software by the CPU 14. Interface 0 is placed in promiscuous mode, in which it passes all traffic arriving from the client host 12 over cable 13 to the CPU 14. The network connection is through interface 1, which is set to the same IP address as client 12. The network security device 10 responds to Address Resolution Protocol requests with its own MAC address rather than the client's, which raises the level of security by blocking attempts to bypass the device 10 at the Ethernet level.
The CPU 14 keeps two databases. One is the static database, stored in the flash ROM 16. It holds permanent information about the secure nodes on the network: node IP address, time of entry into the database, and the node's permanent public key. Fig. 5 shows the structure of a node record in this database.
The second is the dynamic database. It holds information about secure and non-secure nodes: node IP address, time of last update, a flag indicating whether the node is secure (i.e. has its own network security device), a flag indicating whether the node is in transit (i.e. in the middle of a key exchange), and a pointer to the shared secret session key with that node. Fig. 6 shows the structure of a node record in this database. The transit flag has three possible values: 0 - not in transit; 1 - awaiting a reply from the remote host; 2 - awaiting computation of the shared key.
The software run by the CPU 14 has three parts: (1) the operating system, (2) the network system and (3) the key computations. The operating system and the network system are both part of a Unix-like kernel; the key computations reside in memory and are invoked by the network system. The operating system is a modified Linux from which all drivers other than those for RAM, disk and the Ethernet interfaces have been removed. The network system handles communication, key exchange, encryption and configuration.
The key-exchange algorithm is illustrated in Fig. 7. Suppose the client host wishes to send a communication to the node with IP = A on the network. When the communication reaches the client host's network security device (Fig. 7, step 60), the dynamic database (DDB) is checked to determine whether it has an entry for node A (step 61). If it does, the device checks whether the shared session key between node A and the protected client has expired (step 62).
If the shared session key has not expired, the packet is encrypted with the session key and an encryption function such as IDEA (step 63). If it has expired, the DDB entry for node IP = A is marked as in unencrypted transit (step 64), indicating that a key exchange is in progress.
The dynamic parts of the public keys of the client host and node IP = A are exchanged as follows. The client host (the source) sends its dynamic public key and its IP address to node IP = A (the destination) (step 65) and waits 5 seconds for a reply (step 66). The host's dynamic public key may be encrypted under the static public key of node IP = A. The reply is the dynamic public key of destination node IP = A, which may be encrypted under the client host's static public key. Steps 65 and 66 are repeated three times. If no reply is received from the destination (step 68), the source network security device marks the destination's DDB entry as transit over (step 67).
If a reply is received, the destination's transit flag in the host network security device's DDB is set to 2 (step 69). The source network security device then computes the shared session key for source and destination, e.g. by the Diffie-Hellman technique described above (step 70), enters the shared session key into its DDB (step 71), and sets the transit flag of that DDB entry to 0 (step 72).
The exchange of dynamic public keys and the computation of the shared session key assume that the source network security device's static database (SDB) and dynamic database both have an entry for destination node IP = A. If these entries do not exist, they may be created before the dynamic public-key exchange (steps 65-69).
If there is no DDB entry for node IP = A (step 61), an entry is created with its transit flag marked as non-secure transit (step 82). It is then checked whether the source network security device's SDB has an entry for node IP = A (step 83). If it does, the dynamic key exchange is carried out (step 65 onwards). If it does not, the source network security device sends its permanent public key to node IP = A (step 84) and waits 5 seconds for a reply (step 85). Steps 84 and 85 may be repeated several times, e.g. three times.
If a reply is received (step 86), an entry is created in the SDB (step 87). If no reply is received, the transit flag of the DDB entry is marked transit over (step 67).
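The Diffie-Hellman computation of η given in the summary and the Fig. 7 state machine (transit flag 1 while awaiting a reply, 2 while computing the key, 0 when done, with three attempts before giving up) are shown together below. This is an added example written for this page; it is not code from the patent or from Digital Secured Networks Technology Inc. Everything not in the text is an assumption: the toy composite modulus N = p·q built from the Mersenne primes 2^61 - 1 and 2^89 - 1, the generator g = 2, SHA-256 as the step that turns η into a session key (the patent only says η is "used as, or used to derive" the key), a pluggable `send` callback standing in for the 5-second wait, and the omission of the static-key wrapping of the dynamic public values.

```python
"""Composite Diffie-Hellman session-key agreement between two network security
devices, modelled on the key-exchange protocol of CN1173256A (Fig. 7).

Added example, not the patent's own code.  Assumed (not in the patent): the toy
modulus N = p*q from two Mersenne primes, g = 2, SHA-256 as the key-derivation
step, an injectable transport callback, and no static-key wrapping of P_i/P_j.
"""
import hashlib
import secrets
from typing import Callable, Dict, Optional, Tuple

P_PRIME = (1 << 61) - 1            # Mersenne prime (assumed toy parameter)
Q_PRIME = (1 << 89) - 1            # Mersenne prime (assumed toy parameter)
N = P_PRIME * Q_PRIME              # composite modulus, as in the CDH problem
G = 2
ATTEMPTS = 3                       # steps 65/66 are repeated three times

# Transit-flag values of a dynamic database (DDB) entry.
NOT_IN_TRANSIT, AWAITING_REPLY, AWAITING_KEY = 0, 1, 2


class DdbEntry:
    def __init__(self, ip: str) -> None:
        self.ip = ip
        self.secure = False
        self.transit = NOT_IN_TRANSIT
        self.session_key: Optional[bytes] = None


class SecurityDevice:
    """One device holding a dynamic secret S_i and dynamic public key P_i = g^S_i mod N."""

    def __init__(self, ip: str) -> None:
        self.ip = ip
        self.dynamic_secret = secrets.randbelow(N - 3) + 2      # S_i in [2, N-2]
        self.ddb: Dict[str, DdbEntry] = {}

    @property
    def dynamic_public(self) -> int:
        return pow(G, self.dynamic_secret, N)                   # P_i

    def _entry(self, peer_ip: str) -> DdbEntry:
        return self.ddb.setdefault(peer_ip, DdbEntry(peer_ip))

    def start_exchange(self, peer_ip: str) -> Tuple[str, int]:
        """Steps 64-65: mark the peer as in transit, emit (own IP, dynamic public key)."""
        self._entry(peer_ip).transit = AWAITING_REPLY
        return self.ip, self.dynamic_public

    def finish_exchange(self, peer_ip: str, peer_public: int) -> bytes:
        """Steps 69-72: flag 2, eta = P_j^S_i mod N, store the derived key, flag 0."""
        entry = self._entry(peer_ip)
        entry.transit = AWAITING_KEY
        if not 1 < peer_public < N - 1:                         # refuse degenerate values
            entry.transit = NOT_IN_TRANSIT
            raise ValueError("degenerate public value from %s" % peer_ip)
        eta = pow(peer_public, self.dynamic_secret, N)
        entry.session_key = hashlib.sha256(eta.to_bytes((N.bit_length() + 7) // 8, "big")).digest()
        entry.secure = True
        entry.transit = NOT_IN_TRANSIT
        return entry.session_key

    def answer_exchange(self, peer_ip: str, peer_public: int) -> Tuple[str, int]:
        """Responder: send P_j back, then compute eta = P_i^S_j mod N locally."""
        reply = (self.ip, self.dynamic_public)
        self.finish_exchange(peer_ip, peer_public)
        return reply

    def abandon_exchange(self, peer_ip: str) -> None:
        """Step 67: no reply after the retries; transit is over and no key exists."""
        self._entry(peer_ip).transit = NOT_IN_TRANSIT


Transport = Callable[[str, int], Optional[Tuple[str, int]]]


def negotiate(initiator: SecurityDevice, peer_ip: str, send: Transport) -> Optional[bytes]:
    """Drive steps 65-72 with up to ATTEMPTS tries; `send` returns the reply or None."""
    for _ in range(ATTEMPTS):
        own_ip, own_public = initiator.start_exchange(peer_ip)
        reply = send(own_ip, own_public)
        if reply is not None:
            _reply_ip, reply_public = reply
            return initiator.finish_exchange(peer_ip, reply_public)
    initiator.abandon_exchange(peer_ip)
    return None


def run_pair(initiator: SecurityDevice, responder: SecurityDevice) -> Tuple[bytes, bytes]:
    """Both sides of one successful exchange; returns (key held by i, key held by j)."""
    key_i = negotiate(initiator, responder.ip, responder.answer_exchange)
    key_j = responder.ddb[initiator.ip].session_key
    return key_i, key_j


if __name__ == "__main__":
    a, b = SecurityDevice("10.0.0.1"), SecurityDevice("10.0.0.2")
    ka, kb = run_pair(a, b)
    print("keys agree:", ka == kb)
    print("unreachable peer:", negotiate(a, "10.0.0.9", lambda ip, pub: None))
```

Exchanged bare, the dynamic values P_i and P_j are unauthenticated and an attacker in the path can run two exchanges, one with each side; the patent's defence is wrapping them under the peer's static public key taken from the static database, which this example leaves out, so anything built on it needs that step or an equivalent authentication of the public values.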
As noted above for the preferred embodiment, the network security device is a sealed box that cannot be logged into. The network security device 10 detects the IP (and/or MAC) address of the client host 12 and locks itself to it. Once the device is locked to that address, the client cannot change its IP (and/or MAC) address as seen by the network security device.
The Address Resolution Protocol (ARP) is the protocol used to resolve an IP address to the matching Ethernet (MAC) address, the MAC address being the actual address to which a network interface responds.
The network security device of the invention uses ARP to configure itself and to hide the client host.
Fig. 8 shows how the network security device of the invention handles an ARP request for IP = B. The request may arrive at interface 0 from the host or at interface 1 from the network (step 100). If the request arrives through interface 0, the network security device determines whether it has already been configured (step 102). If not, it configures itself (step 103); configuration consists of storing the host's IP address and/or MAC address in permanent memory. After configuration, the CPU in the network security device replaces the source MAC address with the MAC address of interface 1 (step 104) and sends the request out through interface 1 (step 105), from where it is transmitted across the network to its destination.
If the host's network security device is already configured (step 102), it determines whether the request is a reply (step 106) by examining the destination MAC field, which is non-zero in a reply. If the request is not a reply, the MAC address is translated as in step 104 and the request is passed to interface 1 (step 105) for transmission into the network. If it is a reply, the device determines whether the source IP address in the request matches the IP address currently held in permanent memory (step 107). If it matches, the request is discarded, because the network security device has already answered the ARP (step 108); if it does not match, the system is shut down (step 109).
If the request arrives at interface 1 from the network (step 111): if it is a reply (step 112), it is passed through to interface 0 (step 113); if it is not a reply, the device answers it with the MAC address of interface 1 (step 114).
Fig. 9 shows the packet-handling algorithm used by the network security device of the invention. A packet arrives carrying source address IP = C (step 200); it may arrive at interface 0 from the host or at interface 1 from the network.
First, suppose the packet arrives at interface 0 from the host. If the packet carries an ICMP (Internet Control Message Protocol) or IGMP (Internet Group Management Protocol) identifier (step 201), it is passed through the interface without encryption, but the source MAC address in the packet is translated to the MAC address of interface 1 (step 202). ICMP and IGMP packets are not addressed to the destination host; they are used for various functions by intermediate entities in the network, such as routers.
If the packet is addressed to a non-secure destination, it is discarded (steps 203, 204). Alternatively, the device may be in a secure/non-secure mode (a configured setting), in which case the packet is passed on unchanged.
Next, it is determined whether the packet holds part of a message that has been fragmented (step 205). If so, the fragments are collected (step 206) and the message is encrypted (step 207) using the shared session key and the encryption function. If the encrypted message is too long for the particular LAN (step 208), it is fragmented (step 209). The encrypted data is then passed to the interface for transmission into the network (step 210).
An encrypted packet carries a signature in the protocol ID field of the IP header, indicating that the packet is encrypted. The IP addresses of the packet are not encrypted, since otherwise the packet could not be routed through the network.
Now suppose the packet arrives at interface 1 from the network. If it is an ICMP or IGMP packet (step 220), no decryption is needed and it is passed to interface 0 (step 221). If it is a key-exchange packet (step 222), it is handled according to the key-exchange protocol (step 223). If the data is not encrypted (step 224), the packet is discarded (step 225); alternatively, the device may be in the secure/non-secure mode (a configured setting), in which case the packet is passed to the client unchanged. If the packet is encrypted but the network security device does not have the key (step 226), the key-exchange protocol is run (step 227) and the packet is discarded (step 228). If the key is available in the network security device's dynamic database, the packet is decrypted (step 229) and passed to interface 0 (step 230).
For packets received from the network, the network security device's MAC address is translated to the client's MAC address; for packets received from the protected client, the client's MAC address is translated to the network security device's MAC address.
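The address lock, the MAC translation in both directions and the ARP handling of Fig. 8 are shown together below, as an added example written for this page; it is not the patent's code. Assumptions not in the text: IPv4 over Ethernet only, sample frames constructed inline with `struct` (not captured traffic), the encryption and fragmentation steps of Fig. 9 left out, and the shutdown of step 109 modelled by raising `SpoofAttempt`. The class and helper names are this example's own.

```python
"""Address lock, MAC translation and ARP handling of the network security device,
following Figs. 8 and 9 of CN1173256A.

Added example, not the patent's own code.  Assumed: IPv4 over Ethernet only,
constructed sample frames, no encryption step, and SpoofAttempt standing in
for the device shutdown of Fig. 8 step 109.
"""
import struct

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, smac, sip, tmac, tip
ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
IP_SRC, IP_DST = ETH.size + 12, ETH.size + 16      # IPv4 source/destination address offsets
ARP_SMAC, ARP_TMAC = ETH.size + 8, ETH.size + 18   # ARP sender/target hardware address offsets


class SpoofAttempt(Exception):
    """The client announced a foreign address; the patent shuts the device down here."""


class AddressLockingDevice:
    """Sits between the protected client (interface 0) and the network (interface 1)."""

    def __init__(self, device_mac: bytes) -> None:
        self.device_mac = device_mac     # MAC of interface 1, the only MAC the network sees
        self.client_mac = None           # written once (step 103), then immutable
        self.client_ip = None

    def _configure(self, mac: bytes, ip: bytes) -> None:
        if self.client_mac is None:      # "permanent memory": the first host frame wins
            self.client_mac, self.client_ip = mac, ip

    # -- interface 0: frames from the protected client ------------------------------
    def from_host(self, frame: bytes):
        """Return the frame to forward on interface 1, or None if it is dropped."""
        _dst, src, etype = ETH.unpack_from(frame)
        if etype == ETHERTYPE_ARP:
            op, smac, sip = ARP.unpack_from(frame, ETH.size)[4:7]
            if self.client_mac is None:                          # steps 102-105
                self._configure(smac, sip)
                return self._to_network(frame, arp=True)
            if op == ARP_REPLY:                                  # step 106
                if sip == self.client_ip:
                    return None                                  # step 108: already answered
                raise SpoofAttempt("client claims IP %s" % sip.hex())   # step 109
            return self._to_network(frame, arp=True)             # steps 104-105
        if etype == ETHERTYPE_IP:
            sip = frame[IP_SRC:IP_DST]
            self._configure(src, sip)
            if src != self.client_mac or sip != self.client_ip:
                return None                                      # address lock: dropped
            return self._to_network(frame)
        return None

    def _to_network(self, frame: bytes, arp: bool = False) -> bytes:
        out = bytearray(frame)
        out[6:12] = self.device_mac                              # client MAC -> device MAC
        if arp:
            out[ARP_SMAC:ARP_SMAC + 6] = self.device_mac         # hide the client in ARP too
        return bytes(out)

    # -- interface 1: frames from the network --------------------------------------
    def from_network(self, frame: bytes):
        """Return (frame for interface 0, frame for interface 1); either may be None."""
        if self.client_mac is None:
            return None, None                                    # not configured yet
        dst, _src, etype = ETH.unpack_from(frame)
        if etype == ETHERTYPE_ARP:
            op, smac, sip, _tmac, tip = ARP.unpack_from(frame, ETH.size)[4:9]
            if op == ARP_REPLY:                                  # steps 112-113
                return self._to_client(frame, arp=True), None
            if tip == self.client_ip:                            # step 114: answer ourselves
                return None, self._arp_reply(smac, sip)
            return None, None
        if etype == ETHERTYPE_IP and dst == self.device_mac:
            return self._to_client(frame), None
        return None, None

    def _to_client(self, frame: bytes, arp: bool = False) -> bytes:
        out = bytearray(frame)
        out[0:6] = self.client_mac                               # device MAC -> client MAC
        if arp:
            out[ARP_TMAC:ARP_TMAC + 6] = self.client_mac
        return bytes(out)

    def _arp_reply(self, asker_mac: bytes, asker_ip: bytes) -> bytes:
        body = ARP.pack(1, ETHERTYPE_IP, 6, 4, ARP_REPLY,
                        self.device_mac, self.client_ip, asker_mac, asker_ip)
        return ETH.pack(asker_mac, self.device_mac, ETHERTYPE_ARP) + body


# -- constructed sample frames (not captured traffic) -----------------------------------
def arp_frame(op: int, smac: bytes, sip: bytes, tmac: bytes, tip: bytes) -> bytes:
    dst = b"\xff" * 6 if op == ARP_REQUEST else tmac
    return ETH.pack(dst, smac, ETHERTYPE_ARP) + ARP.pack(1, ETHERTYPE_IP, 6, 4, op, smac, sip, tmac, tip)


def ip_frame(smac: bytes, dmac: bytes, sip: bytes, dip: bytes, payload: bytes = b"hi") -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0, sip, dip)
    return ETH.pack(dmac, smac, ETHERTYPE_IP) + hdr + payload
```

The lock is only as good as the first frame the device sees: whatever host is plugged into interface 0 at configuration time becomes the locked identity, which is why the patent stores it in permanent memory and why the ARP reply check (step 107) treats a later mismatch as an attack rather than a reconfiguration.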
In short, a unique network security device has been disclosed. Finally, it should be noted that the embodiments described above are illustrative only; those skilled in the art may devise numerous alternative embodiments without departing from the scope of the following claims.

Claims (27)

1. A network security device for protecting at least one particular node communicating over a network, characterized in that it comprises:
(a) a first network interface connected to the at least one particular node,
(b) a second network interface connected to the network,
(c) processing circuitry connected to said first and second interfaces, said processing circuitry
(1) translating the MAC address of said at least one particular node contained in packets received at said first interface from said at least one particular node into the MAC address of said network security device before said second interface transmits said packets to said network, and
(2) translating the MAC address of said network security device contained in packets received from said network into said MAC address of said at least one particular node.
2. The network security device of claim 1, characterized in that said first and second network interfaces are Ethernet interfaces.
3. The network security device of claim 1, characterized in that said processing circuitry encrypts the user data contained in said packets received from said at least one particular node while leaving the IP addresses contained in said packets received from said at least one particular node unencrypted.
4. The network security device of claim 3, characterized in that said processing circuitry encrypts a TCP packet, including its TCP header, contained in said packets received from said at least one particular node.
5. The network security device of claim 3, characterized in that said processing circuitry encrypts a UDP packet, including its UDP header, contained in said packets received from said at least one particular node.
6. The network security device of claim 3, characterized in that said processing circuitry encrypts said user data using a session key and an encryption function.
7. The network security device of claim 1, characterized in that said network security device maintains a first database containing information indicating the IP addresses and permanent public keys of one or more nodes in said network.
8. The network security device of claim 7, characterized in that said network security device maintains a second database containing information indicating the IP addresses of one or more nodes in said network and the session keys shared with said at least one particular node.
9. The network security device of claim 8, characterized in that one or more of the nodes in said second (dynamic) database are non-secure nodes.
10. A network security device for protecting at least one particular node communicating over a network, characterized in that it comprises:
a first network interface connected to the at least one particular node,
a second network interface connected to the network, and
processing circuitry connected to said first and second interfaces, said processing circuitry encrypting the user data contained in packets received at said first interface from said at least one particular node, while leaving the IP addresses of said packets unencrypted, before said second interface transmits said packets to said network.
11. The network security device of claim 10, characterized in that said user data is a TCP packet.
12. The network security device of claim 10, characterized in that said user data is UDP data.
13. The network security device of claim 10, characterized in that said processing circuitry translates the MAC address of said at least one particular node contained in said packets into the MAC address of said network security device.
14. A method of transmitting a packet from a first node into a network, comprising the steps of:
(1) generating a packet containing the MAC address of said first node, the IP address of a destination and user data,
(2) in a network security device connected between said first node and said network, translating said MAC address of said first node into the MAC address of said network security device, and
(3) transmitting said packet to said network.
15. The method of claim 14, characterized in that it further comprises the step of encrypting said user data in said network security device while leaving said IP address unencrypted.
16. The method of claim 14, characterized in that said user data comprises a TCP packet.
17. The method of claim 14, characterized in that said user data comprises a UDP packet.
18. The method of claim 14, characterized in that said encrypting step comprises the step of negotiating a session key shared by said first node and a second node in said network.
19. The method of claim 18, characterized in that said step of negotiating a shared session key comprises the steps of:
(1) at said network security device, encrypting a dynamic public key of said first node with a static public key of said second node and transmitting said dynamic public key of said first node to said second node,
(2) receiving from said second node a dynamic public key of said second node encrypted with a static public key of said first node, and decrypting said dynamic public key of said second node in said network security device with a static secret key of said first node, and
(3) at said network security device, generating said shared session key from a dynamic secret key of said first node and said dynamic public key of said second node.
20. The method of claim 19, characterized in that said first node maintains a static database containing information indicating the static public keys of other nodes in said network, from which said network security device obtains said static public key of said second node.
21. The method of claim 20, characterized in that said network security device maintains a dynamic database including an indicator of said shared session key.
22. A method of transmitting a packet from a node into a network, characterized in that it comprises the steps of:
(1) generating a packet containing the MAC address of said node, the IP address of a destination and user data,
(2) in a network security device connected between said node and said network, encrypting said user data without encrypting said IP address, and
(3) transmitting said packet into said network.
23. In combination:
a node in a network, and
a security device connected between said node and said network,
said security device preventing said node from changing its IP address, so that said node cannot impersonate another node in said network.
24. The combination of claim 23, characterized in that said security device stores said IP address in permanent memory and blocks packets received from said node bearing an IP address different from said stored IP address from entering said network.
25. The combination of claim 23, characterized in that said security device comprises a first network interface connected to said node, a second network interface connected to said network, and processing circuitry connected to said first and second interfaces for encrypting user data without encrypting IP addresses.
26. A method of preventing a node in a network from impersonating another node in said network, characterized in that the method comprises the steps of:
(1) permanently storing a characteristic address of said node in the memory of a network security device connected between said node and said network, and
(2) using said network security device to block packets received at said network security device from said node with a source address different from the permanently stored address from entering said network.
27. The method of claim 26, characterized in that said characteristic address is an IP address or a MAC address.
CN96191481A, priority 1995-09-18, filed 1996-09-06: Network security device (Pending, CN1173256A, zh)

Applications Claiming Priority (2)

US08/529,497 (US5757924A), priority 1995-09-18, filed 1995-09-18: Network security device which performs MAC address translation without affecting the IP address
US08/529,497, priority 1995-09-18

Publications (1)

CN1173256A (zh), published 1998-02-11

Family

ID=24110154

Family Applications (1)

CN96191481A (CN1173256A, zh, pending), priority 1995-09-18, filed 1996-09-06: Network security device

Country Status (8)

Country Link
US (2) US5757924A (zh)
EP (1) EP0872074A1 (zh)
CN (1) CN1173256A (zh)
AU (1) AU725712B2 (zh)
CA (1) CA2211301C (zh)
IL (1) IL121416A (zh)
SG (2) SG96185A1 (zh)
WO (1) WO1997013340A1 (zh)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1326347C (zh) * 2002-12-30 2007-07-11 Chengdu 30 Shengan Information Systems Co., Ltd. (成都三零盛安信息系统有限公司) A technical method for implementing multi-level secure access control in a network environment
CN100364291C (zh) * 2003-06-25 2008-01-23 Alcatel Architecture for a bridged Ethernet residential access network
CN100463429C (zh) * 2004-04-19 2009-02-18 Xi'an Jiaotong University Method for preventing IP address spoofing based on address rewriting
CN102739506A (zh) * 2011-04-13 2012-10-17 李小林 (Li Xiaolin) Method for transparent transmission of VPN communication
WO2014114232A1 (zh) * 2013-01-22 2014-07-31 Yokogawa Electric Corporation Isolation protection system and method for performing bidirectional packet filtering inspection
CN104106251A (zh) * 2012-02-09 2014-10-15 Harris Corporation Dynamic computer network with variable identity parameters
US9130907B2 (en) 2012-05-01 2015-09-08 Harris Corporation Switch for communicating data in a dynamic computer network
US9154458B2 (en) 2012-05-01 2015-10-06 Harris Corporation Systems and methods for implementing moving target technology in legacy hardware
US9264496B2 (en) 2013-11-18 2016-02-16 Harris Corporation Session hopping
US9338183B2 (en) 2013-11-18 2016-05-10 Harris Corporation Session hopping
CN106083589A (zh) * 2016-06-14 2016-11-09 Changzhou University Catalytic synthesis method for higher β-ketoesters
US9503324B2 (en) 2013-11-05 2016-11-22 Harris Corporation Systems and methods for enterprise mission management of a computer network
CN106357690A (zh) * 2016-11-08 2017-01-25 Zhejiang Supcon Technology Co., Ltd. (浙江中控技术股份有限公司) Data transmission method, data sending device and data receiving device
CN108471408A (zh) * 2018-03-13 2018-08-31 Guangzhou Binghai Network Technology Co., Ltd. (广州市冰海网络技术有限公司) A network security encryption device
US10122708B2 (en) 2013-11-21 2018-11-06 Harris Corporation Systems and methods for deployment of mission plans using access control technologies
CN109194676A (zh) * 2018-09-21 2019-01-11 Wuxi Runmeng Software Co., Ltd. (无锡润盟软件有限公司) Data stream encryption method and data stream decryption method

Families Citing this family (194)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7702540B1 (en) * 1995-04-26 2010-04-20 Ebay Inc. Computer-implement method and system for conducting auctions on the internet
US7937312B1 (en) 1995-04-26 2011-05-03 Ebay Inc. Facilitating electronic commerce transactions through binding offers
US5793763A (en) * 1995-11-03 1998-08-11 Cisco Technology, Inc. Security system for network address translation systems
US7113508B1 (en) * 1995-11-03 2006-09-26 Cisco Technology, Inc. Security system for network address translation systems
US5918018A (en) * 1996-02-09 1999-06-29 Secure Computing Corporation System and method for achieving network separation
US5867647A (en) * 1996-02-09 1999-02-02 Secure Computing Corporation System and method for securing compiled program code
US5913024A (en) * 1996-02-09 1999-06-15 Secure Computing Corporation Secure server utilizing separate protocol stacks
US7130888B1 (en) * 1996-02-16 2006-10-31 G&H Nevada-Tek Method and apparatus for controlling a computer over a TCP/IP protocol network
FR2745967B1 (fr) * 1996-03-07 1998-04-17 Bull Cp8 Method for securing access from a station to at least one server, and device implementing the method
US5983090A (en) * 1996-04-02 1999-11-09 Kabushiki Kaisha Toshiba Mobile communication system with access function to computer network
US6003084A (en) * 1996-09-13 1999-12-14 Secure Computing Corporation Secure network proxy for connecting entities
US5983350A (en) * 1996-09-18 1999-11-09 Secure Computing Corporation Secure firewall supporting different levels of authentication based on address or encryption status
GB2317792B (en) * 1996-09-18 2001-03-28 Secure Computing Corp Virtual private network on application gateway
US6072942A (en) * 1996-09-18 2000-06-06 Secure Computing Corporation System and method of electronic mail filtering using interconnected nodes
US5950195A (en) * 1996-09-18 1999-09-07 Secure Computing Corporation Generalized security policy management system and method
US6130889A (en) * 1996-10-02 2000-10-10 International Business Machines Corporation Determining and maintaining hop-count for switched networks
US6005943A (en) * 1996-10-29 1999-12-21 Lucent Technologies Inc. Electronic identifiers for network terminal devices
GB9622535D0 (en) * 1996-10-30 1997-01-08 3Com Ireland Search apparatus
US5915087A (en) * 1996-12-12 1999-06-22 Secure Computing Corporation Transparent security proxy for unreliable message exchange protocols
EP0951767A2 (en) 1997-01-03 1999-10-27 Fortress Technologies, Inc. Improved network security device
US5968133A (en) * 1997-01-10 1999-10-19 Secure Computing Corporation Enhanced security network time synchronization device and method
IL131553A0 (en) * 1997-03-06 2001-01-28 Software And Systems Engineeri System and method for gaining access to information in a distributed computer system
US6263444B1 (en) * 1997-03-11 2001-07-17 National Aerospace Laboratory Of Science & Technology Agency Network unauthorized access analysis method, network unauthorized access analysis apparatus utilizing the method, and computer-readable recording medium having network unauthorized access analysis program recorded thereon
ES2290986T3 (es) * 1997-03-12 2008-02-16 Nomadix, Inc. Nomadic transmitter or router
US6477648B1 (en) * 1997-03-23 2002-11-05 Novell, Inc. Trusted workstation in a networked client/server computing system
US7136359B1 (en) * 1997-07-31 2006-11-14 Cisco Technology, Inc. Method and apparatus for transparently proxying a connection
US6473406B1 (en) * 1997-07-31 2002-10-29 Cisco Technology, Inc. Method and apparatus for transparently proxying a connection
US6307837B1 (en) * 1997-08-12 2001-10-23 Nippon Telegraph And Telephone Corporation Method and base station for packet transfer
US6591291B1 (en) * 1997-08-28 2003-07-08 Lucent Technologies Inc. System and method for providing anonymous remailing and filtering of electronic mail
JPH11112561A (ja) * 1997-09-30 1999-04-23 Sony Corp Communication method and communication device
US6158008A (en) * 1997-10-23 2000-12-05 At&T Wireless Svcs. Inc. Method and apparatus for updating address lists for a packet filter processor
US6343289B1 (en) * 1997-10-31 2002-01-29 Nortel Networks Limited Efficient search and organization of a forwarding database or the like
KR100246608B1 (ko) * 1997-11-13 2000-03-15 이계철 Alternative authentication and alternative billing method for a web infoshop service system
SE513828C2 (sv) * 1998-07-02 2000-11-13 Effnet Group Ab Firewall apparatus and method for controlling network data packet traffic between internal and external networks
US6357010B1 (en) 1998-02-17 2002-03-12 Secure Computing Corporation System and method for controlling access to documents stored on an internal network
US6006272A (en) * 1998-02-23 1999-12-21 Lucent Technologies Inc. Method for network address translation
US6321336B1 (en) 1998-03-13 2001-11-20 Secure Computing Corporation System and method for redirecting network traffic to provide secure communication
US6182226B1 (en) 1998-03-18 2001-01-30 Secure Computing Corporation System and method for controlling interactions between networks
US6453419B1 (en) 1998-03-18 2002-09-17 Secure Computing Corporation System and method for implementing a security policy
US6738814B1 (en) * 1998-03-18 2004-05-18 Cisco Technology, Inc. Method for blocking denial of service and address spoofing attacks on a private network
US6681327B1 (en) * 1998-04-02 2004-01-20 Intel Corporation Method and system for managing secure client-server transactions
US6154839A (en) * 1998-04-23 2000-11-28 Vpnet Technologies, Inc. Translating packet addresses based upon a user identifier
US6711127B1 (en) * 1998-07-31 2004-03-23 General Dynamics Government Systems Corporation System for intrusion detection and vulnerability analysis in a telecommunications signaling network
US6618398B1 (en) * 1998-08-06 2003-09-09 Nortel Networks Limited Address resolution for internet protocol sub-networks in asymmetric wireless networks
US6317837B1 (en) * 1998-09-01 2001-11-13 Applianceware, Llc Internal network node with dedicated firewall
US6233626B1 (en) * 1998-10-06 2001-05-15 Schneider Automation Inc. System for a modular terminal input/output interface for communicating messaging application layer over encoded ethernet to transport layer
US10511573B2 (en) 1998-10-30 2019-12-17 Virnetx, Inc. Agile network protocol for secure communications using secure domain names
FI106417B (fi) 1998-12-08 2001-01-31 Nokia Mobile Phones Ltd Method for optimizing data transmission
US8266266B2 (en) 1998-12-08 2012-09-11 Nomadix, Inc. Systems and methods for providing dynamic network authorization, authentication and accounting
US8713641B1 (en) 1998-12-08 2014-04-29 Nomadix, Inc. Systems and methods for authorizing, authenticating and accounting users having transparent computer access to a network using a gateway device
US7194554B1 (en) 1998-12-08 2007-03-20 Nomadix, Inc. Systems and methods for providing dynamic network authorization authentication and accounting
US6954775B1 (en) 1999-01-15 2005-10-11 Cisco Technology, Inc. Parallel intrusion detection sensors with load balancing for high speed networks
US7062550B1 (en) * 1999-01-20 2006-06-13 Bindview Corporation Software-implemented method for identifying nodes on a network
US7107614B1 (en) 1999-01-29 2006-09-12 International Business Machines Corporation System and method for network address translation integration with IP security
US6738377B1 (en) 1999-01-29 2004-05-18 International Business Machines Corporation System and method for dynamic micro placement of IP connection filters
US6615357B1 (en) * 1999-01-29 2003-09-02 International Business Machines Corporation System and method for network address translation integration with IP security
US8060926B1 (en) 1999-03-16 2011-11-15 Novell, Inc. Techniques for securely managing and accelerating data delivery
US7904951B1 (en) 1999-03-16 2011-03-08 Novell, Inc. Techniques for securely accelerating external domains locally
US6081900A (en) * 1999-03-16 2000-06-27 Novell, Inc. Secure intranet access
DE19914326A1 (de) * 1999-03-30 2000-10-05 Delphi 2 Creative Tech Gmbh Method for using fractal semantic networks for all kinds of database applications
US6591306B1 (en) 1999-04-01 2003-07-08 Nec Corporation IP network access for portable devices
US6947394B1 (en) * 1999-04-09 2005-09-20 Telefonaktiebolaget Lm Ericsson (Publ) Flexible radio link control protocol
US6393484B1 (en) 1999-04-12 2002-05-21 International Business Machines Corp. System and method for controlled access to shared-medium public and semi-public internet protocol (IP) networks
DE19917592A1 (de) 1999-04-19 2000-10-26 Delphi 2 Creative Tech Gmbh Situation-dependent operating semantic network of n-th order
US6754214B1 (en) * 1999-07-19 2004-06-22 Dunti, Llc Communication network having packetized security codes and a system for detecting security breach locations within the network
US7778259B1 (en) 1999-05-14 2010-08-17 Dunti Llc Network packet transmission mechanism
US6957346B1 (en) 1999-06-15 2005-10-18 Ssh Communications Security Ltd. Method and arrangement for providing security through network address translations using tunneling and compensations
US7177952B1 (en) * 1999-10-01 2007-02-13 Nortel Networks Limited Method and system for switching between two network access technologies without interrupting active network applications
US6442696B1 (en) 1999-10-05 2002-08-27 Authoriszor, Inc. System and method for extensible positive client identification
WO2001031885A2 (en) 1999-10-22 2001-05-03 Nomadix, Inc. Gateway device having an xml interface and associated method
US6684253B1 (en) 1999-11-18 2004-01-27 Wachovia Bank, N.A., As Administrative Agent Secure segregation of data of two or more domains or trust realms transmitted through a common data channel
US6771649B1 (en) * 1999-12-06 2004-08-03 At&T Corp. Middle approach to asynchronous and backward-compatible detection and prevention of ARP cache poisoning
GB2357166B (en) * 1999-12-07 2001-10-31 Marconi Comm Ltd Memory access system
DE19960372A1 (de) * 1999-12-14 2001-06-21 Definiens Ag Method for processing data structures
US7079495B1 (en) 2000-01-04 2006-07-18 Cisco Technology, Inc. System and method for enabling multicast telecommunications
US7006494B1 (en) * 2000-01-04 2006-02-28 Cisco Technology, Inc. System and method for a virtual telephony intermediary
US6804254B1 (en) 2000-01-04 2004-10-12 Cisco Technology, Inc. System and method for maintaining a communication link
US7069432B1 (en) * 2000-01-04 2006-06-27 Cisco Technology, Inc. System and method for providing security in a telecommunication network
US7324948B2 (en) * 2000-01-14 2008-01-29 Carl Teo Balbach Context-specific contact information
KR100348612B1 (ko) * 2000-02-01 2002-08-13 LG Electronics Inc. Method for generating a user encryption key for digital content protection
US7814309B1 (en) * 2000-02-29 2010-10-12 Cisco Technology, Inc. Method for checkpointing and reconstructing separated but interrelated data
US6865673B1 (en) * 2000-03-21 2005-03-08 3Com Corporation Method for secure installation of device in packet based communication network
AU2001257306A1 (en) * 2000-04-27 2001-11-07 Fortress Technologies, Inc. A method and apparatus for integrating tunneling protocols with standard routing protocols
US7480939B1 (en) * 2000-04-28 2009-01-20 3Com Corporation Enhancement to authentication protocol that uses a key lease
US6895502B1 (en) 2000-06-08 2005-05-17 Curriculum Corporation Method and system for securely displaying and confirming request to perform operation on host computer
US7757272B1 (en) * 2000-06-14 2010-07-13 Verizon Corporate Services Group, Inc. Method and apparatus for dynamic mapping
US8037530B1 (en) 2000-08-28 2011-10-11 Verizon Corporate Services Group Inc. Method and apparatus for providing adaptive self-synchronized dynamic address translation as an intrusion detection sensor
US7043633B1 (en) * 2000-08-28 2006-05-09 Verizon Corporation Services Group Inc. Method and apparatus for providing adaptive self-synchronized dynamic address translation
US6870841B1 (en) * 2000-09-18 2005-03-22 At&T Corp. Controlled transmission across packet network
US20020083344A1 (en) * 2000-12-21 2002-06-27 Vairavan Kannan P. Integrated intelligent inter/intra networking device
US20030084020A1 (en) * 2000-12-22 2003-05-01 Li Shu Distributed fault tolerant and secure storage
US6877042B2 (en) * 2001-01-02 2005-04-05 Dell Products L.P. System and method for generating world wide names
US7076538B2 (en) * 2001-01-12 2006-07-11 Lenovo (Singapore) Pte. Ltd. Method and system for disguising a computer system's identity on a network
US20020116644A1 (en) * 2001-01-30 2002-08-22 Galea Secured Networks Inc. Adapter card for wirespeed security treatment of communications traffic
EP1368726A4 (en) * 2001-02-06 2005-04-06 En Garde Systems Apparatus and method for providing secure network communication
US7739497B1 (en) * 2001-03-21 2010-06-15 Verizon Corporate Services Group Inc. Method and apparatus for anonymous IP datagram exchange using dynamic network address translation
US7174368B2 (en) * 2001-03-27 2007-02-06 Xante Corporation Encrypted e-mail reader and responder system, method, and computer program product
US7007169B2 (en) * 2001-04-04 2006-02-28 International Business Machines Corporation Method and apparatus for protecting a web server against vandals attacks without restricting legitimate access
US6920556B2 (en) * 2001-07-20 2005-07-19 International Business Machines Corporation Methods, systems and computer program products for multi-packet message authentication for secured SSL-based communication sessions
US7134012B2 (en) * 2001-08-15 2006-11-07 International Business Machines Corporation Methods, systems and computer program products for detecting a spoofed source address in IP datagrams
US7020784B2 (en) * 2001-08-20 2006-03-28 Yitran Communications Ltd. Mechanism for detecting intrusion and jamming attempts in a shared media based communications network
US20030046583A1 (en) * 2001-08-30 2003-03-06 Honeywell International Inc. Automated configuration of security software suites
US20030065941A1 (en) * 2001-09-05 2003-04-03 Ballard Clinton L. Message handling with format translation and key management
US7032244B2 (en) * 2001-10-02 2006-04-18 International Business Machines Corporation Identifying potential intruders on a server
US7171493B2 (en) * 2001-12-19 2007-01-30 The Charles Stark Draper Laboratory Camouflage of network traffic to resist attack
US7096490B2 (en) * 2002-03-20 2006-08-22 Actiontec Electronics, Inc. Information routing device having an auto-configuration feature
US7712130B2 (en) * 2002-03-22 2010-05-04 Masking Networks, Inc. Multiconfigurable device masking shunt and method of use
US7941559B2 (en) * 2002-04-23 2011-05-10 Tellabs Bedford, Inc. Media access control address translation for a fiber to the home system
US7191331B2 (en) * 2002-06-13 2007-03-13 Nvidia Corporation Detection of support for security protocol and address translation integration
US7346057B2 (en) * 2002-07-31 2008-03-18 Cisco Technology, Inc. Method and apparatus for inter-layer binding inspection to prevent spoofing
US7143435B1 (en) * 2002-07-31 2006-11-28 Cisco Technology, Inc. Method and apparatus for registering auto-configured network addresses based on connection authentication
AU2012202410B2 (en) * 2002-07-31 2014-09-18 Cisco Technology, Inc. Method and apparatus for inspecting inter-layer address binding protocols
US20040064725A1 (en) * 2002-09-18 2004-04-01 Microsoft Corporation Method and system for detecting a communication problem in a computer network
US8819285B1 (en) * 2002-10-01 2014-08-26 Trustwave Holdings, Inc. System and method for managing network communications
US7506360B1 (en) * 2002-10-01 2009-03-17 Mirage Networks, Inc. Tracking communication for determining device states
US7469418B1 (en) 2002-10-01 2008-12-23 Mirage Networks, Inc. Deterring network incursion
US7801361B2 (en) * 2002-10-15 2010-09-21 Definiens Ag Analyzing pixel data using image, thematic and object layers of a computer-implemented network structure
US8239942B2 (en) 2002-12-30 2012-08-07 Cisco Technology, Inc. Parallel intrusion detection sensors with load balancing for high speed networks
US7570648B2 (en) * 2003-02-03 2009-08-04 At&T Intellectual Property I, L.P. Enhanced H-VPLS service architecture using control word
DE10305413B4 (de) * 2003-02-06 2006-04-20 Innominate Security Technologies Ag Method and arrangement for transparent switching of data traffic between data processing devices, and a corresponding computer program and a corresponding computer-readable storage medium
KR100512954B1 (ko) * 2003-03-12 2005-09-07 Samsung Electronics Co., Ltd. RR method for secure communication
US20040184407A1 (en) * 2003-03-21 2004-09-23 Sbc Knowledge Ventures, L.P. Operations, administration, and maintenance data packet and related testing methods
US7643424B2 (en) 2003-03-22 2010-01-05 At&T Intellectual Property I, L.P. Ethernet architecture with data packet encapsulation
NZ543148A (en) * 2003-03-24 2006-12-22 Re Src Ltd Multiconfigurable device masking shunt and method of use
US7516487B1 (en) 2003-05-21 2009-04-07 Foundry Networks, Inc. System and method for source IP anti-spoofing security
US7523485B1 (en) 2003-05-21 2009-04-21 Foundry Networks, Inc. System and method for source IP anti-spoofing security
US20040255154A1 (en) * 2003-06-11 2004-12-16 Foundry Networks, Inc. Multiple tiered network security system, method and apparatus
US20050022017A1 (en) 2003-06-24 2005-01-27 Maufer Thomas A. Data structures and state tracking for network protocol processing
US7876772B2 (en) * 2003-08-01 2011-01-25 Foundry Networks, Llc System, method and apparatus for providing multiple access modes in a data communications network
JPWO2005015419A1 (ja) * 2003-08-12 2006-10-05 Sony Corporation Communication processing device, communication control method, and computer program
JP4174392B2 (ja) * 2003-08-28 2008-10-29 NEC Corporation System for preventing unauthorized connection to a network, and device for preventing unauthorized connection to a network
US7735114B2 (en) * 2003-09-04 2010-06-08 Foundry Networks, Inc. Multiple tiered network security system, method and apparatus using dynamic user policy assignment
US7626948B1 (en) 2003-09-12 2009-12-01 Cisco Technology, Inc. System and method for verifying the validity of a path in a network environment
US7774833B1 (en) 2003-09-23 2010-08-10 Foundry Networks, Inc. System and method for protecting CPU against remote access attacks
US7643484B2 (en) * 2003-09-26 2010-01-05 Surgient, Inc. Network abstraction and isolation layer rules-based federation and masquerading
US7769004B2 (en) * 2003-09-26 2010-08-03 Surgient, Inc. Network abstraction and isolation layer for masquerading machine identity of a computer
US8528071B1 (en) 2003-12-05 2013-09-03 Foundry Networks, Llc System and method for flexible authentication in a data communications network
US8065720B1 (en) 2004-01-06 2011-11-22 Novell, Inc. Techniques for managing secure communications
US7298707B2 (en) * 2004-01-21 2007-11-20 Cisco Technology, Inc. System and method for controlling the flooding of information in a network environment
US7877595B2 (en) * 2004-03-23 2011-01-25 Harris Corporation Modular cryptographic device and related methods
US20050213762A1 (en) * 2004-03-23 2005-09-29 Harris Corporation Modular cryptographic device and coupling therefor and related methods
US7711963B2 (en) * 2004-03-23 2010-05-04 Harris Corporation Modular cryptographic device providing enhanced interface protocol features and related methods
US9003199B2 (en) * 2004-03-23 2015-04-07 Harris Corporation Modular cryptographic device providing multi-mode wireless LAN operation features and related methods
US7657755B2 (en) * 2004-03-23 2010-02-02 Harris Corporation Modular cryptographic device providing status determining features and related methods
US7644289B2 (en) * 2004-03-23 2010-01-05 Harris Corporation Modular cryptographic device providing enhanced communication control features and related methods
US20050235363A1 (en) * 2004-04-06 2005-10-20 Fortress Technologies, Inc. Network, device, and/or user authentication in a secure communication network
US8554889B2 (en) * 2004-04-21 2013-10-08 Microsoft Corporation Method, system and apparatus for managing computer identity
US7971053B2 (en) * 2004-05-26 2011-06-28 At&T Intellectual Property I, L. P. Methods, systems, and products for intrusion detection
US8458453B1 (en) 2004-06-11 2013-06-04 Dunti Llc Method and apparatus for securing communication over public network
US7457244B1 (en) 2004-06-24 2008-11-25 Cisco Technology, Inc. System and method for generating a traffic matrix in a network environment
US7391730B1 (en) 2004-07-21 2008-06-24 Cisco Technology System and method for synchronizing link state databases in a network environment
US8234686B2 (en) * 2004-08-25 2012-07-31 Harris Corporation System and method for creating a security application for programmable cryptography module
WO2006039771A1 (en) * 2004-10-12 2006-04-20 Bce Inc. System and method for access control
US7760720B2 (en) * 2004-11-09 2010-07-20 Cisco Technology, Inc. Translating native medium access control (MAC) addresses to hierarchical MAC addresses and their use
US7742581B2 (en) 2004-11-24 2010-06-22 Value-Added Communications, Inc. Electronic messaging exchange
US9876915B2 (en) 2005-01-28 2018-01-23 Value-Added Communications, Inc. Message exchange
US9282188B2 (en) 2005-01-28 2016-03-08 Value-Added Communications, Inc. Voice message exchange
US7996894B1 (en) 2005-02-15 2011-08-09 Sonicwall, Inc. MAC address modification of otherwise locally bridged client devices to provide security
US20060250966A1 (en) * 2005-05-03 2006-11-09 Yuan-Chi Su Method for local area network security
US20060280138A1 (en) * 2005-06-13 2006-12-14 Nvidia Corporation Wireless access point repeater
US20070201490A1 (en) * 2005-07-13 2007-08-30 Mahamuni Atul B System and method for implementing ethernet MAC address translation
KR100736047B1 (ko) * 2005-07-28 2007-07-06 Samsung Electronics Co., Ltd. Wireless network device and authentication method using the same
US7966654B2 (en) 2005-11-22 2011-06-21 Fortinet, Inc. Computerized system and method for policy-based content filtering
US8468589B2 (en) 2006-01-13 2013-06-18 Fortinet, Inc. Computerized system and method for advanced network content processing
US7831996B2 (en) * 2005-12-28 2010-11-09 Foundry Networks, Llc Authentication techniques
US7832009B2 (en) * 2005-12-28 2010-11-09 Foundry Networks, Llc Techniques for preventing attacks on computer systems and networks
US8510812B2 (en) 2006-03-15 2013-08-13 Fortinet, Inc. Computerized system and method for deployment of management tunnels
US8078728B1 (en) 2006-03-31 2011-12-13 Quest Software, Inc. Capacity pooling for application reservation and delivery
US9166883B2 (en) 2006-04-05 2015-10-20 Joseph Robert Marchese Network device detection, identification, and management
US8086873B2 (en) * 2006-06-05 2011-12-27 Lenovo (Singapore) Pte. Ltd. Method for controlling file access on computer systems
US7917747B2 (en) * 2007-03-22 2011-03-29 Igt Multi-party encryption systems and methods
US8194674B1 (en) 2007-12-20 2012-06-05 Quest Software, Inc. System and method for aggregating communications and for translating between overlapping internal network addresses and unique external network addresses
US8683572B1 (en) 2008-01-24 2014-03-25 Dunti Llc Method and apparatus for providing continuous user verification in a packet-based network
US8953601B2 (en) * 2008-05-13 2015-02-10 Futurewei Technologies, Inc. Internet protocol version six (IPv6) addressing and packet filtering in broadband networks
EP2134029A1 (en) * 2008-06-09 2009-12-16 THOMSON Licensing Network device and method for obtaining terminal multicast status
US9621714B2 (en) 2009-01-27 2017-04-11 Value-Added Communications, Inc. System and method for electronic notification in institutional communication
US8934625B2 (en) 2009-03-25 2015-01-13 Pacid Technologies, Llc Method and system for securing communication
US20110307707A1 (en) 2009-03-25 2011-12-15 Pacid Technologies, Llc Method and system for securing a file
TW201105083A (en) 2009-03-25 2011-02-01 Pacid Technologies Llc Token for securing communication
WO2010111448A1 (en) 2009-03-25 2010-09-30 Pacid Technologies, Llc Method and system for securing communication
US8726032B2 (en) 2009-03-25 2014-05-13 Pacid Technologies, Llc System and method for protecting secrets file
US9325802B2 (en) * 2009-07-16 2016-04-26 Microsoft Technology Licensing, Llc Hierarchical scale unit values for storing instances of data among nodes of a distributed store
US8640221B2 (en) * 2009-12-11 2014-01-28 Juniper Networks, Inc. Media access control address translation in virtualized environments
JP5727258B2 (ja) * 2011-02-25 2015-06-03 WingArc1st Inc. Distributed database system
US8479021B2 (en) 2011-09-29 2013-07-02 Pacid Technologies, Llc Secure island computing system and method
US8605895B2 (en) * 2011-12-13 2013-12-10 International Business Machines Corporation Computing the eth root of a number using a variant of the RSA algorithm (for even e's)
US8826388B2 (en) 2012-02-16 2014-09-02 Sonicwall, Inc. Mobile device identify factor for access control policies
US10091201B2 (en) 2012-02-16 2018-10-02 Sonicwall Inc. Mobile device identify factor for access control policies
US9172721B2 (en) 2013-07-16 2015-10-27 Fortinet, Inc. Scalable inline behavioral DDOS attack mitigation
EP3022652A2 (en) 2013-07-19 2016-05-25 eyeQ Insights System for monitoring and analyzing behavior and uses thereof
CN104581715B (zh) * 2014-11-22 2018-06-26 Hangzhou Mushao Technology Co., Ltd. Key protection method for sensing systems in the Internet of Things field, and wireless access device
US20180234535A1 (en) * 2017-02-10 2018-08-16 Mediatek Inc. Method and apparatus for communication
US10749827B2 (en) 2017-05-11 2020-08-18 Global Tel*Link Corporation System and method for inmate notification and training in a controlled environment facility
US11122054B2 (en) 2019-08-27 2021-09-14 Bank Of America Corporation Security tool

Family Cites Families (80)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4182933A (en) * 1969-02-14 1980-01-08 The United States Of America As Represented By The Secretary Of The Army Secure communication system with remote key setting
US3816666A (en) * 1972-10-02 1974-06-11 Communications Satellite Corp System for changing the burst format in a tdma communication system
US4185166A (en) * 1975-04-14 1980-01-22 Datotek, Inc. Multi-mode digital enciphering system
US4160120A (en) * 1977-11-17 1979-07-03 Burroughs Corporation Link encryption device
US4159468A (en) * 1977-11-17 1979-06-26 Burroughs Corporation Communications line authentication device
US4238854A (en) * 1977-12-05 1980-12-09 International Business Machines Corporation Cryptographic file security for single domain networks
US4203166A (en) * 1977-12-05 1980-05-13 International Business Machines Corporation Cryptographic file security for multiple domain networks
US4227253A (en) * 1977-12-05 1980-10-07 International Business Machines Corporation Cryptographic communication security for multiple domain networks
US4249180A (en) * 1978-09-20 1981-02-03 Northern Telecom Limited Past dependent microcomputer cipher apparatus
GB2140656A (en) * 1983-05-13 1984-11-28 Philips Electronic Associated Television transmission system
US4633391A (en) * 1983-10-21 1986-12-30 Storage Technology Partners Ii Extended index for digital information storage and retrieval device
US4621321A (en) * 1984-02-16 1986-11-04 Honeywell Inc. Secure data processing system architecture
US4829569A (en) * 1984-09-21 1989-05-09 Scientific-Atlanta, Inc. Communication of individual messages to subscribers in a subscription television system
US4757536A (en) * 1984-10-17 1988-07-12 General Electric Company Method and apparatus for transceiving cryptographically encoded digital data
US4799153A (en) * 1984-12-14 1989-01-17 Telenet Communications Corporation Method and apparatus for enhancing security of communications in a packet-switched data communications system
US4713753A (en) * 1985-02-21 1987-12-15 Honeywell Inc. Secure data processing system architecture with format control
US4802220A (en) * 1985-03-20 1989-01-31 American Telephone And Telegraph Company, At&T Bell Laboratories Method and apparatus for multi-channel communication security
US4901348A (en) * 1985-12-24 1990-02-13 American Telephone And Telegraph Company Data transmission security arrangement for a plurality of data stations sharing access to a communication network
US4837822A (en) * 1986-04-08 1989-06-06 Schlage Lock Company Cryptographic based electronic lock system and method of operation
US4731841A (en) * 1986-06-16 1988-03-15 Applied Information Technologies Research Center Field initialized authentication system for protective security of electronic information networks
US4829560A (en) * 1987-01-30 1989-05-09 Spectradyne Communications system for use in a hotel/motel
GB8704883D0 (en) * 1987-03-03 1987-04-08 Hewlett Packard Co Secure information storage
EP0287720B1 (en) * 1987-04-22 1992-01-08 International Business Machines Corporation Management of cryptographic keys
US4956803A (en) * 1987-07-02 1990-09-11 International Business Machines Corporation Sequentially processing data in a cached data storage system
US4916704A (en) * 1987-09-04 1990-04-10 Digital Equipment Corporation Interface of non-fault tolerant components to fault tolerant system
US4924513A (en) * 1987-09-25 1990-05-08 Digital Equipment Corporation Apparatus and method for secure transmission of data over an unsecure transmission channel
JPH0732373B2 (ja) * 1988-03-26 1995-04-10 Kenwood Corporation One-way address transmission method for PCM music broadcasting
US4980913A (en) * 1988-04-19 1990-12-25 Vindicator Corporation Security system network
US5001755A (en) * 1988-04-19 1991-03-19 Vindicator Corporation Security system network
US4910777A (en) * 1988-09-20 1990-03-20 At&T Bell Laboratories Packet switching architecture providing encryption across packets
US4965804A (en) * 1989-02-03 1990-10-23 Racal Data Communications Inc. Key management for encrypted packet based networks
US4933971A (en) * 1989-03-14 1990-06-12 Tandem Computers Incorporated Method for encrypting transmitted data using a unique key
US4956863A (en) * 1989-04-17 1990-09-11 Trw Inc. Cryptographic method and apparatus for public key exchange with authentication
GB8927623D0 (en) * 1989-12-06 1990-02-07 Bicc Plc Repeaters for secure local area networks
US5056140A (en) * 1990-02-22 1991-10-08 Blanton Kimbell Communication security accessing system and process
US5204961A (en) * 1990-06-25 1993-04-20 Digital Equipment Corporation Computer network operating with multilevel hierarchical security with selectable common trust realms and corresponding security protocols
US5086469A (en) * 1990-06-29 1992-02-04 Digital Equipment Corporation Encryption with selective disclosure of protocol identifiers
US5309437A (en) * 1990-06-29 1994-05-03 Digital Equipment Corporation Bridge-like internet protocol router
US5161193A (en) * 1990-06-29 1992-11-03 Digital Equipment Corporation Pipelined cryptography processor and method for its use in communication networks
US5070528A (en) * 1990-06-29 1991-12-03 Digital Equipment Corporation Generic encryption technique for communication networks
GB9015799D0 (en) * 1990-07-18 1991-06-12 Plessey Telecomm A data communication system
US5245696A (en) * 1990-11-21 1993-09-14 Ricoh Co. Ltd. Evolution and learning in neural networks: the number and distribution of learning trials affect the rate of evolution
US5182554A (en) * 1990-12-18 1993-01-26 International Business Machines Corporation Third party eavesdropping for bus control
US5272754A (en) * 1991-03-28 1993-12-21 Secure Computing Corporation Secure computer interface
US5222137A (en) * 1991-04-03 1993-06-22 Motorola, Inc. Dynamic encryption key selection for encrypted radio transmissions
US5179554A (en) * 1991-04-08 1993-01-12 Digital Equipment Corporation Automatic association of local area network station addresses with a repeater port
JP2862030B2 (ja) * 1991-06-13 1999-02-24 Mitsubishi Electric Corporation Encryption method
US5577209A (en) * 1991-07-11 1996-11-19 Itt Corporation Apparatus and method for providing multi-level security for communication among computers and terminals on a network
US5177788A (en) * 1991-10-15 1993-01-05 Ungermann-Bass, Inc. Network message security method and apparatus
US5222140A (en) * 1991-11-08 1993-06-22 Bell Communications Research, Inc. Cryptographic method for key agreement and user authentication
FR2686755A1 (fr) * 1992-01-28 1993-07-30 Electricite De France Method for encrypting messages transmitted between interconnected networks, encryption apparatus and encrypted-data communication device implementing such a method.
US5537099A (en) * 1992-04-16 1996-07-16 Bay Networks, Inc. Receiving port security in a network concentrator
US5276735A (en) * 1992-04-17 1994-01-04 Secure Computing Corporation Data enclave and trusted path system
US5311593A (en) * 1992-05-13 1994-05-10 Chipcom Corporation Security system for a network concentrator
IL102394A (en) * 1992-07-02 1996-08-04 Lannet Data Communications Ltd Method and apparatus for secure data transmission
US5596718A (en) * 1992-07-10 1997-01-21 Secure Computing Corporation Secure computer network using trusted path subsystem which encrypts/decrypts and communicates with user through local workstation user I/O devices without utilizing workstation processor
US5268962A (en) * 1992-07-21 1993-12-07 Digital Equipment Corporation Computer network with modified host-to-host encryption keys
US5361359A (en) * 1992-08-31 1994-11-01 Trusted Information Systems, Inc. System and method for controlling the use of a computer
IL103467A (en) * 1992-10-18 1996-03-31 Lannet Data Communications Ltd Network with a security capability
US5414694A (en) * 1993-02-19 1995-05-09 Advanced Micro Devices, Inc. Address tracking over repeater based networks
US5299263A (en) * 1993-03-04 1994-03-29 Bell Communications Research, Inc. Two-way public key authentication and key agreement for low-cost terminals
US5442708A (en) * 1993-03-09 1995-08-15 Uunet Technologies, Inc. Computer network encryption/decryption device
US5444782A (en) * 1993-03-09 1995-08-22 Uunet Technologies, Inc. Computer network encryption/decryption device
US5353283A (en) * 1993-05-28 1994-10-04 Bell Communications Research, Inc. General internet method for routing packets in a communications network
US5394402A (en) * 1993-06-17 1995-02-28 Ascom Timeplex Trading Ag Hub for segmented virtual local area network with shared media access
US5331637A (en) * 1993-07-30 1994-07-19 Bell Communications Research, Inc. Multicast routing using core based trees
JP3263878B2 (ja) * 1993-10-06 2002-03-11 Nippon Telegraph and Telephone Corporation Cryptographic communication system
US5386471A (en) * 1994-01-25 1995-01-31 Hughes Aircraft Company Method and apparatus for securely conveying network control data across a cryptographic boundary
US5394469A (en) * 1994-02-18 1995-02-28 Infosafe Systems, Inc. Method and apparatus for retrieving secure information from mass storage media
US5416842A (en) * 1994-06-10 1995-05-16 Sun Microsystems, Inc. Method and apparatus for key-management scheme for use with internet protocols at site firewalls
US5588060A (en) * 1994-06-10 1996-12-24 Sun Microsystems, Inc. Method and apparatus for a key-management scheme for internet protocols
US5557765A (en) * 1994-08-11 1996-09-17 Trusted Information Systems, Inc. System and method for data recovery
US5557346A (en) * 1994-08-11 1996-09-17 Trusted Information Systems, Inc. System and method for key escrow encryption
US5548646A (en) * 1994-09-15 1996-08-20 Sun Microsystems, Inc. System for signatureless transmission and reception of data packets between computer networks
US5590201A (en) * 1994-11-10 1996-12-31 Advanced Micro Devices Inc. Programmable source address locking mechanism for secure networks
US5623601A (en) * 1994-11-18 1997-04-22 Milkway Networks Corporation Apparatus and method for providing a secure gateway for communication and data exchanges between networks
US5550984A (en) * 1994-12-07 1996-08-27 Matsushita Electric Corporation Of America Security system for preventing unauthorized communications between networks by translating communications received in ip protocol to non-ip protocol to remove address and routing services information
US5548649A (en) * 1995-03-28 1996-08-20 Iowa State University Research Foundation Network security bridge and associated method
US5699513A (en) * 1995-03-31 1997-12-16 Motorola, Inc. Method for secure network access via message intercept
US5781550A (en) * 1996-02-02 1998-07-14 Digital Equipment Corporation Transparent and secure network gateway

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1326347C (zh) * 2002-12-30 2007-07-11 Chengdu Sanling Shengan Information Systems Co., Ltd. Technical method for implementing multi-level secure access control in a network environment
CN100364291C (zh) * 2003-06-25 2008-01-23 Alcatel Architecture for a bridged Ethernet residential access network
CN100463429C (zh) * 2004-04-19 2009-02-18 Xi'an Jiaotong University Method for preventing IP address spoofing based on address rewriting
CN102739506A (zh) * 2011-04-13 2012-10-17 Li Xiaolin Method for transparently transmitting VPN communications
CN102739506B (zh) * 2011-04-13 2015-09-09 Li Xiaolin Method for transparently transmitting VPN communications
CN104106251A (zh) * 2012-02-09 2014-10-15 Harris Corporation Dynamic computer network with variable identity parameters
CN104106251B (zh) * 2012-02-09 2015-09-23 Harris Corporation Dynamic computer network with variable identity parameters
US9154458B2 (en) 2012-05-01 2015-10-06 Harris Corporation Systems and methods for implementing moving target technology in legacy hardware
US9130907B2 (en) 2012-05-01 2015-09-08 Harris Corporation Switch for communicating data in a dynamic computer network
WO2014114232A1 (zh) * 2013-01-22 2014-07-31 Yokogawa Electric Corporation Isolation protection system and method for performing bidirectional packet filtering inspection
US9503324B2 (en) 2013-11-05 2016-11-22 Harris Corporation Systems and methods for enterprise mission management of a computer network
US9264496B2 (en) 2013-11-18 2016-02-16 Harris Corporation Session hopping
US9338183B2 (en) 2013-11-18 2016-05-10 Harris Corporation Session hopping
US10122708B2 (en) 2013-11-21 2018-11-06 Harris Corporation Systems and methods for deployment of mission plans using access control technologies
CN106083589A (zh) * 2016-06-14 2016-11-09 Changzhou University Catalytic synthesis method for advanced β-keto esters
CN106357690A (zh) * 2016-11-08 2017-01-25 Zhejiang SUPCON Technology Co., Ltd. Data transmission method, data sending device and data receiving device
CN108471408A (zh) * 2018-03-13 2018-08-31 Guangzhou Binghai Network Technology Co., Ltd. Network security encryption device
CN109194676A (zh) * 2018-09-21 2019-01-11 Wuxi Runmeng Software Co., Ltd. Data stream encryption method and data stream decryption method
CN109194676B (zh) * 2018-09-21 2020-11-27 Wuxi Runmeng Software Co., Ltd. Data stream encryption method and data stream decryption method

Also Published As

Publication number Publication date
US5757924A (en) 1998-05-26
IL121416A0 (en) 1999-10-28
AU725712B2 (en) 2000-10-19
EP0872074A1 (en) 1998-10-21
AU7154896A (en) 1997-04-28
CA2211301C (en) 2006-01-24
WO1997013340A1 (en) 1997-04-10
SG96185A1 (en) 2003-05-23
SG92687A1 (en) 2002-11-19
IL121416A (en) 2001-09-13
CA2211301A1 (en) 1997-04-10
US6151679A (en) 2000-11-21

Similar Documents

Publication Publication Date Title
CN1173256A (zh) Network security device
US6240513B1 (en) Network security device
US5633933A (en) Method and apparatus for a key-management scheme for internet protocols
US6026167A (en) Method and apparatus for sending secure datagram multicasts
US6091820A (en) Method and apparatus for achieving perfect forward secrecy in closed user groups
US5416842A (en) Method and apparatus for key-management scheme for use with internet protocols at site firewalls
US8346949B2 (en) Method and system for sending a message through a secure connection
US5668877A (en) Method and apparatus for stepping pair keys in a key-management scheme
US8837729B2 (en) Method and apparatus for ensuring privacy in communications between parties
CN101420423A (zh) Network system
EP1493243B1 (en) Secure file transfer
CN1423451A (zh) Time-based encryption key
CN1543117A (zh) Method with selectable return path for secure communication
US20130219172A1 (en) System and method for providing a secure book device using cryptographically secure communications across secure networks
CN1728637A (zh) Method for physically and uniquely identifying a network access terminal, and terminal access authentication system
Orman et al. Paving the road to network security, or the value of small cobblestones
CN111656728A (zh) Device, system and method for secure data communication
JP2001094548A (ja) Cryptographic key exchange method and cryptographic key exchange device
Venugopal The design, implementation, and evaluation of cryptographic distributed applications: Secure PVM
Atighehchi et al. A cryptographic keys transfer protocol for secure communicating systems
CN1315298C (zh) Synchronous packet processing system and method
Bharanidharan et al. RETRACTED ARTICLE: Group hash function-based enhancing network security for network service providence
KR100411436B1 (ko) Method for distributing router computation in a virtual private network
Simpson et al. RADIUS Working Group Internet-Draft (C. Rigney, Livingston; A. Rubens, Merit)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication
REG Reference to a national code
Ref country code: HK
Ref legal event code: GR
Ref document number: 1052783
Country of ref document: HK