U.S. patent application number 08/977768 (publication number 20010014912) was filed with the patent office on 1997-11-26 and published on 2001-08-16 for a distributed security system for a communication network.
This patent application is currently assigned to INTERNATIONAL BUSINESS MACHINES CORPORATION. Invention is credited to SEGAL, EDWARD ROBERT.
Application Number: 20010014912 (08/977768)
Family ID: 25525487
Filed Date: 1997-11-26
Publication Date: 2001-08-16
United States Patent Application 20010014912
Kind Code: A1
SEGAL, EDWARD ROBERT
August 16, 2001
DISTRIBUTED SECURITY SYSTEM FOR A COMMUNICATION NETWORK
Abstract
In a data communication network, a system for protecting parts
of the network. The system comprises a plurality of user nodes
linked together within the network, each user node comprising means
for transmitting a list indicating to other nodes in the network the
identification of allowed senders and receivers; and two or more
security nodes within the network, each security node detecting
transmissions and relaying each signal only to the recipients
specified in the list.
Inventors: SEGAL, EDWARD ROBERT (WHITE PLAINS, NY)
Correspondence Address:
FLEIT, KAIN, GIBBONS, GUTMAN & BONGINI, P.L.
ONE BOCA COMMERCE CENTER
551 NORTHWEST 77TH STREET, SUITE 111
BOCA RATON, FL 33487
US
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Family ID: 25525487
Appl. No.: 08/977768
Filed: November 26, 1997
Current U.S. Class: 709/223; 709/207; 709/217; 709/225; 726/13
Current CPC Class: H04L 63/0218 20130101; H04L 63/10 20130101
Class at Publication: 709/223; 709/225; 709/217; 709/207; 713/201
International Class: G06F 015/16; H04L 009/00; H04L 009/32; G06F 011/30; G06F 015/173; G06F 012/14
Claims
What is claimed is:
1. In a data communication network comprising a plurality of user
nodes linked together within the network, a system for protecting
secure parts of the network, the system comprising: a plurality of
security nodes for coupling at least one user node to the
communication network; and each security node comprising a shared
list setting forth a plurality of listed nodes and a set of access
privileges for each listed node.
2. The data communication network of claim 1 wherein each shared
list comprises a set of allowed network addresses for each of the
listed nodes and wherein each of the listed nodes is permitted to
transmit to each of its associated allowed addresses.
3. The data communication network of claim 1 wherein each user node
comprises means for transmitting a node ID for each of the
specified recipients or allowed transmitters.
4. The data communication network of claim 2 wherein each user node
comprises means for transmitting a medium-access control layer
address for each of the specified recipients or allowed
senders.
5. In a communication network comprising a plurality of nodes, a
security unit for coupling at least one node with the communication
network, the security unit comprising: means for receiving incoming
signals from nodes in the network; storage means for storing the
incoming signals; detection means for detecting an identification
portion of the incoming signal; means for determining a source node
associated with each incoming signal; access means for determining
to which nodes the signal is permitted to be transmitted, the
determination being made by reference to a shared list; and means
for relaying the signal to a set of permitted recipients specified
in the shared list.
6. The security unit of claim 5 wherein the security unit comprises
a copy of the shared list.
7. In a data communication network comprising a plurality of user
nodes linked together within the network and a plurality of
security units each for coupling at least one user unit with the
data communication network, a system for protecting secure parts of
the network, a computer program product comprising: a computer
readable information storage medium comprising a shared list
setting forth a plurality of listed nodes and a set of access
privileges for each listed node.
8. In a network comprising a plurality of nodes, a method for
distributing a list comprising security permissions for a set of
nodes within the network, each node of said set of nodes includes
local storage, the method comprising the steps of: originating
means for creating a new list of security permissions; distributing
said new list of security permissions to said set of nodes within
said network; receiving means on each of said set of nodes for
receiving said new list of security permissions; and updating means
updating said local storage on said set of nodes, wherein each of
said set of nodes selectively permits transmissions based on said list
of permissions updated in said local storage.
Description
BACKGROUND OF THE INVENTION
[0001] The present invention relates to computers and computer
networks and more specifically to a system for providing
distributed security and protection in a computer network.
[0002] Data communications is of great importance to businesses
today. A principal function of computers is to perform
communications functions over various computer networks such as
local area networks (LANs), wide area networks (WANs) and the
Internet. Given the critical nature of much of the information that
is transmitted on networks, security has become a great concern to
users of such networks. The magnitude of the concern has been
increased by the popularity of the Internet with the advent of the
World-Wide Web (WWW) which has provided access to thousands of
users to a global network of computers and smaller networks all
linked together.
[0003] Thus, it is becoming increasingly important to provide
network access that is reliable and has a higher degree of
security. It is also desirable to provide control over the granting
of "permission" to utilize the network. It is also important to
provide protection against overutilization and unfair utilization
of network resources and from the growing number and various types
of "Denial of Service" attacks.
[0004] One common solution to the security problem in networks has
been to provide one large, complex, centralized firewall, that
often has to deal with a very large amount of traffic coming
through it from all the various paths from many networks. These
firewall units are generally large computers having the means to
filter information coming into the protected network and to limit
access to the protected network. FIG. 1 is a block diagram of a
data network 10 having a conventional firewall node 12 at a gateway
station. The firewall node 12 protects communications between an
unprotected public network 14 (e.g., the Internet) and a private
protected network 16. The network 16 can be any of various private
networks and it may be comprised of various computers, servers,
systems, etc. 18-24. As the size of each network increases so do
the demands upon firewall unit 12 which must process all incoming
and outgoing data traffic possibly from a vast global network.
[0005] Routes in a network are provided to indicate reachability to
destinations: they tell a node where to send traffic in order to
reach a destination. Current general networking practice is to send
routes to every router in a network, across the entire (inter)corporate
network or autonomous system, and then, at run time, to try to build
a firewall that is syntactically correct and fast enough to keep
undesired traffic out. This is very difficult to begin with, and it
does not prevent all problems, such as denial of service attacks and
attacks which simply overwhelm the network links, the firewall
devices and the intermediate routers and bridges with more packets
than they can filter per unit time, thereby effectively blocking
desired traffic and preventing legitimate users from using the
system.
[0006] U.S. Pat. No. 5,416,842 relates to a method and apparatus
for a key-management scheme for use with internet protocols at site
firewalls. It requires encryption and is very processor intensive.
It is a centralized approach to the network security problem that
is vulnerable to attacks that can overwhelm the unit.
[0007] U.S. Pat. No. 5,623,601 relates to an apparatus and method
for providing a secure gateway for communication and data exchanges
between networks. This discusses a network security system that
requires every communication to go through a single gateway that
must perform all the processing and is vulnerable to
overloading.
[0008] Most known network security systems depend on one
centralized unit to handle communications for each network. One
prior method briefly acknowledges this as a significant limitation
but does not offer a real solution, and it is in any case a limited
method that remains subject to denial of service attacks. The IDPR
(RFC 1479) and IDRP publications mention some methods that could
increase security.
[0009] Most need a device that has enough capacity to handle all
traffic going into and out of the network. Most need complex setup
protocols and/or security keys. Many require encryption. Most are
not distributed and typically require higher level processing for
each communication which is processor intensive and time
consuming.
SUMMARY OF THE INVENTION
[0010] Briefly, in accordance with the invention, the present
situation can be improved upon by limiting access to nodes, routes
and other networking devices. Routers, firewalls, ingress nodes,
and switches can be informed which destination networks and
routes should be allowed to which source nodes or networks. A
security filtering system enables distributed granting of admission
for transmission of signals onto the network, provides means for
distributed admission control, and provides a distributed firewall.
The distributed security system provides a protocol for transmitting
a node's location together with a list of the nodes or networks that
are allowed access to the various nodes and services.
BRIEF DESCRIPTION OF THE DRAWING(S)
[0011] FIG. 1 is a block diagram of a data network having a
conventional firewall node.
[0012] FIG. 2 shows a data network having a distributed security
system in accordance with the invention.
[0013] FIG. 3 shows a security node comprising an information
handling system in accordance with the invention.
[0014] FIG. 4 shows a user node comprising an information handling
system in accordance with the invention.
[0015] FIG. 5 is a flow chart of an originating node modifying
security protection in accordance with the invention.
[0016] FIG. 6 is a flow chart of a receiving node modifying
security protection in accordance with the invention.
DESCRIPTION OF THE ILLUSTRATIVE EMBODIMENT(S)
[0017] FIG. 2 shows a data network 40 having a distributed firewall
in accordance with the invention. Network 40 comprises various
subnetworks 42, 44, 46, 48, 52, and 53, and firewall units 43, 45,
46, 47, 49, and 50. The network 40 can be any network, such as the
Internet, that links networks together. Each subnetwork can use
a different protocol. Each firewall unit is a node that provides
network access to at least one node in a secure subnetwork. In one
possible embodiment, units 43, 45, 46, 47, 49, and 50 are servers
operated by Internet Service Providers (ISPs). In accordance with
the invention, the units 43, 45, 46, 47, 49, and 50 of network 40
each comprise a shared list setting forth a plurality of listed
nodes and a set of access privileges for each listed node. Access
privileges are the types of transmissions that a given node listed
in the shared list is permitted to make. For example, consider the
case where node B1 is a computer or LAN at an accounting firm. The
firm may want to restrict the nodes from which it receives or
transmits e-mail or certain other types of transmissions (e.g., File
Transfer Protocol (FTP)). Suppose the firm wishes to receive
e-mail only from its clients Z1, Y2, and X4. Node B1 would instruct
node 45 to update the shared list residing at security node 45 so
that node 45 intercepts all e-mail and only allows e-mail from nodes
Z1, Y2 and X4. In this distributed system it is also possible for
security node 49 to allow e-mail only from Y2, for node 50 to
prohibit e-mail from Z2, and so forth, so that unpermitted traffic
is stopped at the security node nearest its source rather than at
node 45. Thus, with the cooperation of the other nodes, it is
virtually impossible to overwhelm node 45 with unpermitted
transmissions. The shared list may provide, with respect to any
listed node, that it can only transmit to certain other listed nodes
and, with respect to those nodes it can transmit to, restrictions
applicable to such transmissions.
[0018] Nodes in the Internet are commonly populated by information
handling units having commercial content that the operators of such
nodes want to advertise. Accordingly, it is common for such nodes
to transmit routes to other nodes, indicating how to reach the
transmitting node. Such advertising reaches not only those targeted
by the node operator but anyone else in the network 40. This
presents security problems because the widespread knowledge of the
transmitting node's location gives users of other nodes an
opportunity to transmit undesirable signals or transmissions to the
transmitting node. In accordance with the invention, a protocol for
the network 40 would provide for lists sent by each node indicating
which other nodes are permitted to receive from it and transmit to
it, and what types of access they are allowed. That information is
detected by each firewall unit, which then limits transmission of
the routes to their intended destinations only. The firewall units
also have the capability to accept signals from the network for only
certain defined purposes. The list of intended recipients can have
any desired granularity. The situation can be improved upon by
providing a set of firewall-type commands that include lists of
which nodes, sources, and networks are allowed to use certain
destinations. These commands can be utilized by filtering devices
and/or security devices such as firewalls, ingress nodes, and
switches, which would be informed which destination nodes,
addresses, and ports are permitted to which source nodes or
networks. These filtering devices and/or security devices may be
separate stand-alone components, or their capability may be
integrated into other, possibly already existing, devices.
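The shared list of paragraphs [0017] and [0018], enforced at every security node a transmission passes through, as an added example in Python that is not part of the patent. The node names B1, Z1, Y2, X4, Z2 and the unit numbers 45, 49 and 50 follow the description; the list layout (destination, then allowed sender, then permitted transmission types), the Transmission fields and the sample traffic are assumptions constructed for the example.

```python
"""Shared access list enforced at cooperating security nodes (added example)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# Shared list: destination node -> {allowed sender -> transmission types it may send}.
# Layout is an assumption of this example, not the patent's wire format.
SharedList = Dict[str, Dict[str, FrozenSet[str]]]

# Constructed list: accounting firm B1 accepts e-mail only from clients Z1, Y2
# and X4, and additionally lets Y2 transfer files over FTP.
SHARED_LIST: SharedList = {
    "B1": {
        "Z1": frozenset({"email"}),
        "Y2": frozenset({"email", "ftp"}),
        "X4": frozenset({"email"}),
    },
}


@dataclass(frozen=True)
class Transmission:
    source: str
    dest: str
    kind: str  # "email", "ftp", ...


@dataclass
class SecurityNode:
    """A firewall unit holding its own copy of the shared list (claims 5 and 6)."""
    name: str
    shared_list: SharedList
    relayed: List[Transmission] = field(default_factory=list)
    dropped: List[Transmission] = field(default_factory=list)

    def permitted(self, t: Transmission) -> bool:
        # Default deny: a destination absent from the list accepts nothing, and a
        # sender absent from the destination's entry may send it nothing.
        senders = self.shared_list.get(t.dest, {})
        return t.kind in senders.get(t.source, frozenset())

    def handle(self, t: Transmission) -> bool:
        """Relay t onward if the shared list permits it; otherwise drop it here."""
        if self.permitted(t):
            self.relayed.append(t)
            return True
        self.dropped.append(t)
        return False


def deliver(path: List[SecurityNode], t: Transmission) -> Tuple[bool, Optional[str]]:
    """Carry t through each security node on its path, stopping at the first refusal.

    Returns (delivered, name of the node that dropped it, or None if delivered).
    """
    for node in path:
        if not node.handle(t):
            return False, node.name
    return True, None


def demo() -> Dict[str, int]:
    """Push constructed traffic toward B1 and report where each item was stopped."""
    n45 = SecurityNode("45", SHARED_LIST)  # B1's own firewall unit
    n49 = SecurityNode("49", SHARED_LIST)  # ingress unit near Z1, Z2 and Y2 (assumed)
    n50 = SecurityNode("50", SHARED_LIST)  # ingress unit near X4 and W9 (assumed)
    traffic = [
        ([n49, n45], Transmission("Z1", "B1", "email")),  # allowed
        ([n49, n45], Transmission("Y2", "B1", "ftp")),    # allowed
        ([n49, n45], Transmission("Z2", "B1", "email")),  # not a listed sender
        ([n50, n45], Transmission("X4", "B1", "ftp")),    # listed, but not for FTP
    ]
    # A flood from an unlisted node W9: every copy dies at the ingress unit.
    traffic += [([n50, n45], Transmission("W9", "B1", "email")) for _ in range(1000)]
    delivered = 0
    for path, t in traffic:
        ok, _ = deliver(path, t)
        delivered += int(ok)
    return {
        "delivered": delivered,
        "dropped_at_45": len(n45.dropped),
        "dropped_at_49": len(n49.dropped),
        "dropped_at_50": len(n50.dropped),
    }


if __name__ == "__main__":
    print(demo())
```

Because every unit on the path carries the same list, the 1000-message flood from W9 never reaches unit 45; that is the load-sharing effect the description claims for the cooperation of nodes 49 and 50. The default-deny lookups matter: an empty or missing entry must mean "nothing permitted", or a node that has not yet been listed becomes an open relay.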
[0019] Referring to FIG. 3, there is shown a security node 100
comprising an information handling unit (e.g., a computer)
comprising a processor unit 102, a memory subsystem (including RAM,
ROM, and/or hard disk storage) 104, and a communication subsystem
110 which can be any of several well-known communication adapters
for communicating with other nodes in the network. The memory 104
includes software such as a network protocol program 106, and an
allowable sender and recipient list 108 for transmissions. This list
can be maintained in the unit 100 or received from nodes on the
network.
[0020] Referring to FIG. 4, there is shown a user node comprising an
information handling unit 200 (e.g., a computer) comprising a
processor unit 202, a memory subsystem (including RAM, ROM, and/or
hard disk storage) 204, and a communication subsystem 208 which can
be any of several well-known communication adapters and a modem for
communicating with other nodes in the network. The memory 204
includes software such as a network protocol program 206 that
includes the functionality shown in FIG. 4.
[0021] FIG. 5 is a flow chart illustrating a method 300 in
accordance with the invention. The method 300 may be performed in
any node in the network authorized to modify the list. In step 302,
a request is made at a node to modify security or access
protection. In step 304, the node originates a new list with access
protection. Step 306 updates the local list. Step 308 encrypts the
list and step 310 transmits the encrypted list to other security
devices on the network.
[0022] FIG. 6 is a flow chart illustrating a method 400 in
accordance with the invention. In step 402, a node comprising a
security device receives the encrypted list. In step 404, the
receiving security device decrypts the received list. A decision
406 is then made to determine whether the received list is newer
than the local list. If it is not, the received list is discarded
in step 408. If the received list is newer than the local list, the
received list is copied into the local database (i.e, storage) in
step 410. Then in step 412, the security unit filters received
transmissions in accordance with the most recent local list.
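The originating and receiving procedures of FIG. 5 and FIG. 6, as an added example in Python that is not part of the patent. Steps 308 and 404 of the description encrypt and decrypt the list; this example instead attaches an HMAC-SHA256 tag under a key assumed to be pre-shared among the security devices, because what the "newer than" decision of step 406 actually depends on is that the received list is genuine and fresh: an unauthenticated list carrying a large version number would otherwise overwrite every device's local storage, and a re-sent old list would roll permissions back. The version field, the message layout, the key and the node names are assumptions constructed for the example.

```python
"""Versioned, authenticated shared-list distribution (added example, FIG. 5 / FIG. 6)."""
import hashlib
import hmac
import json
from typing import Any, Dict, List


def make_update(key: bytes, version: int, shared_list: Dict[str, Any]) -> bytes:
    """Originating node, steps 304-310: build the new list, stamp it with a
    version, tag it under the shared key and return the wire message.
    The patent encrypts here; an HMAC tag is substituted in this example."""
    body = json.dumps({"version": version, "list": shared_list},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag  # hex tag contains no ".", so rpartition recovers it


class ReceivingSecurityNode:
    """Security device holding the local copy of the list (steps 402-412)."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.version = 0  # nothing installed yet
        self.local_list: Dict[str, Any] = {}

    def receive(self, msg: bytes) -> str:
        """Returns 'updated', 'stale' or 'rejected'. Local storage changes only
        on 'updated'."""
        body, sep, tag = msg.rpartition(b".")
        if not sep:
            return "rejected"
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return "rejected"  # forged or corrupted: never consult its version
        try:
            env = json.loads(body)
            version = int(env["version"])
            new_list = env["list"]
        except (ValueError, KeyError, TypeError):
            return "rejected"
        if not isinstance(new_list, dict):
            return "rejected"
        if version <= self.version:
            return "stale"  # step 408: not newer than the local copy (also stops replay)
        self.version = version  # step 410: copy into local storage
        self.local_list = new_list
        return "updated"

    def permitted(self, source: str, dest: str, kind: str) -> bool:
        """Step 412: filter against the most recent local list (default deny)."""
        return kind in self.local_list.get(dest, {}).get(source, [])


def demo() -> List[str]:
    """Feed one device a valid list, an older one, a forgery and a tampered copy."""
    key = b"constructed-shared-key"  # assumption: pre-shared among the security devices
    node = ReceivingSecurityNode(key)
    v2 = make_update(key, 2, {"B1": {"Z1": ["email"], "Y2": ["email", "ftp"],
                                     "X4": ["email"]}})
    v1 = make_update(key, 1, {"B1": {"Z1": ["email"]}})
    forged = make_update(b"attacker-key", 99, {"B1": {"W9": ["email"]}})
    return [
        node.receive(v2),              # "updated"
        node.receive(v1),              # "stale": older version discarded
        node.receive(forged),          # "rejected": wrong key, version never looked at
        node.receive(v2[:-1] + b"x"),  # "rejected": tag no longer verifies
    ]


if __name__ == "__main__":
    print(demo())
```

The order of the checks is the point: authenticity is verified before the version is read, so a forged message cannot advance the local version counter and block later legitimate updates. The version must increase monotonically per originator, and how the key is provisioned to the devices is outside the description and outside this example.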
[0023] The system presented allows for inter-firewall cooperation
and shares the load between the various filtering and security
devices. This provides a distributed firewall capability and also
permits multiple smaller firewalls and/or admission control points.
Information on which networks and nodes should be granted access can
be transmitted to the distributed elements.
[0024] While the invention has been illustrated in connection with
a preferred embodiment, it will be understood that many variations
will occur to those of ordinary skill in the art, and that the
scope of the invention is defined only by the claims appended
hereto and equivalents.
* * * * *