The present invention is directed to the routing of data packets. In particular, the present invention is directed to systems which prevent the unauthorized access to packetized information, which reduce processing costs and time, and which prevent the loss of transmitted information.
Connectivity and security are two competing objectives of the computing environment in most organizations. The typical modern computing system is built around network communications and supplying transparent access to a multitude of services. The global availability of these services is perhaps the single most important feature of modern computing solutions. Demand for connectivity comes from both outside and inside organizations.
Protecting network services from unauthorized usage is of importance to any organization. Any PC workstation, once connected to the Internet, can offer all of the features which are offered to any other station on the network. Using available technology, an organization must give up much of its connectivity in order to prevent the threat of loss or theft, even to the point of eliminating some or all connections to the outside environment or to other sites.
As the need for increased security grows, the means for controlling access to network resources have become an administrative priority for many companies. In order to save costs and maintain productivity, access control must be simple to configure and "transparent" to both users and applications. Minimizing setup costs and downtime is also an important factor.
Computerized data is typically transmitted in packets. A "packet" is a sequence of bytes delivered by the communication line that is rendered distinct from other sequences of bytes according to a "protocol" applied when the bytes are "encoded" and decoded. Packet techniques are well known to those skilled in the art and include, for example, the Ethernet protocol (IEEE Standard 802.3) and various commercial packet protocols such as the Synchronous Datalink Protocol (SDLC) and Expoint 2.5. A "circuit" monitors the incoming communication line and determines when a packet begins. The bytes of the packet are then processed until packet reception is complete.
Commercially available circuits and interfaces are known for performing the tasks of recognizing the beginning of a packet and the processing of bytes until complete, for example, as known from a byte count and marker or the like. The generic function of receiving packets is thus well known in the art. However, once a packet or sequence of bytes is extracted from the communication network, there are a variety of possibilities as to how the encoded data are to be processed.
In a conventional broadcast network, the sender of the data packet encodes information that explicitly determines a recipient, or a set of recipients, to whom the data packet is directed. The recipient, or set of recipients, is identified in the packet by the sender inserting specific bytes in the message at the time of transmission. Conventional circuitry as described above, for example, recognizes information at a predetermined byte or bit position, typically in a header block at the start of the packet. This information is used to identify the intended receiver or receivers. Only packets destined for the respective data processing equipment require intervention by that data processing equipment and other packets can be ignored.
"Packet filtering" is a method which allows connectivity yet provides security by controlling the traffic being passed, thus preventing illegal communication attempts both within single networks and between connected networks. The current implementation of packet filtering allows specification of access and list tables according to a fixed format. This method is limited in its flexibility by the organization's security policy. It is also limited to the set of protocols and services defined in that particular table, and does not allow the introduction of different protocols or services which are not specified in the original table. Another method of implementing packet filtering is tailoring the computer operating system code manually at every strategic point in the organization. This method is limited in its flexibility to accommodate future changes in network topology, new protocols, enhanced services, and future security threats. It requires a substantial amount of work by experts modifying proprietary computer programs, making it inefficient and expensive to set up and maintain.
In addition to protecting data transmission, the need for secure long distance communications between enterprises, branch offices and business partners is becoming an essential requirement in modern business practice. Historically, dedicated point-to-point connections between networks were used for fully private inter-enterprise commerce and long distance transactions. However, their inflexibility and prohibitive costs have prevented their widespread use. Public networks such as the Internet provide a flexible and inexpensive solution for long distance inter-networking. Instead of establishing dedicated lines, enterprises can communicate using the Internet as a mediator. Once connected to a local Internet provider, private networks can quickly connect to any destination around the world. These developments raise additional security issues.
A number of prior art patents are directed to data routing systems and to methods of providing data security. U.S. Pat. No. 5,805,572 discloses a transparent routing system within a "cluster" which is achieved (without changing the networking code on each "node" of the cluster) by using a pair of "modules" interposed on the networking "stack". In a "clustered" system built out of several computers, the networking subsystem appears to "applications" as if the applications are running on a single computer. In addition, no modifications to the networking code are needed. The disclosed system is extensible to a variety of networking protocols and allows the routing within the cluster to be performed dynamically. A packet filter and remote communication between the modules through IDL enable the modules to function.
In U.S. Pat. No. 5,608,662, a "data processor" is connected to a digital communication system such that information packets broadcast on the system are examined to determine if the contents of each packet meet selection criteria, whereupon the packet is "coupled" to the "processor". A "state machine" or "interface processor" is connected between the processor and the network, and compares packets to the selection criteria, passing accepted packets and blocking rejected ones. The selection criteria are programmed into the state machine as a "decision tree" of any length, configuration or data requirements, preferably by the attached data processor, and can include examination of arbitrary sections of the packet for equality/inequality, greater-than/less-than, signed and unsigned comparisons and bit mask comparisons. Thus, content is variably examined, as opposed to checking for an address or key code at a given byte position. The state machine operates on recognition instructions including "byte offset" and content specifics. The recognition instructions can include "plural distinct" criteria, determined by the data processor to serve application programs running in a "multi-tasking" environment. Thus, the data processor compiles a series of recognition instructions that are passed to the state machine as tasks in the multi-tasking environment are added or deleted, or when a task decides to change selection requirements. Preferably, "signaling lines" allow the data processor to determine the reason for selection of a packet, for example, by the state machine reporting to the data processor its program count upon acceptance.
U.S. Pat. No. 5,715,418 discloses a system which translates between "physical and logical (or virtual) address spaces" autonomously using information decoded by an address mode translator from command bits within a host CPU issued command. The disclosed translator communicates with a hard disc controller unit local microprocessor or microcontroller and controller unit task registers. A host CPU issued command interrupts the local microprocessor and activates the address mode translator by writing to an appropriate controller unit task register using indirect addressing. The address mode translator preferably provides four algorithms, with algorithm selection occurring autonomously according to the decoded command bits. The algorithms provide physical block address to physical "CHS" cylinder-head-sector conversion, logical CHS to logical block address conversion, and also provide divide and multiply functions useful for disc caching. Upon completion of the conversion or other function procedure, the address translator signals that the processed result is ready for reading by the controller unit local microprocessor or microcontroller. The translator may be implemented as a microprogrammed sequencer with an instruction set tailored to perform linear address translations and stored in memory associated with the local microprocessor. Alternatively, the instruction set may be downloaded by the microprocessor from disc drive software. The address translator provides the microprocessor with a translated address in a usable form more rapidly than if the local microprocessor had made the translation.
U.S. Pat. No. 5,742,792 discloses a system in which two data storage systems are interconnected by a data link for remote mirroring of data. Each volume of data is configured as local, primary in a remotely mirrored volume pair, or secondary in a remotely mirrored volume pair. Normally, a host computer directly accesses either a local or a primary volume, and data written to a primary volume is automatically sent over the link to a corresponding secondary volume. Each remotely mirrored volume pair can operate in a selected synchronization mode including synchronous, semi-synchronous, adaptive copy-remote write pending, and adaptive copy-disk. Direct write access to a secondary volume is denied if a "sync required" attribute is set for the volume and the volume is not synchronized. If a "volume domino" mode is enabled for a remotely mirrored volume pair, access to a volume of the pair is denied when the other volume is inaccessible. In a "links domino" mode, access to all remotely mirrored volumes is denied when remote mirroring is disrupted by an all-links failure. The domino mode can be used to initiate application-based recovery, for example, recovering a secondary data file using a secondary log file. In an active migration mode, host processing of a primary volume is concurrent with migration to a secondary volume. In an overwrite cache mode, remote write-pending data in cache can be overwritten. Write data for an entire host channel command word chain is bundled in one link transmission.
U.S. Pat. No. 5,606,668 discloses a system in which a filter module allows controlling network security by specifying security rules for traffic in the network and accepting or dropping communication packets according to these security rules. A set of security rules are defined in a high level form and are translated into a packet filter code. The packet filter code is loaded into packet filter modules located in strategic points in the network. Each packet transmitted or received at these locations is inspected by performing the instructions in the packet filter code. The result of the packet filter code operation decides whether to accept (pass) or reject (drop) the packet, disallowing the communication attempt.
U.S. Pat. No. 5,832,222 discloses a computer system having a scalable software architecture. The scalable communication or data replication architecture enables transparent replication of data or state information over a network of geographically dispersed processing units. Transparent data replication over a geographically dispersed computer network is useful in applications such as parallel computing and disaster recovery. The communication architecture also provides a transparent interface to a kernel I/O subsystem, device drivers and system applications. The communication architecture provides a distributed data model presenting a single system image of the I/O subsystem that allows two or more geographically dispersed processing units, or clusters thereof, access to common data. In one particular implementation, the communication architecture permits RAID algorithms, such as RAID level 1 and RAID level 5 state information, to be applied to the geographically dispersed network for site disaster recovery. The distributed data model software package may run on a uni-processor or multi-processor system, each having the same or different operating environments.
Finally, U.S. Pat. No. 5,835,726 discloses a novel system for controlling the inbound and outbound data packet flow in a computer network. By controlling the packet flow in a computer network, private networks can be secured from outside attacks, in addition to controlling the flow of packets from within the private network to the outside world. A user generates a rule base which is then converted into a set of filter language instructions. Each rule in the rule base includes a source, destination, service, whether to accept or reject the packet and whether to log the event. The set of filter language instructions is installed and executed on inspection engines which are placed on computers acting as firewalls. The firewalls are positioned in the computer network such that all traffic to and from the network to be protected is forced to pass through the firewall. Thus, packets are filtered as they flow into and out of the network in accordance with the rules comprising the rule base. The inspection engine acts as a virtual packet filtering machine which determines on a packet by packet basis whether to reject or accept a packet. If a packet is rejected, it is dropped. If it is accepted, the packet may then be modified. Modification may include encryption, decryption, signature generation, signature verification or address translation. All modifications are performed in accordance with the contents of the rule base.
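The prior-art approach described above (U.S. Pat. Nos. 5,608,662, 5,606,668 and 5,835,726) has three parts: a high-level rule base with source, destination, service, action and log flag; its translation into "filter code" made of byte-offset, mask and value comparisons; and an inspection engine that runs that code against each packet, first match deciding, with an implicit final drop. The Python below is an added example written for this page, not code from any of those patents or from the present invention. The rule fields, the service table, the byte offsets (which assume a minimal IPv4 header with no options followed by a TCP or UDP header) and the sample packets are all constructed assumptions.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Assumed byte offsets: IPv4 header with IHL = 5 (no options), then a TCP/UDP header.
OFF_PROTO, OFF_SRC, OFF_DST, OFF_DPORT = 9, 12, 16, 22
PROTO = {"tcp": 6, "udp": 17}
# Constructed service table: name -> (transport protocol, destination port).
SERVICES = {"http": ("tcp", 80), "https": ("tcp", 443), "dns": ("udp", 53), "telnet": ("tcp", 23)}


@dataclass(frozen=True)
class Instr:
    """One filter instruction: (packet[offset:offset+length] & mask) == value."""
    offset: int
    length: int
    value: int
    mask: int

    def matches(self, pkt: bytes) -> bool:
        if len(pkt) < self.offset + self.length:
            return False  # a packet too short to hold the field never matches
        field = int.from_bytes(pkt[self.offset:self.offset + self.length], "big")
        return (field & self.mask) == self.value


@dataclass(frozen=True)
class Rule:
    """High-level rule: source/destination are CIDR strings or "any"; service is a SERVICES key or "any"."""
    source: str
    destination: str
    service: str
    action: str          # "accept" or "drop"
    log: bool = False


def _net_instr(offset: int, cidr: str) -> Instr:
    # A network prefix compiles to a masked equality on the 4-byte address field.
    net = ipaddress.ip_network(cidr, strict=False)
    return Instr(offset, 4, int(net.network_address), int(net.netmask))


def compile_rule(rule: Rule) -> list:
    """Translate one rule into the byte-offset comparisons that must all hold."""
    instrs = []
    if rule.source != "any":
        instrs.append(_net_instr(OFF_SRC, rule.source))
    if rule.destination != "any":
        instrs.append(_net_instr(OFF_DST, rule.destination))
    if rule.service != "any":
        proto, port = SERVICES[rule.service]
        instrs.append(Instr(OFF_PROTO, 1, PROTO[proto], 0xFF))
        instrs.append(Instr(OFF_DPORT, 2, port, 0xFFFF))
    return instrs


def compile_rule_base(rules: list) -> list:
    """The loadable filter code: ordered (instructions, action, log) triples."""
    return [(compile_rule(r), r.action, r.log) for r in rules]


def inspect(program: list, pkt: bytes, log: list) -> str:
    """Inspection engine: the first rule whose instructions all match decides; unmatched packets are dropped."""
    for rule_no, (instrs, action, log_it) in enumerate(program):
        if all(i.matches(pkt) for i in instrs):
            if log_it:
                log.append((rule_no, action, pkt[OFF_SRC:OFF_DST].hex(), pkt[OFF_DST:OFF_DST + 4].hex()))
            return action
    return "drop"  # implicit final drop when no rule matches


def make_packet(src: str, dst: str, proto: str, dport: int) -> bytes:
    """Constructed IPv4 + TCP/UDP packet with only the fields the filter reads filled in."""
    hdr = bytearray(20)
    hdr[0] = 0x45                                        # version 4, IHL 5
    hdr[OFF_PROTO] = PROTO[proto]
    hdr[OFF_SRC:OFF_SRC + 4] = ipaddress.ip_address(src).packed
    hdr[OFF_DST:OFF_DST + 4] = ipaddress.ip_address(dst).packed
    l4 = struct.pack("!HH", 40000, dport) + bytes(16)    # source port, destination port, rest zeroed
    return bytes(hdr) + l4


# Constructed rule base, evaluated top to bottom: first match wins.
RULE_BASE = [
    Rule("any", "10.0.0.0/24", "http", "accept"),
    Rule("any", "any", "telnet", "drop", log=True),
    Rule("10.0.0.0/24", "any", "any", "accept"),
]
PROGRAM = compile_rule_base(RULE_BASE)


def decide(src: str, dst: str, proto: str, dport: int, log: list) -> str:
    """Build a sample packet and run it through the compiled rule base."""
    return inspect(PROGRAM, make_packet(src, dst, proto, dport), log)


if __name__ == "__main__":
    events = []
    for args in [("198.51.100.7", "10.0.0.5", "tcp", 80), ("198.51.100.7", "10.0.0.5", "tcp", 23),
                 ("10.0.0.9", "203.0.113.1", "tcp", 443), ("198.51.100.7", "10.0.0.5", "udp", 53)]:
        print(args, "->", decide(*args, events))
    print("logged:", events)
```

Two points the example makes concrete: rule order matters (the telnet drop rule sits above the permissive outbound rule, so an inside host cannot reach telnet either), and a packet too short to hold a compared field matches nothing and falls to the implicit drop rather than being read past its end.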
While there are a number of prior art systems for routing data packets and security, none provide a fast, reliable, and efficient method for processing data packets transmitted between computers via an intranet or the Internet. The present invention is directed to a system and method for processing data packets in order to protect them from theft and destruction. The present invention is directed to a fast, reliable and efficient method to process data packets. The present invention is specifically directed to a system and method for processing data packets based upon specific criteria such as the number position of the packet. The true nature and scope of the present invention is to be determined by reference to the detailed description and attached claims.
The present invention comprises a system for processing data packets between an environment internal to the system and an environment external to the system. The system comprises a plurality of processors within an internal environment, each processor processing data packets based upon an initial criteria of the packet, first cable means for connecting the plurality of processors and for transmitting data packets between said plurality of processors based upon said initial criteria, second cable means for transmitting data packets between the plurality of processors and to the external environment, and third cable means for transmitting data between the plurality of processors and the internal environment. In each case, the cable could be either physical (including PCB cases) or logical.
In a further embodiment, the present invention is directed to a method for transmitting secured data packets over a network comprising the following steps (a) receiving a data packet having a source address from a point external to the network, (b) determining whether the data packet is a zero packet, and if so: (i) determining the binary sequence of a bit set (e.g., as shown in FIGS. 3 and 4) of the source address of the packet, (ii) forwarding the packet to a processor whose number corresponds with the sequence of the aforementioned bit set, (iii) using a security table to generate an IT entry in an IT table for directing the processing of data packets, (iv) transmitting the IT entry to a plurality of processors for inclusion in said IT table, (v) processing the packet in accordance with the entry in the IT table that corresponds to the source address, destination address and point number of the packet; (c) determining whether the packet is the last packet of the message, and if so: (i) deleting the IT entry for the message from the IT table, and (ii) forwarding the packet for further processing.
In still a further embodiment, the present invention is directed to a system for processing data packets between an environment external to the system and an environment internal to the system, comprising a plurality of processors within an internal system, each processor processing data packets based upon the sequence number of the packet, first cable means for connecting the plurality of processors and for transmitting data packets between said plurality of processors based upon the said sequence number, second cable means for transmitting data packets between the plurality of processors and the internal environment, and third cable means for transmitting data between the plurality of processors and a point internal to the system.
In yet another embodiment, the present invention is directed to a method for transmitting secured data packets over a network comprising the following steps: (a) receiving a data packet from a point external to the network, (b) determining whether the data packet is a zero packet, and if so: (i) determining the binary sequence of a bit set of the source address of the packet, (ii) forwarding the packet to a processor whose number corresponds with that bit set, (iii) using a security table to generate an IT entry in an IT table for directing the processing of data packets, (iv) transmitting the IT entry to a plurality of processors for inclusion in said IT table, (v) processing the packet in accordance with the entry in the IT table that corresponds to the source address, destination address and point number of the packet; (c) determining whether the packet is the last packet of the message, and if so: (i) deleting the IT entry for the message from the IT table, and (ii) forwarding the packet for further processing.
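The method set out in the two embodiments above (steps (a) through (c)) is a per-message lifecycle: the zero packet is dispatched to the processor named by a bit set of its source address, that processor consults the security table to create an IT entry keyed by source address, destination address and port number, the entry is replicated to every processor, later packets of the message are handled from the replicated entry, and the last packet deletes it. The Python simulation below is an added example written for this page, not the patent's own code or hardware, and it does not correspond to FIGS. 3 and 4, which are not reproduced here. Which bits of the source address form the bit set, the contents of the security table, the "port" naming of the patent's "point number", and the rule that non-zero packets are handled by whichever processor receives them are all assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    port: int         # the patent's "point number", assumed here to be a port
    seq: int          # 0 marks the zero packet that opens a message
    last: bool = False


# Constructed security table: (source network, destination network, port) -> action, first match wins.
SECURITY_TABLE = [
    ("198.51.100.0/24", "10.0.0.0/24", 443, "accept"),
    ("0.0.0.0/0", "10.0.0.0/24", 23, "reject"),
]
DEFAULT_ACTION = "reject"   # traffic no security table entry covers is rejected


def lookup_security(src: str, dst: str, port: int) -> str:
    """Consult the security table when a zero packet opens a new message."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, p, action in SECURITY_TABLE:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net) and p == port:
            return action
    return DEFAULT_ACTION


class PacketSystem:
    """A plurality of processors, each holding its own copy of the IT table (simulation only)."""

    def __init__(self, n_processors: int, bit_shift: int = 0):
        if n_processors & (n_processors - 1):
            raise ValueError("number of processors must be a power of two for the bit-set dispatch")
        self.n = n_processors
        self.shift = bit_shift                      # assumed: which source-address bits form the bit set
        self.it_tables = [dict() for _ in range(n_processors)]
        self.trace = []                             # (handling processor, seq, action) per packet

    def processor_for(self, src: str) -> int:
        """The binary value of the chosen bit set of the source address names the processor."""
        return (int(ipaddress.ip_address(src)) >> self.shift) & (self.n - 1)

    def receive(self, pkt: Packet, arrived_at: int) -> str:
        key = (pkt.src, pkt.dst, pkt.port)
        if pkt.seq == 0:
            handler = self.processor_for(pkt.src)   # step (b)(i)-(ii): forward by bit set
            action = lookup_security(*key)          # step (b)(iii): security table -> IT entry
            for table in self.it_tables:            # step (b)(iv): entry sent to every processor
                table[key] = action
        else:
            handler = arrived_at                    # assumed: later packets stay where they arrive
            action = self.it_tables[handler].get(key)
            if action is None:                      # no open message: a packet without a zero packet
                action = "drop-no-entry"
        self.trace.append((handler, pkt.seq, action))   # step (b)(v): process per IT entry
        if pkt.last:                                # step (c): last packet closes the message everywhere
            for table in self.it_tables:
                table.pop(key, None)
        return action

    def open_messages(self) -> int:
        """Number of IT entries held by processor 0 (all copies are kept identical)."""
        return len(self.it_tables[0])


if __name__ == "__main__":
    system = PacketSystem(4)
    flow = ("198.51.100.7", "10.0.0.5", 443)
    for pkt, at in [(Packet(*flow, 0), 1), (Packet(*flow, 1), 0),
                    (Packet(*flow, 2, last=True), 2), (Packet(*flow, 3), 1)]:
        print(pkt.seq, "->", system.receive(pkt, at), "| open:", system.open_messages())
    print(system.trace)
```

The replication in step (b)(iv) is what lets a later packet of the message be processed by a processor other than the one that opened it, and the deletion in step (c) is what makes a stray packet arriving after the last one fall through with no entry instead of being processed under a stale decision.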