Patent · US Expired

System for packet filtering of data packets at a computer network interface

US5878231A · kind A · utility

Cited by: 118
References: 6
Claims: 12
Family size: 0

Assignee

Inventors

Key dates

Filing date: Feb 4, 1997
Grant date: Mar 2, 1999
Priority date
Expiry date: Feb 4, 2017

Classification

  • Technology area (CPC H)Electricity
  • CPC primaryH04L63/0236
  • WIPO fieldDigital communication
  • WIPO sectorElectrical engineering

Abstract

A system for screening data packets transmitted between a network to be protected, such as a private network, and another network, such as a public network. The system includes a dedicated computer with multiple (specifically, three) types of network ports: one connected to each of the private and public networks, and one connected to a proxy network that contains a predetermined number of hosts and services, some of which may mirror a subset of those found on the private network. The proxy network is isolated from the private network, so it cannot be used as a jumping-off point for intruders. Packets received at the screen (either into or out of a host in the private network) are filtered based upon their contents, state information and other criteria, including their source and destination, and actions are taken by the screen depending upon the determination of the filtering phase. The packets may be allowed through, with or without alteration of their data, IP (internet protocol) address, etc., or they may be dropped, with or without an error message generated to the sender of the packet. Packets may be sent with or without alteration to a host on the proxy network that perf…
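As an added illustration (not code from the patent or from any product that implements it), the Python model below reproduces the decision logic the abstract describes: three port types, source/destination and state checks, and the outcomes the abstract names (pass unchanged, pass with the IP address rewritten, drop silently, drop with an error to the sender, hand to a host on the proxy network). The address prefixes, the proxy service table, the state-table key layout, the string-prefix address test and the rule that proxy hosts may only answer flows handed to them are all assumptions made to keep the model short.

```python
"""Toy model of the three-port packet screen the abstract describes.
Added illustration, not code from the patent: interface names, the
string-prefix address test, the rule set and the state-table layout
are assumptions chosen to keep the model short."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class Port(Enum):            # the three kinds of network port on the screen
    PRIVATE = "private"
    PUBLIC = "public"
    PROXY = "proxy"


class Action(Enum):          # outcomes named in the abstract
    PASS = "pass"                  # forwarded unchanged
    PASS_REWRITE = "pass_rewrite"  # forwarded with an altered IP address
    DROP = "drop"                  # discarded silently
    REJECT = "reject"              # discarded, error message sent to sender
    TO_PROXY = "to_proxy"          # handed to a host on the proxy network


@dataclass(frozen=True)
class Packet:
    ingress: Port
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False        # True for a TCP connection attempt


# state key: (proto, outside peer ip, outside peer port, screen-side port)
Flow = Tuple[str, str, int, int]


@dataclass
class Screen:
    private_net: str = "10.0.0."            # assumed /24 prefixes, as strings
    proxy_net: str = "192.168.100."
    public_addr: str = "203.0.113.1"        # the screen's own public address
    # (proto, port) -> proxy host that mirrors that service for the public side
    proxy_services: Dict[Tuple[str, int], str] = field(
        default_factory=lambda: {("tcp", 80): "192.168.100.10"})
    state: Dict[Flow, str] = field(default_factory=dict)

    def _private(self, ip: str) -> bool:
        return ip.startswith(self.private_net)

    def _proxy(self, ip: str) -> bool:
        return ip.startswith(self.proxy_net)

    def decide(self, p: Packet) -> Tuple[Action, Optional[str]]:
        """Return (action, rewritten address or proxy target)."""
        # 1. Isolation: the proxy network can never reach the private network,
        #    and private hosts do not talk to the proxy network directly.
        if (p.ingress == Port.PROXY and self._private(p.dst)) or \
           (p.ingress == Port.PRIVATE and self._proxy(p.dst)):
            return Action.DROP, None
        # 2. Anti-spoofing: the source address must belong to the ingress side.
        if p.ingress == Port.PUBLIC and (self._private(p.src) or self._proxy(p.src)):
            return Action.DROP, None
        if p.ingress == Port.PRIVATE and not self._private(p.src):
            return Action.DROP, None
        if p.ingress == Port.PROXY and not self._proxy(p.src):
            return Action.DROP, None
        # 3. Outbound from the private network: record the flow and hide the
        #    internal source behind the screen's public address.
        if p.ingress == Port.PRIVATE:
            self.state[(p.proto, p.dst, p.dport, p.sport)] = p.src
            return Action.PASS_REWRITE, self.public_addr
        # 4. A proxy host may only answer a public client it was handed earlier
        #    (assumption: proxy hosts never originate connections).
        if p.ingress == Port.PROXY:
            if self.state.get((p.proto, p.dst, p.dport, p.sport)) == p.src:
                return Action.PASS_REWRITE, self.public_addr
            return Action.DROP, None
        # 5. Inbound from the public network.
        inside = self.state.get((p.proto, p.src, p.sport, p.dport))
        if inside is not None:
            # packet belongs to an established flow: undo the translation,
            # or deliver to the proxy host that owns the flow
            if self._proxy(inside):
                return Action.TO_PROXY, inside
            return Action.PASS_REWRITE, inside
        if p.syn and p.dst == self.public_addr and (p.proto, p.dport) in self.proxy_services:
            target = self.proxy_services[(p.proto, p.dport)]
            self.state[(p.proto, p.src, p.sport, p.dport)] = target
            return Action.TO_PROXY, target
        if p.syn:
            return Action.REJECT, None    # new attempt at a closed service: tell the sender
        return Action.DROP, None          # stray packet with no state: stay silent


if __name__ == "__main__":
    # constructed sample traffic, not captured data
    s = Screen()
    print(s.decide(Packet(Port.PRIVATE, "10.0.0.5", "198.51.100.7", "tcp", 40000, 443, syn=True)))
    print(s.decide(Packet(Port.PUBLIC, "198.51.100.9", "203.0.113.1", "tcp", 5555, 80, syn=True)))
    print(s.decide(Packet(Port.PROXY, "192.168.100.10", "10.0.0.5", "tcp", 1234, 22, syn=True)))
```

The ordering matters: the isolation and anti-spoofing checks run before any state lookup, so a compromised proxy host cannot ride an existing state entry into the private network, and a public sender cannot claim a private source address to bypass the rewrite. A production screen would key state on the full 5-tuple, age entries out, and distinguish TCP flags beyond a single syn bit; the model keeps only what the abstract's description needs.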

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.