Secure cloud storage distribution and aggregation
US-2015363611-A1 · Dec 17, 2015 · US
US9979695B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9979695-B2 |
| Application number | US-201414913414-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 22, 2014 |
| Priority date | Aug 23, 2013 |
| Publication date | May 22, 2018 |
| Grant date | May 22, 2018 |
Official abstract text for this publication.
The invention relates to a method for monitoring a security network interface unit (23), for example a firewall, which receives a stream of data packets via a first interface (21), checks said data stream with respect to filtering rules, and outputs said data stream to a second interface (22). The method has the steps of duplicating and outputting the data stream to the second interface (22), checking the output data stream for inadmissible data traffic, transmitting a warning message to the security network interface unit if inadmissible data traffic is detected in the data stream, and restricting the data stream by means of the security network interface unit if the warning message is received in the security network interface unit (23). The device or the system according to the invention comprises units which are designed to carry out the aforementioned method.
Opening claim text (preview).
The invention claimed is:

1. A method for monitoring a security network gateway unit that receives a stream of data packets via a first interface, checks the data stream with respect to filtering rules, and outputs the data stream to a second interface, the method comprising: duplicating and outputting the data stream at the second interface; checking the output data stream for impermissible data traffic; transmitting a warning message to the security network gateway unit when impermissible data traffic is detected in the data stream; and restricting the data stream by the security network gateway unit when the warning message is received in the security network gateway unit, wherein restricting the data stream comprises restarting the security network gateway unit with protected boot software, restarting the security network gateway unit with a replacement firmware image, or changing from an active virtual machine to a replacement virtual machine in the security network gateway unit.
2. The method of claim 1 further comprising: duplicating and outputting the data stream at the first interface; comparing the data stream at the first interface with the data stream at the second interface; and transmitting a warning message to the security network gateway unit when the data stream from the second interface differs from the data stream from the first interface.
3. The method of claim 1, wherein restricting the data stream further comprises activating replacement filtering rules of the security network gateway unit.
4. The method of claim 1, wherein restricting the data stream further comprises deactivating the second interface, deactivating the first interface of the security network gateway unit, or a combination thereof.
5. The method of claim 1, wherein restricting the data stream further comprises deactivating a power supply unit of the network gateway unit.
6. The method of claim 1, wherein the restriction of the data stream of the security network gateway unit remains active while the warning message is received at the security network gateway unit.
7. The method of claim 1, wherein the restriction of the data stream remains active until an explicit signal for canceling the restriction is received at the security network gateway unit.
8. The method of claim 7, wherein the explicit signal for canceling the restriction is the result of an action by administration personnel.
9. A device for monitoring a security network gateway that receives a stream of data packets via a first interface, checks the stream of data packets with respect to filtering rules and outputs the stream of data packets to a second interface, the device comprising: a processor configured to: duplicate and output the stream of data packets at the second interface; check the output stream of data packets for impermissible data traffic; and transmit a warning message to the security network gateway when impermissible data traffic is detected in the stream of data packets, wherein the security network gateway is configured to restrict the data stream when the warning message is received in the security network gateway, wherein restricting the data stream comprises restarting the security network gateway with protected boot software, restarting the security network gateway with a replacement firmware image, or changing from an active virtual machine to a replacement virtual machine in the security network gateway.
10. The device of claim 9, wherein the processor is further configured to: duplicate and output the data stream at the first interface; compare the output data stream from the first interface with the data stream from the second interface; and transmit a warning message to the security network gateway when differences between the data stream from the second interface and the data stream from the first interface are detected.
11. A system for monitoring a security network gateway, the system comprising: a security network gateway configured to: receive a stream of data packets via a first interface; check the stream of data packets with respect to filtering rules; and output the stream of data packets to a second interface; and a processor configured to monitor the security network gateway, the processor configured to: duplicate and output the stream of data packets at the second interface; check the output data stream for impermissible data traffic; and transmit a warning message to the security network gateway when impermissible data traffic is detected in the stream of data packets, wherein the security network gateway is configured to restrict the stream of data packets, wherein restricting the data stream comprises restarting the security network gateway with protected boot software, restarting the security network gateway with a replacement firmware image, or changing from an active virtual machine to a replacement virtual machine in the security network gateway.
12. The system of claim 11, wherein the processor is further configured to: duplicate and output the stream of data packets at the first interface; compare the output data stream from the first interface with the stream of data packets from the second interface; and transmit a warning message to the security network gateway when differences between the stream of data packets from the second interface and the stream of data packets from the first interface are detected.
13. The system of claim 12, wherein the restriction of the stream of data packets comprises activating replacement filtering rules of the security network gateway.
14. A non-transitory computer-readable storage medium storing instructions executable by a processor to monitor a security network gateway unit that receives a stream of data packets via a first interface, checks the data stream with respect to filtering rules, and outputs the data stream to a second interface, the instructions comprising: duplicating and outputting the data stream at the second interface; checking the output data stream for impermissible data traffic; transmitting a warning message to the security network gateway unit when impermissible data traffic is detected in the data stream; and restricting the data stream by the security network gateway unit when the warning message is received in the security network gateway unit, wherein restricting the data stream comprises restarting the security network gateway unit with protected boot software, restarting the security network gateway unit with a replacement firmware image, or changing from an active virtual machine to a replacement virtual machine in the security network gateway unit.
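
As an added illustration (not code from the patent), the monitoring loop of claims 1, 2 and 7 can be sketched as below. The `Packet` fields, the port allow-list, the image names and the rule that every egress packet must match a packet seen at ingress are assumptions made for this example.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

# The monitor's own policy, held separately from the gateway's filtering rules (constructed).
ALLOWED_DPORTS = {443, 502}

@dataclass
class Gateway:
    """Stand-in for the security network gateway unit; all names are hypothetical."""
    active_image: str = "vm-active"
    restricted: bool = False
    warnings: list = field(default_factory=list)

    def receive_warning(self, reason):
        # Claim 1: restrict by changing to the replacement virtual machine.
        self.warnings.append(reason)
        self.restricted = True
        self.active_image = "vm-replacement"

    def admin_cancel(self):
        # Claims 7 and 8: only an explicit administrator signal lifts the restriction.
        self.restricted = False

def monitor(ingress_copy, egress_copy, gateway):
    """Check the duplicated egress stream; warn on policy violations and on
    egress packets that have no counterpart in the duplicated ingress stream."""
    seen = Counter(ingress_copy)
    for pkt in egress_copy:
        if pkt.dport not in ALLOWED_DPORTS:
            gateway.receive_warning(f"impermissible traffic to port {pkt.dport}")
        if seen[pkt] > 0:
            seen[pkt] -= 1  # matched; a dropped ingress packet is normal filtering
        else:
            gateway.receive_warning(f"egress packet not seen at ingress: {pkt.src}->{pkt.dst}")
    return gateway.warnings

# Constructed sample streams: the port-23 packet should be filtered by a healthy gateway.
INGRESS = [Packet("10.0.0.5", "192.0.2.10", 443),
           Packet("10.0.0.5", "192.0.2.10", 23),
           Packet("10.0.0.6", "192.0.2.11", 502)]
GOOD_EGRESS = [INGRESS[0], INGRESS[2]]
BAD_EGRESS = [INGRESS[0], INGRESS[1], Packet("10.0.0.9", "192.0.2.10", 443)]

if __name__ == "__main__":
    gw = Gateway()
    print(monitor(INGRESS, BAD_EGRESS, gw), gw.active_image, gw.restricted)
```

The restriction is latched: a later clean observation does not clear it, which matches the claim 7 behaviour rather than the claim 6 variant where it lasts only while warnings arrive.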
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title
Event detection, e.g. attack signature detection · CPC title
for separating internal from external traffic, e.g. firewalls · CPC title
by monitoring network traffic (monitoring network traffic per se H04L43/00) · CPC title
Rule management · CPC title