U.S. Navy Patents the Firewall?

Krishna Dagli writes to mention a post by Bruce Schneier on his site indicating that the U.S. Navy may be patenting the Firewall. Whether or not it is their intention to do so is unclear. From the patent description: "In a communication system having a plurality of networks, a method of achieving network separation between first and second networks is described. First and second networks with respective first and second degrees of trust are defined, the first degree of trust being higher than the second degree of trust. Communication between the first and second networks is enabled via a network interface system having a protocol stack, the protocol stack implemented by the network interface system in an application layer."

Re:Might not be a bad thing?

[tinkerghost]

It's cheaper to make a declaritory statement saying "This is public domain, this is how to do it, and this is why it works. Have a nice day, thank you."
The end result is it's public domain. Patented it costs 3-5 grand vs a PDF on a website.

Re:Errr...

[Grant,thompson]

It really is a method to allow information to flow between secure and insecure networks without creating security leaks (as you mentioned). Here is an article published by some of the inventors: http://chacs.nrl.navy.mil/publications/CHACS/1998/ 1998kang-IEEE.pdf [navy.mil] Also remember, this was filed for in 2003.

It's all in the claims (broad vs. specific)

[Andy Dodd]

From what I've read of the actual patent so far, it appears that it is a very specific implementation of a specific type of firewall.

See claim 3 for example - What they are describing implies a machine with two dedicated processors with shared memory, one for each network. Note that for what they are describing, a typical SMP or dual core system does NOT count - It seems that they are effectively describing two seperate machines in one box that can communicate via shared memory.

Also other claims imply that the patented system will be talking to each network at the application level, so it's more of a special form of proxy server rather than a firewall.

I don't have time right now to read further details, but keep in mind that even specific patents can appear much broader than they are in the abstract. For example, one can't patent the wheel or a tire, but when patenting a tire with a specific tread pattern, it might appear in the abstract that the applicant is trying to patent the tire in general even when they're not.

Re:The Military Gets Patents?

[DoofusOfDeath]

I asked a Navy guy about this. He gave two reasons that Navy researchers are encouraged to get patents:
1) To ensure that no one else can patent the same idea, and then charge the Navy for using it. Personally, I don't buy this, because the Navy could just establish a prior art database for these ideas to achieve the same effect.

2) Being able to license the technology to non-Navy industries. I.e., medical applications. This justification at least seems, albeit distasteful.

jesus harold christ.

[hamburger lady]

i love it. "the navy patents the firewall!!!one!". and they include a link to a Patent Application.

here's a tip: an application aint a patent.

Does Marcus J. Ranum know about this

[rs232]

Marcus J. Ranum .. is recognized as the inventor [awprofessional.com] of the proxy firewall, and the implementor of the first commercial firewall product.

Re:Government patents?

[ch-chuck]

I can't find anything in the constitution that makes this abhorent practice illegal or unjustified.

Here it is, in Article I, section 8:

"Congress shall have power . . . To promote the progress of science and useful arts, by securing for limited times to authors and inventors the exclusive right to their respective writings and discoveries."

Re:I was...

[C-Shalom]

The government has patented numerous things.
The link below is just one of those things.
NSA PCMCIA Card Connector [nsa.gov]
Here is a page [nsa.gov] about how the NSA specifically creates and licenses these technologies and invention to the public.

Your tax dollars at work, helping to generate more revenue with those tax dollars.

Proxy firewalls

[booch]

The patent does not apply to packet filter firewalls (the majority of all firewalls, including the ones you listed) because it says the packets traverse the application layer. The market for application layer (proxy) firewalls is actually pretty narrow. The main contender (SideWinder) recently bought out the 2 main competitors (Gauntlet and CyberGuard). Whether it would apply to hybrid firewalls (packet filters that do deep inspection, like Checkpoint and Netscreen) is less clear.

Re:Errr...

[simong_oz]

This is in the DESCRIPTION of the patent. What they are actually (trying) to patent (this is a patent application, not a granted patent) is detailed in the CLAIMS. These are what you need to read, carefully, and probably with advice from a patent attorney.

Once a patent application has been published (usually at 12/18 months after filing), it then gets passed on to the patent office in each country to be examined. It is entirely possible that a patent has got to this stage without anyone "official" actually doing any kind of search for proior art or examination of the claims. There may have been an international search report, but this still doesn't mean that much.

Re:Might not be a bad thing?

[superid]

The Navy doesn't collect royalties, they collect license fees. Go here [navy.mil] to browse some patents. If you license one of mine, I get a percentage of the fee :)

Re:Proxy firewalls

[ThePhilips]

Application layer proxies in the firewall world refer to intelligent proxies that do protocol inspection.

I do not want to go into the depth, but any protocol recognition/etc is already intellegent. And after some time spent in industry, you would have known that there is no such thing as "intelegent proxies". It's all PR myth. What they really do is look at TCP/UDP port numbers. Nothing more. And there is nothing else you can actually do.

Simple example some time ago used to crash experimental demo of such system. First line of TCP stream looks like "GET / HTTP/1.0". What protocol could that be? The answer isn't trivial as many might have thought. It might be (1) HTTP protocol, (2) FTP data connection receiving text file containing HTTP dump, (3) It might be Skype probing for transparent HTTP(S) proxies and so on. There is no way you can analyze it intelegently. All the methods have holes.

In my case it was even more problematic. Telcos/celcos wanted to use that for quality of service and charging. E.g. if you connect to www.o2.com - it's free, if you go to www.t-online.com - you pay $XX. But they are still not reached the magic number of 85% of properly classified traffic. Not yet. As soon as you find out that you have such equipment installed, simple countermeasures like proxying and encryption will get you off the hook.

P.S. Biggest problem with such analyzers, that they cannot look into encrypted protocols. Even BitTorrent started encrypting traffic to avoid dumb packet matching.

P.P.S. Another interesting situation arises from dropped TCP connections. Was it legit connection? Or was it not? Has anybody received anything or not? Many intelegent accounting systems can be bypassed by tuning OS to *not* to close cleanly TCP connections. Not good situation too. If you are not on receiving end - no way you would know what was happening.