U.S. Navy Patents the Firewall?
Krishna Dagli writes to mention a post by Bruce Schneier on his site indicating that the U.S. Navy may be patenting the Firewall. Whether or not it is their intention to do so is unclear. From the patent description: "In a communication system having a plurality of networks, a method of achieving network separation between first and second networks is described. First and second networks with respective first and second degrees of trust are defined, the first degree of trust being higher than the second degree of trust. Communication between the first and second networks is enabled via a network interface system having a protocol stack, the protocol stack implemented by the network interface system in an application layer."
Re:Might not be a bad thing? (Score:3, Informative)
The end result is it's public domain. Patenting it costs 3-5 grand vs. a PDF on a website.
Re:Errr... (Score:4, Informative)
It's all in the claims (broad vs. specific) (Score:5, Informative)
See claim 3 for example - What they are describing implies a machine with two dedicated processors with shared memory, one for each network. Note that for what they are describing, a typical SMP or dual core system does NOT count - It seems that they are effectively describing two separate machines in one box that can communicate via shared memory.
Also other claims imply that the patented system will be talking to each network at the application level, so it's more of a special form of proxy server rather than a firewall.
I don't have time right now to read further details, but keep in mind that even specific patents can appear much broader than they are in the abstract. For example, one can't patent the wheel or a tire, but when patenting a tire with a specific tread pattern, it might appear in the abstract that the applicant is trying to patent the tire in general even when they're not.
Re:The Military Gets Patents? (Score:3, Informative)
1) To ensure that no one else can patent the same idea, and then charge the Navy for using it. Personally, I don't buy this, because the Navy could just establish a prior art database for these ideas to achieve the same effect.
2) Being able to license the technology to non-Navy industries. I.e., medical applications. This justification at least seems, albeit distasteful.
jesus harold christ. (Score:3, Informative)
here's a tip: an application ain't a patent.
Does Marcus J. Ranum know about this (Score:3, Informative)
Re:Government patents? (Score:2, Informative)
Here it is, in Article I, section 8:
"Congress shall have power . . . To promote the progress of science and useful arts, by securing for limited times to authors and inventors the exclusive right to their respective writings and discoveries."
Re:I was... (Score:4, Informative)
The link below is just one of those things.
NSA PCMCIA Card Connector [nsa.gov]
Here is a page [nsa.gov] about how the NSA specifically creates and licenses these technologies and invention to the public.
Your tax dollars at work, helping to generate more revenue with those tax dollars.
Proxy firewalls (Score:5, Informative)
Re:Errr... (Score:3, Informative)
Once a patent application has been published (usually at 12/18 months after filing), it then gets passed on to the patent office in each country to be examined. It is entirely possible that a patent has got to this stage without anyone "official" actually doing any kind of search for prior art or examination of the claims. There may have been an international search report, but this still doesn't mean that much.
Re:Might not be a bad thing? (Score:4, Informative)
Re:Proxy firewalls (Score:3, Informative)
I do not want to go into depth, but any protocol recognition etc. is already "intelligent". And after some time spent in industry, you would know that there is no such thing as "intelligent proxies". It's all a PR myth. What they really do is look at TCP/UDP port numbers. Nothing more. And there is nothing else you can actually do.
A simple example some time ago used to crash an experimental demo of such a system. The first line of a TCP stream looks like "GET / HTTP/1.0". What protocol could that be? The answer isn't as trivial as many might have thought. It might be (1) the HTTP protocol, (2) an FTP data connection receiving a text file containing an HTTP dump, (3) Skype probing for transparent HTTP(S) proxies, and so on. There is no way you can analyze it intelligently. All the methods have holes.
In my case it was even more problematic. Telcos/celcos wanted to use that for quality of service and charging. E.g. if you connect to www.o2.com it's free; if you go to www.t-online.com you pay $XX. But they still have not reached the magic number of 85% of properly classified traffic. Not yet. As soon as you find out that you have such equipment installed, simple countermeasures like proxying and encryption will get you off the hook.
P.S. The biggest problem with such analyzers is that they cannot look into encrypted protocols. Even BitTorrent started encrypting traffic to avoid dumb packet matching.
P.P.S. Another interesting situation arises from dropped TCP connections. Was it a legit connection? Or was it not? Has anybody received anything or not? Many intelligent accounting systems can be bypassed by tuning the OS to *not* close TCP connections cleanly. Not a good situation either. If you are not on the receiving end, there is no way you would know what was happening.
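The classification problem the post above describes (the same "GET / HTTP/1.0" opening line appearing in an HTTP session, an FTP data transfer and a proxy probe, plus encrypted BitTorrent defeating byte matching) can be reproduced with a small experiment. The following is an added example, not code from the Slashdot thread or from any product mentioned in it: a toy classifier that guesses a protocol from the destination port, from the first bytes of the stream, and from both, run over a handful of constructed sample flows. The flows, the port table and the byte signatures are all assumptions made for the example; the encrypted-BitTorrent bytes are made up to stand in for a random-looking key exchange.

```python
"""
Added example, not from the Slashdot thread: a toy flow classifier run over
constructed sample flows, to show why a proxy or accounting box that keys on
port numbers and the first bytes of a stream cannot reliably tell what
protocol it is carrying.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    truth: str          # what the flow really is (ground truth, constructed)
    dst_port: int
    first_bytes: bytes  # the opening bytes an inline analyzer would see


# Constructed sample flows. The first three all open with the line the post quotes.
SAMPLE_FLOWS = [
    Flow("http", 80, b"GET / HTTP/1.0\r\nHost: example.com\r\n\r\n"),
    # FTP data channel (passive mode, high port) carrying a text file that
    # happens to contain an HTTP request dump.
    Flow("ftp-data", 51234, b"GET / HTTP/1.0\r\nHost: example.com\r\n\r\n"),
    # Plain HTTP sent to a proxy on a non-standard port.
    Flow("http", 8080, b"GET / HTTP/1.0\r\n\r\n"),
    Flow("tls", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    Flow("bittorrent", 6881, b"\x13BitTorrent protocol"),
    # BitTorrent with protocol encryption on a random port: the opening bytes
    # are a key exchange and look random (constructed stand-in bytes here).
    Flow("bittorrent", 49152, bytes.fromhex("9f1c0a7b4e22d3c8510ab6ee4d7f30c1")),
]

# Port-based guessing: the lookup table such boxes mostly rely on (assumed).
PORT_TABLE = {20: "ftp-data", 21: "ftp", 80: "http", 443: "tls",
              8080: "http", 6881: "bittorrent"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify_by_port(flow: Flow) -> str:
    return PORT_TABLE.get(flow.dst_port, "unknown")


def classify_by_payload(flow: Flow) -> str:
    """Signature match on the first bytes only."""
    first_line = flow.first_bytes.split(b"\r\n", 1)[0]
    if first_line.startswith(HTTP_METHODS) and b" HTTP/" in first_line:
        return "http"
    if flow.first_bytes.startswith(b"\x16\x03"):   # TLS record header
        return "tls"
    if flow.first_bytes.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    return "unknown"


def classify_combined(flow: Flow) -> str:
    """Payload signature first, fall back to the port table."""
    guess = classify_by_payload(flow)
    return guess if guess != "unknown" else classify_by_port(flow)


def evaluate(flows, classifier):
    """Return (fraction correctly classified, list of (truth, guess) misses)."""
    misses = [(f.truth, classifier(f)) for f in flows if classifier(f) != f.truth]
    return (len(flows) - len(misses)) / len(flows), misses


if __name__ == "__main__":
    for name, clf in [("port", classify_by_port),
                      ("payload", classify_by_payload),
                      ("combined", classify_combined)]:
        acc, misses = evaluate(SAMPLE_FLOWS, clf)
        print(f"{name:9s} accuracy {acc:.0%}  misses {misses}")
```

On these six flows every strategy lands at 4 out of 6: the port table misses anything on an unexpected port, the byte signature labels the FTP data transfer as HTTP and sees nothing in the encrypted stream, and stacking the two inherits both blind spots. That is the post's point in miniature: the opening bytes are evidence about the content, not about the conversation they belong to, and encryption removes even that.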