A method of establishing a representation of an abstract network security policy is disclosed. The representation is established in the form of a decision tree that is constructed by assembling graphical symbols representing policy actions and policy conditions. A user modifies properties of the graphical symbols to create a logical representation of the policy. Concurrently, the logical representation is transformed into a textual script that represents the policy, and the script is displayed as the user works with the logical representation. When the policy representation is saved, the script is translated into machine instructions that govern the operation of a network gateway or firewall. The policy representation is named. The policy representation may be applied to other network devices or objects by moving an icon identifying the representation over an icon representing the network device.
Network Gateway Mechanism Having A Protocol Stack Proxy
A system for a network gateway that provides computer data security using a protocol stack proxy is disclosed. The system evaluates data that arrives at a computer system that is executing a network operating system. The system comprises a protocol stack proxy, coupled between a device driver on the computer system that is configured to receive the data from a network and deliver the data according to a first protocol associated with a first network layer, and one or more components of the network operating system that receive packets according to the first protocol. The protocol stack proxy has one or more protocol proxy layers configured to (A) receive the data from the device driver; (B) pass the data to a second network layer that is higher than the first network layer; (C) evaluate the data to determine whether the data satisfies a predetermined criteria; and (D) if the data satisfies the predetermined criteria, to (D1) pass the data to the first network layer, and (D2) transmit the data to the one or more components to the network operating system.