Patents by Inventor Philip Kwan
Philip Kwan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 8918875
  Abstract: A system and method that provides for copying ARP replies, and generating data packets which include the ARP reply and other information, such as an identification of the port on which the ARP reply was received. These data packets are then transmitted to an ARP collector which stores the ARP reply and port information. The ARP collector then uses this stored information, and analyzes future data packets relative to the stored information, to detect occurrences of ARP spoofing. The ARP collector further provides for generating alerts and taking security actions when ARP reply spoofing is detected.
  Type: Grant
  Filed: July 18, 2011
  Date of Patent: December 23, 2014
  Assignee: Foundry Networks, LLC
  Inventor: Philip Kwan
- Patent number: 8893256
  Abstract: A system and method that provides for protection of a CPU of a router by establishing a management port on the router. Hosts which are connected to non-management ports of the router are denied access to management functions of the CPU of the router. The system and method can utilize an application specific integrated circuit (ASIC), in conjunction with a CAM-ACL, which analyzes data packets received on the ports of the router, and the ASIC operates to drop data packets which are directed to the CPU of the router. This system and method operates to filter data packets which may be generated in attempts to hack into control functions of a network device, and the operation does not require that the CPU analyze all received data packets in connection with determining access to the control functions of the router.
  Type: Grant
  Filed: June 30, 2010
  Date of Patent: November 18, 2014
  Assignee: Brocade Communications Systems, Inc.
  Inventors: Ronald W. Szeto, Philip Kwan, Raymond Wai-Kit Kwong
- Patent number: 8769260
  Abstract: Encryption of message content of an e-mail sent by way of a webmail service may be performed in response to activation of a user interface element. The message content may be encrypted using a symmetric key. A public key of a recipient of the e-mail is received from a backend service and employed to encrypt the symmetric key. The encrypted symmetric key and encrypted message content are sent to a recipient by way of the webmail service. Decryption of the encrypted message content may be performed in response to activation of another user interface element. A private key of the recipient is received from the backend service and employed to decrypt the encrypted symmetric key. The symmetric key is thereafter employed to decrypt the encrypted message content.
  Type: Grant
  Filed: April 10, 2012
  Date of Patent: July 1, 2014
  Assignee: Trend Micro Incorporated
  Inventors: Philip Kwan, Michael Harry Palmer
- Patent number: 8762712
  Abstract: A person-to-person secure file transfer system includes an originating computer that receives a public key of a recipient from a cloud computing system. The originating computer encrypts a file using a message key, and encrypts the message key using the public key of the recipient. The encrypted file is stored in the cloud computing system. In response to a request from a receiving computer, the cloud computing system decrypts the encrypted message key using a private key of the recipient, decrypts the encrypted file using the message key, and provides the now decrypted file to the receiving computer. In another example, the cloud computing system provides the private key of the recipient and the encrypted file to the receiving computer, which decrypts the encrypted message key using the private key of the recipient and decrypts the encrypted file using the message key.
  Type: Grant
  Filed: July 27, 2012
  Date of Patent: June 24, 2014
  Assignee: Trend Micro Incorporated
  Inventors: Philip Kwan, Michael Harry Palmer
- Patent number: 8681800
  Abstract: A system, method and apparatus for providing multiple access modes in a data communications network includes a network access device having a plurality of input ports, a plurality of output ports, and a switching fabric for routing data received on the plurality of input ports to at least one of the plurality of output ports. Control logic within the network access device is adapted to determine whether a user device coupled to one of the plurality of input ports supports a user authentication protocol used by a host network. If the user authentication protocol is not supported, then the input port to which the network access device is coupled is placed in a semi-authorized access state that limits access to a pre-configured network accessible via the host network.
  Type: Grant
  Filed: May 1, 2012
  Date of Patent: March 25, 2014
  Assignee: Foundry Networks, LLC
  Inventor: Philip Kwan
- Patent number: 8533823
  Abstract: A system and method that provides for using source IP addresses and MAC addresses in a network to provide security against attempts by users of the network to use false source IP addresses in data packets. The system and method provide for analyzing MAC addresses and source IP addresses at the datalink (layer 2) level, and for using the information derived from such analysis to block access through a port where a host device is using a false, or spoofed, source IP address in transmitted data packets. Further, the system and method provide for validating initially learned source IP addresses, and for determining whether the number of unsuccessful attempts to validate new source IP addresses exceeds a threshold level; where the number does exceed the threshold, the system and method can provide for operation in a possible-attack mode.
  Type: Grant
  Filed: February 25, 2009
  Date of Patent: September 10, 2013
  Assignee: Foundry Networks, LLC
  Inventors: Ronald W. Szeto, Nitin Jain, Ravindran Suresh, Philip Kwan
- Patent number: 8528071
  Abstract: A system and method for providing a number of different authentication methods. The system and method can be used in conjunction with a data communications network, where client devices gain access to the data communications network through a network access device. The different authentication methods can allow for authentication based on a physical address of the client device, can allow for authentication based on a web authentication procedure, and can provide for an authentication method which utilizes a combination of authentication methods, including authentication based on both the physical address of the client device and user credential information.
  Type: Grant
  Filed: August 24, 2004
  Date of Patent: September 3, 2013
  Assignee: Foundry Networks, LLC
  Inventor: Philip Kwan
- Publication number: 20120216256
  Abstract: A system, method and apparatus for providing multiple access modes in a data communications network includes a network access device having a plurality of input ports, a plurality of output ports, and a switching fabric for routing data received on the plurality of input ports to at least one of the plurality of output ports. Control logic within the network access device is adapted to determine whether a user device coupled to one of the plurality of input ports supports a user authentication protocol used by a host network. If the user authentication protocol is not supported, then the input port to which the network access device is coupled is placed in a semi-authorized access state that limits access to a pre-configured network accessible via the host network.
  Type: Application
  Filed: May 1, 2012
  Publication date: August 23, 2012
  Applicant: Brocade Communications Systems, Inc.
  Inventor: Philip Kwan
- Patent number: 8249096
  Abstract: A system, method and apparatus for providing multiple access modes in a data communications network includes a network access device having a plurality of input ports, a plurality of output ports, and a switching fabric for routing data received on the plurality of input ports to at least one of the plurality of output ports. Control logic within the network access device is adapted to determine whether a user device coupled to one of the plurality of input ports supports a user authentication protocol used by a host network. If the user authentication protocol is not supported, then the input port to which the network access device is coupled is placed in a semi-authorized access state that limits access to a pre-configured network accessible via the host network.
  Type: Grant
  Filed: August 26, 2010
  Date of Patent: August 21, 2012
  Assignee: Foundry Networks, LLC
  Inventor: Philip Kwan
- Patent number: 8245300
  Abstract: A system and method that provides for copying ARP replies, and generating data packets which include the ARP reply and other information, such as an identification of the port on which the ARP reply was received. These data packets are then transmitted to an ARP collector which stores the ARP reply and port information. The ARP collector then uses this stored information, and analyzes future data packets relative to the stored information, to detect occurrences of ARP spoofing. The ARP collector further provides for generating alerts and taking security actions when ARP reply spoofing is detected.
  Type: Grant
  Filed: June 4, 2009
  Date of Patent: August 14, 2012
  Assignee: Foundry Networks LLC
  Inventor: Philip Kwan
- Patent number: 8239929
  Abstract: A multiple key, multiple tiered network security system, method and apparatus provides at least three levels of security. The first level of security includes physical (MAC) address authentication of a user device being attached to the network, such as a user device being attached to a port of a network access device. The second level includes authentication of the user of the user device, such as user authentication in accordance with the IEEE 802.1x standard. The third level includes dynamic assignment of a user policy to the port based on the identity of the user, wherein the user policy is used to selectively control access to the port. The user policy may identify or include an access control list (ACL) or MAC address filter. Also, the user policy is not dynamically assigned if insufficient system resources are available to do so. Failure to pass a lower security level results in a denial of access to subsequent levels of authentication.
  Type: Grant
  Filed: April 28, 2010
  Date of Patent: August 7, 2012
  Assignee: Foundry Networks, LLC
  Inventors: Philip Kwan, Chi-Jui Ho
- Publication number: 20120011584
  Abstract: A system and method that provides for copying ARP replies, and generating data packets which include the ARP reply and other information, such as an identification of the port on which the ARP reply was received. These data packets are then transmitted to an ARP collector which stores the ARP reply and port information. The ARP collector then uses this stored information, and analyzes future data packets relative to the stored information, to detect occurrences of ARP spoofing. The ARP collector further provides for generating alerts and taking security actions when ARP reply spoofing is detected.
  Type: Application
  Filed: July 18, 2011
  Publication date: January 12, 2012
  Applicant: Foundry Networks, LLC
  Inventor: Philip Kwan
- Patent number: 8006304
  Abstract: A system and method that provides for copying ARP replies, and generating data packets which include the ARP reply and other information, such as an identification of the port on which the ARP reply was received. These data packets are then transmitted to an ARP collector which stores the ARP reply and port information. The ARP collector then uses this stored information, and analyzes future data packets relative to the stored information, to detect occurrences of ARP spoofing. The ARP collector further provides for generating alerts and taking security actions when ARP reply spoofing is detected.
  Type: Grant
  Filed: June 4, 2009
  Date of Patent: August 23, 2011
  Assignee: Foundry Networks, LLC
  Inventor: Philip Kwan
- Patent number: 7979903
  Abstract: A system and method that provides for using source IP addresses and MAC addresses in a network to provide security against attempts by users of the network to use false source IP addresses in data packets. The system and method provide for analyzing MAC addresses and source IP addresses at the datalink (layer 2) level, and for using the information derived from such analysis to block access through a port where a host device is using a false, or spoofed, source IP address in transmitted data packets.
  Type: Grant
  Filed: February 25, 2009
  Date of Patent: July 12, 2011
  Assignee: Foundry Networks, LLC
  Inventor: Philip Kwan
- Patent number: 7876772
  Abstract: A system, method and apparatus for providing multiple access modes in a data communications network includes a network access device having a plurality of input ports, a plurality of output ports, and a switching fabric for routing data received on the plurality of input ports to at least one of the plurality of output ports. Control logic within the network access device is adapted to determine whether a user device coupled to one of the plurality of input ports supports a user authentication protocol used by a host network. If the user authentication protocol is not supported, then the input port to which the network access device is coupled is placed in a semi-authorized access state that limits access to a pre-configured network accessible via the host network.
  Type: Grant
  Filed: August 1, 2003
  Date of Patent: January 25, 2011
  Assignee: Foundry Networks, LLC
  Inventor: Philip Kwan
- Publication number: 20100333191
  Abstract: A system and method that provides for protection of a CPU of a router by establishing a management port on the router. Hosts which are connected to non-management ports of the router are denied access to management functions of the CPU of the router. The system and method can utilize an application specific integrated circuit (ASIC), in conjunction with a CAM-ACL, which analyzes data packets received on the ports of the router, and the ASIC operates to drop data packets which are directed to the CPU of the router. This system and method operates to filter data packets which may be generated in attempts to hack into control functions of a network device, and the operation does not require that the CPU analyze all received data packets in connection with determining access to the control functions of the router.
  Type: Application
  Filed: June 30, 2010
  Publication date: December 30, 2010
  Applicant: Foundry Networks, Inc.
  Inventors: Ronald W. Szeto, Philip Kwan, Raymond Wai-Kit Kwong
- Publication number: 20100325700
  Abstract: A system, method and apparatus for providing multiple access modes in a data communications network includes a network access device having a plurality of input ports, a plurality of output ports, and a switching fabric for routing data received on the plurality of input ports to at least one of the plurality of output ports. Control logic within the network access device is adapted to determine whether a user device coupled to one of the plurality of input ports supports a user authentication protocol used by a host network. If the user authentication protocol is not supported, then the input port to which the network access device is coupled is placed in a semi-authorized access state that limits access to a pre-configured network accessible via the host network.
  Type: Application
  Filed: August 26, 2010
  Publication date: December 23, 2010
  Applicant: Brocade Communications Systems, Inc.
  Inventor: Philip Kwan
- Publication number: 20100223654
  Abstract: A multiple key, multiple tiered network security system, method and apparatus provides at least three levels of security. The first level of security includes physical (MAC) address authentication of a user device being attached to the network, such as a user device being attached to a port of a network access device. The second level includes authentication of the user of the user device, such as user authentication in accordance with the IEEE 802.1x standard. The third level includes dynamic assignment of a user policy to the port based on the identity of the user, wherein the user policy is used to selectively control access to the port. The user policy may identify or include an access control list (ACL) or MAC address filter. Also, the user policy is not dynamically assigned if insufficient system resources are available to do so. Failure to pass a lower security level results in a denial of access to subsequent levels of authentication.
  Type: Application
  Filed: April 28, 2010
  Publication date: September 2, 2010
  Applicant: Brocade Communications Systems, Inc.
  Inventors: Philip Kwan, Chi-Jui Ho
- Patent number: 7774833
  Abstract: A system and method that provides for protection of a CPU of a router by establishing a management port on the router. Hosts which are connected to non-management ports of the router are denied access to management functions of the CPU of the router. The system and method can utilize an application specific integrated circuit (ASIC), in conjunction with a CAM-ACL, which analyzes data packets received on the ports of the router, and the ASIC operates to drop data packets which are directed to the CPU of the router. This system and method operates to filter data packets which may be generated in attempts to hack into control functions of a network device, and the operation does not require that the CPU analyze all received data packets in connection with determining access to the control functions of the router.
  Type: Grant
  Filed: September 23, 2003
  Date of Patent: August 10, 2010
  Assignee: Foundry Networks, Inc.
  Inventors: Ronald W. Szeto, Philip Kwan, Raymond Wai-Kit Kwong
- Patent number: 7735114
  Abstract: A multiple key, multiple tiered network security system, method and apparatus provides at least three levels of security. The first level of security includes physical (MAC) address authentication of a user device being attached to the network, such as a user device being attached to a port of a network access device. The second level includes authentication of the user of the user device, such as user authentication in accordance with the IEEE 802.1x standard. The third level includes dynamic assignment of a user policy to the port based on the identity of the user, wherein the user policy is used to selectively control access to the port. The user policy may identify or include an access control list (ACL) or MAC address filter. Also, the user policy is not dynamically assigned if insufficient system resources are available to do so. Failure to pass a lower security level results in a denial of access to subsequent levels of authentication.
  Type: Grant
  Filed: September 4, 2003
  Date of Patent: June 8, 2010
  Assignee: Foundry Networks, Inc.
  Inventors: Philip Kwan, Chi-Jui Ho