Patents by Inventor Linwood H. Overby, Jr.
Linwood H. Overby, Jr. has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Publication number: 20130013915
  Abstract: Embodiments of the present invention address deficiencies of the art in respect to secure communications for multiple hosts in an address translation environment and provide a method, system and computer program product for IPsec SA management for multiple clients sharing a single network address. In one embodiment, a computer implemented method for IPsec SA management for multiple hosts sharing a single network address can include receiving a packet for IPsec processing for a specified client among the multiple clients sharing the single network address. A dynamic SA can be located among multiple dynamic SAs for the specified client using client identifying information exclusive of a 5-tuple produced for the dynamic SA. Finally, IPsec processing can be performed for the packet.
  Type: Application
  Filed: July 12, 2012
  Publication date: January 10, 2013
  Applicant: International Business Machines Corporation
  Inventors: Linwood H. Overby, Jr., Joyce A. Porter, David J. Wierbowski
- Publication number: 20120222087
  Abstract: Intrusion detection is performed by communicating an initialization request from an intrusion detection system enabled application to an intrusion module to begin intrusion detection. Also, a request is communicated to a policy transfer agent to provide an intrusion detection system policy specifically configured for the application. The application identifies where in the application code the intrusion detection system policy is to be checked against an incoming or outgoing communication. Information obtained by the application program is selectively evaluated against information in the intrusion detection system policy. A conditional response is made based upon information in the intrusion detection system policy if an intrusion associated with the application program is detected.
  Type: Application
  Filed: May 11, 2012
  Publication date: August 30, 2012
  Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
  Inventors: Lap T. Huynh, Linwood H. Overby, Jr.
- Patent number: 8250229
  Abstract: Embodiments of the present invention address deficiencies of the art in respect to secure communications for multiple hosts in an address translation environment and provide a method, system and computer program product for IPsec SA management for multiple clients sharing a single network address. In one embodiment, a computer implemented method for IPsec SA management for multiple hosts sharing a single network address can include receiving a packet for IPsec processing for a specified client among the multiple clients sharing the single network address. A dynamic SA can be located among multiple dynamic SAs for the specified client using client identifying information exclusive of a 5-tuple produced for the dynamic SA. Finally, IPsec processing can be performed for the packet.
  Type: Grant
  Filed: September 29, 2005
  Date of Patent: August 21, 2012
  Assignee: International Business Machines Corporation
  Inventors: Linwood H. Overby, Jr., Joyce A. Porter, David J. Wierbowski
- Publication number: 20120198542
  Abstract: A mechanism is provided for sharing one or more security appliances. A trusted system component associated with an application of a plurality of applications in a logically partitioned data processing system sets a destination address of a received packet to an address of a security appliance shared by the plurality of applications. The trusted system component sends the received packet to the security appliance. The trusted system component receives a response from the security appliance. The trusted system component determines whether the response indicates permitting the received packet to proceed to the intended recipient. The trusted system component sends the received packet to the recipient in response to the response indicating permitting the received packet to proceed.
  Type: Application
  Filed: March 19, 2012
  Publication date: August 2, 2012
  Applicant: International Business Machines Corporation
  Inventors: Lap T. Huynh, Constantinos Kassimis, Jeffrey A. Lucovsky, Linwood H. Overby, Jr., Jerry W. Stevens
- Patent number: 8220052
  Abstract: A method of detecting an intrusion into a computer. At least one communication to an application program is selectively evaluated by the application program accessing an intrusion detection service to evaluate the communication.
  Type: Grant
  Filed: June 10, 2003
  Date of Patent: July 10, 2012
  Assignee: International Business Machines Corporation
  Inventors: Lap T. Huynh, Linwood H. Overby, Jr.
- Patent number: 8199916
  Abstract: A method, network element, and computer storage program product, are provided for selectively loading a communication network security enforcement point (“SEP”) with security association (“SA”) information for inspection of encrypted data in a secure, end-to-end communications path. At least one encrypted data packet is received. It is determined that SA information for decrypting the at least one encrypted data packet fails to exist locally at the SEP. A request is sent to a communication network key server for SA information associated with the at least one encrypted data packet. The SA information associated with the at least one encrypted data packet is received from the communication network key server.
  Type: Grant
  Filed: December 26, 2007
  Date of Patent: June 12, 2012
  Assignee: International Business Machines Corporation
  Inventors: Christopher Meyer, Wuchieh J. Jong, Linwood H. Overby, Jr.
- Patent number: 8195806
  Abstract: Embodiments of the present invention address deficiencies of the art in respect to the visibility of an IP address for a remote resource behind a proxy server and provide a novel and non-obvious method, system and computer program product for managing remote host visibility in a proxy server environment. In one embodiment of the invention, a method for managing remote resource visibility in a proxy server environment can be provided. The method can include establishing a secure connection between a proxy server and a destination server, proxying different connections between different remote hosts and the destination server through the proxy server, providing remote host information for each of the different remote hosts, including IP address, port and protocol, for example, to the destination server over the secure connection, and mapping each provided IP address to an IP address for a corresponding one of the proxied different connections.
  Type: Grant
  Filed: July 16, 2007
  Date of Patent: June 5, 2012
  Assignee: International Business Machines Corporation
  Inventors: Linwood H. Overby, Jr., Jeffery L. Smith
- Patent number: 8141126
  Abstract: Embodiments of the present invention address deficiencies of the art in respect to IPsec SA recovery and provide a novel and non-obvious method, system and computer program product for selective IPsec SA recovery from security enforcement point outages. In one embodiment of the invention, a security enforcement point outage recovery method can be provided. The method can include compiling a listing of SAs for a security enforcement point and monitoring the security enforcement point for an outage. Responsive to detecting an outage in the security enforcement point, the listing can be pruned to include SAs that remain contextually valid or are utilized by the peer of the security enforcement point. Thereafter, only SAs in the pruned list can be re-established.
  Type: Grant
  Filed: January 24, 2007
  Date of Patent: March 20, 2012
  Assignee: International Business Machines Corporation
  Inventors: Curtis M. Gearhart, Christopher Meyer, Linwood H. Overby, Jr., David J. Wierbowski
- Publication number: 20110239290
  Abstract: Embodiments of the present invention address deficiencies of the art in respect to security enforcement point operability in a TLS secured communications path and provide a novel and non-obvious method, system and computer program product for the secure sharing of TLS session keys with trusted enforcement points. In one embodiment of the invention, a method for securely sharing TLS session keys with trusted enforcement points can be provided. The method can include conducting a TLS handshake with a TLS client to extract and decrypt a session key for a TLS session with the TLS client traversing at least one security enforcement point. The method further can include providing the session key to a communicatively coupled key server for distribution to the at least one security enforcement point. Finally, the method can include engaging in secure communications with the TLS client over the TLS session.
  Type: Application
  Filed: June 11, 2011
  Publication date: September 29, 2011
  Applicant: International Business Machines Corporation
  Inventors: David G. Kuehr-McLaren, Linwood H. Overby, Jr.
- Publication number: 20110219442
  Abstract: Policy filtering services are built into security processing of an execution environment for resolving how to handle a digital security certificate of a communicating entity without requiring a local copy of a root certificate that is associated with the entity through a certificate authority (“CA”) chain. Policy may be specified using a set of rules (or other policy format) indicating conditions for certificate filtering. This filtering is preferably invoked during handshaking, upon determining that a needed root CA certificate is not available. In one approach, the policy uses rules specifying conditions under which a certificate is permitted (i.e., treated as if it is validated) and other rules specifying conditions under which a certificate is blocked (i.e., treated as if it is invalid). Preferably, policy rules are evaluated and enforced in order of most-specific to least-specific.
  Type: Application
  Filed: May 19, 2011
  Publication date: September 8, 2011
  Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
  Inventors: Roy F. Brabson, Barry Mosakowski, Linwood H. Overby, Jr.
- Patent number: 7992200
  Abstract: Embodiments of the present invention address deficiencies of the art in respect to security enforcement point operability in a TLS secured communications path and provide a novel and non-obvious method, system and computer program product for the secure sharing of TLS session keys with trusted enforcement points. In one embodiment of the invention, a method for securely sharing TLS session keys with trusted enforcement points can be provided. The method can include conducting a TLS handshake with a TLS client to extract and decrypt a session key for a TLS session with the TLS client traversing at least one security enforcement point. The method further can include providing the session key to a communicatively coupled key server for distribution to the at least one security enforcement point. Finally, the method can include engaging in secure communications with the TLS client over the TLS session.
  Type: Grant
  Filed: July 16, 2007
  Date of Patent: August 2, 2011
  Assignee: International Business Machines Corporation
  Inventors: David G. Kuehr-McLaren, Linwood H. Overby, Jr.
- Patent number: 7984479
  Abstract: Policy filtering services are built into security processing of an execution environment for resolving how to handle a digital security certificate of a communicating entity without requiring a local copy of a root certificate that is associated with the entity through a certificate authority (“CA”) chain. Policy may be specified using a set of rules (or other policy format) indicating conditions for certificate filtering. This filtering is preferably invoked during handshaking, upon determining that a needed root CA certificate is not available. In one approach, the policy uses rules specifying conditions under which a certificate is permitted (i.e., treated as if it is validated) and other rules specifying conditions under which a certificate is blocked (i.e., treated as if it is invalid). Preferably, policy rules are evaluated and enforced in order of most-specific to least-specific.
  Type: Grant
  Filed: April 17, 2006
  Date of Patent: July 19, 2011
  Assignee: International Business Machines Corporation
  Inventors: Roy F. Brabson, Barry Mosakowski, Linwood H. Overby, Jr.
- Publication number: 20110126194
  Abstract: A mechanism is provided for sharing one or more security appliances. A trusted system component associated with an application of a plurality of applications in a logically partitioned data processing system sets a destination address of a received packet to an address of a security appliance shared by the plurality of applications. The trusted system component sends the received packet to the security appliance. The trusted system component receives a response from the security appliance. The trusted system component determines whether the response indicates permitting the received packet to proceed to the intended recipient. The trusted system component sends the received packet to the recipient in response to the response indicating permitting the received packet to proceed.
  Type: Application
  Filed: November 24, 2009
  Publication date: May 26, 2011
  Applicant: International Business Machines Corporation
  Inventors: Lap T. Huynh, Constantinos Kassimis, Jeffrey A. Lucovsky, Linwood H. Overby, Jr., Jerry W. Stevens
- Patent number: 7702785
  Abstract: Methods, systems and computer program products are provided for selectively allowing a user of a multi-user system access to a plurality of resources in a network. Pursuant to these methods, systems and computer program products, a request, originated by a user of the multi-user system, may be received to transmit a message over the network to one of the plurality of resources in the network. A security zone associated with this resource may then be identified. Pursuant to the operations of the present invention, if it is determined that the user is authorized access to the identified security zone, the message may be forwarded over the network to the resource.
  Type: Grant
  Filed: January 31, 2001
  Date of Patent: April 20, 2010
  Assignee: International Business Machines Corporation
  Inventors: David Aro Bruton, III, Linwood H. Overby, Jr., Adolfo Francisco Rodriguez
- Publication number: 20100071025
  Abstract: In an embodiment of the invention, a method for secure live migration of a virtual machine (VM) in a virtualized computing environment can include selecting a VM in a secure virtualized computing environment for live migration to a different virtualized computing environment and blocking data communications with the selected VM and other VMs in the secure virtualized computing environment. The selected VM can be live migrated to the different virtualized computing environment and the VM can be restarted in the different virtualized computing environment. Notably, a secure communicative link can be established between the restarted VM and at least one other of the VMs in the secure virtualized computing environment. Finally, data communications between the restarted VM and the at least one other of the VMs can be enabled over the secure communicative link.
  Type: Application
  Filed: September 15, 2008
  Publication date: March 18, 2010
  Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
  Inventors: Wesley M. Devine, Sivaram Gottimukkala, Lap T. Huynh, Dinakaran Joseph, Michael S. Law, Linwood H. Overby, Jr.
- Publication number: 20090169005
  Abstract: A method, network element, and computer storage program product, are provided for selectively loading a communication network security enforcement point (“SEP”) with security association (“SA”) information for inspection of encrypted data in a secure, end-to-end communications path. At least one encrypted data packet is received. It is determined that SA information for decrypting the at least one encrypted data packet fails to exist locally at the SEP. A request is sent to a communication network key server for SA information associated with the at least one encrypted data packet. The SA information associated with the at least one encrypted data packet is received from the communication network key server.
  Type: Application
  Filed: December 26, 2007
  Publication date: July 2, 2009
  Inventors: Christopher Meyer, Wuchieh J. Jong, Linwood H. Overby, Jr.
- Patent number: 7519721
  Abstract: Methods, systems and computer program products provide Internet Protocol Security (IPSec) to a plurality of target hosts in a cluster of data processing systems which communicate with a network through a routing communication protocol stack utilizing a dynamically routable Virtual Internet Protocol Address (DVIPA) by negotiating security associations (SAs) associated with the DVIPA utilizing an Internet Key Exchange (IKE) component associated with the routing communication protocol stack and distributing information about the negotiated SAs to the target hosts so as to allow the target hosts to perform IPSec processing of communications from the network utilizing the negotiated SAs.
  Type: Grant
  Filed: April 4, 2008
  Date of Patent: April 14, 2009
  Assignee: International Business Machines Corporation
  Inventors: James Russell Godwin, Linwood H. Overby, Jr.
- Publication number: 20090025078
  Abstract: Embodiments of the present invention address deficiencies of the art in respect to security enforcement point operability in a TLS secured communications path and provide a novel and non-obvious method, system and computer program product for the secure sharing of TLS session keys with trusted enforcement points. In one embodiment of the invention, a method for securely sharing TLS session keys with trusted enforcement points can be provided. The method can include conducting a TLS handshake with a TLS client to extract and decrypt a session key for a TLS session with the TLS client traversing at least one security enforcement point. The method further can include providing the session key to a communicatively coupled key server for distribution to the at least one security enforcement point. Finally, the method can include engaging in secure communications with the TLS client over the TLS session.
  Type: Application
  Filed: July 16, 2007
  Publication date: January 22, 2009
  Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
  Inventors: David G. Kuehr-McLaren, Linwood H. Overby, Jr.
- Publication number: 20090024750
  Abstract: Embodiments of the present invention address deficiencies of the art in respect to the visibility of an IP address for a remote resource behind a proxy server and provide a novel and non-obvious method, system and computer program product for managing remote host visibility in a proxy server environment. In one embodiment of the invention, a method for managing remote resource visibility in a proxy server environment can be provided. The method can include establishing a secure connection between a proxy server and a destination server, proxying different connections between different remote hosts and the destination server through the proxy server, providing remote host information for each of the different remote hosts, including IP address, port and protocol, for example, to the destination server over the secure connection, and mapping each provided IP address to an IP address for a corresponding one of the proxied different connections.
  Type: Application
  Filed: July 16, 2007
  Publication date: January 22, 2009
  Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
  Inventors: Linwood H. Overby, Jr., Jeffery L. Smith
- Patent number: 7426566
  Abstract: Methods, systems and computer program products provide Internet Protocol Security (IPSec) to a plurality of target hosts in a cluster of data processing systems which communicate with a network through a routing communication protocol stack utilizing a dynamically routable Virtual Internet Protocol Address (DVIPA) by negotiating security associations (SAs) associated with the DVIPA utilizing an Internet Key Exchange (IKE) component associated with the routing communication protocol stack and distributing information about the negotiated SAs to the target hosts so as to allow the target hosts to perform IPSec processing of communications from the network utilizing the negotiated SAs.
  Type: Grant
  Filed: January 17, 2001
  Date of Patent: September 16, 2008
  Assignee: International Business Machines Corporation
  Inventors: James Russell Godwin, Linwood H. Overby, Jr.