Method and apparatus for filtering packets using a dedicated...

Electrical computers and digital processing systems: multicomput – Computer network managing – Computer network access regulating

Reexamination Certificate


Details

US classification: 709/245, 709/250, 713/152

Status: active

Patent number: 6,647,418


FIELD OF THE INVENTION
The invention relates to packet filters in general. More particularly, the invention relates to a method and apparatus for filtering data packets using a dedicated processor and a list of source addresses stored in high-speed memory, as well as a means for periodically updating the list of source addresses to ensure the list is kept current.
BACKGROUND OF THE INVENTION
Many companies and individual homes have access to the Internet, and more particularly, the World Wide Web (WWW). With the growing number of Internet sites, there is also a growing number of sites which provide content that some companies may deem inappropriate for the workplace. Similarly, there are many Internet sites which provide content that parents may deem inappropriate for young children.
Data packet filters are currently available which filter out data packets from certain Internet sites. On the commercial side, these filters are often implemented as part of a router or “firewall.” On the individual side, these filters are implemented as programs which run on a personal computer and operate in conjunction with individual browser software. Both the commercial and individual filters operate by storing lists of prohibited source addresses, such as Internet Protocol (IP) addresses, and filtering out any data packets received from a site with a prohibited source IP address. One problem with the currently available filters is that there is a performance degradation as the list of prohibited source IP addresses grows. Another problem is the administration of prohibited source IP address lists. Internet sites are being added and changed every day, and it is very difficult to keep a prohibited source IP address list up to date.
One example of a conventional data packet filter is described in U.S. Pat. No. 5,606,668 titled “System for Securing Inbound and Outbound Data Packet Flow in a Computer Network.” The '668 patent relates to computer network security and the control of information flow between internal and external network destinations. The patent broadly describes prior art packet filtering using access list tables. The patent is directed to a filter module which provides network security by specifying security rules for network traffic and accepting or dropping data packets according to the security rules. The rules are implemented in packet filter code which is executed by packet filter modules located at various locations within the network.
The packet filter disclosed in the '668 patent, however, is less than satisfactory for a number of reasons. In accordance with the disclosure of the '668 patent, the packet filter modules are embodied as “virtual machines” residing on existing network host computers. Thus, these filters are software modules executing on existing network computers, and are not separate dedicated filtering processors. Further, this patent fails to describe a method for administering and updating the access list tables. In addition, the packet filter disclosed in the '668 patent is implemented between the data link layer and the network layer of the International Organization for Standardization (ISO) protocol stack as set forth in ISO standard 7498 titled “Basic Reference Model for Open Systems Interconnection” (1984). Therefore, the packets must unnecessarily pass through the protocols set forth for the data link layer before being filtered, which slows down the processing speed of the packet filter.
Another example of a conventional data packet filter is shown in U.S. Pat. No. 5,615,340 titled “Network Interfacing Apparatus and Method Using Repeater and Cascade Interface with Scrambling.” The '340 patent relates to interfacing nodes in a network. Each node is associated with a plurality of working ports. When a node receives an incoming data packet, the destination address of the data packet is compared against a stored address table to determine if the data packet is destined for a working port associated with the node. The node will only transmit the data packet to the node's working ports if there is a match. Similarly, when a node receives an outgoing data packet, the destination address of the data packet is compared against the stored address table to determine if the data packet is destined for a working port associated with the node. If there is a match, then the node will transmit the data packet back to its working ports. Otherwise, the node will transmit the data packet to the network. This system is not used for filtering unwanted data packets, but is instead used for network routing of data packets. Further, as with the '668 patent, the '340 patent fails to disclose a means for updating the stored address table.
From the foregoing, it can be appreciated that a substantial need exists for a high performance data packet filter which can work with a large number of source IP addresses. There is also a need for an efficient way to administer source IP address lists.
SUMMARY OF THE INVENTION
One embodiment of the present invention proposes a dedicated data packet filtering processor whose only function is to filter data packets based on a list of source IP addresses stored in high-speed memory of the processor. The processor has a specialized operating system which controls the operation of the processor. The only function of the processor is to look at the source IP address of each received data packet to determine if the source IP address matches one of the stored source IP addresses, and if there is a match, to either discard or forward the data packet depending on the processor configuration. Since the processor is dedicated to one task, it can perform the filtering process very quickly and efficiently. In various embodiments, the filtering processor may be used in conjunction with a local area network and many end users (such as in a commercial or business environment), or a single end user computer (such as in a home environment). Further, the filtering processor may be connected to the Internet via wired connections or wireless connections, such as a fixed wireless network.
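The filtering behaviour described in the summary, together with the two problems the background raises (lookup cost growing with the list, and keeping the list current), is illustrated below in an added Python example. It is not the patent's code or any licensee's implementation: the header builder, the hash-set table, the blocklist/allowlist switch and the fail-closed handling of unparseable packets are this example's own assumptions. The sample packets are constructed for the example and carry no real traffic.

```python
"""Source-address packet filter: a constructed illustration, not the patent's code."""
import ipaddress
import struct
from typing import Iterable, Optional

IPV4_MIN_HEADER = 20


def build_ipv4_packet(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 packet (constructed test input; checksum left zero)."""
    total_length = IPV4_MIN_HEADER + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, IHL 5 (20-byte header)
        0,               # DSCP/ECN
        total_length,
        0,               # identification
        0,               # flags / fragment offset
        64,              # TTL
        17,              # protocol: UDP (arbitrary for the example)
        0,               # header checksum: not computed; the filter ignores it
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def source_address(packet: bytes) -> Optional[int]:
    """Return the IPv4 source address as an int, or None if the bytes are not a well-formed IPv4 header."""
    if len(packet) < IPV4_MIN_HEADER:
        return None
    version, ihl_words = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl_words < 5 or len(packet) < ihl_words * 4:
        return None
    return int.from_bytes(packet[12:16], "big")  # source address sits at bytes 12..15


class SourceAddressFilter:
    """Match the source address of each packet against a stored list.

    discard_on_match=True  -> the list is a blocklist (matching packets are dropped)
    discard_on_match=False -> the list is an allowlist (only matching packets are forwarded)
    """

    def __init__(self, addresses: Iterable[str], discard_on_match: bool = True):
        self.discard_on_match = discard_on_match
        self._table = self._compile(addresses)

    @staticmethod
    def _compile(addresses: Iterable[str]) -> frozenset:
        # A hash set gives constant-time lookups, so decision time does not grow
        # with the list; a linear scan is what makes large lists slow.
        return frozenset(int(ipaddress.IPv4Address(a)) for a in addresses)

    def update(self, addresses: Iterable[str]) -> None:
        """Replace the whole table in one assignment so a reader never sees a half-built list."""
        self._table = self._compile(addresses)

    def decide(self, packet: bytes) -> str:
        src = source_address(packet)
        if src is None:
            # Assumption of this example: anything the filter cannot parse is dropped (fail closed).
            return "discard"
        matched = src in self._table
        if self.discard_on_match:
            return "discard" if matched else "forward"
        return "forward" if matched else "discard"


def filter_stream(flt: SourceAddressFilter, packets: Iterable[bytes]) -> dict:
    """Run a batch of packets through the filter and tally the verdicts."""
    tally = {"forward": 0, "discard": 0}
    for pkt in packets:
        tally[flt.decide(pkt)] += 1
    return tally


if __name__ == "__main__":
    blocklist = SourceAddressFilter(["203.0.113.5", "203.0.113.6"])
    sample = [
        build_ipv4_packet("203.0.113.5", "192.0.2.10"),
        build_ipv4_packet("198.51.100.7", "192.0.2.10"),
        b"\x45\x00\x00",  # truncated header
    ]
    print(filter_stream(blocklist, sample))
```

Two design points worth noting. The table is swapped as a whole in `update()` rather than edited in place, which is the simplest way to let a periodic list refresh run beside the hot lookup path without exposing a partially updated list. And the filter decides only from the source address field, as the summary describes; it does not validate the header checksum or look at anything above the IP layer, so a spoofed source address passes a blocklist exactly as it would pass the filter in the patent.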
With these and other advantages and features of the invention that will become hereinafter apparent, the nature of the invention may be more clearly understood by reference to the following detailed description of the invention, the appended claims and to the several drawings attached herein.


REFERENCES:
patent: 4715030 (1987-12-01), Koch et al.
patent: 4888796 (1989-12-01), Olivo, Jr.
patent: 5172111 (1992-12-01), Olivo, Jr.
patent: 5396493 (1995-03-01), Sugiyama
patent: 5448698 (1995-09-01), Wilkes
patent: 5481720 (1996-01-01), Loucks et al.
patent: 5561770 (1996-10-01), de Bruun et al.
patent: 5606668 (1997-02-01), Shwed
patent: 5615340 (1997-03-01), Dai et al.
patent: 5787253 (1998-07-01), McCreery et al.
patent: 5826014 (1998-10-01), Coley et al.
patent: 5848233 (1998-12-01), Radia et al.
patent: 5884025 (1999-03-01), Baehr et al.
patent: 5970066 (1999-10-01), Lowry et al.
patent: 6128298 (2000-10-01), Wootton et al.
patent: 6147976 (2000-11-01), Shand et al.
patent: 6335939 (2002-01-01), Hanna et al.
patent: 074377 (1996-11-01), None
patent: WO96/13113 (1996-05-01), None
Patent Abstracts of Japan, vol. 097, no. 010, Oct. 31, 1997, and JP 09-152969 A (Kenwood Corp.), Jun. 10, 1997.
Skokowski, P.: Penny-Pinching Networks for Distributed Control, Control Engineering, vol. 39, no. 5, Jan. 1, 1992, pp. 35-37.
Andrew S. Tanenbaum: Computer Networks, 1996, Prentice-Hall International, Upper Saddle River, New Jersey, US, pp. 7-16.
