Access control for networks
Type: Reexamination Certificate
Filed: 1998-10-16
Issued: 2001-04-17
Examiner: Maung, Zarni (Department: 2154)
Classification: Electrical computers and digital processing systems: multicomput
Classification: Computer network managing
Classification: Computer network access regulating
Class codes: C709S232000, C713S152000
Status: active
Patent number: 06219706
ABSTRACT:
BACKGROUND OF THE INVENTION
This invention relates to network firewalls for controlling external access to a particular local network. More particularly, the invention relates to network firewalls having dynamic access control lists.
Firewalls were developed to protect networks from unauthorized access. Hackers, corporate spies, political spies, and others may attempt to penetrate a network to obtain sensitive information or disrupt the functioning of the network. To guard against these dangers, firewalls inspect packets and sessions to determine whether they should be transmitted or dropped. In effect, firewalls have become a single point of network access where traffic can be analyzed and controlled according to parameters such as application, address, and user, for both incoming traffic from remote users and outgoing traffic to the Internet.
Firewalls most commonly exist at points where private networks meet public ones, such as a corporate Internet access point. However, firewalls can also be appropriate within an organization's network, to protect sensitive resources such as engineering workgroup servers or financial databases from unauthorized users.
Firewalls protect by a variety of mechanisms. Generally, state-of-the-art firewall technology is described in "Building Internet Firewalls" by D. Brent Chapman and Elizabeth D. Zwicky, O'Reilly and Associates, Inc., which is incorporated herein by reference for all purposes.
One firewall mechanism involves "packet filtering." A packet filtering firewall employs a list of permissible packet types from external sources. This list typically includes information that can be checked in a packet header. The firewall checks each inbound packet against the list to determine whether it meets any of the listed criteria for an admissible inbound packet; if it meets none of them, the firewall rejects it. A similar mechanism may be provided for outbound packets.
Often, the firewall maintains the access criteria as an access control list or "ACL." This list may contain network and transport layer information such as addresses and ports for acceptable source and destination pairs. The firewall reads the source and destination addresses, and where necessary the source and destination ports, from each packet header and checks whether they conform to any ACL item. From this, it decides which packets should be forwarded and which should be dropped. For example, one can block all User Datagram Protocol ("UDP") packets from a specific source IP address or address range. Some extended access lists can also examine transport-layer information, such as port numbers, to determine whether to forward or block packets.
While packet filtering is a very fast firewall technology, it is not, unfortunately, very good at handling protocols that create multiple channels or do not necessarily employ well-known port numbers. A channel is typically defined by a source address, a destination address, a source port number, and a destination port number. In the Transmission Control Protocol ("TCP"), a channel is referred to as a connection. For some protocols, such as SMTP (electronic mail), only a single well-known destination port is used. Conversations involving these protocols involve only a single channel. For such cases, the packet filtering mechanism will include an ACL item defining allowed accesses using the well-known port number. Because this well-known port number never changes, the ACL item can be set initially and left unchanged during the life of the firewall. Other protocols do not necessarily use well-known port numbers. In these cases, the port number is assigned dynamically. That is, for each new session a different port number may be assigned. In these cases, a static packet filtering mechanism must either block all use of this protocol or allow all use, regardless of port number. This represents a significant limitation of standard packet filtering mechanisms.
In addition to single channel protocols, a variety of multi-channel protocols are known and others are being developed. For example, the File Transfer Protocol ("FTP") sets up a control channel using a well-known port and a data channel using a variable port number. The control channel is used to initiate the FTP connection between a client and a server. Via this control channel, the client and server negotiate a port number for a data channel. Once this data channel is established, the file to be retrieved is transmitted from the server to the client over the data channel. Other newer protocols such as the H.323 protocol used for video conferencing employ multiple control channels and multiple data channels, such as channels for transmission of audio information and channels for transmission of video information. The port numbers for these data channels cannot be known ahead of time. Static packet filtering mechanisms have difficulty handling FTP and most multi-channel protocols.
Another approach to firewall designs is employed in a “Stateful Inspection” firewall provided by Check Point Software Technology Ltd. In this approach, the firewall inspects not only the packet header but also the packet payload. This allows for the possibility of identifying channels in which the port number or numbers are set by the communicating nodes during a conversation. Specifically, the port numbers of channels about to be opened may be specified in the payload or payloads of packets transmitted over a control channel for a conversation. By inspecting packet payloads in a control channel, the firewall can open a temporary channel corresponding to the port numbers agreed upon by the nodes establishing the session. When the session is terminated, the firewall can reseal the channel associated with those port numbers.
Unfortunately, the firewall implemented by Check Point resides on a PC or a workstation host. Such a host must be positioned at the interface of a local network and an external network. Typically, it must be used in conjunction with a router. This configuration limits the flexibility and efficiency of the firewall.
For the above and other reasons, it would be desirable to have an improved firewall design.
SUMMARY OF THE INVENTION
The present invention addresses this need by providing an access control system and method for controlling traffic to and from a local network. The system and procedures of this invention are preferably implemented on a dedicated network device such as a router positioned between a local network and an external network, e.g., the Internet, or between one or more local networks. In this procedure, access control items are dynamically generated and removed based upon the context of an application conversation. Specifically, the procedures of this invention may dynamically allocate channels through the firewall based upon the firewall's knowledge of the type of application and protocol (the context) employed in the conversation involving a node on the local network. Further, the procedure may selectively examine packet payloads to determine when new channels are about to be opened. In one example, the system employs different rules for handling SMTP sessions (e-mail using a single channel having a well-known port number), FTP sessions (file transfer using a single control channel having a well-known port number and one or more data channels having arbitrary port numbers), and H.323 sessions (video conferencing using multiple control channels and multiple data channels, all of which use arbitrary port numbers).
One aspect of the invention pertains to methods of limiting access to a local network. The methods may be characterized by the following sequence: (a) receiving a packet; (b) identifying an application associated with the packet; (c) determining whether the packet possesses a predefined source or destination address or port; (d) determining whether the packet meets criteria for a current state of a TCP or UDP session with which it is associated; (e) determining whether to examine the payload of the packet; and (f) examining the packet payload. The method may also include various other operations
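The steps (a) through (f) above, together with the packet filtering, dynamic-port and payload-inspection discussion in the background, can all be exercised on one small model. The following is an added worked example in Python; it is not code from the patent or from Cisco. The local network 192.168.1.0/24, the outside server 203.0.113.5, the two static ACL entries and the packet sequence are constructed for illustration. It models the FTP case described above: a static entry admits the control channel, a PORT command seen in the control-channel payload opens a temporary entry for the data channel, and closing the control session reseals that entry. It also applies one check the text does not spell out: a PORT command naming a host other than the one that issued it (an FTP bounce toward another local node) opens no channel.

```python
# Added example, not the patent's code: a toy context-based packet filter
# implementing steps (a)-(f) of the summary for FTP. Addresses, the ACL
# and the packet sequence are constructed sample data.
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

WELL_KNOWN = {21: "ftp", 25: "smtp"}                 # (b) application identified by port
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    fin: bool = False
    payload: bytes = b""


@dataclass
class AclEntry:
    src: str                          # CIDR
    dst: str                          # CIDR
    dport: Optional[int]              # None = any port
    sport: Optional[int] = None
    session: Optional[tuple] = None   # dynamic entries: key of the control session that opened them

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or p.dport == self.dport)
                and (self.sport is None or p.sport == self.sport))


class ContextFirewall:
    def __init__(self, static_acl):
        self.acl = list(static_acl)
        self.sessions = {}            # session key -> context (app, client, server, parent)

    @staticmethod
    def key(p: Packet) -> tuple:
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))   # same key in both directions

    def handle(self, p: Packet):
        """(a) receive a packet; returns ("FORWARD" | "DROP", reason)."""
        k = self.key(p)
        sess = self.sessions.get(k)
        if p.syn and sess is None:                                   # first packet of a channel
            hit = next((e for e in self.acl if e.matches(p)), None)  # (c) static or dynamic ACL item
            if hit is None:
                return "DROP", "no ACL entry admits this channel"
            app = WELL_KNOWN.get(p.dport) or ("ftp-data" if hit.session else "other")   # (b)
            self.sessions[k] = {"app": app, "client": p.src, "server": p.dst, "parent": hit.session}
            return "FORWARD", f"new {app} session"
        if sess is None:                                             # (d) mid-stream packet, no session
            return "DROP", "no matching session"
        # (e) inspect payloads only on the FTP control channel, client-to-server direction
        if sess["app"] == "ftp" and p.src == sess["client"] and p.payload:
            self.inspect_ftp(p, sess, k)                              # (f)
        if p.fin:                                                    # simplified: first FIN ends the session
            self.close(k)
        return "FORWARD", f"{sess['app']} session"

    def inspect_ftp(self, p: Packet, sess: dict, k: tuple) -> None:
        """Open a temporary channel for the data connection announced by a PORT command."""
        m = PORT_RE.match(p.payload.strip())
        if not m:
            return
        h = [int(x) for x in m.groups()]
        addr, port = ".".join(map(str, h[:4])), h[4] * 256 + h[5]
        # Caveat: only open a channel back to the node that issued the command.
        # A PORT naming another host (FTP bounce) would otherwise punch a hole to it.
        if addr != sess["client"] or max(h) > 255 or port < 1024:
            return
        self.acl.append(AclEntry(f"{sess['server']}/32", f"{addr}/32", port, sport=20, session=k))

    def close(self, k: tuple) -> None:
        """Reseal: drop the control session, its dynamic entries and any data session they admitted."""
        self.sessions.pop(k, None)
        self.acl = [e for e in self.acl if e.session != k]
        for sk in [sk for sk, sv in self.sessions.items() if sv["parent"] == k]:
            del self.sessions[sk]


def ftp_scenario() -> list:
    """Constructed traffic: local client 192.168.1.10 fetches a file from outside server 203.0.113.5."""
    fw = ContextFirewall([AclEntry("192.168.1.0/24", "0.0.0.0/0", 21),    # outbound FTP control channel
                          AclEntry("0.0.0.0/0", "192.168.1.0/24", 25)])   # inbound SMTP, single channel
    c, s = "192.168.1.10", "203.0.113.5"
    steps = [
        Packet(c, s, 40001, 21, syn=True),                                  # control channel opens
        Packet(s, c, 20, 40002, syn=True),                                  # data SYN before any PORT: dropped
        Packet(c, s, 40001, 21, payload=b"PORT 192,168,1,10,156,66\r\n"),   # 156*256+66 = 40002
        Packet(s, c, 20, 40002, syn=True),                                  # now admitted by the dynamic entry
        Packet(c, s, 40001, 21, payload=b"PORT 192,168,1,20,0,22\r\n"),     # bounce attempt toward another node
        Packet(s, "192.168.1.20", 20, 22, syn=True),                        # no channel was opened: dropped
        Packet(c, s, 40001, 21, fin=True),                                  # control session ends
        Packet(s, c, 20, 40002, syn=True),                                  # channel resealed: dropped
    ]
    return [fw.handle(p)[0] for p in steps]


if __name__ == "__main__":
    print(ftp_scenario())
```

The decision sequence the scenario produces is FORWARD, DROP, FORWARD, FORWARD, FORWARD, DROP, FORWARD, DROP. The model simplifies real TCP tracking (a single FIN ends the session, and only active-mode PORT is parsed, not PASV), but it shows the point of the summary: the data-channel item exists only between the payload inspection that announced it and the close of the control session that owns it.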
Inventors: Fan, Serene; Truong, Steve
Attorney, agent or firm: Bever Weaver & Thomas LLP
Assignee: Cisco Technology Inc.