Electrical computers and digital processing systems: multicomput – Computer-to-computer session/connection establishing – Network resources access controlling
Reexamination Certificate
1998-01-29
2002-03-05
Maung, Zarni (Department: 2152)
C709S230000, C709S237000
active
06353856
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to a firewall and more specifically to a firewall in communications using IP over ATM protocols.
2. Description of the Related Art
The Internet, which continues to spread, employs TCP/IP (Transmission Control Protocol/Internet Protocol) as its standard protocol. A system has been discussed which allows communications based on TCP/IP (TCP/IP communications) to be carried over ATM networks. Such a system is called IP over ATM. If this technology is established, the Internet can be implemented using ATM networks.
With the spread of the Internet, opportunities to connect terminals, such as computers, to public networks have been increasing. Under these circumstances, it is important to protect terminals (and the information that the terminals store) from unauthorized access from the public network side. In this case, a function of blocking a particular type of traffic becomes necessary. The function of blocking a particular type of traffic to thereby increase the security of computers and so on, or a device for performing such a function, is called a firewall.
FIG. 1 shows an example of installing a firewall in an IP over ATM system. In this example, terminals (DTE: Data Terminal Equipment) 102 and 107, which can perform TCP/IP communications, are connected to an ATM network 101. A LAN 103, which is an Ethernet network based on TCP/IP, is connected to the ATM network 101 via a router 105, which has a firewall function to allow selective access to the LAN 103 through the ATM network 101.
When, in the above system, the terminal 102 makes access to the terminal 107 in conformity with TCP/IP (TCP/IP-based access, or TCP/IP access), an ATM connection is first set up between the terminals 102 and 107, and then a TCP/IP connection is set up on that ATM connection.
When the terminal 102 makes TCP/IP access to the terminal 107 within the LAN 103, an ATM connection is first set up between the terminal 102 and the router 105. The terminal 102 then sends an access request to the router 105 over that ATM connection. Upon receipt of the access request, the router 105 decides whether the access request is to be granted or denied in accordance with the IP address and the TCP port number. When the access request is granted, the router 105 sets up a TCP/IP connection between the terminals 102 and 104 utilizing the ATM connection between the terminal 102 and the router 105, so that TCP/IP communications are started. When the access request is denied, on the other hand, the router 105 disconnects the ATM connection to the terminal 102.
Thus, the conventional system prevents unauthorized access to resources within the LAN 103 by the firewall function installed in the router 105, which selectively grants access to the LAN 103 over the ATM network 101.
In the IP over ATM system, in order to decide at the TCP/IP level whether an access request is to be granted or denied, an ATM connection is always set up first, regardless of whether the access request will later be granted or denied. (An access request which will be granted is referred to as a permissible access request, whereas an access request which will be denied is referred to as a non-permissible access request.) In the example of FIG. 1, an ATM connection is set up between the terminal 102 and the router 105.
With the ATM network 101, once an ATM connection is set up for a call, the call is billed (charged). Thus, even when an access request by the terminal 102 to the terminal 104 is rejected by the router 105, the terminal 102 is charged although it receives no service, because an ATM connection has already been set up between it and the router.
Since an ATM connection is set up even for a non-permissible access, network resources are used in vain. For example, even if a request for access by the terminal 102 to the terminal 104 is a non-permissible access request, an ATM connection is set up between the terminal 102 and the router 105, so that a portion of the bandwidth of a line 106 that connects the ATM network 101 to the router 105 is assigned to that ATM connection. As a result, the available bandwidth of the line 106 may be reduced. A shortage of available bandwidth on the line 106 results in failure to set up an ATM connection on the line. Then, even if a permissible access request is made, access to the LAN 103 becomes impossible. Thus, a non-permissible access may disturb permissible accesses.
The above problem arises not only in the IP over ATM system but also in a system in which data in a LAN, such as an Ethernet or token ring network, are transferred over an ATM network (such a system may be called LAN emulation).
SUMMARY OF THE INVENTION
It is an object of the present invention to provide a system which implements a firewall while making effective use of network resources.
A firewall system of the present invention which, for use with a communications system in which, over a connection-oriented network that exchanges fixed-length packets to conform to a first protocol, communication traffic that conforms to a second protocol is transferred, controls communications that conform to the second protocol and comprises: a switching node for exchanging fixed-length packets and extracting from received fixed-length packets a fixed-length packet that contains a request made by a first terminal for access to a second terminal, the access request being based on the second protocol; and an agent unit, installed in the network, for judging whether to grant the request for access to the second terminal or not on the basis of information contained in the fixed-length packet extracted by the switching node.
According to the above arrangement, a determination can be made as to whether to grant access to the second terminal without establishing a connection between the switching node and the second terminal. That is, such a determination can be made without using a line connecting the network and the second terminal.
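The following Python model is an added illustration of the arrangement described in the summary; it is not code from the patent or its applicant. It simplifies the first protocol to 48-byte ATM cell payloads with an end-of-PDU flag (AAL5 segmentation with the trailer and CRC omitted) and the second protocol to IPv4/TCP. The switching node reassembles the cells of one virtual channel and hands the packet to the agent unit, which judges a TCP connection request (a SYN) against a rule table keyed on destination IP address and TCP port, so that a verdict exists before any connection toward the second terminal is established. The rule table, the addresses and the packet builder are constructed sample data, not values from the patent.

```python
import ipaddress
import struct
from dataclasses import dataclass

CELL_PAYLOAD = 48  # ATM cell payload size in bytes (the 5-byte cell header is omitted)


@dataclass
class Cell:
    """Simplified ATM cell: VPI/VCI, end-of-PDU flag (AAL5 PTI bit), 48-byte payload."""
    vpi: int
    vci: int
    last: bool
    payload: bytes


def segment(pdu: bytes, vpi: int = 0, vci: int = 100) -> list:
    """Split one IP packet into 48-byte cells (AAL5-style zero padding; trailer/CRC omitted)."""
    padded = pdu + b"\x00" * (-len(pdu) % CELL_PAYLOAD)
    return [
        Cell(vpi, vci, i + CELL_PAYLOAD >= len(padded), padded[i:i + CELL_PAYLOAD])
        for i in range(0, len(padded), CELL_PAYLOAD)
    ]


def reassemble(cells: list) -> bytes:
    """Switching-node side: collect cells of one VC until the end-of-PDU cell arrives."""
    buf = bytearray()
    for cell in cells:
        buf += cell.payload
        if cell.last:
            return bytes(buf)
    raise ValueError("incomplete PDU: end-of-PDU cell not seen")


def parse_access_request(pdu: bytes):
    """Extract the TCP/IP fields the agent needs; None if this is not an IPv4/TCP packet."""
    if len(pdu) < 40 or (pdu[0] >> 4) != 4 or pdu[9] != 6:
        return None
    ihl = (pdu[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pdu[2:4])[0]
    tcp = pdu[ihl:total_len]  # the IP total length strips the AAL5 padding
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]
    return {
        "src": str(ipaddress.ip_address(pdu[12:16])),
        "dst": str(ipaddress.ip_address(pdu[16:20])),
        "sport": sport,
        "dport": dport,
        # a TCP connection request is a SYN without ACK
        "syn": bool(flags & 0x02) and not (flags & 0x10),
    }


# Constructed sample policy (an assumption, not from the patent):
# (destination network, destination TCP port, action). First match wins; default deny.
RULES = [
    (ipaddress.ip_network("192.0.2.0/24"), 80, "grant"),
    (ipaddress.ip_network("192.0.2.0/24"), 25, "grant"),
]


def decide(req) -> str:
    """Agent-unit judgement on one extracted access request."""
    if req is None or not req["syn"]:
        return "ignore"  # only TCP connection requests (SYN) are judged
    dst = ipaddress.ip_address(req["dst"])
    for net, port, action in RULES:
        if dst in net and req["dport"] == port:
            return action
    return "deny"


def judge_cells(cells: list) -> str:
    """Cells extracted by the switching node go in; the agent's verdict comes back."""
    return decide(parse_access_request(reassemble(cells)))


def build_tcp_packet(src, dst, sport, dport, flags=0x02, data=b"") -> bytes:
    """Build a minimal IPv4/TCP packet as constructed test input (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + data
    total = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + tcp


if __name__ == "__main__":
    web = segment(build_tcp_packet("198.51.100.7", "192.0.2.10", 40000, 80))
    telnet = segment(build_tcp_packet("198.51.100.7", "192.0.2.10", 40001, 23))
    print("SYN to 192.0.2.10:80 ->", judge_cells(web))     # grant
    print("SYN to 192.0.2.10:23 ->", judge_cells(telnet))  # deny
```

The point of the model is where the verdict is produced: `judge_cells` operates only on what the switching node already holds, so a "deny" costs no connection on the line to the second terminal, and only a "grant" would lead to one being signalled.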
Cardone Jason D.
Helfgott & Karas P.C.
Maung Zarni