Electrical computers and digital processing systems: multicomput – Computer network managing
Reexamination Certificate
2000-12-18
2004-11-23
Jean, Frantz B. (Department: 2151)
Electrical computers and digital processing systems: multicomput
Computer network managing
C713S152000
Reexamination Certificate
active
06823378
ABSTRACT:
FIELD OF THE INVENTION
This invention relates to distributed computing systems and more particularly to a system and method for managing the distribution of bandwidth at an endpoint of a distributed computing network.
BACKGROUND OF THE INVENTION
Distributed data processing networks with thousands of nodes, or endpoints, are known in the prior art. The nodes can be geographically dispersed and the computing environment managed in a distributed manner, with a plurality of computing locations running distributed kernel services (DKS). The managed environment can be logically separated into a series of loosely connected managed regions in which each region has its own management server for managing local resources. The management servers coordinate activities across the network and permit remote site management and operation. Local resources within one region can be exported for the use of other regions in a variety of manners.
Managed regions within a highly distributed network may attempt to incorporate fault-tolerance with firewalls that attempt to limit any damage that might be caused by harmful entities. A firewall can prevent certain types of network traffic from reaching devices that reside on the “other” side, beyond the firewall. For example, a firewall can examine the frame types or other information of incoming data packets (i.e., so-called “packet sniffing”) and decide to stop certain types of information that has previously been determined to be harmful, such as virus probes, pings, broadcast data, etc. Another use of such firewalls is to influence the distribution of bandwidth by denying access to certain types of communications which may unnecessarily consume needed bandwidth. Yet another role of a firewall is to prevent outside entities' attempts to breach an internal network (or network devices located beyond the firewall) to steal information and/or attack (i.e., “hack”) the network. While existing firewalls can prevent certain entities from obtaining information from the protected network devices, firewalls can simultaneously present a barrier to the operation of legitimate, useful processes.
A firewall typically comprises a static, dedicated piece of code that operates by using a dedicated port. Each software component communicates with another component by knowing the dedicated port number of the other component. However, memory and other system constraints can eventually limit the number and the management of dedicated ports, and the dynamic reconfiguration of port numbers can be quite difficult. Another drawback of a static firewall executed at the device-driver level (i.e., the packet-sniffing type of firewall) is that the component must necessarily examine every packet that traverses that port. Given the quantity of communications in vast distributed networks, the analysis of every data packet can be an overwhelming task. If communications could be screened based on protocol, a significant amount of packet analysis could be foregone.
Yet another drawback to the presently available firewall technology is that it provides a “yes” or “no” approach to evaluating communications, whereby usage is either permitted or denied. There exists no mechanism today for a performance-based analysis of network communications at a firewall in order to allow continued usage provided that the bandwidth being consumed is within predetermined limits.
It is desirable, therefore, and is an object of the present invention, to have a method and apparatus for providing a performance-based firewall in a distributed network environment.
Another object of the present invention is to provide a firewall which can dynamically influence distribution of bandwidth in a network.
Yet another object of the present invention is to provide a firewall at the protocol layer rather than the packet layer.
SUMMARY OF THE INVENTION
The foregoing and other objects are realized by the present invention wherein a method and apparatus are disclosed for implementing a performance-based firewall at the protocol layer. Application Action Objects (AAOs) are created for requesting applications and are mapped to specific protocol events. Each AAO is then used as a Usage Based Firewall (UBF) to monitor all usage of the protocol at the endpoint identified by the application, thereby acting as a performance-based, protocol layer firewall for communications at that endpoint. A responsible logical gateway monitors the AAO and reports AAO activity to a UBF Manager at a control server to direct the AAO regarding continued usage based on bandwidth considerations.
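The following is an added illustration of the control loop the summary describes, and of the performance-based (rather than yes/no) decision the background section says existing firewalls lack. It is not the patent's own code. The class names follow the summary's terms (Application Action Object, logical gateway, UBF Manager), but their fields, the sliding-window byte metering, the three-way allow/throttle/deny directive and all byte budgets are assumptions constructed for the example.

```python
"""Toy model of a usage-based firewall (UBF) at the protocol layer.

Added illustration only; not the patent's own code. Class names follow the
summary's terms (AAO, logical gateway, UBF Manager) but their fields, the
sliding-window metering and the sample byte budgets are assumptions.
"""
from collections import deque
from dataclasses import dataclass, field

ALLOW, THROTTLE, DENY = "allow", "throttle", "deny"


@dataclass
class ApplicationActionObject:
    """Meters one application's use of one protocol at the endpoint.

    Usage is tracked as (timestamp, bytes) events in a sliding window, so the
    object reasons about the protocol as a whole rather than inspecting packets.
    """
    app: str
    protocol: str
    window_s: float = 10.0
    events: deque = field(default_factory=deque)
    verdict: str = ALLOW                  # last directive relayed by the gateway
    budget_bps: float = float("inf")      # bytes/second allowed while throttled

    def _expire(self, now):
        while self.events and now - self.events[0][0] > self.window_s:
            self.events.popleft()

    def bytes_in_window(self, now):
        self._expire(now)
        return sum(n for _, n in self.events)

    def rate_bps(self, now):
        return self.bytes_in_window(now) / self.window_s

    def admit(self, nbytes, now):
        """Endpoint-side decision for one protocol event; True if it may proceed."""
        if self.verdict == DENY:
            return False
        if self.verdict == THROTTLE:
            # Let the event through only if the window stays inside the budget.
            if (self.bytes_in_window(now) + nbytes) / self.window_s > self.budget_bps:
                return False
        self.events.append((now, nbytes))
        return True


@dataclass
class UbfManager:
    """Control-server policy: per-protocol soft and hard limits in bytes/second."""
    soft_bps: dict
    hard_bps: dict

    def direct(self, protocol, rate_bps):
        """Graded directive instead of a static yes/no rule."""
        if rate_bps > self.hard_bps.get(protocol, float("inf")):
            return DENY
        if rate_bps > self.soft_bps.get(protocol, float("inf")):
            return THROTTLE
        return ALLOW


class LogicalGateway:
    """Holds the endpoint's AAOs, reports their usage and relays directives."""

    def __init__(self, manager):
        self.manager = manager
        self.aaos = {}

    def register(self, app, protocol):
        key = (app, protocol)
        return self.aaos.setdefault(key, ApplicationActionObject(app, protocol))

    def report(self, now):
        """Report each AAO's observed rate to the manager and apply its directive."""
        directives = {}
        for key, aao in self.aaos.items():
            aao.verdict = self.manager.direct(aao.protocol, aao.rate_bps(now))
            aao.budget_bps = self.manager.soft_bps.get(aao.protocol, float("inf"))
            directives[key] = aao.verdict
        return directives


def simulate():
    """Drive one AAO through normal, heavy and abusive usage (constructed values).

    Returns, per 10-second phase, how many events the endpoint admitted and the
    directive the manager issued at the end of that phase.
    """
    manager = UbfManager(soft_bps={"ftp": 1000}, hard_bps={"ftp": 5000})
    gateway = LogicalGateway(manager)
    aao = gateway.register("backup-agent", "ftp")
    phases = [(500, 10), (3000, 10), (3000, 10), (8000, 10), (100, 10)]  # (bytes, events)
    log, t = [], 0
    for nbytes, count in phases:
        passed = sum(aao.admit(nbytes, t + i) for i in range(count))
        t += count
        verdict = gateway.report(t - 0.5)[("backup-agent", "ftp")]
        log.append((passed, verdict))
    return log


if __name__ == "__main__":
    for passed, verdict in simulate():
        print(f"admitted {passed:2d} events, directive now: {verdict}")
```

In the simulated run the application is allowed through while it stays at 500 B/s, is throttled after a phase at 3000 B/s (only events that keep the window under the 1000 B/s budget are admitted), returns to "allow" once its usage drops, is denied outright after exceeding the 5000 B/s hard limit, and is re-admitted once the window empties. The point of the design is that the AAO never inspects packet contents; it meters the protocol's usage and applies a directive the manager derives from bandwidth alone.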
REFERENCES:
patent: 5359593 (1994-10-01), Derby et al.
patent: 5790554 (1998-08-01), Pitcher et al.
patent: 5864669 (1999-01-01), Osterman et al.
patent: 6049549 (2000-04-01), Ganz et al.
patent: 6084955 (2000-07-01), Key et al.
patent: 6128657 (2000-10-01), Okanoya et al.
patent: 6438592 (2002-08-01), Killian
patent: PCTSE9902279 (1999-12-01), None
Dougherty Anne V.
Jean Frantz B.
LaBaw Jeffrey
Phillips Hassan