Electrical computers and digital processing systems: multicomput – Computer network managing – Computer network access regulating
Reexamination Certificate
2000-09-08
2004-10-19
Harvey, Jack B. (Department: 2142)
Electrical computers and digital processing systems: multicomput
Computer network managing
Computer network access regulating
C709S217000, C709S249000, C707S793000, C707S793000, C707S793000, C707S793000, C707S793000, C345S215000
Reexamination Certificate
active
06807576
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates to computer systems which utilize filter rules, and more particularly to a method and system for providing a graphical representation of filter rules.
BACKGROUND OF THE INVENTION
Networks typically include multiple hosts, at least one server and at least one switch and/or router. Networks may also include one or more gateways to the Internet. Traffic flows through the networks and must be routed by the switch or router. In order to manage communications in a network and route data packets through the switch, filter rules are used. A filter rule enforces a particular action on a packet matching the filter rule. Thus, a filter rule tests packets which are being transmitted via a network in order to provide a variety of services. A filter rule may test packets entering the network from an outside source to ensure that attempts to break into the network can be thwarted. For example, traffic from the Internet entering the network may be tested in order to ensure that packets from unauthorized sources are denied entrance. Similarly, packets from one portion of a network may be prevented from accessing another portion of the network and take other appropriate action, such as recording the attempted access. Filter rules may also be used to transmit traffic based on the priorities of packets. For example, packets from a particular host may be transmitted because the packets have higher priority even when packets from other hosts in the network are dropped. Filter rules may also be used to ensure that new sessions are not permitted to be started when congestion is high even though traffic from established sessions is transmitted. Other functions could be achieved based on the filter rule.
Filter rules test a key in order to determine whether the filter rule will operate on a particular packet. The key that is typically used is the Internet Protocol (IP) header of the packet. The IP header typically contains five fields of interest: the source address, the destination address, the source port, the destination port and the protocol. These fields are typically thirty-two bits, thirty-two bits, sixteen bits, sixteen bits and eight bits, respectively. Thus, the part of IP header of interest is typically one hundred and four bits in length. Filter rules typically utilize these one hundred and four bits, and possible more bits, in order to perform their functions. For example, based on the source and destination addresses, the filter rule may determine whether a packet from a particular host is allowed to reach a particular destination address. However, the key often contains additional bits other than the fields of the IP header. The additional bits may be used by a filter rule which manages traffic through a network. Thus, the filter rules typically operate using a key that includes at least some fields of the IP header of a packet and may include additional bits. When the key matches the filter rule, the filter rule enforces its action on the packet corresponding to the key.
The filter rules that control traffic through a network may intersect. In other words, a key for a particular packet may match multiple filter rules. Filter rules are thus accorded a priority. A higher priority filter rule identifies which filter rule to check first for a match. Thus, the higher priority filter rule controls the action taken on a particular packet. In other words, the higher priority filter rule dominates the lower priority filter rule. For example, if a key for a packet matches two (intersecting) filter rules, then the higher priority filter rule controls. This prevents conflicting actions from being taken on a particular filter rule. For example, a first filter rule may be a default filter rule, which treats most cases. A second filter rule can be an exception to the first filter rule. The second filter rule would typically have a higher priority than the first filter rule to ensure that where a packet matches both the first and the second filter rule, the second filter rule's action will be enforced.
Multiple filter rules are typically used for each network. Because the filter rules may intersect and have different priorities, it is desirable for the network administrator or other user to be able to ensure that the filter rules can adequately function together. For example, it would be undesirable to provide two intersecting filter rules of the same priority which specify that conflicting actions be taken. For example, it would be undesirable for a first rule to specify that a packet is dropped while a second intersecting rule of the same priority specifies that the packet be transmitted. In addition, it would be desirable for the network administrator to monitor other information about the filter rules, such as how often the filter rule is used and the actual structure of the filter rule in the computer system. Thus, the user should be able to obtain information about filter rules.
Conventional systems generally display information relating to filter rules in a table format. For example, a filter rule, the ranges of keys which match the filter rule and the action taken are typically displayed. However, other information may not be readily available. This information in a table format may also be difficult for a user to understand. Thus, the user may provide filter rules that intersect, are inconsistent and have the same priority. In such a case, a switch in the network may be unable to determine the appropriate action to enforce for a particular packet having a key that fits both filter rules. As a result, the traffic through the switch may not be properly controlled.
Accordingly, what is needed is a system and method for improving the access of a user to information relating to filter rules. The present invention addresses such a need.
SUMMARY OF THE INVENTION
The present invention provides a method and system for graphically representing relationships between a plurality of filter rules in a computer system. The computer system includes a display. Each of the plurality of filter rules has a priority. The method and system comprise allowing entry of at least one filter rule of the plurality of filter rules and providing a graphical display of a first portion of the plurality of filter rules on the display. Each of the first portion of the plurality of filter rules is displayed hierarchically based on the priority of each of the first portion of the plurality of filter rules. If the first portion of plurality of filter rules includes a plurality of intersecting filter rules, then displaying the plurality of intersecting filter rules in the graphical display to indicate at least one intersection of at least one higher priority filter rule and at least one lower priority filter rule and to indicate that the at least one higher priority filter rule dominates the at least one lower priority filter rule.
According to the system and method disclosed herein, the present invention provides a user, such as a network administrator, with the ability to easily identify relationships between filter rules and make desired adjustments to the filter rules.
REFERENCES:
patent: 5835727 (1998-11-01), Wong et al.
patent: 5864666 (1999-01-01), Shrader
patent: 5899991 (1999-05-01), Karch
patent: 5951651 (1999-09-01), Lakshman et al.
patent: 5983270 (1999-11-01), Abraham et al.
patent: 6009475 (1999-12-01), Shrader
patent: 6298340 (2001-10-01), Calvignac et al.
patent: 6473763 (2002-10-01), Corl, Jr. et al.
patent: 6484171 (2002-11-01), Corl, Jr. et al.
patent: 6529897 (2003-03-01), Corl, Jr. et al.
patent: 6539394 (2003-03-01), Calvignac et al.
patent: 6677963 (2004-01-01), Mani et al.
patent: WO9921335 (1999-04-01), None
Hayden, et al., “Miro: Visual Specification of Security,”IEEE Transactions on Software Engineering, vol. 16, No. 10, Oct. 1990, pp. 1185-1196.
Mayer, et al., “Firmato: A Novel Firewall Management Toolkit,”Proceeding on the 1999 Symposium on Security and Privacy, IEEE, May 1999, pp. 17-31.
Jeffries Clark Debs
Thio Victoria Sue
Warshavsky Alex
Zehavi Avraham
Harvey Jack B.
International Business Machines - Corporation
Nguyen Hai V.
Sawyer Law Group LLP
LandOfFree
Method and system for determining and graphically... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Method and system for determining and graphically..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Method and system for determining and graphically... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3293514