Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
2000-03-15
2004-08-03
Wright, Norman M. (Department: 2134)
C713S154000, C709S242000, C709S243000
active
06772347
FIELD OF THE INVENTION
The present invention relates to the field of computer networks. In particular, the present invention relates to a method, apparatus and computer program product for providing network security.
BACKGROUND OF THE INVENTION
A packet switch communication system includes a network of one or more routers connecting a plurality of users. A packet is the fundamental unit of transfer in the packet switch communication system. A user can be an individual user terminal or another network. A router is a switching device that receives packets containing data or control information on one port and, based on destination information contained within the packets, routes the packets out another port to their final destination, or to some intermediary destination(s). Conventional routers perform this switching function by evaluating header information contained within the packet in order to determine the proper output port for a particular packet.
As known, a communications network can be a public network, such as the Internet, in which data packets are passed between users over untrusted, i.e., nonsecure communication links. Alternatively, various organizations, typically corporations, use what is known as an intranet communications network, accessible only by the organization's members, employees, or others having access authorization. Intranets typically connect one or more private servers, such as a local area network (LAN). The network configuration in a preferred embodiment of this invention can include a combination of public and private networks. For example, two or more LANs can be coupled together with individual terminals using a public network, such as the Internet. A network point that acts as an entrance to another network is known in the art as a gateway.
Conventional packet switched communication systems that include links between public and private networks typically include means to safeguard the private networks against intrusions through the gateway provided at the interface of the private and public networks. The means designed to prevent unauthorized access to or from a private network are commonly known as firewalls, which can be implemented in hardware, in software, or in a combination of both. Thus, a firewall is a device that can be coupled in-line between a public network and a private network for screening packets received from the public network.
Referring to FIG. 1, a conventional packet switch communication system 100 can include two (or more) private networks 102a and 102b coupled by a public network 104 for facilitating the communication between a plurality of user terminals 106. Each private network 102 can include one or more servers and a plurality of individual terminals. Each private network 102 can be an intranet, such as a LAN. Public network 104 can be the Internet, or other public network having untrusted links for linking packets between private networks 102a and 102b. In a preferred embodiment, at each gateway between a private network 102 and public network 104 there is a firewall 110.
The architecture of an illustrative prior art firewall is shown in FIG. 2a. The firewall 110 generally includes one or more public network links 120, one or more private network links 122, and memory controller 124 coupled to the network links by a PCI bus 125. Memory controller 124 is also coupled by a memory bus 129 to a memory (RAM) 126 and a firewall engine, implemented in a preferred embodiment as an ASIC 128. The firewall engine ASIC 128 performs packet screening prior to routing packets through to private network 102. The firewall engine ASIC 128 processes the packets to enforce an access control policy, screening the packets in accordance with one or more sets of rules. The rules are described in more detail below. A central processor (CPU) 134 is coupled to memory controller 124 by a CPU bus 132. CPU 134 oversees the memory transfer operations on all buses shown. Memory controller 124 is a bridge connecting CPU bus 132, memory bus 129, and PCI bus 125.
In operation, packets are received at public network link 120. Each packet is transferred on bus 125 to, and routed through, memory controller 124 and on to RAM 126 via memory bus 129. When firewall engine 128 is available, packets are fetched using memory bus 129 and processed by the firewall engine 128. After processing, the packet is returned to RAM 126 using memory bus 129. Finally the packet is retrieved by the memory controller 124 using memory bus 129, and routed to private network link 122. The screening rules implemented by the firewall engine 128 are typically searched in linear order, beginning with the internal rule memory. Certain aspects of the rule structure are described below.
As known in the art, a rule is a control policy for filtering incoming and outgoing packets. Rules specify actions to be applied as against certain packets. When a packet is received for processing through a rule search, the packet's IP header, TCP header, or UDP header may require inspecting. A rule will generally include, at a minimum, source/destination IP addresses, UDP/TCP source/destination ports and transport layer protocol. Additional criteria may be used by the rules as well.
Generally, the address information is used as matching criterion—in other words to match a rule, a packet must have come from a defined source IP address and its destination must be the defined destination IP address. The UDP/TCP source/destination port specifies what client or server process the packet originates from on the source machine. The firewall engine can be configured to permit or deny a packet based upon these port numbers. The rule may include a range of values or a specific value for a TCP/UDP port. The transport layer protocol specifies which protocol above the IP layer, such as TCP or UDP, the policy rule is to be enforced against.
The firewall engine described above essentially screens packets using an access control list (ACL), and may be referred to as an ACL engine. That is, it performs a simple comparison of various matching criteria of an incoming IP packet—typically source, destination, port and protocol—to each rule in a rule set in sequence. Based upon this comparison, an incoming IP packet is either allowed or denied. A data-flow chart for this firewall engine is shown in FIG. 5.
It will be appreciated that using a fixed set of rules can be restrictive in many practical applications. Therefore, it is desirable to provide a system and method capable of adding rules to the rule set of the firewall engine dynamically—that is, to extract from a sequence of packets information, such as the port number and IP address, and generate new rules using this information. However, generating these new rules dynamically would increase the complexity of the comparison and decrease the speed of the firewall engine. There is therefore a need in the art for a firewall engine which can generate rules dynamically, based upon information extracted from incoming packets, with a limited impact on the speed of the firewall engine.
SUMMARY OF THE INVENTION
In accordance with a preferred embodiment, an apparatus, method and computer program product for providing network security is described. The apparatus includes an engine for sorting incoming IP packets into initially allowed and initially denied packets using a fixed set of rules. The packets are then further sorted by a second engine. In one embodiment, the engine further sorts the initially denied packets into allowed packets and denied packets, using dynamically generated rules. The denied packets are dropped and the allowed packets are permitted to enter the network.
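As an added illustration (not the patent's or Juniper's code), the following models the rule structure from the Background (source/destination address, UDP/TCP port value or range, transport protocol, first match in linear order) and the two-stage screening of this Summary: a fixed rule set decides the initially allowed packets, and only the initially denied packets are re-examined against a small, dynamically generated rule set. The dynamic-rule policy used here, permitting the reverse flow of a packet the fixed rules allowed, is an assumption chosen to show how address and port information is extracted from traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    src: str                 # CIDR; "0.0.0.0/0" matches any address
    dst: str
    proto: Optional[str]     # None matches any transport protocol
    sport: Tuple[int, int]   # inclusive port range; (0, 65535) means "any"
    dport: Tuple[int, int]
    action: str              # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.sport[0] <= p.sport <= self.sport[1]
                and self.dport[0] <= p.dport <= self.dport[1])

def acl_search(rules: List[Rule], p: Packet) -> Optional[str]:
    """Linear search in rule order; the first matching rule decides, else None."""
    return next((r.action for r in rules if r.matches(p)), None)

class TwoStageFirewall:
    def __init__(self, fixed: List[Rule]):
        self.fixed = fixed              # stage 1: static ACL
        self.dynamic: List[Rule] = []   # stage 2: rules generated at run time

    def screen(self, p: Packet) -> str:
        if acl_search(self.fixed, p) == "allow":
            self._learn_reply(p)        # assumed policy: admit the reply flow
            return "allow"              # initially allowed: no second stage
        # initially denied packets are re-examined against dynamic rules only
        return acl_search(self.dynamic, p) or "deny"

    def _learn_reply(self, p: Packet) -> None:
        # Exact reverse 5-tuple extracted from the allowed packet (assumption).
        self.dynamic.append(Rule(p.dst + "/32", p.src + "/32", p.proto,
                                 (p.dport, p.dport), (p.sport, p.sport), "allow"))

ANY = (0, 65535)
# Constructed sample policy: internal hosts may open TCP/80 to anywhere.
FIXED = [Rule("10.0.0.0/8", "0.0.0.0/0", "tcp", ANY, (80, 80), "allow")]
fw = TwoStageFirewall(FIXED)
```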
Likewise, the method includes the step of sorting incoming IP packets into initially allowed and initially denied packets using a fixed set of rules. The packets are then further sorted. In one embodiment, additional steps include sorting the initially denied packets into allowed packets and
Ke Yan
Mao Yuming
Xie Ken
Fish & Richardson P.C.
Juniper Networks, Inc.
Wright Norman M.