Methods and apparatus for a computer network firewall with...

Electrical computers and digital processing systems: multicomput – Computer-to-computer session/connection establishing – Network resources access controlling

Utility Patent


Details

C709S225000, C713S152000


active

06170012

ABSTRACT:

FIELD OF THE INVENTION
This invention relates to the prevention of unauthorized access in computer networks and, more particularly, to firewall protection within computer networks.
BACKGROUND OF THE INVENTION
In computer networks, information is conventionally transmitted in the form of packets. Information present at one site may be accessed by or transmitted to another site at the command of the former or the latter. Thus, e.g., if information is proprietary, there is a need for safeguards against unauthorized access. To this end, techniques known as packet filtering, effected at a network processor component known as a firewall, have been developed and commercialized. At the firewall, packets are inspected and filtered, i.e., passed on or dropped depending on whether they conform to a set of predefined access rules. Conventionally, these rule sets are represented in tabular form.
Typically, a firewall administrator allows broad access which is consented to from one side of the firewall to the other, but blocks transmissions in the opposite direction which are not part of an active network session. For example, “inside” company employees may have unrestricted access through the firewall to an “outside” network such as the Internet, but access from the Internet is blocked unless it has been specifically authorized. In addition to such a firewall at a corporate boundary to the Internet, firewalls can be interposed between network domains, and can also be used within a domain to protect sub-domains. In each case, different security policies may be involved.
In certain complex network protocols, separate, additional network sessions are required from the outside back to the user. One such complex protocol is employed by a service known by the trade name “RealAudio.” Without special measures, the request for the separate session will be blocked by the firewall.
For such complex protocols, separate “proxy” processes have been developed to run concurrently on the firewall processor on behalf of the user. Proxy processes have also been developed for other special-purpose applications, e.g., to perform services such as authentication, mail handling, and virus scanning.
Because the capacity of a firewall processor to support concurrent processes is limited, it is desirable to minimize the need for proxy processes on the firewall so as to maximize the number of sessions that can run concurrently. Minimizing proxy processes is also desirable in the interest of over-all transmission rate, since passing incoming data through separate processes tends to slow transmission down.
SUMMARY OF THE INVENTION
The present invention provides techniques for implementing computer network firewalls so as to improve processing efficiency, improve security, increase access rule flexibility, and enhance the ability of a firewall to deal with complex protocols. In accordance with a first aspect of the invention, a computer network firewall is able to support (a) multiple security policies, (b) multiple users, or (c) multiple security policies as well as multiple users, by applying any one of several distinct sets of access rules for a given packet. The particular rule set that is applied for any packet can be determined based on information such as the incoming and outgoing network interfaces as well as the network source and destination addresses.
In accordance with a second aspect of the invention, a computer network firewall can be configured to utilize “stateful” packet filtering which improves performance by storing the results of rule processing applied to one or more packets. Stateful packet filtering may be implemented by caching rule processing results for one or more packets, and then utilizing the cached results to bypass rule processing for subsequent similar packets. For example, the results of applying a rule set to a particular packet of a network session may be cached, such that when a subsequent packet from the same network session arrives in the firewall, the cached results from the previous packet are used for the subsequent packet. This avoids the need to apply the rule set to each incoming packet.
In accordance with a third aspect of the invention, a computer network firewall authorizes or prevents certain network sessions using a dependency mask which can be set based on session data items such as source host address, destination host address, and type of service. The dependency mask can be used to query a cache of active sessions being processed by the firewall, to thereby identify the number of sessions that satisfy the query. The query may be associated with an access rule, such that the selection of that particular rule is dependent on the number of successful matches to the query.
In accordance with a fourth aspect of the invention, a computer network firewall may make use of dynamic rules which are added to a set of access rules for processing packets. The dynamic rules allow a given rule set to be modified based on events happening in the network without requiring that the entire rule set be reloaded. Exemplary dynamic rules include a “one-time” rule which is only used for a single session, a time-limited rule which is used only for a specified time period, and a threshold rule which is used only when certain conditions are satisfied. Other types of dynamic rules include rules which define a host group, such that the host group can be modified to add or drop different hosts without altering other aspects of the access rule set.
In accordance with a fifth aspect of the invention, a computer network firewall can be instructed to redirect a network session to a separate server for processing, so as to unburden the firewall of application proxies. The separate server processes the redirected network session, and then passes the session back through the firewall to the intended original destination.
The computer network firewalls of the present invention facilitate firewall processing in a wide variety of important applications. For example, the invention may be implemented in a dial-up access gateway. Another exemplary embodiment of the invention may be implemented in a distributed manner with a first portion of the firewall resident in the network and a second portion of the firewall resident in a set-top box, computer or other user terminal in a home or business. The latter embodiment can allow the firewall techniques of the invention to provide, for example, parental control of Internet and video access in the home. These and other features and advantages of the present invention will become more apparent from the accompanying drawings and the following detailed description.


