Patent number: 06173364 (Reexamination Certificate; status: active)
Classification: Electrical computers and digital processing systems: memory; Storage accessing and control; Hierarchical memories
Classification codes: C711S003000, C711S133000, C711S154000
Filed: 1997-01-15
Issued: 2001-01-09
Examiner: Thai, Tuan V. (Department: 2752)
ABSTRACT:
FIELD OF THE INVENTION
This invention relates to information systems security, particularly to a dynamic filter whose local rule bases change frequently, and more particularly to a session rule cache that effectively eliminates redundant rule base searching in such a dynamic filter.
BACKGROUND OF THE INVENTION
A common information systems security measure that regulates the flow of information between two automated information systems (AIS) is a filter. Here, the term “AIS” refers to a computer, network of computers, internetwork of computers, or any subset thereof. A computer with a network address is known as a “host.” A host may be a computer with either a fixed or temporary network address. A host with its own rules (known as a local rule base) for regulating the flow of information is called a “peer.” Information on certain AIS flows in discrete quanta called “packets.” Each packet on certain AIS has a header and a payload. The header comprises packet identification data. An example of packet identification data is a circuit identification number, which occurs in packets flowing in a circuit switched network. Another example of packet identification data is a 5-tuple consisting of a network source address and destination address, a source port and destination port, and a protocol identifier. The 5-tuple occurs in packets flowing in a connectionless packet switched network.
In accordance with the invention disclosed in co-pending application Ser. No. 08/785,501, entitled System and Method for Providing Peer Level Access Control on a Network, and filed on the same date as this application, a dynamic filter loads and stores a peer's local rule base when the peer is authenticated, and deletes (or “ejects”) the rule base when the peer loses authentication. The filter is positioned between the peer and another AIS, such that packets that flow between the peer and the AIS pass through the filter. The filter receives a packet, and then searches for rules (usually in global and local rule bases) that match the packet. A rule comprises a key and an action. The key identifies to which packets the rule applies, based upon the packet identification data of each packet. The action is generally either PASS or DROP, meaning that the packet is either forwarded to its intended destination, or else deleted. If a matching rule is found, the action prescribed by the matching rule is applied to the packet. One of the novel features of the dynamic filter is the ability to accommodate frequent changes in its local rule bases.
A filter in a typical setting is shown in FIG. 1. A corporate network 10 may wish to provide access for peers A 11, B 12 and C 13 to Internet 14, but may wish to limit the access that Internet hosts G 15, H 16 and I 17 have to the corporate network 10, which may contain trade secrets and proprietary information. The corporate network 10 places a filter 18 at the interface between the corporate network 10 and the Internet 14.
A filter operates on a packet by receiving a packet and searching for a rule whose key matches the identification data of the packet. If the received packet identification data matches the key of a rule, then the action of the rule is carried out on the packet.
In one embodiment, the filter stores rules that take the form of a 5-tuple, of similar structure to a packet's header, and an action, which is either PASS or DROP. The 5-tuple is advantageous to use because it allows the filter to distinguish packets not only based upon source and destination, but on the particular process with which the packet is involved. This is because several well-known processes (file transfer protocol, e-mail, etc.) use standard port numbers that are recognizable by the filter. Thus, in accordance with this embodiment, a filter may advantageously enforce a security policy which, for example, allows files to be transferred from host A to host B, but forbids the exchange of e-mail between the same two hosts.
An example of a rule base for corporate network 10 having peers A 11, B 12 and C 13, connected through filter 18 to the Internet 14 having hosts G 15, H 16 and I 17 is as follows:

SOURCE          DESTINATION     PROTOCOL   ACTION
Address, Port   Address, Port
A, 21           G, 32           4          PASS
A, 22           H, 19           3          DROP
G, 11           A, 64           4          DROP
C, 9            I, 23           4          PASS
This rule base is defined by the network system administrator in accordance with the security requirements of the hosts on the network.
When a packet arrives at the filter, the filter determines if the packet 5-tuple matches any rule 5-tuple. Here the rule 5-tuple is the rule key. If there is a match, the filter carries out the matching rule action, either PASS or DROP.
A filter generally has a default rule for transactions that are not explicitly specified in the rule base. Thus, if there are no matching rules in the rule base, the packet is compared to the default rule. If there is a match, then the default action is carried out, which is usually to DROP the packet. If there is no match to the default rule, then an error message is generated. In one embodiment the default rule may be structured so that all packets match the default rule so that no error message is ever generated.
By selectively passing and dropping packets between peers and hosts, the filter regulates the flow of information to and from AIS which are said to be “behind” or “protected by” the filter. In FIG. 1, the corporate network 10 is behind filter 18.
A traditional filter is only able to load and store rules through the intervention of a system administrator, a slow and cumbersome process. Indeed, the system administrator generally must hand-code rules in a format specific to the filter platform. These rules are based upon a security policy promulgated by the protected AIS. Hence, a traditional rule base is inflexible and cannot easily accommodate the changing security needs of the protected AIS.
This inflexibility often necessitates rule bases that are too broad for a given application. Without the possibility of easy updates, it is simpler to mandate global rules that apply to all AIS behind a filter rather than to load rules that apply to specific hosts. In such a case, all AIS behind the filter must conform to the most restrictive security requirements of any such AIS, resulting in overly restrictive filtering.
Even when rules are formulated to apply to individual hosts behind a firewall, such a level of access control may be insufficient. An example of this situation occurs for Internet Service Providers (ISP). An ISP has subscribers that are generally stand-alone personal computers having modems. The ISP has one or more hosts, each host connected to the Internet and having a pool of Internet Protocol (IP) addresses. When a subscriber dials in to an ISP host (called a Point-of-Presence, or POP), the POP assigns the subscriber a temporary IP address from its pool of IP addresses. This temporary address generally corresponds to the calling subscriber only for a single session of connectivity. A future session is likely to result in another IP address being assigned to the subscriber.
This is problematic because rules are based in part upon network source and destination addresses. Thus, known filters cannot effectively control access to subscribers because their IP addresses change on a session by session basis.
The dynamic filter disclosed in co-pending application Ser. No. 08/785,501, entitled System and Method for Providing Peer Level Access Control on a Network, and filed on the same date as this application, remedies this deficiency by providing a system and method by which a subscriber's rules may be dynamically loaded into the filter when the host is authenticated, and ejected when the host is no longer authenticated. While the rules are stored in the dynamic filter, the rules correspond to the subscriber's temporary IP address, and thus can be effectuated.
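To make the 5-tuple matching and default rule described above, the dynamic loading and ejection of a peer's local rule base, and the session cache that avoids repeated rule base searches concrete, here is an added Python example; it is not code from the patent or from AT&T. It assumes exact 5-tuple matching, the match-all default rule embodiment, global rules searched before local ones, and whole-cache invalidation whenever a rule base changes (a simplification of the patent's method); the subscriber "D" and its rule are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple
# Rule key: the 5-tuple (src_addr, src_port, dst_addr, dst_port, protocol);
# addresses use the page's symbolic host names ("A", "G", ...) for readability.
Key = Tuple[str, int, str, int, int]

# Global rule base, constructed from the rule base table on the page.
RULE_BASE: Dict[Key, str] = {
    ("A", 21, "G", 32, 4): "PASS",
    ("A", 22, "H", 19, 3): "DROP",
    ("G", 11, "A", 64, 4): "DROP",
    ("C", 9, "I", 23, 4): "PASS",
}

@dataclass
class DynamicFilter:
    global_rules: Dict[Key, str]
    # Local rule bases keyed by peer: loaded on authentication, ejected when it is lost.
    local_rules: Dict[str, Dict[Key, str]] = field(default_factory=dict)
    default_action: str = "DROP"  # match-all default rule embodiment: no match means DROP
    cache: Dict[Key, str] = field(default_factory=dict)  # session rule cache: 5-tuple -> action
    searches: int = 0  # full rule base searches actually performed

    def load_peer(self, peer: str, rules: Dict[Key, str]) -> None:
        """Peer authenticated: store its local rule base and invalidate cached decisions
        (clearing the whole cache is this example's simplification, not the patent's method)."""
        self.local_rules[peer] = rules
        self.cache.clear()

    def eject_peer(self, peer: str) -> None:
        """Peer lost authentication: eject its rules so a reassigned address cannot reuse them."""
        self.local_rules.pop(peer, None)
        self.cache.clear()

    def _search(self, key: Key) -> str:
        """The work the cache avoids: walk the global, then the local rule bases, then default."""
        self.searches += 1
        if key in self.global_rules:
            return self.global_rules[key]
        for rules in self.local_rules.values():
            if key in rules:
                return rules[key]
        return self.default_action

    def decide(self, key: Key) -> str:
        """PASS or DROP for one packet; a cache hit skips the rule base search entirely."""
        action = self.cache.get(key)
        if action is None:
            action = self.cache[key] = self._search(key)
        return action
```

The `searches` counter makes the cache's effect visible: a second packet with the same 5-tuple in the same session is decided without touching any rule base.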
The dynamic filter has yet broader application because it can also easily and dynamically change the rules in the filter for any peer, including a peer wi
Inventors: Dutta Partha P.; London Thomas B.; Siil Karl Andres; Vrsalovic Dalibor F.; Zenchelsky Daniel N.
Assignee: AT&T Corp.
Examiner: Thai Tuan V.
Title: Session cache and rule caching method for a dynamic filter