Electrical computers and digital processing systems: multicomput – Computer-to-computer session/connection establishing
Reexamination Certificate
1999-10-22
2003-06-03
Barot, Bharat (Department: 2154)
Electrical computers and digital processing systems: multicomput
Computer-to-computer session/connection establishing
C709S224000, C709S225000, C709S229000, C713S151000, C713S164000, C713S152000
Reexamination Certificate
active
06574666
ABSTRACT:
FIELD OF THE INVENTION
The field of the invention is information systems access control, and in particular the dynamic loading of a rule in a firewall.
BACKGROUND OF THE INVENTION
A firewall regulates the flow of packetized information. A packet includes a header and a payload. The header includes header parameters, such as a source address and destination address for the packet, as well as source and destination port numbers and a protocol number, flags, priority parameters, security information, etc. The payload includes the data meant to be conveyed by the packet from its source to its intended destination. A known firewall is placed between the packet's source and intended destination, where it intercepts the packet. The known firewall filters a packet based upon the packet's header parameters and a rule loaded into the firewall. The rule correlates a pattern in the header of a packet with a prescribed action, either PASS or DROP. The filter identifies the rule that applies to the packet based upon the packet's header, and then implements the rule's prescribed action. When a DROP action is performed, the packet is blocked (deleted), and does not reach its intended destination. When a PASS action is performed, the packet is passed on toward its intended destination. The set of rules loaded into a firewall reflects a security policy, which prescribes what type of information is permissible to pass through the firewall, e.g., from which source, to which destination, for which applications, etc.
The set of rules loaded into a known firewall is static. The rules must typically be loaded with the intervention of a system administrator, and any changes to the rule set (additions, deletions, modifications) must also be implemented by the administrator. This disadvantageously limits the flexibility of the firewall to respond to changes in the security policy which it implements. Also, the firewall must disadvantageously store the entire set of rules implementing the security policy because the rules must be loaded manually. This is inefficient because it can require a large amount of memory resources, and increase the processor time needed to search for and locate a rule that applies to a given packet.
U.S. patent application Ser. No. 08/785,501, System and Method for Providing Peer-Level Access control on a Network, filed Jan. 17, 1997 now U.S. Pat. No. 6,233,686, discloses a firewall that dynamically loads a rule pertinent to the security policy of a peer when the peer is authenticated (e.g., logs on), and then deletes the rule when the peer logs off. Thus, for example, the rules pertaining to a peer are only stored at the firewall when the peer is logged on. This economically saves memory resources and reduces the search time and processor load to find a rule for a given packet. It also allows for greater flexibility because the peer rule set can be changed (e.g., by the peer) between the times it is loaded into the firewall.
Although the Peer-Level Access invention is more efficient and flexible than known firewalls, further improvements are needed in both areas. For example, while the peer's rule set is loaded at the filter, only a small fraction of the rules may actually be implemented, depending upon the type of packets received at the firewall. The rules that are loaded but not needed during a session (e.g., the time between peer logon and log off) disadvantageously increase processor time during rule searches and absorb memory resources at the firewall unnecessarily.
SUMMARY OF THE INVENTION
In accordance with an embodiment of the present invention, a rule is loaded at a firewall when it is needed to prescribe an action with respect to a packet that is received. When the packet is received, the rules loaded at the firewall are searched for a rule that is pertinent to the received packet. If no such rule is found, then a pertinent rule is retrieved from a source external to the firewall, and loaded at the firewall. The firewall then implements the rule with respect to the packet. In one embodiment, the packet is either allowed to pass on to its intended destination, or dropped, in accordance with the action prescribed by the retrieved rule. When the rule expires (e.g., no further packets are received that correspond to the rule), the rule is deleted. This advantageously minimizes the amount of memory resources required to keep a current set of rules at the firewall. It also advantageously reduces the load on the processor at the firewall by reducing the number of rules that must be searched to find a rule that pertains to a received packet. Latency is advantageously reduced because a pertinent rule can be found more quickly when it is stored at the firewall.
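The following is an added, illustrative example of the load-on-miss scheme described in the summary (it is not the patent's or AT&T's code). It models the header patterns and PASS/DROP rules of the background section, a stand-in `PolicyStore` for the external rule source, and a `LazyFirewall` that fetches a rule only when no loaded rule covers the received packet and deletes it once it has gone idle. The idle timeout as the expiry criterion, the fail-closed DROP when no pertinent rule exists anywhere, and all addresses and rules are assumptions constructed for the example.

```python
"""Lazy firewall rule loading: fetch a rule from an external policy store on
first use, keep it while packets keep matching it, delete it once it goes idle.
Illustrative example only; not the patent's or AT&T's code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FIELDS = ("src", "dst", "proto", "sport", "dport")
FlowKey = Tuple[str, str, str, int, int]


@dataclass(frozen=True)
class Rule:
    """A header pattern plus a prescribed action. None is a wildcard."""
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[str]
    sport: Optional[int]
    dport: Optional[int]
    action: str  # "PASS" or "DROP"

    def matches(self, pkt: dict) -> bool:
        return all(getattr(self, f) in (None, pkt[f]) for f in FIELDS)


class PolicyStore:
    """Stands in for the external rule source (e.g. a policy server).
    Rules are ordered: the first match wins, as in a conventional rule list."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.fetches = 0  # how often the firewall had to go external

    def lookup(self, pkt: dict) -> Optional[Rule]:
        self.fetches += 1
        return next((r for r in self.rules if r.matches(pkt)), None)


class LazyFirewall:
    def __init__(self, store: PolicyStore, idle_timeout: float):
        self.store = store
        self.idle_timeout = idle_timeout  # assumption: expiry = idle time
        # Loaded rules are indexed by the exact header tuple that pulled them
        # in, so a cached wildcard rule can never shadow a higher-priority rule
        # that has not been loaded yet (precedence stays with the store).
        self.flows: Dict[FlowKey, Rule] = {}
        self.last_used: Dict[Rule, float] = {}

    @staticmethod
    def key(pkt: dict) -> FlowKey:
        return tuple(pkt[f] for f in FIELDS)

    def expire(self, now: float) -> int:
        """Delete rules that have seen no matching packet for idle_timeout."""
        stale = {r for r, t in self.last_used.items()
                 if now - t >= self.idle_timeout}
        for r in stale:
            del self.last_used[r]
        self.flows = {k: r for k, r in self.flows.items() if r not in stale}
        return len(stale)

    def filter(self, pkt: dict, now: float) -> Tuple[str, str]:
        """Return (action, how) where how is 'hit', 'miss' or 'default'."""
        self.expire(now)
        k = self.key(pkt)
        rule = self.flows.get(k)
        if rule is None:
            rule = self.store.lookup(pkt)
            if rule is None:
                # Assumption: no pertinent rule anywhere means fail closed.
                return "DROP", "default"
            self.flows[k] = rule
            how = "miss"
        else:
            how = "hit"
        self.last_used[rule] = now
        return rule.action, how


def demo() -> dict:
    """Constructed traffic against a constructed policy (all values made up)."""
    store = PolicyStore([
        Rule("10.0.0.5", "10.0.1.20", "tcp", None, 22, "DROP"),  # one host blocked
        Rule(None, "10.0.1.20", "tcp", None, 22, "PASS"),        # ssh for others
        Rule(None, None, "udp", None, 53, "PASS"),               # dns
    ])
    fw = LazyFirewall(store, idle_timeout=30.0)
    ssh_from_5 = dict(src="10.0.0.5", dst="10.0.1.20", proto="tcp", sport=40000, dport=22)
    ssh_from_7 = dict(src="10.0.0.7", dst="10.0.1.20", proto="tcp", sport=40001, dport=22)
    telnet = dict(src="10.0.0.7", dst="10.0.1.20", proto="tcp", sport=40002, dport=23)
    out = {}
    out["first"] = fw.filter(ssh_from_5, now=0.0)    # external fetch, then DROP
    out["second"] = fw.filter(ssh_from_5, now=1.0)   # served from the loaded rule
    out["other"] = fw.filter(ssh_from_7, now=2.0)    # different rule, fetched
    out["unknown"] = fw.filter(telnet, now=3.0)      # no rule anywhere: DROP
    out["loaded_before"] = len(fw.last_used)
    fw.expire(now=100.0)                             # both rules idle: deleted
    out["loaded_after"] = len(fw.last_used)
    out["fetches"] = store.fetches
    return out
```

Two design points worth noting. Keying the loaded set by the exact header tuple rather than by the rule's pattern keeps the store's rule precedence intact; if the firewall instead matched packets against cached wildcard patterns, a lower-priority rule already loaded could be applied to a packet that a higher-priority, not-yet-loaded rule should have caught. Second, the external fetch sits on the data path, so the policy server's latency and availability become part of enforcement (fail closed if it cannot be reached), and a sender that varies header tuples can force a fetch per packet and grow the loaded set, so a production implementation bounds that set.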
REFERENCES:
patent: 5473607 (1995-12-01), Hausman et al.
patent: 5896499 (1999-04-01), McKelvey
patent: 6141749 (2000-10-01), Coss et al.
patent: 6154775 (2000-11-01), Coss et al.
patent: 6170012 (2001-01-01), Coss et al.
patent: 6212184 (2001-04-01), Venkatachary et al.
patent: 6233686 (2001-05-01), Zenchelsky et al.
patent: 6308276 (2001-10-01), Ashdown et al.
patent: 6321338 (2001-11-01), Porras et al.
patent: 0 762 707 (1997-08-01), None
patent: 95/05549 (1996-02-01), None
Bellovin, S. M., "Network Firewalls", IEEE Communications Magazine, vol. 32, no. 9, Sep. 1, 1994, pp. 50-57, XP000476555; p. 52, col. 1, ln. 60; p. 54, col. 2, ln. 30.
Dutta Partha P.
Vrsalovic Dalibor F.
AT&T Corp.
Barot Bharat