Controlled information flow between communities via a firewall
Abstract
A method and mechanism for controlling information flow in a firewall. A firewall controls the flow of information between different communities. The enforcement method and mechanism use a database of associations between network addresses and sets of communities. Upon receiving an incoming data packet, a packet community set (PCS) is determined for the data packet. If the PCS is not a subset of the interface community set (IFCS) of the interface upon which the data packet was received, the data packet is discarded. Otherwise, a firewall rule match is determined for the data packet. If a rule match is detected, the PCS attribute of the matching rule is compared to the PCS of the data packet. If the PCS attribute of the rule matches the PCS of the data packet and the rule indicates the data packet is to be forwarded, the PCS of the data packet is changed to a second PCS indicated by the matching rule. If the new PCS of the data packet is a subset of the IFCS of the interface upon which the data packet is to be output, the data packet is transmitted. Otherwise, the data packet is discarded.
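The forwarding pipeline the abstract describes (ingress IFCS check, rule match, PCS attribute comparison, relabelling to the rule's second PCS, egress IFCS check), as an added illustrative model in Python. This is not the patent's implementation and not code from the page. The prefix-based rule match keys, the route table, first-match rule ordering, the empty PCS for unknown sources, default-deny when no rule matches, and discarding on a PCS-attribute mismatch are all assumptions; the abstract leaves those details open. The sample addresses, communities and rules are constructed. The third case shows the security point of the ingress subset check: a packet that arrives on the public-facing interface carrying a source address associated with an inside community is dropped before any rule is consulted.

```python
"""Illustrative model of the community-set forwarding pipeline from the abstract (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

CommunitySet = FrozenSet[str]


@dataclass(frozen=True)
class Rule:
    src: str                                 # source prefix the rule matches (assumed match key)
    dst: str                                 # destination prefix the rule matches (assumed match key)
    pcs: CommunitySet                        # PCS attribute the packet's PCS must equal
    forward: bool                            # True: forward, False: drop
    new_pcs: Optional[CommunitySet] = None   # second PCS the packet takes when forwarded


@dataclass(frozen=True)
class Decision:
    action: str                 # "transmit" or "discard"
    reason: str                 # which stage decided
    pcs: CommunitySet           # packet's PCS after processing
    out_if: Optional[str] = None


def in_prefix(addr: str, prefix: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


class CommunityFirewall:
    def __init__(self, ifcs: Dict[str, CommunitySet], cib: Dict[str, CommunitySet],
                 rules: List[Rule], routes: Dict[str, str]) -> None:
        self.ifcs = ifcs        # interface name -> interface community set (IFCS)
        self.cib = cib          # community information base: address prefix -> community set
        self.rules = rules      # ordered firewall rules, first match wins (assumption)
        self.routes = routes    # destination prefix -> output interface (assumption; abstract is silent on routing)

    def packet_community_set(self, src: str) -> CommunitySet:
        # PCS comes from the address -> community-set associations; unknown sources get the empty set (assumption).
        for prefix, cs in self.cib.items():
            if in_prefix(src, prefix):
                return cs
        return frozenset()

    def output_interface(self, dst: str) -> Optional[str]:
        for prefix, ifname in self.routes.items():
            if in_prefix(dst, prefix):
                return ifname
        return None

    def process(self, in_if: str, src: str, dst: str) -> Decision:
        pcs = self.packet_community_set(src)
        # Ingress check: the packet's PCS must be a subset of the receiving interface's IFCS.
        # This is what rejects a packet on the outside interface whose source claims an inside community.
        if not pcs <= self.ifcs[in_if]:
            return Decision("discard", "ingress: PCS not a subset of IFCS", pcs)
        rule = next((r for r in self.rules if in_prefix(src, r.src) and in_prefix(dst, r.dst)), None)
        if rule is None:
            return Decision("discard", "no matching rule", pcs)  # default deny (assumption)
        # The matched rule's PCS attribute must equal the packet's PCS.
        if rule.pcs != pcs:
            return Decision("discard", "rule PCS attribute mismatch", pcs)  # assumption: mismatch discards
        if not rule.forward:
            return Decision("discard", "rule action is drop", pcs)
        # Forwarding relabels the packet with the rule's second PCS.
        new_pcs = rule.new_pcs if rule.new_pcs is not None else pcs
        out_if = self.output_interface(dst)
        # Egress check: the new PCS must be a subset of the output interface's IFCS.
        if out_if is None or not new_pcs <= self.ifcs[out_if]:
            return Decision("discard", "egress: PCS not a subset of IFCS", new_pcs, out_if)
        return Decision("transmit", "forwarded", new_pcs, out_if)


def build_example() -> CommunityFirewall:
    """Constructed sample configuration: two inside communities behind eth0, the public side on eth1."""
    eng, fin, pub = frozenset({"eng"}), frozenset({"finance"}), frozenset({"public"})
    return CommunityFirewall(
        ifcs={"eth0": eng | fin, "eth1": pub},
        cib={"10.0.1.0/24": eng, "10.0.2.0/24": fin, "203.0.113.0/24": pub},
        rules=[
            # eng may reach the public network and is relabelled as public on the way out
            Rule("10.0.1.0/24", "203.0.113.0/24", eng, True, pub),
            # finance is permitted by the rule but keeps its community, so egress on eth1 fails the IFCS check
            Rule("10.0.2.0/24", "203.0.113.0/24", fin, True, fin),
        ],
        routes={"10.0.0.0/16": "eth0", "203.0.113.0/24": "eth1"},
    )


if __name__ == "__main__":
    fw = build_example()
    for in_if, src, dst in [("eth0", "10.0.1.5", "203.0.113.9"),
                            ("eth0", "10.0.2.7", "203.0.113.9"),
                            ("eth1", "10.0.1.5", "203.0.113.9"),   # inside source address seen on the outside interface
                            ("eth0", "10.0.1.5", "10.0.2.7")]:
        d = fw.process(in_if, src, dst)
        print(f"{in_if} {src}->{dst}: {d.action} ({d.reason})")
```

Note that the second case is permitted by its rule and still dropped: the egress IFCS check is independent of the rule decision, so a rule can never leak a community onto an interface whose IFCS does not include it.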
Claims (51 in total; independent claims 1, 18 and 35 shown)
1. A method of controlling information flow through a firewall, said method comprising:
determining an incoming packet community set (PCS) of a first data packet received on an interface of said firewall;
discarding said first data packet in response to detecting said PCS is not a subset of an interface community set (IFCS) of said interface; and
processing said first data packet in response to detecting said PCS is a subset of said IFCS.
(Claims 2–17, 19–34 and 36–51 are dependent claims and are not reproduced here.)
18. A node configured to act as a firewall, wherein said node comprises:
-
a processing unit, wherein said processing unit is configured to determine an incoming packet community set (PCS) of a first data packet received on an interface of said node, discard said first data packet in response to detecting said PCS is not a subset of an interface community set (IFCS) of said interface, and process said first data packet in response to detecting said PCS is a subset of said IFCS; and
a community information base coupled to said processing unit.
35. A computer network comprising:
a node configured to act as a firewall, wherein said node comprises:
a processing unit, wherein said processing unit is configured to determine an incoming packet community set (PCS) of a first data packet received on an interface of said node, discard said first data packet in response to detecting said PCS is not a subset of an interface community set (IFCS) of said interface, and process said first data packet in response to detecting said PCS is a subset of said IFCS; and
a community information base coupled to said processing unit;
a first computer network coupled to said node; and
a second computer network coupled to said node.
Specification