Method for high speed discrimination of policy in packet filtering type firewall system
First Claim
1. A method for high speed discrimination of a policy in a packet filtering type firewall system, the method comprising the steps of:
(A) setting policy set tables for minimizing a required time to discriminate the policy among a plurality of policies for an incoming packet, wherein the step of setting policy set tables comprising the sub-steps of;
(a1) generating a plurality of first-order policy set tables containing policy information to be compared with packet information sectioned by a predetermined bits in the packet;
(a2) pairing off the plurality of first-order policy set tables arbitrarily, and generating a plurality of second-order policy set tables constituted policy members which belong to both paired first-order policy set tables; and
(a3) generating sequentially at least one post-second order policy set tables including k-th (where 3 ≤ k, k is a natural number) order policy set tables by pairing off (k−1)-th order policy set tables arbitrarily, and generating k-th order policy set tables constituted the policy members which belong to paired (k−1)-th order policy set tables in common; and
(B) discriminating the policy firstly conformed to each condition of the fields of the incoming packet information from the plurality of policies as a final policy corresponding to the packet, wherein the step of discriminating a policy comprising the steps of;
(b1) sectioning the packet to obtain the packet sections, and extracting the packet variables which is an object to be compared with the policy information contained in the first-order policy set tables; and
(b2) querying to the first through K-th order policy set tables sequentially by using the index values corresponding to the packet variables extracted from the packet sections obtained by sectioning the packet with the predetermined bits, and discriminating the final policy by using the queried index values.
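The two-stage procedure claimed above, carried through in working code as an added example; this is not code from the patent or its assignee. It assumes a header of four fields (source address, destination address, protocol, destination port) sectioned into 8-bit pieces as the "predetermined bits"; rules written as value/mask matches (CIDR prefixes, exact values, wildcards); first-order tables paired in adjacent order rather than "arbitrarily" (any pairing yields the same final intersection); and equivalence-class ids as the "index values", so that each k-th order table is indexed by a pair of (k−1)-th order ids and stays small. The names PolicyTables, section, rule, packet and linear_match are this example's own.

```python
"""Hierarchical policy-set tables for a packet filter (added example, not the patent's code).
Rules are in priority order and the first match wins. Every field is a (value, mask)
match, so CIDR prefixes, exact values and wildcards section exactly into bytes; a port
range would have to be expanded into prefixes first (an assumption of this example)."""
from itertools import product

FIELDS = (("src", 32), ("dst", 32), ("proto", 8), ("dport", 16))  # header fields, width in bits
CHUNK = 8                                   # the "predetermined bits" of one packet section
CHUNK_MASK = (1 << CHUNK) - 1

def ip2int(addr):
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")

def cidr(spec):
    """'10.0.0.0/8' -> (value, mask) over 32 bits; '*' -> wildcard."""
    if spec == "*":
        return (0, 0)
    addr, _, plen = spec.partition("/")
    plen = int(plen) if plen else 32
    mask = ((1 << plen) - 1) << (32 - plen)
    return (ip2int(addr) & mask, mask)

def exact(spec, width):
    return (0, 0) if spec == "*" else (int(spec), (1 << width) - 1)

def rule(src, dst, proto, dport):
    return (cidr(src), cidr(dst), exact(proto, 8), exact(dport, 16))

def packet(src, dst, proto, dport):
    return (ip2int(src), ip2int(dst), proto, dport)

def section(fields):
    """CHUNK-bit sections, MSB first; a packet field is an int, a rule field a (value, mask) pair."""
    out = []
    for f, (_, width) in zip(fields, FIELDS):
        for shift in range(width - CHUNK, -1, -CHUNK):
            out.append(tuple((p >> shift) & CHUNK_MASK for p in f) if isinstance(f, tuple)
                       else (f >> shift) & CHUNK_MASK)
    return out

class PolicyTables:
    """Step (A): a policy set is a bitvector (bit i set = rule i still a candidate); each table
    maps its index to an equivalence-class id and keeps one bitvector per class."""
    def __init__(self, rules):
        rule_secs = [section(fields) for fields, _ in rules]
        # (a1) one first-order table per packet section, indexed by the section's value
        self.first = []
        for j in range(len(rule_secs[0])):
            classes, table = {}, []
            for v in range(1 << CHUNK):
                bv = 0
                for i, secs in enumerate(rule_secs):
                    val, mask = secs[j]
                    if (v & mask) == val:
                        bv |= 1 << i
                table.append(classes.setdefault(bv, len(classes)))
            self.first.append((table, list(classes)))  # list(classes): class id -> bitvector
        # (a2)/(a3) pair adjacent tables and intersect their sets until one table remains
        self.tree, current = [], self.first
        while len(current) > 1:
            pairs = []
            for a in range(0, len(current) - 1, 2):
                bvs1, bvs2 = current[a][1], current[a + 1][1]
                classes, table = {}, {}
                for c1, c2 in product(range(len(bvs1)), range(len(bvs2))):
                    table[(c1, c2)] = classes.setdefault(bvs1[c1] & bvs2[c2], len(classes))
                pairs.append((table, list(classes)))
            carry = len(current) % 2 == 1            # an unpaired table is carried up unchanged
            self.tree.append((pairs, carry))
            current = pairs + ([current[-1]] if carry else [])
        self.top_bvs = current[0][1]

    def classify(self, pkt):
        """Step (B): index of the first matching rule, or None when nothing matches."""
        # (b1) section the packet and query each first-order table with the section value
        cls = [table[v] for (table, _), v in zip(self.first, section(pkt))]
        # (b2) walk the higher-order tables with the queried index values
        for pairs, carry in self.tree:
            nxt = [table[(cls[2 * a], cls[2 * a + 1])] for a, (table, _) in enumerate(pairs)]
            cls = nxt + ([cls[-1]] if carry else [])
        bv = self.top_bvs[cls[0]]
        return None if bv == 0 else (bv & -bv).bit_length() - 1  # lowest bit = highest priority

def linear_match(rules, pkt):
    """Reference first-match scan; the table lookup must agree with it on every packet."""
    for i, (fields, _) in enumerate(rules):
        if all((v & mask) == val for v, (val, mask) in zip(pkt, fields)):
            return i
    return None

RULES = [  # constructed sample rule set, highest priority first
    (rule("10.0.0.0/8", "192.168.1.10/32", "6", "22"), "ACCEPT"),  # SSH to bastion from intranet
    (rule("*", "192.168.1.10/32", "6", "22"), "DROP"),             # SSH to bastion from elsewhere
    (rule("*", "192.168.1.0/24", "6", "443"), "ACCEPT"),           # HTTPS to the DMZ
    (rule("*", "*", "1", "*"), "ACCEPT"),                          # ICMP
    (rule("*", "*", "*", "*"), "DROP"),                            # default deny
]
```

With these assumptions a lookup costs eleven first-order reads plus one read per pairing, regardless of how many rules are loaded; all the set intersections were paid for when the tables were built. Before trusting a table set, run classify and linear_match side by side over a corpus of packets: the two must agree on every one, because a mask match on the whole field decomposes exactly into mask matches on its byte sections. That exactness is also why range fields are the caveat: matching a port range byte by byte over-approximates it, so ranges have to be rewritten as a union of prefixes (several rules) before the first-order tables are generated.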
2 Assignments
0 Petitions
Abstract
The step of setting policy set tables includes the steps of generating one or more first-order policy set tables corresponding to one or more sections of packet information, respectively, each of said first-order policy set tables containing at least one policy set having a predetermined number of policy members related to the corresponding section of the packet information; and pairing off said plurality of policy set tables to generate next-order policy set tables with all possible intersections of the paired first-order policy set tables. The step of discriminating the policy includes the steps of extracting one or more sections of packet information related to the policy information from the incoming packet; and querying each of the generated policy set tables with the respective index values corresponding to each of the extracted packet information sections to discriminate the final policy for the incoming packet.
13 Claims: independent claim 1 (reproduced above) and dependent claims 2 through 13.