Method and apparatus for implementing a layer 3/layer 7 firewall in an L2 device
Abstract
Methods and apparatus for transferring packets in a packet switched communication system. A system is provided that includes an L2 device including a controller determining for each packet received whether the received packet is to be inspected, an inspection device operable to inspect and filter packets identified by the controller including using a zone specific policy and an L2 controller for transferring inspected packets in accordance with L2 header information using L2 protocols.
27 Claims
1. An L2 device in a packet switched communication system, the packet switched communication system having plural zones, each zone representing a distinct security domain and having an associated policy for use in inspecting packets entering/exiting an associated zone, the L2 device comprising:
at least one port coupled to a terminal unit included in a first security zone;
at least one port coupled to a terminal unit included in a second security zone;
a controller determining for each packet received whether the received packet is destined for another zone;
a firewall engine inspecting and filtering inter-zone packets using a zone specific policy; and
an L2 switching engine immediately transferring to a port all intra-zone packets passing through the L2 device using a table of MAC addresses and corresponding ports, and only transferring to a port inter-zone packets that are retained after the inspection by the firewall engine.
2. An L2 device in a packet switched communication system, the packet switched communication system having plural zones, each zone representing a distinct security domain and having an associated policy for use in inspecting packets entering/exiting an associated zone, the L2 device comprising:
a controller determining for each packet received whether the received packet is to be transferred intra-zone or inter-zone;
a firewall engine inspecting and filtering inter-zone packets using a zone specific policy; and
an L2 switching engine operable to immediately route to a port all intra-zone packets passing through the L2 device using a table of MAC addresses and corresponding ports, and only route to a port inter-zone packets that are retained after the inspection by the firewall engine.
3. An L2 device in a packet switched communication system, the packet switched communication system having plural zones, each zone representing a distinct security domain, the L2 device comprising:
a controller determining for each packet received whether the received packet is to be transferred inter-zone; and
a firewall engine inspecting and filtering inter-zone packets using a zone specific policy prior to routing using L2 protocols.
4. An L2 device in a packet switched communication system, the packet switched communication system having plural zones, each zone representing a distinct security domain, the L2 device comprising:
a controller determining for each packet received whether the received packet is to be transferred inter-zone; and
an inspection device inspecting and filtering inter-zone packets using a zone specific policy prior to routing using L2 protocols.
5. An L2 device in a packet switched communication system, the packet switched communication system having plural zones, each zone representing a distinct security domain, the L2 device comprising:
a controller determining for each packet received whether the received packet is to be inspected;
an inspection device inspecting and filtering packets identified by the controller including using a zone specific policy; and
an L2 controller transferring inspected packets in accordance with L2 header information using L2 protocols.
(Dependent claims 6 through 17 are not reproduced here.)
18. A method for transferring packets in a communication network, the communication network including plural zones, each zone representing a distinct security domain, the method comprising:
receiving a packet at an L2 device;
determining whether the received packet is to be transferred inter-zone; and
inspecting and filtering inter-zone packets using a zone specific policy prior to routing using L2 protocols.
19. A method for transferring packets in a communication network, the communication network including plural zones, each zone representing a distinct security domain, the method comprising:
receiving a packet at an L2 device;
determining whether the received packet is to be inspected; and
inspecting and filtering identified packets using a zone specific policy prior to transferring the packet through the L2 device using L2 protocols.
20. A method for switching packets in a communication network, the communication network including plural zones, each zone representing a distinct security domain, the method comprising:
receiving a packet at an interface of an L2 device;
determining if a destination MAC address associated with the received packet is known; and
if not, holding the received packet a predetermined amount of time without transferring the packet to any port of the L2 device, creating a probe packet that includes the unknown MAC address, and broadcasting the probe packet to all interfaces except the receiving interface.
(Dependent claims 21 through 24 are not reproduced here.)
25. A method of providing secure communications between users without requiring encryption and decryption services at a respective user, the method comprising:
identifying first and second users;
coupling the first and second users through two or more L2 devices over a communication network;
specifying a virtual private network for communications between the first and second users, the virtual private network defined between a first and second L2 device in the network;
receiving a packet at either the first or the second L2 device;
determining whether the received packet is associated with the virtual private network; and
encrypting and decrypting as appropriate identified packets using local encryption and decryption services prior to transferring the packet through the L2 device using L2 protocols.
(Dependent claim 26 is not reproduced here.)
27. A virtual private network for providing secure communications between users without requiring encryption and decryption services at a respective user, the virtual private network comprising:
first and second L2 devices coupling first and second users over a communication network where each of the first and second L2 devices includes a screening mechanism determining whether a received packet is associated with the virtual private network, and encryption and decryption services operating on packets associated with the virtual private network prior to a transfer of the packet through the L2 device using L2 protocols.
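To make the claimed forwarding logic concrete, here is an added Python model that is not code from the patent or any product: ports map to security zones, intra-zone packets are switched by the MAC table without inspection, inter-zone packets are passed only if a zone-pair policy retains them (claims 1 to 5), and an unknown destination MAC holds the packet and sends a probe instead of flooding it (claim 20). The zone names, the policy key format and the Packet fields are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    proto: str = "tcp"   # L3/L4 fields the zone policy may inspect (assumed)
    dst_port: int = 0

@dataclass
class ZoneSwitch:
    """Hypothetical model of the claimed L2 device (not the patent's own code)."""
    port_zone: dict                                  # port -> security zone
    policy: dict                                     # (src_zone, dst_zone) -> allowed {(proto, port)}
    mac_table: dict = field(default_factory=dict)    # MAC -> port, drives intra-zone switching
    held: list = field(default_factory=list)         # packets parked while a probe is outstanding
    probes: list = field(default_factory=list)       # (unknown MAC, interfaces probed)

    def learn(self, mac, port):
        self.mac_table[mac] = port

    def forward(self, pkt, in_port):
        """Return the egress port, 'HELD' for an unknown destination, or None if filtered."""
        self.learn(pkt.src_mac, in_port)
        out_port = self.mac_table.get(pkt.dst_mac)
        if out_port is None:
            # Claim 20: do not flood; hold the packet and probe every other interface
            self.held.append(pkt)
            self.probes.append((pkt.dst_mac, [p for p in self.port_zone if p != in_port]))
            return "HELD"
        src_zone, dst_zone = self.port_zone[in_port], self.port_zone[out_port]
        if src_zone == dst_zone:
            return out_port                          # intra-zone: plain MAC-table switching
        # inter-zone: only packets retained by the zone-specific policy reach a port
        if (pkt.proto, pkt.dst_port) not in self.policy.get((src_zone, dst_zone), set()):
            return None
        return out_port

    def resolve(self, mac, port):
        """Probe reply arrived: learn the MAC and re-forward the packets held for it."""
        self.learn(mac, port)
        released = [p for p in self.held if p.dst_mac == mac]
        self.held = [p for p in self.held if p.dst_mac != mac]
        return [self.forward(p, self.mac_table[p.src_mac]) for p in released]
```

Traffic between two ports of the same zone never touches the policy, which is the point of the claims: the inspection cost is paid only on the zone boundary.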