Personalized firewall

US 20030118038A1
Filed: 11/22/2002
Published: 06/26/2003
Est. Priority Date: 11/29/2001
Status: Active Grant

First Claim

Patent Images

1. A method of matching a data packet to a rule in a network gateway having a rule base, comprising determining one or more identification values on the basis of the data packet, querying and receiving property value(s) associated with said one or more identification values, comparing said property value(s) to at least one rule in the rule base, said at least one rule comprising property value(s) and an action, and taking the action defined in said at least one rule, if said property value(s) of the rule match corresponding property value(s) associated with said one or more identification values.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A personalized firewall or other network gateway is provided by a method of matching a data packet to a rule in a network gateway having a rule base. One or more identification values are determined (302) on the basis of the data packet and property value(s) associated with said one or more identification values are queried (304) and received from a property server. The property value(s) describe for example allowed connections and services for an entity associated with the identification value(s). The property value(s) are compared (306) to at least one rule in the rule base, said at least one rule comprising property value(s) and an action, and the action defined in said at least one rule is taken (310), if said property value(s) of the rule match corresponding property value(s) associated with said one or more identification values.

70 Citations

View as Search Results

21 Claims

1. A method of matching a data packet to a rule in a network gateway having a rule base, comprising determining one or more identification values on the basis of the data packet, querying and receiving property value(s) associated with said one or more identification values, comparing said property value(s) to at least one rule in the rule base, said at least one rule comprising property value(s) and an action, and taking the action defined in said at least one rule, if said property value(s) of the rule match corresponding property value(s) associated with said one or more identification values.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. A method according to claim 1, wherein the property value(s) are queried from a predefined property server.
  - 3. A method according to claim 2, further comprising storing in the network gateway the received property value(s) together with the one or more identification values, and wherein the step of querying comprises using the already stored property value(s), if the property value(s) associated with the one or more identification values are already stored in the network gateway, and otherwise querying the property value(s) from the property server.
  - 4. A method according to claim 3, further comprising requesting the property server to send a notification, if the property value(s) that are stored in the network gateway are updated in the property server, receiving from the property server a notification comprising updated property value(s) and the one or more associated identification values, and replacing the respective property value(s) in the network gateway with the updated property value(s).
  - 5. A method according to claim 3, further comprising querying and receiving from the property server the current value of a specific property value that is stored in the network gateway after a predefined time has elapsed since the specific property value was queried the last time, and replacing the specific property value in the network gateway with the received current value.
  - 6. A method according to claim 3, further comprising querying and receiving from the property server the current values of the property values that are stored in the network gateway after a predefined time has elapsed since the property values were queried the last time, and replacing the respective property value(s) in the network gateway with the received current value(s).
  - 7. A method according to claim 3, further comprising querying and receiving from the property server the current values of the property values that have been updated in the property server during a certain time period, and if a current value is received for a property value, which is stored in the network gateway, replacing the property value in the network gateway with the current value.
  - 8. A method according to claim 1, wherein determining said one or more identification values comprises extracting one or more characterizing values from the data packet and mapping the characterizing value(s) to one or more identification values.
  - 9. A method according to claim 1, wherein determining said one or more identification values comprises extracting one or more characterizing values from the data packet and using the one or more characterizing values as the one or more identification values.
  - 10. A method according to claim 1, wherein the rule is an access rule, a network address translation rule, load balancing or a traffic prioritization rule.
  - 11. A method according to claim 1, wherein the identification parameter to be used for querying property value(s) is defined in a rule of the rule base.
  - 12. A method according to claim 1, wherein identification value is a source address, a destination address, a source port, a destination port, a user identifier, or a subscriber number.
  - 13. A method according to claim 1, wherein a characterizing value is a source address, a destination address, a source port, a destination port, a user identifier, or a subscriber number.
  - 14. A method according to claim 1, wherein the property value(s) indicate a combination of allowed and/or disallowed services.
  - 15. A method according to claim 1, wherein the property value(s) indicate, if the identification value(s) are associated with a registered user or with a specific company.
  - 16. A method according to claim 1, wherein the property value(s) indicate provided services.
  - 17. A method according to claim 1, wherein the property value(s) indicate, if the identification value(s) are associated with a network address translation (NAT) rule.
  - 18. A method according to claim 1, wherein the property values are coded into a bit sequence, wherein one bit corresponds the value of one property.

19. A network gateway comprising memory for a rule base, and mechanism for matching a data packet to a rule of the rule base, said mechanism including mechanism for determining one or more identification values on the basis of the data packet, mechanisms for querying and receiving property value(s) associated with said one or more identification values, mechanism for comparing said property value(s) to at least one rule in the rule base, said at least one rule comprising property value(s) and an action, and mechanism for taking the action defined in said at least one rule, if said property value(s) of the rule match corresponding property value(s) associated with said one or more identification values.

20. A property server, comprising memory for storing property value(s) in association with one or more identification values, mechanism for receiving from a network gateway a query for property value(s) associated with certain one or more identification values, mechanism for sending to the network gateway the property value(s) associated with certain one or more identification values as a response to the query, to be used in the network gateway for matching a data packet to a rule, said one or more identification values having been determined on the basis of the data packet, mechanism for receiving from the network gateway a request to send a notification, if the property value(s) associated to certain identification values are updated in the property server, and mechanism for sending said notification to the network gateway, as a response to receiving updated property value(s) associated to said certain identification values, said notification comprising the updated property value(s) and the associated identification values.

21. A computer-readable medium, containing a computer software which, when executed in a computer device having a rule base, causes the computer device to provide a routine of matching a data packet to a rule of the rule base, said routine comprising determining one or more identification values on the basis of the data packet, querying and receiving property value(s) associated with said one or more identification values, comparing said property value(s) to at least one rule in the rule base, said at least one rule comprising property value(s) and an action, and taking the action defined in said at least one rule, if said property value(s) of the rule match corresponding property value(s) associated with said one or more identification values.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint LLC
Original Assignee
Stonesoft Corporation
Inventors
Jalava, Mika, Syvanne, Tuomo

Granted Patent

US 8,099,776 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/401
CPC Class Codes

H04L 63/0263 Rule management

H04L 63/20 for managing network securi...

Personalized firewall

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

70 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Personalized firewall

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others