Method for indexing a plurality of policy filters
Abstract
A preprocessor used in conjunction with a network firewall is disclosed. The preprocessor creates a first index for identifying a plurality of filters installed in the firewall. The preprocessor maintains statistics including selected criteria and corresponding values for the installed filters. When the value for the selected criteria exceeds a threshold value, the preprocessor creates a second index and moves a subset of filters from the first index to the second index.
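An added sketch of the procedure the abstract describes, not code from the patent. The index types (a linear list first, then a hash table keyed on destination port), the selected criterion (a filter names an exact port), the threshold of 3 and all class and field names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Filter:
    name: str
    dst_port: Optional[int]  # None means the filter wildcards this field
    action: str

class FilterIndexer:
    THRESHOLD = 3  # assumed value; the abstract does not give one

    def __init__(self):
        self.first_index = []      # first index type (assumed): linear list
        self.second_index = None   # second index type (assumed): hash on dst_port
        self.exact_port_count = 0  # statistic: first-index filters with an exact port

    def add(self, f):
        # Once the second index exists, exact-port filters go straight into it.
        if self.second_index is not None and f.dst_port is not None:
            self.second_index.setdefault(f.dst_port, []).append(f)
            return
        self.first_index.append(f)
        if f.dst_port is not None:
            self.exact_port_count += 1
            if self.exact_port_count > self.THRESHOLD:
                self._split()

    def _split(self):
        # Create the second index, move the subset, drop it from the first index.
        self.second_index, keep = {}, []
        for f in self.first_index:
            if f.dst_port is None:
                keep.append(f)
            else:
                self.second_index.setdefault(f.dst_port, []).append(f)
        self.first_index = keep
        self.exact_port_count = 0

    def match(self, dst_port):
        # Hash lookup for exact-port filters, then scan what is left in the list.
        hits = list((self.second_index or {}).get(dst_port, []))
        hits += [f for f in self.first_index if f.dst_port in (None, dst_port)]
        return [f.name for f in hits]

def demo():
    idx = FilterIndexer()
    for i, port in enumerate([22, 80, None, 443, 8080]):  # constructed sample filters
        idx.add(Filter(f"f{i}", port, "permit"))
    return idx
```

With the constructed filters, the fourth exact-port filter pushes the count past the threshold, so the four exact-port filters move to the hash index and only the wildcard filter stays in the list.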
26 Claims
1. A method for dynamically creating and maintaining a set of indices in a computer, wherein the indices identify a plurality of filters defining a network policy and wherein the indices are used by a firewall to identify a matching filter, comprising:
creating a first index conforming to a first index type;
identifying, in the first index, a first set of filters, each filter in the first set of filters specifying network packets subject to the network policy;
maintaining statistics including a selected criteria and a corresponding value, wherein the value identifies a number of filters from the first set of filters meeting the selected criteria;
determining that the corresponding value exceeds a threshold value;
creating a second index conforming to a second index type;
identifying, in the second index, a second set of filters, wherein the second set of filters are a subset of the first set of filters; and
removing identification of the subset of filters from the first index.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A method for creating a filter index used to identify a plurality of filters used with a network firewall, each filter of the plurality of filters including a set of filter conditions and a filter weight, each filter condition including an individual field weight, comprising:
identifying an index type based upon the filter conditions of the plurality of filters;
identifying a subset of filter conditions to include in the index based upon an average field weight calculated from the individual field weight; and
selecting an order by which the subset of filter conditions are placed in the index.
Dependent claims: 12, 13, 14, 15
16. A computer-readable medium for executing computer-readable instructions for dynamically creating and maintaining a set of indices in a computer, wherein the indices identify a plurality of filters defining a network policy and wherein the indices are used by a firewall to identify a matching filter, comprising:
creating a first index conforming to a first index type;
identifying, in the first index, a first set of filters, each filter in the first set of filters specifying network packets subject to the network policy;
maintaining statistics including a selected criteria and a corresponding value, wherein the value identifies a number of filters from the first set of filters meeting the selected criteria;
determining that the corresponding value exceeds a threshold value;
creating a second index conforming to a second index type;
identifying, in the second index, a second set of filters, wherein the second set of filters are a subset of the first set of filters; and
removing identification of the subset of filters from the first index.
Dependent claims: 17, 18, 19, 20
21. A computer-readable medium for executing computer-readable instructions for creating a filter index used to identify a plurality of filters used with a network firewall, each filter of the plurality of filters including a set of filter conditions and a filter weight, each filter condition including an individual field weight, comprising:
identifying an index type based upon the filter conditions of the plurality of filters;
identifying a subset of filter conditions to include in the index based upon an average field weight calculated from the individual field weight; and
selecting an order by which the subset of filter conditions are placed in the index.
Dependent claims: 22, 23, 24, 25, 26
Specification