Wireless firewall with tear down messaging
Abstract
Methods of screening incoming packets are provided. A first firewall detects a tunnel formation. A second firewall maintains a list of open firewall sessions. Each tunnel has one or more associated firewall sessions. The first firewall detects variable situations, such as when the tunnel is torn down, and notifies the second firewall so that, for example, the second firewall can act to clear an associated firewall session from the firewall session list. Incoming packets that are associated with firewall sessions that have been cleared from the firewall session list may not be passed through the second firewall.
31 Claims
1. A method of screening incoming packets, comprising:
detecting a request to establish a connection from a first network to a packet data network;
detecting establishment of a tunnel, wherein the tunnel has a support node at each end of the tunnel, one of the support nodes being a gateway to the packet data network, wherein the tunnel is used to convey user traffic and the user traffic through the tunnel can have one or more associated firewall sessions on a firewall outside the tunnel;
detecting a tear down of the tunnel; and
sending a request to the firewall to clear the one or more firewall sessions.
Dependent claims: 2 to 11.
12. A method of screening incoming packets, comprising:
providing a connection from a first network to a packet data network including providing a GTP tunnel, wherein the GTP tunnel has a support node at each end of the GTP tunnel, one of the support nodes being a gateway to the packet data network;
detecting a tear down of the GTP tunnel; and
applying a policy to determine whether to request a firewall session clear at a Gi firewall.
Dependent claims: 13 to 16.
17. A method of screening incoming packets, comprising:
detecting an establishment of a firewall session between a mobile station logged onto a GPRS network and a system on a packet data network;
detecting an end to the firewall session; and
sending a request to a Gi firewall protecting the gateway support node from attacks from the packet data network to remove the firewall session from an associated firewall session list.
18. A method of screening incoming packets, comprising:
adding a firewall session identifier to a firewall session list when a new firewall session for user traffic coming from a GTP tunnel is created and when the user traffic does not belong to an existing firewall session;
receiving a message to indicate the firewall session is no longer active; and
indicating the firewall session is no longer active on the firewall session list.
Dependent claims: 19 to 21.
22. A system for screening incoming packets, comprising:
a GTP firewall having a GTP communication module; and
a Gi firewall having a Gi communication module that is operable to receive an instruction from the GTP communication module to tear down a firewall session, a firewall session list and a tear down engine that removes inactive firewall sessions from the firewall session list when the tear down engine receives the instruction from the GTP communication module.
Dependent claims: 23 to 27.
28. A method of screening incoming packets, comprising:
providing a connection from a GPRS network to a packet data network including providing a GTP firewall between support nodes in the GPRS network and a Gi Firewall between a support node operating as a gateway to the packet data network and the packet data network;
detecting a network attack originating from the packet data network at the GTP firewall; and
signaling the Gi Firewall to alert the Gi Firewall of the attack.
Dependent claims: 29 to 31.
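The mechanism the independent claims describe (a GTP firewall that tracks tunnel set-up and tear-down from GTP-C signalling and a Gi firewall that keeps a session list, clears sessions on request, consults a policy before clearing, and receives attack alerts) modelled as a small Python simulation. This is an added example, not code from the patent or its assignee. The GTPv1-C message type numbers are the ones defined in 3GPP TS 29.060; everything else is an assumption for illustration: the message fields, keying Gi sessions on the end-user IP address that the gateway assigned to the mobile station, the `clear_policy` hook, and the heuristic that GTP signalling arriving from the packet-data-network side counts as an attack.

```python
"""Toy model of the tear-down messaging in claims 1, 12, 18, 22 and 28.
Added example, not code from the patent. Message fields, the policy hook, the
attack heuristic and keying Gi sessions on the end-user IP are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# GTPv1-C message types (3GPP TS 29.060) that mark tunnel set-up and tear-down.
CREATE_PDP_CONTEXT_RESPONSE = 17
DELETE_PDP_CONTEXT_REQUEST = 20

Flow = Tuple[str, str, str, int, int]   # src_ip, dst_ip, proto, src_port, dst_port


@dataclass(frozen=True)
class GtpControlMessage:
    msg_type: int
    teid: int                    # tunnel endpoint identifier (simplified: one per tunnel)
    end_user_ip: str             # address the gateway assigned to the mobile station
    from_pdn_side: bool = False  # assumed: which interface the message arrived on


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int

    def flow(self) -> Flow:
        return (self.src_ip, self.dst_ip, self.proto, self.src_port, self.dst_port)

    def reverse_flow(self) -> Flow:
        return (self.dst_ip, self.src_ip, self.proto, self.dst_port, self.src_port)


class GiFirewall:
    """Stateful firewall between the gateway support node and the packet data network."""
    def __init__(self) -> None:
        self.session_list: Dict[Flow, str] = {}   # flow (mobile -> PDN) -> end-user IP
        self.alerts: List[str] = []

    def outbound(self, pkt: Packet) -> None:
        # Claim 18: record a session when user traffic from the tunnel does not
        # belong to an existing session.
        self.session_list.setdefault(pkt.flow(), pkt.src_ip)

    def inbound(self, pkt: Packet) -> bool:
        # A packet from the PDN passes only if it matches an active session.
        return pkt.reverse_flow() in self.session_list

    def tear_down(self, end_user_ip: str) -> int:
        # Tear-down engine (claim 22): remove every session that belonged to the tunnel.
        stale = [f for f, ip in self.session_list.items() if ip == end_user_ip]
        for f in stale:
            del self.session_list[f]
        return len(stale)

    def receive_alert(self, description: str) -> None:
        self.alerts.append(description)


class GtpFirewall:
    """Firewall between the support nodes; watches GTP-C and signals the Gi firewall."""
    def __init__(self, gi: GiFirewall,
                 clear_policy: Callable[[int, str], bool] = lambda teid, ip: True) -> None:
        self.gi = gi
        self.clear_policy = clear_policy   # claim 12: policy decides whether to request a clear
        self.tunnels: Dict[int, str] = {}  # TEID -> end-user IP

    def observe(self, msg: GtpControlMessage) -> int:
        # Returns how many Gi sessions were cleared because of this message.
        if msg.from_pdn_side:
            # Claim 28: GTP signalling never legitimately comes from the packet data
            # network, so treat it as an attack and alert the Gi firewall (assumed heuristic).
            self.gi.receive_alert(f"GTP-C type {msg.msg_type} from PDN side, teid={msg.teid:#x}")
            return 0
        if msg.msg_type == CREATE_PDP_CONTEXT_RESPONSE:
            self.tunnels[msg.teid] = msg.end_user_ip    # tunnel established
        elif msg.msg_type == DELETE_PDP_CONTEXT_REQUEST:
            ip = self.tunnels.pop(msg.teid, None)       # tunnel torn down
            if ip is not None and self.clear_policy(msg.teid, ip):
                return self.gi.tear_down(ip)            # request a session clear
        return 0


def run_scenario(clear_policy: Callable[[int, str], bool] = lambda teid, ip: True) -> dict:
    """Constructed walk-through: one tunnel, one TCP session, tunnel tear-down, one attack."""
    gi = GiFirewall()
    gtp = GtpFirewall(gi, clear_policy)
    gtp.observe(GtpControlMessage(CREATE_PDP_CONTEXT_RESPONSE, 0x1001, "10.10.0.5"))
    gi.outbound(Packet("10.10.0.5", "203.0.113.10", "tcp", 40000, 443))
    reply = Packet("203.0.113.10", "10.10.0.5", "tcp", 443, 40000)
    before = gi.inbound(reply)                       # session open: reply passes
    cleared = gtp.observe(GtpControlMessage(DELETE_PDP_CONTEXT_REQUEST, 0x1001, "10.10.0.5"))
    after = gi.inbound(reply)                        # session cleared: reply blocked
    gtp.observe(GtpControlMessage(DELETE_PDP_CONTEXT_REQUEST, 0x2002, "10.10.0.9", True))
    return {"before": before, "cleared": cleared, "after": after, "alerts": len(gi.alerts)}
```

`run_scenario()` shows the point of the abstract's last sentence: once the tunnel is gone and the Gi firewall has been told to clear the session, a packet from the packet data network that still matches the old session is no longer passed. Calling `run_scenario(clear_policy=lambda teid, ip: False)` models claim 12 with a policy that declines the clear; the Gi firewall then keeps the stale session and `after` stays true, which is the behaviour a Gi firewall without tear-down messaging would exhibit.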
Specification