METHOD OF SHARING STATE BETWEEN STATEFUL INSPECTION FIREWALLS ON MEP NETWORK
First Claim
1. A method of sharing a state between stateful firewalls on a multiple entry/exit point (MEP) network for data exchange between a server and a client through firewalls physically remote from each other, comprising the steps of:
(a) one of the firewalls receiving a SYN packet sent from the client to the server;
(b) the firewall creating a modified SYN cookie (hereinafter referred to as an m.SYN cookie), modifying the SYN packet using the m.SYN cookie and sending the SYN packet to the server, and the server sending a SYN/ACK packet to the client in response to the SYN packet;
(c) the firewall which has received the SYN/ACK packet extracting a firewall identifier IDfw from the SYN/ACK packet and sending the SYN/ACK packet to the corresponding one of the firewalls, the corresponding firewall searching its state table for the connection information and sending the connection information, together with the SYN/ACK packet, back to the firewall which received the SYN/ACK packet; and
(d) the firewall which has re-received the SYN/ACK packet updating its state table, changing the acknowledgement number of the SYN/ACK packet to the client's Initial Sequence Number plus one (ISNc+1), and sending the SYN/ACK packet to the client.
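The following Python model walks the handshake of claim 1 across two cooperating firewalls. It is an added example written for this page, not the patent's implementation, and everything below the claim's wording is an assumption: the cookie layout (IDfw in the top 8 bits, a 24-bit HMAC tag over the 4-tuple and ISNc in the low bits), a key shared by the firewalls, dict-based packets, a `peers` map from IDfw to firewall, and a `seq_delta` field that the receiving firewall would need to translate sequence numbers on later packets. The owning firewall recomputes the tag from its stored ISNc before exporting connection information, so a forged SYN/ACK carrying a guessed cookie cannot probe or pollute the state tables.

```python
"""Constructed model of the m.SYN cookie state-sharing handshake (claim 1).
Assumptions (not from the patent): cookie = IDfw << 24 | 24-bit HMAC tag,
a shared key between firewalls, dict packets, peers keyed by IDfw."""
import hmac
import hashlib
from dataclasses import dataclass, field

SECRET = b"constructed-demo-key"  # assumption: key shared by the cooperating firewalls
MASK32 = 0xFFFFFFFF


def make_cookie(fw_id, four_tuple, isn_c):
    """m.SYN cookie: IDfw in bits 31..24, truncated HMAC tag in bits 23..0."""
    msg = f"{four_tuple[0]}:{four_tuple[1]}>{four_tuple[2]}:{four_tuple[3]}|{isn_c}".encode()
    tag = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return ((fw_id & 0xFF) << 24) | tag


def cookie_fw_id(cookie):
    """Step (c): recover IDfw from the cookie carried in the SYN/ACK ack number."""
    return (cookie >> 24) & 0xFF


@dataclass
class Firewall:
    fw_id: int
    state: dict = field(default_factory=dict)  # client-side 4-tuple -> connection info

    def handle_syn(self, pkt):
        """Steps (a)+(b): remember the client's ISN, replace it with the m.SYN cookie."""
        ft = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        isn_c = pkt["seq"]
        cookie = make_cookie(self.fw_id, ft, isn_c)
        self.state[ft] = {"isn_c": isn_c, "cookie": cookie, "phase": "SYN_SENT"}
        return dict(pkt, seq=cookie)

    def lookup(self, ft, cookie):
        """Step (c), owning side: verify the cookie against stored ISNc before
        handing connection information to the peer; unknown or forged -> None."""
        info = self.state.get(ft)
        if info is None:
            return None
        expected = make_cookie(self.fw_id, ft, info["isn_c"])
        if not hmac.compare_digest(cookie.to_bytes(4, "big"), expected.to_bytes(4, "big")):
            return None
        return dict(info)

    def handle_syn_ack(self, pkt, peers):
        """Steps (c)+(d), receiving side: fetch state from the owning firewall,
        update the local table, rewrite ack to ISNc+1. Returns None to drop."""
        ft = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])  # client's view
        cookie = (pkt["ack"] - 1) & MASK32
        owner = peers.get(cookie_fw_id(cookie))
        if owner is None:
            return None
        info = owner.lookup(ft, cookie)
        if info is None:
            return None
        info["phase"] = "SYN_RECEIVED"
        # Assumption: later client->server packets need seq shifted by this delta.
        info["seq_delta"] = (cookie - info["isn_c"]) & MASK32
        self.state[ft] = info
        return dict(pkt, ack=(info["isn_c"] + 1) & MASK32)


def run_handshake(isn_c=1000, isn_s=5000):
    """Asymmetric path: SYN leaves via FW 1, SYN/ACK returns via FW 2.
    Constructed addresses; returns (modified SYN, SYN/ACK delivered to client, fw1, fw2)."""
    fw1, fw2 = Firewall(1), Firewall(2)
    peers = {1: fw1, 2: fw2}
    syn = {"src": "10.0.0.5", "sport": 40000, "dst": "192.0.2.10", "dport": 443,
           "flags": "S", "seq": isn_c, "ack": 0}
    syn_mod = fw1.handle_syn(syn)
    syn_ack = {"src": "192.0.2.10", "sport": 443, "dst": "10.0.0.5", "dport": 40000,
               "flags": "SA", "seq": isn_s, "ack": (syn_mod["seq"] + 1) & MASK32}
    delivered = fw2.handle_syn_ack(syn_ack, peers)
    return syn_mod, delivered, fw1, fw2


if __name__ == "__main__":
    syn_mod, delivered, fw1, fw2 = run_handshake()
    print("cookie IDfw:", cookie_fw_id(syn_mod["seq"]))
    print("ack delivered to client:", delivered["ack"])
    print("FW2 state:", fw2.state)
```

Dropping a SYN/ACK whose cookie fails the owner's check is the safe default: the server only ever sees cookies minted by a firewall, so a mismatch means either no such connection exists or someone is guessing.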
1 Assignment
0 Petitions
Abstract
The present invention addresses the problem that connection state cannot be tracked when outgoing and incoming traffic pass through different firewalls on a Multiple Entry/Exit Point (MEP) network, that is, a network with a plurality of entry points. In the present invention, firewalls physically remote from each other share connection information by means of a modified SYN cookie, so that stateful inspection firewalls physically remote from each other can be used even on an MEP network.
128 Citations
10 Claims
Claim 1 is reproduced above under First Claim; dependent claims 2 to 10 are not reproduced on this page.
Specification