METHOD OF SHARING STATE BETWEEN STATEFUL INSPECTION FIREWALLS ON MEP NETWORK

US 20050240989A1
Filed: 04/23/2004
Published: 10/27/2005
Est. Priority Date: 04/23/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method of sharing a state between stateful firewalls on a multiple entry/exit point (MEP) network for data exchange between a server and a client through firewalls physically remote from each other, comprising the steps of:

(a) one of the firewalls receiving an SYN packet sent from the client to the server;

(b) the firewall creating a modified SYN cookie (hereinafter referred to as an m.SYN cookie), modifying the SYN packet using the m.SYN cookie and sending the SYN packet to the server, and the server sending a SYN/ACK packet to the client in response to the SYN packet;

(c) the firewall, which has received the SYN/ACK packet, extracting a firewall identifier ID_fwfrom the SYN/ACK packet and sending the SYN/ACK packet to a corresponding one of the firewalls, the corresponding firewall searching a state table for connection information and sending the connection information, together with the SYN/ACK packet, to the firewall, which has received the SYN/ACK packet; and

(d) the firewall, which has re-received the SYN/ACK packet, updating the state table, changing an acknowledgement number of the SYN/ACK packet to an Initial Sequence Number (ISN_c)+1, and sending the SYN/ACK packet to the client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is devised to solve the problem in which a state cannot be kept track of because an outgoing traffic and an incoming traffic pass through different firewalls on a Multiple Entry/Exit Point (MEP) network having a plurality of entry points. In the present invention, firewalls physically remote from each other can share connection information using a modified SYN cookie, so that stateful inspection firewalls physically remote from each other can be used even on the MEP network.

128 Citations

10 Claims

1. A method of sharing a state between stateful firewalls on a multiple entry/exit point (MEP) network for data exchange between a server and a client through firewalls physically remote from each other, comprising the steps of:
- (a) one of the firewalls receiving an SYN packet sent from the client to the server;
  
  (b) the firewall creating a modified SYN cookie (hereinafter referred to as an m.SYN cookie), modifying the SYN packet using the m.SYN cookie and sending the SYN packet to the server, and the server sending a SYN/ACK packet to the client in response to the SYN packet;
  
  (c) the firewall, which has received the SYN/ACK packet, extracting a firewall identifier ID_fwfrom the SYN/ACK packet and sending the SYN/ACK packet to a corresponding one of the firewalls, the corresponding firewall searching a state table for connection information and sending the connection information, together with the SYN/ACK packet, to the firewall, which has received the SYN/ACK packet; and
  
  (d) the firewall, which has re-received the SYN/ACK packet, updating the state table, changing an acknowledgement number of the SYN/ACK packet to an Initial Sequence Number (ISN_c)+1, and sending the SYN/ACK packet to the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method as set forth in claim 1, wherein the firewalls share a synchronized time counter, which is increased at regular intervals, and a same secret key.
  - 3. The method as set forth in claim 1, wherein the state table includes a difference between the ISN and the m.SYN cookie, and connection information, including a source address, a destination address, a protocol, a source port and a destination port number of the packet.
  - 4. The method as set forth in claim 1, where step (a) further comprises the step of:
    - the firewall, which has received the SYN packet, inspecting the SYN packet according to a preset firewall rule, and performing step (b) if a current connection is a permitted connection, or discarding the SYN packet if the current connection is not the permitted connection.
  - 5. The method as set forth in claim 2, wherein the m.SYN cookie includes upper bits of the ISN of the SYN packet, bits of time indicated by the time counter of the firewall, which creates the m.SYN cookie, at a time of creation of the m.SYN cookie, and bits of an output value of a hash function.
  - 6. The method as set forth in claim 2, wherein the m.SYN cookie includes ISN ₁₇, T₀and Hash₁₃+ID_fw, ISN₁₇being determined by upper 17 bits of the ISN of the SYN packet, T₀being determined by least significant two bits of time indicated by the time counter of the firewall, which creates the m.SYN cookie, at the time of creation of the m.SYN cookie, Hash₁₃being determined by the following Equation:
    - Hash₁₃=Hash(k, sa, sp, da, dp, time_org, ISN_c>
      
      >
      
      15)%2{circumflex over (
      
      )}13 where Hash( ) is an output value of a hash function, k is a secret key, sa is a source address, sp is a source port number, da is a destination address, dp is a destination port number, ISN_c>
      
      >
      
      15 is a value obtained by eliminating lower 15 bits from ISN_c, Hash( )%2{circumflex over (
      
      )}13 is a value of lower 13 bits of the output value of the hash function, time_orgis time indicated by the time counter of the firewall wall, which creates the m.SYN cookie, at the time of creation of the m.SYN cookie
  - 7. The method as set forth in claim 1, wherein step (b) is performed in such a way that the ISN of the SYN packet is replaced with the created m.SYN cookie, and the connection information including the difference between the ISN and the m.SYN cookie is stored in the state table of the firewall.
  - 8. The method as set forth in claim 1, wherein step (c) further comprises the steps of:
    - (c1) extracting the ID_fwfrom the SYN/ACK packet;
      
      (c2) verifying whether the extracted ID_fwis valid;
      
      (c3) comparing the ID_fw, which is verified to be valid at step (c2), with an ID_fwof the firewall, which has received the SYN/ACK packet; and
      
      (c4) if, as a result of the comparison at step (c3), the two ID_fws are identical with each other, searching the state table of the firewall that has received the SYN/ACK packet and modifying the state table and the SYN/ACK packet, or if the ID_fws are different from each other, sending the SYN/ACK packet to the firewall corresponding to the extracted ID_fw.
  - 9. The method as set forth in claim 8, wherein step (c1) is performed in such a way that the m.SYN cookie included in the SYN/ACK packet is extracted, and the ID_fwis extracted from the m.SYN cookie using the following equations.
    ID_fw=(SC−
    - Hash(k, sa, sp, da, dp, time_input, SC>
      
      >
      
      15))%2{circumflex over (
      
      )}13 where SC is the m.SYN cookie included in the SYN/ACK packet, Hash( ) is an output value of a hash function, k is a secret key, sa is a source address, sp is a source port number, da is a destination address, dp is a destination port number, time_inputis time obtained using the following Equation, SC>
      
      >
      
      15 is a value obtained by eliminating lower 15 bits from the SC, and ( )%2{circumflex over (
      
      )}13 is a value of lower 13 bits of the value of ( )
      time_input=time_curr+1((time_curr+1−
      
      T₀)mod4) where time_curris the time indicated by the time counter of the firewall, which verifies the extracted m.SYN cookie, at the time of verification of the extracted m.SYN cookie, and T₀is the least significant two bits of time indicated by the time counter of the firewall, which creates the m.SYN cookie, at the time of creation of the m.SYN cookie.
  - 10. The method as set forth in claim 8, wherein step (c2) is performed in such a way as to compare the extracted ID_fwwith a preset maximum ID_fw, and if the extracted ID_fwis not larger than the preset maximum ID_fw, verifying the extracted ID_fwto be valid, or if the extracted ID_fwis larger than the preset maximum ID_fw, verifying the extracted ID_fwto be invalid.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Seoul National University Industry Foundation (Seoul National University)
Original Assignee
Seoul National University Industry Foundation (Seoul National University)
Inventors
Kim, Jin-Ho, Bahk, Sae-Woong, Lee, Hee-Jo

Application Number

US10/709,255
Publication Number

US 20050240989A1
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 63/0254 Stateful filtering

METHOD OF SHARING STATE BETWEEN STATEFUL INSPECTION FIREWALLS ON MEP NETWORK

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

128 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD OF SHARING STATE BETWEEN STATEFUL INSPECTION FIREWALLS ON MEP NETWORK

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

128 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links