System, method and computer program product for updating the states of a firewall

US 20050268335A1
Filed: 05/26/2005
Published: 12/01/2005
Est. Priority Date: 05/28/2004
Status: Active Grant

First Claim

Patent Images

1. A method for use in managing a communication, comprising:

determining a session identifier that identifies a filtering mechanism to update in a security device;

determining a filter identifier that identifies a filter rule within the filtering mechanism to update;

determining an action to be performed on the filter rule;

determining a value attribute with which to update the filter rule;

generating a message, wherein the message includes the session identifier, the filter identifier, the action, and the value attribute; and

providing the message to the security device to enable a dynamic update of the filtering mechanism that allows a first computing device to communicate with a second computing device while the first computing device changes at least one of a network address, or a port number, wherein at least a portion of the communication is routed to the security device.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The preferred embodiment of the present invention is a method and computer program product that specifies an array of elements to be incorporated into a firewall configuration protocol. When added to the configuration protocol, these added attributes allow the existing packet filtering mechanism to accommodate a terminal device that has moved and received a new IP address in a timely and efficient manner.

Citations

23 Claims

1. A method for use in managing a communication, comprising:
- determining a session identifier that identifies a filtering mechanism to update in a security device;
  
  determining a filter identifier that identifies a filter rule within the filtering mechanism to update;
  
  determining an action to be performed on the filter rule;
  
  determining a value attribute with which to update the filter rule;
  
  generating a message, wherein the message includes the session identifier, the filter identifier, the action, and the value attribute; and
  
  providing the message to the security device to enable a dynamic update of the filtering mechanism that allows a first computing device to communicate with a second computing device while the first computing device changes at least one of a network address, or a port number, wherein at least a portion of the communication is routed to the security device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the message further includes an indication of ownership associated with the first computing device.
  - 3. The method of claim 1, further comprising:
    - providing, with the message, an indication of ownership of the message;
      
      if the first computing device changes at least one of the network address or port number, providing to the security device the indication of ownership.
  - 4. The method of claim 3, wherein the indication of ownership further comprises at least one of a token, a signature, a cryptographically generated address (CGA), or a cookie.
  - 5. The method of claim 1, wherein the security device employs the message to update the filtering mechanism by updating a packet filtering rule, the packet filtering rule enabling at least one of a drop, a pass, or a log action.
  - 6. The method of claim 1, wherein the filtering mechanism employs a policy-based rule.
  - 7. The method of claim 1, wherein the message further comprises at least one of a source IP address, destination IP address, transport protocol, source port number, and a destination port address.
  - 8. The method of claim 1, wherein the action indicates at least one of a substitution of one or more filtering rules, a discarding of an existing filtering rule, or a creation of a new filtering rule.
  - 9. The method of claim 1, wherein the security device is at least one of a firewall or a network address translator.
  - 10. The method of claim 1, wherein the message is further employable to create a network address map.

11. A method for use in managing a communication over a network, comprising:
- determining a plurality of attributes associated with an update to a filter in a security device for use in managing the communication between a first computing device and a second computing device, at least a portion of the communication being routed to the security device;
  
  providing the plurality of attributes to the security device, wherein the security device employs the attributes to dynamically update the filter to further enable the communication while the first computing device changes a network location.
- View Dependent Claims (12)
- - 12. The method of claim 11, wherein the plurality of attributes further comprises at least one of a session identifier that identifies the filter to update, a filter identifier that identifies a filter rule within the filter to update, an action to be performed on the filter rule, and a value attribute with which to update the filter rule.

13. A computer-readable medium encoded with a data structure for use in updating a state of a security device, the data structure comprising:
- a first data field configured to include a session identifier that indicates a set of filters within the security device;
  
  a second data field configured to include a field identifier employable to indicate a packet filter with the set of filters to be updated by an action;
  
  a third data field configured to include the action performable on the packet filter; and
  
  a fourth data field configured to include a value useable to update the indicated packet filter, wherein the data structure is employable by the security device to dynamically update the state.
- View Dependent Claims (14, 15, 16)
- - 14. The computer-readable medium of claim 13, wherein updating the state of the security device enables a first computing device to communicate with a second computing device through the security device while the first computing device changes a network location.
  - 15. The computer-readable medium of claim 13, wherein the data structure further comprises at least one of a source IP address, a destination IP address, a transport protocol, a source port number, or a destination port address, and wherein the data structure further comprises another action indicating at least one of a drop, a pass, or a log of the communication.
  - 16. The computer-readable medium of claim 13, further comprising:
    - a fifth data field configured to include optional information, including at least one of a requirement for another action by the security device, or an ownership identification associated with a first computing device.

17. A computer-readable medium having computer-executable components for use in managing an update to a security device comprising:
- a transceiver for receiving and sending content over the network;
  
  a processor in communication with the transceiver; and
  
  a memory in communication with the processor and for use in storing data and machine instructions that cause the processor to perform a plurality of operations, including;
  
  determining a message, wherein the message comprises;
  
  a session identifier that recognizes a set of filters within the security device, an indicator of a packet filter within the set of filters to update, an action performable on the packet filter; and
  
  a value useable to update the indicated packet filter; and
  
  providing the message to the security device to dynamically update the security device so as to allow a first computing device to communicate with a second computing device while the first computing device changes a network location, the communication being routed to the security device.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The computer-readable medium of claim 17, wherein the first computing device is configured to communicate over a wireless network.
  - 19. The computer-readable medium of claim 17, wherein to allow a first computing device to communicate with a second computing device further comprises at least one of enabling an initial communication or maintaining an existing communication while the dynamic update is performed.
  - 20. The computer-readable medium of claim 17, wherein the computer-readable medium and computer-executable components are included within the first computing device.
  - 21. The computer-readable medium of claim 17, wherein the message further comprises an options field that is configurable to include a proof of ownership that associates the message to the first computing device, and wherein the proof of ownership further comprises at least one of a token, a certificate, a cookie, or a signature.

22. A system for use in updating a state of a security device, comprising:
- a mobile terminal that is configured to perform actions, including;
  
  determining a plurality of attributes associated with an update to the state of the security device to manage a communication between the mobile terminal and a second computing device, at least a portion of the communication being routable to the security device; and
  
  providing a message including the plurality of attributes to the security device; and
  
  the security device being in communication with the mobile terminal and configured to perform actions, including;
  
  receiving the message including the plurality of attributes, employing an enhanced configuration protocol;
  
  verifying an authenticity of the message by confirming that the mobile terminal owns the message; and
  
  if the message is verified, dynamically updating the state based on information within the message including the plurality of attributes, to allow the mobile device to maintain the communication with the other computing device while the mobile device changes a network location and at least a portion of the communication is routed to the security device.

23. An apparatus useable in managing an update to a security device comprising:
- a transceiver for receiving and sending content over the network;
  
  a means for determining a message, wherein the message comprises;
  
  a session identifier indicating a set of filters within the security device, an indicator of a packet filter with the set of filters to update, an action performable on the packet filter; and
  
  a value useable to update the indicated packet filter; and
  
  a means for providing the message to the security device to dynamically update the security device and allow a first computing device to communicate with a second computing device while the first computing device changes a network location, the communication being routed to the security device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trinityeco
Original Assignee
Nokia, Inc. (Nokia Corporation)
Inventors
Faccin, Stefano, Le, Franck

Granted Patent

US 7,877,599 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/13
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0823   using certificates cryptogr...

System, method and computer program product for updating the states of a firewall

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System, method and computer program product for updating the states of a firewall

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links