METHOD AND APPARATUS FOR IMPLEMENTING A LAYER 3/LAYER 7 FIREWALL IN AN L2 DEVICE
First Claim
1. An L2 device in a packet switched communication system, the packet switched communication system having plural zones, each zone representing a distinct security domain and having an associated policy for use in inspecting packets entering/exiting an associated zone, the L2 device comprising:
- at least one port coupled to a terminal unit included in a first security zone;
at least one port coupled to a terminal unit included in a second security zone;
a controller determining for each packet received whether the received packet is destined for another zone;
a firewall engine inspecting and filtering inter-zone packets using a zone specific policy; and
an L2 switching engine immediately transferring to a port all intra-zone packets passing through the L2 device using a table of MAC addresses and corresponding ports, and only transferring to a port inter-zone packets that are retained after the inspection by the firewall engine.
0 Assignments
0 Petitions
Accused Products
Abstract
Methods and apparatus for transferring packets in a packet switched communication system. A system is provided that includes an L2 device including a controller determining for each packet received whether the received packet is to be inspected, an inspection device operable to inspect and filter packets identified by the controller including using a zone specific policy and an L2 controller for transferring inspected packets in accordance with L2 header information using L2 protocols.
87 Citations
2 Claims
-
1. An L2 device in a packet switched communication system, the packet switched communication system having plural zones, each zone representing a distinct security domain and having an associated policy for use in inspecting packets entering/exiting an associated zone, the L2 device comprising:
-
at least one port coupled to a terminal unit included in a first security zone; at least one port coupled to a terminal unit included in a second security zone; a controller determining for each packet received whether the received packet is destined for another zone; a firewall engine inspecting and filtering inter-zone packets using a zone specific policy; and an L2 switching engine immediately transferring to a port all intra-zone packets passing through the L2 device using a table of MAC addresses and corresponding ports, and only transferring to a port inter-zone packets that are retained after the inspection by the firewall engine.
-
-
2-27. -27. (canceled)
Specification
-
- Resources
-
Current AssigneeJuniper Networks Incorporated
-
Original AssigneeJuniper Networks Incorporated
-
InventorsCheung, Lee Chik, Lian, Roger Jia-Jyi, Huang, Guangsong, Mao, Yu Ming
-
Granted Patent
-
Time in Patent OfficeDays
-
Field of Search
-
US Class Current726/13
-
CPC Class CodesH04L 63/02 for separating internal fro...H04L 63/0227 Filtering policies mail mes...H04L 63/04 for providing a confidentia...H04L 63/102 Entity profilesH04L 63/162 at the data link layer
