SYSTEMS AND METHODS FOR IMPLEMENTING A PROTOCOL-AWARE NETWORK FIREWALL

US 20120008624A1
Filed: 09/22/2011
Published: 01/12/2012
Est. Priority Date: 11/08/2005
Status: Active Grant

First Claim

Patent Images

1. (canceled)

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method may include receiving a first packet; determining, in a first processor, whether the first packet meets a criterion to be forwarded to a destination indicated in the first packet; receiving a second packet; determining whether the second packet is of a type for changing the criterion and sending the second packet to a second processor if the second packets is of the type for changing the criterion; receiving instructions, based on the second packet sent to the second processor, to change the criterion; and changing the criterion.

14 Citations

View as Search Results

21 Claims

1. (canceled)

2. A method comprising:
- receiving packets in a first network device;
  
  storing a first table including first criteria, wherein the first criteria identify session initiation packets used to create a session or session termination packets used to terminate the session;
  
  storing a second table including second criteria, wherein the second criteria identify packets in the session created by the session initiation packets;
  
  determining whether each of the received packets meets the first criteria in the first table and transmitting each of the packets determined to meet the first criteria to a second network device; and
  
  determining, only for each of the received packets determined not to meet the first criteria in the first table, whether the received packet meets the second criteria in the second table and transmitting each of the packets determined to meet the second criteria toward a destination.
- View Dependent Claims (3, 4, 5, 6, 7, 8)
- - 3. The method of claim 2, further comprising:
    - receiving instructions, based on the packets sent to the second network device, to change the second criteria in the second table; and
      
      changing the second criteria based on the instructions.
  - 4. The method of claim 3, further comprising:
    - receiving packets in the second network device;
      
      determining whether the packets received in the second network device establish or terminate the session between user devices; and
      
      generating the instructions, based on the determination of whether the packets received in the second network device establish or the terminate session between user devices, andtransmitting the instructions to the first network device for changing the second criteria.
  - 5. The method of claim 4, wherein the type of packet to establish or terminate the session is a Session Initiation Protocol (SIP) packet.
  - 6. The method of claim 5, wherein the second criteria include a source IP address and an associated source port, and a destination IP address and an associated destination port;
    - andwherein the first criteria include a destination IP address and an associated destination port.
  - 7. The method of claim 6, wherein storing the second table includes storing the second table in a Content Addressable Memory (CAM).
  - 8. The method of claim 2, wherein receiving the packets in the first network device includes receiving the packet on a first input port, the method further comprising receiving the instructions on a second input port different than the first input port.

9. A system comprising:
- an input port to receive a packet;
  
  a memory to store criteria for determining whether the packet should be forwarded to a destination on a network, wherein the memory includes a first table including static criteria for determining whether the packet should be forwarded to the destination, and a second table including dynamic criteria for determining whether the packet should be forwarded to the destination;
  
  a processor to determine whether the packet matches the static criteria and, only when the packet does not match the static criteria, to determine whether the packet matches the dynamic criteria; and
  
  an output port to forward the packet to the destination when the packet matches the static criteria or the dynamic criteria.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The system of claim 9, wherein the static criteria identify session initiation packets used to create a session or session termination packets used to terminate the session, and wherein the dynamic criteria identify packets in the session created by the session initiation packets.
  - 11. The system of claim 10, wherein the processor is a first processor, the system further comprising an output port to send the packet to a second processor if the first processor determines that the packet meets the static criteria, wherein the first processor is configured to receive instructions, based on the packet sent to the second processor, to change the dynamic criteria;
    - andwherein the first processor is configured to change the dynamic criteria based on the instructions.
  - 12. The system of claim 11, wherein the session initiation packets or the session termination packets include a Session Initiation Protocol (SIP) INVITE message, a SIP OK message, or a SIP BYE message.
  - 13. The system of claim 12, wherein the static criteria include a destination internet protocol (IP) address and an associated destination port.
  - 14. The system of claim 12, wherein the dynamic criteria include a source IP address and an associated source port, and a destination IP address and an associated destination port.
  - 15. The system of claim 11, further comprising a dedicated input port to receive the instructions.
  - 16. The system of claim 11, further comprising an access control list (ACL) to authenticate a source of the instructions.
  - 17. The system of claim 11, farther comprising a cryptographic authenticator to receive the instructions.

18. A method comprising:
- receiving packets on an input port from a first network comprising a first device;
  
  transmitting packets on an output port to a second network comprising a second device;
  
  storing a first table and a second table in a memory, wherein the first table includes static criteria for determining whether the received packets should be forwarded to destinations, and wherein the second table includes dynamic criteria for determining whether the received packets should be forwarded to destinations;
  
  determining whether each of the received packets matches the static criteria and, only for packets that do not match the static criteria, determining whether one or more of the received packets matches the dynamic criteria;
  
  transmitting the received packets that match the first criteria or the second criteria toward their destinations; and
  
  determining that one or more of the received packets establishes or terminates a session between the first device and the second device and changing the dynamic criteria based on the one or more of the received packets determined to establish or terminate the session between the first device and the second device.
- View Dependent Claims (19, 20, 21)
- - 19. The method of claim 18, further comprising determining, based on the static criteria, whether the one or more of the received packets are of the type to establish or terminate the session between the first device and the second device.
  - 20. The method of claim 19, wherein the type of packet to establish or terminate a session is a Session Initiation Protocol (SIP) packet.
  - 21. The method of claim 20,wherein the static criteria include a destination internet protocol (IP) address and an associated destination port;
    - andwherein the dynamic criteria comprise a source IP address and an associated source port and a destination IP address and an associated destination port.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Services Corporation (Verizon Communications Inc.)
Inventors
Ormazabal, Gaston S., Schulzrinne, Henning G., Yardeni, Eilon, Lennox, Jonathan

Granted Patent

US 9,077,685 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/389
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/029   Firewall traversal, e.g. tu...

H04L 65/1101   Session protocols

H04L 65/1104   Session initiation protocol...

SYSTEMS AND METHODS FOR IMPLEMENTING A PROTOCOL-AWARE NETWORK FIREWALL

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR IMPLEMENTING A PROTOCOL-AWARE NETWORK FIREWALL

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links