System for securing inbound and outbound data packet flow in a computer network
First Claim
1. A method of inspecting inbound and outbound data packets in a computer network, the inspection of said data packets occurring according to a security rule, the method comprising the steps of:
a) generating a definition of each aspect of the computer network inspected by said security rule;
b) generating said security rule in terms of said aspect definitions, said security rule controlling at least one of said aspects;
c) converting said security rule into a set of packet filter language instructions for controlling the operation of a packet filtering module which inspects said data packets;
d) providing a packet filter module coupled to said computer network for inspecting said data packets in accordance with said security rule, said packet filter module implementing a virtual packet filtering machine; and
e) said packet filter module executing said packet filter language instructions for operating said virtual packet filtering machine to either accept or reject the passage of said data packets into and out of said computer network.
Abstract
A filter module allows controlling network security by specifying security rules for traffic in the network and accepting or dropping communication packets according to these security rules. A set of security rules is defined in a high-level form and translated into packet filter code. The packet filter code is loaded into packet filter modules located at strategic points in the network. Each packet transmitted or received at these locations is inspected by performing the instructions in the packet filter code. The result of the packet filter code operation decides whether to accept (pass) or reject (drop) the packet, the latter disallowing the communication attempt.
Claims (12)
Independent claim 1 is set out above under "First Claim"; claims 2 to 7 depend from it.
8. In a security system for inspecting inbound and outbound data packets in a computer network, said security system inspecting said data packets in said computer network according to a security rule, where each aspect of said computer network inspected by said security rule has been previously defined, said security rule previously defined in terms of said aspects and converted into packet filter language instructions, a method for operating said security system comprising the steps of:
a) providing a packet filter module coupled to said computer network in at least one entity of said computer network to be controlled by said security rule, said packet filter module emulating a virtual packet filtering machine inspecting said data packets passing into and out of said computer network;
b) said packet filter module reading and executing said packet filter language instructions for performing packet filtering operations;
c) storing the results obtained in said step of reading and executing said packet filter language instructions in a storage device; and
d) said packet filter module utilizing said stored results, from previous inspections, for operating said packet filter module to accept or reject the passage of said data packet into and out of said computer network.
Claims 9 to 12 depend from claim 8.
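The abstract and claims 1 and 8 describe a pipeline: network aspects are defined, rules are written in terms of them, the rules are compiled into instructions for a virtual packet filtering machine, and that machine keeps the results of earlier inspections so later packets can be judged against them. The following Python model is an added illustration of that pipeline and is not the patent's own code or any vendor's implementation: the aspect objects, the four-tuple rule form, the instruction set (CHECK_STATE, TEST, JF, RECORD, ACCEPT, DROP) and the sample packets are all constructed here for the example, and the addresses are from documentation ranges.

```python
"""Toy model of a compiled, stateful packet filter (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# Step (a) of claim 1: definitions of the network "aspects" rules may name.
# Constructed sample objects; addresses are from documentation ranges.
ASPECTS: Dict[str, Any] = {
    "internal_net": ipaddress.ip_network("192.0.2.0/24"),
    "mail_server": ipaddress.ip_network("198.51.100.25/32"),
    "smtp": ("tcp", 25),
    "dns": ("udp", 53),
    "any": None,  # wildcard matching every value
}

# Step (b): rules written in terms of the aspects; first match decides.
RULES: List[Tuple[str, str, str, str]] = [
    # (source, destination, service, action)
    ("any", "mail_server", "smtp", "accept"),  # inbound mail to the mail host
    ("internal_net", "any", "dns", "accept"),  # internal hosts may resolve names
    ("internal_net", "any", "any", "accept"),  # internal hosts may initiate outbound
    ("any", "any", "any", "drop"),             # everything else is dropped
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


# Step (c): compile the rules into instructions for a hypothetical virtual
# packet filtering machine.  Instruction set (constructed for this example):
#   ("CHECK_STATE",)        accept at once if an earlier inspection opened the flow
#   ("TEST", field, value)  set the flag if the packet field matches value
#   ("JF", target)          jump to instruction index `target` if the flag is clear
#   ("RECORD",)             store the flow in the state table (claim 8, step c)
#   ("ACCEPT",) / ("DROP",) final verdict
def compile_rules(rules, aspects):
    program = [("CHECK_STATE",)]
    for src, dst, svc, action in rules:
        start = len(program)
        tests = [("TEST", "src", aspects[src]),
                 ("TEST", "dst", aspects[dst]),
                 ("TEST", "svc", aspects[svc])]
        # A failed test jumps past this rule: 2 slots per test plus the verdict
        # (accept rules also carry a RECORD instruction).
        next_rule = start + 2 * len(tests) + (2 if action == "accept" else 1)
        for t in tests:
            program.append(t)
            program.append(("JF", next_rule))
        if action == "accept":
            program.append(("RECORD",))
            program.append(("ACCEPT",))
        else:
            program.append(("DROP",))
    program.append(("DROP",))  # implicit default when no rule matched
    return program


class PacketFilterVM:
    """Steps (d)/(e): executes the compiled program for each packet."""

    def __init__(self, program):
        self.program = program
        self.state = set()  # flows accepted by earlier inspections (claim 8, step d)

    @staticmethod
    def _flow(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _test(self, field, value, p):
        if value is None:  # wildcard
            return True
        if field == "src":
            return ipaddress.ip_address(p.src) in value
        if field == "dst":
            return ipaddress.ip_address(p.dst) in value
        if field == "svc":
            proto, port = value
            return p.proto == proto and p.dport == port
        raise ValueError(field)

    def inspect(self, p):
        pc, flag = 0, False
        while True:
            ins = self.program[pc]
            op = ins[0]
            if op == "CHECK_STATE":
                if self._flow(p) in self.state or self._reverse(p) in self.state:
                    return "accept"  # reply or continuation of an accepted flow
                pc += 1
            elif op == "TEST":
                flag = self._test(ins[1], ins[2], p)
                pc += 1
            elif op == "JF":
                pc = ins[1] if not flag else pc + 1
            elif op == "RECORD":
                self.state.add(self._flow(p))
                pc += 1
            elif op in ("ACCEPT", "DROP"):
                return op.lower()
            else:
                raise ValueError(op)


def demo():
    """Run constructed traffic through one VM instance; returns the verdicts."""
    vm = PacketFilterVM(compile_rules(RULES, ASPECTS))
    outbound = Packet("192.0.2.10", "203.0.113.7", "tcp", 40001, 443)
    reply = Packet("203.0.113.7", "192.0.2.10", "tcp", 443, 40001)
    unsolicited = Packet("203.0.113.7", "192.0.2.10", "tcp", 443, 40002)
    mail = Packet("203.0.113.9", "198.51.100.25", "tcp", 5000, 25)
    ssh_in = Packet("203.0.113.9", "198.51.100.25", "tcp", 5001, 22)
    return [vm.inspect(x) for x in (outbound, reply, unsolicited, mail, ssh_in)]


if __name__ == "__main__":
    print(demo())  # ['accept', 'accept', 'drop', 'accept', 'drop']
```

The point the example makes beyond the claim text is the role of the stored results: the reply packet is accepted only because the VM recorded the outbound flow first, while the unsolicited packet on another port, which no rule admits and no earlier inspection opened, falls through to the default drop. A fresh VM that sees the reply before the outbound packet drops it, which is why the state store in claim 8 has to persist across inspections rather than being rebuilt per packet.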
Specification