Controlling passage of packets or messages via a virtual connection or flow

US 5,828,846 A
Filed: 11/22/1995
Issued: 10/27/1998
Est. Priority Date: 11/22/1995
Status: Expired due to Term

First Claim

Patent Images

1. A method for controlling a virtual connection or flow of packets or messages between a device and a network which conforms to a predefined communication protocol, comprising:

examining a packet or message for network protocol information that indicates if the packet or message triggers a step in managing a virtual connection or flow;

if the packet or message triggers a step, identifying the step from the packet or message network protocol information and applying predefined authorization allow and deny rules that indicate whether destination access should be denied to determine whether to permit the step to occur;

if application of the authorization allow and deny rules permit a step that starts a virtual connection or flow, setting up the virtual connection or flow and updating information on the state of virtual connections or flows;

if application of the authorization allow and deny rules permit a step that terminates a virtual connection or flow, terminating the virtual connection or flow and updating information on the state of virtual connections or flows; and

if the packet or message does not trigger a step, permitting the packet or message to pass directly via the virtual connection or flow, without applying the predefined authorization allow and deny rules.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Passage of packets or messages is controlled between a device and a network via a virtual connection or flow which conforms to a predefined communication protocol. In connection with processing a packet or message that triggers a step in managing the virtual connection or flow, predefined authorization rules are applied to determine whether to permit the step to occur. In connection with processing a packet or message that does not trigger a step in managing the virtual connection or flow, the packet or message is permitted to pass directly via the virtual connection or flow, without applying the predefined authorization rules.

Citations

14 Claims

1. A method for controlling a virtual connection or flow of packets or messages between a device and a network which conforms to a predefined communication protocol, comprising:
- examining a packet or message for network protocol information that indicates if the packet or message triggers a step in managing a virtual connection or flow;
  
  if the packet or message triggers a step, identifying the step from the packet or message network protocol information and applying predefined authorization allow and deny rules that indicate whether destination access should be denied to determine whether to permit the step to occur;
  
  if application of the authorization allow and deny rules permit a step that starts a virtual connection or flow, setting up the virtual connection or flow and updating information on the state of virtual connections or flows;
  
  if application of the authorization allow and deny rules permit a step that terminates a virtual connection or flow, terminating the virtual connection or flow and updating information on the state of virtual connections or flows; and
  
  if the packet or message does not trigger a step, permitting the packet or message to pass directly via the virtual connection or flow, without applying the predefined authorization allow and deny rules.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 further comprisingin connection with processing a packet or message, determining whether it is a packet or message that triggers a step in managing the virtual connection or flow, the determination being made only on the basis of information in the packet.
  - 3. The method of claim 1, wherein the authorization allow and deny rules comprise rules that use information specifying time intervals that specify when a rule should apply to determine whether to deny access.
  - 4. The method of claim 1, wherein the authorization allow and deny rules comprise rules that use information specifying types of services allowed to determine whether to deny access.
  - 5. The method of claim 1, wherein the authorization allow and deny rules comprise rules that use information specifying types of authentication to determine whether to deny access.
  - 6. The method of claim 1, wherein the authorization allow and deny rules comprise rules that use alert thresholds to determine whether to deny access.
  - 7. The method of claim 1, wherein the communication protocol comprises a TCP/IP communication protocol.
  - 8. The method of claim 7, wherein the triggering steps comprise TCP/IP packet types of at least one of the following:
    - SYN, FIN, and RST.
  - 9. The method of claim 1, further comprising maintaining information on the state of virtual connections.
  - 10. The method of claim 1, wherein the authorization allow and deny rules include rules that check a destination field in the packet against stored permitted destinations.
  - 11. The method of claim 1, wherein the authorization allow and deny rules include rules that check services that are permitted to be supplied for a source/destination pair.
  - 12. The method of claim 1, wherein the authorization allow and deny rules include specification of alert thresholds.
  - 13. The method of claim 1 also including logging information about packets as they are processed.
  - 14. The method of claim 13, wherein the logged information comprises a source address, a destination address, a sequence number, and an amount of data transferred.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.), Orange S.A.
Original Assignee
Raptor Systems Inc. (Gen Digital Inc.)
Inventors
Nadkarni, Ashok P., Kirby, Alan J.
Primary Examiner(s)
SHAH, ALPESH

Application Number

US08/561,790
Time in Patent Office

1,070 Days
Field of Search

395/200.01, 395/200.12, 395/200.15, 395/840-841, 395/853-855, 395/200.3, 395/200.57, 395/200.68, 370/218, 370/252, 370/397, 370/399, 370/254, 370/402, 370/409, 370/464, 370/351, 340/825, 340/825.03, 340/826, 380/3, 380/4, 711/163, 711/164
US Class Current

709/238
CPC Class Codes

H04L 63/0263   Rule management

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/22   Parsing or analysis of headers

H04L 9/40   Network security protocols

Controlling passage of packets or messages via a virtual connection or flow

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling passage of packets or messages via a virtual connection or flow

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links