Methods and apparatus for a computer network firewall with stateful packet filtering
First Claim
1. A method for packet validation in a computer network firewall, comprising the steps of:
storing in a cache:
(i) a result of applying at least a portion of a rule set to a given packet of a network session; and
(ii) at least one hardware address associated with the given packet;
utilizing the stored result to process at least one subsequent packet having a characteristic similar to that of the given packet, wherein a session key associated with the subsequent packet is used to retrieve the stored result from said cache; and
determining a destination of the subsequent packet, depending on a result associated with the processing of the subsequent packet, using the at least one hardware address stored in said cache.
Abstract
The invention provides improved computer network firewalls which include one or more features for increased processing efficiency. A firewall in accordance with the invention can support multiple security policies, multiple users or both, by applying any one of several distinct sets of access rules. The firewall can also be configured to utilize "stateful" packet filtering which involves caching rule processing results for one or more packets, and then utilizing the cached results to bypass rule processing for subsequent similar packets. To facilitate passage to a user, by a firewall, of a separate later transmission which is properly in response to an original transmission, a dependency mask can be set based on session data items such as source host address, destination host address, and type of service. The mask can be used to query a cache of active sessions being processed by the firewall, such that a rule can be selected based on the number of sessions that satisfy the query. Dynamic rules may be used in addition to pre-loaded access rules in order to simplify rule processing. To unburden the firewall of application proxies, the firewall can be enabled to redirect a network session to a separate server for processing.
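An added illustration, not code from the patent itself: a Python model of the stateful cache described above, in which the rule-set verdict and the hardware addresses of a session's first packet are cached under a direction-independent session key, so later packets (including replies) bypass rule processing and are forwarded to the cached hardware address. The IP addresses, MACs and rules are constructed sample values, and state is created only for accepted sessions, a simplification of the abstract.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # IP endpoints and ports (constructed sample values)
    dst: str
    proto: str
    sport: int
    dport: int
    src_mac: str    # hardware addresses taken from the frame header
    dst_mac: str


# Constructed rule set: (source prefix, destination, proto, dport, verdict); first match wins.
RULES = [
    ("10.0.0.", "192.0.2.10", "tcp", 443, "allow"),
    ("10.0.0.", "192.0.2.10", "tcp", 22, "deny"),
]


class StatefulFilter:
    def __init__(self):
        self.sessions = {}         # session key -> cached entry for an accepted session
        self.rule_evaluations = 0  # counts full rule-set passes, to make the bypass visible

    @staticmethod
    def session_key(p):
        # Direction-independent key: a reply retrieves the entry its request created.
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, ends[0], ends[1])

    def evaluate_rules(self, p):
        self.rule_evaluations += 1
        for src_prefix, dst, proto, dport, verdict in RULES:
            if (p.src.startswith(src_prefix) and p.dst == dst
                    and p.proto == proto and p.dport == dport):
                return verdict
        return "deny"  # default deny when no rule matches

    def process(self, p):
        """Return (verdict, hardware address to forward the packet to)."""
        key = self.session_key(p)
        entry = self.sessions.get(key)
        if entry is None:
            if self.evaluate_rules(p) != "allow":
                return "deny", None  # only accepted sessions create cache state
            # Cache the verdict with both hardware addresses seen on the first packet.
            entry = {p.src: p.src_mac, p.dst: p.dst_mac}
            self.sessions[key] = entry
        # Cache hit: no rule processing; the destination is the cached address for p.dst,
        # which is the next hop for same-direction packets and the originator for replies.
        return "allow", entry[p.dst]
```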
16 Claims
1. A method for packet validation in a computer network firewall, comprising the steps of:
storing in a cache:
(i) a result of applying at least a portion of a rule set to a given packet of a network session; and
(ii) at least one hardware address associated with the given packet;
utilizing the stored result to process at least one subsequent packet having a characteristic similar to that of the given packet, wherein a session key associated with the subsequent packet is used to retrieve the stored result from said cache; and
determining a destination of the subsequent packet, depending on a result associated with the processing of the subsequent packet, using the at least one hardware address stored in said cache.
(Dependent claims: 2, 3, 4)

5. An apparatus for use in validating a packet in a firewall of a computer network, comprising:
a memory for storing a cache containing:
(i) a result of applying at least a portion of a rule set to a given packet of a network session; and
(ii) at least one hardware address associated with the given packet; and
a processor coupled to the memory, wherein the processor is operative to utilize the stored result to process at least one subsequent packet having a characteristic similar to that of the given packet, wherein a session key associated with the subsequent packet is used to retrieve the stored result from said cache, and wherein the processor is further operative to determine a destination of the subsequent packet, depending on a result associated with the processing of the subsequent packet, using the at least one hardware address stored in said cache.
(Dependent claims: 6, 7, 8)

9. A computer system for packet validation in a computer network, comprising:
means for storing in a cache:
(i) a result of applying at least a portion of a rule set to a given packet of a network session; and
(ii) at least one hardware address associated with the given packet;
means for utilizing the stored result to process at least one subsequent packet having a characteristic similar to that of the given packet, wherein a session key associated with the subsequent packet is used to retrieve the stored result from said cache; and
means for determining a destination of the subsequent packet, depending on a result associated with the processing of the subsequent packet, using the at least one hardware address stored in said cache.
(Dependent claims: 10, 11, 12)

13. A computer system for packet validation in a computer network, comprising a processor which is instructed for:
storing in a cache:
(i) a result of applying at least a portion of a rule set to a given packet of a network session; and
(ii) at least one hardware address associated with the given packet;
utilizing the stored result to process at least one subsequent packet having a characteristic similar to that of the given packet, wherein a session key associated with the subsequent packet is used to retrieve the stored result from said cache; and
determining a destination of the subsequent packet, depending on a result associated with the processing of the subsequent packet, using the at least one hardware address stored in said cache.
(Dependent claims: 14, 15, 16)

Specification