Methods and apparatus for a computer network firewall with cache query processing

US 6,170,012 B1
Filed: 09/12/1997
Issued: 01/02/2001
Est. Priority Date: 09/12/1997
Status: Expired due to Term

First Claim

Patent Images

1. A method for packet validation in a computer network firewall, comprising the steps of:

obtaining a session key for a packet of a given network session;

processing a query portion of a rule, when a match with said session key is not found in a cache containing information about packets associated with one or more other network sessions which were previously processed by said firewall thereby indicating that the packet from which the session key is obtained is not from the one or more other network sessions, the query portion specifying a query to said cache to determine whether at least a portion of information associated with the packet of the given network session substantially matches at least a portion of information associated with at least one packet associated with the one or more other network sessions contained in said cache; and

processing an action portion of said rule as a function of a result of said query to said cache.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides improved computer network firewalls which include one or more features for increased processing efficiency. A firewall in accordance with the invention can support multiple security policies, multiple users or both, by applying any one of several distinct sets of access rules. The firewall can also be configured to utilize “stateful” packet filtering which involves caching rule processing results for one or more packets, and then utilizing the cached results to bypass rule processing for subsequent similar packets. To facilitate passage to a user, by a firewall, of a separate later transmission which is properly in response to an original transmission, a dependency mask can be set based on session data items such as source host address, destination host address, and type of service. The mask can be used to query a cache of active sessions being processed by the firewall, such that a rule can be selected based on the number of sessions that satisfy the query. Dynamic rules may be used in addition to pre-loaded access rules in order to simplify rule processing. To unburden the firewall of application proxies, the firewall can be enabled to redirect a network session to a separate server for processing.

218 Citations

13 Claims

1. A method for packet validation in a computer network firewall, comprising the steps of:
- obtaining a session key for a packet of a given network session;
  
  processing a query portion of a rule, when a match with said session key is not found in a cache containing information about packets associated with one or more other network sessions which were previously processed by said firewall thereby indicating that the packet from which the session key is obtained is not from the one or more other network sessions, the query portion specifying a query to said cache to determine whether at least a portion of information associated with the packet of the given network session substantially matches at least a portion of information associated with at least one packet associated with the one or more other network sessions contained in said cache; and
  
  processing an action portion of said rule as a function of a result of said query to said cache.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein said match is successfully achieved by an identical match.
  - 3. The method of claim 1 wherein said match is successfully achieved by a substantial match.
  - 4. The method of claim 1 wherein the step of processing a query portion comprises the step of counting network sessions, other than the given network session, which satisfy a condition, and comparing the count with a pre-specified number.
  - 5. The method of claim 1 wherein the step of processing a query portion comprises the step of using session key data in a table look-up.
  - 6. The method of claim 1 wherein said step of processing a query portion employs a dependency mask to specify at least a portion of a query.

7. An apparatus for use in validating a packet in a firewall of a computer network, comprising:
- a processor operative (i) to obtain a session key for a packet of a given network session, (ii) to process a query portion of a rule, when a match with said session key is not found in a cache containing information about packets associated with one or more other network sessions which were previously processed by said firewall thereby indicating that the packet for which the session key is obtained is not from the one or more other network sessions, the query portion specifying a query to said cache to determine whether at least a portion of information associated with the packet of given network session substantially matches at least a portion of information associated with at least one packet associated with the one or more other network sessions contained in said cache, and (iii) to process an action portion of said rule as a function of a result of said query to said cache; and
  
  a memory, coupled to the processor, for storing said cache.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus of claim 7 wherein said match is successfully achieved by an identical match.
  - 9. The apparatus of claim 7 wherein said match is successfully achieved by a substantial match.
  - 10. The apparatus of claim 7 wherein the processor is operative to process the query portion by counting network sessions, other than the given network session, which satisfy a condition, and comparing the count with a pre-specified number.
  - 11. The apparatus of claim 7 wherein the processor is operative to process the query portion by using session key data in a table look-up.
  - 12. The apparatus of claim 7 wherein the processing of the query portion employs a dependency mask to specify at least a portion of a query.

13. A method for packet validation in a computer network firewall, comprising the steps of:
- obtaining a session key for a packet of a network session;
  
  processing a dependency mask associated with a rule, when a match with said session key is not found in a cache containing information about packets associated with one or more other network sessions which were previously processed by said firewall thereby indicating that the packet from which the session key is obtained is not from the one or more other network sessions, the dependency mask defining a query to said cache to determine whether at least a portion of information associated with the packet of the given network session substantially matches at least a portion of information associated with at least one packet associated with the one or more other network sessions contained in said cache; and
  
  processing an action portion of the rule as a function of a result of said query to the cache.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lucent Technologies, Inc. (Nokia Corporation)
Original Assignee
Lucent Technologies, Inc. (Nokia Corporation)
Inventors
Sharp, Ronald L., Coss, Michael John, Majette, David L.
Primary Examiner(s)
Maung, Zarni
Assistant Examiner(s)
Cardone, Jason D.

Application Number

US08/928,795
Time in Patent Office

1,208 Days
Field of Search

711/118, 711/125, 711/126, 711/128, 709/218, 709/225, 709/227, 709/228, 709/229, 713/200, 713/201, 713/202, 340/825, 340/825.31
US Class Current

709/229
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/0281   Proxies

H04L 9/40   Network security protocols

Methods and apparatus for a computer network firewall with cache query processing

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

218 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for a computer network firewall with cache query processing

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

218 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links