Access control for networks

US 6,219,706 B1
Filed: 10/16/1998
Issued: 04/17/2001
Est. Priority Date: 10/16/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method, implemented on a dedicated network device which receives and transmits network traffic, for limiting access to a local network, the method comprising:

receiving a packet at the network device;

identifying an application associated with the packet;

determining whether to examine the payload of the packet based on whether certain conditions are met; and

examining the packet payload based on the determination.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An access control system (a firewall) controls traffic to and from a local network. The system is implemented on a dedicated network device such as a router positioned between a local network and an external network, usually the Internet, or between one or more local networks. In this procedure, access control items are dynamically generated and removed based upon the context of an application conversation. Specifically, the system dynamically allocates channels through the firewall based upon its knowledge of the type of applications and protocol (context) employed in the conversation involving a node on the local network. Further, the system may selectively examine packet payloads to determine when new channels are about to be opened. In one example, the firewall employs different rules for handling SMTP (e-mail using a single channel having a well-known port number) sessions, FTP sessions (file transfer using a single control channel having a well known port number and using one or more data channels having arbitrary port numbers), and H.323 (video conferencing using multiple control channels and multiple data channels, which use arbitrary port numbers) sessions.

650 Citations

37 Claims

1. A method, implemented on a dedicated network device which receives and transmits network traffic, for limiting access to a local network, the method comprising:
- receiving a packet at the network device;
  
  identifying an application associated with the packet;
  
  determining whether to examine the payload of the packet based on whether certain conditions are met; and
  
  examining the packet payload based on the determination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein determining whether to examine the payload comprises determining whether the payload may contain an intrusion signature.
  - 3. The method of claim 1, wherein determining whether to examine the payload comprises determining whether the packet is an FTP packet, an RPC packet, a TFTP packet, or a SMTP packet;
    - and
4. The method of claim 1, wherein determining whether to examine the payload comprises determining whether an additional channel of unknown port number may be opened.
5. The method of claim 4, wherein examining the packet payload comprises examining the payload to identify a port negotiation command.
6. The method of claim 5, further comprising modifying the network device to allow packets associated with the additional channel to pass.
7. The method of claim 6, wherein the packets are allowed to pass by dynamically modifying an access control list to create a path for the additional channel.
8. The method of claim 1, further comprising:
- examining the packet'"'"'s header; and
  
  determining whether information in the packet header corresponds to an access control item.
9. The method of claim 8, further comprising dynamically adjusting a list of access control items based upon examination of the packet payload.
10. The method of claim 1, further comprising:
- identifying a session associated with the packet;
  
  determining whether the packet has been received after a predetermined time out period has elapsed since the last packet of the session was received; and
  
  if the predetermined time out period has elapsed, rejecting the packet.

11. A computer program product comprising a computer readable medium on which is stored program instructions for a method, implemented on a dedicated network device which receives and transmits network traffic, the method limiting access to a local network, and comprising:
- receiving a packet at a network device;
  
  identifying an application associated with the packet;
  
  determining whether to examine the payload of the packet based on whether certain conditions are met; and
  
  examining the packet payload based on the determination.
- View Dependent Claims (12, 13)
- - 12. The computer program product of claim 11, wherein the instructions for determining whether to examine the payload comprise instructions for determining whether an additional channel of unknown port number may be opened in the application associated with the packet.
  - 13. The computer program product of claim 11, wherein the program instructions further specify:

14. A dedicated network device which receives and transmits network traffic and capable of controlling access to a local network, the network device comprising:
- multiple interfaces configured to connect with distinct networks or network segments;
  
  a memory or memories configured to store (i) one or more access control criteria for allowing or disallowing a packet based upon header information and (ii) information specifying an application conversation; and
  
  a processor configured to compare packet header information with the access control criteria and could determine whether to examine packet payloads based upon the context of the application conversation.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The network device of claim 14, wherein the network device is a router or a switch.
  - 16. The network device of claim 14, wherein the memory is configured to store the access control criteria in the form of an access control list.
  - 17. The network device of claim 14, wherein the memory is configured to store the state of at least one of a TCP session and a UDP session.
  - 18. The network device of claim 14, wherein the memory is configured with information specifying the context of an application conversation indicating whether a side channel may be opened for the application.
  - 19. The network device of claim 14, wherein the processor is configured to examine packet payloads when context information in the memory indicates that a side channel may be opened.
  - 20. The network device of claim 19, wherein the processor is configured to dynamically modify the access control criteria when a new side channel opens.
  - 21. The network device of claim 14, further comprising an operating system controlling the network device to perform functions necessary to control access to the local network and route network traffic.
  - 22. The network device of claim 14, wherein the network device comprises at least two processors, at least one of which is associated with one of the multiple interfaces.

23. A method implemented on a computer or dedicated network device for controlling access to a local network, the method comprising:
- receiving a packet;
  
  determining whether the packet possesses a predefined source or destination address or port;
  
  determining whether the packet meets criteria for a current state of a TCP or UDP session with which it is associated;
  
  determining whether to examine the packet'"'"'s payload based on whether certain conditions are met; and
  
  examining the packet'"'"'s payload based on the determination.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 24. The method of claim 23, further comprising determining whether the packet sequence number falls within a defined sequence window.
  - 25. The method of claim 23, further comprising;
26. The method of claim 23, wherein determining whether the packet possesses the predetermined source or destination address or port comprises matching information in the packet header against information in an access control list.
27. The method of claim 23, wherein determining whether the packet meets criteria for a current state comprises determining whether any state transition associated with a TCP or UDP session follows an expected sequence of state transitions.
28. The method of claim 23, wherein determining whether to examine the payload comprises determining whether the payload may contain an intrusion signature.
29. The method of claim 23, wherein determining whether to examine the payload comprises determining whether the packet is an FTP packet, an RPC, a TFTP packet, or a SMTP packet;
- andwherein examining the packet payload identifies the presence or absence of an intrusion signature.
30. The method of claim 23, wherein determining whether to examine the payload comprises determining whether an additional channel of unkown port number may be opened.
31. The method of claim 30, wherein examining the packet payload comprises examining the payload to identify a port negotiation command.
32. The method of claim 31, further comprising modifying the network device to allow packets associated with the additional channel to pass.
33. The method of claim 32, wherein the packets are allowed to pass by dynamically modifying an access control list to create a path for the additional channel.
34. The method of claim 31, wherein the packet initiates a new session, the method further comprising:
- creating a state entry for the new session; and
  
  creating one or more access control items allowing passage of packets from a node identified in the packet initiating the new session.

35. A computer program product comprising a computer readable medium on which are stored computer program instructions for a method of controlling access to a local network, the computer program instructions specifying;
- receiving a packet;
  
  determining whether the packet possesses a predefined source or destination address or port;
  
  determining whether the packet meets criteria for a current state of a TCP or UDP session with which it is associated;
  
  determining whether to examine the packet'"'"'s payload based on whether certain conditions are met; and
  
  examining the packet'"'"'s payload based on the determination.
- View Dependent Claims (36, 37)
- - 36. The computer program product of claim 35, wherein the instructions for determining whether the packet meets criteria for the current state comprises instructions for determining whether any state transition associated with the TCP or UDP session follows an expected sequence of state transitions.
  - 37. The computer program product of claim 35, wherein the program instructions further specify;

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Truong, Steve, Fan, Serene
Primary Examiner(s)
Maung, Zarni

Application Number

US09/174,200
Time in Patent Office

914 Days
Field of Search

709/225, 709/232, 709/229, 709/220, 709/217, 709/250, 713/201
US Class Current

709/225
CPC Class Codes

H04L 63/0254 Stateful filtering

Access control for networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

650 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Access control for networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

650 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links