Access control for networks
First Claim
1. A method, implemented on a dedicated network device which receives and transmits network traffic, for limiting access to a local network, the method comprising:
receiving a packet at the network device;
identifying an application associated with the packet;
determining whether to examine the payload of the packet based on whether certain conditions are met; and
examining the packet payload based on the determination.
Abstract
An access control system (a firewall) controls traffic to and from a local network. The system is implemented on a dedicated network device such as a router positioned between a local network and an external network, usually the Internet, or between one or more local networks. In this procedure, access control items are dynamically generated and removed based upon the context of an application conversation. Specifically, the system dynamically allocates channels through the firewall based upon its knowledge of the type of applications and protocol (context) employed in the conversation involving a node on the local network. Further, the system may selectively examine packet payloads to determine when new channels are about to be opened. In one example, the firewall employs different rules for handling SMTP (e-mail using a single channel having a well-known port number) sessions, FTP sessions (file transfer using a single control channel having a well known port number and using one or more data channels having arbitrary port numbers), and H.323 (video conferencing using multiple control channels and multiple data channels, which use arbitrary port numbers) sessions.
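The following toy model is an added example, not code from the patent: it shows the abstract's mechanism for active FTP, where payload inspection of the control channel (port 21) finds a PORT command and dynamically adds an access control item for the negotiated data channel, while a session timeout rejects stale packets. The addresses, the 60-second timeout and the ACL shape are constructed assumptions; the PORT syntax is the RFC 959 one.

```python
# Added example: toy model of the context-aware firewall described above.
# Assumed setup (constructed): local FTP client 10.0.0.5, external server 203.0.113.7.
import re
from collections import namedtuple

FTP_CTRL = 21
TIMEOUT = 60.0  # seconds; constructed value, the patent leaves the period unspecified
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")  # RFC 959 PORT command

# src/dst are IPv4 strings, ports ints, payload bytes, ts arrival time in seconds
Packet = namedtuple("Packet", "src sport dst dport payload ts")

class Firewall:
    def __init__(self):
        # static access control items: (src, dst, dport); None is a wildcard
        self.acl = {("10.0.0.5", "203.0.113.7", FTP_CTRL)}
        self.sessions = {}  # (src, sport, dst, dport) -> time of last packet

    def _matches_acl(self, p):
        return any(s in (None, p.src) and d in (None, p.dst) and dp in (None, p.dport)
                   for s, d, dp in self.acl)

    def _open_channel(self, p):
        # payload inspection: on an FTP PORT command, add an ACL item for the data channel
        m = PORT_RE.search(p.payload)
        if not m:
            return None
        a = [int(x) for x in m.groups()]
        host, port = ".".join(map(str, a[:4])), a[4] * 256 + a[5]
        self.acl.add((p.dst, host, port))  # the server side will connect to host:port
        return host, port

    def handle(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        last = self.sessions.get(key)
        if last is not None and p.ts - last > TIMEOUT:  # claim 10: stale session
            del self.sessions[key]
            return "reject: session timed out"
        if not self._matches_acl(p):  # claim 8: header checked against access control items
            return "reject: no access control item"
        self.sessions[key] = p.ts
        # only FTP control traffic may negotiate a channel of unknown port (claims 4-7)
        if FTP_CTRL in (p.sport, p.dport):
            ch = self._open_channel(p)
            if ch:
                return f"accept: opened data channel to {ch[0]}:{ch[1]}"
        return "accept"
```

The data channel item is added only after the control packet itself passed the static ACL, so a PORT command arriving on an unauthorised connection never opens anything.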
37 Claims
1. A method, implemented on a dedicated network device which receives and transmits network traffic, for limiting access to a local network, the method comprising:
receiving a packet at the network device;
identifying an application associated with the packet;
determining whether to examine the payload of the packet based on whether certain conditions are met; and
examining the packet payload based on the determination.

wherein examining the packet payload identifies the presence or absence of an intrusion signature.

4. The method of claim 1, wherein determining whether to examine the payload comprises determining whether an additional channel of unknown port number may be opened.

5. The method of claim 4, wherein examining the packet payload comprises examining the payload to identify a port negotiation command.

6. The method of claim 5, further comprising modifying the network device to allow packets associated with the additional channel to pass.

7. The method of claim 6, wherein the packets are allowed to pass by dynamically modifying an access control list to create a path for the additional channel.

8. The method of claim 1, further comprising:
examining the packet's header; and
determining whether information in the packet header corresponds to an access control item.

9. The method of claim 8, further comprising dynamically adjusting a list of access control items based upon examination of the packet payload.

10. The method of claim 1, further comprising:
identifying a session associated with the packet;
determining whether the packet has been received after a predetermined time out period has elapsed since the last packet of the session was received; and
if the predetermined time out period has elapsed, rejecting the packet.
11. A computer program product comprising a computer readable medium on which is stored program instructions for a method, implemented on a dedicated network device which receives and transmits network traffic, the method limiting access to a local network, and comprising:
receiving a packet at a network device;
identifying an application associated with the packet;
determining whether to examine the payload of the packet based on whether certain conditions are met; and
examining the packet payload based on the determination.

identifying a session associated with the packet;
determining whether the packet has been received after a predetermined time out period has elapsed since the last packet of the session was received; and
if the predetermined time out period has elapsed, rejecting the packet.
14. A dedicated network device which receives and transmits network traffic and is capable of controlling access to a local network, the network device comprising:
multiple interfaces configured to connect with distinct networks or network segments;
a memory or memories configured to store (i) one or more access control criteria for allowing or disallowing a packet based upon header information and (ii) information specifying an application conversation; and
a processor configured to compare packet header information with the access control criteria and to determine whether to examine packet payloads based upon the context of the application conversation.
23. A method implemented on a computer or dedicated network device for controlling access to a local network, the method comprising:
receiving a packet;
determining whether the packet possesses a predefined source or destination address or port;
determining whether the packet meets criteria for a current state of a TCP or UDP session with which it is associated;
determining whether to examine the packet's payload based on whether certain conditions are met; and
examining the packet's payload based on the determination.

determining whether the packet has been received after a predetermined timeout period has elapsed since the last packet of the session was received; and
if the predetermined timeout period has elapsed, rejecting the packet.

26. The method of claim 23, wherein determining whether the packet possesses the predetermined source or destination address or port comprises matching information in the packet header against information in an access control list.

27. The method of claim 23, wherein determining whether the packet meets criteria for a current state comprises determining whether any state transition associated with a TCP or UDP session follows an expected sequence of state transitions.

28. The method of claim 23, wherein determining whether to examine the payload comprises determining whether the payload may contain an intrusion signature.

29. The method of claim 23, wherein determining whether to examine the payload comprises determining whether the packet is an FTP packet, an RPC, a TFTP packet, or an SMTP packet; and
wherein examining the packet payload identifies the presence or absence of an intrusion signature.

30. The method of claim 23, wherein determining whether to examine the payload comprises determining whether an additional channel of unknown port number may be opened.

31. The method of claim 30, wherein examining the packet payload comprises examining the payload to identify a port negotiation command.

32. The method of claim 31, further comprising modifying the network device to allow packets associated with the additional channel to pass.

33. The method of claim 32, wherein the packets are allowed to pass by dynamically modifying an access control list to create a path for the additional channel.

34. The method of claim 31, wherein the packet initiates a new session, the method further comprising:
creating a state entry for the new session; and
creating one or more access control items allowing passage of packets from a node identified in the packet initiating the new session.
35. A computer program product comprising a computer readable medium on which are stored computer program instructions for a method of controlling access to a local network, the computer program instructions specifying:
receiving a packet;
determining whether the packet possesses a predefined source or destination address or port;
determining whether the packet meets criteria for a current state of a TCP or UDP session with which it is associated;
determining whether to examine the packet's payload based on whether certain conditions are met; and
examining the packet's payload based on the determination.

determining whether the packet initiates a new session;
creating a state entry for the new session; and
creating one or more access control items allowing passage of packets from a node identified in the packet initiating the new session.