System and method for providing peer level access control on a network
Abstract
A system and method for providing peer-level access control on networks that carry packets of information, each packet having a 5-tuple comprising a source and destination address, a source and destination port, and a protocol identifier. The local rule base of a peer is dynamically loaded into a filter when the peer is authenticated, and ejected when the peer loses authentication. The local rule base is efficiently searched through the use of hash tables, wherein a hashed peer network address serves as a pointer to the peer's local rules. Each rule comprises a 5-tuple and an action. The action of a rule is carried out on a packet when the 5-tuple of the rule corresponds to the 5-tuple of the packet.

17 Claims
1. A filter for providing peer level access control on a network having a peer with a local rule base, wherein said filter comprises:

a. means for accessing a peer's local rule base;
b. means for detecting when the peer is authenticated;
c. means for loading a rule from the peer's local rule base at the filter when the authentication of the peer is detected;
d. means for receiving a packet having a packet identifier, identifying a corresponding local rule, and carrying out the action of the corresponding local rule on the packet while said filter is filtering packets for the peer, and
e. a global pre-rule base having a global pre-rule, wherein upon receiving the packet, said filter first searches said global pre-rule base for a rule that corresponds to the packet and carries out the action of the corresponding global pre-rule on the packet, and wherein if no corresponding global pre-rule is identified, the filter searches the local rule base for a rule that corresponds to the packet and carries out the action of the corresponding local rule on the packet.

2. The filter of claim 1, further comprising:

f. means for detecting when the peer logs off; and
g. means for ejecting said local rule base from said filter upon detecting that the peer has logged off.

3. The filter of claim 1, wherein the packet identifier comprises a source and destination address, a source and destination port, and a protocol identifier.

4. The filter of claim 1, wherein said means for accessing the local rule base comprises receiving and storing the local rule base.

5. The filter of claim 1, further comprising means for authenticating the peer.
6. A filter for providing peer level access control on a network having a peer with a local rule base, wherein said filter comprises:

a. means for accessing a peer's local rule base;
b. means for detecting when the peer is authenticated;
c. means for loading a rule from the peer's local rule base at the filter when the authentication of the peer is detected;
d. means for receiving a packet having a packet identifier, identifying a corresponding local rule, and carrying out the action of the corresponding local rule on the packet while said filter is filtering packets for the peer, and
e. a global post-rule base, wherein the global post-rule base is searched for a rule that corresponds to the packet, and the action of a global post-rule is carried out if it corresponds to the packet only if no corresponding rule in said global pre-rule base and no corresponding rule in said local rule base are identified.

7. The filter of claim 6, further comprising:

f. means for detecting when the peer logs off; and
g. means for ejecting said local rule base from said filter upon detecting that the peer has logged off.

8. The filter of claim 6, wherein the packet identifier comprises a source and destination address, a source and destination port, and a protocol identifier.

9. The filter of claim 6, wherein said means for accessing the local rule base comprises receiving and storing the local rule base.

10. The filter of claim 6, further comprising means for authenticating the peer.
11. A filter for providing peer level access control on a network having a peer with a local rule base, wherein said filter comprises:

a. means for accessing a peer's local rule base;
b. means for detecting when the peer is authenticated;
c. means for loading a rule from the peer's local rule base at the filter when the authentication of the peer is detected;
d. means for receiving a packet having a packet identifier, identifying a corresponding local rule, and carrying out the action of the corresponding local rule on the packet while said filter is filtering packets for the peer, and
e. a default rule, wherein if no corresponding pre-global rule and no corresponding local rule and no corresponding post-global rule are identified, said filter carries out the action of said default rule if said default rule corresponds to the packet, and generates an error condition if said default rule does not correspond to the packet.

12. The filter of claim 11, further comprising:

f. means for detecting when the peer logs off; and
g. means for ejecting said local rule base from said filter upon detecting that the peer has logged off.

13. The filter of claim 11, wherein the packet identifier comprises a source and destination address, a source and destination port, and a protocol identifier.

14. The filter of claim 11, wherein said means for accessing the local rule base comprises receiving and storing the local rule base.

15. The filter of claim 11, further comprising means for authenticating the peer.
16. A method for providing peer-level access control on a network with a peer, said method comprising:

a. receiving a packet having a packet identifier;
b. searching a global pre-rule base and identifying a global pre-rule that corresponds to the packet;
c. carrying out the action of a global pre-rule if the global pre-rule corresponds to the packet;
d. loading a local rule base of a peer when the peer is authenticated;
e. if no corresponding global pre-rule is found in the global pre-rule base, searching the local rule base, identifying a local rule that corresponds to the packet, and carrying out the action of a local rule if the local rule corresponds to the packet;
f. ejecting the local rule base from the filter;
g. if no corresponding global pre-rule is found in said global pre-rule base and no corresponding local rule is found in said local rule base, searching a global post-rule base for a global post-rule that corresponds to the packet; and
h. carrying out the action of a global post-rule if the global post-rule corresponds to the packet.

17. The method of claim 16, further comprising:

i. if no corresponding rule is found in the global pre-rule base and no corresponding rule is found in the local rule base, and no corresponding rule is found in the global post-rule base, determining if the packet corresponds to a default rule; and
j. carrying out the action of the default rule if the default rule corresponds to the packet, and generating an error condition if the default rule does not correspond to the packet.
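The rule chain of claims 16 and 17 (global pre-rules, then the authenticated peer's local rule base, then global post-rules, then the default rule, with an error condition if nothing corresponds) together with the hashed-peer-address lookup described in the abstract, worked through as an added Python example. This is illustrative code written for this page, not the patent's own implementation. The class and function names, the `*` wildcard rule syntax, the `(action, stage)` return value, the choice to key the local rule base lookup by the packet's source address (falling back to the destination for inbound traffic), and all sample addresses, ports and rules are assumptions constructed for the demonstration.

```python
"""Peer-level packet filter modelled on the claimed rule chain.

Illustrative example, not the patent's implementation. Rule syntax, names
and the source-address peer lookup are assumptions made for this demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

ANY = "*"                                   # wildcard for any field of a rule 5-tuple
Field = Union[str, int]
FiveTuple = Tuple[str, str, int, int, str]  # (src_addr, dst_addr, src_port, dst_port, proto)


@dataclass(frozen=True)
class Rule:
    """A rule is a 5-tuple (each field a concrete value or ANY) plus an action."""
    src_addr: Field
    dst_addr: Field
    src_port: Field
    dst_port: Field
    proto: Field
    action: str  # "accept" or "drop"

    def matches(self, pkt: FiveTuple) -> bool:
        pattern = (self.src_addr, self.dst_addr, self.src_port, self.dst_port, self.proto)
        return all(r == ANY or r == p for r, p in zip(pattern, pkt))


class FilterError(Exception):
    """No rule in the chain, not even the default rule, corresponds to the packet."""


def first_match(rules: List[Rule], pkt: FiveTuple) -> Optional[Rule]:
    return next((r for r in rules if r.matches(pkt)), None)


class PeerFilter:
    def __init__(self, pre_rules: List[Rule], post_rules: List[Rule], default_rule: Rule):
        self.pre_rules = list(pre_rules)
        self.post_rules = list(post_rules)
        self.default_rule = default_rule
        # Hash table keyed by peer network address; a hit is the pointer to that
        # peer's local rule base. An entry exists only while the peer is authenticated.
        self.local_rules: Dict[str, List[Rule]] = {}

    def on_authenticated(self, peer_addr: str, local_rule_base: List[Rule]) -> None:
        self.local_rules[peer_addr] = list(local_rule_base)   # load on authentication

    def on_logoff(self, peer_addr: str) -> None:
        self.local_rules.pop(peer_addr, None)                 # eject on logoff

    def filter_packet(self, pkt: FiveTuple) -> Tuple[str, str]:
        """Return (action, stage), where stage names the rule base that decided."""
        rule = first_match(self.pre_rules, pkt)
        if rule:
            return rule.action, "pre"
        # Assumption: the peer whose local rules apply is identified by the packet's
        # source address, falling back to the destination for inbound traffic.
        for peer_addr in (pkt[0], pkt[1]):
            if peer_addr in self.local_rules:
                rule = first_match(self.local_rules[peer_addr], pkt)
                if rule:
                    return rule.action, "local"
        rule = first_match(self.post_rules, pkt)
        if rule:
            return rule.action, "post"
        if self.default_rule.matches(pkt):
            return self.default_rule.action, "default"
        raise FilterError(f"no rule corresponds to packet {pkt}")


def build_demo_filter() -> PeerFilter:
    # Constructed sample policy: telnet blocked for everyone before any local rule
    # is consulted, DNS allowed for everyone after them, default rule covers TCP only.
    pre = [Rule(ANY, ANY, ANY, 23, "tcp", "drop")]
    post = [Rule(ANY, ANY, ANY, 53, "udp", "accept")]
    default = Rule(ANY, ANY, ANY, ANY, "tcp", "drop")
    return PeerFilter(pre, post, default)


PEER = "10.0.0.5"  # constructed sample peer address
PEER_RULES = [Rule(PEER, "10.0.1.10", ANY, 443, "tcp", "accept")]


def run_scenarios() -> Dict[str, Tuple[str, str]]:
    f = build_demo_filter()
    f.on_authenticated(PEER, PEER_RULES)
    out: Dict[str, Tuple[str, str]] = {}
    out["https_while_authenticated"] = f.filter_packet((PEER, "10.0.1.10", 40000, 443, "tcp"))
    out["telnet_while_authenticated"] = f.filter_packet((PEER, "10.0.1.10", 40001, 23, "tcp"))
    out["dns_any_peer"] = f.filter_packet(("10.0.0.9", "10.0.1.53", 50000, 53, "udp"))
    f.on_logoff(PEER)
    out["https_after_logoff"] = f.filter_packet((PEER, "10.0.1.10", 40002, 443, "tcp"))
    try:
        f.filter_packet((PEER, "10.0.1.10", 40003, 80, "udp"))
        out["udp_http_after_logoff"] = ("no-error", "")
    except FilterError:
        out["udp_http_after_logoff"] = ("error", "none")   # default rule does not correspond
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Two points the scenarios make visible. First, the ordering is what gives the pre-rule base its authority: the peer's local accept for HTTPS is honoured, but its traffic to port 23 is dropped by the global pre-rule before the local rule base is ever consulted, so a peer cannot use its own rules to override site-wide policy. Second, the error condition of claims 11 and 17 is reachable: a default rule that is not fully wildcarded (here it covers TCP only) leaves a UDP packet with no corresponding rule at all, which is the case a deployment should detect and log rather than silently forward.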